Trans DRM

If your content is stored encrypted on disk, then you may be limited in the available playouts. For example PIFF protected content is only compatible with HSS PlayReady (although it may be used for PIFF to CENC (Multi DRM)).

What if you also want to support playout to other formats as for instance HLS or HDS and/or different DRM systems?

The Unified Origin is capable of adding encryption on-the-fly for the various DRM systems. But for this to work the content needs to be in the clear. If your content is stored encrypted on disk, then the Origin is also capable of decrypting it on-the-fly. The decryption process is DRM agnostic. All the information needed for decrypting is the key id (KID) and content encryption key (CEK) pair used to encrypt the original content.

When the Origin is set up to decrypt and re-encrypt on-the-fly we call this trans DRM.

Options for trans DRM

--key

The KID and CEK are passed with the --key option where KID and CEK are separated by a colon, e.g. --key=KID:CEK.

Both KID and CEK must be coded in hex (base16).

The key id value as used here is a UUID formatted big-endian. If your key ids are GUIDs, you have to convert them first, for instance with python from GUID to hex (base16):

import base64, uuid
guid = 'd05d0e1f-5093-4e6b-bbbf-fd9effbba1a9'
print base64.b16encode(uuid.UUID(bytes_le=uuid.UUID(guid).bytes).bytes)
>>> 1F0E5DD093506B4EBBBFFD9EFFBBA1A9

Which can be used as the key id.

To print it as UUID:

print uuid.UUID('1F0E5DD093506B4EBBBFFD9EFFBBA1A9')
>>> 1f0e5dd0-9350-6b4e-bbbf-fd9effbba1a9

Alternatively, you can use HTTP Proxy for requesting the server manifest file from your CMS. The CMS then returns the key information and there is no need to store the key information on disk.

From HSS PlayReady to clear

This is a simple setup that shows the first step in the process. We provide the key information for decrypting the streams and play out to all formats in the clear.

The video-pr.ismv file is a Smooth Streaming file. It was protected using PlayReady using the KID:CEK combination of 10000000100010001000100000000001:3A2A1B68DD2BD9B2EEB25E84C4776668.

KID=10000000100010001000100000000001
CEK=3A2A1B68DD2BD9B2EEB25E84C4776668
mp4split -o video.ism --key=${KID}:${CEK} video-pr.ismv

From HSS PlayReady to HLS (AES-128)

KID="YOUR KEY ID"
CEK="YOUR CONTENT KEY"

AES_CEK=`cat video.key | hexdump -e '16/1 "%02x"'`
AES_LA_URL=http://example.com/transdrm/video.key

mp4split -o example.ism --key=${KID}:${CEK} \
  --hls.content_key=${AES_CEK} \
  --hls.license_server_url=${AES_LA_URL} \
  example.ismv

This will create a server manifest that holds the information that USP needs to stream the encrypted file as HLS with AES-128 applied.

The AES-128 content encryption key in the above example can be created with for instance OpenSSL:

openssl rand 16 > video.key

From HSS PlayReady to HLS (SAMPLE-AES)

Using SAMPLE-AES is possible as well, you would need to follow the SAMPLE-AES instructions to create the server manifest similar as above with AES-128.