MPEG-DASH

USP supports Common Encryption (CENC) for MPEG-DASH. The encryption is applied on-the-fly, so there is no preprocessing involved.

The options for enabling encryption are stored in the server manifest file.

Demo streams can be found in the Unified Streaming Demo.

Adding Clearkey Encyption

Attention

Clearkey is not supported.

Adding Marlin DRM

Marlin is a DRM platform, created by an open-standards community initiative called the Marlin Developer Community (MDC). The MDC was formed in 2005 by five companies: Intertrust, Panasonic, Philips, Samsung and Sony.

USP supports adding Marlin protection to MPEG-DASH presentations (and HLS).

The encryption is applied on-the-fly, so there is no preprocessing involved. Please note that offline Marlin packaging is not supported.

Options for Marlin

The options for enabling encryption are stored in the server manifest file. For Marlin DASH encryption a content encryption key (CEK) and key id (KID) are required. You need to provide the following options:

--marlin.key

The KID and CEK are passed with the --marlin.key option where KID and CEK are separated by a colon, e.g. --marlin.key=KID:CEK

Both KID and CEK must be coded in hex (base16).

--marlin.license_server_url

The license server URL

Example

The following command creates a server manifest file with the key information embedded:

mp4split -o video.ism \
  --marlin.key=b366360da82e9c6e0b0984002a362cf2:a0a1a2a3a4a5a6a7a8a9aaabacadaeaf
  video.ismv

Adding PlayReady DRM

Please follow the Adding PlayReady DRM section for HSS to add PlayReady for MPEG-DASH. The same options are used, but when the MPD is requested DRM will be applied similar as when the (Smooth Streaming) Manifest is requested.

Adding Primetime DRM

New in version 1.7.18.

Options for Primetime

The options for enabling encryption are stored in the server manifest file. For Primetime DASH encryption a content encryption key (CEK) and key id (KID) are required. You need to provide the following options:

--hds.key

The KID and CEK are passed with the --hds.key option where KID and CEK are separated by a colon, e.g. --hds.key=KID:CEK

Both KID and CEK must be coded in hex (base16).

--hds.drm_specific_data

The drm specific data used for Primetime DRM, in the case of MPEG-DASH this will be used for the "pssh" box. Please refer to the Adobe documentation on how to obtain this. Can either be a Base64 string or a file with the decoded Base64 data. The file name must include a '.'

Example

#!/bin/bash

KID=000102030405060708090a0b0c0d0e0f
CEK=000102030405060708090a0b0c0d0e0f

mp4spit -o video.ism \
  --hds.key=$(KID):$(CEK) \
  --hds.drm_specific_data=pssh.bin \
  video.ismv

Adding Widevine Modular DRM

For Widevine Modular DRM a content encryption key (CEK) and a key id (KID) are required.

Options for Widevine

You need to provide the following options:

--widevine.key

The KID and CEK are passed with the --widevine.key option where KID and CEK are separated by a colon, e.g. --widevine.key=KID:CEK.

Both KID and CEK must be coded in hex (base16)..

--widevine.drm_specific_data

The DRM specific data provided by the license server (the Widevine PSSH data).

Can either be a Base64 string or a file with the decoded Base64 data. The file name must include a '.'

Example

The following script demonstrates how to call into the Widevine test key server to obtain content_key, key_id, and pssh data to create a server manifest which can then be used to fetch the DASH client manifest from (the .mpd):

#!/bin/bash

wv_url=http://license.uat.widevine.com/cenc/getcontentkey/widevine_test

wvr=$(curl -v -X POST \
      -H 'Content-Type: application/json' \
      -d '{"request": "ewogICJjb250ZW50X2lkIjogIlptdHFNMnhxWVZOa1ptRnNhM0l6YWc9PSIsCiAgInRyYWNrcyI6I FsKICAgIHsgInR5cGUiOiAiU0QiIH0sCiAgICB7ICJ0eXBlIjogIkhEIiB9LAogICAgeyAidHlwZSI 6ICJBVURJTyIgfQogIF0sCiAgImRybV90eXBlcyI6IFsgIldJREVWSU5FIiBdLAogICJwb2xpY3kiO iAiIgp9Cg==", "signature": "kwVLL4xVh9mnlZlPqiEWN0E+FsvG0y+/oy451XXeIMo=", "signer": "widevine_test" }' \
      $wv_url)

dwvr=$(echo $wvr | python3 -c 'import json,sys,base64;obj=json.load(sys.stdin);print(base64.b64decode(obj["response"]).decode("utf-8"))')

key_id=$(echo $dwvr | python3 -c 'import json,sys;obj=json.load(sys.stdin);print(obj["tracks"][0]["key_id"])')
content_key=$(echo $dwvr | python3 -c 'import json,sys;obj=json.load(sys.stdin);print(obj["tracks"][0]["key"])')
pssh=$(echo $dwvr | python3 -c 'import json,sys;obj=json.load(sys.stdin);print(obj["tracks"][0]["pssh"][0]["data"])')

# Widevine API returns base64 so re-encode to base16
kid16=$(echo $key_id | base64 -d | hexdump -e '16/1 "%02x"')
cek16=$(echo $content_key | base64 -d | hexdump -e '16/1 "%02x"')

MP4SPLIT_OPTIONS=
MP4SPLIT_OPTIONS+=" --widevine.key=${kid16}:${cek16}"
MP4SPLIT_OPTIONS+=" --widevine.drm_specific_data=${pssh}"

mp4split -o tos-wv.ism ${MP4SPLIT_OPTIONS} tears-of-steel-avc1-400k.ismv tears-of-steel-aac-64k.isma

Note

Tool sets or programming languages other than bash/python may equally be used.