5

I am trying to understand EME with Clear Key encryption. I am using MP4Box. From the documentation here, you specify decryption keys in an XML file that is used to encrypt/decrypt your mp4 files. https://gpac.wp.mines-telecom.fr/mp4box/encryption/common-encryption/

Basically, is there any point to EME with clear key encryption and is it possible to use this to protect content?

From my understanding, the encryption keys you specify in this XML are the keys the clients need to use on the front end to decrypt the HTML5 audio/video streams. This means that, at any time, the user could use a browser's dev tools to get the keys.

I suppose I could obfuscate the keys somehow, but anyone with determination would still be able to get the keys.

The other thing I could possibly do is combine this with stream links that expire, but that also wouldn't protect the keys.

I think you could also re-encrypt the media periodically, or encrypt the file multiple times with different keys, but that doesn't seem like it would scale well. Having a one-time-use key for each playback would be nice, but again, probably horribly inefficient.

Here is an example of an XML config for specific encryption keys:

    <?xml version="1.0" encoding="UTF-8"?>
    <GPACDRM type="CENC AES-CTR">
      <!-- example for GPAC 'clear' DRM System - keys are listed after the content and UL follows -->
      <DRMInfo type="pssh" version="1" cypherOffset="9" cypherKey="0x6770616363656E6364726D746F6F6C31" cypherIV="0x00000000000000000000000000000001">
        <BS ID128="6770616363656E6364726D746F6F6C31"/>
        <BS value="2" bits="32"/>
        <BS ID128="0x279926496a7f5d25da69f2b3b2799a7f"/>
        <BS ID128="0x676cb88f302d10227992649885984045"/>
        <BS bits="8" string="CID=Toto"/>
        <BS ID128="0xccc0f2b3b279926496a7f5d25da692f6"/>
        <BS ID128="0xccc0f2b3b279926496a7f5d25da692d6"/>
      </DRMInfo>
      <CrypTrack trackID="1" IsEncrypted="1" IV_size="16" first_IV="0x0a610676cb88f302d10ac8bc66e039ed" saiSavedBox="senc">
        <key KID="0x279926496a7f5d25da69f2b3b2799a7f" value="0xccc0f2b3b279926496a7f5d25da692f6"/>
        <key KID="0x676cb88f302d10227992649885984045" value="0xccc0f2b3b279926496a7f5d25da692d6"/>
      </CrypTrack>
    </GPACDRM>
user1152226

1 Answer

3

The point of EME with clear key encryption is to provide an easier-to-implement encryption for content that is slightly more difficult to steal and share. If you really need to protect your content, DRM is currently the strongest solution, ignoring the scenario of not sharing the content in the first place.

On the easy-to-implement and easy-to-bypass end is putting a single non-rotating key in the master manifest and trying to control access to the manifest. Once a user gains access to the master manifest, it's all in plain sight and can be shared openly with others.

On the harder-to-implement and harder-to-bypass end is using short-duration key rotation on each segment and utilizing short-lived signed URLs. This means a user has to deal with different keys for different segments and with downloading the different segments with valid keys in a timely manner. A user could still pull all the pieces together to steal and share the content, but it is no longer just a copy and paste away.

THEOplayer has a slightly more detailed post on the things that I have mentioned here, if it's still up and you are interested: https://www.theoplayer.com/blog/content-protection-for-hls-with-aes-128-encryption

Mike Grace
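An added example, not part of either post above and not GPAC code: the core of a Clear Key license endpoint that serves the KID/key pairs from the question's `<CrypTrack>` element behind an expiring signed token, in the spirit of the short-lived signed URLs the answer describes. The token format, the `SIGNING_SECRET` value and all function names are assumptions made for illustration; the request and response JSON shapes are the Clear Key formats defined by the W3C EME specification.

```javascript
const crypto = require('crypto');

// KID -> key pairs copied from the <CrypTrack> element in the question's XML.
const KEYS = {
  '279926496a7f5d25da69f2b3b2799a7f': 'ccc0f2b3b279926496a7f5d25da692f6',
  '676cb88f302d10227992649885984045': 'ccc0f2b3b279926496a7f5d25da692d6',
};
const SIGNING_SECRET = 'constructed-demo-secret'; // assumption: known only to the server

// Clear Key carries KIDs and keys as unpadded base64url.
const hexToB64u = (hex) => Buffer.from(hex, 'hex').toString('base64')
  .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
const b64uToHex = (s) =>
  Buffer.from(s.replace(/-/g, '+').replace(/_/g, '/'), 'base64').toString('hex');

// Hypothetical token: "<expiryUnixSeconds>.<hex HMAC-SHA256 over the expiry>".
function signToken(expires) {
  const mac = crypto.createHmac('sha256', SIGNING_SECRET)
    .update(String(expires)).digest('hex');
  return `${expires}.${mac}`;
}

function verifyToken(token, now) {
  const [expires, mac] = String(token).split('.');
  if (!/^\d+$/.test(expires || '') || !/^[0-9a-f]{64}$/.test(mac || '')) return false;
  const expected = signToken(expires).split('.')[1];
  const ok = crypto.timingSafeEqual(Buffer.from(mac, 'hex'), Buffer.from(expected, 'hex'));
  return ok && Number(expires) > now;
}

// requestBody is the JSON the browser's Clear Key CDM emits in the EME "message" event,
// e.g. {"kids":["<base64url KID>"],"type":"temporary"}.
function buildLicense(requestBody, token, now = Math.floor(Date.now() / 1000)) {
  if (!verifyToken(token, now)) return null; // expired or forged token: no keys served
  const { kids = [] } = JSON.parse(requestBody);
  const keys = kids
    .map((kid) => ({ kid, hex: KEYS[b64uToHex(kid)] }))
    .filter((entry) => entry.hex) // silently skip KIDs this server does not hold
    .map((entry) => ({ kty: 'oct', kid: entry.kid, k: hexToB64u(entry.hex) }));
  // Page script passes this JWK set to MediaKeySession.update(); "k" is the raw
  // content key, so the token limits who can fetch it, not who can read it afterwards.
  return JSON.stringify({ keys, type: 'temporary' });
}
```

The token check narrows the window in which the license can be requested, but the response still delivers the unwrapped key to page JavaScript, which is the exposure the question describes.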