How Industry Standard DRMs Like Widevine Protect Content
Industry-standard DRM systems, such as Widevine, PlayReady, and FairPlay, protect content at two points:
- In transit: The media segments are always encrypted, and the license exchange runs over HTTPS. In addition, the license itself is encrypted to the requesting device, so the content key is never exposed to the transport or to the player application.
- On the device: The decryption key and the decrypted media are confined to a Content Decryption Module (CDM), which on capable devices is backed by hardware.
In this post, we look at how content is encrypted, how the decryption key reaches the device, and how it is used for decryption without exposing either the key or the content.
DRM Data Flow
Background Process (at the video production end)
- Video Transcoding: Content providers (video owners) transcode the source video into multiple bitrates so that players can switch quality during playback (adaptive bitrate streaming).
- Video Encryption: The segments of every bitrate are encrypted with the same content 'Key'. Encryption follows Common Encryption (CENC, ISO/IEC 23001-7), the format shared by all major DRM systems; its default 'cenc' scheme uses AES-128 CTR, while the 'cbcs' scheme (required by FairPlay) uses AES-128 CBC with pattern encryption. Only the media sample payloads are encrypted; container headers stay in the clear so that the player can still parse them.
- Content Upload: The encrypted content is uploaded to a CDN. Because the segments are already encrypted, the CDN never holds playable media and needs no special trust.
- Key Upload: The 'Key' (KeyId plus the actual 16-byte encryption key) is uploaded to the DRM license provider. The KeyId is public and is embedded in the manifest and media so that the player knows which key to request at playback; the key itself is never published.
Runtime Process (during playback in a player)
- Obtain Video: The player fetches the manifest and the encrypted video segments from the CDN.
- Extract KeyId: The KeyId is extracted from the manifest (or sometimes from the media segments themselves).
- Create License Request: The player asks the CDM to create a license request for that KeyId. The request is specific to the device: it is signed with device-unique keys provisioned by the DRM vendor, which is how the license server knows which device, and which security level, it is talking to.
- Send License Request: The player forwards the opaque request to the license server over HTTPS.
- Receive License: The license server returns a license containing the content 'Key' encrypted for that device, together with the usage rules (expiry, permitted quality, and so on). The player cannot read the key out of the license.
- Update CDM: The player passes the license to the CDM.
- Decrypt and Decode Video: The CDM unwraps the 'Key' from the license, uses it to decrypt the video segments, and (depending on the security level) decodes them as well.
- Play Video: The decoded video is displayed.
Main Components Handling Runtime Activities
Runtime activities are typically split between two components:
- The Player: Responsible for fetching the manifest and segments, parsing the manifest, extracting the KeyId, and carrying license requests and responses between the CDM and the DRM license server. It never handles the key in the clear.
- The CDM (Content Decryption Module): Responsible for building the license request, processing the license, decrypting the content and, on hardware-backed devices, decoding it as well.
CDM or Content Decryption Module
Every DRM provider supplies a CDM with a fixed set of functions:
- Building license requests (from the KeyId, the device identity and keys, and the vendor's signing scheme).
- Parsing and decrypting the license response received from the DRM license server and extracting the decryption key.
- Enforcing the rules carried in the license: local (offline) storage of the license, renewal, expiry, and similar constraints.
DRM vendors (like Widevine) test and certify CDM implementations on devices to ensure that they follow the specification, in particular that they:
- Do not leak decryption keys or decoded video.
- Store decryption keys only as the license permits (for example, keep the key for X days and then discard it).
- Pass decoded video to the display over a protected, hardware-assisted path rather than through application memory.
CDM and Security Levels
During playback the CDM plays a crucial role in preventing leaks, because it is the component that handles the decrypted data. CDMs typically offer one of three output modes:
- Decrypt the video and hand the decrypted bitstream back to the application/player (least secure: the clear stream sits in application memory).
- Decrypt, decode, and pass the decoded frames to the platform's display engine.
- Decrypt, decode, and render the video itself (most secure).
Decryption and decoding inside the CDM can be implemented in software or in hardware. The hardware-based implementation is considered more secure because all operations take place in a Trusted Execution Environment (TEE). According to Wikipedia, a TEE is "a secure area of a main processor that guarantees code and data loaded inside to be protected with respect to confidentiality and integrity."
Not every device can decrypt and decode in hardware (low-end devices frequently cannot), so devices are categorized into security levels according to what they can do. Google's Widevine, for example, defines three: L1 (highest), L2, and L3 (lowest).
Security Levels
- Security Level 1 (L1): Both cryptography and video decoding are performed inside the TEE; decrypted frames never enter the normal operating system.
- Security Level 2 (L2): Only the cryptography is done inside the TEE; decoding happens in separate video hardware or software outside it.
- Security Level 3 (L3): The device has no TEE, or all processing is done outside of it. Keys and media are handled in ordinary software, so white-box cryptography (WBC) and code obfuscation are the only available protection. This is the level most exposed to key extraction, which is why content owners restrict what L3 devices may play.
Security Levels and Blocking HD Content
Content providers can allow different bitrates to different security levels. The restriction is expressed as a rule in the license: the license server reads the device's certified security level from the license request and grants only the keys or output quality that the rule permits. In practice, HD and higher-quality renditions usually require L1 on the client, while L3 devices are limited to SD.
Websites Using DRM Protection
Many popular websites use DRM protection to secure their content. Some of these websites include:
- Netflix: Uses Widevine, PlayReady, and FairPlay.
- Amazon Prime Video: Utilizes Widevine and PlayReady.
- Hulu: Employs Widevine and PlayReady.
- Disney+: Uses Widevine and PlayReady.
- OnlyFans: Implements DRM to protect exclusive content shared by creators.
How to Download DRM-Protected Video
If you're looking for a reliable and efficient way to download videos, Itdown Video Downloader is the tool you need. It supports a wide range of websites and formats, ensuring you can download your favorite videos quickly and easily. With its user-friendly interface and powerful features, Itdown Video Downloader makes it simple to save videos for offline viewing.