Widevine DRM & CDM for Security of Premium Content The article provides architecture implementation details for Widevine DRM, Advantages, Compatibility & Free 30 day Widevine Trial

Widevine DRM Architecture for Security of Premium Content

Article provides architecture implementation for Widevine DRM, Advantages, Compatibilities & Free 30 Day Widevine Trial

Register for 30 day Widevine Trial

Widevine is Google’s video DRM architecture which enables content creators to stream protected content. Widevine is chiefly supported by devices and softwares running on Google’s ecosystem. On desktop devices Widevine DRM is supported by Chrome, Firefox & Opera browsers via Widevine CDM, and is supported by Android devices. Widevine also enables streaming of protected content via Google Chromecast and Android TV. This ensures that users have best HD streaming experience while keeping the revenue interests of the content provider at the front.

At VdoCipher we have incorporated the Widevine architecture as part of our streaming infrastructure. It includes transcoding and encryption, adaptive streaming, and communication with the DRM license server for secure decryption.

The biggest plus points of Widevine are that it natively supports HTML5 video player and DASH streaming protocol. HTML5 video player is increasingly favoured by browsers over Flash-based video playback. In the absence of native HTML5 DRMs content providers had to get users to install a Silverlight plugin or use the Adobe Access DRM through Flash. Both had the negative aspect that they required users to install things to their device.  Also, it produced some security risk with Flash. (which is the reason it is increasingly being phased out by browsers)

The ultimate endorsement for any Digital Rights Management system is having certifications from Hollywood studios. They have millions of dollars on the line, when they make their content available via online streaming. Hollywood’s Digital Entertainment Content Ecosystem (DECE) endorses Widevine’s DRM for streaming videos. Netflix and Amazon Instant Video use Widevine DRM for streaming on Chrome and Android devices. At VdoCipher our aim is to provide a complete video streaming solution that handles everything from user experience to content protection for our users. In this blog I detail how VdoCipher makes Widevine available for all users.

VdoCipher’s Widevine DRM Architecture + Streaming Setup

  • Video Upload – You can upload videos through the dashboard, or using our upload APIs
  • Video Processing
    • Encoding – Videos are encoded at multiple bitrates
    • File encryption (using CENC).
    • Video File packaging and Key generation from DRM license server
  • Video Management using APIs
  • Encrypted video files are stored on Amazon Cloudfront and Google Cloud Platform CDN Edge locations to ensure fast video streaming
  • Video player customizations
    • Player theme change
    • Overlays/buttons over video
  • Secure Video playback
    • Embed Code to generate Dynamic URLs (HTTP Post request including client secret key to get unique OTP)
    • Unique OTP is then sent by DRM license server
    • Encrypted video file is decrypted in Browser/ Device’s trusted environment.Video is rendered via the video player, which can switch across different streams of different bitrates.
  • Dynamic watermarking to deter screen capture VdoCipher implements Widevine DRM video security Widevine is still an emerging technology. As I mentioned earlier, although ubiquitously supported by Google’s ecosystem (and Firefox), Widevine is not supported by Microsoft’s Internet Explorer or by Apple. For content creators wishing to stream across all devices and softwares, they need a multi-DRM strategy. At VdoCipher we provide Widevine for Chrome, Fairplay for Apple devices, with Flash as fallback. This multi-DRM strategy ensures that content providers can fully rely on VdoCipher for distributing content on all devices.

Widevine CDM for Delivering the Best User Experience

No plugins necessary because of Native Widevine CDM

VdoCipher’s implementation of Widevine DRM makes sure that videos are played on Desktop devices using the native HTML5 video player. Inherently google devices & browser have Widevine CDM (Content Decryption Module), which allows for this hardware based secure HTML5 playback.  Adobe Flash and Silverlight used to be the preferred choice previously, but are now being deprecated in modern browsers. The large security risks and poor user experience of Flash and Silverlight have ensured that content providers prefer HTML5 streaming protocol.

