Content Protection for HTTP Live Streaming€¦ · Industrial-strength protection for your HTTP...

#WWDC15

Content Protection for HTTP Live Streaming

Roger Pantos HTTP Live Streaming Engineer

Session 502

FairPlay Streaming

Overview of FairPlay Streaming (FPS)

Industrial-strength protection for your HTTP Live Streaming audio & video

Industrial-strength protection for your HTTP Live Streaming audio & videoAlready delivering keys in the premium content industry

Industrial-strength protection for your HTTP Live Streaming audio & videoAlready delivering keys in the premium content industryBuilt into iOS, Apple TV, and OS X

Industrial-strength protection for your HTTP Live Streaming audio & videoAlready delivering keys in the premium content industryBuilt into iOS, Apple TV, and OS XPower-efficient on mobile devices

Industrial-strength protection for your HTTP Live Streaming audio & videoAlready delivering keys in the premium content industryBuilt into iOS, Apple TV, and OS XPower-efficient on mobile devicesIntegrated with AirPlay

Industrial-strength protection for your HTTP Live Streaming audio & videoAlready delivering keys in the premium content industryBuilt into iOS, Apple TV, and OS XPower-efficient on mobile devicesIntegrated with AirPlayOffered under the Apple Developer Program License Agreement

Scope of FairPlay Streaming—What It Is

FairPlay Streaming is:

FairPlay Streaming is:• A secure key delivery mechanism

- Content Key is protected on the network and on the client during playback

- Content Key is protected on the network and on the client during playback• Key delivery is transport agnostic

- Easy to integrate with existing key server infrastructure

- Content Key is protected on the network and on the client during playback• Key delivery is transport agnostic

- Easy to integrate with existing key server infrastructure• Requires protected HDMI for external output

Scope of FairPlay Streaming—What It Isn’t

FairPlay Streaming does NOT:• Provide DRM rights expression or policy enforcement, or • Provide user authentication or per-device authorization

These can be implemented separately and combined with FPS

How to Use FairPlay Streaming

What Do You Need to Do?

Integrate a FairPlay Streaming Key Security Module (KSM) into your key server

Integrate a FairPlay Streaming Key Security Module (KSM) into your key serverAdd code to your app to relay key requests and responses

Integrate a FairPlay Streaming Key Security Module (KSM) into your key serverAdd code to your app to relay key requests and responsesFor each HLS asset that you wish to protect:• Generate and store a Content Key (CK) in your back-end database• Encrypt the asset using AES Sample encryption • Put a reference to the CK into your HLS playlist

Designing a FairPlay Streaming System

Gianpaolo FasoliFairPlay Streaming Engineer

Purpose and importance of your credentials

Purpose and importance of your credentialsBuilding blocks and data flows

Purpose and importance of your credentialsBuilding blocks and data flowsWhat we provide, what you have to build

Purpose and importance of your credentialsBuilding blocks and data flowsWhat we provide, what you have to buildIntegrating FPS into your Key Server

Purpose and importance of your credentialsBuilding blocks and data flowsWhat we provide, what you have to buildIntegrating FPS into your Key ServerTesting your Key Security Module

Purpose and importance of your credentialsBuilding blocks and data flowsWhat we provide, what you have to buildIntegrating FPS into your Key ServerTesting your Key Security ModuleIntegrating FPS into your app

Purpose and importance of your credentialsBuilding blocks and data flowsWhat we provide, what you have to buildIntegrating FPS into your Key ServerTesting your Key Security ModuleIntegrating FPS into your appEncrypting and testing your content

FairPlay Streaming Credentials

KSM Credentials differentiate you from other FPS deployments

KSM Credentials differentiate you from other FPS deployments• Playing content on a customer device requires production credentials

KSM Credentials differentiate you from other FPS deployments• Playing content on a customer device requires production credentials• You must protect your production credentials

FairPlay Streaming—Request Flow

ExistingProvidedYour Implementation

Internet

AVFoundation

Your App

AVFoundation Delegate

Your Key Server

FPS KSM

Your Key Database

Your app asks AVFoundation to play your protected HLS asset1

Internet

AVFoundation

Your App

Your Key Server

FPS KSM

Your Key Database

AVFoundation will download your m3u8 playlist containing the KEY tag2

Internet

AVFoundation

Your App

Your Key Server

FPS KSM

Your Key Database

AVFoundation will call your app delegate to request the key3

Internet

AVFoundation

Your App

Your Key Server

FPS KSM

Your Key Database

Your app delegate calls AVFoundation to create an FPS Server Playback Context request4

