Using Silverlight With Windows Media DRM-Whitepaper FINAL

Using Silverlight DRM, Powered by PlayReady, with Windows Media DRM Content

Using Silverlight™ DRM, Powered by PlayReady®, with Windows Media® DRM Content

Microsoft Corporation

November 2008

Applies to

Microsoft® Silverlight™ browser plug-in and PlayReady® content access technology.

Summary

The Microsoft Silverlight browser plug-in empowers content providers to create rich applications to deliver high quality media. This white paper discusses the advantages of developing a rich media client experience using Silverlight and connecting it to an existing Windows Media DRM ecosystem.

Microsoft Confidential.

© 2008 Microsoft Corporation. All rights reserved. These materials are confidential and are to be maintained as a trade secret of Microsoft Corporation. Information in these materials is restricted to Microsoft authorized recipients only. Any use, distribution or public discussion of these materials is prohibited. Microsoft shall be free to use, disclose, reproduce, license, or otherwise distribute and exploit any feedback provided to Microsoft by the Microsoft authorized recipients as it sees fit, entirely without obligation or restriction of any kind on account of intellectual property rights or otherwise. By providing any feedback on these materials to Microsoft, you agree to these terms.

Using Silverlight DRM, Powered by PlayReady, with Windows Media DRM Content

Contents

1. Introduction 1

1.1 Overview 1

1.2 Audience 1

1.3 Definitions 1

2. Using Silverlight to Deliver Content 2

2.1 Overview of Silverlight 2

2.2 Media delivery scenarios 2

2.3 Media features 2

3. Silverlight DRM, Powered by PlayReady 3

3.1 Features 3

3.2 How Silverlight DRM, Powered by PlayReady, works 3

3.2.1 Architecture 3

3.2.2 Components 4

3.2.3 Flow 4

4. Using Silverlight DRM, Powered by PlayReady with An Existing WMDRM Ecosystem 5

4.1 Getting started with Silverlight DRM, Powered by PlayReady 5

4.2 Delivering licenses for WMDRM content 5

4.3 Migrating WMDRM content to PlayReady 6

4.4 Setting up a PlayReady license server 6

4.5 Developing a client application using Silverlight 7

5. Licensing Microsoft PlayReady Technology 8

6. References 9

Using Silverlight DRM, Powered by PlayReady, with Windows Media DRM Content 1

1. Introduction

1.1 OverviewThe Microsoft® Silverlight™ browser plug-in empowers designers and developers to rapidly create rich application experiences on the Web. Central to Silverlight is the ability to deliver high quality media. Microsoft Silverlight DRM, Powered by PlayReady®, is seamlessly integrated into the Silverlight plug-in to allow content providers to protect intellectual property. Content providers with an existing library of Windows Media® digital rights management (WMDRM) protected content can use the PlayReady Server SDK to deliver licenses for this content to Silverlight clients on Windows® based computers and on the Macintosh. This white paper discusses the advantages of developing a rich media client experience using Silverlight and connecting that experience to an existing WMDRM content library.

1.2 AudienceThis paper targets technical decision makers who manage a server infrastructure that delivers content over the Web and encrypts the content with WMDRM. It is expected that readers are familiar with basic concepts of digital rights management, as well as the feature set, configuration options, and technologies used in WMDRM.

1.3 DefinitionsThe following terms and acronyms are used throughout this document.

WMDRM—The Windows Media Digital Rights Management 10 technology. For the purpose of this paper, WMDRM refers to the packaging of protected Windows Media content.

LAURL—The PlayReady license acquisition URL that identifies where to make a request for a valid license for a piece of content.

WMRMS—The Windows Media Rights Management Sever. In a WMDRM ecosystem, the WMRMS is responsible for issuing licenses to clients.

PlayReady—Microsoft PlayReady content access technology is the most recent digital rights management technology from Microsoft. It provides a platform for applying business models to the distribution and use of digital content.

PlayReady Server SDK—The PlayReady Server SDK is a set of APIs, tools, and libraries created to assist developers in implementing services for packaging, delivering, and issuing licenses to PlayReady content.

Silverlight—Microsoft Silverlight is a cross-browser, cross-platform plug-in for delivering .Net based media experiences and rich interactive applications for the Web.

Silverlight DRM, Powered by PlayReady—Silverlight DRM, Powered by PlayReady, is the component of Silverlight responsible for acquiring licenses to the media content and enforcing the access rules defined by the content provider.

Using Silverlight DRM, Powered by PlayReady, with Windows Media DRM Content 2

2. Using Silverlight to Deliver Content

2.1 Overview of SilverlightThe Microsoft Silverlight browser plug-in enables the creation of rich interactive Web applications using vector graphics, images, animation, and multimedia. Silverlight is cross-browser and cross-platform, creating a consistent experience, regardless of the end users’ hardware. Integrating with existing Web standards, Silverlight exposes information about its applications to make that information discoverable to search engines and reportable by analytics tools.

