![\"Video](\"http:\/\/blog.denivip.ru\/wp-content\/uploads\/2012\/04\/VideoDRM.jpg\" "\\"Video")
<\/a><\/center><\/p>\nToday, we are happy to publish a post on the new features of Adobe Flash Access 3.0. This is sort of a belated attempt to compensate certain gaps in the Adobe’s documentation. However, as soon as the next generation of Adobe Flash Access supporting iOS will have been announced, the basic features of the current release will become even more important. <\/p>\n
Introduction<\/b><\/p>\n
Adobe Flash Access 3.0 DRM was released in the second half of 2011, evolving from Adobe Flash Access 2.0. The new version of Flash Access introduced new advanced features, such as device domains, license preparation, encryption key rotation, clock sync, etc. So, Adobe has been progressing in the following main directions: prepare a product for performance sensitive projects and extend the range of business models supported.<\/p>\n
The Flash Access 3.0 ecosystem includes:<\/p>\n
- \n
- Flash Access Java SDK, with a reference implementation of the license server and command line tool<\/li>\n
- Flash Player 11 for Windows 32-bit<\/li>\n
- AIR 3 for Windows 32-bit<\/li>\n
- Flash Player 11 for Android 2.2,2.3,3.0,3.1 and 3.2<\/li>\n
- AIR 3 for Android 2.3,3.0 and 3.1<\/li>\n
- AIR 3 SDK that can create Action Script applications for desktops and Android devices<\/li>\n
- Test video player<\/li>\n<\/ul>\n
Flash Access SDK<\/strong>
\nWith the advent of Flash Access 3.0, two types of SDK are offered to developers:<\/p>\n- \n
- Flash Access Core SDK provides Flash Access 2.0 functionality and includes basic features of Flash Access 3.0, such as key rotation, domain support, forced client\/server syncing, etc.<\/li>\n
- Flash Access Professional SDK enhances the features of Flash Access Core SDK by generating license files to be hosted on a Web server and embedding licenses into encoded content.<\/li>\n<\/ul>\n
Flash Access SDK Features<\/p>\n
Key Rotation<\/b>
\nTo strengthen encrypted content protection, key rotation has been introduced in Flash Access 3.0. With key rotation, individual blocks of content are encoded by different keys, to substantially enhance content protection.
\nTo enable "Key Rotation" feature in the AdobePackager encryption utility, set "encrypt.keys.rotation.enable = true" in the "flashaccesstools.properties" configuration file. The keys will be generated automatically and change every 15 minutes.<\/p>\nTo encrypt content with custom keys, list the keys in flashaccesstools.properties, as follows:<\/p>\n
1
2
<\/div><\/td>encrypt.keys.rotation.key.1 = 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 10
\n#encrypt.keys.rotation.key.n = 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F 20<\/div><\/td><\/tr><\/tbody><\/table><\/div>\nCustom keys will be rotated.<\/p>\n
Devide domains<\/b>
\nTo share a voucher between multiple devices, Flash Access 3.0 allows for grouping devices into domains. The DRM voucher is generated by the Flash Access license server and contains video content decryption key. Domains can help reduce load on the license server, as a single voucher request is sufficient to play back content on multiple devices.
\nNote that, to support domains you have to create a separate certificate. In contrast to other certificates (License Server, Packager or Transport), a domain certificate is self-signed or issued by the user CA. <\/p>\nThe DRMManager.storeVoucher() function is used to enable sharing of a voucher by multiple devices. If your deployment supports this, you can use the DRMManager.addToDeviceGroup() method to register multiple devices within a group. If a group has one computer with a valid voucher assigned to a domain and granting the right to play back particular content, AIR application can retrieve serialized DRM vouchers using the DRMVoucher.toByteArray() method. To import such vouchers to devices,<\/p>\n
1
<\/div><\/td>DRMManager.storeVoucher()<\/div><\/td><\/tr><\/tbody><\/table><\/div>\ncan be used.<\/p>\n
Licenses<\/b>
\nLicense support in Flash Access 3.0 has changed. In Flash Access 2.0, root and leaf licenses were assigned to the playback device. Now, in order to embed a license into encrypted content streamed to a domain, only a root license requested from the license server is assigned to a playback device.<\/p>\nClient\/Server Syncing<\/b>
\nWhile requesting a license, Flash Access 2.0 could validate client clock against the server clock. However, it had no mechanism for mandatory clock validation and syncing between the client and the server.