1 32 4

Internet

AVFoundation

Your App

Your Key Server

FPS KSM

Your Key Database

Your app delegate sends the FPS SPC to your key server5

Internet

AVFoundation

Your App

Your Key Server

FPS KSM

Your Key Database

Key server unwraps the SPC with your FPS KSM and performs CK lookup6

6 Internet

AVFoundation

Your App

Your Key Server

FPS KSM

Your Key Database

After lookup, your FPS KSM wraps the content key into a Content Key Context response7

Internet

AVFoundation

Your App

Your Key Server

FPS KSM

Your Key Database

81 3 4

Your app delegate provides the CKC to AVFoundation8

Internet

AVFoundation

Your App

Your Key Server

FPS KSM

Your Key Database

81 3 4

Now the device can decrypt and play the content9

Internet

AVFoundation

Your App

Your Key Server

FPS KSM

Your Key Database

What Is Provided

AVFoundation, including API for AVAssetResourceLoader delegate

What Is Provided

AVFoundation, including API for AVAssetResourceLoader delegateFairPlay Streaming SDK

What Is Provided

AVFoundation, including API for AVAssetResourceLoader delegateFairPlay Streaming SDK• Protocol specification

What Is Provided

AVFoundation, including API for AVAssetResourceLoader delegateFairPlay Streaming SDK• Protocol specification• Server reference implementation

What Is Provided

AVFoundation, including API for AVAssetResourceLoader delegateFairPlay Streaming SDK• Protocol specification• Server reference implementation• Server test vectors and validation tools

What Is Provided

AVFoundation, including API for AVAssetResourceLoader delegateFairPlay Streaming SDK• Protocol specification• Server reference implementation• Server test vectors and validation tools• Example content

What Is Provided

AVFoundation, including API for AVAssetResourceLoader delegateFairPlay Streaming SDK• Protocol specification• Server reference implementation• Server test vectors and validation tools• Example content• Client example code

Integrating FPS Into Your Key Server

Your Key Server must:• • Lookup CK by the asset identifier• Produce CKC response

Decrypt and validate SPC request

Decrypt and validate SPC requestKSM:

Implement KSM logic from scratch using protocol specification, or

Implement KSM logic from scratch using protocol specification, orCustomize the C reference implementation in the SDK (language, integration)

Testing Your Key Security Module

Supplied test vectors should be used to validate correctness of responses produced

Supplied test vectors should be used to validate correctness of responses produced• Your KSM implementation will consume test SPC request and produce response

Supplied test vectors should be used to validate correctness of responses produced• Your KSM implementation will consume test SPC request and produce response• Supplied tool will validate your produced CKC response

Test vectors are based on non-functional development credentials

Test vectors are based on non-functional development credentialsEnd-to-end playback test on device requires production credentials!

Integrating FPS Into Your App

Register an AVAssetResourceLoader delegate with AVAsset

AVAssetResourceLoader delegate must:

• Generate the SPC- handle shouldWaitForLoadingOfRequestedResource: for key requests- call -[AVAssetResourceLoadingRequest streamingContentKeyRequestDataForApp: contentIdentifier: options: error: ] to produce SPC

• Send SPC request to your Key Server

• Send SPC request to your Key Server• Provide CKC response (or error) to AVAssetResourceLoadingRequest

Encrypting and Testing Your Content

Encrypt your content with HLS Sample Encryption

Encrypt your content with HLS Sample Encryption • METHOD=SAMPLE-AES

Encrypt your content with HLS Sample Encryption • METHOD=SAMPLE-AES• KEYFORMAT=“com.apple.streamingkeydelivery”

Many 3rd-party encoders support HLS sample encryption

Many 3rd-party encoders support HLS sample encryption To check your encryption workflow

Many 3rd-party encoders support HLS sample encryption To check your encryption workflow• SDK contains an example of sample-encrypted content for comparison

Many 3rd-party encoders support HLS sample encryption To check your encryption workflow• SDK contains an example of sample-encrypted content for comparison• HLS mediafilesegmenter can produce encrypted content for comparison

FairPlay Streaming with AirPlay

AirPlay Video will transfer streaming operation to Apple TV

AirPlay Video will transfer streaming operation to Apple TVNo additional code needs to be written!

