Introduction To Widevine DRM
Widevine is a DRM solution owned by Google (which acquired Widevine in 2010). It provides the capability to license, securely distribute, and protect playback of content on any consumer device.
Widevine is a popular DRM solution and has support for the Android operating system, several SmartTVs, browsers, etc. It also supports MPEG-DASH, HLS, and MSS streaming along with CENC and CMAF. There are two versions of Widevine – Classic & Modular.
Widevine Classic
Widevine Classic is supported only on legacy devices, and it requires the media to be packaged into the proprietary .WVM format. It was supported on old Android versions (3.1 ~ 5.1), legacy SmartTVs, Google TV, etc. and is not used anymore.
Widevine Modular
Widevine Modular is the current version of Widevine and has support for the MPEG-DASH, HLS, and MSS streaming protocols. It also has support for CMAF, CENC, and HTML5 standards such as EME & MSE.
How Does Widevine DRM Work?
In this section, let us understand how Widevine works.
Step 1: The first step begins when the user presses “Play.” The application downloads the MPD from the CDN. After parsing the MPD, it is easy to determine whether the video is encrypted using Widevine. The browser extracts the initialization data (InitData) from the content and sends it to the player as an event.
Note: we assume that the user has been authenticated at this point. Widevine does not do this, and the application has to handle it by itself.
Step 2: The player cannot decrypt the content and needs the help of specialized software for decryption, so it sends the InitData to the Content Decryption Module.
Step 3: The CDM (Content Decryption Module) receives the InitData from the player and creates a “license request” and sends this back to the player.
Step 4: After the player receives the license request, it sends it to the Widevine License Server via a proxy. The license request is also encrypted so that nobody can access or crack it in transit.
Step 5: The License Server receives the request sent by the player. It then decrypts the request, extracts the InitData, and uses it to find the license in its database. After finding the license, it encrypts it and sends it back to the player. The encrypted message contains the key to decrypt the content and also information about the license (expiry time, etc.).
Step 6: The player receives the license from the License Server and passes it to the CDM (via the EME). Since the message is encrypted, the player and any other software cannot read it and misuse it.
Step 7: Because the CDM is not in the Trusted Layer of the device, it must pass the information to the OEMCrypto Module, which does reside in the Trusted Layer of the device. The actual decryption takes place in the OEMCrypto Module. In some implementations, the decoding takes place there also. The browser does the actual parsing of the container.
Step 8: Once the content is demultiplexed, decrypted, and decoded, it is sent to the screen in small chunks and is not stored anywhere on the device.
Here is a flow diagram from Widevine that demonstrates what we’ve just learned.
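The player-side half of this exchange (Steps 1 to 6) maps onto the browser's EME API. The following is an added example, not code from Widevine or from the original article; the license proxy URL is a placeholder, and the `nav`, `fetchFn` and `proxyUrl` options are hypothetical hooks so the flow can be exercised outside a browser.

```javascript
// Added example: player-side EME flow for Steps 1-6 of the article.
// LICENSE_PROXY_URL is a placeholder; `nav` and `fetchFn` are hypothetical
// injection points so the flow can be exercised outside a browser.
const WIDEVINE = 'com.widevine.alpha';
const LICENSE_PROXY_URL = 'https://license-proxy.example/widevine';

async function attachWidevine(video, opts = {}) {
  const { nav = navigator, fetchFn = fetch, proxyUrl = LICENSE_PROXY_URL } = opts;
  // Ask the browser for a Widevine CDM that supports the stream's format.
  const access = await nav.requestMediaKeySystemAccess(WIDEVINE, [{
    initDataTypes: ['cenc'],
    videoCapabilities: [{ contentType: 'video/mp4; codecs="avc1.42E01E"' }],
  }]);
  const mediaKeys = await access.createMediaKeys();
  await video.setMediaKeys(mediaKeys);
  // Step 1: the browser finds InitData in the content and fires 'encrypted'.
  video.addEventListener('encrypted', (event) => {
    handleEncrypted(mediaKeys, event, fetchFn, proxyUrl).catch(console.error);
  });
  return mediaKeys;
}

async function handleEncrypted(mediaKeys, event, fetchFn, proxyUrl) {
  const session = mediaKeys.createSession();
  const done = new Promise((resolve, reject) => {
    // Step 3: the CDM returns an opaque license request as a 'message' event.
    session.addEventListener('message', async (msg) => {
      try {
        // Step 4: forward it unchanged to the license proxy. Cookies carry the
        // user's login, because Widevine itself does not authenticate users.
        const resp = await fetchFn(proxyUrl, {
          method: 'POST', credentials: 'include', body: msg.message,
          headers: { 'Content-Type': 'application/octet-stream' },
        });
        if (!resp.ok) throw new Error(`license proxy returned ${resp.status}`);
        // Step 6: hand the opaque license to the CDM; the player never reads it.
        await session.update(await resp.arrayBuffer());
        resolve(session);
      } catch (err) { reject(err); }
    });
  });
  // Step 2: pass InitData to the CDM, which builds the license request.
  await session.generateRequest(event.initDataType, event.initData);
  return done;
}
```

The proxy is where the application enforces its own authentication and entitlement check before the request reaches the Widevine License Server; a non-2xx reply stops the flow before any key material reaches the CDM.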
Widevine Security Levels – L1, L2, L3
• L1 or Security Level 1
L1 is the highest level of security in Widevine and provides hardware-level decryption (safer than software). Content decryption, media decoding, and rendering are all done within the TEE. If you want to stream HD content from content providers, your device will need to be certified to meet L1 specifications.
• L2 or Security Level 2
In L2, only the media decryption is performed within the TEE. The decrypted video is sent to the application for decoding and rendering.
• L3 or Security Level 3
L3 is the least secure and is used in low-end hardware without a TEE. The decryption is performed in a software-CDM (like the ones inside the browser). Content providers block encrypted HD video playback in devices with L3 security.
Business Rules
Below is a snippet of the payload that signifies the business rules and license rules that can be inserted in Widevine. It is quite explicit in explaining the rental, playback, renewal, and license durations for a certain asset. A content provider can use this to create complex rules to suit their business models.
{
  "payload": "",
  "content_id": "",
  "provider": "",
  "allowed_track_types": "",
  "content_key_specs": [
    { "track_type": "" },
    { "track_type": "" },
    "…"
  ],
  "policy_overrides": {
    "can_play": "",
    "can_persist": "",
    "can_renew": "",
    "rental_duration_seconds": "",
    "playback_duration_seconds": "",
    "license_duration_seconds": "",
    "renewal_recovery_duration_seconds": "",
    "renewal_server_url": "",
    "renewal_delay_seconds": "",
    "renewal_retry_interval_seconds": "",
    "renew_with_usage": ""
  }
}
Where Is Widevine DRM Supported
Widevine Modular, or simply Widevine, is supported on several platforms, listed below:
• Android (4.4+)
• Android TVs
• Amazon Fire TV
• Chromecast
• Smart TVs
• Browsers such as Chrome, Firefox, Edge.
If a hardware vendor wants to support Widevine, they can get in touch with Google to sign a contract and get the required support (such as the Content Decryption Module, test vectors, etc.).
I hope that by now you have a good understanding of how Google’s Widevine DRM works. There is a lot of information online (code samples, players, and SDKs) to help you go deeper into Widevine.