HTTP Smooth Streaming (HSS)

Adding PlayReady DRM

USP supports PlayReady DRM. The encryption is applied on-the-fly, so there is no preprocessing involved. The options for enabling encryptions are stored in the server manifest file.

Demo streams can be found in the Unified Streaming Demo.

Options for PlayReady

You can enable PlayReady encryption by providing the following options while creating the server manifest.

--iss.key

The 128 bits Key ID (KID) and 128 bits Content Encryption Key (CEK) are passed with the --iss.key option where KID and CEK are separated by a colon, e.g. --iss.key=KID:CEK

The KID uniquely identifies the content. The CEK is the Content Encryption Key. Note this is NOT the PlayReady Key Seed, but the actual content encryption key.

Both KID and CEK must be coded in hex (base16).

Note

The KID from a PlayReady License server may be formatted as a little-endian GUID. In that case you have to change the endianess as we always use a big-endian UUID representation of the KID.

--iss.key_iv

The 64 bit AES Initialization Vector (IV). This is a random 64 bit value.

The key_iv is used 'as-is', so you must make sure to guarantee that it is unique when encrypting multiple tracks (the key_iv may be used only once with a certain CEK).

When no key_iv is provided one will be generated.

--iss.license_server_url

The URL used by the player to retrieve the key.

--iss.drm_specific_data

Generally this option is not needed for PlayReady as the software will generate a PlayReady Header Object from the given key information.

The --iss.drm_specific_data parameter specifies the (complete) PlayReady header object (PRO) as a Base64 string.

Normally, if drm_specific_data is necessary, that information is created by the DRM provider.

The optional CUSTOMATTRIBUTES element is part of the WRMHEADER comprising the PRO.

In order to add a custom attribute or extension, it is required to first create a well-formed UTF16 WRMHEADER file (see: https://www.microsoft.com/playready/documents/)

You would then pass the complete PRO in --iss.drm_specific_data as a Base64 encoded string.

Note

This simply replaces the pssh box in the mp4s init segment (which by default would be synthesized from other drm parameters). For details about the WRMHEADER syntax, please refer to Microsoft's documentation.

Use the Webserver for on-the-fly PlayReady

VOD Example

The following command creates a VOD server manifest file with the key information embedded:

#!/bin/bash

KID=10000000100010001000100000000001
CEK=3a2a1b68dd2bd9b2eeb25e84c4776668
KID_UUID=10000000-1000-1000-1000-100000000001 #UUID representation of KID
CEK_B64="OiobaN0r2bLusl6ExHdmaA==" #Base64 byte array representation of CEK
LAURL="https://test.playready.microsoft.com/service/rightsmanager.asmx?cfg=(kid:${KID_UUID},contentkey:${CEK_B64},ckt:aesctr)"

mp4split -o video.ism \
  --iss.key=$KID:$CEK
  --iss.license_server_url=$LAURL
  video.ismv

Live Example

The following command creates a Live server manifest file with the key information embedded:

#!/bin/bash

KID=10000000100010001000100000000001
CEK=3a2a1b68dd2bd9b2eeb25e84c4776668
KID_UUID=10000000-1000-1000-1000-100000000001 #UUID representation of KID
CEK_B64="OiobaN0r2bLusl6ExHdmaA==" #Base64 byte array representation of CEK
LAURL="https://test.playready.microsoft.com/service/rightsmanager.asmx?cfg=(kid:${KID_UUID},contentkey:${CEK_B64},ckt:aesctr)"

mp4split -o channel1.isml \
  --iss.key=$KID:$CEK
  --iss.license_server_url=$LAURL

Please note the different extension for the Live server manifest: '.isml'

Generating a ContentKey from a KeyId and KeySeed

If your license server does not give you a ContentKey, but only a KeyId and KeySeed then you may have to generate the ContentKey yourself. The ContentKey is derived from the KeyId and KeySeed and more information may be available in the technical specification 'PlayReady Header Object' document.