February 12, 2015

HLS AES encryption support for DRM in Nimble Streamer

Nimble Streamer supports variety of features for HLS, including big feature set for live streaming. In order for HLS to support secure streaming, the initial HLS RFC has a description of protection mechanism based on AES-128 encryption. This allows covering Digital Right Management (DRM) use cases.

Nimble Streamer has now encryption support. It allows encrypting chunks using DRM key specified by server admin. It supports the following key scenarios

  1. Nimble hosts the key URL and uses it for giving out the key.
  2. External key URL is used for the cases when a customer needs additional authentication for a key.

Let's review each scenario separately. We assume that your system administrator has already installed and set up Nimble Streamer and it has streams ready to be protected by DRM.

Note, that Nimble Streamer encrypts only self-produced HLS streams, those can be VOD streams or transmuxed Live streams. Therefore, HLS encryption can't be applied to re-streaming scenarios.

1. Using encryption key hosted by Nimble


In this scenario the DRM AES-128 encryption key is provided by Nimble itself. Let's go step by step to see how it is set up and used.

The whole scenario is shown on the following sequence diagram.
AES DRM encryption workflow with Nimble Streamer hosting the DRM key.



1.1 DRM key setup


Server administrator goes to Servers menu, selects Nimble Streamer instance and clicks on DRM Setup.

This opens a dialog shown below.


The DRM key field has the key used for further DRM encryption. You may re-generate the key any time. Clicking Save brings the value to the Nimble Streamer instance.

1.2 Playlist and key exchange


When the visitor wants to play the media, the player requests a stream playlist from Nimble Streamer. The playlist is returned with chunk-list (nested playlist), which content is similar to the one listed below.
#EXTM3U
#EXT-X-VERSION:3
#EXT-X-TARGETDURATION:10
#EXT-X-MEDIA-SEQUENCE:0
#EXT-X-KEY:METHOD=AES-128,URI="hls.key?nimblesessionid=5"
#EXTINF:3.75,
n_0.ts?nimblesessionid=5
#EXTINF:7.5,
n_1.ts?nimblesessionid=5
#EXTINF:7.5,
n_2.ts?nimblesessionid=5
In EXT-X-KEY field you may see the URI which is used for returning the encryption key assigned at step 1.1. This URI is hosted by Nimble instance itself.
The player downloads the key and starts requesting chunks.

1.3 Chunks processing


When Nimble gets the request for a chunk from player, that chunk is being encrypted by AES-128 using the assigned encryption key. Then it's being returned to the player.

Player gets the chunk and decrypts the content with previously downloaded key.

Further workflow is based on the same steps - chunks are requested and processed with the key obtained from the URL hosted by Nimble.

2. Using encryption key from external URL


This scenario is similar to the scenario 1, the difference is that the DRM AES-128 encryption key is provided by the external handler.

This scenario is shown on the sequence diagram below.

AES DRM encryption workflow with external DRM key handler.

Here are the steps to follow.

2.1 DRM key setup


As in scenario 1, server administrator goes to Servers menu, selects Nimble Streamer instance and clicks on DRM Setup.

This opens a dialog shown below.


The DRM key field has the key used for further DRM encryption. You may re-generate the key any time.
To specify a URL for external key handler click on "I also want to use my own DRM key URL" to see additional field.


Enter the DRM URL where the key will be obtained. Clicking Save brings the value to the Nimble Streamer instance.

If the key DRM URL is specified, Nimble Streamer will not be returning the key like described in step 1.2. So you need to implement the functionality which will return the correct key, see step 2.2.

2.2 DRM key URL handler


The DRM URL specified at step 2.1 must point to the location of the handler which is responsible for returning DRM key. Typically it's a web application which makes decision whether a viewer may get the DRM key or not.

The returned key must be the same as the key specified in DRM key field at step 2.1.
The Content-Type of the returned key must be application/octet-stream. The key itself needs to have binary format according to HLS RFC mentioned in the beginning of this article.

If a WMSAuth signature is used for authenticating a user, this parameter is also passed to the handler. So you may implement pay-per-view system based on DRM encryption.

2.3 Playlist and key exchange


When the visitor wants to play the media, the player requests a stream playlist from Nimble Streamer. The playlist is returned with chunk-list (nested playlist), which content is similar to the one listed below.
#EXTM3U
#EXT-X-VERSION:3
#EXT-X-TARGETDURATION:10
#EXT-X-MEDIA-SEQUENCE:0
#EXT-X-KEY:METHOD=AES-128,URI="http://example.com/drm/hls.key?nimblesessionid=7"
#EXTINF:3.75,
n_0.ts?nimblesessionid=7
#EXTINF:7.5,
n_1.ts?nimblesessionid=7
#EXTINF:7.5,
n_2.ts?nimblesessionid=7
In EXT-X-KEY field you may see the URI which you set up at step 2.1.

The player obtains the key from the handler and starts requesting chunks.

2.4 Chunks processing


Just as in step 1.3, when Nimble gets the request for a chunk from player, that chunk is being encrypted by AES-128 using the assigned encryption key. Then it's being returned to the player.

Player gets the chunk and de-crypts the content with previously downloaded key.

Further workflow is based on the same steps - chunks are requested and processed with the key obtained from the handler URL.

What's next


The described feature allows adding more security to your streaming infrastructure in addition to already existing paywall framework and SSL support. Also, check our Verimatrix VCAS DRM support. If you have any questions  or suggestions regarding this feature set, contact us as we're opened for discussion.

Related documentation


Nimble StreamerHLS RFCNimble Streamer HLS support for VOD streaming, WMSPanel Paywall framework, SSL support for HTTP streaming in Nimble Streamer, Verimatrix VCAS DRM support in Nimble

4 comments:

  1. What is the point of having a AES DRM ,when video can be downloaded and played.

    ReplyDelete
  2. Please take a look at "AES DRM encryption workflow with external DRM key handler." schema and find "external DRM handler". You don't have to provide everyone with drm key thus you can control an access to your content.

    ReplyDelete
  3. Once I set this up in WMSPanel do I need to make any changes in my code?

    ReplyDelete
  4. You don't need to make changes in code for that.

    ReplyDelete