FairPlay DRM configuration for iOS and Safari

FairPlay DRM (FPS) is the studio-approved DRM trusted for secure playback in Apple iOS apps, iOS Safari and Mac Safari. In this post, we present a complete guide for implementing Apple FairPlay DRM. FairPlay DRM protects videos from download and also stops screen capture of videos. The second half of the article explains the technology behind FairPlay DRM.

The content owner/distributor has to obtain the required license from Apple to use it. As your streaming partner, we provide the encryption and licensing service that uses your FairPlay keys. The complete integration setup is handled directly by VdoCipher; you only need to apply for the license and obtain the keys.

Difference between default VdoCipher encryption security and FairPlay DRM: VdoCipher provides default encryption security for iOS and Safari to prevent downloads. Apple FairPlay DRM is approved by studios and has the additional advantage of preventing screen capture. But Apple is fairly strict about approving FPS licenses, so we cannot guarantee that everyone will be able to use it.

Requesting FairPlay DRM production license

  1. Go to the Apple FairPlay page.
  2. Click on the link to Request Deployment Package. You need to have a developer account before this.
  3. If you are an organization, you should use the organization account for this purpose. Companies outside the USA need to obtain a DUNS number in order to create an organization account.
  4. After proceeding further, you should see a form to request the deployment package.
  5. Enter your company and content details.
  6. If asked, you can enter our name “VdoCipher” in “Streaming Distribution Partner Name”.
  7. Confirm that you already have a “Keyserver module” set up and tested. You now need the “deployment package” for production.

Note that FairPlay DRM is only allowed for entities that own the content or hold distribution rights to it. Apple only provides the FairPlay license when the video content is premium, i.e. can only be accessed after payment.

Using the FairPlay DRM deployment package

You should have received an FPS_deployment package file from Apple. Open the zip file. You should find a PDF document titled: “FPSCertificateCreationGuide.pdf”.

This PDF describes the process of creating an RSA key pair and then getting the public key signed by Apple. In the process, it also generates an ASK (Application Secret Key). This key is a 32-character alphanumeric string associated with your FairPlay DRM. Once the process is complete, you can share your private key, challenge password, signed certificate and the ASK with us.

Checklist before proceeding:

  1. Make sure you understand the overall process.
  2. Make sure your hardware and OS are stable and have power backup so that the machine does not shut down unexpectedly. You cannot recreate the keys if anything goes wrong, so prepare for such events.
  3. In case of any issue, we are always there to help. If you need help with the key generation and signing process, we can offer guidance through a remote desktop session or Skype.
  4. Understand that the safe-keeping of the generated keys is your responsibility.

How we use the above keys

Apple FairPlay DRM is a multi-component system. It also requires us to maintain the media keys in our database.

– When the player loads, it requests the signed public certificate.
– The FairPlay DRM module in the device uses the certificate to create a license request.
– The license servers can read the license request using the private key and the corresponding challenge password.
– The ASK is used to create the license containing the content keys.

How we store your keys

– We have dedicated license servers and a licensing database separate from the rest of our infrastructure. The license database is heavily access controlled.
– We save your encrypted private key for FairPlay DRM in Google Storage or AWS S3.
– Private keys and challenge passwords are only accessible from the license servers.
– The challenge password and ASK are stored in a MySQL database, encrypted by a session key held in the license server application.
– The signed certificate is kept in a separate S3 bucket and is publicly readable from a CDN. The FairPlay DRM module in the player loads this certificate on your website or mobile app.
– We have set up encrypted backups every 6 hours.

Safe-keeping

Although we take extreme care of your keys, we do not allow retrieving them later. We expect you to keep all your keys safe. You should make backups of the keys and ensure that they remain accessible only to authorised persons. As a checklist, here is the list of items to keep for FairPlay DRM.

  1. The private key (file)
  2. Challenge password (string)
  3. ASK (string)
  4. Signed certificate (file)

It is recommended not to rely on your memory: keep all the files and associated passwords in digital form.

The steps for generating and signing keys

Step 1. Generate the key pair: a private key (.pem) file and a signing request (.csr) file.

i) When asked to enter a challenge password, first write the password down somewhere safe.
ii) Copy it from there once.
iii) When asked for verification, type the password without pasting.

Note that when typing a password in the terminal, you should not see anything on the screen; that is how the terminal hides passwords.

Step 2. Signing the key requires an active Apple Developer Program membership.

  • Follow the exact process as described in the PDF document provided by Apple.
  • You should receive the ASK and will need to type it again. Make sure you have copied it to a safe place before typing it again.
  • After proceeding, it should ask you to download the certificate file (.cer).
  • The document should ask you to save the certificate in Keychain. This step is only for safe-keeping; it does not affect any functionality.
Screenshot when FairPlay DRM ASK is created

Screenshot where FairPlay DRM signed certificate is downloaded

The process is now complete. In the end, you should have the following files safe:

  1. Private key file (.pem)
  2. Challenge password for the private key
  3. ASK
  4. Certificate file (*.cer)
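The procedure in Step 1, Step 2 and the checklist above ends with three artefacts that must agree with each other: the passphrase-protected private key, the challenge password that unlocks it, and the CSR (before signing) or the signed .cer (after). The script below is an added example, not code from the article or from Apple's deployment package. It assumes the OpenSSL CLI is on PATH; the key size, subject, file names and the FPS_WORKDIR directory are constructed placeholders, and the real values come from Apple's FPSCertificateCreationGuide.pdf. It generates a key and CSR the way Step 1 does, then checks that the passphrase really unlocks the key and that the CSR or certificate carries the key's public half, which is exactly what you want to confirm for every backup copy before handing the set over.

```shell
#!/bin/sh
# Added example, not part of the VdoCipher article or Apple's deployment package.
# Assumes: OpenSSL CLI on PATH. Key size, subject, file names and FPS_WORKDIR are
# constructed placeholders; follow Apple's FPSCertificateCreationGuide.pdf for
# the real values.

WORKDIR="${FPS_WORKDIR:-./fps-key-demo}"   # assumption: any writable directory

# Step 1 analogue: passphrase-encrypted private key (.pem) and signing request (.csr).
# The passphrase is passed on the command line only so this demo runs unattended;
# when following the real guide, type it at the prompt as the article describes.
fps_generate() {
  pass="$1"
  mkdir -p "$WORKDIR" || return 1
  openssl genrsa -aes256 -passout "pass:$pass" \
    -out "$WORKDIR/privatekey.pem" 2048 >/dev/null 2>&1 || return 1
  openssl req -new -key "$WORKDIR/privatekey.pem" -passin "pass:$pass" \
    -subj "/CN=Example Content Owner/O=Example Org/C=US" \
    -out "$WORKDIR/certreq.csr" >/dev/null 2>&1 || return 1
  return 0
}

# Does this passphrase unlock the private key? A key whose passphrase was
# transcribed wrongly is as lost as no key, so run this against every backup.
fps_passphrase_ok() {
  if openssl rsa -in "$WORKDIR/privatekey.pem" -passin "pass:$1" \
       -check -noout >/dev/null 2>&1; then
    return 0
  fi
  return 1
}

# Public key embedded in a CSR or a certificate, as PEM text. Apple returns the
# signed certificate as a DER .cer file; PEM is tried as a fallback.
fps_public_key_of() {
  case "$1" in
    *.csr) openssl req -in "$1" -pubkey -noout 2>/dev/null ;;
    *)     openssl x509 -in "$1" -inform DER -pubkey -noout 2>/dev/null \
           || openssl x509 -in "$1" -inform PEM -pubkey -noout 2>/dev/null ;;
  esac
}

# Does the CSR (before signing) or the signed .cer (after) carry the same
# public key as the private key you are about to hand over?
fps_matches_key() {
  pass="$1"; file="$2"
  key_pub=$(openssl rsa -in "$WORKDIR/privatekey.pem" -passin "pass:$pass" \
              -pubout 2>/dev/null) || return 1
  file_pub=$(fps_public_key_of "$file") || return 1
  if [ -n "$key_pub" ] && [ "$key_pub" = "$file_pub" ]; then
    return 0
  fi
  return 1
}

# Final checklist: key file present, passphrase works, and the CSR or (once
# downloaded) the signed certificate matches the key.
fps_checklist() {
  pass="$1"; cert="${2:-$WORKDIR/certreq.csr}"
  [ -f "$WORKDIR/privatekey.pem" ] || { echo "missing private key"; return 1; }
  fps_passphrase_ok "$pass"       || { echo "passphrase does not unlock key"; return 1; }
  [ -f "$cert" ]                  || { echo "missing $cert"; return 1; }
  fps_matches_key "$pass" "$cert" || { echo "$cert does not match key"; return 1; }
  echo "ok: private key, passphrase and $cert agree"
  return 0
}

# Demo run when invoked with FPS_DEMO=1; functions only otherwise.
if [ "${FPS_DEMO:-}" = "1" ]; then
  fps_generate "demo-passphrase" && fps_checklist "demo-passphrase"
fi
```

Once Apple has returned the signed certificate, run `fps_checklist "<challenge password>" path/to/certificate.cer` from the directory holding privatekey.pem; a mismatch at that point means the CSR that was signed did not come from the key you are keeping.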

Send your FairPlay DRM keys to VdoCipher:

1. To share the above keys with us, use our email info [at] vdocipher.com. Do NOT use any other email address or CC another address on the email. This process ensures that the files and passwords remain within our systems.
2. You should delete the email from your email servers after receiving confirmation from us.

Publishing videos on your site/app with FairPlay DRM and VdoCipher

Once you have shared the keys with VdoCipher, we integrate them with streaming for your account at the backend. You don't need to make any modifications to integrate VdoCipher. With our standard APIs or plugins, you can integrate our streaming player and enjoy secure embeds in your site or app.

Technology architecture behind Apple FairPlay DRM

The security of the content stream lies in the way encrypted content is transferred over the internet in a highly secure manner, with a black-boxed key exchange mechanism.

FairPlay DRM content is encrypted with the AES algorithm on MP4 container files. The security of any encryption technology lies in how open or closed its key exchange mechanism is. For FairPlay DRM, the decryption key is itself kept in encrypted form inside a closed-box environment. The reason this closed box is highly secure is that Apple controls the entire device and browser environment (Mac and iPhone). For the same reason, this DRM cannot work on Android or Chrome, because Apple cannot implement a hidden-box environment there.

Here are some details of the DRM + streaming infrastructure with VdoCipher:

  • Video ingestion – You can upload videos through the dashboard or using our upload APIs.
  • Video transcoding –
    • Encoding videos to multiple sizes for different devices and network speeds.
    • Encrypting the video (CENC).
    • Video file packaging and key generation from the DRM license server.
  • APIs or plugins for video management.
  • Encrypted video files are streamed through Amazon AWS CloudFront and Google Cloud Platform CDN edge locations to ensure fast video streaming.
  • Secure online video playback:
    • Embed code to generate dynamic URLs (HTTP POST request including the client secret key to get a unique OTP).
    • The unique OTP is then sent by the DRM license server.
    • The encrypted video file is decrypted in the browser's or device's trusted environment. The video is rendered via the video player, which can switch across streams of different bitrates.
  • Multi-DRM: Content creators wishing to stream across all devices and software need a multi-DRM strategy. At VdoCipher we provide Widevine for Chrome and FairPlay for Apple devices, with Flash as a fallback. This multi-DRM strategy ensures that content providers can fully rely on VdoCipher for distributing content on all devices.