\nNow, to create a policy with mandatory syncing, use a policy management utility called AdobePolicyManager, specifying parameter "-sync1
2
3
4
<\/div><\/td>try{
\n SyncFrequencyRequirements syncReq = new SyncFrequencyRequirements(3600);
\n play.setSyncFrequencyRequirements(syncReq);
\n }catch(Exception ex){System.out.println(ex);}<\/div><\/td><\/tr><\/tbody><\/table><\/div>\nSyncing messages are necessary to ensure secure content playback, since they are responsible for client clock validation against the server. Subsequent clock syncing might be mandatory or optional. If syncing fails in case of mandatory syncing, content playback is stopped until Flash Access server is available.<\/p>\n
Hosting of pre-generated licenses on a Web server<\/b>
\nWith Flash Access 3.0 (i.e., Flash Access Professional SDK), you can create licenses for certain playback devices in advance. You can host such licenses on a common Web server to serve client requests. To support pre-generated licenses, install Flash Player 11 and Adobe AIR 3.0 (or later versions of these products).
\nTo create a license file, do the following:
\no\tEncrypt your content with the AdobePackager utility, specifying the required parameters in the flashaccesstools.properties configuration file, e.g.:<\/p>\n1
2
3
4
5
<\/div><\/td>java -jar AdobePackager.jar pr.f4v proff.f4v -p ad-policy.pol -c flashaccesstools.properties
\nLicense ID: 3E7680FE-5461-3A99-AC62-59D04964701D
\nPackaging timestamp: Tue Mar 06 19:34:52 MSK 2012
\nProcessing time: 10441 ms
\nSUCCESS<\/div><\/td><\/tr><\/tbody><\/table><\/div>\nOn license request, the license server validates device certificate using the<\/p>\n
1
<\/div><\/td>getMachineCertificate().GetEncoded()<\/div><\/td><\/tr><\/tbody><\/table><\/div>\nfunction. Save the received device certificate in a file, e.g.: "mcert.der"
\no\tCreate a leaf license to play back content on the device, for example:<\/p>\n1
<\/div><\/td>java -jar AdobeLicenseGenerator.jar -c flashaccesstools.properties -m proff.f4v.metadata -o -r mcert.der -leaf leaf-license<\/div><\/td><\/tr><\/tbody><\/table><\/div>\n1
2
3
4
5
6
<\/div><\/td>Adobe(R) Flash Access License Generator
\nversion 3.1.0435
\n=======================
\nSigning credentials: trial-pro.pfx
\nLicense type: Leaf
\nDestination file: D:\\....\\libs\\leaf-license<\/div><\/td><\/tr><\/tbody><\/table><\/div>\n1
2
3
4
5
6
7
8
9
10
<\/div><\/td>Generated Leaf license:
\nLicense Server: http:\/\/127.0.0.1\/flashaccess
\nLicense ID: BFCB5B72-4387-39D9-BE2F-6C7DD42BE693
\nPolicy ID: 2C5843B7-1B4F-3ABC-B86B-3F09EC9BA4F3
\nLicense End Date: Mon May 28 03:59:59 MSD 2012
\nUnlimited License Caching
\nRight: Play
\nRecipients:
\n Public Key Id: b3e397b821fee63886d6dba0c935500cd5a67c1a
\nSUCCESS<\/div><\/td><\/tr><\/tbody><\/table><\/div>\no\tPut a leaf license file to a Web server to serve playback requests from a given device.