Highest Quality Adaptive Streaming with DASH

  • VdoCipher’s implementation of Widevine also makes use of the DASH streaming protocol. It is an open-source and widely adopted video streaming standard.  DASH ensures that the same video file can be used across all devices (with the exception of iphone). This considerably reduces the storage requirements on Server/Content Delivery Network, as they only need to store one file container that would stream on most devices.
  • The most valuable aspect of DASH protocol is adpative playback,  to stream best quality for a given network bandwidth. In the urban locations where users watch videos, network connection can often fluctuate wildly. This can be because the viewer may be watching while travelling, or that more people are logging in to the shared network at the same time. VdoCipher video player monitors the user’s network quality and , and streams the best possible resolution for that given network quality.
  • DASH is also used for streaming via HTTP, which is not blocked by firewalls, which is the case for streaming formats such as RTMP.

Encrypted Streaming + DRM License 

Video Encoding at multiple bitrates

As mentioned in the previous section, video streaming in urban networks requires adaptive bitrate streaming. Video encoding process optimizes the video size to deliver the highest quality at the lowest bitrate. The most popular video codecs in use today are H.264 and VP9.  SD resolution streams are encoded using H.264 codec, which has the widest decoder support. On the other hand HD resolution streams are encoded using VP9, for delivery of 1080p streams to devices such as Android TV. As of February 2018, hardware-level decryption for Widevine-encrypted streams are available for Smart TVs by the following device makers: LG (WebOS) , Panasonic (FirefoxOS), Philips (AndroidTV), Samsung (Tizen), Sharp Aquos (AndroidTV), Sony Bravia (AndroidTV. Different files of different bitrate and resolution are broken down into fragmented MP4 segments of equal length.

Videos files of different bitrates are each encrypted with CENC

In Widevine DRM each individual video track is separately encrypted, using CENC (Common encryption Scheme). CENC ensures that each video segment is encrypted only once. The keys can be reused by different suplinporting DRMs (such as Playready). Fairplay has not yet made this API available, thus Fairplay streams have to be separately encoded currently.

VdoCipher communicates with Widevine license server to send the content decryption keys

On packaging and encrypting the video, VdoCipher packager requests for content decryption keys from the Widevine DRM license server. Widevine DRM license server subsequently returns this data to VdoCipher.

The information regarding the encryption/ decryption key is then inserted to the Media Presentation Description (MPD). This information can only be understood by the blackboxed Content Decryption module inside the browser/ device.  It uses the info to prepare a license request from the Widevine license server.

Make Highly Specific DRM Licenses with VdoCipher

Using VdoCipher’s  Widevine DRM architecture, you can create highly specific DRM licenses at the time of video upload. For instance you can limit HD Streaming only to devices that support L1 video decryption (wherein decryption and decoding are both hardware based). You can limit devices having L3 security (Widevine CDM is limited to browser) to only SD playback. Hollywood studios and DECE often require streaming services to follow this policy, giving higher priority of security for HD video content.

Licenses also enable you to have a rental model in addition to a transaction video on demand model. Most Electronic Sell-Through platforms such as iTunes and Google Play Movies enable their users to either rent films for a period of time, or purchase the license outright for unlimited viewings. Options to rent films tend to limit users to only view the film within a period of 48 hours from first starting playback. VdoCipher’s implementation of DRM license enables you to customize for how long a license is valid once it has been served for the first-time.

Automate Video Workflow with Developer-Friendly APIs

At VdoCipher we have designed our service to be API first. We also have a video dashboard that you can automatically use to manage your videos. Using our APIs you can automate the flow of video that you upload to our AWS servers.

Basic features we provide for automated video management are:

  • Upload APIs
    • Upload videos using Dashboard
    • Import/Upload videos using API
      • HTTP PUT request to dev.vdocipher.com/api/videos with title of video
      • curl -X PUT https://dev.vdocipher.com/api/videos?title=title-of-video -H  "accept: application/json" -H "content-type: application/json" -H "Authorization: Apisecret 1234567890"
      • This returns a JSON string that includes an upload key, a playback policy and the AWS S3 bucket endpoint, to which you send an HTTP POST request with the file to be uploaded.
    • Import videos from URL through both Dashboard
    • Import videos using API
      • HTTP PUT request to dev.vdocipher.com/api/videos/importURL with url of video
      • curl -X PUT https://dev.vdocipher.com/api/videos/importUrl -H  "accept: application/json" -H "content-type: application/json" -H  "Authorization: Apisecret 12345567890" -d "{ "url": "string"}"
      • Your video would be ready for encoding, encryption and packaging
  • Add and Retrieve tags using APIs:
    • GET Request to dev.vdocipher.com/api/videos/tags to retrieve list of tags for the given user account
    • POST Request to dev.vdocipher.com/api/videos/tags to bulk add tags to a group of videos
    • PUT Request to dev.vdocipher.com/api/videos/tags to set tags for a single video and to delete previous tag records
  • Retrieve video based information (including Poster image, video file size)
    • GET Request to dev.vdocipher.com/api/videos/{videoID}
    • POST Request to dev.vdocipher.com/api/videos/{videoID} to update video related information
    • PUT Request to dev.vdocipher.com/api/videos/{videoID} to upload new version of a video
  • Video Pagination for retrieving list of most popular videos

