Introduction: Upholding the Integrity of Digital Assets with Widevine DRM

In the intricate landscape of digital content protection, a nuanced understanding of device security levels, robustness rules, and the meticulous use of multiple keys is imperative. This blog post embarks on an exploration of Widevine DRM, unraveling the intricacies that interweave device security, robustness rules, and the strategic implementation of multiple keys to fortify a formidable shield against unauthorized access.

Navigating Device Security Levels

Distinctions within Security Levels

In the realm of Widevine DRM, the concept of security levels is foundational, categorizing devices into three distinct tiers: Security Level 1 (L1), Security Level 2 (L2), and Security Level 3 (L3). The nuanced differences between these security levels play a pivotal role in shaping the device's capacity to securely process and display content.

Security Level 1 (L1): Fortifying Content with Hardware Precision

At the pinnacle of the security hierarchy stands Security Level 1 (L1), characterized by its robust hardware-based security architecture. Devices that attain L1 certification boast dedicated hardware components, such as Trusted Execution Environments (TEE), providing a secure enclave for cryptographic operations. This fortified hardware foundation not only safeguards against tampering but also enables devices to securely process and display high-definition (HD) and ultra-high-definition (UHD) content.

Security Level 2 (L2): A Balance of Security and Flexibility

Security Level 2 (L2) occupies an intermediary position, offering a balance between security and flexibility. While L2 devices may incorporate some hardware-based security features, they might not meet all the stringent requirements of L1. As a result, these devices are often employed for lower-resolution content, striking a compromise between security measures and operational adaptability.

Security Level 3 (L3): Software-Centric Security

Security Level 3 (L3) represents the lowest tier of the security hierarchy, relying predominantly on software-based security mechanisms. L3 devices lack the dedicated hardware components found in their L1 counterparts, making them suitable for standard-definition (SD) content. While L3 devices offer a more accessible and versatile solution, they are inherently less secure due to their reliance on software-centric security measures.

Robustness Rules: Sentinels of DRM Integrity Explored

Defining Robustness Rules

Robustness rules serve as the steadfast guardians of Digital Rights Management (DRM) integrity, providing a set of guidelines and requirements to fortify content against potential threats and breaches. Within the context of Widevine DRM, these rules are meticulously designed to address a spectrum of scenarios, including tampering attempts, interception of communication, and unauthorized access to cryptographic keys.

The core tenets of robustness rules include secure key exchange, encrypted content delivery, and the prevention of unauthorized tampering or interception during the content playback process. By adhering to these rules, Widevine ensures a secure environment for the delivery and consumption of digital content.

EME Robustness Rules and Correspondence to Device Security Levels

Encrypted Media Extensions (EME) robustness rules, which are set within a player, act as a bridge between the security measures mandated by Widevine DRM and the capabilities of the end-user device. The implementation of these rules in a player directly corresponds to the device's security level, establishing a harmonious relationship between the player's robustness and the device's capacity to meet the stringent security requirements.

Let’s describe these EME robustness rules one by one.

SW_SECURE_CRYPTO

• Meaning: Software Secure Cryptography
• WV Security level: 3
• Description: This robustness rule pertains to the use of software-based mechanisms for cryptographic operations. In the context of DRM, it indicates that cryptographic operations, such as key management and content decryption, are handled by software components rather than dedicated hardware.

SW_SECURE_DECODE

• Meaning: Software Secure Decoding
• WV Security Level: 3
• Description: SW_SECURE_DECODE signifies that the decoding process, which involves rendering encrypted content into a viewable format, is performed using software-based mechanisms. Devices adhering to this rule do not necessarily have dedicated hardware support for secure decoding.

HW_SECURE_CRYPTO

• Meaning: Hardware Secure Cryptography
• WV Security Level: 2
• Description: HW_SECURE_CRYPTO involves the use of dedicated hardware components, such as secure enclaves or hardware security modules, to handle cryptographic operations securely. Devices adhering to this rule employ hardware-based mechanisms for key management and cryptographic functions.

