Digital Rights Management (DRM): A Primer
More than just a way to restrict non-paying users, digital rights management (DRM) offers key features beyond content protection.
Copyright Protection for Digital Media
If latency sucks (to steal a phrase from an article I wrote a few years ago), then piracy sucks even more. As long as we’ve had paid online streaming, we’ve had viewers attempting to access that content without paying for it. It’s true for on-demand content services like Hulu or Netflix, and it’s also true for live events like concerts and prize fights.
To address the balance between viewership and the content owner’s rights management — which can vary, in some instances, by countries or even regions of a country — the concept of digital rights management (DRM) came into play very shortly after the first paid stream was broadcast online.
At its core, DRM is a series of business rules around a specific piece of content rather than rules around the platform on which that content is delivered. DRM does, however, act in conjunction with other forms of access control, from authentication (signing into an event) to license negotiation.
Let’s take a brief glimpse at the technical aspects of DRM, as well as places where DRM is useful beyond just protecting content.
Encryption vs. DRM
There’s often confusion about DRM and types of encryption.
The industry standard for encryption, for instance, is the Advanced Encryption Standard (AES), which uses a substitution-permutation network and a key schedule to encrypt data in 128-bit blocks. The terms AES-128 or AES-256 refer to the length, or the number of alphanumeric characters, that comprise each key.
While encryption typically protects the content when it is at rest — meaning when it is stored on a local machine for playback, since HTTP-based streaming is really just a series of small files played in sequence — there is another area where encryption comes into play: the transport mechanism itself.
To address the vulnerabilities of content as it is moved from one place to another (the “streams” in our case), there are approaches that will set up an encrypted tunnel between the server and the end device. For some content providers, the encrypted tunnel is more important than encryption on the end-user device, since the content will only survive on the local device for a few minutes at most.
To effectively create these tunnels, a session is set up between the server and the end-user device. This session requires authentication, which includes swapping keys between the server and the local device so that the two devices agree that they’ve established an encrypted tunnel. The end result of that negotiated session is often a token that the end-user device receives that’s valid for a certain period of time.
All of those approaches noted above — encryption of content, encryption of transport, sessions, and authentication of connections between the server and end-user device — are not DRM.
Yes, they work in conjunction with DRM. And yes, DRM often uses sessions and tokens as part of its overall process. But DRM itself is a confirmation between the end user’s player app or device and a licensing server that the content is allowed to be played.
More sophisticated DRM addresses whether the content can be played on a particular device at a particular time in a particular location. And that leads to some interesting benefits.
Geo-Blocking and Geofencing
Like DVDs or Blu-ray Discs, which come in a number of regional flavors and can only be played by disc players from those particular regions, online video streams protected by DRM can also be set to only play in a particular country or region.
The two approaches to region-based DRM for online video are called geo-blocking (essentially restricting particular IPs or regions from being able to view content in another region) and geofencing (where content is allowed only in a particular region).
In addition, the Common Encryption Scheme (CENC) allows for up to five different DRM flavors — some of which require paid licenses, others of which are open-source based — meaning that DRMs can be tuned on a per-country or per-region basis.
Since online video DRM restrictions can be modified over time, it’s possible to leverage DRM to fine-tune the release of a video across the globe. For instance, a content distributor could start first with geofencing, where a video might only be available in France, then in Francophone countries in Africa, then in Canada, then throughout the world.
At some point, if piracy is rampant from a particular region, geo-blocking could be used to restrict IP addresses, internet service providers (ISPs), or even countries from viewing the content.
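The checks described so far, as an added example (not Wowza's or any DRM vendor's code): a license decision that first validates a time-limited session token, then applies a geo-block deny-list and a geofence allow-list that widens on a schedule. The secret, dates, country sets and blocked network are constructed, and the caller is assumed to have already resolved the client's country from its IP address.

```python
import hashlib
import hmac
import ipaddress
from datetime import datetime, timezone

SECRET = b"constructed-demo-secret"  # constructed; a real server loads this from a secret store
# Geofence (allow-list) that widens over time, sorted by start; None = every country. Constructed.
ROLLOUT = [
    (datetime(2024, 1, 1, tzinfo=timezone.utc), {"FR"}),
    (datetime(2024, 2, 1, tzinfo=timezone.utc), {"FR", "SN", "CI"}),
    (datetime(2024, 3, 1, tzinfo=timezone.utc), {"FR", "SN", "CI", "CA"}),
    (datetime(2024, 4, 1, tzinfo=timezone.utc), None),
]
# Geo-block (deny-list), applied regardless of the fence. Constructed values.
BLOCKED_COUNTRIES = {"ZZ"}
BLOCKED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]


def _mac(body):
    return hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()


def sign_token(user, expires_at):
    """Issue 'user|expiry|mac', where expiry is a Unix timestamp."""
    body = f"{user}|{int(expires_at.timestamp())}"
    return f"{body}|{_mac(body)}"


def token_valid(token, now):
    try:
        user, expiry, mac = token.split("|")
        fresh = now.timestamp() < int(expiry)
    except ValueError:  # wrong field count or non-numeric expiry
        return False
    return fresh and hmac.compare_digest(mac.encode(), _mac(f"{user}|{expiry}").encode())


def license_decision(token, country, client_ip, now):
    """Return (granted, reason) for one license request."""
    if not token_valid(token, now):
        return False, "invalid or expired token"
    addr = ipaddress.ip_address(client_ip)
    if country in BLOCKED_COUNTRIES or any(addr in net for net in BLOCKED_NETWORKS):
        return False, "geo-blocked"
    active = [allowed for start, allowed in ROLLOUT if start <= now]
    if not active:
        return False, "not yet released"
    if active[-1] is not None and country not in active[-1]:
        return False, "outside geofence"
    return True, "ok"
```

The deny-list is evaluated before the fence, so a blocked network stays blocked even after the rollout reaches worldwide availability.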
Some services focus their DRM geo-blocking efforts on a particular partner CDN. Wowza CDN on Akamai, for instance, allows geo-blocking parameters to be set on streams delivered through Wowza CDN to pre-defined stream targets for Apple HTTP Live Streaming (HLS) or Adobe HTTP Dynamic Streaming (HDS) playback.
While HDS has waned in popularity with the advent of MPEG’s Dynamic Adaptive Streaming over HTTP (MPEG-DASH) and its use of the popular fragmented MP4 (fMP4) approach to delivery, the Adobe Primetime DRM that debuted alongside HDS is still in widespread use.
HLS is quite popular as a delivery format, in both MPEG-2 Transport Streams and fMP4, with the latter allowing HLS content to be securely delivered to both Apple and non-Apple devices using one of the common encryption schemes noted below.
Earlier in this blog post, I mentioned the Common Encryption Scheme (CENC) and the possible DRM choices available to content owners. Let’s wrap up the blog post by talking about how CENC fits in with fMP4 and the ISO Base Media File Format.
Initially, CENC provided for five DRM options:
- Adobe Primetime DRM
- Marlin DRM
- PlayReady DRM
- Widevine Modular DRM
- Irdeto Protection System
Over the past few years, two additional DRM schemes were added — Latens DRM for DASH and ViaccessOrca for DASH — to bring the total to seven schemes that should be available to content owners and rights holders.
Various players and media servers, however, often only support a subset of the seven. Unified Streaming, for instance, supports Adobe Primetime, Latens, Marlin, PlayReady, and Widevine. And a number of smart televisions only support one or, at the most, two of the CENC DRM options.
As a result of the different levels of support for CENC, and given the number of new end-user devices appearing every year, there are now specialized services that offer multiple DRM license servers and maintain lists of end-user devices to ensure that each can play content protected by DRM. EZDRM is one example of a company that offers DRM services that allow content and rights owners to guarantee their content will be delivered on all devices to which they want the content delivered.
Finally, it’s important to note that, according to W3C standards, ISO Base Media File Format (MP4) content that uses CENC must be encrypted with AES-128 to “enable multiple Key Systems to decrypt the same media content.”
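How one encrypted file serves several Key Systems, as an added example that is not from the original post: under Common Encryption each DRM system gets its own `pssh` (Protection System Specific Header) box in the MP4, while all of them reference the same key IDs. The `pssh` box and the two SystemIDs are not named on this page; the SystemIDs are the published Widevine and PlayReady values, the sample boxes are constructed, and the parser assumes a flat run of boxes with 32-bit sizes (for example the children of `moov`).

```python
import struct
import uuid

# Published CENC SystemIDs for two of the DRM systems named above (values not on the page).
SYSTEM_NAMES = {
    uuid.UUID("edef8ba9-79d6-4ace-a3c8-27dcd51d21ed"): "Widevine",
    uuid.UUID("9a04f079-9840-4286-ab92-e65be0885f95"): "PlayReady",
}


def make_pssh(system_id, key_ids, data=b""):
    """Build a version-1 'pssh' box; used here only to construct sample input."""
    body = b"\x01\x00\x00\x00" + system_id.bytes  # version 1, flags 0
    body += struct.pack(">I", len(key_ids)) + b"".join(k.bytes for k in key_ids)
    body += struct.pack(">I", len(data)) + data
    return struct.pack(">I4s", 8 + len(body), b"pssh") + body


def parse_pssh_boxes(buf):
    """Walk sibling ISO BMFF boxes; return (system, [key IDs]) for each 'pssh' box."""
    found, pos = [], 0
    while pos + 8 <= len(buf):
        size, box_type = struct.unpack_from(">I4s", buf, pos)
        if size < 8 or pos + size > len(buf):  # also rejects 64-bit and to-end-of-file sizes
            raise ValueError(f"bad box size {size} at offset {pos}")
        if box_type == b"pssh":
            if size < 32:
                raise ValueError("truncated pssh box")
            box = buf[pos:pos + size]
            system_id = uuid.UUID(bytes=box[12:28])
            key_ids = []
            if box[8] > 0:  # version 0 boxes carry no key-ID list
                (count,) = struct.unpack_from(">I", box, 28)
                if 32 + 16 * count > size:
                    raise ValueError("key-ID list overruns box")
                key_ids = [uuid.UUID(bytes=box[32 + 16 * i:48 + 16 * i]) for i in range(count)]
            found.append((SYSTEM_NAMES.get(system_id, str(system_id)), key_ids))
        pos += size
    return found


def shared_key_ids(boxes):
    """Key IDs advertised by every DRM system in the file."""
    sets = [set(kids) for _, kids in boxes]
    return set.intersection(*sets) if sets else set()
```

A non-empty result from `shared_key_ids` means the same encrypted samples can be unlocked through any of the listed license systems, which is what lets a packager encrypt once and serve devices that support different DRMs.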
As you can see, DRM is integral not just for piracy abatement, but also as a tool for basic business decisions around premium content. From geofencing and geo-blocking to integrations with authentication systems, the use of DRM can allow global content rollouts across countries and regions to be semi-automated — while still allowing the content to be cached to those locations ahead of time.
About Tim Siglin
Tim Siglin, who has over two decades of streaming media design and consulting experience, and an additional 10 years in video conferencing and media production, has written for Streaming Media magazine and other publications for 23 years. He has an MBA in International Entrepreneurship and currently serves as the founding executive director of Help Me Stream Research Foundation, a 501(c)3 dedicated to assisting NGOs in emerging markets with the technologies needed to deliver critical educational messages to under-served populations.