Content protection concepts

MK.IO lets you deliver video content to end-consumers in a controlled and secure manner. MK.IO’s streaming endpoints can deliver content using AES-128 (advanced encryption standard) or any of the three major studio-approved digital rights management systems: Microsoft PlayReady, Google Widevine, and Apple FairPlay.

Clear Key protection

Clear Key protection with AES-128 encryption used to protect content on all devices. Note: AES-128 does not provide the same level of security as the three DRM systems listed below.

Digital Rights Management systems (DRM)

• Apple FairPlay: DRM for iOS, tvOS, iPadOS, Safari, and MacOS devices.
• Google Widevine: DRM for Google Chrome, Firefox, Android, Android TV, and many other streaming devices.
• Microsoft PlayReady: DRM for Microsoft Edge, Xbox, and other streaming video platforms.

JWT tokens

A common use case for applying content protection to your content is to ensure users have the correct entitlement to access the video content. This is achievable by requiring an HTTP Header in the DRM license request and asking the MK.IO system to validate the values inside of the Issuer and Audience field in the JWT token.

Content Keys

Both AES128 and DRM (Widevine, FairPlay, PlayReady) are supported on the platform for both live and file-based streaming.

The Content Key Policy is used to configure how the content key (secure access to your assets) is delivered to end clients. You need to set the requirements (restrictions) on the Content Key Policy that must be met in order for keys with the specified configuration to be delivered to clients.

📘

A Content Key Policy is not needed for clear streaming.

In most cases, the Content Key Policy is associated with the Streaming Locator. When creating a custom streaming policy for advanced scenarios, you can specify the content key policy inside of a Streaming Policy.

Each content policy can be assigned one or more DRM.

MK.IO also provides a service for delivering FairPlay, PlayReady and Widevine licenses.

Token restriction

⚠️

It is not recommended to add Clear Key to a policy that is targeted for DRM as it reduces the security effectiveness.

For each DRM added, you will be able to configure the following sections the token requirements:

• No token restriction: only recommended for testing purposes
• Enforce the access to the key with a SWT or JWT token. In such case, it will be required to enter data for the Issuer, the Audience and the Primary Verification Key.

Widevine specific configuration

By default, the license configuration can be left empty and a default license configuration will be generated internally.

It is however possible to add a custom JSON configuration to define specific license parameters such the persistency and the validity of the license. The format of the JSON payload follows the policy overrides and license configuration syntax from Widevine specification.

A sample JSON document is provided below:

{
    "policy_overrides": {
        "can_play": true,
        "can_renew": false,
        "can_persist": true,
        "playback_duration_seconds": 10800,
        "license_duration_seconds": 604800
    }
}

For more information on the syntax of this configuration, please contact our support channels.

FairPlay specific configuration

Fairplay DRM requires a specific section to define the configure the Fairplay Certificate. You will be asked to past or upload the certificate value, the certificate password and secret.

By default licenses will be non-persistent which means they will only last as long as the playback session. It is possible to make them non-persistent and enable offline usage of the license. A persistent license can be used with three options:

• No limit: license is not limited in time
• Limited: Rental duration can be specified for the license
• Offline rental: Both Playback duration and Storage duration can be defined for the FairPlay license

PlayReady specific configuration

By default licenses will be non-persistent which means they will only last as long as the playback session. It is possible to make them non-persistent and enable offline usage of the license. A persistent license can be used with three options:

• Start time: the time when the license will become valid
• End time: The end time, absolute or relative to an event, when the license expires
• First play expiration: The amount of the time that the license is valid after the license is first used to play content
• Grace period: Extra time after license expiry during which content remains accessible. Ignored in PlayReady clients version 3.0 and after.

PlayReady DRM configuration allows setting the minimum Security Level Policy:

• SL150: No protection against unauthorized use. For testing purpose.
• SL2000: For hardened devices and applications consuming commercial content. Software or Hardware protection

Finally, it is possible to define one or more advanced output protection settings and the associated levels.

More information on PlayReady license and policies can be found in PlayReady documentation.