Flussonic Media Server documentation

Content Protection with DRM

DRM (Digital Rights Management) is a content protection method where the content is encrypted and decrypted by using a pair of keys. The keys are generated by the DRM system's key server.

Flussonic Media Server supports the following DRM systems:

Many DRM servers rotate license keys in order to achieve better security. Flussonic rotates keys by itself — it requests a new key from a DRM key server every 10 minutes.

The mechanism of DRM

In the HLS specification, Apple describes two standard encryption algorithms: AES-128 and SAMPLE-AES. Flussonic Media Server supports both algorithms, and a number of DRM systems.

The algorithms use different encryption methods, but they all work in the same way:

  1. Flussonic requests and retrieves an encryption key from a key server along with the URL of this key.
  2. The client retrieves encrypted content and the URL of a decryption key from the Flussonic server.
  3. The key server receives a request from the client and then decides whether it should respond with a decryption key or not.

If the client receives video content from Flussonic over a secure channel and connects to the key server over HTTPS, it can most likely decrypt and play the video without exposing the decrypted content to illegitimate users.

Live streams and VOD files use the same encryption mechanism.

Setting up encryption in general

Flussonic Media Server stores all content in unencrypted form. Content gets encrypted only when Flussonic transmits it to the client.

To turn on encryption, you should add the drm line to the configuration entry of a stream or VOD location. Then specify the DRM encryption method and the DRM key server.

stream channel0 {
  url udp://239.0.0.1:1234;
  drm aes128 keyserver=http://192.168.0.80:4500/;
}

Service-specific DRM settings can be found in the relevant sections of this manual.

After you have saved the configuration, Flussonic will encrypt content for all protocols that can work with the specified DRM.

Warning! Make sure you disable all protocols that do not support the specified DRM. For example, if an encryption method is supported by HLS, but the HDS protocol has been left enabled, users can potentially play the video over HDS, bypassing the content protection.

stream channel0 {
  url udp://239.0.0.1:1234;
  rtsp off;
  rtmp off;
  hds off;
  mpegts off;
  dash off;
  drm aes128 keyserver=http://192.168.0.80:4500/;
}

file vod {
  rtsp off;
  rtmp off;
  hds off;
  mpegts off;
  dash off;
  drm aes128 keyserver=http://192.168.0.80:4500/;
}

In the example above, a user can access video only over HLS.
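A check for the warning above, added here as an example (not Flussonic's own tooling): it scans configuration text for stream and file blocks that set drm but leave other protocols enabled. It assumes flat blocks with no nested braces, as in the examples on this page, and that the protocols to disable are the five this page's example switches off; `find_drm_bypasses`, `NON_DRM_PROTOCOLS` and the sample configuration are constructed for illustration.

```python
import re

# Assumption: the protocols that must be off for "drm aes128" are the five
# that this page's example disables; extend the set for your deployment.
NON_DRM_PROTOCOLS = {"rtsp", "rtmp", "hds", "mpegts", "dash"}

# Assumption: flat "stream NAME { ... }" / "file NAME { ... }" blocks with no
# nested braces, as in the examples on this page.
BLOCK_RE = re.compile(r"^\s*(stream|file)\s+(\S+)\s*\{([^{}]*)\}", re.M)


def find_drm_bypasses(config_text):
    """Map each DRM-enabled block to the protocols it leaves enabled."""
    findings = {}
    for kind, name, body in BLOCK_RE.findall(config_text):
        # Each statement is "directive arg ...;" -> list of tokens.
        statements = [s.split() for s in body.split(";") if s.strip()]
        if not any(s[0] == "drm" for s in statements):
            continue  # no DRM on this block, nothing to bypass
        disabled = {s[0] for s in statements if s[1:] == ["off"]}
        exposed = NON_DRM_PROTOCOLS - disabled
        if exposed:
            findings[f"{kind} {name}"] = sorted(exposed)
    return findings


# Constructed sample: DRM with nothing disabled, DRM fully locked down,
# and a VOD location that disables only some protocols.
SAMPLE_CONFIG = """
stream channel0 {
  url udp://239.0.0.1:1234;
  drm aes128 keyserver=http://192.168.0.80:4500/;
}
stream channel1 {
  url udp://239.0.0.2:1234;
  rtsp off; rtmp off; hds off; mpegts off; dash off;
  drm aes128 keyserver=http://192.168.0.80:4500/;
}
file vod {
  path priv;
  hds off; rtmp off;
  drm aes128 keyserver=http://192.168.0.80:4500/;
}
"""

if __name__ == "__main__":
    for block, protocols in find_drm_bypasses(SAMPLE_CONFIG).items():
        print(f"{block}: drm set, still reachable over {', '.join(protocols)}")
```

Run it against a saved configuration before reloading the server; an empty result means every DRM-enabled block has the listed protocols switched off.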

DRM for VOD files

When streaming VOD files with DRM, the external key server cannot distribute keys directly, because it does not know when a file will be opened.

To work around this problem, configure the file for accessing a key server directly:

file drm {
  path priv;
  hds off;
  rtmp off;
  rtsp off;
  dash off;
  drm aes128 keyserver=http://192.168.0.80:4500/;
}

In this configuration, Flussonic will send an HTTP GET request to the key server with a ?file= parameter when the file is accessed: http://192.168.0.80:4500/?file=drm/bunny.mp4

In response, Flussonic expects data in which the first 32 bytes are a hexadecimal representation of an encryption key. The response should also contain an X-Key-Url HTTP header, which will be forwarded to the client. The X-Key-Url header should contain a 16-byte-long decryption key (NOT in hexadecimal form).

DRM protection of DVR archives

Archives are encrypted segment by segment with a key that rotates every 10 minutes. At every rotation, a new key is requested from the DRM server.

Important! For DRM protection to work on the DVR archive, the key server must store all old keys (at old URLs) for a time equal to the depth of the archive.