Encrypting premium videos is not enough: OTT players need secure handling of license and decryption keys to prevent content leakage

In the world of over-the-top (OTT) content, the security of video assets is of utmost importance: there is great demand for premium content in the grey market, where people want to access top TV shows and films for free. Such leakage erodes the revenue of industry leaders like Netflix, Amazon Prime and Disney+, which spend heavily to obtain exclusive distribution rights for premium content.

OTT players use multi-DRM services to encrypt video streams and manage DRM licenses from the industry's major systems: Google's Widevine, Apple's FairPlay and Microsoft's PlayReady. A good multi-DRM service also protects video files with video watermarking, which helps the operator locate the point of leakage and take further action.

Many players encrypt video content with the AES-128 standard but struggle to secure the decryption key. An unsecured decryption key can lead to content leakage and illegal use of video streams even when the encryption standard itself is world class. OTT players use multi-DRM services to address this problem.

Advanced Encryption with DRM

Digital rights management (DRM) functionality covers the distribution and management of encryption and decryption keys and the backend licensing servers. Commercial DRM systems use AES as their encryption standard: the premium content is encrypted so that it can be read only with a decryption key supplied by the third-party DRM platform the OTT platform has chosen. AES is a symmetric-key algorithm, as the same key is used for encryption and decryption, and the encryption keys are stored on the licensing server.

A 128-bit AES key is used by content owners to encrypt their videos, and the end user needs the same key to play the content back, so only users who can obtain the key can access it. Before returning a license response containing the decryption key, the multi-DRM service provider's server checks that the user and the device are authorized.

Because digital content must be encrypted to prevent misuse and unauthorized playback, it also has to be packaged in a compatible format such as MPEG-DASH or HLS, both of which are HTTP-based adaptive streaming protocols. The cloud encoding system encodes the source files into these formats, and the encoder encrypts them with encryption keys obtained from the multi-DRM providers.

To encrypt digital content, the multi-DRM packager requests an encryption key from the DRM system, for example Google's Widevine. Once the DRM system provides the key, it is linked to the media content ID. In some cases the encryption keys are generated in the packager itself and sent to the DRM system, which stores them and distributes them to consumers. The packager then encrypts the content with the key.

The client must decrypt the content before playback. The DRM system gives the client access to the decryption key for the particular content ID that was used to encrypt the video. Decryption is performed by the Content Decryption Module (CDM), a proprietary software component of the device or browser; every device compatible with Encrypted Media Extensions (EME) contains a CDM. It decrypts the video content and hands it to the player.
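The key lifecycle described above (packager requests a key bound to a content ID, client requests a license, server checks entitlement before releasing the key, CDM decrypts) can be walked through end to end in a small model. The following Go program is an added example, not code from the article or from any DRM vendor; the `keyServer` type, its methods and the entitlement rule are assumptions standing in for a real license server, and the media segment is a constructed byte string. It uses AES-128 in CTR mode, with the IV prepended to the ciphertext.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// keyServer stands in for the DRM system's key and license server. It creates
// one 128-bit AES key per content ID and releases that key only to devices
// entitled to the content. Constructed example: the type, its methods and the
// entitlement rule are assumptions, not any vendor's API.
type keyServer struct {
	keys     map[string][]byte  // content ID -> AES-128 content key
	entitled map[[2]string]bool // {device ID, content ID} pairs allowed to play
}

func newKeyServer() *keyServer {
	return &keyServer{keys: map[string][]byte{}, entitled: map[[2]string]bool{}}
}

// ProvisionKey is the packager's request for an encryption key: the server
// generates a fresh random key and links it to the content ID.
func (s *keyServer) ProvisionKey(contentID string) ([]byte, error) {
	if _, ok := s.keys[contentID]; ok {
		return nil, errors.New("key already provisioned for " + contentID)
	}
	key := make([]byte, 16)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	s.keys[contentID] = key
	return key, nil
}

// Entitle records that a device has been authorized for a content ID.
func (s *keyServer) Entitle(deviceID, contentID string) {
	s.entitled[[2]string{deviceID, contentID}] = true
}

// License handles the client's license request: the decryption key is
// released only after the device's entitlement has been checked.
func (s *keyServer) License(deviceID, contentID string) ([]byte, error) {
	if !s.entitled[[2]string{deviceID, contentID}] {
		return nil, errors.New("device " + deviceID + " not authorized for " + contentID)
	}
	key, ok := s.keys[contentID]
	if !ok {
		return nil, errors.New("no key for content " + contentID)
	}
	return key, nil
}

// encryptSegment is the packager step: AES-128 in CTR mode with a random IV
// prepended so the decryptor can rebuild the counter.
func encryptSegment(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, aes.BlockSize+len(plaintext))
	iv := out[:aes.BlockSize]
	if _, err := rand.Read(iv); err != nil {
		return nil, err
	}
	cipher.NewCTR(block, iv).XORKeyStream(out[aes.BlockSize:], plaintext)
	return out, nil
}

// decryptSegment is the CDM step; the key reaches it only through a license.
func decryptSegment(key, ciphertext []byte) ([]byte, error) {
	if len(ciphertext) < aes.BlockSize {
		return nil, errors.New("segment too short to carry an IV")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(ciphertext)-aes.BlockSize)
	cipher.NewCTR(block, ciphertext[:aes.BlockSize]).XORKeyStream(out, ciphertext[aes.BlockSize:])
	return out, nil
}

// Playback runs the client side of the flow: request a license, then decrypt.
func Playback(s *keyServer, deviceID, contentID string, encrypted []byte) ([]byte, error) {
	key, err := s.License(deviceID, contentID)
	if err != nil {
		return nil, err
	}
	return decryptSegment(key, encrypted)
}

func main() {
	srv := newKeyServer()
	segment := []byte("constructed sample media segment") // constructed input
	key, _ := srv.ProvisionKey("movie-001")
	encrypted, _ := encryptSegment(key, segment)

	srv.Entitle("tv-A", "movie-001")
	got, err := Playback(srv, "tv-A", "movie-001", encrypted)
	fmt.Println("entitled device recovers segment:", err == nil && bytes.Equal(got, segment))
	_, err = Playback(srv, "tv-B", "movie-001", encrypted)
	fmt.Println("unentitled device:", err)
}
```

The point of the model is the boundary it draws: the key never leaves `keyServer` except through `License`, so an unentitled device holding the encrypted segment learns nothing, and the same key is never reused for a second content ID. A production license server additionally binds the key release to the device's DRM client identity and security level, which this model omits.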

While a studio or content producer could technically apply AES protection to its content on its own, it may not be able to close hardware-based leaks or stop insecure transmission of AES keys between devices, or between the server and the client device. A multi-DRM solution closes this gap when it protects video content with an AES layer.

Importance of AES-CTR and AES-CBC

A standardized method for content protection, Common Encryption (CENC), has been adopted by the leading DRM systems. CENC permits a single content file set to be encrypted only once for distribution across several devices or platforms that incorporate different DRM systems. The CENC specification supports both cipher block chaining (CBC) and counter (CTR) modes.

AES is the most widely used block cipher. A block cipher is an algorithm for encryption and decryption that takes a fixed-size block of plaintext and produces a block of ciphertext of the same size; for AES the block size is 128 bits. When the plaintext does not fill a whole block, a padding scheme is applied, and CBC mode can be used to defend against a padding attack. AES can also be used to process plaintext as a stream, in modes such as cipher feedback (CFB), output feedback (OFB) or CTR. The two modes used for encrypting digital content, AES-CTR and AES-CBC, are not always compatible with each other, even though both serve the same purpose: encryption for security and decryption under a DRM license by a player. For instance, HLS and Apple devices only support AES-CBC.

During encryption an algorithm scrambles the video file so that it cannot be played. This is done with a key that is used together with the algorithm to both encrypt and decrypt the content; because the same key serves both directions, video encryption and decryption is a symmetric cryptographic operation. A separate key is used for every video and for each asset component, such as audio, SD video and HD video.
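The practical difference between the two CENC modes, and the reason a device supporting only one of them cannot play content packaged in the other, is easiest to see by running both over the same bytes. The Go program below is an added example, not code from the article or from any DRM system: the key and IV are fixed, constructed values so the run is reproducible (a packager takes the key from the DRM key server and draws the IV from a CSPRNG), and the "track" is a constructed byte string. It shows that CTR produces ciphertext of the same length as the plaintext with no padding, that CBC needs the input padded to whole 16-byte blocks, and that feeding CTR output to a CBC decryptor fails even with the correct key. It uses plain PKCS#7 padding to make the block-alignment requirement visible; CENC's own CBC scheme ('cbcs') instead leaves a trailing partial block unencrypted.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"errors"
	"fmt"
)

// Fixed, constructed key and IV so the output is reproducible. A packager
// draws the IV from a CSPRNG and receives the key from the DRM key server.
var (
	sampleKey = []byte("0123456789abcdef") // 16 bytes: AES-128 (constructed)
	sampleIV  = []byte("fedcba9876543210") // 16 bytes: one AES block (constructed)
)

// pkcs7Pad fills the last block; CBC can only process whole 16-byte blocks.
func pkcs7Pad(b []byte) []byte {
	n := aes.BlockSize - len(b)%aes.BlockSize
	return append(append([]byte{}, b...), bytes.Repeat([]byte{byte(n)}, n)...)
}

// pkcs7Unpad strips the padding and rejects anything malformed.
func pkcs7Unpad(b []byte) ([]byte, error) {
	if len(b) == 0 || len(b)%aes.BlockSize != 0 {
		return nil, errors.New("length is not a whole number of blocks")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > aes.BlockSize {
		return nil, errors.New("invalid padding byte")
	}
	for _, c := range b[len(b)-n:] {
		if int(c) != n {
			return nil, errors.New("inconsistent padding")
		}
	}
	return b[:len(b)-n], nil
}

// EncryptCTR XORs the data with a keystream: no padding, output length equals
// input length, and decryption is the very same operation.
func EncryptCTR(key, iv, data []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(data))
	cipher.NewCTR(block, iv).XORKeyStream(out, data)
	return out, nil
}

// DecryptCTR is identical to EncryptCTR because CTR is a keystream XOR.
func DecryptCTR(key, iv, data []byte) ([]byte, error) { return EncryptCTR(key, iv, data) }

// EncryptCBC chains blocks, so the input must first be padded to 16 bytes.
func EncryptCBC(key, iv, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	padded := pkcs7Pad(plaintext)
	out := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, padded)
	return out, nil
}

// DecryptCBC refuses input that is not block aligned and validates padding.
func DecryptCBC(key, iv, ciphertext []byte) ([]byte, error) {
	if len(ciphertext) == 0 || len(ciphertext)%aes.BlockSize != 0 {
		return nil, errors.New("ciphertext is not block aligned")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(ciphertext))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(out, ciphertext)
	return pkcs7Unpad(out)
}

func main() {
	sample := []byte("constructed sample of an SD video track") // 39 bytes, constructed
	ctr, _ := EncryptCTR(sampleKey, sampleIV, sample)
	cbc, _ := EncryptCBC(sampleKey, sampleIV, sample)
	fmt.Printf("plaintext %d bytes, CTR %d bytes, CBC %d bytes\n", len(sample), len(ctr), len(cbc))
	// Same key, wrong mode: a CBC-only device cannot play CTR-packaged content.
	_, err := DecryptCBC(sampleKey, sampleIV, ctr)
	fmt.Println("CTR ciphertext through CBC decryptor:", err)
}
```

Because each mode reads the ciphertext differently, a player has to know which CENC scheme a segment was packaged with; this is why a multi-DRM packager that must reach both Apple devices and CTR-based DRM systems typically produces two encrypted outputs rather than one.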

The Multi-DRM Advantage

A DRM solution supports both streaming of video content and playback in an offline environment. It is offered to digital content producers and OTT players as a cloud-based software-as-a-service (SaaS) facility that handles DRM packaging of the source content. In many cases it comes pre-integrated with popular cloud services, such as AWS Elemental Media Services through its SPEKE API, which defines the standard for communication between the encryptors and packagers of media assets and the DRM key distributors.