Dash-Industry-Forum / livesim2

DASH Live Source Simulator v2 in Go

Provide Encrypted Streams with ClearKey #122

Closed tobbee closed 5 months ago

tobbee commented 9 months ago

Encrypted streams, and in particular, changing between encrypted and non-encrypted periods, or key rotation would be good things to have.

For low-latency, one would also need to be able to defragment segments and generate the appropriate boxes in each fragment.

It may also be useful to be able to encrypt on the fly in different formats, so that one can test both cenc and cbcs common encryption schemes, without the need to preencrypt the segments.

For this to work out, one first needs to extend the mp4ff library to support encryption of segments. That work has started.

tobbee commented 6 months ago

mp4ff library now has support for cenc and cbcs encryption/decryption. A first use case would be to support pre-encrypted segments. For this, two features are needed:

  1. The MPD needs to support additional namespaces for the DRM schemes
  2. The refragmentation of the segments must handle the encryption boxes, in particular saio, saiz, and senc.

tobbee commented 6 months ago

The MPD now has support for DASH-IF Clear Key Protection (CCP) signalling as defined in https://github.com/Dash-Industry-Forum/ClearKey-Content-Protection.

The example server is not responding right now, so an alternative would be nice to have.

Livesim2 could fill the gap, by providing all of:

  1. An MPD with relevant CCP information
  2. A License Acquisition Server JSON response
  3. Encrypted segments in either cbcs or cenc format

It could work by specifying a new parameter like /ecpp_cenc or /ecpp_cbcs in the URL and let the LaURL be equal to the MPD URL, except replacing the extension .mpd with _ecpp.json or similar.

@dsilhavy what do you think would be good to have?

dsilhavy commented 6 months ago

Discussed in the dash.js call. IOP document with the updated requirements: https://dashif.org/docs/IOP-Guidelines/DASH-IF-IOP-Part6-v5.0.0.pdf

See Section 11: Enhanced Clear Key Content Protection (ECCP)

Murmur commented 6 months ago

HbbTV refapp is using this content with clearkey laurl address.

CENC https://refapp.hbbtv.org/videos/00_llama_h264_v9/cenc/manifest_ckcenc_1080p.mpd

CBCS https://refapp.hbbtv.org/videos/00_llama_h264_v9/cbcs/manifest_ckcenc_1080p.mpd

LAURL https://refapp.hbbtv.org/videos/laurl_ck.php?kid=1236

Murmur commented 6 months ago

This is a clearkey live stream with a multiperiod vod2live wrapping at the end of cycle.

CENC https://refapp.hbbtv.org/videos/multiperiod_v8.php?drm=ck,cenc&advert=0&emsg=0&video=v1,v2,v3&audiolang=eng,fin,ger,swe&sublang=0&mup=2&spd=8&config=multiperiod_00llama_h264_mainonly

CBCS https://refapp.hbbtv.org/videos/multiperiod_v8.php?drm=ck,cbcs&advert=0&emsg=0&video=v1,v2,v3&audiolang=eng,fin,ger,swe&sublang=0&mup=2&spd=8&config=multiperiod_00llama_h264_mainonly

LAURL https://refapp.hbbtv.org/videos/laurl_ck.php?kid=1236

@dsilhavy For some reason dashjs demoUI logs an [1386225][ProtectionKeyController] Failed to retrieve clearkeys from ProtectionData error but playback still is fine.

tobbee commented 6 months ago

@Murmur My intention is to support the DASH-IF ECCP as defined in Section 11 of DASH-IF IOP5 where the LaURL is given in the manifest. This avoids sending the LaURL via a side channel. According to Will Law, that scheme is used in production.

Does HbbTV have something like that?

Murmur commented 5 months ago

@tobbee We use dashif:laurl in VoD PlayReady content, but HbbTV native player support is poor. It's fine if using the dashjs MSE-EME player on an HbbTV device. I made a quick modification to provide a dashif:laurl live manifest.

Provide ClearkeyDRM laurl in a manifest

CENC https://refapp.hbbtv.org/videos/multiperiod_v9.php?drm=ck,cenc,laurl&advert=0&emsg=0&video=v1,v2,v3&audiolang=eng,fin,ger,swe&sublang=0&mup=2&spd=8&config=multiperiod_00llama_h264_mainonly

CBCS https://refapp.hbbtv.org/videos/multiperiod_v9.php?drm=ck,cbcs,laurl&advert=0&emsg=0&video=v1,v2,v3&audiolang=eng,fin,ger,swe&sublang=0&mup=2&spd=8&config=multiperiod_00llama_h264_mainonly

Provide ClearkeyDRM-CPS laurl in a manifest

CENC https://refapp.hbbtv.org/videos/multiperiod_v9.php?drm=ckcps,cenc,laurl&advert=0&emsg=0&video=v1,v2,v3&audiolang=eng,fin,ger,swe&sublang=0&mup=2&spd=8&config=multiperiod_00llama_h264_mainonly

CBCS https://refapp.hbbtv.org/videos/multiperiod_v9.php?drm=ckcps,cbcs,laurl&advert=0&emsg=0&video=v1,v2,v3&audiolang=eng,fin,ger,swe&sublang=0&mup=2&spd=8&config=multiperiod_00llama_h264_mainonly


(edit) Put both variations into a live-multiperiod test script, see example URLs. Is it the dashif:laurl or dashif:Laurl field name, probably this is something that changed over time? Dashjs seems to support both syntaxes.

I have always used the lowercase dashif:laurl name, as seen in very early spec examples. https://dashif-documents.azurewebsites.net/Guidelines-Security/master/Guidelines-Security.html#CPS-AdditionalConstraints-W3C

xmlns:dashif="https://dashif.org/"
<ContentProtection schemeIdUri="urn:uuid:e2719d58-a985-b3c9-781a-b030af78d30e" value="ClearKey1.0">
  <dashif:laurl licenseType="EME-1.0">https://refapp.hbbtv.org/videos/laurl_ck.php?kid=1236</dashif:laurl>
</ContentProtection>

This example is using firstUpperCase dashif:Laurl syntax. https://dashif.org/docs/IOP-Guidelines/DASH-IF-IOP-Part6-v5.0.0.pdf

xmlns:dashif="https://dashif.org/CPS"
<ContentProtection schemeIdUri="urn:uuid:e2719d58-a985-b3c9-781a-b030af78d30e" value="ClearKey1.0">
    <dashif:Laurl>https://example-license-server.com/license</dashif:Laurl>
</ContentProtection>

tobbee commented 5 months ago

Thanks for the links. I'll try to use them to set up some support in livesim2.

Beyond the capital letter in "Laurl", the namespace has also changed and is now: "https://dashif.org/CPS" instead of "http://dashif.org/guidelines/clearKey"

tobbee commented 5 months ago

I've now implemented ECCP support (including on-the-fly encryption and laurl-server) in livesim2.

I also tested with the assets that @Murmur provided and it worked to run that through livesim2 as well (both as VoD and live) after fixing the namespace and Laurl spelling.
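
The following Go program is an added example, not part of the thread and not livesim2 code. It finds every license-URL element under a `ContentProtection` element in an MPD and reports whether it uses the `Laurl` spelling and the `https://dashif.org/CPS` namespace discussed above. The sample MPD, the `license.example` URLs and the names `Node`, `FindLaurls` and `Current` are constructed for the illustration.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"strings"
)

// Namespace the thread gives for the current form; the element is spelled Laurl.
const cpsNS = "https://dashif.org/CPS"

// Node is a generic XML element: resolved name, text and child elements.
type Node struct {
	XMLName xml.Name
	Text    string `xml:",chardata"`
	Kids    []Node `xml:",any"`
}

// Current reports whether a license-URL element uses the current spelling and namespace.
func (n Node) Current() bool { return n.XMLName.Local == "Laurl" && n.XMLName.Space == cpsNS }

// collect appends every laurl/Laurl element found below a ContentProtection.
func collect(n Node, inCP bool, out *[]Node) {
	if inCP && strings.EqualFold(n.XMLName.Local, "laurl") {
		*out = append(*out, Node{XMLName: n.XMLName, Text: strings.TrimSpace(n.Text)})
	}
	for _, k := range n.Kids {
		collect(k, inCP || n.XMLName.Local == "ContentProtection", out)
	}
}

// FindLaurls parses an MPD and returns its license-URL elements in document order.
func FindLaurls(mpd string) (out []Node, err error) {
	var root Node
	if err = xml.Unmarshal([]byte(mpd), &root); err == nil {
		collect(root, false, &out)
	}
	return out, err
}

// Constructed sample: a trimmed MPD with one element in each form quoted in the thread.
const sampleMPD = `<MPD xmlns="urn:mpeg:dash:schema:mpd:2011">
<ContentProtection xmlns:dashif="https://dashif.org/"><dashif:laurl>https://license.example/old</dashif:laurl></ContentProtection>
<ContentProtection xmlns:dashif="https://dashif.org/CPS"><dashif:Laurl>https://license.example/new</dashif:Laurl></ContentProtection>
</MPD>`

func main() {
	ls, err := FindLaurls(sampleMPD)
	fmt.Printf("%+v %v\n", ls, err)
}
```

Because the decoder resolves prefixes to namespace URIs, the check does not depend on the manifest using the `dashif` prefix, only on the URI it is bound to.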