AirPlay Video will transfer streaming operation to Apple TVNo additional code needs to be written!SPC request is generated by FPS on Apple TV and CKC response is for Apple TV

AirPlay Video will transfer streaming operation to Apple TVNo additional code needs to be written!SPC request is generated by FPS on Apple TV and CKC response is for Apple TV• Your app on the sending device relays messages between Apple TV and your key server

Provides the same level of security as local playback

Provides the same level of security as local playbackFPS content is disabled by AirPlay Mirroring, not rendered in screenshots or recordings

FairPlay Streaming in Safari on OS X

FairPlay Streaming accessed through HTML5 Encrypted Media Extensions

FairPlay Streaming accessed through HTML5 Encrypted Media ExtensionsKey delivery code must be written in JavaScript

FairPlay Streaming accessed through HTML5 Encrypted Media ExtensionsKey delivery code must be written in JavaScript• Example provided with FPS SDK

Same KSM can support both iOS clients and Safari on OS X

Same KSM can support both iOS clients and Safari on OS XSupports AirPlay

Integrating FPS Into Your Web Page

Set m3u8 URL as src attribute of HTML <video> tag (as usual)

Set m3u8 URL as src attribute of HTML <video> tag (as usual)Add EventListener for ‘webkitneedkey‘ to video element:

Set EME CDM keySystem (video.webkitSetMediaKeys) to “com.apple.fps.1_0“

Set EME CDM keySystem (video.webkitSetMediaKeys) to “com.apple.fps.1_0“ Create keySession on “video/mp4” to relay messages with the keySystem

Set EME CDM keySystem (video.webkitSetMediaKeys) to “com.apple.fps.1_0“ Create keySession on “video/mp4” to relay messages with the keySystem Add Event handler for ‘webkitkeymessage’ to keySession:

Set EME CDM keySystem (video.webkitSetMediaKeys) to “com.apple.fps.1_0“ Create keySession on “video/mp4” to relay messages with the keySystem Add Event handler for ‘webkitkeymessage’ to keySession: Send SPC request to your Key Server

Set EME CDM keySystem (video.webkitSetMediaKeys) to “com.apple.fps.1_0“ Create keySession on “video/mp4” to relay messages with the keySystem Add Event handler for ‘webkitkeymessage’ to keySession: Send SPC request to your Key Server Provide CKC response to keySession.update()

Safari Request Flow

Your Key Database

Safari

Your Site

Your JSInternetYour Key

Server

FPS KSM

EMEExistingProvidedYour Implementation

Safari Request Flow

Your Key Database

Safari

Your Site

Your JSInternetYour Key

Server

FPS KSM

User hits Play1

Safari Request Flow

Your Key Database

Safari

Your Site

Your JSInternet

Your Key Server

FPS KSM

Your Event Listener receives ‘webkitneedkey’ message2

Safari Request Flow

Your Key Database

Safari

Your SiteInternet

Your Key Server

FPS KSM

Your JS

Your Event Listener creates keySession and waits for ‘webkitkeymessage’ Event3

Safari Request Flow

Your Key Database

Safari

Your SiteInternet

Your Key Server

FPS KSM

Your JS

Your ‘webkitkeymessage’ Event Handler receives message containing SPC4

Safari Request Flow

55Your Key Database

Safari

Your SiteInternet

Your Key Server

FPS KSM

Your JS

Your Event Handler sends SPC to your Key Server5

Safari Request Flow

55Your Key Database

Safari

Your Site

Your JS6

Internet6

Your Key Server

FPS KSM

You update keySession upon receipt of CKC response6

FairPlay Streaming Integration Troubleshooting

Troubleshooting

Content or Key?

Content Doesn’t Play

Troubleshooting

KEYFORMAT=“identity”

Content or Key?

Troubleshooting

Content

• Sample level encryption• PAT/PMT, audio setup info• Use supported codecs• CK rotation on HLS segments

Content or Key?

Troubleshooting

Content

• Sample level encryption• PAT/PMT, audio setup info• Use supported codecs• CK rotation on HLS segments

Key Delivery

• SPC generation failure• Transport• CK lookup• CKC processing failure

Content or Key?

