Securing OTT Content

Eyevinn Technology
Nov 20, 2018

Written by: Boris Asadanin, Streaming Media Consultant at Eyevinn Technology

Background

How is the consumption of OTT content controlled and commercialized? The technology for securing content has been adapting to emerging technologies for content distribution. As today's content distribution technology is more fragmented than ever before, allowing consumers to watch any content over the internet on any device, from any location, and at any time, securing the content for monetization has become increasingly complex.

Today’s OTT content is mainly being secured by DRM — Digital Rights Management, but there are also other important techniques preventing sharing URLs, screen capturing, and much more.

This is the main article on securing OTT content, covering some history of content security, token authentication, and HTTPs. DRM and watermarking techniques are explained in their respective articles.

This publication is part of a series of articles describing the principles of the technology behind video streaming. It could be read without any prior knowledge on the subject.

Introduction — History

The dawn of pay TV in the 1950s brought a need for controlling who was consuming the broadcasted media. How else would you ensure that consumers pay for the content? Since then the technical solutions for managing content viewing have naturally depended on the various TV distribution technologies, but even more on whether the distribution was analogue or digital.

During the 1970s and 1980s satellite and cable transmissions gained widespread popularity. The video distributions were analogue, and viewing control was mainly built on various synchronization signal suppression methods.

During the 1990s TV distribution slowly turned digital, and with that came Conditional Access Systems, CAS. The CA Systems defined methods to obfuscate digital TV streams, giving access to subscribers with decryption smart cards. The smart cards were regularly sent out by mail by the TV service companies and were inserted in the TV receiver box.

In the beginning of the new millennium IPTV emerged as the first commercial video distribution technology over the internet network platform (read more about IPTV in the Internet Video Streaming — IPTV article). Today, while the popularity of satellite, cable, and IPTV distribution systems declines, TV distribution over the open internet gains popularity and is quite quickly changing how people consume media content.

Distributing TV over the open internet requires a completely new set of tools for securing the content.

Fig 1: Encrypted content. Square pixels indicate digital content format.

Securing OTT Content

There are many ways to protect video content. The tools used are active or passive and offer various levels of security in each respective area.

Tokens and HTTPs are general tools for integrity and security used on the internet. DRM and watermarking are more video content centric security tools. The first two, tokens and HTTPs, are described in this article. DRM and watermarking are described in separate articles.

Tokens and Additional Security

Encrypting content seems quite robust. But how does encrypting content prevent URL or key sharing? Well, it does not. Instead, other functionalities within the streaming chain protect against various sharing methods. These additional security functions are presented below to give a more comprehensive understanding of security.

Tokens

Tokens are used to validate the consistency and integrity of an incoming request. When a client request is received by a server, the incoming token is validated against the originating request, preventing URL sharing, tampering or other changes. See more details in the OTT Overview article.

When a client player browses the video portal and selects a piece of content, it is redirected to a content-specific URL.

Fig 2: Contents of content URL including token.

The token appended at the end of the example URL in fig 2 is an arbitrary text string and protects the URL against the following:

  • Content switching — a user buys a movie but changes the contentID in the URL to watch another movie.
  • URL sharing — a user buys a movie and shares the URL with other client players.
  • Token modifications — a user changes the token to reflect other URL parameters such as contentID, IP or other.
  • 3rd-party referral — a user uses a fake or 3rd-party video service, which is technically equal to constructing one's own tokens.
  • Other ways specified by the token parameters.

So what is the magic behind tokens? Fig 3 below defines token creation and contents.

Fig 3: MD5 algorithm-based token construction with protection.

A token is quite simply created as a hashed value (text string uniquely identifying data and securing its integrity) of various parameter strings, in this case:

  • ContentID is the unique content identifier, in this case “batman”.
  • ClientIP is the requesting client IP address.
  • Secret is a text string or a password which is known only to the video platform. The secret guarantees that only the video portal has constructed the token. Otherwise anyone could create their own tokens using the same hashing function.

When a video service entity (streaming service, DRM system etc.) receives a request with a token, like in fig 2, the URL parameters are verified against the token. All video service entities know the secret string and can perform this validation. If anything were changed within the URL or the token, there would be a mismatch between them, and the video service entity would deny the request.

Note that additional token parameters may be added to the token. For instance, deviceType could guarantee that a user doesn’t change devices for playout, a time parameter could guarantee a token expiration time, and so on.
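
The token construction and server-side check described above, as an added example that is not code from the original article: `md5_token` follows the construction in fig 3, while `issue_token` adds the expiry parameter mentioned in the note and swaps in HMAC-SHA256 with a field separator. The function names, the secret, the content IDs, the IP addresses and the timestamps are constructed assumptions.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-secret"  # assumption: known only to the video platform


def md5_token(content_id, client_ip, secret=SECRET):
    """Token as in the article's fig 3: hash over contentID, clientIP and secret."""
    return hashlib.md5(content_id.encode() + client_ip.encode() + secret).hexdigest()


def issue_token(content_id, client_ip, expires, secret=SECRET):
    """Same idea plus an expiry time, with HMAC-SHA256 swapped in for bare MD5.

    Fields are joined with "|" (assumed never to occur inside a field) so that
    ("batman1", "0.0.0.1") and ("batman", "10.0.0.1") cannot hash identically.
    """
    msg = "|".join((content_id, client_ip, str(expires))).encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def verify_request(content_id, client_ip, expires, token, now, secret=SECRET):
    """Server side: recompute the token from the request's own parameters.

    client_ip must be the address the server sees on the connection, not a
    value copied from the URL.
    """
    if now > expires:
        return False  # expired, even if the token itself is genuine
    expected = issue_token(content_id, client_ip, expires, secret)
    return hmac.compare_digest(expected, token)  # constant-time comparison


def demo():
    """Constructed requests covering the cases listed in the article."""
    now, exp = 1_700_000_000, 1_700_000_600  # constructed timestamps
    tok = issue_token("batman", "203.0.113.7", exp)
    return {
        "legitimate": verify_request("batman", "203.0.113.7", exp, tok, now),
        "content_switching": verify_request("superman", "203.0.113.7", exp, tok, now),
        "url_sharing": verify_request("batman", "198.51.100.9", exp, tok, now),
        "expiry_extended": verify_request("batman", "203.0.113.7", exp + 3600, tok, now),
        "token_modified": verify_request("batman", "203.0.113.7", exp, "0" * 64, now),
        "expired": verify_request("batman", "203.0.113.7", exp, tok, exp + 1),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case:18} accepted={accepted}")
```

Only the unchanged request from the original client inside the validity window is accepted; every other constructed case is denied because the recomputed value no longer matches the token.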

Entitlement

A natural follow up question to the token description above is of course about clients sharing the same public IP address. Consider the scenario where multiple clients are located behind a NAT gateway and thus share the same IP address, like within a company or university network. Can the client players share URLs?

The usual way to control access to content is by having users log in to a web content portal. Through this login, the service provider can control how many sessions are allowed in parallel, what client devices are used to watch content, and much more.

Entitlement systems are also integrated and linked closely to the customer management systems which control what services customers are entitled to. Parallel streaming sessions are a good example here. Video services commonly come as a basic account, or a family account where more parallel streams are included.

Read more about Entitlement in the OTT Systems Overview article.

HTTPs

HTTPs was originally developed by Netscape to secure HTTP traffic using SSL (Secure Socket Layer). Since then TLS (Transport Layer Security) support has been added. HTTPs is not primarily associated with video streaming, but it has become standard to use for original HTTP applications and therefore also HTTP video streaming. The details of HTTPs and how it works lie outside the scope of this article. Instead we will look at how HTTPs is used in OTT.

In recent years it has become more common to use HTTPs also for streaming. Facebook, Netflix and other major video streaming industry players require HTTPs for video streaming on their platforms. When streaming over unsecured HTTP, the traffic is sent in the clear, which means that the metadata for the video streaming session is exposed. Anyone can potentially pick up any information about the streaming session, including video title, subscriber id etc. On a large scale, someone could study all Netflix traffic to map out who is streaming what video content title.

Understanding HTTPs, we know that users and servers are properly authenticated with each other and that a secure connection is established between the two. The actual traffic between server and client is encrypted and so is the metadata. HTTPs secures the confidentiality of the complete video session.

Fig 4: HTTPs secures integrity.

How HTTPs relates to DRM (Digital Rights Management) is described below.

DRM — Digital Rights Management

DRM — Digital Rights Management, is a digital licensing system that allows content owners to control how and by whom their content is being consumed.

DRM is often mistaken for being equal to encryption. While encryption is the process of obfuscating digital data, DRM is the complete system for managing content access. DRM includes the distribution of encryption and decryption keys, backend licensing servers with various functionalities such as policy control and offline playback control.

The content owners require selected commercial DRMs to secure their content. To get any content from content owners, broadcasters, OTT players or other online distributors must comply by using the selected DRM systems.

DRM is covered separately in the Securing OTT Content — DRM article.

DRM vs. HTTPS

Most non-user-generated video content is already encrypted by DRMs, so what is the reason to add another encryption layer on top?

While DRM secures the video content itself from being consumed by anyone, HTTPs secures the entire communication link between the server and the client, making sure that all viewing session metadata is kept secret.

The opposite perspective is just as important. Why is DRM used if HTTPs still encrypts the content? DRM offers far more options for how content may be consumed than HTTPs does. More details about this are in the Securing OTT Content — DRM article.

An analogy for those of us above 35: encryption is like having people share scrambled films on VHS video tapes with the movie name written on them. You know what is on the tapes and can watch the content only if you can unscramble it. HTTPs traffic would be like people sharing locked boxes with unknown content. It could be VHS tapes, books, groceries, or clothes. The boxes all look the same and cannot be opened by anyone except the sender and the receiver.

Fig 5: DRM vs HTTPs between server and client. Encrypted content (top) sent over unsecure HTTP, and HTTPs content (bottom) sent over HTTPs.

Watermarking

Looking at the history of securing content, we have been obfuscating, encrypting, or, with analogue methods, introducing interference signals to control who has the right to watch content. But all these methods share one flaw that is as common as it is important: when the content is played on a screen, the security is completely gone.

Watermarking is an old passive content security technique which has now started to gain more interest, mainly because there are new ways to distribute live content. More details about how watermarking works and why it is being used is covered separately in the Securing OTT Content — Watermarking article.

Fig 6: Visual watermark preventing illegal live content sharing.

Conclusion

Complete content security uses many techniques in parallel to guarantee content integrity, accessibility, and monetization. While this article has described some general techniques for content security, the follow-up articles give good insight into how the more content-security-specific techniques, DRM and watermarking, are used to prevent illegal content distribution.

Keep reading — keep learning — keep specializing.

Eyevinn Technology is the leading independent consultant firm specializing in video technology and media distribution, and proud organizer of the yearly Nordic conference Streaming Tech Sweden.