Silverlight offers a best-of-breed experience for designers and developers alike. Microsoft Expression® Studio 2 provides a feature-rich suite of tools for designing Silverlight applications, including customizable versions of standard Windows controls, a timeline for manipulating animation, and tools for encoding and editing video. The layout and appearance of a Silverlight application is saved in eXtensible Application Markup Language (XAML), an XML-based file format, allowing designers and developers to work on the same code. Silverlight applications have full access to the HTML document object model (DOM) and a lightweight version of the .Net Framework. Because of this, developers can leverage past experience with programming languages, such as JavaScript and C#, to bring applications to life.

2.2 Media delivery scenariosUsing Silverlight, content providers have options on how to best deliver their content to consumers.

Progressive download—For content providers who want to utilize commodity Web servers (IIS) to serve media and do not need to give users the ability to seek through content as it streams, progressive download is a good option. One drawback to progressive download is that the entire file is downloaded regardless of how long the user actually plays it. Features like Bit Rate Throttling and Fast Start in Microsoft’s IIS7 address some of these issues.

Streaming—For live events, such as concerts or sporting events, as well as video-on-demand content, Silverlight supports streaming from Windows Media Services, a free component of Windows Server 2003 and 2008.

2.3 Media featuresSilverlight offers several exciting new features for delivering media content.

Feature Description

Video Playback Consistency Deliver a consistent experience to users on Windows and Macintosh computers, including high definition video.

Custom Skins Customize the user interface to create and brand a unique user experience.

Ease of Development/Support Take advantage of the .Net Framework to develop applications faster. Leverage the large community of designers and developers now using .Net and Silverlight to discuss implementation strategies, use existing components, and hire new talent.

Using Silverlight DRM, Powered by PlayReady, with Windows Media DRM Content 3

3. Silverlight DRM, Powered by PlayReadyWhen building a Silverlight client to deliver rich media experiences to end users, a common consideration of content providers is how to protect content. Silverlight DRM, Powered by PlayReady, is a solution built into the Silverlight 2 plug-in that is capable of protecting content, regardless of how the content is delivered. As the name indicates, Silverlight DRM, Powered by PlayReady, is a PlayReady client built specifically for the set of media features within Silverlight. Microsoft PlayReady content access technology is a platform for applying business models to the distribution and use of digital content on computers, phones, and devices.

3.1 FeaturesThere are many benefits to using Silverlight DRM, Powered by PlayReady, to protect content.

End to end content protection—Content stays encrypted from server to Silverlight plug-in until it is decompressed during playback.

Cross platform—Content protected by Silverlight DRM, Powered by PlayReady, can be experienced using Silverlight on both Windows and Macintosh platforms.

Individualization—Silverlight communicates with the Microsoft Individualization Service (maintained and hosted by Microsoft) on the first request to play back protected content on a per, user per machine basis. The encrypted content delivered can only be accessed by the requesting user on the machine used to make the request.

Powered by PlayReady—Silverlight DRM, Powered by PlayReady, is built using PlayReady content access technology, offering many features:

Proven—PlayReady is the most recent digital rights management technology from Microsoft. The Microsoft line of DRM technologies dates back to 1999 and has been deployed and used by some of the largest content providers.

Backwards compatible—A PlayReady license server can be used to issue licenses to PlayReady clients for content encrypted in WMDRM 10. One ecosystem can simultaneously support existing clients using Windows Media Player as well as new clients using a Silverlight application.

AES encryption—PlayReady offers the advanced security of Advanced Encryption Standard (AES), using 128-bit encryption keys.

Note: Currently, encrypting live streams must be done using WMDRM.

3.2 How Silverlight DRM, Powered by PlayReady, works

3.2.1 ArchitectureThe following diagram illustrates the components and communication used to connect a Silverlight client application to a PlayReady ecosystem.

Using Silverlight DRM, Powered by PlayReady, with Windows Media DRM Content 4

3.2.2 ComponentsEach of the components of the PlayReady ecosystem serves a specific function that is required to deliver encrypted content.

Silverlight client—The end user must have a machine with a browser and the Silverlight 2 plug-in installed. Both Macintosh and Windows platforms are supported. The client side feature set of Silverlight DRM, Powered by PlayReady, is built into the plug-in. The content owner must develop or use an existing Silverlight application to request the content and gracefully handle error scenarios.

Distribution server—The distribution server is used to store and distribute encrypted content. Distribution servers are usually Web servers, but specialized Web servers are not required.

