Flash Access 3.0: More Features

This post is also available in: Russian

Video DRM

Today, we are happy to publish a post on the new features of Adobe Flash Access 3.0. This is sort of a belated attempt to compensate certain gaps in the Adobe’s documentation. However, as soon as the next generation of Adobe Flash Access supporting iOS will have been announced, the basic features of the current release will become even more important.

Introduction

Adobe Flash Access 3.0 DRM was released in the second half of 2011, evolving from Adobe Flash Access 2.0. The new version of Flash Access introduced new advanced features, such as device domains, license preparation, encryption key rotation, clock sync, etc. So, Adobe has been progressing in the following main directions: prepare a product for performance sensitive projects and extend the range of business models supported.

The Flash Access 3.0 ecosystem includes:

  • Flash Access Java SDK, with a reference implementation of the license server and command line tool
  • Flash Player 11 for Windows 32-bit
  • AIR 3 for Windows 32-bit
  • Flash Player 11 for Android 2.2,2.3,3.0,3.1 and 3.2
  • AIR 3 for Android 2.3,3.0 and 3.1
  • AIR 3 SDK that can create Action Script applications for desktops and Android devices
  • Test video player

Flash Access SDK
With the advent of Flash Access 3.0, two types of SDK are offered to developers:

  • Flash Access Core SDK provides Flash Access 2.0 functionality and includes basic features of Flash Access 3.0, such as key rotation, domain support, forced client/server syncing, etc.
  • Flash Access Professional SDK enhances the features of Flash Access Core SDK by generating license files to be hosted on a Web server and embedding licenses into encoded content.

Flash Access SDK Features

Key Rotation
To strengthen encrypted content protection, key rotation has been introduced in Flash Access 3.0. With key rotation, individual blocks of content are encoded by different keys, to substantially enhance content protection.
To enable "Key Rotation" feature in the AdobePackager encryption utility, set "encrypt.keys.rotation.enable = true" in the "flashaccesstools.properties" configuration file. The keys will be generated automatically and change every 15 minutes.

To encrypt content with custom keys, list the keys in flashaccesstools.properties, as follows:

1
2
encrypt.keys.rotation.key.1 = 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 10
#encrypt.keys.rotation.key.n = 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F 20

Custom keys will be rotated.

Devide domains
To share a voucher between multiple devices, Flash Access 3.0 allows for grouping devices into domains. The DRM voucher is generated by the Flash Access license server and contains video content decryption key. Domains can help reduce load on the license server, as a single voucher request is sufficient to play back content on multiple devices.
Note that, to support domains you have to create a separate certificate. In contrast to other certificates (License Server, Packager or Transport), a domain certificate is self-signed or issued by the user CA.

The DRMManager.storeVoucher() function is used to enable sharing of a voucher by multiple devices. If your deployment supports this, you can use the DRMManager.addToDeviceGroup() method to register multiple devices within a group. If a group has one computer with a valid voucher assigned to a domain and granting the right to play back particular content, AIR application can retrieve serialized DRM vouchers using the DRMVoucher.toByteArray() method. To import such vouchers to devices,

1
DRMManager.storeVoucher()

can be used.

Licenses
License support in Flash Access 3.0 has changed. In Flash Access 2.0, root and leaf licenses were assigned to the playback device. Now, in order to embed a license into encrypted content streamed to a domain, only a root license requested from the license server is assigned to a playback device.

Client/Server Syncing
While requesting a license, Flash Access 2.0 could validate client clock against the server clock. However, it had no mechanism for mandatory clock validation and syncing between the client and the server.
Now, to create a policy with mandatory syncing, use a policy management utility called AdobePolicyManager, specifying parameter "-sync ". Then, add a new rule to your policy using Flash Access SDK:

1
2
3
4
    try{
     SyncFrequencyRequirements syncReq = new SyncFrequencyRequirements(3600);
     play.setSyncFrequencyRequirements(syncReq);  
    }catch(Exception ex){System.out.println(ex);}

Syncing messages are necessary to ensure secure content playback, since they are responsible for client clock validation against the server. Subsequent clock syncing might be mandatory or optional. If syncing fails in case of mandatory syncing, content playback is stopped until Flash Access server is available.

Hosting of pre-generated licenses on a Web server
With Flash Access 3.0 (i.e., Flash Access Professional SDK), you can create licenses for certain playback devices in advance. You can host such licenses on a common Web server to serve client requests. To support pre-generated licenses, install Flash Player 11 and Adobe AIR 3.0 (or later versions of these products).
To create a license file, do the following:
o Encrypt your content with the AdobePackager utility, specifying the required parameters in the flashaccesstools.properties configuration file, e.g.:

1
2
3
4
5
 java -jar AdobePackager.jar pr.f4v proff.f4v -p ad-policy.pol -c flashaccesstools.properties
License ID: 3E7680FE-5461-3A99-AC62-59D04964701D
Packaging timestamp: Tue Mar 06 19:34:52 MSK 2012
Processing time: 10441 ms
SUCCESS

On license request, the license server validates device certificate using the

1
getMachineCertificate().GetEncoded()

function. Save the received device certificate in a file, e.g.: "mcert.der"
o Create a leaf license to play back content on the device, for example:

