How to secure Smooth Streaming using PlayReady DRM (Silverlight)

    There are several ways to protect Smooth Streaming using PlayReady DRM. This article tries to cover all the options. Many of the descriptions in this article assume familiarity with PlayReady protection and the PlayReady SDK. A Wowza media server doesn't function as a PlayReady key server. Instead, it can be used to deliver pre-encrypted content, or it can encrypt and deliver content on-the-fly. Each section in this article describes a different means of protecting content using a Wowza media server.

    Wowza DRM

    You can use Wowza DRM with Wowza media server software to enable direct integration with several third-party PlayReady vendors such as EZDRM. When using this option, you'll be using the PlayReady key server provided by the third-party vendor. Wowza DRM includes a direct integration with the third-party key server to acquire the encryption keys and license URLs needed to protect your content. Visit the page below for more detailed information:

    Pre-encrypted Video On Demand Content

    If you have video-on-demand content that's protected using PlayReady DRM (such as content encoded and encrypted using the Microsoft Expression Encoder), then this content can be streamed directly from a Wowza media server while maintaining the PlayReady protection. When using this option, you'll need to provide your own PlayReady key server.

    There are no additional steps needed to stream already PlayReady protected content. See How to play a video on demand file to stream video-on-demand content using Smooth Streaming.

    On-the-Fly PlayReady Encryption Using Key Files

    Video on demand and live content can be PlayReady encrypted on-the-fly using key files. When using this option, you'll need to provide your own PlayReady key server. Key files are text files that are located in the [install-dir]/keys folder that match the stream name of the stream you're playing with the addition of a .key extension. For example, if you're interested in protecting the live stream myStream, then you create a key file with the following path:
    [install-dir]/keys/myStream.key
    The naming is similar for a video-on-demand stream. To protect the stream sample.mp4, create a key file with the following path:
    [install-dir]/keys/sample.mp4.key
    If the stream is at a path location such as [install-dir]/content/myfiles/sample.mp4, then the key file should be at a parallel location in the key folder:
    [install-dir]/keys/myfiles/sample.mp4.key
    The key file is a text file that has the following content:
    smoothstreaming-playready-key-id: F6005DCF-7F93-4B8E-85C7-F977740DA059
    smoothstreaming-playready-license-url: http://myplayreadyserver.com/authenticate.aspx
    smoothstreaming-playready-content-key: Tc2cQBPC/paTkftvaITCSQ==
    smoothstreaming-playready-checksum: vbxgstjfSQY=
    smoothstreaming-playready-algorithm: AESCTR
    Note: The above keys are fabricated and won't function properly to encrypt/decrypt content. It's best to use the PlayReady SDK to generate a proper set of keys for testing.
    To use this method of PlayReady protection, you must have a PlayReady SDK and a means to obtain the above information. Here's a description of each of the items in this file:

    • smoothstreaming-playready-key-id: The key ID for this asset.
    • smoothstreaming-playready-license-url: The license URL that's used by the player to authenticate the player and retrieve the decryption key needed for playback.
    • smoothstreaming-playready-content-key: The actual content encryption key (128-bit key), Base64 encoded.
    • smoothstreaming-playready-checksum: The special checksum of the key ID that's needed to authenticate the player.
    • smoothstreaming-playready-algorithm: The encryption algorithm. The most common value is AESCTR.
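
    A key file can be checked before it is deployed. The following is an added example, not Wowza's code: it parses the key file format shown above, checks the shape of each field, and reports whether the file holding the content key is readable by other accounts. The function names are hypothetical, and the 8-byte checksum length is an assumption based on the sample value and the PlayReady AESCTR checksum format.

```python
import base64, binascii, os, re, stat
from urllib.parse import urlparse

PREFIX = "smoothstreaming-playready-"
REQUIRED = ("key-id", "license-url", "content-key", "checksum", "algorithm")
GUID_RE = re.compile(r"[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}")

# Constructed sample: the fabricated values from the article above.
SAMPLE = """\
smoothstreaming-playready-key-id: F6005DCF-7F93-4B8E-85C7-F977740DA059
smoothstreaming-playready-license-url: http://myplayreadyserver.com/authenticate.aspx
smoothstreaming-playready-content-key: Tc2cQBPC/paTkftvaITCSQ==
smoothstreaming-playready-checksum: vbxgstjfSQY=
smoothstreaming-playready-algorithm: AESCTR
"""

def parse_key_file(text):
    """Split 'name: value' lines on the first colon only (URLs contain colons)."""
    fields = {}
    for line in text.splitlines():
        name, sep, value = line.strip().partition(":")
        if sep and name.startswith(PREFIX):
            fields[name[len(PREFIX):]] = value.strip()
    return fields

def decoded_len(value):
    """Length of strictly decoded Base64, or -1 if it is not valid Base64."""
    try:
        return len(base64.b64decode(value, validate=True))
    except (binascii.Error, ValueError):
        return -1

def validate_key_file(text):
    """Return a list of problems; an empty list means the file is well-formed."""
    f = parse_key_file(text)
    problems = ["missing " + PREFIX + k for k in REQUIRED if not f.get(k)]
    if f.get("key-id") and not GUID_RE.fullmatch(f["key-id"]):
        problems.append("key-id is not a GUID")
    if f.get("content-key") and decoded_len(f["content-key"]) != 16:
        problems.append("content-key is not 16 bytes (128 bits)")
    if f.get("checksum") and decoded_len(f["checksum"]) != 8:  # assumed AESCTR size
        problems.append("checksum is not 8 bytes")
    url = urlparse(f.get("license-url", ""))
    if f.get("license-url") and (url.scheme not in ("http", "https") or not url.netloc):
        problems.append("license-url is not an absolute http(s) URL")
    return problems

def readable_by_others(path):
    """True if group/other permission bits are set on a file holding the content key."""
    return bool(stat.S_IMODE(os.stat(path).st_mode) & 0o077)
```

    An empty list from validate_key_file(SAMPLE) means the fields are well-formed; it does not prove that the keys match what the key server issues.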

    With key files in place, every stream that has a key file is encrypted using PlayReady encryption before being delivered. For a video-on-demand stream, the following log statement appears when playback begins to indicate that the session is encrypted:

    LiveStreamPacketizerSmoothStreaming.init[vod/_definst_/sample.mp4]: PlayReady encrypted AESCTR: keyId: F6005DCF-7F93-4B8E-85C7-F977740DA059

    For live streaming, a similar message appears in the log files when Smooth Streaming packetization begins:

    LiveStreamPacketizerSmoothStreaming.init[live/_definst_/myStream]: PlayReady encrypted AESCTR: keyId: F6005DCF-7F93-4B8E-85C7-F977740DA059

    It's best to get unencrypted live or video-on-demand streaming using Smooth Streaming working first by following the tutorials in the Tutorials section.

    After you have this working, follow these instructions to protect the stream using PlayReady. Another debugging method to ensure the Smooth Stream is PlayReady protected is to download the Manifest data directly to the browser window by entering the Manifest URL into the browser address field. If the stream is properly PlayReady encrypted, when you scroll down to the bottom of the Manifest XML data you should see a <Protection> section that contains the PlayReady data.
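
    The manifest check described above can be scripted. The following is an added example, not Wowza's code: it assumes the <Protection> section follows the standard Smooth Streaming client manifest layout (a Base64 PlayReady Header Object inside a ProtectionHeader element) and returns the key ID, license URL, checksum and algorithm that players will see. The function names and the sample manifest are constructed for illustration.

```python
import base64
import struct
import xml.etree.ElementTree as ET

PLAYREADY_SYSTEM_ID = "9A04F079-9840-4286-AB92-E65BE0885F95"

def wrm_header_xml(pro):
    """Extract the rights management header (record type 1) from a PlayReady Header Object."""
    total_len, count = struct.unpack_from("<IH", pro, 0)
    if total_len != len(pro):
        raise ValueError("PlayReady object length does not match the data")
    offset = 6
    for _ in range(count):
        rtype, rlen = struct.unpack_from("<HH", pro, offset)
        value = pro[offset + 4:offset + 4 + rlen]
        if len(value) != rlen:
            raise ValueError("truncated PlayReady record")
        if rtype == 1:
            return value.decode("utf-16-le")
        offset += 4 + rlen
    raise ValueError("no rights management header record")

def manifest_protection(manifest_xml):
    """Return KID/LA_URL/CHECKSUM/ALGID from the manifest, or None if it is unprotected."""
    header = ET.fromstring(manifest_xml).find("./Protection/ProtectionHeader")
    if header is None:
        return None
    if header.get("SystemID", "").strip("{}").upper() != PLAYREADY_SYSTEM_ID:
        raise ValueError("protection header is not PlayReady")
    wrm = ET.fromstring(wrm_header_xml(base64.b64decode((header.text or "").strip())))
    wanted = ("KID", "LA_URL", "CHECKSUM", "ALGID")
    return {el.tag.split("}")[-1]: (el.text or "").strip()
            for el in wrm.iter() if el.tag.split("}")[-1] in wanted}

def build_sample_manifest(protected=True):
    """Constructed test manifest; the KID is a placeholder of 16 zero bytes."""
    wrm = ('<WRMHEADER xmlns="http://schemas.microsoft.com/DRM/2007/03/PlayReadyHeader" '
           'version="4.0.0.0"><DATA><PROTECTINFO><KEYLEN>16</KEYLEN><ALGID>AESCTR</ALGID>'
           '</PROTECTINFO><KID>AAAAAAAAAAAAAAAAAAAAAA==</KID><CHECKSUM>vbxgstjfSQY=</CHECKSUM>'
           '<LA_URL>http://myplayreadyserver.com/authenticate.aspx</LA_URL></DATA></WRMHEADER>')
    data = wrm.encode("utf-16-le")
    pro = struct.pack("<IHHH", 10 + len(data), 1, 1, len(data)) + data
    section = ('<Protection><ProtectionHeader SystemID="%s">%s</ProtectionHeader></Protection>'
               % (PLAYREADY_SYSTEM_ID, base64.b64encode(pro).decode()))
    return ('<SmoothStreamingMedia MajorVersion="2" MinorVersion="0" Duration="0">'
            + (section if protected else "") + '</SmoothStreamingMedia>')
```

    A None result for a stream that should be protected means it is being delivered in the clear. Comparing the returned LA_URL with the configured license URL catches a mismatched key file.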

    On-the-Fly PlayReady Encryption Using Server-side API

    Similar to the key files described above, Smooth Streaming streams can be protected using key data passed to a Wowza media server using the server-side API. There are two methods (one for video on demand and one for live) that can be added to a server-side module to control PlayReady encryption.

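    Video on Demand PlayReady Protection

    // Invoked each time a Smooth Streaming video-on-demand session starts.
    // The values below are the fabricated sample values from the key file above.
    public void onHTTPSmoothStreamingPlayReadyCreateVOD(HTTPStreamerSessionSmoothStreamer httpSession, PlayReadyKeyInfo playReadyKeyInfo)
    {
        playReadyKeyInfo.setLicenseURL("http://myplayreadyserver.com/authenticate.aspx");
        playReadyKeyInfo.setChecksum(Base64.decode("vbxgstjfSQY="));
        // Key ID GUID with the dashes removed, decoded from hex into bytes
        playReadyKeyInfo.setKeyId(BufferUtils.decodeHexString("F6005DCF-7F93-4B8E-85C7-F977740DA059".replace("-", "")));
        // 128-bit content encryption key, Base64 decoded
        playReadyKeyInfo.setContentKey(Base64.decode("Tc2cQBPC/paTkftvaITCSQ=="));
    }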
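
    Live Streaming PlayReady Protection

    // Invoked when packetization starts for a live Smooth Stream.
    // The values below are the fabricated sample values from the key file above.
    public void onHTTPSmoothStreamingPlayReadyCreateLive(IApplicationInstance appInstance, String streamName, PlayReadyKeyInfo playReadyKeyInfo)
    {
        playReadyKeyInfo.setLicenseURL("http://myplayreadyserver.com/authenticate.aspx");
        playReadyKeyInfo.setChecksum(Base64.decode("vbxgstjfSQY="));
        // Key ID GUID with the dashes removed, decoded from hex into bytes
        playReadyKeyInfo.setKeyId(BufferUtils.decodeHexString("F6005DCF-7F93-4B8E-85C7-F977740DA059".replace("-", "")));
        // 128-bit content encryption key, Base64 decoded
        playReadyKeyInfo.setContentKey(Base64.decode("Tc2cQBPC/paTkftvaITCSQ=="));
    }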

    The onHTTPSmoothStreamingPlayReadyCreateVOD method is invoked each time a Smooth Streaming video-on-demand session is started. If you don't set any playReadyKeyInfo key information in this method, then the stream won't be encrypted. If you set the playReadyKeyInfo information, then the stream will be encrypted.

    The onHTTPSmoothStreamingPlayReadyCreateLive method works in a similar manner. It's invoked when packetization is started for a live Smooth Stream. In this case, the live stream is encrypted once and all sessions will share the same PlayReady key information. When using this option, you must provide your own PlayReady key server.

    Note: To get started with Wowza media server server-side programming, use the Wowza IDE.

    nDVR Specific Instructions


    There are a couple of instructions that are unique to DRM with nDVR.

    • For nDVR, use a URL with the ?dvr query parameter:
      http://[wowza-ip-address]:1935/[application-name]/[stream-name]/Manifest?dvr
    • The DRM module must be enabled during nDVR recording and playback.

    • When using nDVR in an origin-edge scenario, the DRM module must be enabled on both origin and edge.

    • In origin-edge mode, both origin and edges use a common shared secret string to encrypt data sent between instances. The dvrEncryptionSharedSecret or liveRepeaterEncryptionSharedSecret properties can be used to customize the shared secret that's used. See nDVR advanced configuration for specific uses of these properties.


    Originally Published: 11-15-2011.
