502 Content Protection For HTTP Live Streaming PDF


Media #WWDC15

Content Protection for HTTP Live Streaming
Session 502

Roger Pantos HTTP Live Streaming Engineer

© 2015 Apple Inc. All rights reserved. Redistribution or public display not permitted without written permission from Apple.
FairPlay Streaming
Overview of FairPlay Streaming (FPS)

Industrial-strength protection for your HTTP Live Streaming audio & video
Already delivering keys in the premium content industry
Built into iOS, Apple TV, and OS X
Power-efficient on mobile devices
Integrated with AirPlay
Offered under the Apple Developer Program License Agreement
Scope of FairPlay Streaming—What It Is

FairPlay Streaming is:


• A secure key delivery mechanism
- Content Key is protected on the network and on the client during playback
• Key delivery is transport agnostic
- Easy to integrate with existing key server infrastructure
• Requires protected HDMI for external output
Scope of FairPlay Streaming—What It Isn’t

FairPlay Streaming does NOT:


• Provide DRM rights expression or policy enforcement, or
• Provide user authentication or per-device authorization
These can be implemented separately and combined with FPS
How to Use FairPlay Streaming
What Do You Need to Do?

Integrate a FairPlay Streaming Key Security Module (KSM) into your key server
Add code to your app to relay key requests and responses
For each HLS asset that you wish to protect:
• Generate and store a Content Key (CK) in your back-end database
• Encrypt the asset using AES Sample encryption
• Put a reference to the CK into your HLS playlist
Designing a FairPlay Streaming System

Gianpaolo Fasoli
FairPlay Streaming Engineer
Designing a FairPlay Streaming System

Purpose and importance of your credentials


Building blocks and data flows
What we provide, what you have to build
Integrating FPS into your Key Server
Testing your Key Security Module
Integrating FPS into your app
Encrypting and testing your content
FairPlay Streaming Credentials

KSM Credentials differentiate you from other FPS deployments


• Playing content on a customer device requires production credentials
• You must protect your production credentials
FairPlay Streaming—Request Flow

[Diagram: Your Key Database, Your Key Server, FPS KSM, Internet, Your App, AVFoundation, Delegate; legend: Existing, Provided, Your Implementation. Numbered markers correspond to the steps below.]

1 Your app asks AVFoundation to play your protected HLS asset
2 AVFoundation will download your m3u8 playlist containing the KEY tag
3 AVFoundation will call your app delegate to request the key
4 Your app delegate calls AVFoundation to create an FPS Server Playback Context request
5 Your app delegate sends the FPS SPC to your key server
6 Key server unwraps the SPC with your FPS KSM and performs CK lookup
7 After lookup, your FPS KSM wraps the content key into a Content Key Context response
8 Your app delegate provides the CKC to AVFoundation
9 Now the device can decrypt and play the content
What Is Provided

AVFoundation, including API for AVAssetResourceLoader delegate


FairPlay Streaming SDK
• Protocol specification
• Server reference implementation
• Server test vectors and validation tools
• Example content
• Client example code
Integrating FPS Into Your Key Server

Your Key Server must:


• KSM: Decrypt and validate SPC request
• Lookup CK by the asset identifier
• KSM: Produce CKC response

Implement KSM logic from scratch using protocol specification, or


Customize the C reference implementation in the SDK (language, integration)
Testing Your Key Security Module

Supplied test vectors should be used to validate correctness of responses produced


• Your KSM implementation will consume test SPC request and produce response
• Supplied tool will validate your produced CKC response

Test vectors are based on non-functional development credentials
End-to-end playback test on device requires production credentials!
Integrating FPS Into Your App

Register an AVAssetResourceLoader delegate with AVAsset


AVAssetResourceLoader delegate must:

• Generate the SPC


- handle shouldWaitForLoadingOfRequestedResource: for key requests
- call -[AVAssetResourceLoadingRequest streamingContentKeyRequestDataForApp:contentIdentifier:options:error:] to produce SPC
• Send SPC request to your Key Server
• Provide CKC response (or error) to AVAssetResourceLoadingRequest
Encrypting and Testing Your Content

Encrypt your content with HLS Sample Encryption


• METHOD=SAMPLE-AES
• KEYFORMAT="com.apple.streamingkeydelivery"

Many 3rd-party encoders support HLS sample encryption


To check your encryption workflow
• SDK contains an example of sample-encrypted content for comparison
• HLS mediafilesegmenter can produce encrypted content for comparison
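
A check for the playlist attributes listed above, as an added example that is not part of the session or the FPS SDK: it parses each EXT-X-KEY tag and reports keys or segments that would not be delivered through FPS. The sample playlist and its URIs are constructed, and `parseAttributeList` and `lintFpsPlaylist` are names chosen here.

```javascript
// Added example: lint the EXT-X-KEY tags of an HLS media playlist for FPS use.
const FPS_KEYFORMAT = 'com.apple.streamingkeydelivery';

// Split an HLS attribute list (NAME=value,NAME="quoted, value") into a map.
function parseAttributeList(text) {
  const attrs = {};
  for (const m of text.matchAll(/([A-Z0-9-]+)=("[^"]*"|[^",]*)/g)) {
    attrs[m[1]] = m[2].replace(/^"|"$/g, '');
  }
  return attrs;
}

// Returns the number of key tags seen and a list of human-readable findings.
function lintFpsPlaylist(playlist) {
  const findings = [];
  let key = null; // attributes of the EXT-X-KEY currently in force
  let keyCount = 0;
  playlist.split(/\r?\n/).forEach((raw, i) => {
    const line = raw.trim();
    const where = `line ${i + 1}`;
    if (line.startsWith('#EXT-X-KEY:')) {
      key = parseAttributeList(line.slice('#EXT-X-KEY:'.length));
      keyCount += 1;
      if (/[\u201C\u201D]/.test(line)) {
        findings.push(`${where}: typographic quotes, use plain ASCII quotes`);
      }
      if (key.METHOD !== 'SAMPLE-AES') {
        findings.push(`${where}: METHOD=${key.METHOD}, expected SAMPLE-AES`);
      }
      if (key.METHOD === 'NONE') return; // no key, nothing else to check
      if (key.KEYFORMAT !== FPS_KEYFORMAT) {
        // HLS treats a missing KEYFORMAT as "identity".
        const seen = key.KEYFORMAT || 'identity (default)';
        findings.push(`${where}: KEYFORMAT=${seen}, expected ${FPS_KEYFORMAT}`);
      }
      if (!key.URI) findings.push(`${where}: no URI referencing the CK`);
    } else if (line && !line.startsWith('#')) {
      // A non-comment line is a media segment; it uses the key in force.
      if (!key || key.METHOD === 'NONE') {
        findings.push(`${where}: segment ${line} is not encrypted`);
      }
    }
  });
  return { keyCount, findings };
}

// Constructed sample playlist; the skd:// and https:// URIs are placeholders.
const SAMPLE_PLAYLIST = [
  '#EXTM3U',
  '#EXT-X-VERSION:5',
  '#EXT-X-TARGETDURATION:10',
  '#EXTINF:10,',
  'intro.ts',
  '#EXT-X-KEY:METHOD=SAMPLE-AES,URI="skd://example-asset-1",' +
    'KEYFORMAT="com.apple.streamingkeydelivery",KEYFORMATVERSIONS="1"',
  '#EXTINF:10,',
  'seg1.ts',
  '#EXT-X-KEY:METHOD=AES-128,URI="https://keys.example.com/k2"',
  '#EXTINF:10,',
  'seg2.ts',
  '#EXT-X-ENDLIST',
].join('\n');

console.log(lintFpsPlaylist(SAMPLE_PLAYLIST));
```

On the sample it reports the clear segment before the first key tag and the second key tag, which uses a different method and falls back to the identity key format.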
FairPlay Streaming with AirPlay

AirPlay Video will transfer streaming operation to Apple TV


No additional code needs to be written!
SPC request is generated by FPS on Apple TV and CKC response is for Apple TV
• Your app on the sending device relays messages between Apple TV and your key server
Provides the same level of security as local playback
FPS content is disabled by AirPlay Mirroring, not rendered in screenshots or recordings
FairPlay Streaming in Safari on OS X

FairPlay Streaming accessed through HTML5 Encrypted Media Extensions


Key delivery code must be written in JavaScript
• Example provided with FPS SDK
Same KSM can support both iOS clients and Safari on OS X
Supports AirPlay
Integrating FPS Into Your Web Page

Set m3u8 URL as src attribute of HTML <video> tag (as usual)
Add EventListener for 'webkitneedkey' to video element:
• Set EME CDM keySystem (video.webkitSetMediaKeys) to "com.apple.fps.1_0"
• Create keySession on "video/mp4" to relay messages with the keySystem
• Add Event handler for 'webkitkeymessage' to keySession:
- Send SPC request to your Key Server
- Provide CKC response to keySession.update()
Safari Request Flow

[Diagram: Your Key Database, Your Key Server, FPS KSM, Internet, Your Site, Safari, Your JS, EME; legend: Existing, Provided, Your Implementation. Numbered markers correspond to the steps below.]

1 User hits Play
2 Your Event Listener receives 'webkitneedkey' message
3 Your Event Listener creates keySession and waits for 'webkitkeymessage' Event
4 Your 'webkitkeymessage' Event Handler receives message containing SPC
5 Your Event Handler sends SPC to your Key Server
6 You update keySession upon receipt of CKC response
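
The page-side relay described in the Safari steps above, as an added example that is not the FPS SDK's sample code. `attachFpsKeyDelivery` and the `prepareInitData`, `requestCkc` and `onError` callbacks are hypothetical names your page would supply; the initData layout the key system expects is defined by the FPS SDK and is not shown in this deck.

```javascript
// Added example: wire Safari's prefixed EME events to your key server.
const FPS_KEY_SYSTEM = 'com.apple.fps.1_0';

// video: the <video> element whose src is the m3u8 URL.
// deps (all hypothetical, supplied by your page):
//   MediaKeys       - window.WebKitMediaKeys in Safari
//   prepareInitData - builds the session initData as the FPS SDK specifies
//   requestCkc      - sends the SPC to your key server, then calls
//                     back with (error, ckcBytes)
//   onError         - receives any failure so playback can stop cleanly
function attachFpsKeyDelivery(video, deps) {
  const { MediaKeys, prepareInitData, requestCkc, onError } = deps;

  video.addEventListener('webkitneedkey', (event) => {
    // Select the FPS key system once per video element.
    if (!video.webkitKeys) {
      video.webkitSetMediaKeys(new MediaKeys(FPS_KEY_SYSTEM));
    }
    const session = video.webkitKeys.createSession(
      'video/mp4', prepareInitData(event.initData));
    if (!session) {
      onError(new Error('could not create key session'));
      return;
    }
    // The key system reports its own failures on the session.
    session.addEventListener('webkitkeyerror', () =>
      onError(new Error('key session reported an error')));

    // The message payload is the SPC; relay it and hand back the CKC.
    session.addEventListener('webkitkeymessage', (msg) => {
      requestCkc(msg.message, (err, ckc) => {
        // Never pass an empty or malformed reply to the key system.
        if (err || !(ckc instanceof Uint8Array) || ckc.length === 0) {
          onError(err || new Error('key server returned no CKC'));
          return;
        }
        session.update(ckc);
      });
    });
  });
}
```

The SPC and CKC are opaque to this code; authenticating the user and authorizing the request happen on the key server, since FPS itself provides neither.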
FairPlay Streaming Integration Troubleshooting
Troubleshooting

Content doesn't play: content or key?
KEYFORMAT="identity"

Content
• Sample level encryption
• PAT/PMT, audio setup info
• Use supported codecs
• CK rotation on HLS segments

Key Delivery
• SPC generation failure
• Transport
• CK lookup
• CKC processing failure
Summary of FairPlay Streaming

FairPlay Streaming provides industrial-strength content protection for HLS


Built into iOS, Apple TV and Safari on OS X
Deeply integrated into the OS
Designed for power-efficient playback
Supports platform features such as AirPlay, external output protection, and HTML5
More Information

Documentation and Videos


FairPlay Streaming
http://developer.apple.com/streaming/fps/

Technical Support
Apple Developer Forums
http://developer.apple.com/forums

Developer Technical Support


http://developer.apple.com/support/technical
Labs

Graphics, Games
HTTP Live Streaming Lab and Media Lab B
Tuesday 11:00AM

Graphics, Games
AirPlay Lab and Media Lab B
Tuesday 3:30PM

Graphics, Games
AVKit and AV Foundation Lab and Media Lab A
Wednesday 1:30PM

Graphics, Games
AVKit and AV Foundation Lab and Media Lab B
Thursday 11:00AM

Graphics, Games
HTTP Live Streaming Lab and Media Lab C
Thursday 11:00AM