HW_SECURE_DECODE

• Meaning: Hardware Secure Decoding
• WV Security Level: 1
• Description: HW_SECURE_DECODE indicates that the decoding process, which transforms encrypted content into a viewable format, is performed using dedicated hardware components. Devices meeting this robustness rule have specialized hardware support to ensure secure decoding.

HW_SECURE_ALL

• Meaning: Hardware Secure All (or Hardware Secure Everything)
• WV Security Level: 1
• Description: HW_SECURE_ALL is a comprehensive robustness rule that encompasses both cryptographic operations and decoding processes, requiring dedicated hardware support for all security-related functions. Devices adhering to HW_SECURE_ALL are expected to have robust hardware-based security measures for handling encrypted content comprehensively.

Platform-Specific Robustness Realities

Not all platforms uniformly support all robustness rules, contributing to a mosaic of compatibility. Content providers must navigate this landscape, considering platform-specific nuances when crafting content protection strategies.

Setting a robustness rule in a player is akin to making a specific request to the platform. The player, in turn, only allows DRM-protected content playback if the requested rules align with the platform's capabilities.

If the set rules are not supported on a particular platform, the key system won't initialize. In such instances, the player will raise an error rather than proceeding with the license generation process.

It's crucial to recognize that support for robustness rules varies not only across platforms but also among different browsers. The level of support can influence how DRM functions and may necessitate tailored approaches for optimal performance.

Content Packaging and License Acquisition: The Intricacy of Multiple Keys

A Prelude to Multiple Keys

In the intricate domain of content packaging within the Widevine DRM framework, the strategic use of multiple keys emerges as a pivotal consideration. The concept of multiple keys represents a nuanced approach to content encryption, offering heightened security, fine-grained access control, and adaptability to diverse use cases.

Enhanced Security Through Key Isolation

One of the primary advantages of employing multiple keys lies in the enhanced security achieved through key isolation. By segregating keys for different components—such as audio and video streams—content providers mitigate the impact of potential key compromises. In the event of a breach, the compromised key only affects a specific component, safeguarding the integrity of the overall content.

Not only that, but use of different keys for audio and video streams allows for different levels of licenses to be issued containing different license policies for different content tracks preventing different use cases, such as screen recording.

Packaging with multiple keys is especially important if you want to implement screen recording prevention because it allows you setting the license security level to the highest possible value leaving level of the license for the audio as low as possible preventing issues on platforms that do not support high-level robustness rules for audio.

Fine-Grained Access Control

The utilization of multiple keys enables content providers to exercise fine-grained control over access to digital assets. Different keys can be assigned to distinct user groups, subscription tiers, or licensing models. This flexibility empowers providers to tailor content access based on the diverse needs and entitlements of their audience, fostering a more personalized and secure streaming experience.

Adapting to Selective Encryption

In certain scenarios, content providers may opt for selective encryption, encrypting specific components while leaving others unencrypted for various reasons, such as performance optimization or support for specific use cases. Multiple keys facilitate this selective encryption strategy, allowing for a dynamic approach to content protection without compromising security.

BuyDRM's Support for Multiple Key Licenses in Widevine DRM

In summarizing our exploration of content protection within the Widevine DRM framework, the strategic deployment of multiple keys emerges as a critical element for fortifying digital assets against potential threats. Through our examination of enhanced security, fine-grained access control, and dynamic licensing, it becomes apparent that the careful orchestration of multiple keys establishes the foundation for a resilient and adaptive content protection strategy.

BuyDRM takes a prominent position in this realm, providing unparalleled support for multiple key licenses within the Widevine ecosystem. As a trusted industry leader, BuyDRM empowers content providers with the tools and expertise necessary for the seamless implementation and optimization of multiple key licensing strategies. This ensures a secure and customized approach to content protection that meets the evolving demands of digital distribution.