
Content protection with DRM

DRM (Digital Rights Management) is a content protection method where the content is encrypted and decrypted by a pair of keys that are generated by the key server of the DRM system.

This page describes the settings that apply to all DRM systems supported by Flussonic.

To learn how to set up a specific DRM system, follow the links below. Flussonic Media Server supports the following DRM systems:

The mechanism of DRM

In the HLS specification Apple describes two standard encryption algorithms: AES-128 and SAMPLE-AES. Flussonic Media Server supports both of them.

The algorithms use different encryption methods, but the concept stays the same. Here is how it is done in Flussonic:

  1. Flussonic requests and retrieves an encryption key from a key server along with the URL of this key.
  2. The client receives the encrypted content and the URL of the decryption key from the Flussonic server.
  3. The key server receives a request from the client and then decides whether or not it should send a decryption key in response.

If the client receives the video from Flussonic over a secure channel and fetches the key from the key server over HTTPS, you can reasonably expect it to decrypt and play the video without the content being compromised.

Live streams and VOD files use the same encryption mechanism.

Setting up encryption in general

Flussonic Media Server stores all content in an unencrypted form. Content gets encrypted only when Flussonic transmits it to the client.

To turn on encryption, add the drm parameter to the configuration entry of a stream or VOD location in the configuration file (/etc/flussonic/flussonic.conf). Then specify the DRM encryption method and the DRM key server (some other information may be required depending on the DRM system).

stream channel0 {
  input fake://fake;
  drm aes128 keyserver=http://examplehost:5000/cas-server;
}

You can also enable this option through the Flussonic UI. To do that:

  • Go to Media -> Streams and click the name of the stream you want to protect.
  • In the stream settings open the Auth tab and find the Require DRM authorization section. Then choose the DRM system from the list and provide the required information:

[Screenshot: DRM settings in the Flussonic UI]

Service-specific DRM settings can be found in the relevant sections of this manual (see the links at the beginning of the page). Find the latest list of settings for each DRM service in the Flussonic API reference.

As soon as the configuration has been saved, Flussonic will encrypt the content for all the protocols that are supported by the specified DRM.

You can also edit DRM settings by providing the drm parameter in the Flussonic API request PUT /streams/{name}.

You will see the following alert on the Overview tab of the stream settings:

[Screenshot: DRM alert on the Overview tab]

HLS playback options

For successful playback of AES-128 encrypted HLS streams on some modern devices (for example, those running Tizen 5), add the option hls_ext_x_key_iv=false:

stream channel0 {
  input fake://fake;
  drm aes128 keyserver=http://examplehost:5000/cas-server hls_ext_x_key_iv=false;
}

Restricting playback via certain protocols

Danger

Make sure you disable all the protocols that do not support the specified DRM. For example, if an encryption method is supported by HLS, but the DASH protocol is left enabled, users can potentially play the video via DASH, bypassing the content protection.

To avoid situations like this, disable all unnecessary protocols for the stream or files:

stream channel0 {
  input udp://239.0.0.1:1234;
  protocols hls;
  drm aes128 keyserver=http://examplehost:5000/cas-server;
}
vod vod_files {
  storage /storage;
  protocols hls;
  drm aes128 keyserver=http://examplehost:5000/cas-server;
}

In the example above a user can access the video only over HLS.

DRM for VOD files

When streaming VOD files with DRM encryption, the external key server cannot distribute keys directly, because it does not know when a file will be opened.

To solve this problem, configure the file to access a key server directly:

vod vod_files {
  storage /storage;
  protocols dash hls;
  drm aes128 keyserver=http://examplehost:5000/cas-server;
}

Flussonic then sends an HTTP GET request with a ?file= parameter to the key server when the file is accessed, for example: http://examplehost:5000/cas-server?file=drm/bunny.mp4

Flussonic expects a response body whose first 32 bytes are the hexadecimal representation of the encryption key. The response must also carry an X-Key-Url HTTP header, which Flussonic forwards to the client. The X-Key-Url header should contain a 16-byte-long decryption key (NOT in hexadecimal form).
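As an added example (not Flussonic's own code), here is a minimal key server for the AES-128 exchange described above: it answers Flussonic's ?file= request with the hex key in the body plus an X-Key-Url header, and releases the raw 16-byte key to players only after an entitlement check. The /client-key path, the token check and the in-memory key store are assumptions made for illustration.

```python
import secrets
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qs, urlparse

# Assumed, not from the page: the player-facing URL handed out in X-Key-Url.
CLIENT_KEY_BASE = "https://keys.example.invalid/client-key"
DEMO_TOKEN = "demo-token"  # constructed stand-in for a real entitlement check
# Key store: file name -> raw 16-byte AES-128 key. In-memory here; a real server
# must persist keys, because DVR playback needs every old key for the archive depth.
_KEYS: Dict[str, bytes] = {}

def flussonic_key_response(file_name: str) -> Tuple[str, Dict[str, str]]:
    """Answer Flussonic's GET /cas-server?file=<name>: the body carries the key as
    32 hex characters and X-Key-Url is what Flussonic forwards to the player."""
    key = _KEYS.setdefault(file_name, secrets.token_bytes(16))
    return key.hex(), {"X-Key-Url": f"{CLIENT_KEY_BASE}?file={file_name}"}

def client_key_response(file_name: str, token: Optional[str]) -> Optional[bytes]:
    """Answer the player's fetch of X-Key-Url with the raw 16-byte key, or None to
    refuse: this is where the key server decides whether to release the key."""
    if token is None or not secrets.compare_digest(token, DEMO_TOKEN):
        return None
    return _KEYS.get(file_name)

class KeyServer(BaseHTTPRequestHandler):
    def do_GET(self) -> None:
        url = urlparse(self.path)
        query = parse_qs(url.query)
        file_name = query.get("file", [""])[0]
        if url.path == "/cas-server":  # request from Flussonic
            body, headers = flussonic_key_response(file_name)
            self._reply(200, body.encode(), headers)
        elif url.path == "/client-key":  # request from the player
            key = client_key_response(file_name, query.get("token", [None])[0])
            if key is None:
                self._reply(403, b"", {})
            else:
                self._reply(200, key, {"Content-Type": "application/octet-stream"})
        else:
            self._reply(404, b"", {})

    def _reply(self, status: int, body: bytes, headers: Dict[str, str]) -> None:
        self.send_response(status)
        for name, value in headers.items():
            self.send_header(name, value)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

if __name__ == "__main__":  # listens on the port used in the config examples above
    HTTPServer(("127.0.0.1", 5000), KeyServer).serve_forever()
```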

DRM protection of DVR archives

Archives are encrypted segment by segment with a key that rotates every 10 minutes. A new key is requested from the DRM server with every rotation.

Warning

For DRM protection to work on the DVR archive, the key server must store all the old keys (old URLs) for a time period equal to the depth of the archive.

Enabling encryption of all frames

By default Flussonic encrypts only key frames. In most cases this is enough to protect the stream from unauthorized access, and it also reduces power consumption when decrypting on the client side. However, some Smart TVs and STBs require all frames to be encrypted.

To enable encryption of all frames, use the encryption=full option when configuring DRM.

To enable encryption of only key frames, use the encryption=sparse option.

stream channel0 {
  url fake://fake;
  protocols dash hls;
  drm aes128 keyserver=http://examplehost:5000/cas-server encryption=full;
}

Encryption key rotation

Many DRM servers rotate license keys to improve security. By default, Flussonic does not rotate the encryption keys. To enable rotation and set the key rotation interval, use the expires option and specify the required time in minutes.

stream channel1 {
  url fake://fake;
  protocols dash hls;
  drm aes128 keyserver=http://examplehost:5000/cas-server expires=60;
}

When the expires option is used, the drm_id is generated automatically with each new request for an encryption key.

Warning

Enabling the expires option means regularly fetching new encryption keys from the key server. Depending on the terms of service, the DRM provider may charge for each key issued. We recommend checking your agreement with the DRM provider before enabling the expires option.

CPIX API

CPIX is an open specification developed by DASH-IF that provides an XML-based interoperable format for exchanging content protection configurations between different systems.

Flussonic Media Server supports the CPIX API, so any DRM provider that supports the CPIX API can integrate with Flussonic.

CPIX uses the following XML schema to describe the data used for key exchange.

Configuring CPIX DRM

To enable DRM protection with the CPIX key exchange format, specify your key server with the drm cpix option.

For a stream:

stream mystream {
  input udp://239.0.0.1:1234;
  protocols dash hls mss;
  resource_id MYSTREAM;
  drm cpix keyserver=http://my.keyserver;
}

For a file:

vod drm {
  storage /storage/vod;
  protocols dash hls mss;
  drm cpix keyserver=http://my.keyserver;
}

Note that a VOD location has no meta option, so for files you must put the custom content ID (drm_id) in the *.cpix_id file. The drm_id is used as the id in the CPIX requests.

Request example

When the stream mystream is requested, Flussonic sends a POST request to the URL http://my.keyserver with the following payload body:

<?xml version="1.0" encoding="UTF-8"?>
<cpix:CPIX xmlns:cpix="urn:dashif:org:cpix" xmlns:pskc="urn:ietf:params:xml:ns:keyprov:pskc" xmlns:speke="urn:aws:amazon:com:speke" id="MYSTREAM">
  <cpix:ContentKeyList>
    <cpix:ContentKey kid="2d70751b-972e-1479-7ef9-9fc835860120"/>
  </cpix:ContentKeyList>
  <cpix:DRMSystemList>
    <!-- Widevine -->
    <cpix:DRMSystem kid="2d70751b-972e-1479-7ef9-9fc835860120" systemId="edef8ba9-79d6-4ace-a3c8-27dcd51d21ed"/>
    <!-- PlayReady -->
    <cpix:DRMSystem kid="2d70751b-972e-1479-7ef9-9fc835860120" systemId="9a04f079-9840-4286-ab92-e65be0885f95"/>
    <!-- FairPlay -->
    <cpix:DRMSystem kid="2d70751b-972e-1479-7ef9-9fc835860120" systemId="94ce86fb-07ff-4f43-adb8-93d2fa968ca2"/>
  </cpix:DRMSystemList>
</cpix:CPIX>

The fields used in the request and response, such as ContentKeyList and DRMSystemList, are described in the DASH-IF Implementation Guidelines: Content Protection Information Exchange Format.

Response example

Flussonic expects a response of the following form:

<?xml version="1.0" encoding="UTF-8"?>
<cpix:CPIX xmlns:cpix="urn:dashif:org:cpix" xmlns:pskc="urn:ietf:params:xml:ns:keyprov:pskc" xmlns:speke="urn:aws:amazon:com:speke" id="MYSTREAM">
  <cpix:ContentKeyList>
    <cpix:ContentKey explicitIV="" kid="2d70751b-972e-1479-7ef9-9fc835860120">
      <cpix:Data>
        <pskc:Secret>
          <pskc:PlainValue>iufSFDzgKQ+6pnV88WyZnA==</pskc:PlainValue>
        </pskc:Secret>
      </cpix:Data>
    </cpix:ContentKey>
  </cpix:ContentKeyList>
  <cpix:DRMSystemList>
    <cpix:DRMSystem kid="2d70751b-972e-1479-7ef9-9fc835860120" systemId="94ce86fb-07ff-4f43-adb8-93d2fa968ca2">
      <cpix:URIExtXKey>aHR0cHM6Ly83azR5dHV4cTVkLmV4ZWN1dGUtYXBpLnVzLXdlc3QtMi5hbWF6b25hd3MuY29tL0VrZVN0YWdlL2NsaWVudC9hYmMxMjMvOThlZTU1OTYtY2QzZS1hMjBkLTE2M2EtZTM4MjQyMGM2ZWZm</cpix:URIExtXKey>
    </cpix:DRMSystem>
    <cpix:DRMSystem kid="2d70751b-972e-1479-7ef9-9fc835860120" systemId="edef8ba9-79d6-4ace-a3c8-27dcd51d21ed">
      <cpix:PSSH>AAAAd3Bzc2gAAAAA7e+LqXnWSs6jyCfc1R0h7QAAAFcIARIQzLxOBq/7WMlQjQ4jrSMwnxoIbW92aWRvbmUiM3sia2lkIjoiekx4T0JxXC83V01sUWpRNGpyU013bnc9PSIsInRyYWNrcyI6WyJTRCJdfSoCU0Q=</cpix:PSSH>
    </cpix:DRMSystem>
    <cpix:DRMSystem kid="2d70751b-972e-1479-7ef9-9fc835860120" systemId="9a04f079-9840-4286-ab92-e65be0885f95">
      <speke:ProtectionHeader>...</speke:ProtectionHeader>
      <cpix:PSSH>...</cpix:PSSH>
    </cpix:DRMSystem>
  </cpix:DRMSystemList>
</cpix:CPIX>
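As an added example (not Flussonic's or DASH-IF's code), the following builds the CPIX request shown above for a given drm_id and kid, and validates a key server response the way an integrator would want to before trusting it: same id and kid as requested, a base64 key that decodes to exactly 16 bytes, and the per-system PSSH or key URI. The sample response is constructed, modelled on the page's example with the same kid and key value.

```python
import base64
import xml.etree.ElementTree as ET
from typing import Dict

NS = {"cpix": "urn:dashif:org:cpix", "pskc": "urn:ietf:params:xml:ns:keyprov:pskc",
      "speke": "urn:aws:amazon:com:speke"}
SYSTEMS = {"widevine": "edef8ba9-79d6-4ace-a3c8-27dcd51d21ed",  # system IDs from the page
           "playready": "9a04f079-9840-4286-ab92-e65be0885f95",
           "fairplay": "94ce86fb-07ff-4f43-adb8-93d2fa968ca2"}
for prefix, uri in NS.items():
    ET.register_namespace(prefix, uri)

def build_cpix_request(drm_id: str, kid: str) -> bytes:
    """Build the POST body Flussonic sends: one ContentKey plus one DRMSystem per system."""
    root = ET.Element(f"{{{NS['cpix']}}}CPIX", {"id": drm_id})
    keys = ET.SubElement(root, f"{{{NS['cpix']}}}ContentKeyList")
    ET.SubElement(keys, f"{{{NS['cpix']}}}ContentKey", {"kid": kid})
    systems = ET.SubElement(root, f"{{{NS['cpix']}}}DRMSystemList")
    for system_id in SYSTEMS.values():
        ET.SubElement(systems, f"{{{NS['cpix']}}}DRMSystem", {"kid": kid, "systemId": system_id})
    return ET.tostring(root, encoding="utf-8", xml_declaration=True)

def parse_cpix_response(xml_bytes: bytes, expected_id: str, expected_kid: str) -> Dict:
    """Validate a key server response: same id and kid as requested, a 16-byte
    AES-128 key, and per-system data (PSSH, FairPlay key URI) keyed by systemId."""
    root = ET.fromstring(xml_bytes)
    if root.get("id") != expected_id:
        raise ValueError("response is for a different content id")
    ck = root.find("cpix:ContentKeyList/cpix:ContentKey", NS)
    if ck is None or ck.get("kid") != expected_kid:
        raise ValueError("ContentKey missing or kid mismatch")
    key = base64.b64decode(ck.findtext("cpix:Data/pskc:Secret/pskc:PlainValue", "", NS), validate=True)
    if len(key) != 16:
        raise ValueError("AES-128 key must be exactly 16 bytes")
    systems = {}
    for ds in root.findall("cpix:DRMSystemList/cpix:DRMSystem", NS):
        if ds.get("kid") != expected_kid:
            raise ValueError("DRMSystem refers to an unknown kid")
        systems[ds.get("systemId")] = {"pssh": ds.findtext("cpix:PSSH", None, NS),
                                       "key_uri_b64": ds.findtext("cpix:URIExtXKey", None, NS)}
    return {"key": key, "systems": systems}

KID = "2d70751b-972e-1479-7ef9-9fc835860120"
# Constructed sample response, modelled on the page's example (same kid and key value).
SAMPLE_RESPONSE = f"""<?xml version="1.0" encoding="UTF-8"?>
<cpix:CPIX xmlns:cpix="{NS['cpix']}" xmlns:pskc="{NS['pskc']}" id="MYSTREAM">
  <cpix:ContentKeyList><cpix:ContentKey kid="{KID}"><cpix:Data><pskc:Secret>
    <pskc:PlainValue>iufSFDzgKQ+6pnV88WyZnA==</pskc:PlainValue></pskc:Secret></cpix:Data></cpix:ContentKey></cpix:ContentKeyList>
  <cpix:DRMSystemList><cpix:DRMSystem kid="{KID}" systemId="{SYSTEMS['widevine']}"><cpix:PSSH>QUJD</cpix:PSSH></cpix:DRMSystem></cpix:DRMSystemList>
</cpix:CPIX>""".encode()
```

The PSSH value in the sample is a placeholder, not a real Widevine box.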

Flussonic-specific options you may want to know:

  • save_template — saves the keyserver response to a file.
  • dump_url — logs the requested URL.