DRM Overview

Why DRM exists

A studio licenses Casino Royale to a streaming service. They need a hard guarantee that the bytes you stream don't end up as a free download on a torrent site within minutes. Encryption alone doesn't solve this — the player still has to decrypt to play, and any general-purpose CPU running attacker-controlled code can dump the result.

DRM solves that mismatch with three coordinated parts:

Take any one of these out and the system collapses. Encrypt without policy → keys live forever, anyone with one key can play everything. Policy without TEE → keys live in regular memory, easy to dump. TEE without server → no way to authenticate or revoke.

What an integrator owns

The pre-class material lists "install, configure and troubleshoot the Widevine system." In practice an integration spans:

• Packaging pipeline. Choose CENC scheme (cenc or cbcs), generate KIDs, encrypt with content keys, write PSSH boxes for each DRM. Tools: Shaka Packager, Bento4, custom.
• Licence server. Receive a request from a player, authenticate the user, look up entitlements, build a policy, hand the request + policy to the SDK, return the SDK's response to the player.
• Player application. Drive the EME (web) or MediaDrm (Android) APIs, ferry messages between the CDM and the licence server, handle renewal, error UX.
• Operations. Monitor licence-issue rates, error codes, device-mix breakdown, key rotation cadence.

How Widevine fits in

Widevine is Google's DRM. It runs on:

• Chrome desktop and mobile browsers
• ChromeOS
• Android (phones, tablets, TV, set-top boxes)
• Most smart TVs (Sony, LG, Samsung Tizen via integration)
• Cast devices (Chromecast, Cast-enabled TVs)

It is one of three DRMs the major studios accept for premium content; the others are Apple FairPlay (iOS, macOS Safari, Apple TV) and Microsoft PlayReady (Edge, Xbox, smart TVs). For most catalogues that need to reach every device, you ship the same CENC content to all three.

The runtime flow at 10,000 ft

The whole point of the architecture is that step 7 (decryption) is impossible without step 6 (a valid licence), and that step 6 succeeded only because the server (step 5) trusted the request from a real, identifiable CDM.

Common Encryption: one packaging, many DRMs

CENC standardises how MP4 files carry encryption metadata. Two relevant subschemes:

• cenc — full-sample AES-CTR. Used historically with Widevine and PlayReady.
• cbcs — pattern-based AES-CBC. Used by FairPlay; modern Widevine and PlayReady also accept cbcs. Today most multi-DRM packaging uses cbcs so a single file plays everywhere.

Each track has one or more Key IDs (KIDs). The PSSH box per DRM tells the CDM "this is content you can identify and issue a request for." When the CDM sends a licence request, the server maps KIDs to actual content keys, applies policy, and returns the licence.

<!-- A simplified DASH ContentProtection element -->
<ContentProtection
  schemeIdUri="urn:uuid:edef8ba9-79d6-4ace-a3c8-27dcd51d21ed"
  value="Widevine">
  <cenc:pssh>AAAAQ3Bzc2gAAAAA7e+LqXnWSs6jyCfc1R0h7QAAACMI...</cenc:pssh>
</ContentProtection>

The UUID edef8ba9-79d6-4ace-a3c8-27dcd51d21ed is the Widevine system ID. Every Widevine-aware client recognises it.

Things to know before Day 2

By the time the in-person class starts, internalise:

1. The runtime flow above (be able to redraw it on a whiteboard).
2. The roles of each component: packager, manifest, CDN, licence server, CDM/TEE, player.
3. The difference between encryption and DRM. (Encryption protects in transit; DRM protects at runtime.)
4. The CENC / PSSH / KID vocabulary. You'll see these in every lab artefact.