VOD Deep Dive Part 8: DRM Content Protection — Why Netflix Can't Be Screen-Recorded
Widevine, FairPlay, PlayReady explained. CENC/CBCS unified encryption, license flow, L1/L2/L3 security levels, HDCP, SPEKE integration, and lightweight protection for short-form video.
This is Part 8 of the VOD Streaming Deep Dive series.
Why Video Needs “Encryption + Licensing”
When you pay $15/month for Netflix, Netflix must guarantee:
- Only you can watch (no copying to friends)
- Only during your subscription (expires when you cancel)
- Only on authorized devices (no exporting to rogue players)
- 4K only on secure devices (prevent high-quality leaks)
This is DRM (Digital Rights Management). The core approach:
- Encrypt the video with a Content Encryption Key (CEK)
- Key distribution requires strict validation (who are you? subscribed? device secure?)
- The key never leaves the hardware secure enclave — invisible to app-layer code
Three Things Called “Encryption” — Only One Is DRM
| Name | Is it DRM? | Strength |
|---|---|---|
| HTTPS / TLS | No — transport encryption only | Interceptable with proxy tools |
| HLS AES-128 | No — lightweight encryption | Key URL leaks = game over |
| CENC + Widevine/FairPlay/PlayReady | Yes — real DRM | Strong |
HLS AES-128 (Lightweight)
#EXT-X-KEY:METHOD=AES-128,URI="https://api.example.com/key?ep=123",IV=0x1234...
#EXTINF:6.000,
seg_00001.tsSegments encrypted with AES-128-CBC. The 16-byte key is fetched from a URL. Simple, widely supported, but the key is visible in JavaScript on web. Good enough to prevent casual hotlinking; not enough for premium content.
The Big Three DRM Systems
| DRM | Vendor | Platforms |
|---|---|---|
| Widevine | Android, ChromeOS, Chrome, Firefox, Edge, most smart TVs | |
| FairPlay Streaming | Apple | iOS, iPadOS, macOS (Safari), tvOS |
| PlayReady | Microsoft | Windows, Xbox, Edge, some smart TVs |
The question: Does the same movie need separate encryption for iPhone and Android?
No. That’s what CENC solves.
CENC: Encrypt Once, Play Everywhere
CENC (Common Encryption), ISO/IEC 23001-7, defines a unified encryption format that all three DRM systems can decrypt.
| Mode | Algorithm | DRM support |
|---|---|---|
cenc | AES-128 CTR | Widevine, PlayReady (classic) |
cbcs | AES-128 CBC + Pattern | FairPlay (required), Widevine (modern), PlayReady (modern) |
Use cbcs mode: one encryption pass → Widevine + FairPlay + PlayReady all work. This is the CMAF + CBCS golden combination.
The Complete DRM Flow
┌─────────────┐ ┌──────────────┐
│ Packager │── KID + CEK ──────────► │ Key Store │
│ (encrypts) │ │ (KMS) │
└─────────────┘ └──────────────┘
│ ▲
│ Encrypted segments │
▼ │
┌─────────────┐ ┌──────────────┐
│ CDN │ │ License │
│ │ │ Server │
└──┬──────────┘ └──────────────┘
│ ▲
│ ① fetch manifest │
│ ② fetch encrypted segment │
▼ │ ④ license request
┌──────────────────┐ │
│ Player │ │
│ ┌──────────┐ │ │
│ │ CDM │────┼───── ③ challenge ───────┘
│ │ (secure) │◄───┼────── ⑤ license + CEK
│ │ │ │
│ │ Inside │ │
│ │ TEE │ │
│ └──────────┘ │
└──────────────────┘Key concepts:
- KID (Key ID): Identifies which key encrypts which segment
- CEK (Content Encryption Key): The 16-byte AES key
- CDM (Content Decryption Module): The DRM component inside the player, operating in a hardware secure enclave (TEE)
- License: Server response containing the encrypted CEK + usage rules
The flow:
- Packager gets KID + CEK from the Key Store, encrypts segments, writes DRM metadata into manifests
- Player loads the manifest, detects DRM, initializes the CDM
- CDM generates a challenge (contains device fingerprint, public key)
- Player sends the challenge to the License Server
- License Server validates: subscribed? device secure enough?
- If approved → returns a license (CEK encrypted with CDM’s public key)
- CDM decrypts the license inside TEE → decrypts segments → sends frames directly to GPU
The CEK never enters application memory or JavaScript. This is DRM’s fundamental security guarantee.
