Digital Rights Management: Comparing PlayReady, FairPlay and WideVine
As of 2019, there are more video streaming subscribers than paid TV subscribers worldwide, accessing over 500 licensed online video portals. With increase in demand for online video portals, digital piracy has also increased. Digital piracy is enabled by pirated devices, apps and websites (such as BitTorrent and The Pirate Bay) which help users to download unauthorized content such as television shows, latest movies, and/or games over the internet.
According to a report from the US Chamber of Commerce, online piracy costs US economy almost $30 billion a year with pirated videos being viewed over 200 billion times. However, the impact of piracy is not limited to loss of revenue only. GIPC’s report has found that digital video piracy results in 230,000 to 560,000 job losses per year. In terms of GDP, piracy caused a reduction of US GDP between $47.5 billion and $115.3 billion in 2018 only.
To protect the digital content from piracy, technologies such as Digital Rights Management (commonly known as DRM) were developed by Samsung, Microsoft, Google and/or Apple. DRM products are developed in response to the rapid increase in online piracy of commercially marketed material due to the extensive use of peer to peer file exchange programs. The term “Digital Rights Management” (DRM) refers to the set of policies and rights which are used to prevent unauthorized user to access the digital media content and files. The main components of the DRM system are Packaging Server, License Server, and Playback Devices.
How does DRM work?
The playback device (such as smart TV, Laptop and/or Smartphone) sends a request for digital content (such as TV shows, On-Demand Videos and/or Web Series available on Netflix, YouTube, and Hulu) to a Packaging Server. The Packaging Server retrieves the content from the Content Server. The Packaging Server encodes the digital content into the adaptive stream formats such as MPEG-DASH, HLS for encryption. Encryption is applied to protect the content during streaming, downloading and storage on the Distribution Server. The Packaging Server further sends the encrypted content to the playback device.
To play the encrypted content, the playback device sends a license request with its public key for a particular content to the License Server. The License Server verifies the device using the device public key. Once the device is verified, the License Server sends a license with a content key to the playback device. The playback device decrypts the content using this key and plays the content.
Major DRM technology providers include:
Google’s Widevine DRM implemented by Amazon Video, BBC, Hulu, and Spotify
Microsoft’s PlayReady implemented by Netflix
Apple’s FairPlay implemented by iTunes
Google’s Widevine DRM Technology
Widevine DRM technology is a Digital Rights Management component of the Google Chrome web browser. In 2010, Widevine technologies was acquired by Google. Widevine DRM is a media file copy prevention technology used by Chromium (“an open-source web browser started by Google”). Widevine DRM solution combines the following industry standards to provide a strong multiplatform protection:
Dynamic Adaptive Streaming over HTTP (DASH)
Common Encryption (CENC)
Encrypted Media Extensions (EME)
Widevine DRM includes encryption, output prevention and Digital Rights Management (DRM). Widevine uses a combination of CENC encryption, licensing key exchange and adaptive streaming quality to manage and send the media file to the users. It simplifies the amount of work on the service provider’s end by supporting multiple levels of streaming quality based on the security capabilities of the receiving device. Thus, Widevine creates a secure environment for playing digital content on a consumer devices such as Chromecast, Android TVs, HTML5 browsers, etc. Content providers such as Amazon Video, Netflix and Spotify streams restricted audio and video with Widevine encryption.
Key benefits of Widevine’s DRM solutions
Support for reliable content protection across multiple systems.
Standardized media container formats.
Complete control and flexibility during video playbacks.
Compatibility with legacy systems.
Widevine Components Overview
Media source extensions: Media Source Extensions (MSE) are used to resolve the incoming DASH-based media streams and allow them to pass to the playback hardware.
Dynamic Adaptive Streaming over HTTP: Widevine DRM employs the Dynamic Adaptive Streaming over HTTP (DASH) to avoid problems related to varying bandwidth in an environment,
Media Packaging: Widevine DRM provides an open source DASH packaging system called Shaka Packager. The packager converts files of different solutions and bandwidth to the different formats which describes the type of resolutions and bandwidth for each file.
License Server: Widevine DRM provides a cloud-based license service to provide a license information for encryption and decryption process of the media. The license protocol is used to communicate with the License Server in a simple request-response method over the HTTPS.
Video Players: Widevine DRM supports a wide variety of consumer devices using an Android TV, Chromecast and HTML5 browsers. It also supports OEM devices on the basis of the License request.
Content Decryption Module: The devices includes a Content Decryption Module (CDM) to create and send an encrypted license request to the Widevine License Server. The Widevine License Server responds to the device request by sending an encrypted content containing license information. The encrypted content is decrypted using this license.
OEMCrypto Module: The OEMCrypto Module decrypts the content using the information from the device and also from the License Server. It uses the encrypted License information to decrypt the digital video content.
Shaka Packager is a media Packaging SDK (“Software Development Kit”) for DASH and HLS packager with CENC (“Common Encryption”) support, live TV, and video on demand. Shaka Packager is also supported on all three major operating systems: Linux, Windows and MacOS.
