Marlin Tutorial - marlin
Transcription
Marlin Tutorial
Applying Marlin Technology

AGENDA
• Quick Introduction: How to build an end-to-end Marlin system in 30 minutes.
• Marlin Organization Overview
• Marlin Technology Primer
• Implementations of Marlin Specifications
  ◦ Content Packaging and Distribution Technology
  ◦ Marlin Server Technology
  ◦ Marlin Client Technology
• Implementation Security
• Q&A

Quick Introduction
Build an End-to-End Marlin System
• Packaging clear-text content into a protected format
• Implementing a Marlin MS3 Streaming-only Server Solution
• Implementing a Marlin Broadband DRM Server Solution
• Implementing an HbbTV application content playback functionality

Marlin Organization Overview
What is Marlin?
Founded in 2005 by five companies: Intertrust, Panasonic, Philips, Samsung and Sony
• Marlin Developer Community (MDC)
• Marlin Partner Program (MPP)
• Marlin Trust Management Organization (MTMO)
• Marlin Organization Relationships
• Additional Information

Marlin Developer Community
What is the MDC?
• MDC formed in 2006 by Intertrust, Panasonic, Philips, Samsung, and Sony
• Charter is to develop open-standards-based DRM specifications
• The community develops specifications, reference and conformance test criteria
• Promotes Marlin technology worldwide

Marlin Partner Program
What is the MPP?
• Marlin Partner Program is a forum for solutions providers
• Over 35 partner companies provide expertise across the value chain
• Includes Technology Solutions Providers and System Integrators
• MPP membership includes non-commercial access to SDKs

Marlin Partner Network
Who is in the MPP?

Marlin Trust Management Organization
What is the MTMO?
• Sister organization to the MDC formed in 2006
• Provides compliance and robustness requirements
• Remediation Policy Management
• Manages Marlin PKI Root Certificates
• Delegation of Trust Services to Certified Trust Service Providers (TSP)
  ◦ Key and Trust Management Operations

Relationship of MDC and MTMO
Functions and Roles

Additional Information
Marlin Developer Community MDC (www.marlin-community.com)
Marlin Partner Program MPP (www.marlin-community.com/partner)
Marlin Trust Management Organization MTMO (www.marlin-trust.com)
Seacert Corporation (www.seacert.com)

Marlin Technology Primer
Topics
• Organization of the Specifications
• Why would you care about the Specifications
• Platform Technology & Delivery Systems
• Essential Broadband Service Protocols
• Overview - How Marlin Works

The Marlin Specifications Organization
• As found in the Download Bundles on the MPP site:
• IPTV-ES (supports a Japanese national initiative, deployed in all connected TVs in Japan)
• Marlin Broadband (the bulk of Marlin DRM technology)
• OMArlin (how to bridge OMA and Marlin)
• Other Specs and Guidelines

Why care about the Specifications
• Referenced in compliance and conformance rules
• Licensee declares which specification version they implement
• Relevant if you are building an implementation from the specifications

Platform Technology
Platform & Delivery System Specifications
• NEMO Technology Platform
  ◦ Trusted communications framework
• Octopus DRM Technology Platform
  ◦ General-purpose DRM technical specification
• Marlin Core System
  ◦ Defines key and trust management functionality of Marlin
  ◦ Profiles the NEMO and Octopus technology platform specifications
• Delivery Systems
  ◦ Define how Platform Technology Specifications are applied to practical end-to-end DRM ecosystems
  ◦ Provide additional specifications to constrain the implementation diversity otherwise possible

NEMO Framework & Octopus DRM
What is NEMO?
NEMO provides the trusted "plumbing" between the various functional components. NEMO combines SOAP web services with SAML authorizations to provide end-to-end message integrity and confidentiality protection, entity authentication, and role-based service authorization.
What is Octopus?
Octopus is a general-purpose DRM architecture composed of:
• Object Model used to model application-specific entities and their relationships (Nodes and Links)
• Control Model represents rules and enforces governance (Plankton)
• Key Distribution System overlay (Scuba)
• Secure State Management (Seashell)

Marlin Core System (MCS)
What is MCS?
The Marlin Core System Specification defines a common infrastructure for all Marlin Delivery Systems to build upon. Fundamentally the goal of MCS is to enable interoperation among disparate implementations of Marlin technology.
• Concretely specifies the NEMO security mechanisms, bindings and policies
• Defines the representation of Octopus Objects
• Defines the relationships of Octopus Objects to enable various business models
• Defines Octopus Control actions needed to govern access to A/V content
• Defines a Trust Model and a Key Management System

(Notable) Delivery Systems
• Marlin Broadband Delivery System (MBB)
  ◦ Persistent content protection
  ◦ Flexible and extensible rights management
  ◦ Business models include: electronic sell-through, rental, and subscription
• Marlin Simple Stream Setup (MS3)
  ◦ Simple subset of Marlin Broadband
  ◦ Persistent content protection
  ◦ Streaming only
• Marlin IPTV-ES
  ◦ Streaming to Connected TVs, STBs & BluRay players
  ◦ Support for PVR

How Marlin Works
A simple Use Case Illustrated
• http://www.marlin-community.com/technology/how_marlin_works
MBB Protocol
MS3 Protocol

Content Technology
Content Packaging and Distribution
Format Families
Common Elements
• Structured file and data structures
• Encrypted payloads
• Metadata
• Delivery Protocols
Packaging Process

Marlin BBTS
• Marlin Broadband Transport Stream
Specification
• MPEG2-TS
• Based on ISO/IEC 62455
• Packet encryption: CBC with ANSI/SCTE block termination
• Optional single-key-layer mode

Packaging BBTS Content
Content Identification (program-based or service-based):
  cid:marlin#P||serviceBaseCID||"@"||hex(program_CID_extension)
  cid:marlin#S||serviceBaseCID||"@"||hex(service_CID_extension)
Example: cid:marlin#Purn:marlin:organization:example:video:1234@00000001
The content id (CID) is composed of a service namespace identifier and a content-item-specific 32-bit hex-encoded value.
  serviceBaseCID = urn:marlin:organization:hms:bbts
  service_CID_extension = 0a0b0c0d
Content Key (128-bit value): 000102030405060708090a0b0c0d0e0f

Ts2Encrypt Command Line
BBTS Encryption
  Ts2Encrypt --key cid:marlin#Purn:marlin:organization:hms:bbts@0a0b0c0d::000102030405060708090a0b0c0d0e0f --rights-issuer http://example.com bigbucksbunny-trailer.ts bigbucksbunny-trailer.bbts
BBTS Decryption
  Ts2Decrypt --key cid:marlin#Purn:marlin:organization:hms:bbts@0a0b0c0d::000102030405060708090a0b0c0d0e0f bigbucksbunny-trailer.bbts bigbucksbunny-trailer.ts
Download the clear-text bigbucksbunny-trailer.ts

Ts2Info Command Line
BBTS Information
  Ts2Info bigbucksbunny-trailer.bbts
  Marlin Protected file:
  Marlin content id is cid:marlin#Purn:marlin:organization:hms:bbts@0a0b0c0d::000102030405060708090a0b0c0d0e0f
  Rights issuer url is http://example.com

DCF
• Specified in OMA DCF 2.x
• Wrapper for any media type
• Bulk Encryption: AES 128 CBC, CTR
• ISO MP4 file format structure
• Standardized metadata: Content ID, Rights Issuer URL
• Custom headers for extensions
• Mime Type: application/vnd.oma.drm.dcf
• File Extensions: .odf, .oda (Audio), .odv (Video), .mra (Marlin Audio), .mrv (Marlin Video)

Packaging DCF Content
Encrypting DCF with mp4dcfpackager
  mp4dcfpackager --method CBC --content-type audio/mp3 --content-id urn:marlin:organization:example:01234 --rights-issuer http://example.com --key 00112233445566778899aabbccddeeff:00000000000000000000000000000000 song.mp3 song.mra
Unpackaging DCF
  mp4decrypt --key 1:00112233445566778899aabbccddeeff song.mra song-clear.odf
NB: the resulting file is still in DCF format (cleartext). Use mp4extract to extract the 'odda' box and cut the first 8 bytes.

PDCF
• Specified in OMA DCF 2.x
• For media in ISO MP4 containers
• Per-frame Encryption: AES 128 CBC, CTR
• ISO MP4 Encryption signaling (enca, encv)
• Custom headers for extensions
• Mime Type: video/mp4
• File Extensions: .mp4, .m4a (Audio), .m4v (Video), .mla (Marlin Audio), .mlv (Marlin Video)

Packaging PDCF Content
MP4 files packaged as PDCF content can have individual tracks encrypted with the same or different keys. For each protected track, a unique content id must be chosen.
Content Identification
  audio: urn:marlin:organization:hms:8puslic:00000000010f510070000000000000007f00000000000100
  video: urn:marlin:organization:hms:8puslic:00000000010f510070000000000000007f00000000000101
Content Key
  000102030405060708090a0b0c0d0e0f
Cryptographic Algorithm and Initialization Vector
  OMA-PDCF-CTR 0000000000000000

PDCF Packaging
mp4encrypt Command Line
  mp4encrypt --method OMA-PDCF-CTR --key 1:000102030405060708090a0b0c0d0e0f:0000000000000000 --key 2:000102030405060708090a0b0c0d0e0f:0000000000000000 --property 1:ContentId:urn:marlin:organization:hms:8puslic:00000000010f510070000000000000007f00000000000100 --property 2:ContentId:urn:marlin:organization:hms:8puslic:00000000010f510070000000000000007f00000000000101 bigbucksbunny-trailer.mp4 bigbucksbunny-trailer.mlv
mp4decrypt Command Line
  mp4decrypt --key 1:000102030405060708090a0b0c0d0e0f:0000000000000000 --key 2:000102030405060708090a0b0c0d0e0f:0000000000000000 bigbucksbunny-trailer.mlv bigbucksbunny-trailer.mp4
Download the clear-text bigbucksbunny-trailer.mp4

Adaptive Streaming
• Source audio & video is encoded at one or more bit-rate variants, with aligned GOPs (Groups of Pictures)
• Each variant is split into small segments (2-10 seconds), each with one or more GOPs
• An index provides a description, duration and location (URL) of segments
• Client retrieves the index, and segments one by one using HTTP
• Client can switch to a different bit-rate at each new segment

Adaptive Streaming Marlin Mappings
• Marlin Adaptive Streaming Specification - Simple Profile
• MPEG DASH
  ◦ MP4: Fragmented MP4 with Common Encryption (CENC, AES-128 CTR)
  ◦ MPEG2-TS: BBTS segments
• HLS
  ◦ BBTS segments (AES 128 CBC)
  ◦ Whole-segment encryption (AES-128 CBC)

HLS
• draft-pantos-http-live-streaming-07
• Segments encrypted with BBTS or Bulk
Bulk:
  ◦ METHOD=AES-128 (MANDATORY) as specified in [HLS], §3.2.3
  ◦ IV (OPTIONAL) as specified in [HLS]
  ◦ CID="<ContentId>" (MANDATORY) content identifier
BBTS:
  ◦ METHOD=MARLIN-BBTS (MANDATORY)
  ◦ CID="<ContentId>" (MANDATORY) content identifier

HLS Packaging
• Encrypt each segment (Bulk or BBTS)
• Use the same key for all bit-rates
• BBTS: use Ts2AdaptiveAwareEncrypt to guarantee that IVs will match

MPEG DASH
• ISO/IEC 23009-1 (Information technology — Dynamic adaptive streaming over HTTP (DASH) — Part 1: Media presentation description and segment formats)
• ISO/IEC 23001-7 (Information technology — MPEG systems technologies — Part 7: Common encryption in ISO base media file format files)

DASH MP4
• Input must be GOP-aligned
• Fragment the MP4 if not already fragmented (mp4fragment tool)
• Encrypt the fragmented MP4 file
• Insert Marlin info in the MPD

Server Side Technology
Marlin Server Side Technology
Server Side Implementation Options
• Hosted Marlin Service
• Bluewhale Marlin Broadband Server
• Roll-your-own DRM Server

Hosted Marlin Service (HMS)
HMS Overview
Service Architecture using HMS
HMS Overview
• A REST API for issuing rights to content
• Content packaging tools
• Sample clients and tools to verify your service implementation
• Simple and cost-effective to operate
HMS Architecture

Setting Up an HMS Service
5 Easy Steps
• Set up an account
• Review the REST API
• Integrate DRM support into the content store interface
• Package the content
• Test the system with actual target devices or the command line device simulators

Set Up an Account
• Sign up for the service at https://www.hostedmarlin.com/
• Subsequent to sign up a customer authentication code is created
  ◦ This will be used to identify your service to HMS

Review the REST API
• HMS provides a simple REST API to issue rights to content
• The result of the REST API is either an MS3 compound URI or a Marlin Broadband Action Token
• HMS REST API documentation and tutorial are available at: https://www.hostedmarlin.com/help

HMS Under the Hood
Transaction Tokens
HMS operates by issuing transaction tokens to service providers that are then redeemed, by a media-aware client application, for a DRM object such as a license for a particular content item.
HMS supports three types of transaction tokens:
• MS3 License
• Marlin Broadband License
• Marlin Broadband Registration

MS3 Transaction Token Parameters
customerAuthenticator: The Customer Authenticator that was provided on the CMI web site.
contentId: For a single content id the syntax is contentId=. For multiple contentIds the syntax is contentId.N=.
contentKey: For a single content key the syntax is contentKey=. For multiple contentKeys the syntax is contentKey.N=. The value of N must correspond with the contentId having the same value.
contentURL: This is the URL where the protected content can be downloaded. It will be embedded in the transaction token (a URL for MS3 Licenses).

Acquiring an MS3 Transaction Token
Given the following parameters:
  customer authenticator: FOOBAR
  content id: cid:marlin#Purn:marlin:organization:hms:bbts@0a0b0c0d
  content key: 000102030405060708090a0b0c0d0e0f
A request for a transaction token could be acquired using curl:
  curl 'https://eval.hostedmarlin.com/hms/ms3/token?
    &customerAuthenticator=FOOBAR
    &contentId=cid:marlin%23Purn:marlin:organization:hms:bbts@0a0b0c0d
    &contentKey=000102030405060708090a0b0c0d0e0f
    &contentURL=http://example.com/bigbucksbunny' > ms3_compound_uri.txt
In the above example, an errorFormat parameter was not specified so the default of HTML will be used. Alternatively errorFormat=json could have been added to the query string.

Redeeming an MS3 Transaction Token
Assuming the Marlin client has already been personalized (e.g. with WasabiSushiPersonalize), the transaction token (i.e., an MS3CompoundURI) can be redeemed for an MS3 Stream Access Statement.
  Ms3SampleClient `cat ms3_compound_uri.txt`
  --- MS3 Client 1.0 ---
  Retrieving URL https://eval.hostedmarlin.com:8443/hms/ms3/rights/?...
  SAS:
    Key 1:
      Content ID: f3b4309701e2ed67ff75a069df70f6f73ce202af
      Key Value: 000102030405060708090a0b0c0d0e0f
      Authenticator:
    Flags: (none)
    Output Control: (0,0 hex)
    [No Extensions]
    Content URL: http://example.com/bigbucksbunny

Playing MS3 Protected Media
Using the content id and content key the BBTS file can be decrypted and played:
  Ts2Decrypt --key cid:marlin\#Purn:marlin:organization:hms:bbts@0a0b0c0d::000102030405060708090a0b0c0d0e0f bigbucksbunny-trailer.bbts decrypted.ts
For BBTS we can also use WasabiCopyMedia by providing the SAS directly:
  WasabiCopyMedia -t video/MP2T `cat ms3_compound_uri.txt` decrypted.ts
And finally playback can be invoked with ffplay:
  ffplay decrypted.ts

MBB License Acquisition Token
customerAuthenticator: The Customer Authenticator that was provided on the CMI web site.
actionTokenType: This value should be 1 for a Broadband License Transaction Token.
contentId: The syntax is contentId= or contentId.N= for multiple contentIds.
contentKey: The syntax is contentKey= or contentKey.N= for multiple contentKeys.
rightsType: This value is either BuyToOwn or Rental. Rental requires the rental.periodEndTime and rental.playDuration parameters.
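The Bulk and BBTS EXT-X-KEY attribute rules from the HLS slide above, as an added example that is not part of the Marlin tutorial or the Marlin SDKs: a small Python checker that walks an HLS playlist and flags key tags missing the mandatory CID, an unknown METHOD, or an IV that is not a 128-bit hex value (the URI requirement for AES-128 comes from the HLS draft itself, not from this page); the playlist is constructed for this example.

```python
"""Check the Marlin-specific EXT-X-KEY attributes in an HLS playlist.

Rules implemented (from the Marlin HLS mapping):
  METHOD=AES-128    (Bulk)  -> CID mandatory, IV optional, URI per [HLS]
  METHOD=MARLIN-BBTS (BBTS) -> CID mandatory
"""
import re

# Constructed sample playlist: one Bulk key, one BBTS key, one defective key.
SAMPLE_PLAYLIST = """#EXTM3U
#EXT-X-VERSION:3
#EXT-X-TARGETDURATION:10
#EXT-X-KEY:METHOD=AES-128,URI="https://keys.example.com/k1",IV=0x000102030405060708090a0b0c0d0e0f,CID="urn:marlin:organization:example:bulk:0001"
#EXTINF:10.0,
seg-0001.ts
#EXT-X-KEY:METHOD=MARLIN-BBTS,CID="cid:marlin#Purn:marlin:organization:hms:bbts@0a0b0c0d"
#EXTINF:10.0,
seg-0002.ts
#EXT-X-KEY:METHOD=AES-128,URI="https://keys.example.com/k3"
#EXTINF:10.0,
seg-0003.ts
"""

# NAME=value or NAME="quoted value"; quoted values may contain ',' '#' '@' ':'
ATTR_RE = re.compile(r'([A-Z0-9-]+)=("[^"]*"|[^,]*)')
# HLS IV attribute: 128-bit hexadecimal integer with a 0x prefix
IV_RE = re.compile(r'^0[xX][0-9a-fA-F]{32}$')


def parse_attributes(attr_list):
    """Turn the attribute list of an EXT-X-KEY tag into a dict."""
    attrs = {}
    for name, value in ATTR_RE.findall(attr_list):
        if value.startswith('"'):
            value = value[1:-1]
        attrs[name] = value
    return attrs


def check_key_tag(attrs):
    """Return a list of problems; an empty list means the tag is acceptable."""
    problems = []
    method = attrs.get('METHOD')
    if method == 'NONE':
        return problems            # clear segments: no Marlin attributes apply
    if method == 'AES-128':
        if 'URI' not in attrs:     # required by [HLS] for AES-128
            problems.append('AES-128 key without URI')
        iv = attrs.get('IV')
        if iv is not None and not IV_RE.match(iv):
            problems.append('IV is not a 128-bit hex value')
    elif method != 'MARLIN-BBTS':
        problems.append('unknown METHOD %r' % method)
        return problems
    # both Marlin mappings make the content identifier mandatory
    if not attrs.get('CID'):
        problems.append('%s key without mandatory CID' % method)
    return problems


def check_playlist(text):
    """Return [(line_number, attrs, problems)] for every EXT-X-KEY tag."""
    results = []
    for n, line in enumerate(text.splitlines(), 1):
        if line.startswith('#EXT-X-KEY:'):
            attrs = parse_attributes(line[len('#EXT-X-KEY:'):])
            results.append((n, attrs, check_key_tag(attrs)))
    return results


if __name__ == '__main__':
    for n, attrs, problems in check_playlist(SAMPLE_PLAYLIST):
        print('line %d METHOD=%s: %s' % (n, attrs.get('METHOD'), problems or 'ok'))
```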
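The MS3, MBB license and MBB registration token requests described on this page, as an added example that is not code from Intertrust or the HMS documentation: a Python helper that builds the request URLs with the contentId.N/contentKey.N pairing, the Rental parameter requirement and a 128-bit key check. The base URL, endpoint paths and parameter names are taken from the tutorial's curl commands; FOOBAR and the key values are the page's own sample values.

```python
"""Build HMS transaction-token request URLs (MS3, MBB license, MBB registration).

Parameter names and endpoints follow the tutorial's curl examples:
  /hms/ms3/token  customerAuthenticator, contentId[.N], contentKey[.N], contentURL
  /hms/bb/token   actionTokenType (1 = license, 0 = registration), rightsType, ...
"""
from urllib.parse import urlencode, urlsplit, parse_qs

HMS_BASE = 'https://eval.hostedmarlin.com/hms'   # host used in the page's examples
HEX_KEY_LEN = 32                                  # 128-bit key written as hex
SAFE_CHARS = ':@/'                                # left unescaped, as in the page's curl lines


class HmsRequestError(ValueError):
    """A request that HMS would reject is refused before it is sent."""


def _check_key(key):
    if len(key) != HEX_KEY_LEN or any(c not in '0123456789abcdefABCDEF' for c in key):
        raise HmsRequestError('content/user key must be 32 hex characters (128 bits)')


def _content_params(content):
    """content: list of (contentId, contentKey).

    One item -> contentId / contentKey; several -> contentId.N / contentKey.N,
    with the same N for an id and its key, as the parameter table requires."""
    if not content:
        raise HmsRequestError('at least one contentId/contentKey pair is required')
    params = []
    for n, (cid, key) in enumerate(content):
        _check_key(key)
        suffix = '' if len(content) == 1 else '.%d' % n
        params.append(('contentId' + suffix, cid))
        params.append(('contentKey' + suffix, key))
    return params


def ms3_token_url(customer_auth, content, content_url, error_format=None):
    """MS3 license token; errorFormat defaults to HTML on the server side."""
    params = [('customerAuthenticator', customer_auth)]
    params += _content_params(content)
    params.append(('contentURL', content_url))
    if error_format:
        params.append(('errorFormat', error_format))
    return HMS_BASE + '/ms3/token?' + urlencode(params, safe=SAFE_CHARS)


def bb_license_token_url(customer_auth, content, rights_type, rental=None, user=None):
    """MBB license token (actionTokenType=1).

    rental: (periodEndTime, playDuration), mandatory when rights_type == 'Rental'.
    user:   (userId, userKey) for a user-bound rather than device-bound license."""
    if rights_type not in ('BuyToOwn', 'Rental'):
        raise HmsRequestError('rightsType must be BuyToOwn or Rental')
    params = [('actionTokenType', '1'), ('customerAuthenticator', customer_auth)]
    params += _content_params(content)
    params.append(('rightsType', rights_type))
    if rights_type == 'Rental':
        if rental is None:
            raise HmsRequestError('Rental requires rental.periodEndTime and rental.playDuration')
        params.append(('rental.periodEndTime', str(rental[0])))
        params.append(('rental.playDuration', str(rental[1])))
    if user is not None:
        _check_key(user[1])
        params.append(('userId', str(user[0])))
        params.append(('userKey', user[1]))
    return HMS_BASE + '/bb/token?' + urlencode(params, safe=SAFE_CHARS)


def bb_registration_token_url(customer_auth, user_id, user_key):
    """MBB registration token (actionTokenType=0)."""
    _check_key(user_key)
    params = [('actionTokenType', '0'), ('customerAuthenticator', customer_auth),
              ('userId', str(user_id)), ('userKey', user_key)]
    return HMS_BASE + '/bb/token?' + urlencode(params, safe=SAFE_CHARS)


def query_params(url):
    """Decode a built URL back into {name: value}, for checking."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


if __name__ == '__main__':
    key = '000102030405060708090a0b0c0d0e0f'
    print(ms3_token_url('FOOBAR', [('cid:marlin#Purn:marlin:organization:hms:bbts@0a0b0c0d', key)],
                        'http://example.com/bigbucksbunny'))
    print(bb_license_token_url('FOOBAR', [
        ('urn:marlin:organization:hms:8puslic:00000000010f510070000000000000007f00000000000100', key),
        ('urn:marlin:organization:hms:8puslic:00000000010f510070000000000000007f00000000000101', key)],
        'BuyToOwn'))
    print(bb_registration_token_url('FOOBAR', 12345678, key))
```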
Acquiring an MBB Action Token
Given the following parameters:
  customer authenticator: FOOBAR
  audio:
    content id: urn:marlin:organization:hms:8puslic:00000000010f510070000000000000007f00000000000100
    content key: 000102030405060708090a0b0c0d0e0f
  video:
    content id: urn:marlin:organization:hms:8puslic:00000000010f510070000000000000007f00000000000101
    content key: 000102030405060708090a0b0c0d0e0f
A request for a transaction token could be acquired using curl:
  curl 'https://eval.hostedmarlin.com/hms/bb/token?actionTokenType=1
    &customerAuthenticator=FOOBAR
    &contentId.0=urn:marlin:organization:hms:8puslic:00000000010f510070000000000000007f00000000000100
    &contentKey.0=000102030405060708090a0b0c0d0e0f
    &contentId.1=urn:marlin:organization:hms:8puslic:00000000010f510070000000000000007f00000000000101
    &contentKey.1=000102030405060708090a0b0c0d0e0f
    &rightsType=BuyToOwn' > bb_license_action_token.xml

Redeeming an MBB License Token
Assuming the Marlin client has already been personalized (e.g. with WasabiSushiPersonalize), the transaction token (i.e., an ActionToken) can be redeemed for an MBB License.
  WasabiSushiProcessToken --save-license license_device_bound.xml bb_license_action_token.xml
  ==== Sushi Token Processor V1.0 =======================================
  SDK API Version: 0.1.1.6
  SDK IMP Version: 1040000
  SDK IMP Build: 7157
  SDK IMP Details: (c) 2005-2010 Intertrust Technologies / Revision 7157
  OnEvent - > BEGIN [SHI_TRANSACTION_TYPE_SERVICE_TOKEN_PROCESSING]
  OnEvent - > PROGRESS: 0 of 3
  OnEvent - > PROGRESS: 1 of 3
  OnEvent - >> BEGIN [SHI_TRANSACTION_TYPE_LICENSE_ACQUISITION]
  OnEvent - >> PROGRESS: 0 of 2
  OnEvent - >> PROGRESS: 1 of 2
  OnEvent - >> EVENT: event type 9
  OnEvent - >> PROGRESS: 2 of 2
  OnEvent - >> END: code=0, message=''
  OnEvent - > PROGRESS: 2 of 3
  OnEvent - > PROGRESS: 3 of 3
  OnEvent - > END: code=0, message=''
  OnEvent - DONE
  ======================================================================

Inspecting the MBB License
The redemption of the Action Token resulted in receiving a file license_device_bound.xml. To interrogate the license, supply the relevant contentIds to WasabiSushiAction:
  WasabiSushiAction Perform Play license_device_bound.xml urn:marlin:organization:hms:8puslic:00000000010f510070000000000000007f00000000000100 urn:marlin:organization:hms:8puslic:00000000010f510070000000000000007f00000000000101
  ==== Sushi Action V1.0 =============================================
  SDK API Version: 0.1.1.6
  SDK IMP Version: 1040000
  SDK IMP Build: 7157
  SDK IMP Details: (c) 2005-2010 Intertrust Technologies / Revision 7157
  Action Result: GRANTED
  Action Result Info Flag(s):
  KEY 0 = 000102030405060708090a0b0c0d0e0f
  KEY 1 = 000102030405060708090a0b0c0d0e0f
  ======================================================================

Playing MBB Protected Media
Using the content ids and content keys the PDCF file can be decrypted and played:
  mp4decrypt --key 1:000102030405060708090a0b0c0d0e0f --key 2:000102030405060708090a0b0c0d0e0f bigbucksbunny-trailer.mlv decrypted.mp4
And finally playback can be invoked with ffplay:
  ffplay decrypted.mp4

MBB Registration Action Token
customerAuthenticator: The Customer Authenticator that was provided on the CMI web site.
actionTokenType: This value should be 0 for a Broadband Registration Action Token.
userId: The user id to associate with this user.
userKey: The user key to associate with this user.

Acquiring an MBB Registration Token
Given the following parameters:
  userId 12345678
  userKey 000102030405060708090a0b0c0d0e0f
Request the token using curl:
  curl 'https://eval.hostedmarlin.com/hms/bb/token?actionTokenType=0
    &customerAuthenticator=FOOBAR
    &userId=12345678
    &userKey=000102030405060708090a0b0c0d0e0f' > bb_registration_token.xml

Redeeming a Registration Token
Assuming the Marlin client has already been personalized (e.g. with WasabiSushiPersonalize), the transaction token (i.e., an ActionToken) can be redeemed to perform the MBB user registration.
  WasabiSushiProcessToken bb_registration_token.xml
  ==== Sushi Token Processor V1.0 =============================================
  SDK API Version: 0.1.1.6
  SDK IMP Version: 1040000
  SDK IMP Build: 7157
  SDK IMP Details: (c) 2005-2010 Intertrust Technologies / Revision 7157
  OnEvent - > BEGIN [SHI_TRANSACTION_TYPE_SERVICE_TOKEN_PROCESSING]
  OnEvent - > PROGRESS: ...
  OnEvent - >> BEGIN [SHI_TRANSACTION_TYPE_USER_REGISTRATION]
  OnEvent - >> PROGRESS: ...
  OnEvent - >> END: code=0, message=''
  OnEvent - > PROGRESS: 2 of 4
  OnEvent - >> BEGIN [SHI_TRANSACTION_TYPE_LINK_ACQUISITION]
  OnEvent - >> PROGRESS: ...
  OnEvent - >> END: code=0, message=''
  OnEvent - > PROGRESS: ...
  OnEvent - > END: code=0, message=''
  OnEvent - DONE
  ======================================================================

User Bound License Token
To request an Action Token for a user bound license you provide the same parameters as for a device bound license plus the user-specific information supplied for registration.
The requisite parameters are: customerAuthenticator, actionTokenType, contentId, contentKey, rightsType, userId, userKey
The command line request:
  curl 'https://eval.hostedmarlin.com/hms/bb/token?actionTokenType=1
    &customerAuthenticator=FOOBAR
    &contentId.0=urn:marlin:organization:hms:8puslic:00000000010f510070000000000000007f00000000000100
    &contentKey.0=000102030405060708090a0b0c0d0e0f
    &contentId.1=urn:marlin:organization:hms:8puslic:00000000010f510070000000000000007f00000000000101
    &contentKey.1=000102030405060708090a0b0c0d0e0f
    &rightsType=BuyToOwn
    &userId=12345678
    &userKey=000102030405060708090a0b0c0d0e0f' > bb_user_bound_license_action_token.xml

Redeeming a User Bound License
Assuming the Marlin client has already been personalized (e.g. with WasabiSushiPersonalize), the transaction token (i.e., an ActionToken) can be redeemed for an MBB License.
  WasabiSushiProcessToken --save-license license_user_bound.xml bb_user_bound_license_action_token.xml
  ==== Sushi Token Processor V1.0 =============================================
  SDK API Version: 0.1.1.6
  SDK IMP Version: 1040000
  SDK IMP Build: 7157
  SDK IMP Details: (c) 2005-2010 Intertrust Technologies / Revision 7157
  OnEvent - > BEGIN [SHI_TRANSACTION_TYPE_SERVICE_TOKEN_PROCESSING]
  OnEvent - > PROGRESS: ...
  OnEvent - >> BEGIN [SHI_TRANSACTION_TYPE_LICENSE_ACQUISITION]
  OnEvent - >> PROGRESS: ...
  OnEvent - >> EVENT: event type 9
  OnEvent - >> PROGRESS: ...
  OnEvent - >> END: code=0, message=''
  OnEvent - > PROGRESS: ...
  OnEvent - > END: code=0, message=''
  OnEvent - DONE
  ======================================================================

Inspecting the User License
The redemption of the Action Token resulted in receiving a file license_user_bound.xml.
To interrogate the license, supply the relevant contentIds to WasabiSushiAction:
  WasabiSushiAction Perform Play license_user_bound.xml urn:marlin:organization:hms:8puslic:00000000010f510070000000000000007f00000000000100 urn:marlin:organization:hms:8puslic:00000000010f510070000000000000007f00000000000101
  ==== Sushi Action V1.0 =============================================
  SDK API Version: 0.1.1.6
  SDK IMP Version: 1040000
  SDK IMP Build: 7157
  SDK IMP Details: (c) 2005-2010 Intertrust Technologies / Revision 7157
  Action Result: GRANTED
  Action Result Info Flag(s):
  KEY 0 = 000102030405060708090a0b0c0d0e0f
  KEY 1 = 000102030405060708090a0b0c0d0e0f
  ======================================================================

Integrate DRM Support
• To distribute content to various Marlin devices, you need to understand the interfaces required by your customers' devices
• The device will provide interfaces for processing Marlin Action Tokens or MS3 URLs as part of its content acquisition workflow. Typically, these interfaces are implemented through browser plugins that are invoked in JavaScript on your store's web page
• In the request to HMS, you supply all the information necessary for a content license and HMS sends you back an Action Token or an MS3 URL to pass to your customer's device
• Once you transfer the value retrieved from HMS to the device, the device's Marlin DRM system contacts HMS and redeems the value to obtain the rights to the content
• Through this entire interaction, HMS does not store any of your data.
  All the necessary information required to issue the content rights is encrypted in the Action Token or the MS3 URL returned from the REST API

Package Content
• A downloadable set of binary tools is available to encrypt content
• These tools allow you to encrypt and package MP4 and MPEG-2 TS media into Marlin-protected content
• Tools also support other formats

End-to-End Testing
• Verify using the supplied command line tools
• Verify using a Marlin-enabled device

Bluewhale Marlin Broadband Server
Bluewhale Overview
Service Architecture using Bluewhale

Roll Your Own Solution
Overview

Client Side Technology
Marlin Client Side Technology
Wasabi in-depth
• What is Wasabi
• Wasabi API
• Wasabi on Mobile
• Wasabi on STB/TV
• Wasabi for HTML5

Wasabi Integration Options
Wasabi w/ Integrated HW Security
Wasabi Integration Options
Wasabi w/o Integrated HW Security
Wasabi SDK Overview
Wasabi SDK Architecture

Wasabi Documentation
• Wasabi Developer's Guide
  ◦ High-level description of the APIs
  ◦ Tells which API is available for which system (desktop, mobile, STB)
• Wasabi SDK API C Developer's Guide
  ◦ In-depth documentation of the Wasabi C APIs
• Wasabi Extensions
  ◦ Addresses PlaylistProxy for mobile and Wasabi Chromium integration

Wasabi on Mobile
Availability
• iOS and Android Platforms
HTTP Proxy functionalities
• License / MS3 SAS Evaluation
• Content Decryption
• Serves decrypted content (HLS format)
Use of the native player to render the content
• Connect to obfuscated local URL (to the proxy)
• Saves battery life

Wasabi on Mobile (cont'd)
Example: iOS Playlist Proxy
Playing a file (iOS example)
  // create and start the proxy
  WSB_PlaylistProxy* proxy = NULL;
  WSB_PlaylistProxy_Create(&proxy);
  WSB_PlaylistProxy_Start(proxy);

  // get a proxy URL to feed the native player
  const char* proxy_url = NULL;
  WSB_PlaylistProxy_MakeUrl(proxy, ms3_url, WSB_PPMST_SINGLE_FILE, NULL, &proxy_url);

  // now feed the proxy_url to the player (iOS specific code);
  // MPMoviePlayerController takes an NSURL, so convert the C string first
  NSURL* url = [NSURL URLWithString:[NSString stringWithUTF8String:proxy_url]];
  MPMoviePlayerController* player = [[MPMoviePlayerController alloc] initWithContentURL:url];
  [player play];
  ...
  // cleanup after content is done
  [player release];
  WSB_PlaylistProxy_Stop(proxy);
  WSB_PlaylistProxy_Destroy(proxy);

Wasabi on STB/TV: Main APIs
• Sushi API
  ◦ Retrieves BB objects (Registration, Licenses)
  ◦ Access to DRM Metadata (Registration Status, etc.)
• WSB_LicenseStore
  ◦ Stores/Finds BB licenses based on Content IDs
• WSB_MediaFile
  ◦ Access to file/stream metadata (e.g. DRM Content ID)
• WSB_PlaybackEnabler
  ◦ Retrieves / Evaluates Rights (BB or MS3)
  ◦ Populates the Key Manager

Wasabi on STB/TV: Main APIs (cont'd)
• WSB_KeyManager
  ◦ Stores the Keys to be used in the Media Stack
• WSB_EcmDecrypter (MPEG2TS)
  ◦ Works in conjunction with the Native Hardware Demux
  ◦ Decrypts traffic keys (Control Words) to be programmed in the HW Demux
• Bento4 (MP4)
  ◦ General MP4/ISO/Common file format parsing library
  ◦ Supports PDCF/Common file format/IPMP encryption/decryption

Sushi and License Store (BB only)
  // create a license manager object
  class LicenseRetriever {
  public:
      // forwarding method: the engine calls this C-style callback,
      // which dispatches to the instance stored in the listener
      static void OnEvent_(SHI_EngineListener self,
                           SHI_EngineEventType type,
                           const SHI_EngineEvent* event) {
          ((LicenseRetriever*)self.instance)->OnEvent(type, event);
      }

      // constructor
      LicenseRetriever() : m_DrmEngine(NULL), m_LicenseStore(NULL) {
          // create a drm engine with ourselves as a listener
          SHI_EngineConfig config;
          // static so the pointer kept in config stays valid after the constructor returns
          static const SHI_EngineListenerInterface iface = { OnEvent_ };
          config.flags = 0;
          config.listener.iface = &iface;
          config.listener.instance = (SHI_EngineListenerInstance*)this;
          SHI_Engine_Create(&config, &m_DrmEngine);
          ...
          // open the license store that received licenses are added to
          WSB_LicenseStore_Open(&m_LicenseStore);
      }

Sushi and License Store (cont'd)
      // engine callback: store each license as its data arrives
      void OnEvent(SHI_EngineEventType type, const SHI_EngineEvent* event) {
          switch (type) {
              case SHI_ENGINE_EVENT_LICENSE_DATA_RECEIVED: {
                  SHI_LicenseDataReceivedEvent* lic_event = (SHI_LicenseDataReceivedEvent*)event;
                  WSB_LicenseStore_AddLicense(m_LicenseStore, lic_event->data, lic_event->size, NULL, NULL);
                  break;
              }
              ...
          }
      }

      // hand a license action token to the engine
      WSB_Result ProcessToken(const char* lic_token) {
          return SHI_Engine_ProcessServiceToken(lic_token);
      }

  private:
      // members
      SHI_Engine* m_DrmEngine;
      WSB_LicenseStore* m_LicenseStore;
  };

  // using our object
  LicenseRetriever* retriever = new LicenseRetriever;
  retriever->ProcessToken(my_license_token);

Wasabi on STB/TV: BBTS Example
Using Wasabi with a Hardware DeMux

Wasabi on Desktop
Choosing the right approach for your needs
• Build your own player using the WSB_Player API
  ◦ More work but more control
• Use our Chromium/Berkelium build
  ◦ The <video> and <audio> tags go through our secure media stack
  ◦ Interact with the DRM servers using our JavaScript DRM API

Wasabi Player
The Wasabi Player API (WSB_Player) allows you to do the following
• Set Outputs (audio and video)
  ◦ You can specify which window you want to use to render your content
• Specify your input
  ◦ Can be an MS3 or a content URL
  ◦ Use of dedicated schemes (hls:// for HLS, dash:// for DASH etc.) and/or mime types
• Playback Controls
  ◦ Pause, Stop, Seek, Volume
• Get Notified with Events
  ◦ Timecode, decoder state, DRM state etc.

Chromium with Wasabi
You build your own player and content service using HTML5, JavaScript and CSS 3.
MS3 Example
  <!DOCTYPE html>
  <html lang="en">
  <head>
    <meta charset="utf-8" />
    <title>MS3 Video Player Example</title>
  </head>
  <body>
    <video controls width="480" height="320" id="video">
      <source src="https://hms-test.intertrust.com:8443/hms/ms3...">
    </video>
  </body>
  </html>

Implementation Security
Key and Trust Management
• Secure Key Box (aka Sockeye)
• How to get keys from Seacert
• Provisioning keys
  ◦ Factory
  ◦ Seacert Online Provisioning Service
  ◦ Custom Secure Key Box (SKB)

What is Sockeye?
• A means to protect access to secrets using state-of-the-art technology.
• When using a proper SKB implementation, an application can work with keys and secret data without having access to them in memory.
• A proper implementation will use hardware-assisted security on capable processors, whitebox cryptography on downloaded applications for PCs and Mobile, or other mechanisms that make it "very" difficult for a sophisticated attacker to exploit keys or secrets

What is Sockeye not?
• Sockeye is not for verifying trust

What Is Provided?
• SKB (Secure Key Box) API in C
• SKB Documentation (Implementer's Guide)
• SKB Test Suite
• SKB Software Implementation
  ◦ Fully implements the SKB API
  ◦ Provided as standalone source code
  ◦ No external dependencies
  ◦ May be used as a code base for porting and adapting

SKB Architecture
SKB API - Objects
• SKB_Engine
• SKB_SecureData
  ◦ AES & RSA private Keys
  ◦ Arbitrary Data
• SKB_Transform
  ◦ Sign: HMAC, RSA
  ◦ Verify: HMAC
  ◦ Digest: SHA1, SHA256
• SKB_Cipher
  ◦ Encrypt/Decrypt, Normal/High Speed
• and more...
SKB Use Case - Import
SKB Use Case - Decrypting
SKB Use Case - Two Domains

Trust Management for OTT Ecosystems
What is Trust Management?
• A trust management framework allows independent entities to trust one another through a Trust Authority that distributes risk and responsibilities among these entities
• A Digital Rights Management (DRM) framework may combine multiple types of trust management relationships

Role of the Trust Authority
To provide the framework for cooperation with three main functions:
• Originates and maintains agreements
• Provides a framework for electronic credentials and licenses following an ecosystem-defined Trust Model
  ◦ Entities get well-defined roles defining what services they are trusted to provide
  ◦ Trust delegation allows scalability of processes
  ◦ Remediation planning allows orderly maintenance of trust
• Actuates remediation processes

Implementing Trust Management
Trust Authority
Contractually:
• Sets criteria under which a device may receive cryptographic credentials -- compliance and robustness rules
• Authorizes issuance of device cryptographic credentials -- Registration Authority
• Requires service providers to rely on asserted properties of the device as part of releasing content keys to the device
Certification Authority
Technically:
• Generates and manages Trust Anchor (and other) private keys
• Employs processes to prevent compromise of private keys
• Uses private keys to sign certificates only when authorized
• Provides remediation for issued certificates or credentials
Trust Authority and Certificate Authority need to be highly reliable or immune from faults

Trusted Device
• Secure boot rooted in a hardware and/or tamper-resilient trust mechanism
• Secure management of Ecosystem and DRM Keys
• Ensures integrity of trust anchors relied upon by the ecosystem authentication services and the DRM
• Supports authenticated communications between the device and ecosystem services
• May enable an application security model to ensure the integrity and trustworthiness of applications
Ecosystem Trust Mechanisms

SDKs and Tools
How to get access to the code
Implementation technology is available from Intertrust. The Wasabi Marlin Client SDK, Bluewhale Marlin Broadband Server and packaging tools are available for evaluation: http://www.intertrust.com/agreements/code_eval
Information regarding Intertrust's Hosted Marlin Service (HMS) may be found at: https://www.hostedmarlin.com/
The media packaging tools are available from Bento4.com