Content Keys

Content protection concepts

MK.IO lets you deliver video content to end-consumers in a controlled and secure manner. MK.IO’s streaming endpoints can deliver content using AES-128 (Advanced Encryption Standard) or any of the three major studio-approved digital rights management systems: Microsoft PlayReady, Google Widevine, and Apple FairPlay.

Clear Key protection

Clear Key protection with AES-128 encryption is used to protect content on all devices. Note: AES-128 does not provide the same level of security as the three DRM systems listed below.

Digital Rights Management systems (DRM)

  • Apple FairPlay: DRM for iOS, tvOS, iPadOS, Safari, and macOS devices.
  • Google Widevine: DRM for Google Chrome, Firefox, Android, Android TV, and many other streaming devices.
  • Microsoft PlayReady: DRM for Microsoft Edge, Xbox, and other streaming video platforms.

JWT tokens

A common use case for content protection is ensuring that users are entitled to access the video content. This is achieved by requiring an HTTP header in the DRM license request and having the MK.IO system validate the values of the Issuer and Audience fields in the JWT token.

Content Keys

Both AES-128 and DRM (Widevine, FairPlay, PlayReady) are supported on the platform for both live and file-based streaming.

The Content Key Policy is used to configure how the content key (secure access to your assets) is delivered to end clients. You need to set the requirements (restrictions) on the Content Key Policy that must be met in order for keys with the specified configuration to be delivered to clients.

Note: A Content Key Policy is not needed for clear streaming.

In most cases, the Content Key Policy is associated with the Streaming Locator. When creating a custom streaming policy for advanced scenarios, you can specify the content key policy inside of a Streaming Policy.

Each content policy can be assigned one or more DRM systems.

MK.IO also provides a service for delivering FairPlay, PlayReady and Widevine licenses.

Token restriction

Warning: It is not recommended to add Clear Key to a policy that is targeted for DRM, as it reduces the security effectiveness.

For each DRM added, you can configure the token restriction:

  • No token restriction: only recommended for testing purposes.
  • Enforce access to the key with a SWT or JWT token. In this case, you must enter the Issuer, the Audience and the Primary Verification Key.
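
The token check described under "JWT tokens" and configured by the restriction above, as an added example (not MK.IO's own code): it verifies a JWT against a policy's Issuer, Audience and verification key. It assumes an HS256-signed token and uses constructed key, issuer and audience values; SWT is not covered.

```python
import base64, hashlib, hmac, json, time

# Constructed sample values standing in for the policy's three fields.
KEY = b"constructed-demo-verification-key"
ISSUER, AUDIENCE, NOW = "https://issuer.example", "urn:example:player", 1_700_000_000

def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_token(key, claims, alg="HS256"):
    """Test helper: HMAC-SHA256 sign the claims under the given header alg."""
    head = b64url(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    body = b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url(sig)}"

def check_token(token, key, issuer, audience, now=None):
    """Return (ok, reason) for a token checked against the policy values."""
    try:
        head_b64, body_b64, sig_b64 = token.split(".")
        alg = json.loads(b64url_decode(head_b64)).get("alg")
        claims = json.loads(b64url_decode(body_b64))
        iss, aud, exp = (claims.get(k) for k in ("iss", "aud", "exp"))
        sig = b64url_decode(sig_b64)
    except (ValueError, TypeError, AttributeError):
        return False, "malformed token"
    if alg != "HS256":  # pin the algorithm; never accept "none"
        return False, "unexpected alg"
    expected = hmac.new(key, f"{head_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):  # constant-time comparison
        return False, "bad signature"
    if iss != issuer:
        return False, "issuer mismatch"
    if audience not in (aud if isinstance(aud, list) else [aud]):
        return False, "audience mismatch"
    if not isinstance(exp, (int, float)) or exp <= (time.time() if now is None else now):
        return False, "expired or missing exp"
    return True, "ok"

def demo_results():  # constructed tokens -> reason returned by check_token
    good = {"iss": ISSUER, "aud": AUDIENCE, "exp": NOW + 300}
    cases = {
        "valid": mint_token(KEY, good),
        "wrong_audience": mint_token(KEY, {**good, "aud": "urn:example:other"}),
        "wrong_key": mint_token(b"some-other-key", good),
        "alg_none": mint_token(KEY, good, alg="none"),
    }
    return {n: check_token(t, KEY, ISSUER, AUDIENCE, NOW)[1] for n, t in cases.items()}
```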

Widevine specific configuration

By default, the license configuration can be left empty and a default license configuration will be generated internally.

It is, however, possible to add a custom JSON configuration to define specific license parameters such as the persistence and the validity of the license. The format of the JSON payload follows the policy overrides and license configuration syntax from the Widevine specification.

A sample JSON document is provided below:

{
    "policy_overrides": {
        "can_play": true,
        "can_renew": false,
        "can_persist": true,
        "playback_duration_seconds": 10800,
        "license_duration_seconds": 604800
    }
}

For more information on the syntax of this configuration, please contact our support channels.

FairPlay specific configuration

FairPlay DRM requires a specific section to configure the FairPlay Certificate. You will be asked to paste or upload the certificate value, the certificate password and secret.

By default, licenses are non-persistent, which means they only last as long as the playback session. It is possible to make them persistent and enable offline usage of the license. A persistent license can be used with three options:

  • No limit: The license is not limited in time.
  • Limited: A rental duration can be specified for the license.
  • Offline rental: Both playback duration and storage duration can be defined for the FairPlay license.

PlayReady specific configuration

By default, licenses are non-persistent, which means they only last as long as the playback session. It is possible to make them persistent and enable offline usage of the license. A persistent license can be used with the following options:

  • Start time: The time when the license becomes valid.
  • End time: The end time, absolute or relative to an event, when the license expires.
  • First play expiration: The amount of time that the license is valid after it is first used to play content.
  • Grace period: Extra time after license expiry during which content remains accessible. Ignored in PlayReady clients version 3.0 and after.

PlayReady DRM configuration allows setting the minimum Security Level Policy:

  • SL150: No protection against unauthorized use. For testing purposes.
  • SL2000: For hardened devices and applications consuming commercial content. Software or hardware protection.

Finally, it is possible to define one or more advanced output protection settings and the associated levels.

More information on PlayReady license and policies can be found in PlayReady documentation.