When a user requests for digital content by accessing at least one of the streaming services (such as Amazon Video, BBC, Hulu, and Spotify), the user’s device sends a request for digital content (such as audio/video content) to the Shaka Packager which is included in the Widevine Server. The Shaka Packager encrypts the content using at least one of the encryption technologies such as CENC (Common Encryption), DASH (Dynamic Adaptive Streaming over HTTP) or EME (encrypted media extensions). The Shaka Packager embeds a Protection System Specific Header (PSSH) data/box in a requested content which includes a Widevine License URL to acquire a license from a Widevine License Server. The encryption process sends an HTTP(s) request to the Widevine License Server in which the Content Identifiers (ID) is included. Widevine License Server responds with the Content Key(s) which are associated with the Content ID. The device receives an encrypted content via a Content Delivery Network. The encrypted digital video content includes digital data and file format information such as VP9, H.264, MPEG2-TS, and Widevine 1.0 (WVM) codec.
Content Decryption Module (CDM)
Content Decryption Module (CDM) is installed on every user’s device that plays the Widevine encrypted content. There is a unique module for each type of device. The CDM creates an encrypted license request and sends it to the Widevine License Server. The Widevine License Server responds to the player’s request and sends an encrypted content containing the license information. The player passes the encrypted content to CDM, which then passes it to the OEMCrypto Module for decryption. The encrypted content is then decrypted using the license in order to play the digital content.
Microsoft’s PlayReady DRM technology
Microsoft PlayReady is a media file copy prevention technology that includes encryption, output prevention and Digital Rights Management (DRM). It was announced on February 2007. PlayReady offers a comprehensive secure content delivery and management solution that act as a strong foundation for products, services, devices and entertainment industry. Consumer devices such as Chromecast, Android TV, Google TV, Roku and Amazon Fire TV utilizes Microsoft PlayReady DRM content protection and encryption functionality to stream digital video content.
DRM further includes restrictive license agreements, encryption, and license acquisition to create a secure environment for digital content for the user. PlayReady supports various protection technologies such as:
CopyEnablers (supported in PlayReady 1.X and 2.X only)
MoveEnablers (supported in PlayReady 1.X and 2.X only)
Import and Export
Secure License Delivery: PlayReady securely delivers licenses to the user device/clients. Every client has unique proof that authenticates the client to the PlayReady server.
Key Rotation: For Live TV and/or on-demand TV shows or series, PlayReady provides support for the Key Rotation in which the encryption keys help in protecting the content change on a frequent and specified basis.
Output protection: PlayReady can enforce the restriction of playback to output ports on playback devices based on license policies.
Domains: PlayReady supports the concept of domains. The Microsoft PlayReady Server’s Domain Controller determines the domain of the user (such as a single user, a family or a group of users). The controller determines the domain of the user (such as a single user, a family or a group of users) to process the video content.
Metering: PlayReady supports metering, in which the playback client maintains a count of how many times a content file is played.
Breach Response: PlayReady actively manages the device ecosystem and has industry leading processes in place to manage clients in the unlikely event of a security breach.
Multiple Client platforms: PlayReady supports a range of client platforms which includes Windows, Xbox, and Android. PlayReady is also available for set up boxes and also the other consumer devices such as TVs and media players.
Multiple Content Types: The setup box receives a PlayReady protected digital video content form the PlayReady Server. The digital video content includes digital data and file formats. For audio content, the support includes AAC, AAC+, and WMA codecs and for the video content, the support includes H.263, H.264 and H.265 codecs.
Encryption process in PlayReady
When a streaming service such as Netflix is accessed on a user’s computing device, a request from the device is sent to the PlayReady Server. PlayReady Server includes a Packaging Server which retrieves the requested video content from a streaming service such as Netflix and encrypts it using at least one of the encryption technologies such as CENC (Common Encryption), DASH (Dynamic Adaptive Streaming over HTTP). The Packaging Server embeds a PlayReady header in the requested content. After encrypting the requested content, the Packaging Server sends the encrypted content to the user’s device via a Distribution Server.
Decryption process in PlayReady.
After receiving the encrypted content, the user sends a license request from its device to a License Server. The license request includes a KID (Key Identifier) and user’s device public key. The License Server uses the device public key to verify the user’s device. If the device is a valid PlayReady device, the License Server generates a content key corresponding to the KID. The License Server sends a resulting license to the user’s device. The user’s device decrypts the content key using its private key and further decrypts the digital video content for playing.
Apple’s FairPlay DRM Technology
FairPlay technology is used to encrypt the iTunes content such as movies, TV shows, music videos, apps, eBooks, etc. FairPlay encrypts iTunes content to prevent it from unfair sharing and copying to an unauthorized user.
Encryption and decryption process in FairPlay
When a user creates an account with iTunes, Apple Server authorizes the user to access iTunes on its PC and/or Smartphone (iPhone). iTunes creates a globally unique ID for a user’s device and sends the unique ID to the Apple server, where it is assigned to the user account.
When a user purchases a digital content (such as an song) from the store, a key is created for the purchased content. The audio file is protected using AAC (Advanced Audio Content Coding) technology which code files at medium to high bit rates. It is designed to provide better sound quality than MP3. An audio layer with a master key using AES algorithm is used. The master key is also stored in the protected audio file.
The master key is encrypted using the user key which is held by iTunes and also sent to the Apple Server.
iTunes maintain a collection of user keys for all the purchased tracks in its library. It does not need to connect to a server for a user key. To play a protected song, iTunes matches the created user key with its collection of user keys to decrypt the master key. The decrypted master key is then used to decrypt the AAC song file.