Widevine DRM introduction, security and integration
Widevine DRM is a widely used DRM licensing and encryption technology owned and maintained by Google. It protects your videos from being downloaded illegally on browsers such as Chrome, Firefox, and Edge. It also protects content on devices such as Android devices, Android TV, and Chromecast. Widevine DRM is compatible with streaming by MPEG DASH and HLS.
One of the main reasons several OTT and e-learning platforms use Widevine DRM is to protect the revenue from their content by restricting its illegal free distribution through video piracy.
Widevine Security Levels
Google Widevine DRM provides three security levels, depending on whether protection is enforced at the hardware or the software level. The three levels are Widevine L1, L2 and L3.
Widevine L1 is the highest level of security in Widevine. DRM keys and decrypted content are never exposed to the host CPU. Only security hardware or a protected security co-processor uses clear key values and the media content is decrypted by the secure hardware.
Many movie platforms like Netflix purposefully restrict full HD playback to L1 devices only. This is because L1 devices can block screen capture with 100% security in mobile apps.
For Widevine L1, the TEE does all the video decryption, decoding, and processing.
TEE stands for Trusted Execution Environment. The TEE makes sure that both the decryption keys and the decrypted video remain protected and can’t be stolen.
In Widevine L2, as in L1, DRM keys and decrypted content are never exposed to the host CPU. Only security hardware or a protected security co-processor uses clear key values and the media content is decrypted by the secure hardware. However, one major difference is that clear media buffers are returned to the CPU for delivery to the video decoder.
Widevine L2 is not used for mobile devices.
Widevine L3 is a software-only solution. L3 does not have a TEE, and decoding happens directly in software. Many old phones, especially budget phones, have L3. Desktop Chromium-based browsers also implement L3.
We have a detailed document on DRM compatibility across different browsers and operating systems.
How Does Widevine DRM Work?
In Widevine DRM, secure decryption is done via a series of exchanges between the Content Decryption Module (CDM) and the Widevine DRM license server. The HTML5 video player acts as a mediator for these exchanges, although by itself the player cannot read the encrypted license or video.
The following steps take place to decrypt a video for playback:
- Video is received from the CDN or Content Delivery Network
- When you press the ‘play’ button, your browser’s media engine first identifies whether the video is encrypted or not. After identifying it, the ‘initData’, or initialization data, is taken by the browser and sent to your player.
- Data is passed to the CDM or Content Decryption Module
- After this, your video player sends the data to the CDM.
- Player receives the license request from CDM
- After receiving the data from the player, the CDM creates a license request and then passes it back to the player.
- Widevine License server receives the request from the player
- In the next step, the Widevine license server receives the license request from your video player.
- Player receives the license from server
- Upon receiving the request, the license server sends the Widevine license to the video player in an encrypted message.
- CDM receives the license from the player
- The player then sends the license to the CDM.
- OEMCrypto Module receives the data from CDM
- The OEMCrypto module then receives the data from the CDM, and the actual decryption happens.
- Video player receives the video chunks from OEMCrypto Module
- After the video is decrypted and decoded, it is then sent to your video player in small chunks. The viewer is able to play the video and security is also ensured. And voila, you get video playback on your device.
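In a browser, the exchange above is carried out through the Encrypted Media Extensions (EME) API. The following is an added example, not code from the original page or from Google: the function names, the `licenseUrl` placeholder and the injectable `env` parameter (standing in for the browser's `navigator` and `fetch`) are assumptions for illustration.

```javascript
const KEY_SYSTEM = 'com.widevine.alpha';

// Runs one license exchange for an 'encrypted' event.
// Resolves with the session once the CDM holds the license.
function exchangeLicense(mediaKeys, ev, licenseUrl, fetchFn) {
  return new Promise((resolve, reject) => {
    const session = mediaKeys.createSession();
    // The CDM answers generateRequest() with an opaque license request.
    session.addEventListener('message', async (msg) => {
      try {
        // The player only relays bytes: it cannot read the request or the license.
        const res = await fetchFn(licenseUrl, { method: 'POST', body: msg.message });
        if (!res.ok) throw new Error(`license server returned HTTP ${res.status}`);
        // Hand the license to the CDM; decryption happens behind this call.
        await session.update(await res.arrayBuffer());
        resolve(session);
      } catch (err) {
        reject(err); // without a license the CDM never decrypts
      }
    });
    // Pass the initData reported by the media engine to the CDM.
    session.generateRequest(ev.initDataType, ev.initData).catch(reject);
  });
}

// Wires a <video> element to Widevine. `robustness` is the protection tier
// requested from the CDM; 'SW_SECURE_CRYPTO' is Widevine's lowest (software) value.
async function setupWidevine(video, licenseUrl, robustness = 'SW_SECURE_CRYPTO', env = globalThis) {
  const access = await env.navigator.requestMediaKeySystemAccess(KEY_SYSTEM, [{
    initDataTypes: ['cenc'],
    videoCapabilities: [{ contentType: 'video/mp4; codecs="avc1.42E01E"', robustness }],
  }]);
  const mediaKeys = await access.createMediaKeys();
  await video.setMediaKeys(mediaKeys);
  // Fired when the media engine finds encrypted content in the stream.
  video.addEventListener('encrypted', (ev) => {
    exchangeLicense(mediaKeys, ev, licenseUrl, env.fetch.bind(env))
      .catch((err) => console.error('Widevine license exchange failed:', err));
  });
  return mediaKeys;
}
```

If the license server rejects the request, `exchangeLicense` rejects and the session never receives a key, so playback of the encrypted content does not start.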