How to use DRM encryption
Quortex.io supports DRM (Digital Rights Management) encryption to secure your published streams and make sure they can only be watched by entitled viewers. In a nutshell, DRM ensures that video content is stored and transmitted in an encrypted form, to make sure only authorized users and devices can play it back. It is common to use multiple DRM schemes for better device compatibility. While there are multiple different schemes available, the three below mentioned are the most commonly used ones:
Google’s Widevine: Widevine-protected content can be played in Chrome and Firefox web browsers, as well as Android and Chromecast devices.
Apple’s FairPlay: FairPlay-protected content can be played in Safari on OS X, as well as iPhones, iPads, and AppleTVs.
Microsoft's PlayReady: PlayReady-protected content can be played in IE11 and Edge browsers, Windows Phone, Xbox, and other platforms via SDKs.
quortex.io supports all three schemes in order to make sure that all devices can be served with encrypted content.
In order to enable DRM encryption in quortex.io you need to have a third party DRM license server in place that will be able to create all the necessary keys to encrypt your content properly. When a user attempts to play back this content, the video player requests a key from this license server. The server determines whether the user and device are authorized, before issuing a license response with a decryption key. The player can then decrypt and play back the content for the user.
This Tutorial is going to show the encryption workflow based on Castlabs DRM Today solution. Other solutions might provide a different way of obtaining the values, but the naming should be consistent.
To start with the encryption, we need the Assets key ID and a the corresponding content key. While the key ID is supposed to be a public value, the content key should remain private.
In the case of Castlabs, the Key ID and the content key ( "key") can be copied from the Dashboard, while the content key individually needs to be pulled using the Rest API. The result of that will look partially like the below response:
Since Castlabs provides all values as base64, we need to convert them to hex in order to be used with quortex.io.
Once you have both values and converted them, you can go to the Configuration in quortex.io and create a new Target or Update an existing one. By enabling the sliders "encryption on video" and/or "encryption on audio" you can add encryption on your media representation. Once enabled, the key ID and the content key can be added.
After adding the Keys, you need to select the DRM schemes that should be applied. In this example, we are going to configure an encrypted DASH presentation, so we select Playready and Widevine as the DRM schemes to use. For FairPlay, you will also need to generate and provide an Initialization Vector (IV) value in in order to use the scheme.
The last configuration step is to add the pssh payload per DRM scheme and save the target.
In the example of castlabs, this payloads are being published when pulling the rest API for the content key.
Your content will be delivered encrypted and can only be pulled when the play request includes a valid playback token. To get such token, authentication against the DRM license server is required. This authentication request will include the key ID to make sure that the specific user is entitled to play the specific content. The token can be of custom lifetime, meaning that re-authentication can be enforced after a certain period of time.
In order to validate playback, you will need to get an playback token.
In the Castlabs example, we have a little script that emulates user authentication to get a playback token. The response for this request will look like this:
To check your encryption is applied, you can also pull your mainfest, where every media presentation should have a contentProtection tag:
Using the token in response and a reference player that is able to access the DRM vendors backend, you should be able to playback your stream.
Google’s Widevine: Widevine-protected content can be played in Chrome and Firefox web browsers, as well as Android and Chromecast devices.
Apple’s FairPlay: FairPlay-protected content can be played in Safari on OS X, as well as iPhones, iPads, and AppleTVs.
Microsoft's PlayReady: PlayReady-protected content can be played in IE11 and Edge browsers, Windows Phone, Xbox, and other platforms via SDKs.
quortex.io supports all three schemes in order to make sure that all devices can be served with encrypted content.
Getting started with Encryption
In order to enable DRM encryption in quortex.io you need to have a third party DRM license server in place that will be able to create all the necessary keys to encrypt your content properly. When a user attempts to play back this content, the video player requests a key from this license server. The server determines whether the user and device are authorized, before issuing a license response with a decryption key. The player can then decrypt and play back the content for the user.
This Tutorial is going to show the encryption workflow based on Castlabs DRM Today solution. Other solutions might provide a different way of obtaining the values, but the naming should be consistent.
To start with the encryption, we need the Assets key ID and a the corresponding content key. While the key ID is supposed to be a public value, the content key should remain private.
In the case of Castlabs, the Key ID and the content key ( "key") can be copied from the Dashboard, while the content key individually needs to be pulled using the Rest API. The result of that will look partially like the below response:
{
"assets": [
{
"assetId": "helpcenter_asset_demo",
"keys": [
{
"streamType": "VIDEO_AUDIO",
"keyId": "LYz5h/JcPJvAr+w==+eSFCOU",
"key": "ftn+8ABzK1IP8w==6S1aizMA",
"signaling": {},
"alreadyExisted": true
…Since Castlabs provides all values as base64, we need to convert them to hex in order to be used with quortex.io.
Once you have both values and converted them, you can go to the Configuration in quortex.io and create a new Target or Update an existing one. By enabling the sliders "encryption on video" and/or "encryption on audio" you can add encryption on your media representation. Once enabled, the key ID and the content key can be added.
After adding the Keys, you need to select the DRM schemes that should be applied. In this example, we are going to configure an encrypted DASH presentation, so we select Playready and Widevine as the DRM schemes to use. For FairPlay, you will also need to generate and provide an Initialization Vector (IV) value in in order to use the scheme.
The last configuration step is to add the pssh payload per DRM scheme and save the target.
In the example of castlabs, this payloads are being published when pulling the rest API for the content key.
{
"cencResponse": {
"systemId": {
"edef8ba9-79d6-4ace-a3c8-27dcd51d21ed": {
"name": "Widevine",
"psshBoxContent": "CAESEC2M+YfyXD/nkhQjlCbwK/saCGNhc3.............."
},
"9A04F079-9840-4286-AB92-E65BE0885F95": {
"name": "PlayReady",
"xmlFragment": "<mspr:pro xmlns:mspr=\"urn:microsoft:playready\">OAMAAAEAAQAuAzwAVwBSAE0ASA............=</mspr:pro>",
"psshBoxContent": "OAMAAAEAAQAuAzwAVwBSAE0ASABFAEEARABFAFIAIAB4..........."
}
}
}
}Your content will be delivered encrypted and can only be pulled when the play request includes a valid playback token. To get such token, authentication against the DRM license server is required. This authentication request will include the key ID to make sure that the specific user is entitled to play the specific content. The token can be of custom lifetime, meaning that re-authentication can be enforced after a certain period of time.
Validating the Encryption
In order to validate playback, you will need to get an playback token.
In the Castlabs example, we have a little script that emulates user authentication to get a playback token. The response for this request will look like this:
{'optData': '{"userId": "q::q", "sessionId": "default", "merchant": "q"}', 'crt': '[{"accountingId": "hep_center", "assetId": "helpcenter_asset_demo", "profile": {"rental": {"absoluteExpiration": "2022-12-31T11:40:00.000Z", "playDuration": 1000000}}, "outputProtection": {"digital": false, "analogue": false, "enforce": false}}]', 'iat': 1643182648, 'jti': '4d7d2e75-c551-4a8b-b484-df75b720be73'}
ey{somedata}FSATo check your encryption is applied, you can also pull your mainfest, where every media presentation should have a contentProtection tag:
<ContentProtection cenc:default_KID="2d8cf987-f25c-3fe7-9214-239426f02bfb" schemeIdUri="urn:mpeg:dash:mp4protection:2011" value="cenc"/>Using the token in response and a reference player that is able to access the DRM vendors backend, you should be able to playback your stream.
Updated on: 01/03/2024
Thank you!