Supported content protection features

License chaining: HLS DRM using FAXS protection scheme makes use of Enhanced License Chaining similar to HDS DRM. HLS Packager or Origin Server generates leaf license containing CEK- encrypted using a root key and embed it into the DRM metadata. FAXS iOS SDK requests root license from License Server and then extract CEK from leaf license using root license. Policy file used needs to specify the root policy for FAXS protection scheme. For PHDS/PHLS/chained license, the cache headers of JIT DRM response from Origin are set as per the license validity date. If TTL values are also specified in the configuration, the license end date overrides the corresponding values in the configuration. For PHDS/PHLS/chained license, the cache headers of JIT DRM response from Origin is set as per the license validity date. If TTL values are also specified in the configuration, the license end date overrides the corresponding values in the configuration.
Note:
Primetime Origin does not create an expired leaf license for chained license policy. Leaf license properties, such as validity, start date, and end date are determined from the policy. To create an expired leaf license to enforce the license validity from root license, specify the end data in the policy.
Key rotation: If Key Rotation is enabled, instead of encrypting content directly with the Content Encryption Key (CEK), the Rotation Key (RK) is used to encrypt the content. The Rotation Key changes in the specified key rotation interval. Each Rotation Key is encrypted with CEK.
- HLS Key rotation: If key rotation is enabled, FAXS API provides the encrypted rotation key used to encrypt ts fragments. This encrypted rotation key is specified as value for the EncryptedRK parameter in the key URI in m3u8.
- To support random access, the encrypted rotation key is provided at the beginning of each encrypted audio or video packet. To decrypt the packet, the player uses CEK to decrypt the rotation key. Then uses the rotation key to decrypt the content.
PHDS/PHLS: For PHDS or PHLS, License Server is not required, because the license is embedded in the DRM metadata. To enable PHDS or PHLS, policy file specified should have LicenseBindingType set for embedded license. One or more recipient certificates of the type SharedDomain can be configured at the time of generation of DRM metadata. The Recipient key certificates (private key associated with the Shared Domain certificates) are included in the FAXS client.
Path of directory containing Shared domain certificates will be configured in ContentProtection/RecipientCertificates. The set of shared domain certificates may change over time in response to security breaches or other reasons. In such events, new Shared Domain Certificates will be released. Upon notification from Adobe or a security alert, customers need to retrieve new Shared Domain certificates from a secured Adobe website, which would host those updates and update them in the directory specified in ContentProtection/RecipientCertificates.
App whitelisting: App whitelisting can be used for PHDS/PHLS protection scheme. App whitelisting restricts playback of encrypted content only to the specified apps/swfs. app Information (Swf Hash/iOS App Information) is included in the embedded license. FAXS client ensures that the app information provided in the embedded license matches that of the app used for playback. If the user wants to enable app whitelisting for PHDS/PHLS, they can specify the WhitelistFolder tag in the configuration file.