Widevine L1 / L2 / L3
| Level | Decryption | Decoding | Security | Max quality |
|---|---|---|---|---|
| L1 | TEE (hardware) | TEE | Highest | 4K / HDR |
| L2 | TEE | Software | Medium | 1080p |
| L3 | Software | Software | Lowest | 480p / 720p |
Why is 4K restricted to L1? A Netflix 4K stream represents millions in licensing value. If L3 devices could decode 4K, attackers could extract the stream using virtual machines and reverse engineering.
Netflix and Disney+ enforce securityLevel >= L1 in the License Server before issuing 4K keys.
FairPlay doesn’t have levels — all Apple devices use Secure Enclave, effectively equivalent to L1.
PlayReady has SL150 (≈L3), SL2000 (≈L2), SL3000 (≈L1).
HDCP: Your HDMI Cable Gets Checked Too
HDCP (High-bandwidth Digital Content Protection) protects the HDMI/DisplayPort link between device and display.
When you connect an iPad to a TV via HDMI and play Netflix:
- HDMI cable only supports HDCP 1.4 → Netflix may cap at 1080p
- Both cable and display support HDCP 2.2 → 4K allowed
License Servers often enforce requireHdcp: "2.2" for 4K content.
SPEKE: Packager ↔ Key Server Protocol
SPEKE (Secure Packager and Encoder Key Exchange) is AWS’s standard interface for Packager-to-Key-Server communication.
With SPEKE: configure a URL pointing to EZDRM/PallyCon’s SPEKE endpoint → the Packager automatically requests KID + CEK → generates DRM-enabled manifests.
This is the industry standard for DRM integration.
Offline Playback (Download to Go)
Downloads also go through DRM:
- Client downloads encrypted segments to local storage
- License Server issues a persistent license (“valid offline for 48 hours”)
- CDM stores the license in the hardware secure enclave
- Offline playback uses the stored license
“Can I copy downloaded files from my SD card to another phone?” — No. The encrypted segments are useless without the license, and the license is bound to the device.
Lightweight Protection for Short-Form Video
Short-form video platforms face different economics:
- Per-episode value is low (cents to a few dollars)
- Massive user base = huge license request volume
- “Watch first, pay later” model (friction = user loss)
Full DRM is often overkill. Common tiered approach:
L0 (free preview): Clear HLS + Signed URL
(first few episodes)
L1 (standard paid): HLS AES-128 + dynamic IV + Signed URL
+ client SDK key derivation + anti-sniffing
(majority of paid content)
L2 (premium): Full Multi-DRM (CBCS + Widevine + FairPlay)
(exclusive blockbusters)Supplementary protections: key rotation (change keys every N seconds), anti-screen-recording (FLAG_SECURE on Android, UIScreen.isCaptured on iOS), anti-debugging/jailbreak detection, and dynamic watermarking (overlay user_id + timestamp for leak tracing).
Selection Guide
What is your content?
│
├── Hollywood movies / premium exclusive long-form
│ → Full Multi-DRM (CBCS + Widevine L1 + FairPlay + PlayReady SL3000)
│ → Enforce HDCP 2.2 + securityLevel=L1 for 4K
│
├── Standard VOD (B-movies, documentaries, courses)
│ → Widevine L3 + FairPlay + PlayReady (relax hardware requirements)
│
├── Paid short-form / mid-value content
│ → HLS AES-128 + Signed URL + anti-screen-recording
│
├── Subscription self-produced content
│ → Per rights-holder requirements (usually DRM + watermark)
│
└── Free / UGC
→ No encryption, Signed URL anti-hotlinking onlyKey Takeaways
- DRM = content encryption + strict key distribution + hardware-level decryption.
- HLS AES-128 is not real DRM — just lightweight encryption.
- Three major DRM systems: Widevine (Google), FairPlay (Apple), PlayReady (Microsoft).
- CENC (CBCS mode) lets one CMAF file work with all three DRM systems.
- Widevine L1 = 4K access; L3 caps at 720p.
- HDCP 2.2 is required for 4K external display output.
- Short-form video typically uses lightweight encryption + anti-recording instead of full DRM.
- Production environments use SPEKE to integrate with managed DRM services (EZDRM, PallyCon).
Previous: Part 7: CDN Distribution
Next: Part 9: Video Players