PlayReady license server—The license server stores the content protection information and rights for playing the content. Before a client can play back protected content it must acquire a license from a license server.

3.2.3 Flow The following steps must be taken for a Silverlight application to acquire and consume protected content, whether the content is protected using WMDRM or PlayReady.

Step 1: The Silverlight client application makes a request to the distribution server for a piece of content.

Step 2: The distribution server receives the request and sends the content, encrypted, to the client.

Step 3: The client reads the clear header of encrypted content and determines that the content is encrypted. To decrypt the content, the client must receive a key from a license server located by a license acquisition URL (LAURL). The client attempts to get a license by sending a license challenge to the LAURL.

If this is the first time the user has attempted to access protected content on this machine, individualization must occur before requesting a license. Individualization is the process of acquiring the individualization component, a software component embedded into the Silverlight plug-in, to handle requesting licenses and protecting sensitive data used in the decryption process. To individualize, the client will send a request to the Microsoft Individualization Service and is returned the individualization component.

Step 4: The license server receives a request for a license from the PlayReady client, performs the necessary authentication checks to verify identity, executes business logic to ensure that the user is authorized to consume the requested content, and issues a license to the client with the appropriate usage rights and restrictions.

Step 5: The client uses the license to decrypt the content.

Using Silverlight DRM, Powered by PlayReady, with Windows Media DRM Content 5

4. Using Silverlight DRM, Powered by PlayReady, with An Existing WMDRM EcosystemThis section covers the steps required to connect an existing WMDRM ecosystem with a Silverlight client application in a protected manner using Silverlight DRM, Powered by PlayReady.

4.1 Getting started with Silverlight DRM, Powered by PlayReadyA PlayReady ecosystem requires a PlayReady license server to deliver licenses to a Silverlight DRM, Powered by PlayReady client. The PlayReady Server SDK includes APIs to deliver PlayReady licenses and provides detailed documentation on building a license server. The PlayReady Server SDK requires a server running either Windows Server® 2003 or the 64-bit version of Windows Server 2008 (more on how to acquire the PlayReady Server SDK can be found in Section 5, Licensing Microsoft PlayReady Technology).

The PlayReady Server SDK also includes APIs to package content for PlayReady. It should be noted that using PlayReady encryption is optional. The libraries in the PlayReady Server SDK do not support packaging content in WMDRM encryption; however, the licensing APIs can be used to provide licenses to PlayReady encrypted content or content previously encrypted in WMDRM.

4.2 Delivering licenses for WMDRM contentA PlayReady license server can provide licenses to content encrypted using WMDRM 10 technology. To enable a base of WMDRM content to be experienced on a PlayReady client, such as a Silverlight DRM, Powered by PlayReady client, the use of a PlayReady license server is needed to deliver licenses for the content. The diagram below illustrates the new ecosystem.

This ecosystem now contains both a Windows Media Rights Management Server (WMRMS) to support legacy WMDRM clients and a PlayReady license server to support the new Silverlight DRM, Powered by PlayReady clients. It is important to note that the WMRMS and the PlayReady license server can reside on the same physical machine, eliminating the need for hardware upgrades.

Note: Though a PlayReady license server can serve licenses for WMDRM-protected content to PlayReady clients, PlayReady license servers cannot provide licenses to WMDRM client applications. WMDRM clients cannot decrypt PlayReady encrypted content.

Using Silverlight DRM, Powered by PlayReady, with Windows Media DRM Content 6

4.3 Migrating WMDRM content to PlayReadyIf a content provider only plans to support PlayReady clients, there are advantages to packaging content using PlayReady encryption. PlayReady content is encrypted using a 128-bit key instead of a 56-bit key, which makes it more resilient against brute force attacks. For providers considering supporting portable devices, some devices are capable of hardware acceleration of standard cryptographic algorithms such as AES, which is used to encrypt PlayReady content. Further, if only PlayReady clients are supported, WMRMS may not need to remain in the ecosystem, simplifying management of the content access infrastructure.

The PlayReady Server SDK includes content packaging APIs to encrypt content. The PlayReady Server SDK does support directly converting content encrypted in WMDRM 10 to PlayReady encryption; however, there are a number of other options for growing a library of PlayReady content.

Encrypt new content with PlayReady encryption—This strategy allows the content provider to take advantage of the benefits of PlayReady encryption for new content, without having to update existing content.

Package clear content in PlayReady encryption—For content providers in possession of the clear version of the protected content they distribute, the content packaging APIs can be used to create a PlayReady encrypted version of the content. With this strategy, all content benefits from the advantages of PlayReady encryption.

