What Is DRM and Where It Matters
This blog often goes into very technical depth, but it's sometimes important to talk about the basics, like the fundamentals of DRM.
If you are working in the broadcast industry with premium content, you probably have a clear understanding of what DRM is. If not, this will help you understand where DRM is applicable.
1. What is DRM?
DRM takes different forms today, covering the distribution of online video, games, software, and everything else that is digitally valuable. There is often a certain negativity associated with it, specifically if it starts limiting the user experience – one example is games that are required to be always online to check in with a DRM system.
In this post, I am only going to focus on DRM for online video, which covers a lot of content you are consuming today without knowing that it is DRM protected.
DRM covers the following areas:
- Protect content with encryption
- Robust mechanisms to protect the decryption key
- Follow certain rules defined in policies when issuing the key
- Ensure the media pipeline is secure, and prevent ways to get access to the content (e.g. by using output protection)
2. What levels of protection exist?
Level 1 – Protected Streaming
RTMPe was the first enhancement to protect RTMP streaming delivered to Flash Player and AIR. It protects the connection between Flash Player/AIR and Adobe Media Server, and prevents any hijacking between the client and the server. That said, it has been around for a while, and is not considered DRM level content protection.
The HLS specs provide a way to secure HLS content by integrating a key URL into the m3u8 manifest file. It's up to the publisher to develop the corresponding key server. Security can be enhanced by adding information to HTTP request headers and by delivering the actual video files over HTTPS, but it still leaves a lot of room for attacks, and it's not considered DRM-level security.
Both RTMPe and encrypted HLS are widely used to protect online content, but they don't offer DRM-level characteristics.
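The encrypted-HLS setup described above can be checked from the manifest alone. The following is an added example, not code from the original post: a small Python audit that reads the EXT-X-KEY tags of an m3u8 playlist and reports keys or segments not fetched over HTTPS and segments left unencrypted. The playlist, hostnames and finding names are constructed for illustration.

```python
import re
from urllib.parse import urljoin, urlparse

# Constructed sample playlist; hostnames and paths are placeholders.
BASE_URL = "https://cdn.example.com/show/index.m3u8"
SAMPLE_PLAYLIST = """#EXTM3U
#EXT-X-VERSION:3
#EXT-X-TARGETDURATION:10
#EXT-X-KEY:METHOD=AES-128,URI="http://keys.example.com/k1",IV=0x00000000000000000000000000000001
#EXTINF:10.0,
seg0.ts
#EXT-X-KEY:METHOD=AES-128,URI="https://keys.example.com/k2"
#EXTINF:10.0,
http://cdn.example.com/show/seg1.ts
#EXT-X-KEY:METHOD=NONE
#EXTINF:10.0,
seg2.ts
#EXT-X-ENDLIST
"""

ATTR_RE = re.compile(r'([A-Z0-9-]+)=("[^"]*"|[^,]*)')

def parse_attrs(text):
    """Split an HLS attribute list into a dict, dropping quotes around values."""
    return {k: v.strip('"') for k, v in ATTR_RE.findall(text)}

def audit_playlist(playlist, base_url):
    """Return (line number, finding, resolved URL) for each weak key or segment line."""
    findings = []
    encrypted = False  # whether an EXT-X-KEY currently covers the following segments
    for lineno, line in enumerate(playlist.splitlines(), 1):
        line = line.strip()
        if line.startswith("#EXT-X-KEY:"):
            attrs = parse_attrs(line[len("#EXT-X-KEY:"):])
            encrypted = attrs.get("METHOD", "NONE") != "NONE"
            if not encrypted:
                continue
            if not attrs.get("URI"):
                findings.append((lineno, "key-missing-uri", ""))
                continue
            key_url = urljoin(base_url, attrs["URI"])
            if urlparse(key_url).scheme != "https":
                findings.append((lineno, "key-not-https", key_url))
        elif line and not line.startswith("#"):
            seg_url = urljoin(base_url, line)  # relative segments inherit the playlist URL
            if not encrypted:
                findings.append((lineno, "segment-unencrypted", seg_url))
            if urlparse(seg_url).scheme != "https":
                findings.append((lineno, "segment-not-https", seg_url))
    return findings
```

A clean result only covers what the manifest shows; who is allowed to fetch the key is decided by the publisher's own key server.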
Level 2 – Protected Streaming using DRM features – without a key server
This is a specific intermediate content protection level Adobe developed to provide DRM-like content protection without requiring a key server. The inspiration for this was the tremendous popularity of RTMPe, which was mostly due to its ease of use (switch the URL to encrypted RTMPe, and block unencrypted RTMP access on the server).
The protocols are pRTMP, pHLS, and pHLS. You can find more detailed information here. It uses the built-in DRM capabilities of Flash Player/AIR, with Primetime Player providing the corresponding DRM components on the mobile side. It uses an embedded key, and can use all DRM capabilities of the clients (e.g. output protection). But since it’s not using a license server, it doesn’t fulfill the requirements of a maximum protection DRM solution.
Level 3 – DRM
This category requires DRM capabilities enabled on the client, and a key server with robust and secure key-exchange, third-party audited for robustness.
Adobe Access / Primetime DRM falls into this category. Other DRM solutions include Playready and Widevine.
While most mobile platforms support different DRM systems via applications, on desktop it requires the appropriate client within the browsers.
These clients are:
Adobe Access: Flash Player
Widevine: An additional plugin install running alongside of Flash
Note: Flash Player only supports Adobe Access as DRM.
In addition to the mentioned plugins above, the HTML5 specs provide encrypted media extensions to enable DRM level protection natively in browsers with all the major DRM vendors involved. The penetration is still relatively low though, with different DRM systems for each browser (and some with no support yet).
It's not close to a penetration point where a publisher could realistically rely solely on an HTML5 DRM solution and not use the plugins mentioned above – with Flash leading the desktop with 99% penetration.
3. Do I need DRM?
If you don't know, you probably don't, and are okay with Level 1 or Level 2 protection. There are certain categories of content that notoriously don't require DRM, such as live events, whose value is primarily during the actual event. It needs to be secure enough that someone can't easily republish the live stream, but DRM is not important. This can be different for linear simulcast, but it's case by case.
DRM comes into play where highly valuable content is published, such as premium movies or TV shows. In a lot of cases, the content is licensed from a movie studio which demands, as a condition for distribution, a DRM-secured playback environment. This includes a long list of security features that the solution must fulfill and implement robustly. Adobe Access provides this functionality.
Of course you can use DRM for your own content as well, but in a lot of cases you are externally forced to use DRM.
If you have never heard of DRM before, you will likely conclude from this article that you don't need it. But it comes into play with the majority of content consumed today, without you realizing it. And this is where DRM becomes beneficial to the end user. Because of DRM, there is better, high-quality content on the web. And if it uses Flash Player on desktop, there is no need for an additional plugin install.
The critical question for DRM shouldn’t be if it’s required in the first place, but how well it’s implemented so it doesn’t impact the user experience, while increasing the amount of consumable premium content.