Marlin Tutorial - marlin-community.com


Transcript of Marlin Tutorial - marlin-community.com

Marlin Tutorial: Applying Marlin Technology

Agenda

• Quick Introduction: How to build an end-to-end Marlin system in 30 minutes.

• Marlin Organization Overview

• Marlin Technology Primer

• Implementations of Marlin Specifications

◦ Content Packaging and Distribution Technology

◦ Marlin Server Technology

◦ Marlin Client Technology

• Implementation Security

• Q&A

Quick Introduction: Build an End-to-End Marlin System

• Packaging clear-text content into a protected format

• Implementing a Marlin MS3 Streaming-only Server Solution

• Implementing a Marlin Broadband DRM Server Solution

• Implementing an HbbTV application content playback functionality

Marlin Organization Overview

Marlin Organization Overview: What is Marlin?

Founded in 2005 by five companies: Intertrust, Panasonic, Philips, Samsung and Sony

• Marlin Developer Community (MDC)

• Marlin Partner Program (MPP)

• Marlin Trust Management Organization (MTMO)

• Marlin Organization Relationships

• Additional Information

Marlin Developer Community: What is the MDC?

• MDC formed in 2006 by Intertrust, Panasonic, Philips, Samsung, and Sony

• Charter is to develop open-standards-based DRM specifications

• The community develops the specifications, plus reference and conformance test criteria

• Promotes Marlin technology worldwide

Marlin Partner Program: What is the MPP?

• Marlin Partner Program is a forum for solutions providers

• Over 35 partner companies provide expertise across the value chain

• Includes Technology Solutions Providers and System Integrators

• MPP membership includes non-commercial access to SDKs

Marlin Partner Network: Who is in the MPP?

Marlin Trust Management Organization: What is the MTMO?

• Sister organization to the MDC formed in 2006

• Provides compliance and robustness requirements

• Remediation Policy Management

• Manages Marlin PKI Root Certificates

• Delegation of Trust Services to Certified Trust Service Providers (TSP)

◦ Key and Trust Management Operations

Relationship of MDC and MTMO: Functions and Roles

Additional Information

Marlin Developer Community MDC (www.marlin-community.com)

Marlin Partner Program MPP (www.marlin-community.com/partner)

Marlin Trust Management Organization MTMO (www.marlin-trust.com)

Seacert Corporation (www.seacert.com)

Marlin Technology Primer

Marlin Technology Primer: Topics

• Organization of the Specifications

• Why would you care about the Specifications

• Platform Technology & Delivery Systems

• Essential Broadband Service Protocols

• Overview - How Marlin Works

The Marlin Specifications: Organization

• As found in the Download Bundles on the MPP site:

◦ IPTV-ES (supports a Japanese national initiative; deployed in all connected TVs in Japan)

◦ Marlin Broadband (the bulk of Marlin DRM Technology)

◦ OMArlin (how to bridge OMA and Marlin)

◦ Other Specs and Guidelines

• Why care about the Specifications?

◦ Referenced in compliance and conformance rules

◦ Licensees declare which specification version they implement

◦ Relevant if you are building an implementation from the specifications

Platform Technology: Platform & Delivery System Specifications

• NEMO Technology Platform

◦ Trusted communications framework

• Octopus DRM Technology Platform

◦ General-purpose DRM technical specification

• Marlin Core System

◦ Defines key and trust management functionality of Marlin

◦ Profiles the NEMO and Octopus technology platform specifications

• Delivery Systems

◦ Define how the Platform Technology Specifications are applied to practical end-to-end DRM ecosystems

◦ Provide additional specifications to constrain the implementation diversity that would otherwise be possible

NEMO Framework & Octopus DRM: What is NEMO?

NEMO provides the trusted "plumbing" between the various functional components. NEMO combines SOAP web services with SAML authorizations to provide end-to-end message integrity and confidentiality protection, entity authentication, and role-based service authorization.

What is Octopus?

Octopus is a general-purpose DRM architecture composed of:

• Object Model used to model application-specific entities and their relationships (Nodes and Links)

• Control Model represents rules and enforces governance (Plankton)

• Key Distribution System overlay (Scuba)

• Secure State Management (Seashell)

Marlin Core System (MCS): What is MCS?

The Marlin Core System Specification defines a common infrastructure for all Marlin Delivery Systems to build upon. Fundamentally the goal of MCS is to enable interoperation among disparate implementations of Marlin technology.

• Concretely specifies the NEMO security mechanisms, bindings and policies

• Defines the representation of Octopus Objects

• Defines the relationship of Octopus Objects to enable various business models

• Defines Octopus Control actions needed to govern access to A/V content

• Defines a Trust Model and a Key Management System

(Notable) Delivery Systems

• Marlin Broadband Delivery System (MBB)

◦ Persistent content protection

◦ Flexible and extensible rights management

◦ Business models include: electronic sell-through, rental, and subscription

• Marlin Simple Stream Setup (MS3)

◦ Simple subset of Marlin Broadband

◦ Persistent content protection

◦ Streaming only

• Marlin IPTV-ES

◦ Streaming to Connected TVs, STBs & BluRay players

◦ Support for PVR

How Marlin Works: A simple Use Case Illustrated

• http://www.marlin-community.com/technology/how_marlin_works

MBB Protocol

MS3 Protocol

Content Technology

Content Packaging and Distribution: Format Families

Common Elements

• Structured file and data structures

• Encrypted payloads

• Metadata

• Delivery Protocols

Packaging Process

Marlin BBTS

• Marlin Broadband Transport Stream Specification

• MPEG2-TS

• Based on ISO/IEC 62455

• Packet encryption: CBC with ANSI/SCTE block termination

• Optional single-key-layer mode

Packaging BBTS Content

Content Identification (program-based or service-based):

cid:marlin#P||serviceBaseCID||"@"||hex(program_CID_extension)
cid:marlin#S||serviceBaseCID||"@"||hex(service_CID_extension)

Example:

cid:marlin#Purn:marlin:organization:example:video:1234@00000001

The content id (CID) is composed of a service namespace identifier (a URN) and a content-item-specific 32-bit value, hex-encoded as 8 digits after the "@".

serviceBaseCID = urn:marlin:organization:hms:bbts
CID extension = 0a0b0c0d (used below with the program-based form, #P)

Content Key (128-bit value):

000102030405060708090a0b0c0d0e0f
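The CID grammar above is easy to get subtly wrong (an extension that is not exactly 8 hex digits, or a "#" that reaches a URL unencoded and silently truncates the id at the fragment). The following is an added example, not part of the tutorial or of the Marlin packaging tools: it builds and parses CIDs according to the two forms quoted above, checks that the extension fits in 32 bits, forms the CID::KEY value that the tutorial passes to Ts2Encrypt/Ts2Decrypt, and percent-encodes a CID for a query string. The URN check on serviceBaseCID and the helper names are this example's own assumptions.

```python
"""Build, parse and validate Marlin content identifiers (CIDs).

Added example, not part of the Marlin tutorial or its tools. Implements the
CID grammar quoted in the tutorial:

    cid:marlin#P||serviceBaseCID||"@"||hex(program_CID_extension)
    cid:marlin#S||serviceBaseCID||"@"||hex(service_CID_extension)

The URN check on serviceBaseCID, the 32-bit range check and the
percent-encoding helper are this example's own additions.
"""
import re
from urllib.parse import quote

PREFIX = "cid:marlin#"
KINDS = {"P": "program", "S": "service"}
# serviceBaseCID is a URN; every example in the tutorial starts with urn:marlin:
_BASE_RE = re.compile(r"^urn:[A-Za-z0-9][A-Za-z0-9-]{0,31}:[^@\s]+$")


def build_cid(kind: str, service_base_cid: str, extension: int) -> str:
    """Return a CID string; kind is 'P' (program-based) or 'S' (service-based)."""
    if kind not in KINDS:
        raise ValueError(f"kind must be P or S, got {kind!r}")
    if not _BASE_RE.match(service_base_cid):
        raise ValueError(f"serviceBaseCID is not a URN: {service_base_cid!r}")
    if not 0 <= extension <= 0xFFFFFFFF:
        raise ValueError("CID extension must be a 32-bit value")
    # the extension is hex-encoded as exactly 8 lowercase digits
    return f"{PREFIX}{kind}{service_base_cid}@{extension:08x}"


def parse_cid(cid: str) -> dict:
    """Split a CID into its parts, rejecting anything outside the grammar."""
    if not cid.startswith(PREFIX):
        raise ValueError("not a Marlin CID")
    body = cid[len(PREFIX):]
    kind, rest = body[:1], body[1:]
    if kind not in KINDS:
        raise ValueError(f"unknown CID kind {kind!r}")
    base, sep, ext = rest.rpartition("@")
    if not sep or not re.fullmatch(r"[0-9a-fA-F]{8}", ext):
        raise ValueError("CID extension must be exactly 8 hex digits after '@'")
    if not _BASE_RE.match(base):
        raise ValueError(f"serviceBaseCID is not a URN: {base!r}")
    return {"kind": KINDS[kind], "service_base_cid": base, "extension": int(ext, 16)}


def key_argument(cid: str, content_key_hex: str) -> str:
    """Form the CID::KEY value that Ts2Encrypt/Ts2Decrypt take via --key."""
    parse_cid(cid)  # raises if the id itself is malformed
    if not re.fullmatch(r"[0-9a-fA-F]{32}", content_key_hex):
        raise ValueError("content key must be 128 bits (32 hex digits)")
    return f"{cid}::{content_key_hex.lower()}"


def cid_for_query(cid: str) -> str:
    """Percent-encode a CID for a URL query string.

    '#' must become %23: sent raw, it would start the URL fragment and the
    server would never see the part of the CID after it.
    """
    return quote(cid, safe=":@")


if __name__ == "__main__":
    cid = build_cid("P", "urn:marlin:organization:hms:bbts", 0x0A0B0C0D)
    print(cid, parse_cid(cid), cid_for_query(cid), sep="\n")
```

parse_cid deliberately rejects the CID::KEY form: the key suffix is a command-line convention of the packaging tools, not part of the content id, and must never be sent where only the id is expected.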

Ts2Encrypt Command Line: BBTS Encryption

Ts2Encrypt --key cid:marlin#Purn:marlin:organization:hms:bbts@0a0b0c0d::000102030405060708090a0b0c0d0e0f --rights-issuer http://example.com bigbucksbunny-trailer.ts bigbucksbunny-trailer.bbts

The --key value is the content id, "::" and the 128-bit content key as 32 hex digits. If your shell treats "#" as the start of a comment, quote the value or escape it as \# (as in the MS3 example later).

BBTS Decryption

Ts2Decrypt --key cid:marlin#Purn:marlin:organization:hms:bbts@0a0b0c0d::000102030405060708090a0b0c0d0e0f bigbucksbunny-trailer.bbts bigbucksbunny-trailer.ts


Ts2Info Command Line: BBTS Information

Ts2Info bigbucksbunny-trailer.bbts

Marlin Protected file:
Marlin content id is cid:marlin#Purn:marlin:organization:hms:bbts@0a0b0c0d::000102030405060708090a0b0c0d0e0f
Rights issuer url is http://example.com

DCF

• Specified in OMA DCF 2.x

• Wrapper for any media type

• Bulk Encryption: AES 128 CBC, CTR

• ISO MP4 file format structure

• Standardized metadata: Content ID, Rights Issuer URL

• Custom headers for extensions

• Mime Type: application/vnd.oma.drm.dcf

• File Extensions: .odf, .oda (Audio), .odv (Video), .mra (Marlin Audio), .mrv (Marlin Video)

Packaging DCF Content: Encrypting DCF with mp4dcfpackager

mp4dcfpackager --method CBC --content-type audio/mp3 --content-id urn:marlin:organization:example:01234 --rights-issuer http://example.com --key 00112233445566778899aabbccddeeff:00000000000000000000000000000000 song.mp3 song.mra

The --key value is the 128-bit content key followed by ":" and the IV.

Unpackaging DCF

mp4decrypt --key 1:00112233445566778899aabbccddeeff song.mra song-clear.odf

NB: the resulting file is still in DCF format (cleartext). Use mp4extract to extract the 'odda' box and cut the first 8 bytes.

PDCF

• Specified in OMA DCF 2.x

• For media in ISO MP4 containers

• Per-frame Encryption: AES 128 CBC, CTR

• ISO MP4 Encryption signaling (enca, encv)

• Custom headers for extensions

• Mime Type: video/mp4

• File Extensions: .mp4, .m4a (Audio), .m4v (Video), .mla (Marlin Audio), .mlv (Marlin Video)

Packaging PDCF Content

MP4 files packaged as PDCF content can have individual tracks encrypted with the same or different keys. For each protected track, a unique content id must be chosen.

Content Identification

audio: urn:marlin:organization:hms:8puslic:00000000010f510070000000000000007f00000000000100
video: urn:marlin:organization:hms:8puslic:00000000010f510070000000000000007f00000000000101

Content Key

000102030405060708090a0b0c0d0e0f

Cryptographic Algorithm and Initialization Vector

OMA-PDCF-CTR, IV 0000000000000000

PDCF Packaging: mp4encrypt Command Line

mp4encrypt --method OMA-PDCF-CTR --key 1:000102030405060708090a0b0c0d0e0f:0000000000000000 --key 2:000102030405060708090a0b0c0d0e0f:0000000000000000 --property 1:ContentId:urn:marlin:organization:hms:8puslic:00000000010f510070000000000000007f00000000000100 --property 2:ContentId:urn:marlin:organization:hms:8puslic:00000000010f510070000000000000007f00000000000101 bigbucksbunny-trailer.mp4 bigbucksbunny-trailer.mlv

Each --key is track-number:key:IV and each --property attaches the ContentId to that track.

mp4decrypt Command Line

mp4decrypt --key 1:000102030405060708090a0b0c0d0e0f:0000000000000000 --key 2:000102030405060708090a0b0c0d0e0f:0000000000000000 bigbucksbunny-trailer.mlv bigbucksbunny-trailer.mp4


Adaptive Streaming

• Source audio & video is encoded at one or more bit-rate variants, with aligned GOPs (Groups of Pictures)

• Each variant is split into small segments (2-10 seconds), each with one or more GOPs

• An index provides a description, duration and location (URL) of segments

• Client retrieves the index, and segments one by one using HTTP

• Client can switch to a different bit-rate at each new segment

Adaptive Streaming

Marlin Mappings

• Marlin Adaptive Streaming Specification - Simple Profile

• MPEG DASH

◦ MP4: Fragmented MP4 with Common Encryption (CENC, AES-128 CTR)

◦ MPEG2-TS: BBTS segments

• HLS

◦ BBTS segments (AES 128 CBC)

◦ Whole-segment encryption (AES-128 CBC)

HLS

• draft-pantos-http-live-streaming-07

• Segments encrypted with BBTS or Bulk

Bulk:

◦ METHOD=AES-128 (MANDATORY) as specified in [HLS], §3.2.3

◦ IV (OPTIONAL) as specified in [HLS]

◦ CID="<ContentId>" (MANDATORY) content identifier

BBTS:

◦ METHOD=MARLIN-BBTS (MANDATORY)

◦ CID="<ContentId>" (MANDATORY) content identifier

HLS Packaging

• Encrypt each segment (Bulk or BBTS)

• Use same key for all bit-rates

• BBTS: use Ts2AdaptiveAwareEncrypt to guarantee that IVs will match
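The EXT-X-KEY mapping and the packaging rule above (one key, and therefore one CID, across all bit-rates) are what a client or a packaging pipeline should verify before a segment is ever fetched. The following is an added example, not part of the tutorial or of any Marlin tool: it parses the EXT-X-KEY tag as listed above (METHOD=AES-128 with an optional IV for bulk segments, METHOD=MARLIN-BBTS for BBTS segments, CID mandatory in both cases) and checks that all variant playlists of one stream carry the same CID. The CID and IV patterns, the cross-variant check and the playlists are this example's own constructions.

```python
"""Check the Marlin EXT-X-KEY signalling in HLS media playlists.

Added example, not part of the Marlin tutorial or of any Marlin tool.
Implements the attribute rules listed above (Bulk: METHOD=AES-128, IV
optional, CID mandatory; BBTS: METHOD=MARLIN-BBTS, CID mandatory). The
cross-variant CID check and the sample playlists are this example's own.
"""
import re

_ATTR_RE = re.compile(r'([A-Z0-9-]+)=("[^"]*"|[^,]*)')
# CID form used in this tutorial; IV is a 128-bit hex value with 0x prefix as in HLS
_CID_RE = re.compile(r'^cid:marlin#[PS][^@]+@[0-9a-fA-F]{8}$')
_IV_RE = re.compile(r'^0x[0-9a-fA-F]{32}$')


def parse_attributes(attr_list: str) -> dict:
    """Split an HLS attribute list, stripping the quotes of quoted-string values."""
    return {m.group(1): m.group(2).strip('"') for m in _ATTR_RE.finditer(attr_list)}


def check_key_tag(attrs: dict) -> str:
    """Validate one EXT-X-KEY attribute set; return 'bulk' or 'bbts', or raise."""
    method = attrs.get("METHOD")
    if method == "NONE":
        raise ValueError("segments are unencrypted (METHOD=NONE)")
    if method not in ("AES-128", "MARLIN-BBTS"):
        raise ValueError(f"unsupported METHOD {method!r}")
    cid = attrs.get("CID")
    if not cid or not _CID_RE.match(cid):
        raise ValueError("CID is mandatory and must be a Marlin content id")
    if method == "AES-128":
        # IV is optional for bulk encryption; if present it must be well-formed
        if "IV" in attrs and not _IV_RE.match(attrs["IV"]):
            raise ValueError("IV must be 0x followed by 32 hex digits")
        return "bulk"
    return "bbts"


def key_tags(playlist: str) -> list[dict]:
    """Return the validated EXT-X-KEY tags of one media playlist, in order."""
    tags = []
    for line in playlist.splitlines():
        if line.startswith("#EXT-X-KEY:"):
            attrs = parse_attributes(line[len("#EXT-X-KEY:"):])
            attrs["MODE"] = check_key_tag(attrs)
            tags.append(attrs)
    if not tags:
        raise ValueError("playlist carries no EXT-X-KEY tag")
    return tags


def common_cid(variants: dict[str, str]) -> str:
    """All bit-rate variants must be keyed under one CID (the packaging rule above)."""
    cids = {name: {t["CID"] for t in key_tags(pl)} for name, pl in variants.items()}
    all_cids = set().union(*cids.values())
    if len(all_cids) != 1:
        raise ValueError(f"variants disagree on CID: {cids}")
    return all_cids.pop()


# Constructed playlists for two bit-rate variants of the same BBTS stream.
VARIANT_500K = """#EXTM3U
#EXT-X-VERSION:3
#EXT-X-TARGETDURATION:10
#EXT-X-KEY:METHOD=MARLIN-BBTS,CID="cid:marlin#Purn:marlin:organization:hms:bbts@0a0b0c0d"
#EXTINF:10.0,
seg500k-0.bbts
#EXTINF:10.0,
seg500k-1.bbts
#EXT-X-ENDLIST
"""
VARIANT_1500K = VARIANT_500K.replace("500k", "1500k")

if __name__ == "__main__":
    print(common_cid({"500k": VARIANT_500K, "1500k": VARIANT_1500K}))
```

A mismatch between variants is worth failing on rather than logging: a player that switches bit-rate mid-stream would otherwise have to request a second license, and a packaging job that produced it has not followed the rule above.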

MPEG DASH

• ISO/IEC 23009-1 (Information technology — Dynamic adaptive streaming over HTTP (DASH) — Part 1: Media presentation description and segment formats)

• ISO/IEC 23001-7 (Information technology — MPEG systems technologies — Part 7: Common encryption in ISO base media file format files)

DASH MP4

• Input must be GOP-aligned

• Fragment the MP4 if it is not already fragmented (mp4fragment tool)

• Encrypt fragmented MP4 file

• Insert Marlin info in MPD

Server Side Technology

Marlin Server Side Technology: Server Side Implementation Options

• Hosted Marlin Service

• Bluewhale Marlin Broadband Server

• Roll-your-own DRM Server

Hosted Marlin Service (HMS): HMS Overview

Service Architecture using HMS

HMS Overview

• A REST API for issuing rights to content

• Content packaging tools

• Sample clients and tools to verify your service implementation

• Simple and cost-effective to operate

HMS Architecture

Setting Up an HMS Service: 5 Easy Steps

• Set up an account

• Review the REST API

• Integrate DRM support into the content store interface

• Package the content

• Test the system with actual target devices or the command line device simulators

Set Up an Account

• Sign up for the service at https://www.hostedmarlin.com/

• After sign-up a customer authenticator (authentication code) is created

◦ Your service presents it to HMS to identify itself; treat it as a secret

Review the REST API

• HMS provides a simple REST API to issue rights to content

• The result of the REST API is either an MS3 compound URI or a Marlin Broadband Action Token

• HMS REST API documentation and tutorial are available at: https://www.hostedmarlin.com/help.

HMS Under the Hood: Transaction Tokens

HMS operates by issuing transaction tokens to service providers that are then redeemed, by a media-aware client application, for a DRM object such as a license for a particular content item.

HMS supports three types of transaction tokens:

• MS3 License

• Marlin Broadband License

• Marlin Broadband Registration

MS3 Transaction Token Parameters

customerAuthenticator

The Customer Authenticator that was provided on the CMI web site.

contentId

For a single content id the syntax is contentId=<id>. For multiple content ids the syntax is contentId.N=<id>, with N starting at 0 (as in the curl examples below).

contentKey

For a single content key the syntax is contentKey=<key>. For multiple content keys the syntax is contentKey.N=<key>. The value of N must correspond with the contentId having the same N.

contentURL

This is the URL where the protected content can be downloaded. It will be embedded in the transaction token (a URL for MS3 Licenses).

Acquiring an MS3 Transaction Token

Given the following parameters:

customer authenticator: FOOBAR

content id: cid:marlin#Purn:marlin:organization:hms:bbts@0a0b0c0d

content key: 000102030405060708090a0b0c0d0e0f

A transaction token can be requested with curl (note the "#" of the content id is sent as %23; unencoded it would start the URL fragment):

curl 'https://eval.hostedmarlin.com/hms/ms3/token?customerAuthenticator=FOOBAR&contentId=cid:marlin%23Purn:marlin:organization:hms:bbts@0a0b0c0d&contentKey=000102030405060708090a0b0c0d0e0f&contentURL=http://example.com/bigbucksbunny' > ms3_compound_uri.txt

In the above example, an errorFormat parameter was not specified so the default of HTML will be used. Alternatively errorFormat=json could have been added to the query string.

Redeeming an MS3 Transaction Token

Assuming the Marlin client has already been personalized (e.g. with WasabiSushiPersonalize), the transaction token (i.e., an MS3CompoundURI) can be redeemed for an MS3 Stream Access Statement (SAS).

Ms3SampleClient `cat ms3_compound_uri.txt`

--- MS3 Client 1.0 ---
Retrieving URL https://eval.hostedmarlin.com:8443/hms/ms3/rights/?...
SAS:
Key 1:
  Content ID: f3b4309701e2ed67ff75a069df70f6f73ce202af
  Key Value: 000102030405060708090a0b0c0d0e0f
  Authenticator:
  Flags: (none)
Output Control: (0,0 hex)
[No Extensions]
Content URL: http://example.com/bigbucksbunny

Playing MS3 Protected Media

Using the content id and content key the BBTS file can be decrypted and played:

Ts2Decrypt --key cid:marlin\#Purn:marlin:organization:hms:bbts@0a0b0c0d::000102030405060708090a0b0c0d0e0f bigbucksbunny-trailer.bbts decrypted.ts

For BBTS we can also use WasabiCopyMedia by providing the SAS directly:

WasabiCopyMedia -t video/MP2T `cat ms3_compound_uri.txt` decrypted.ts

And finally playback can be invoked with ffplay:

ffplay decrypted.ts

MBB License Acquisition Token

customerAuthenticator

The Customer Authenticator that was provided on the CMI web site.

actionTokenType

This value should be 1 for a Broadband License Transaction Token.

contentId

The syntax is contentId= or contentId.N= for multiple content ids.

contentKey

The syntax is contentKey= or contentKey.N= for multiple content keys.

rightsType

This value is either BuyToOwn or Rental. Rental requires the rental.periodEndTime and rental.playDuration parameters.

Acquiring an MBB Action Token

Given the following parameters:

customer authenticator: FOOBAR

audio: content id urn:marlin:organization:hms:8puslic:00000000010f510070000000000000007f00000000000100, content key 000102030405060708090a0b0c0d0e0f

video: content id urn:marlin:organization:hms:8puslic:00000000010f510070000000000000007f00000000000101, content key 000102030405060708090a0b0c0d0e0f

A transaction token can be requested with curl:

curl 'https://eval.hostedmarlin.com/hms/bb/token?actionTokenType=1&customerAuthenticator=FOOBAR&contentId.0=urn:marlin:organization:hms:8puslic:00000000010f510070000000000000007f00000000000100&contentKey.0=000102030405060708090a0b0c0d0e0f&contentId.1=urn:marlin:organization:hms:8puslic:00000000010f510070000000000000007f00000000000101&contentKey.1=000102030405060708090a0b0c0d0e0f&rightsType=BuyToOwn' > bb_license_action_token.xml

Redeeming an MBB License Token

Assuming the Marlin client has already been personalized (e.g. with WasabiSushiPersonalize), the transaction token (i.e., an ActionToken) can be redeemed for an MBB License.

WasabiSushiProcessToken --save-license license_device_bound.xml bb_license_action_token.xml

==== Sushi Token Processor V1.0 =======================================
SDK API Version: 0.1.1.6
SDK IMP Version: 1040000
SDK IMP Build: 7157
SDK IMP Details: (c) 2005-2010 Intertrust Technologies / Revision 7157
OnEvent - > BEGIN [SHI_TRANSACTION_TYPE_SERVICE_TOKEN_PROCESSING]
OnEvent - > PROGRESS: 0 of 3
OnEvent - > PROGRESS: 1 of 3
OnEvent - >> BEGIN [SHI_TRANSACTION_TYPE_LICENSE_ACQUISITION]
OnEvent - >> PROGRESS: 0 of 2
OnEvent - >> PROGRESS: 1 of 2
OnEvent - >> EVENT: event type 9
OnEvent - >> PROGRESS: 2 of 2
OnEvent - >> END: code=0, message=''
OnEvent - > PROGRESS: 2 of 3
OnEvent - > PROGRESS: 3 of 3
OnEvent - > END: code=0, message=''
OnEvent - DONE
======================================================================

Inspecting the MBB License

The redemption of the Action Token resulted in receiving a file license_device_bound.xml. To interrogate the license, supply the relevant contentIds to WasabiSushiAction:

WasabiSushiAction Perform Play license_device_bound.xml urn:marlin:organization:hms:8puslic:00000000010f510070000000000000007f00000000000100 urn:marlin:organization:hms:8puslic:00000000010f510070000000000000007f00000000000101

==== Sushi Action V1.0 =============================================
SDK API Version: 0.1.1.6
SDK IMP Version: 1040000
SDK IMP Build: 7157
SDK IMP Details: (c) 2005-2010 Intertrust Technologies / Revision 7157
Action Result: GRANTED
Action Result Info Flag(s):
KEY 0 = 000102030405060708090a0b0c0d0e0f
KEY 1 = 000102030405060708090a0b0c0d0e0f
======================================================================

Playing MBB Protected Media

Using the content keys granted by the license, the PDCF file (.mlv) can be decrypted and played:

mp4decrypt --key 1:000102030405060708090a0b0c0d0e0f --key 2:000102030405060708090a0b0c0d0e0f bigbucksbunny-trailer.mlv decrypted.mp4

And finally playback can be invoked with ffplay:

ffplay decrypted.mp4

MBB Registration Action Token

customerAuthenticator

The Customer Authenticator that was provided on the CMI web site.

actionTokenType

This value should be 0 for a Broadband Registration Action Token.

userId

The user id to associate with this user.

userKey

The user key to associate with this user.

Acquiring an MBB Registration Token

Given the following parameters:

userId 12345678
userKey 000102030405060708090a0b0c0d0e0f

Request the token using curl:

curl 'https://eval.hostedmarlin.com/hms/bb/token?actionTokenType=0&customerAuthenticator=FOOBAR&userId=12345678&userKey=000102030405060708090a0b0c0d0e0f' > bb_registration_token.xml

Redeeming a Registration Token

Assuming the Marlin client has already been personalized (e.g. with WasabiSushiPersonalize), the transaction token (i.e., an ActionToken) can be redeemed to register the client to the user. The trace shows the user registration followed by the link acquisition that binds the device to the user node:

WasabiSushiProcessToken bb_registration_token.xml

==== Sushi Token Processor V1.0 =============================================
SDK API Version: 0.1.1.6
SDK IMP Version: 1040000
SDK IMP Build: 7157
SDK IMP Details: (c) 2005-2010 Intertrust Technologies / Revision 7157
OnEvent - > BEGIN [SHI_TRANSACTION_TYPE_SERVICE_TOKEN_PROCESSING]
OnEvent - > PROGRESS: ...
OnEvent - >> BEGIN [SHI_TRANSACTION_TYPE_USER_REGISTRATION]
OnEvent - >> PROGRESS: ...
OnEvent - >> END: code=0, message=''
OnEvent - > PROGRESS: 2 of 4
OnEvent - >> BEGIN [SHI_TRANSACTION_TYPE_LINK_ACQUISITION]
OnEvent - >> PROGRESS: ...
OnEvent - >> END: code=0, message=''
OnEvent - > PROGRESS: ...
OnEvent - > END: code=0, message=''
OnEvent - DONE
======================================================================

User Bound License Token

To request an Action Token for a user-bound license you provide the same parameters as for a device-bound license plus the user-specific information supplied at registration.

The requisite parameters are:

customerAuthenticator, actionTokenType, contentId, contentKey, rightsType, userId, userKey

The command line request:

curl 'https://eval.hostedmarlin.com/hms/bb/token?actionTokenType=1&customerAuthenticator=FOOBAR&contentId.0=urn:marlin:organization:hms:8puslic:00000000010f510070000000000000007f00000000000100&contentKey.0=000102030405060708090a0b0c0d0e0f&contentId.1=urn:marlin:organization:hms:8puslic:00000000010f510070000000000000007f00000000000101&contentKey.1=000102030405060708090a0b0c0d0e0f&rightsType=BuyToOwn&userId=12345678&userKey=000102030405060708090a0b0c0d0e0f' >bb_user_bound_license_action_token.xml
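The four request shapes above (MS3 token, device-bound Broadband license, registration, user-bound license) differ only in their query parameters, and the hand-written curl lines make it easy to mismatch a contentId.N with its contentKey.N or to leave a "#" unencoded. The following is an added example, not part of the tutorial and not an HMS client library: it assembles each request with urllib so every value is percent-encoded, pairs ids and keys by index, enforces the parameter rules stated above (128-bit keys, actionTokenType 1 vs 0, Rental requiring rental.periodEndTime and rental.playDuration), and produces a log-safe copy of the URL. The requests are only built, not sent; the eval host is the one used in the curl examples, and the parameter names, redaction rule and errorFormat=json default are this example's own choices.

```python
"""Build HMS transaction-token requests and a log-safe form of them.

Added example, not part of the Marlin tutorial and not an HMS client library.
Assembles the query strings shown in the tutorial for MS3 tokens, Broadband
license tokens, registration tokens and user-bound license tokens. The
validation rules come from the parameter descriptions above; the redaction
helper, EVAL_BASE and the errorFormat default are this example's choices.
"""
import re
from urllib.parse import urlencode, urlsplit, urlunsplit, parse_qsl

EVAL_BASE = "https://eval.hostedmarlin.com/hms"      # host used by the tutorial's curl examples
_HEX128 = re.compile(r"^[0-9a-fA-F]{32}$")
SECRET_PARAMS = {"customerAuthenticator", "userKey"}  # never written to logs
SECRET_PREFIXES = ("contentKey",)                     # contentKey, contentKey.0, ...


def _check_key(name: str, value: str) -> None:
    if not _HEX128.match(value):
        raise ValueError(f"{name} must be a 128-bit key as 32 hex digits")


def _content_params(content: list[tuple[str, str]]) -> list[tuple[str, str]]:
    """contentId/contentKey for one item, or contentId.N/contentKey.N with matching N."""
    if not content:
        raise ValueError("at least one (contentId, contentKey) pair is required")
    params = []
    for n, (cid, key) in enumerate(content):
        _check_key(f"contentKey.{n}", key)
        if len(content) == 1:
            params += [("contentId", cid), ("contentKey", key)]
        else:
            params += [(f"contentId.{n}", cid), (f"contentKey.{n}", key)]
    return params


def ms3_token_url(customer_authenticator, content, content_url, error_format="json"):
    """MS3 token request; the result is an MS3 compound URI for the client."""
    params = [("customerAuthenticator", customer_authenticator)]
    params += _content_params(content)
    params += [("contentURL", content_url), ("errorFormat", error_format)]
    return f"{EVAL_BASE}/ms3/token?{urlencode(params)}"


def bb_license_token_url(customer_authenticator, content, rights_type, rental=None, user=None):
    """Device-bound license token (actionTokenType=1); user=(userId, userKey) makes it user-bound."""
    if rights_type not in ("BuyToOwn", "Rental"):
        raise ValueError("rightsType must be BuyToOwn or Rental")
    params = [("actionTokenType", "1"), ("customerAuthenticator", customer_authenticator)]
    params += _content_params(content)
    params.append(("rightsType", rights_type))
    if rights_type == "Rental":
        if not rental or "periodEndTime" not in rental or "playDuration" not in rental:
            raise ValueError("Rental requires rental.periodEndTime and rental.playDuration")
        params += [("rental.periodEndTime", str(rental["periodEndTime"])),
                   ("rental.playDuration", str(rental["playDuration"]))]
    if user:
        user_id, user_key = user
        _check_key("userKey", user_key)
        params += [("userId", user_id), ("userKey", user_key)]
    return f"{EVAL_BASE}/bb/token?{urlencode(params)}"


def bb_registration_token_url(customer_authenticator, user_id, user_key):
    """Registration token (actionTokenType=0) binding the device to a user."""
    _check_key("userKey", user_key)
    params = [("actionTokenType", "0"), ("customerAuthenticator", customer_authenticator),
              ("userId", user_id), ("userKey", user_key)]
    return f"{EVAL_BASE}/bb/token?{urlencode(params)}"


def query_params(url: str) -> dict:
    """Decode a built request's query string back into a dict (for inspection)."""
    return dict(parse_qsl(urlsplit(url).query, keep_blank_values=True))


def redact(url: str) -> str:
    """Copy of the URL with the customer authenticator and all keys masked.

    The secrets travel in the query string, so the raw URL lands in shell
    history and in any access or proxy log that records request lines; log
    only this form.
    """
    parts = urlsplit(url)
    masked = []
    for k, v in parse_qsl(parts.query, keep_blank_values=True):
        if k in SECRET_PARAMS or k.startswith(SECRET_PREFIXES):
            v = "***"
        masked.append((k, v))
    return urlunsplit(parts._replace(query=urlencode(masked)))


if __name__ == "__main__":
    key = "000102030405060708090a0b0c0d0e0f"
    url = ms3_token_url("FOOBAR", [("cid:marlin#Purn:marlin:organization:hms:bbts@0a0b0c0d", key)],
                        "http://example.com/bigbucksbunny")
    print(redact(url))
```

urlencode also encodes ":" and "/" inside values, which the tutorial's hand-written URLs leave raw; both decode to the same parameters on the server, so compare requests with query_params rather than by string.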

Redeeming a User Bound License

Assuming the Marlin client has already been personalized (e.g. with WasabiSushiPersonalize), the transaction token (i.e., an ActionToken) can be redeemed for an MBB License.

WasabiSushiProcessToken --save-license license_user_bound.xml bb_user_bound_license_action_token.xml

==== Sushi Token Processor V1.0 =============================================
SDK API Version: 0.1.1.6
SDK IMP Version: 1040000
SDK IMP Build: 7157
SDK IMP Details: (c) 2005-2010 Intertrust Technologies / Revision 7157
OnEvent - > BEGIN [SHI_TRANSACTION_TYPE_SERVICE_TOKEN_PROCESSING]
OnEvent - > PROGRESS: ...
OnEvent - >> BEGIN [SHI_TRANSACTION_TYPE_LICENSE_ACQUISITION]
OnEvent - >> PROGRESS: ...
OnEvent - >> EVENT: event type 9
OnEvent - >> PROGRESS: ...
OnEvent - >> END: code=0, message=''
OnEvent - > PROGRESS: ...
OnEvent - > END: code=0, message=''
OnEvent - DONE
======================================================================

Inspecting the User License

The redemption of the Action Token resulted in the license being saved as license_user_bound.xml (bb_user_bound_license_action_token.xml was the input token).

To interrogate the license, supply the relevant contentIds to WasabiSushiAction:

WasabiSushiAction Perform Play license_user_bound.xml urn:marlin:organization:hms:8puslic:00000000010f510070000000000000007f00000000000100 urn:marlin:organization:hms:8puslic:00000000010f510070000000000000007f00000000000101

==== Sushi Action V1.0 =============================================
SDK API Version: 0.1.1.6
SDK IMP Version: 1040000
SDK IMP Build: 7157
SDK IMP Details: (c) 2005-2010 Intertrust Technologies / Revision 7157
Action Result: GRANTED
Action Result Info Flag(s):
KEY 0 = 000102030405060708090a0b0c0d0e0f
KEY 1 = 000102030405060708090a0b0c0d0e0f
======================================================================

Integrate DRM Support

• To distribute content to various Marlin devices, you need to understand the interfaces required by your customers' devices

• The device will provide interfaces for processing Marlin Action Tokens or MS3 URLs as part of its content acquisition workflow. Typically, these interfaces are implemented through browser plug-ins that are invoked in JavaScript on your store's web page

• In the request to HMS, you supply all the information necessary for a content license and HMS sends you back an Action Token or an MS3 URL to pass to your customer's device

• Once you transfer the value retrieved from HMS to the device, the device's Marlin DRM system contacts HMS and redeems the value to obtain the rights to the content

• Through this entire interaction, HMS does not store any of your data. All the necessary information required to issue the content rights is encrypted in the Action Token or the MS3 URL returned from the REST API

Package Content

• A downloadable set of binary tools is available to encrypt content

• These tools allow you to encrypt and package MP4 and MPEG-2 TS media into Marlin-protected content

• Tools also support other formats

End-to-End Testing

• Verify using the supplied command line tools

• Verify using a Marlin-enabled device

Bluewhale Marlin Broadband Server: Bluewhale Overview

Service Architecture using Bluewhale

Roll Your Own Solution: Overview

Client Side Technology

Marlin Client Side Technology: Wasabi in-depth

• What is Wasabi

• Wasabi API

• Wasabi on Mobile

• Wasabi on STB/TV

• Wasabi for HTML5

Wasabi Integration Options: Wasabi with Integrated HW Security

Wasabi Integration Options: Wasabi without Integrated HW Security

Wasabi SDK Overview: Wasabi SDK Architecture

Wasabi Documentation

• Wasabi Developer's Guide

◦ High Level description of the APIs

◦ Tells which API is available for which system (desktop, mobile, STB)

• Wasabi SDK API C Developer's Guide

◦ In-depth documentation of the Wasabi C APIs

• Wasabi Extensions

◦ Addresses PlaylistProxy for mobile and Wasabi Chromium integration

Wasabi on Mobile: Availability

• iOS and Android Platforms

HTTP Proxy functionalities

• License / MS3 SAS Evaluation

• Content Decryption

• Serves decrypted content (HLS format)

Use of the native player to render the content

• Connect to obfuscated local URL (to the proxy)

• Saves battery life

Wasabi on Mobile (cont'd): Example iOS Playlist Proxy

Playing a file (iOS example)

    // create and start the proxy
    WSB_PlaylistProxy* proxy = NULL;
    WSB_PlaylistProxy_Create(&proxy);
    WSB_PlaylistProxy_Start(proxy);

    // get a proxy URL to feed the native player; ms3_url is the MS3 compound URI
    // obtained from the service (see the HMS section)
    const char* proxy_url = NULL;
    WSB_PlaylistProxy_MakeUrl(proxy, ms3_url, WSB_PPMST_SINGLE_FILE, NULL, &proxy_url);

    // now feed the proxy_url to the player (iOS specific code);
    // the C string has to be wrapped in an NSURL before the player can take it
    NSURL* url = [NSURL URLWithString:[NSString stringWithUTF8String:proxy_url]];
    MPMoviePlayerController* player = [[MPMoviePlayerController alloc] initWithContentURL:url];
    [player play];
    ...

    // cleanup after content is done
    [player release];
    WSB_PlaylistProxy_Stop(proxy);
    WSB_PlaylistProxy_Destroy(proxy);

Wasabi on STB/TV: Main APIs

• Sushi API

◦ Retrieves BB objects (Registration, Licenses)

◦ Access to DRM Metadata (Registration Status, etc...)

• WSB_LicenseStore

◦ Stores/Finds BB licenses based on Content IDs

• WSB_MediaFile

◦ Access to file/stream metadata (e.g. DRM Content ID)

• WSB_PlaybackEnabler

◦ Retrieves / Evaluates Rights (BB or MS3)

◦ Populates the Key Manager

Wasabi on STB/TV: Main APIs (cont'd)

• WSB_KeyManager

◦ Stores the Keys to be used in the Media Stack

• WSB_EcmDecrypter (MPEG2TS)

◦ Works in conjunction with the Native Hardware Demux

◦ Decrypts traffic keys (Control Words) to be programmed in HW Demux

• Bento4 (MP4)

◦ General MP4/ISO/Common file format parsing library

◦ Supports PDCF/Common file format/IPMP encryption/decryption

Sushi and License Store (BB only)

    // a small license manager: drives the Sushi engine and stores the licenses it receives
    class LicenseRetriever {
    public:
        // forwarding method: the C callback hands control back to the C++ object
        static void OnEvent_(SHI_EngineListener self,
                             SHI_EngineEventType type,
                             const SHI_EngineEvent* event) {
            ((LicenseRetriever*)self.instance)->OnEvent(type, event);
        }

        // constructor
        LicenseRetriever() : m_DrmEngine(NULL), m_LicenseStore(NULL) {
            // create a drm engine with ourselves as a listener; the interface table is
            // static so the pointer handed to the engine outlives this constructor
            static const SHI_EngineListenerInterface iface = { OnEvent_ };
            SHI_EngineConfig config;
            config.flags = 0;
            config.listener.iface = &iface;
            config.listener.instance = (SHI_EngineListenerInstance*)this;
            SHI_Engine_Create(&config, &m_DrmEngine);

            WSB_LicenseStore_Open(&m_LicenseStore);
        }
        ...

Sushi and License Store (cont'd)

        void OnEvent(SHI_EngineEventType type, const SHI_EngineEvent* event) {
            switch (type) {
                case SHI_ENGINE_EVENT_LICENSE_DATA_RECEIVED: {
                    // the license bytes arrive in the event: persist them in the license store
                    const SHI_LicenseDataReceivedEvent* lic_event =
                        (const SHI_LicenseDataReceivedEvent*)event;
                    WSB_LicenseStore_AddLicense(m_LicenseStore, lic_event->data,
                                                lic_event->size, NULL, NULL);
                    break;
                }
                ...
            }
        }

        // hand a license action token to the engine (argument list as in the original listing)
        WSB_Result ProcessToken(const char* lic_token) {
            return SHI_Engine_ProcessServiceToken(lic_token);
        }

    private:
        // members
        SHI_Engine*       m_DrmEngine;
        WSB_LicenseStore* m_LicenseStore;
    };

    // using our object
    LicenseRetriever* retriever = new LicenseRetriever;
    retriever->ProcessToken(my_license_token);

Wasabi on STB/TV: BBTS Example, Using Wasabi with a Hardware DeMux

Wasabi on Desktop: Choosing the right approach for your needs

• Build your own player using the WSB_Player API

◦ More work but more control

• Use our Chromium/Berkelium build

◦ The <video> and <audio> tags go through our secure media stack

◦ Interact with the DRM servers using our Javascript DRM API

Wasabi Player

The Wasabi Player API (WSB_Player) allows you to do the following:

• Set Outputs (audio and video)

◦ You can specify which window you want to use to render your content

• Specifying your input

◦ Can be an MS3 or a content URL

◦ Use of dedicated schemes (hls:// for HLS, dash:// for DASH etc...) and/or mime types

• Playback Controls

◦ Pause, Stop, Seek, Volume

• Get Notified with Events

◦ Timecode, decoder state, drm state etc...

Chromium with Wasabi

You build your own player and content service using HTML5, JavaScript and CSS 3.

MS3 Example

    <!DOCTYPE html>
    <html lang="en">
    <head>
      <meta charset="utf-8" />
      <title>MS3 Video Player Example</title>
    </head>
    <body>
      <video controls width="480" height="320" id="video">
        <source src="https://hms-test.intertrust.com:8443/hms/ms3...">
      </video>
    </body>
    </html>

Implementation Security

Implementation Security: Key and Trust Management

• Secure Key Box (aka Sockeye)

• How to get keys from Seacert

• Provisioning keys

◦ Factory

◦ Seacert Online Provisioning Service

◦ Custom

Secure Key Box (SKB): What is Sockeye?

• A means to protect access to secrets using state-of-the-art technology.

• When using a proper SKB implementation, an application can work with keys and secret data without having access to them in memory.

• A proper implementation will use hardware-assisted security on capable processors, white-box cryptography for downloaded applications on PCs and mobile devices, or other mechanisms that make it "very" difficult for a sophisticated attacker to extract keys or secrets.

What Sockeye is not

• Sockeye is not for verifying trust

What Is Provided?

• SKB (Secure Key Box) API in C

• SKB Documentation (Implementer’s Guide)

• SKB Test Suite

• SKB Software Implementation

◦ Fully implements the SKB API

◦ Provided as standalone source code

◦ No external dependencies

◦ May be used as a code base for porting and adapting

SKB Architecture

SKB API - Objects

• SKB_Engine

• SKB_SecureData

◦ AES & RSA private Keys

◦ Arbitrary Data

• SKB_Transform

◦ Sign: HMAC, RSA

◦ Verify: HMAC

◦ Digest: SHA1, SHA256

• SKB_Cipher

◦ Encrypt/Decrypt, Normal/High Speed

• and more...

SKB Use Case - Import

SKB Use Case - Decrypting

SKB Use Case - Two Domains

Trust Management for OTT Ecosystems: What is Trust Management?

• A trust management framework allows independent entities to trust one another through a Trust Authority that distributes risk and responsibilities among these entities

• A Digital Rights Management (DRM) framework may combine multiple types of trust management relationships

Role of the Trust Authority

To provide the framework for cooperation, with three main functions:

• Originates and maintains agreements

• Provides the framework for electronic credentials and licenses following an ecosystem-defined Trust Model

◦ Entities get well-defined roles defining what services they are trusted to provide

◦ Trust delegation allows scalability of processes

◦ Remediation planning allows orderly maintenance of trust

• Actuates remediation processes

Implementing Trust Management

Trust Authority, contractually:

• Sets criteria under which a device may receive cryptographic credentials (compliance and robustness rules)

• Authorizes issuance of device cryptographic credentials (Registration Authority)

• Requires service providers to rely on asserted properties of the device as part of releasing content keys to the device

Certification Authority, technically:

• Generates and manages Trust Anchors (and other) private keys

• Employs processes to prevent compromise of private keys

• Uses private keys to sign certificates only when authorized

• Provides remediation for issued certificates or credentials

The Trust Authority and the Certificate Authority need to be highly reliable and resilient to faults

Trusted Device

• Secure boot rooted in a hardware and/or tamper-resilient trust mechanism

• Secure management of ecosystem and DRM keys

• Ensures integrity of the trust anchors relied upon by the ecosystem authentication services and the DRM

• Supports authenticated communications between the device and ecosystem services

• May enable an application security model to ensure the integrity and trustworthiness of applications

Ecosystem Trust Mechanisms

SDKs and Tools: How to get access to the code

Implementation technology is available from Intertrust.

The Wasabi Marlin Client SDK, Bluewhale Marlin Broadband Server and packaging tools are available for evaluation:

http://www.intertrust.com/agreements/code_eval

Information regarding Intertrust's Hosted Marlin Service (HMS) may be found at:

https://www.hostedmarlin.com/

The media packaging tools are available from Bento4.com