Skip to main content

Overview

All premium content is protected by a multi-DRM system using CMAF (Common Media Application Format) with dual-encryption profiles. A single set of encrypted segments serves all clients — no per-DRM content duplication. DRM key management is governed by a three-tier key hierarchy enforced through the KMS + HSM layer. Playback requires a valid DRM license bound to an authenticated session.
Architecture note: CMAF CENC+CBCS dual-encryption was selected to serve iOS (FairPlay, CBCS only), Android/Chrome (Widevine, CENC), and desktop/Smart TV (PlayReady, CENC) from a single segment set. See ADR-004 for the full decision record.

DRM System Comparison

PropertyWidevineFairPlayPlayReady
OwnerGoogleAppleMicrosoft
Encryption profileCENC (CTR mode)CBCS (CBC mode)CENC (CTR mode)
PlatformAndroid, Chrome, ChromeOSiOS, macOS, Safari, tvOSWindows, Xbox, Smart TV (Samsung/LG)
Security levelsL1 (hardware), L2, L3 (software)Not tiered (hardware-backed on modern devices)SL2000, SL3000 (hardware)
License serverMulti-DRM provider (Axinom or EZDRM)Multi-DRM providerMulti-DRM provider
CDN token bindingVia license request URL tokenVia license request URL tokenVia license request URL token

CMAF Dual-Encryption Model

Shaka Packager produces CMAF segments encrypted with both CENC (CTR) and CBCS (CBC) profiles simultaneously. A single init segment contains both pssh boxes (one per DRM system). The CDN delivery layer serves the same byte-identical files to all clients.
Segment fileCENC (for Widevine/PlayReady)CBCS (for FairPlay)
Video init segment✅ PSSH box✅ PSSH box
Video segments✅ CTR-encrypted✅ CBC-encrypted
Audio segments✅ CTR-encrypted✅ CBC-encrypted

Key Hierarchy

Keys are managed in a three-tier hierarchy:
TierKeyStorage
RootMaster Encryption Key (MEK)HSM only — never in software
IntermediateKey Encryption Key (KEK) — per-content-categoryKMS (AWS KMS or GCP CMEK) — encrypted under MEK
LeafContent Encryption Key (CEK) — per content itemEncrypted under KEK, stored in key store DB
Key rotation schedule:
  • MEK: Annual rotation, HSM-enforced
  • KEK: Per-content-category, rotated on new content batch or on compromise event
  • CEK: Per content item — generated fresh on DRM packaging, never reused across content items

License Acquisition Flow

1

Client encounters PSSH box

On stream load, the client’s DRM module detects the encrypted init segment and extracts the relevant PSSH box (Widevine, FairPlay, or PlayReady).
2

Client calls Playback Service

Client calls GET /api/v1/playback/token/{contentId} with a valid session JWT. Playback Service validates the entitlement: subscription is active, content is accessible in user’s region, user has not exceeded concurrent stream limit.
3

Signed license URL issued

Playback Service generates a signed, expiring license acquisition URL (TTL: 30 seconds) bound to the user’s session and content ID. The URL is returned to the client.
4

License request

Client’s DRM module sends the license challenge to the multi-DRM provider (Axinom or EZDRM) via the signed URL. License request includes the PSSH data and the platform’s signed token.
5

License generation

The multi-DRM provider calls the Playback Service’s key retrieval callback. Playback Service retrieves the CEK from the key store (decrypting with the KEK via KMS), returns it to the provider. Provider issues the DRM license.
6

License delivery

License is returned to the client. The DRM module decrypts the segments in the protected media pipeline. Playback begins.
7

License expiry and renewal

License TTL is 4 hours. For a session exceeding this duration, the player silently re-acquires a license via the same flow. Re-acquisition requires a valid session JWT — expired sessions cannot renew licenses.

Screen Capture Mitigation

Widevine L3 (software security level) and PlayReady SL2000 do not prevent screen capture on desktop browsers and mid-range Android devices. Hardware-backed TEE (L1/SL3000) is the only reliable mechanism. The following mitigations reduce but do not eliminate the risk on L3/SL2000 devices:
MitigationEffectivenessCoverage
Visual watermarkingForensic identification after leak — does not prevent captureAll platforms, all tiers
Session-bound watermarkRoutes leaked content to specific user sessionAll platforms, all tiers
Widevine L1 enforcementBlocks capture entirelyMobile devices with L1 hardware (most modern Android phones)
FairPlay hardware enforcementBlocks capture entirelyAll iOS/macOS/tvOS devices (hardware always enforced)
PlayReady SL3000Blocks capture entirelyXbox, hardware-secured Smart TVs
Output protection policyBlocks HDMI capture adapters on WindowsWindows + PlayReady
Require Widevine L1 for premium (highest-tier) content playback on Android. L3 devices receive a notice directing them to the native app, which can enforce L1 via the Android MediaDrm API with requireSecureDecoder().

Visual Watermarking

Every video stream carries a per-session imperceptible watermark (A/B watermarking via a Forensic Watermarking service such as NAGRA or Civolution). Watermark parameters:
  • Embedded at segment delivery time by the CDN origin response handler
  • Watermark contains: user_id, session_id, content_id, timestamp_of_first_play
  • Watermark is invisible to the viewer and survives re-encoding, cropping, and colour-grading with > 95% recovery accuracy
  • Positive identification enables takedown requests and, where applicable, account suspension

Kafka Topics Used

The DRM pipeline produces no Kafka events as a primary producer. It is a synchronous request/response system. Upstream pipeline produces media.drm.packaged after Shaka Packager completes:
TopicDirectionPurpose
media.drm.packagedConsumed (by Content Service)Signals that encrypted CMAF segments are available and content can be published
media.drm.packagedProduced (by Transcoding Worker)Written after Shaka Packager completes dual-CMAF packaging

Failure Handling

FailureBehaviour
DRM packaging failureContent remains in PACKAGING state. Alert triggered. Packager retries automatically (up to 3 attempts). On persistent failure, content enters PACKAGE_FAILED and the creator is notified.
KMS unavailableLicense callback to key store fails. License issuance fails. Playback Service returns HTTP 503 with RETRY_AFTER header. Client retries up to 3 times. If KMS is unreachable > 5 minutes, incident declared.
Multi-DRM provider unreachableLicense acquisition fails. Client shows “Playback unavailable, try again shortly”. No fallback to unencrypted delivery under any circumstance.
CEK retrieval fails (key not found)Indicates a data integrity issue. Playback Service returns HTTP 404. Alert triggered for immediate investigation.
Zero-Trust boundary. Every inter-service call on MCSP requires a valid mTLS client certificate issued per service identity. No internal endpoint is reachable without mutual authentication — the service mesh (Istio) enforces this independently of application code.

Build docs developers (and LLMs) love

Get started for freeTalk to us