We also have advanced APIs to enable our users to automate their workflow better. These include options to custom upload poster image (thumbnail) for maximizing user click rate and update specific parameters of your videos. Please get in touch with us if you require any help in automating your video workflow.

Detailed APIs are here. 

Encrypted Video Playback with DRM License

Videos are decrypted securely in device by Widevine CDM with encrypted license from DRM license server

VdoCipher player acts as a blind messenger between the Widevine DRM license server and the Content Decryption Module (CDM) (which is either hardware based or software based). The VdoCipher player itself does not handle any license keys at any point directly.  It gets access to the final video stream when the CDM decrypts the stream for playback. In Desktops, CDM is bundled along with browsers.  In Android phones, the CDM is part of the hardware creating a Trusted Execution Environment. Note that whether software-based or hardware based, the Content Decryption Module is closed-source.  The video player does not know how the CDM decrypts the key. It only uses the APIs which the Widevine CDM makes available for requesting & receiving the DRM license keys.

Android Devices have highest level of security with Encryption, Screen Capture disabled

Using the Trusted Execution Environment in Android Devices, videos are decrypted and decoded in trusted zone of the hardware.  It only then plays on the screen. The upshot of this is that Android devices, through client app and website,  are protected against screen capture. Screen Capture does not work while video is playing in android chrome or android app.

Viewer Specific Watermark feature to deter screen capture on Desktop

Screen recording softwares are sometimes used to pirate video streams from desktop chrome. We have developed our custom watermarking feature which prevents videos from being pirated. This deters users from recording online videos and sharing them illicitly with their peers.

Flash player as Fallback

Inspite of Widevine’s support across the Google ecosystem, the DRM ecosystem is still fragmented across the major players – Google, Apple and Microsoft. Likewise some Android devices may, because of manufacturer neglect, not be compatible with Widevine DRM. If for any reason user’s devices does not support Widevine, VdoCipher video player falls back to Flash video player, which provides the same level of security as Widevine DRM. It is only because of the declining browser support for Flash (owing to its larger size and security concerns) that Widevine has become a viable replacement in the first place. Rest assured, whichever device your viewers are using to watch your videos, VdoCipher will ensure the best possible user experience.


Widevine DRM architecture Android app

Widevine CDM Supports 2 billion Global Devices

There are currently 2 billion monthly active installs for Android devices, and another 2 billion active installs of the Chrome Desktop application. These stats signify that Widevine is by far the most relevant DRM system out there. Widevine DRM is an essential component of any multi-DRM strategy for premium content.

Making Available Hollywood-grade security for your videos

You can rest assured that if Hollywood studios, what with their multi-million dollar deals for films with online streaming services, trust a DRM solution, they would have done their due diligence on the security of the DRM. Widevine is the service that Netflix uses for their encrypted content.

Broadly speaking, Hollywood studios limit video playback at resolution of 720p for Widevine’s L3 profile. In L3 profile the decryption is software based, and the final video is rendered by the video player itself. Studios limit HD and Ultra-HD resolutions for devices that support L1 profile, which provide hardware-based decryption, decoding and rendering. L1 profile of Widevine DRM is supported by most Android smartphones and AndroidTV. Please get back to us if you have similar requests.

For a Free Full version 5 GB Trial with Widevine DRM , Click here.

Free 30 Day Trial for Widevine DRM

Free 30 Day Trial for Widevine DRM