Reheader—The headers of WMDRM content files can be updated to follow the PlayReady format. The advantages of this strategy are a consistent file format across all content, and all content files now contain a LAURL. The disadvantages of this strategy are that the updated content files retain the 56-bit keys and will no longer work with WMDRM clients.

Note: The APIs used to reheader content are a part of the PlayReady PC SDK. This requires a separate license.

4.4 Setting up a PlayReady license serverThe PlayReady license server is the one new component required to enable an existing WMDRM ecosystem to support PlayReady clients. The PlayReady Server SDK is used to build a license server that exists on the Internet or the provider’s network and issues licenses to PlayReady clients. It implements business logic and controls the usage rights provided to Silverlight applications, computers, and devices.

Note: Currently, the Silverlight 2 client only supports Play Once Non-Persistent licenses. This is handled using the SimpleNonPersist license class to generate the license.

For a PlayReady license server to properly issue licenses for content, the developer of the ecosystem must take steps to recreate aspects of the process used by the WMRMS to issue licenses. If a seed value has been used to generate keys, this asset must be securely shared with the PlayReady license server. Business logic used for authorization or restrictions will also need to be ported to the PlayReady license server.

While a new server may be added to the existing environment to serve as the license server, it is possible to use the PlayReady Server SDK on the same physical machine as the Windows Media Rights Manager SDK. Therefore, it is possible to use the same physical machine for the WMRMS and the PlayReady license server. In this case, two virtual roots (vroot) must be configured in IIS. Configure the vroot using the Windows Media Rights Manager SDK for ASP, and configure the vroot using the PlayReady Server SDK for ASP.NET.

Using Silverlight DRM, Powered by PlayReady, with Windows Media DRM Content 7

4.5 Developing a client application using SilverlightA quality Silverlight application offers a content provider an opportunity to enhance the end user experience with the content. Features such as custom skins, overlays, and non-rectangular rendering spaces are just a few of the possibilities available to designers and developers. The full capabilities of Silverlight are beyond the scope of this document, but more information can be found at http://www.microsoft.com/silverlight. This section covers the basics of delivering protected content through Silverlight DRM, Powered by PlayReady.

Adding protected content to a Silverlight application is easy to do. In fact, it is no different from adding clear content. Silverlight uses the XML-based eXtensible Application Markup Language (XAML) to describe the user interface layout. The following XAML element adds a protected video to a Silverlight application.

<MediaElement x:Name="myMediaElement" Source="myProtectedVideo.wmv" />

As described in Section 3.2.3, when the Silverlight application attempts to play the file, myProtectedVideo, it will determine that the file is encrypted and send a license challenge to the license server listed in the LAURL.

It is important to note that only content encrypted by PlayReady can provide its own LAURL. For content encrypted using WMDRM or encrypted using PlayReady where no LAURL is specified, it is the responsibility of the Silverlight client to provide the LAURL. The following code snippet demonstrates how this can be done for the MediaElement object, myMediaElement, created for the video above.

myMediaElement.LicenseAcquirer.LicenseServerUriOverride = new Uri(“http://myLicenseServer.asmx”, UriKind.Absolute);

Using Silverlight DRM, Powered by PlayReady, with Windows Media DRM Content 8

5. Licensing Microsoft PlayReady TechnologySilverlight DRM, Powered by PlayReady, is now available through the PlayReady Server SDK, which can be obtained by visiting the Web page Licensing Microsoft PlayReady Server Technology. Companies who want to develop or deploy content protection solutions for Silverlight may use the PlayReady Server SDK for both encrypting and serving licenses for protected content.

Using Silverlight DRM, Powered by PlayReady, with Windows Media DRM Content 9

6. References

Silverlight Developer Center: Getting Started with Silverlight:http://msdn.microsoft.com/en-us/library/bb404703(VS.95).aspx

The official Microsoft Silverlight site: http://www.microsoft.com/silverlight/

Microsoft PlayReady Content Access Technology:http://download.microsoft.com/download/b/8/3/b8316f44-e7a9-48ff-b03a-44fb92a73904/Microsoft%20PlayReady%20Content%20Access%20Technology-Whitepaper.docx

Licensing Microsoft PlayReady Server Technology:http://www.microsoft.com/playready/licensing/server_technology.mspx

Silverlight Community site:http://www.silverlight.net

Silverlight Developer Center: Audio and Videohttp://msdn.microsoft.com/en-us/library/cc189027(VS.95).aspx

The official Microsoft Expression site:http://www.microsoft.com/expression/

Silverlight Developer Center: Digital Rights Management (DRM)http://msdn.microsoft.com/en-us/library/cc838192(VS.95).aspx

Windows Media Digital Rights Management (DRM):http://www.microsoft.com/windows/windowsmedia/forpros/drm/default.mspx