February 12, 2015

HLS AES encryption support for DRM in Nimble Streamer

Nimble Streamer supports variety of features for HLS, including big feature set for live streaming. In order for HLS to support secure streaming, the initial HLS RFC has a description of protection mechanism based on AES-128 encryption. This allows covering Digital Right Management (DRM) use cases.

Nimble Streamer has now encryption support. It allows encrypting chunks using DRM key specified by server admin. It supports the following key scenarios

  1. Nimble hosts the key URL and uses it for giving out the key.
  2. External key URL is used for the cases when a customer needs additional authentication for a key.

Let's review each scenario separately. We assume that your system administrator has already installed and set up Nimble Streamer and it has streams ready to be protected by DRM.

Note, that Nimble Streamer encrypts only self-produced HLS streams, those can be VOD streams or transmuxed Live streams. Therefore, HLS encryption can't be applied to re-streaming scenarios.

1. Using encryption key hosted by Nimble


In this scenario the DRM AES-128 encryption key is provided by Nimble itself. Let's go step by step to see how it is set up and used.

The whole scenario is shown on the following sequence diagram.
AES DRM encryption workflow with Nimble Streamer hosting the DRM key.

1.1 DRM key setup


Server administrator goes to Control top menu and selects HLS AES encryption DRM.

This opens a dialog shown below.


The DRM key field has the key used for further DRM encryption. You may re-generate the key any time. Clicking Save brings the value to the Nimble Streamer instance.

1.2 Playlist and key exchange


When the visitor wants to play the media, the player requests a stream playlist from Nimble Streamer. The playlist is returned with chunk-list (nested playlist), which content is similar to the one listed below.
#EXTM3U
#EXT-X-VERSION:3
#EXT-X-TARGETDURATION:10
#EXT-X-MEDIA-SEQUENCE:0
#EXT-X-KEY:METHOD=AES-128,URI="hls.key?nimblesessionid=5"
#EXTINF:3.75,
n_0.ts?nimblesessionid=5
#EXTINF:7.5,
n_1.ts?nimblesessionid=5
#EXTINF:7.5,
n_2.ts?nimblesessionid=5
In EXT-X-KEY field you may see the URI which is used for returning the encryption key assigned at step 1.1. This URI is hosted by Nimble instance itself.
The player downloads the key and starts requesting chunks.

1.3 Chunks processing


When Nimble gets the request for a chunk from player, that chunk is being encrypted by AES-128 using the assigned encryption key. Then it's being returned to the player.

Player gets the chunk and decrypts the content with previously downloaded key.

Further workflow is based on the same steps - chunks are requested and processed with the key obtained from the URL hosted by Nimble.

2. Using encryption key from external URL


This scenario is similar to the scenario 1, the difference is that the DRM AES-128 encryption key is provided by the external handler.

This scenario is shown on the sequence diagram below.

AES DRM encryption workflow with external DRM key handler.

Here are the steps to follow.

2.1 DRM key setup


As in scenario 1, server administrator goes to Servers menu, selects Nimble Streamer instance and clicks on DRM Setup.

This opens a dialog shown below.


The DRM key field has the key used for further DRM encryption. You may re-generate the key any time.
To specify a URL for external key handler click on "I also want to use my own DRM key URL" to see additional field.


Enter the DRM URL where the key will be obtained. Clicking Save brings the value to the Nimble Streamer instance.

If the key DRM URL is specified, Nimble Streamer will not be returning the key like described in step 1.2. So you need to implement the functionality which will return the correct key, see step 2.2.

2.2 DRM key URL handler


The DRM URL specified at step 2.1 must point to the location of the handler which is responsible for returning DRM key. Typically it's a web application which makes decision whether a viewer may get the DRM key or not.

The returned key must be the same as the key specified in DRM key field at step 2.1.
The Content-Type of the returned key must be application/octet-stream. The key itself needs to have binary format according to HLS RFC mentioned in the beginning of this article.

If a WMSAuth signature is used for authenticating a user, this parameter is also passed to the handler. So you may implement pay-per-view system based on DRM encryption.

2.3 Playlist and key exchange


When the visitor wants to play the media, the player requests a stream playlist from Nimble Streamer. The playlist is returned with chunk-list (nested playlist), which content is similar to the one listed below.
#EXTM3U
#EXT-X-VERSION:3
#EXT-X-TARGETDURATION:10
#EXT-X-MEDIA-SEQUENCE:0
#EXT-X-KEY:METHOD=AES-128,URI="http://example.com/drm/hls.key?nimblesessionid=7"
#EXTINF:3.75,
n_0.ts?nimblesessionid=7
#EXTINF:7.5,
n_1.ts?nimblesessionid=7
#EXTINF:7.5,
n_2.ts?nimblesessionid=7
In EXT-X-KEY field you may see the URI which you set up at step 2.1.

The player obtains the key from the handler and starts requesting chunks.

2.4 Chunks processing


Just as in step 1.3, when Nimble gets the request for a chunk from player, that chunk is being encrypted by AES-128 using the assigned encryption key. Then it's being returned to the player.

Player gets the chunk and de-crypts the content with previously downloaded key.

Further workflow is based on the same steps - chunks are requested and processed with the key obtained from the handler URL.


Also take a look at Nimble Streamer DRM feature set which covers various encryption.

Related documentation


Nimble Streamer, Nimble Streamer DRMHLS RFCNimble Streamer HLS support for VOD streaming, WMSPanel Paywall framework, SSL support for HTTP streaming in Nimble Streamer, Verimatrix VCAS DRM support in Nimble

15 comments:

  1. What is the point of having a AES DRM ,when video can be downloaded and played.

    ReplyDelete
  2. Please take a look at "AES DRM encryption workflow with external DRM key handler." schema and find "external DRM handler". You don't have to provide everyone with drm key thus you can control an access to your content.

    ReplyDelete
  3. Once I set this up in WMSPanel do I need to make any changes in my code?

    ReplyDelete
  4. You don't need to make changes in code for that.

    ReplyDelete
  5. What is the optimal AES setup for optimal performance. Should we encrypt in intervals of 3 minutes or 10 minutes. Will key rotation impact server performance. Can someone quantify the impact of AES setup on performance.

    ReplyDelete
  6. key rotation supported for http://blog.wmspanel.com/2015/05/verimatrix-vcas-drm-live-streaming-nimble-streamer.html only. AES setup will not impact performance too much. It's actively used without performance complains

    ReplyDelete
  7. AES 128 bit encryption basically does not help much. The streaming URL can be played via VLC player with no problem. Anyone know how to use the Verimatrix Settings?

    ReplyDelete
    Replies
    1. Hi,

      Please take a look at this article: http://blog.wmspanel.com/2015/05/verimatrix-vcas-drm-live-streaming-nimble-streamer.html

      Delete
    2. I'd rather recommend to use SLDP if you don't want your stream be played outside of your page http://blog.wmspanel.com/2017/06/faq-sldp-tips-troubleshooting.html

      Delete
    3. How do I setup DRM URL? I am really confused.

      Delete
    4. There is no "DRM URL" in AES-128 encryption.

      Delete
  8. Could help a link from the staff with opensource code to create an hls server key easy ;)

    ReplyDelete
    Replies
    1. We don't plan anything like that. But if you create something like that, we could definitely upload it to our github!

      Delete
  9. An opensource code to create proprietary server for key geneartion?

    ReplyDelete
    Replies
    1. still not available. it should be simple to do it on your side though

      Delete

If you face any specific issue or want to ask some question to our team,
PLEASE USE OUR HELPDESK

This will give much faster and precise response.
Thank you.

Note: Only a member of this blog may post a comment.