Summary of FairPlay Streaming

FairPlay Streaming provides industrial-strength content protection for HLSBuilt into on iOS, Apple TV and Safari on OS XDeeply integrated into the OSDesigned for power-efficient playbackSupports platform features such as AirPlay, external output protection, and HTML5

More Information

Documentation and VideosFairPlay Streaminghttp://developer.apple.com/streaming/fps/

Technical SupportApple Developer Forumshttp://developer.apple.com/forums

Developer Technical Supporthttp://developer.apple.com/support/technical

HTTP Live Streaming Lab Graphics, Games and Media Lab B Tuesday 11:00AM

AirPlay Lab Graphics, Games and Media Lab B Tuesday 3:30PM

AVKit and AV Foundation Lab Graphics, Games and Media Lab A Wednesday 1:30PM

AVKit and AV Foundation Lab Graphics, Games and Media Lab B Thursday 11:00AM

HTTP Live Streaming Lab Graphics, Games and Media Lab C Thursday 11:00AM

Content Protection for HTTP Live Streaming€¦ · Industrial-strength protection for your HTTP...

Documents

Transcript of Content Protection for HTTP Live Streaming€¦ · Industrial-strength protection for your HTTP...

blake crosby cbc - NANOG Archive3 The#breakdown#for#April#2012# • Live%Radio%Streaming:%312%TB% • HTTP/Website %Delivery:271TB • Live%Video%Streaming:%1,610%TB% • Mobile%Video%Streaming:%9%TB%

Modeling Live Adaptive Streaming over HTTP · HTTP Streaming over di erent access networks is presented in [3]. Muller et al. compared Microsoft Smooth Steaming (MSS), Adobe HTTP

HTTP Live Streaming Abstract the actions to be taken by ... · 1. Introduction to HTTP Live Streaming HTTP Live Streaming provides a reliable, cost-effective means of delivering continuous

An Introduction To HLS (HTTP live streaming)

A Review of HTTP Live Streaming

Http Live Streaming - Mozilla · 2014-04-25 · • HTTP Live Streaming allows you to send/receive live or prerecorded and . • HLS supports multiple alternate

HTTP Streaming of MPEG Media

HIGH DENSITY TV SERVERS OPTIMIZED FOR TV DELIVERY · • Apple HTTP Live Streaming (HLS) • Dynamic Adaptive Streaming over HTTP (MPEG- DASH) • Progressive Download STREAM BITRATES

Live Streaming 101 - An Introduction to Social Live Streaming Apps

Bad Things to Avoid in Streaming Videoprs/15-441-F16/lectures/20-Video.pdf3rd Generation: HTTP Streaming Other terms for similar concepts: Adaptive Streaming, Smooth Streaming, HTTP

GPU-Based Multiplatform Transcoding - NVIDIA · o Microsoft Smooth Streaming, o HTTP Live Streaming, o Windows 8, Windows Phone 8, o Kinect, Xbox, Microsoft Pixelsense, o Enterprise

Interaction Media Streaming Server Technical … Media Streaming Server Technical Reference 7 HyperText Transfer Protocol (HTTP) Interaction Media Streaming Server uses HTTP to allow

Experimental Study of Low-Latency HD VoD Streaming Flexible …web.engr.oregonstate.edu/~benl/Publications/Conferences/CCNC201… · Streaming [5], Apple’s HTTP Live Streaming (HLS)

Live streaming

Kickstarter adds live streaming - Why Crowd Funding Loves Live Streaming

Dynamic Adaptive Streaming over HTTP (DASH)

SERVICE AND USER-BASED DISTRIBUTED SELECTION OF … Call 2… · Adaptive mechanisms are coping the market (Microsoft Smooth Streaming, HTTP Live Streaming, Adobe HTTP Dynamic Streaming,

Determining meaningful metrics for Adaptive Bit-rate ... · Apple HTTP Live Streaming (HLS) is the Apple format of the adaptive bit-rate streaming technique[7]. Apple packs baseline

SmoothCache: HTTP-Live Streaming Goes Peer-To-Peer · 2020-04-06 · SmoothCache: HTTP-Live Streaming Goes Peer-To-Peer Roberto Roverso 1; 2, Sameh El-Ansary , and Seif Haridi 1 Peerialism

HTTP Live Streaming Overview