1
java -jar AdobeLicenseGenerator.jar -c flashaccesstools.properties -m  proff.f4v.metadata -o -r mcert.der   -leaf leaf-license
1
2
3
4
5
6
Adobe(R) Flash Access License Generator
version 3.1.0435
=======================
Signing credentials: trial-pro.pfx
License type: Leaf
Destination file: D:\....\libs\leaf-license
1
2
3
4
5
6
7
8
9
10
Generated Leaf license:
License Server: http://127.0.0.1/flashaccess
License ID: BFCB5B72-4387-39D9-BE2F-6C7DD42BE693
Policy ID: 2C5843B7-1B4F-3ABC-B86B-3F09EC9BA4F3
License End Date: Mon May 28 03:59:59 MSD 2012
Unlimited License Caching
Right: Play
Recipients:
        Public Key Id: b3e397b821fee63886d6dba0c935500cd5a67c1a
SUCCESS

o Put a leaf license file to a Web server to serve playback requests from a given device.
o Request a pre-generated license and place it to a local cache of Flash Player LSO (Local Shared Object) by using the

1
DRMManager.storeVoucher()

ActionScript function. If the license is not found on a Web server or in the local LSO cache, the license is requested repeatedly from the Flash Access server.

License Embedding into Encrypted Content
Using Flash Access 3.0 (Flash Access Professional SDK), you can embed pre-generated licenses into encrypted content. This way the user can still play back the content, even if the Flash Access license server is not available.
To embed pre-generated license in the encrypted content, run the AdobeLicenseEmbedder utility with the name of encrypted content and the name of a previously created license as arguments, for example:

1
2
3
4
5
6
7
8
9
java -jar AdobeLicenseEmbedder.jar proff.f4v proffpre.f4v -l leaf-license
Adobe(R) Flash Access License Embedder
version 3.1.0435
=======================
License file: leaf-license
Source file: D:\....\libs\proff.f4v
Destination file: D:\....\libs\proffpre.f4v
"proffpre.f4v" created successfully.
SUCCESS

At playback, no license is requested from the Flash Access server, as the license is embedded into content.

Restore Factory Defaults
When the user reverts to factory defaults, device certificate is removed from the operating system. To continue protected content playback, Flash application has to re-register the device at the Adobe Individualization Server. If Flash Access clients receive an expired license (or a pre-generated license), they would reject it as the license has been created for an earlier device ID version.

For more details on Flash Access, please visit Adobe’s site, article “Using digital rights management”.

Network and Security
Having installed Flash Access, please make sure that the system is secure.
To protect Flash Access server from unauthorized access and compromising, set up a reverse proxy in the demilitarized zone (DMZ). Reverse proxy will accept requests from the Web and forward them to the Flash Access server. Reverse proxy is designed to prevent direct client access to the Flash Access server.

Enabling Access to the Server
Incoming Requests Flash Access 3.0 License Server accepts requests over HTTP and processes them at the following basic Web interfaces:

  • ../flashaccess/getServerVersion/v3 responds to customer requests, returning Flash Access License Server version
  • ../flashaccess/authn/v1 serves requests for login/password authentication
  • ../flashaccess/authn/v3 serves requests for login/password authentication
  • ../flashaccess/license/v1 serves license requests
  • ../flashaccess/license/v3 serves license requests
  • ../flashaccess/sync/v3 serves client-server syncing requests
  • ../flashaccess/domain/v3 serves domain registration requests
  • ../flashaccess/dereg/v3 serves domain deregistration requests

Outgoing Requests To ensure proper Flash Access operation, please provide access to Adobe’s certificate revocation lists (CRL):

  • http://crl2.adobe.com/Adobe/FlashAccessRootCA.crl
  • http://crl2.adobe.com/Adobe/FlashAccessIntermediateCA.crl
  • http://crl3.adobe.com/ AdobeSystemsIncorporatedFlashAccessRuntime/LatestCRL.crl
  • http://crl2.adobe.com/Adobe/FlashAccessIndividualizationCA.crl

If access to these lists is disabled, the server will no longer accept incoming requests from the clients.

Enable Encryption in Flash Media Server 4.5.1
Starting with FlashAccess 2.0, the DRM can integrate with Flash Media Server 4.0. Starting with FlashAccess 3.0, integration with Flash Media Server 4.5.1 is provided. This enables Flash Media Server with HTTP DS encrypted streaming, eliminating the possibility of unauthorized interception and recording of data.

To enable stream encryption in FMS 4.5.1, do the following:
1. Edit the "rootinstall/applications/livepkgr/events/_definst_ /liveevent /Event.xml" configuration file by adding the following parameters:

1
2
3
4
5
6
7
<Recording>
      <ContentProtection enabled="true">
        <ProtectionScheme>FlashAccessV3</ProtectionScheme>
        <FlashAccessV3>
        </FlashAccessV3>
     </ContentProtection>
    </Recording>

After the parameters are added and streaming starts, the following files will emerge in rootinstall /applications/ livepkgr/streams/_definst_ /…/ directory:
• .bootstrap – contains information needed for quick content playback launch , and specifies the location of content and the segment table, etc.
• .control – contains information necessary for Live Packager.
.
• .drmmeta – additional details of Flash Access files
• .f4f – encrypted content
• .f4x – index file
• .meta – contains metadata, such as bit rate, window size, etc.
To enable key rotation, add the following parameters to "rootinstall/applications/livepkgr/events/_definst_/liveevent/Event.xml":
• EnableKeyRotation – enable key rotation. By default, key rotation is disabled –
true
• KeyRotationInterval – key rotation interval. Default interval is 15 minutes.
900
• KeyRotationFilePath – user key file
rotationkeyfile

For more detail on using Flash Media Server 4.5.1 with Flash Access 3.0, please refer to Protected HTTP streaming Adobe’s document.

Leave a Reply

Your email address will not be published. Required fields are marked *

Please type the characters of this captcha image in the input box

Please type the characters of this captcha image in the input box