How browser can play HD video with L3 security level? - security

From my knowledge, Widevine DRM has security levels like L1, L2 and L3, with L1 being the highest security level. Most flagship phones have L1 security level certification and hence are able to play HD, 4K video. For browsers like Chrome on desktop, the certification level is L3, which is the lowest security level. My question is: how are we able to play 4K HD video from providers like Netflix and Amazon Prime in these browsers with L3 security level certification?

Firstly, it is worth saying that media security is constantly evolving so you need to recheck the current status, especially if reading this some time after the time of writing.
Widevine's security levels reflect the different ways the content is protected in the application and on the device during playback.
For L1 Widevine security the requirement is for a hardware protected key and for the decrypted stream to be protected by a secure media path in the device so no other application or even the system can access the decrypted content.
Browsers use a Content Decryption Module to play encrypted videos. This is a piece of software that is used by the browser as part of the Encrypted Media Extensions mechanism within HTML5.
The CDM implementation is provided by the CDM provider - if they have a way to leverage a secure media path within the device then they can offer L1 security.
As mentioned in the comments, some CDMs (the PlayReady one for Edge on Windows machines is an example at the time of writing) support this and hence offer L1 security. AFAIK, and again at the time of writing, the Widevine CDM with Chrome or Firefox on Windows, Linux or Mac does not support L1 at this time.
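The EME negotiation described in the answer above, as an added example that is not part of the original answer: a page asks the CDM for the strongest Widevine robustness level it will accept (the HW_* levels need hardware-backed protection, the SW_* levels are software-only) and caps resolution to match. The `maxHeightFor` policy and the injected `requestAccess` parameter are assumptions for illustration.

```javascript
// Widevine robustness strings accepted by EME, ordered strongest first.
const WIDEVINE_ROBUSTNESS = [
  'HW_SECURE_ALL',
  'HW_SECURE_DECODE',
  'HW_SECURE_CRYPTO',
  'SW_SECURE_DECODE',
  'SW_SECURE_CRYPTO',
];

// Hypothetical service policy (an assumption, not any provider's real rule):
// hardware-backed decode may receive UHD, anything weaker is capped lower.
function maxHeightFor(robustness) {
  if (robustness === 'HW_SECURE_ALL' || robustness === 'HW_SECURE_DECODE') return 2160;
  if (robustness === 'HW_SECURE_CRYPTO') return 1080;
  if (robustness) return 720;
  return 0; // no usable CDM: no protected playback at all
}

// requestAccess has the signature of navigator.requestMediaKeySystemAccess;
// it is passed in so the probe can also be exercised outside a browser.
async function probeWidevine(requestAccess) {
  for (const robustness of WIDEVINE_ROBUSTNESS) {
    const config = [{
      initDataTypes: ['cenc'],
      videoCapabilities: [{
        contentType: 'video/mp4; codecs="avc1.640028"',
        robustness,
      }],
    }];
    try {
      await requestAccess('com.widevine.alpha', config);
      return { robustness, maxHeight: maxHeightFor(robustness) };
    } catch (err) {
      // The CDM cannot meet this level; fall through to the next weaker one.
    }
  }
  return { robustness: null, maxHeight: 0 };
}

// In a browser:
// probeWidevine(navigator.requestMediaKeySystemAccess.bind(navigator)).then(console.log);
```

The client-side answer is only a hint for choosing a rendition; the entitlement decision belongs to the license server, which sees the level the CDM actually attests to.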

Related

How can I prevent users capture the video screen in my website?

I found that Netflix can prevent users from screen capturing on their videos. If you do screen capture on their videos, you will get a black screen.
How does it work? What technique is involved?
This is usually functionality provided by the DRM systems and the device's or browser's secure media path.
You may find that certain browsers support this and others don't, depending on whether the combination of device, browser or player and DRM system supports it.
It is an evolving story and those that don't currently support it typically will have plans to add support.

What protocol must be used to broadcast live video?

A server is in the middle
And we want you to send live video to it
And on the other hand, watch it through the HTTPS like https://server/live.pm4
What protocols can be used for this purpose?
I used to do this experimentally with nodejs dgram and ffmpeg on raw UDP and it worked fine!
But stability and security are an issue that must be observed!
Most live (or VOD) video, for services where quality is important and/or there are a large number of users, uses Adaptive Bit Rate streaming protocols at this time.
The two leading ones are HLS and MPEG DASH.
As a very high level general rule, noting that there are exceptions:
Android, Chrome Browser, Edge Browser - use MPEG DASH
iOS, Safari browser - use HLS
The introduction of CMAF has consolidated the two formats, making life easier for service providers: the media streams can be the same for both, and just the manifest or index files to the streams are specific to DASH and HLS. Unfortunately, encrypted stream support for CMAF is not yet rolled out across all consumer devices, so many services cannot use it fully yet.
On the security side, nearly all services use DRM to encrypt content and control entitlements. The leading DRMs are Google Widevine, Apple FairPlay and Microsoft PlayReady. Again, these are generally platform specific, with the usual use being:
Android, Chrome browser - Widevine
Edge Browser, X-Box - PlayReady
iOS, Safari - FairPlay

Is Opus supported for VoLTE?

There are so many different codecs for phone calls and many of them have very high license fees, meaning it will take a lot of time before everyone can use normal telephony with wide band audio.
Is Opus supported for VoLTE?
The usual codecs for VoLTE are AMR, AMR-WB and EVS (see links below for more info - thanks, #Mikael Dúi Bolinder).
As with most mainstream voice (and video) codecs, there is IPR and licensing associated with these. However, for end users the network providers and device manufacturers have included the licensing and the codecs in their rollouts, so a typical operator service will use these.
I'm not aware of any restrictions from 3GPP on using other codecs if the devices and the network support them, but the above are definitely the default and the most widely used.
If you want to create your own voice service, e.g. a VoIP service running over the data connection to the phone, then in theory you can use whatever codec you want. It's worth being aware that for software based codecs, which they will be unless they are tightly integrated in the device's hardware, the efficiency is important as an inefficient implementation may impact performance, battery life etc.
For Opus in particular there are several open source projects which provide Android libraries for this, for example. Opus is also supposed to be supported on devices from Android 5+ (https://developer.android.com/guide/topics/media/media-formats).
amr-licensing-wikipedia: https://en.wikipedia.org/wiki/Adaptive_Multi-Rate_audio_codec#Licensing_and_patent_issues "AMR licensing (and issues) on Wikipedia"
amr-wb-licensing-wikipedia: https://en.wikipedia.org/wiki/Adaptive_Multi-Rate_Wideband#Licensing "AMR-WB licensing on Wikipedia"
evs-news-patent-pool: http://www.mpegla.com/Lists/MPEG%20LA%20News%20List/Attachments/97/n-16-01-20.pdf "MPEG developing a patent pool for EVS"

Practical use of java cards

What's the current use of Java Cards? The documentation is either really old or really sparse.
After googling for some time, this is my perceived idea:
eID: signing document hash with private key, issued by central authority (government) - signing legal documents
unique ID - identification (of person) by ID, protected by PIN and secured by TLS
java connected edition web application - I've not been able to find any documentation for the usage of this, except template applications in IDEs. Why are APDU's still used when there's this layer available? Is the application for this non-existent?
Despite all the new functionalities, I see they're only used as identification for a central repository/provider? And the TLS is used to secure communication between the card and backend server?
Thanks.
SIM cards are usually Java Cards, banking cards from Mastercard and Visa are usually Java Cards, and so are many others. ePassports can be built using Java Card. There are secure elements within readers that are Java Card. Driver licenses, digital tachograph cards, access control cards, cards holding PGP keys, etc. etc. etc.
There are billions of Java Cards, and Java Card is the only reason why Java was claimed by Sun to be on 3 billion devices (and note that they will probably not count Android as that officially is not Java). Currently the JCF (Java Card Forum) is also pushing Java Card forward as secure / programmable element to be used in IoT devices.
eID can be and usually is used more than for just signing documents. It is mainly used for authentication. It may also be used just to verify specific attributes of a person such as his / her age. And it can of course be used to decrypt information if an encryption key pair is present.
So no, there are many more things that Java Card can be used for.
As for the connected edition: it requires highly expensive hardware (smart cards are products that rely on high volume where every cent matters). Furthermore, a lot of protocols are specified using APDU's: you cannot just replace that with HTTPS to the smart card without respecifying the protocols.
ISO/IEC 7816-4 is a horrible standard - if you can call it that - but it currently is the only broadly accepted one. Java Card RMI has not caught on either; I don't see why the connected edition will suddenly change that.

How download a MPEG Dash with DRM?

Is it possible to download MPEG Dash content with DRM?
How can I decrypt using the MPD file?
I tried downloading all M4S segments (audio and video), but when I join the segments the video doesn't work properly.
The site is using the Widevine platform for DRM.
I also tried youtube-dl and dash-proxy, but again unsuccessfully.
I searched on Google but I didn't succeed.
No because it's not part of the browser. The browser implements EME which allows to 'offload' decoding a video to a 3rd party software.
When you download chrome, you download another compiled "CDM" app which does the decoding and is a 'black box'. So you'd need to modify that black box CDM, not the browser. So only option is then the screen capture.
MS has a system that even prevents screen capture software (since Windows controls the OS). Chrome desktop CDM has weaknesses but not in the league of 'youtube downloader'.
Also Google doesn't provide CDM for modified browsers.
A researcher on twitter a couple years ago claimed to defeat the encryption by directly cracking the encryption itself, based on knowledge of what the CDM was doing. At this point though, it's beyond 'look the other way' and you would definitely be in legal jeopardy if you distributed such information or content.
In the future, Google would like all of this to be done in hardware, further making it hard to defeat. E.g. once they got several hardware manufacturers to put a chip in their monitors, they might literally say "if you want to watch google play or netflix, you need a 'secure monitor' (you know, so people don't spy on you...)".
It's basic economics. If you can't live without netflix, they will lock it down and make you pay for each view. If you're 'meh' they will make it 9.99 and reel you in. If you literally prefer some 'open source movie website where everything's free, though lame', they will just try to track your interests, for a better day when they can make something irresistible you will pay for.
At this point people are pretty 'addicted' so encryption chips are being put into monitors, motherboards, video cards, even cables connecting the monitor to computer. But if they squeeze too hard, people will just walk away. But their data models now would warn them if people were getting to that limit, so it's unlikely.
EDIT: today I came across a code repository which is a chrome extension that will tell you the decryption key as it decrypts a video. I won't post the link here (but it's currently at github publicly). It contains the private key that is used by the Google Widevine CDM to decrypt the keys (which are sent encrypted from the license server). So if you have access to watch a video (eg you rent a video at google play) then you can see the key, download the mp4, then use ffmpeg to decrypt the mp4 with that key that was reported while you played the video. You would then have an unencrypted video. This is why Google tells their content providers to only provide 'low quality' versions for desktop browsers, and reserve high quality (eg 4K) content for environments where decryption is happening in a hardware chip.
I am assuming you are asking how you can handle the DRM part and that the download part is ok, using dash-proxy or similar?
The way the DRM works with DASH streaming is that the player streaming the video will recognise from the manifest and/or the video stream that the video is encrypted when you try to play it and will ask the DRM license server for the license.
For Widevine it requires the URL of the license server to be configured or input into the player - see the example at Shaka player: https://shaka-player-demo.appspot.com and choose custom asset from the drop down list and you will see how you have to enter the License Server URL.
If you have downloaded the video then the player will still need to recognise that the video is encrypted, that the DRM system is Widevine and will need to be told the license server to request the license from.
The player can recognise the content is encrypted from the MP4 PSSH box - a header which indicates it is encrypted and the DRM system being used, in your case Widevine.
If you don't have authorisation or the video was originally a live stream or if it had some time constraints you may not be granted a license. Similarly, if you are planning to watch it offline, then you will need to receive a persistent license (one that is valid on the device for some time) which may not be available for the video you want to watch.
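How a player or a packaging check reads the PSSH box the answer above describes, as an added example that is not part of the original answer: it walks ISO BMFF boxes, finds `pssh` inside `moov`/`moof`, and maps the 16-byte SystemID to a DRM system name. The sample bytes are constructed, and the function and helper names are hypothetical.

```javascript
// SystemIDs of the three DRM systems named on this page (hex, no dashes).
const DRM_SYSTEMS = {
  'edef8ba979d64acea3c827dcd51d21ed': 'Widevine',
  '9a04f07998404286ab92e65be0885f95': 'PlayReady',
  '94ce86fb07ff4f43adb893d2fa968ca2': 'FairPlay',
};

// Walk sibling boxes in buf[start, end); descend into 'moov' and 'moof',
// the containers in which pssh boxes are carried.
function findPssh(buf, start = 0, end = buf.length, out = []) {
  let pos = start;
  while (pos + 8 <= end) {
    const size = buf.readUInt32BE(pos);
    const type = buf.toString('latin1', pos + 4, pos + 8);
    if (size < 8 || pos + size > end) break; // truncated or 64-bit size: stop
    if (type === 'moov' || type === 'moof') {
      findPssh(buf, pos + 8, pos + size, out);
    } else if (type === 'pssh' && size >= 32) {
      // Layout after the 8-byte header: version(1) flags(3) SystemID(16) ...
      const version = buf.readUInt8(pos + 8);
      const systemId = buf.toString('hex', pos + 12, pos + 28);
      out.push({ system: DRM_SYSTEMS[systemId] || 'unknown', systemId, version });
    }
    pos += size;
  }
  return out;
}

// Helper for the constructed sample: wrap a payload in a box header.
function box(type, payload) {
  const head = Buffer.alloc(8);
  head.writeUInt32BE(8 + payload.length, 0);
  head.write(type, 4, 'latin1');
  return Buffer.concat([head, payload]);
}

// Constructed sample: 'moov' holding one version-0 Widevine pssh with empty data.
const SAMPLE = box('moov', box('pssh', Buffer.concat([
  Buffer.alloc(4),                                        // version 0, flags 0
  Buffer.from('edef8ba979d64acea3c827dcd51d21ed', 'hex'), // SystemID
  Buffer.alloc(4),                                        // DataSize = 0
])));

console.log(findPssh(SAMPLE));
```

An empty result on a segment that should be protected means the encryption signalling is missing from the container, which is worth catching before content is published.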
If you have the key used for encrypting the content, you can try the dashdownloader script from GitHub hosted in the Drm-Dash-stream-downloader repository. It uses ffmpeg for aes-128 encrypted content and mp4decrypt from Bento tools SDK for other cipher suites.