\no\tRequest a pre-generated license and place it to a local cache of Flash Player LSO (Local Shared Object) by using the<\/p>\n1
<\/div><\/td>DRMManager.storeVoucher()<\/div><\/td><\/tr><\/tbody><\/table><\/div>\nActionScript function. If the license is not found on a Web server or in the local LSO cache, the license is requested repeatedly from the Flash Access server.<\/p>\n
License Embedding into Encrypted Content<\/b>
\nUsing Flash Access 3.0 (Flash Access Professional SDK), you can embed pre-generated licenses into encrypted content. This way the user can still play back the content, even if the Flash Access license server is not available.
\nTo embed pre-generated license in the encrypted content, run the AdobeLicenseEmbedder utility with the name of encrypted content and the name of a previously created license as arguments, for example:<\/p>\n1
2
3
4
5
6
7
8
9
<\/div><\/td>java -jar AdobeLicenseEmbedder.jar proff.f4v proffpre.f4v -l leaf-license
\nAdobe(R) Flash Access License Embedder
\nversion 3.1.0435
\n=======================
\nLicense file: leaf-license
\nSource file: D:\\....\\libs\\proff.f4v
\nDestination file: D:\\....\\libs\\proffpre.f4v
\n"proffpre.f4v" created successfully.
\nSUCCESS<\/div><\/td><\/tr><\/tbody><\/table><\/div>\nAt playback, no license is requested from the Flash Access server, as the license is embedded into content.<\/p>\n
Restore Factory Defaults<\/strong>
\nWhen the user reverts to factory defaults, device certificate is removed from the operating system. To continue protected content playback, Flash application has to re-register the device at the Adobe Individualization Server. If Flash Access clients receive an expired license (or a pre-generated license), they would reject it as the license has been created for an earlier device ID version.<\/p>\nFor more details on Flash Access, please visit Adobe’s site, article “Using digital rights management”.<\/p>\n
Network and Security<\/b>
\nHaving installed Flash Access, please make sure that the system is secure.
\nTo protect Flash Access server from unauthorized access and compromising, set up a reverse proxy in the demilitarized zone (DMZ). Reverse proxy will accept requests from the Web and forward them to the Flash Access server. Reverse proxy is designed to prevent direct client access to the Flash Access server.<\/p>\nEnabling Access to the Server<\/strong>
\nIncoming Requests Flash Access 3.0 License Server accepts requests over HTTP and processes them at the following basic Web interfaces:<\/p>\n- \n
- ..\/flashaccess\/getServerVersion\/v3\tresponds to customer requests, returning Flash Access License Server version<\/li>\n
- ..\/flashaccess\/authn\/v1\tserves requests for login\/password authentication<\/li>\n
- ..\/flashaccess\/authn\/v3\tserves requests for login\/password authentication<\/li>\n
- ..\/flashaccess\/license\/v1\tserves license requests<\/li>\n
- ..\/flashaccess\/license\/v3\tserves license requests<\/li>\n
- ..\/flashaccess\/sync\/v3\tserves client-server syncing requests<\/li>\n
- ..\/flashaccess\/domain\/v3\tserves domain registration requests<\/li>\n
- ..\/flashaccess\/dereg\/v3\tserves domain deregistration requests<\/li>\n<\/ul>\n
Outgoing Requests To ensure proper Flash Access operation, please provide access to Adobe’s certificate revocation lists (CRL): <\/p>\n
- \n
- http:\/\/crl2.adobe.com\/Adobe\/FlashAccessRootCA.crl<\/li>\n
- http:\/\/crl2.adobe.com\/Adobe\/FlashAccessIntermediateCA.crl<\/li>\n
- http:\/\/crl3.adobe.com\/ AdobeSystemsIncorporatedFlashAccessRuntime\/LatestCRL.crl<\/li>\n
- http:\/\/crl2.adobe.com\/Adobe\/FlashAccessIndividualizationCA.crl<\/li>\n<\/ul>\n
If access to these lists is disabled, the server will no longer accept incoming requests from the clients.<\/p>\n
Enable Encryption in Flash Media Server 4.5.1<\/strong>
\nStarting with FlashAccess 2.0, the DRM can integrate with Flash Media Server 4.0. Starting with FlashAccess 3.0, integration with Flash Media Server 4.5.1 is provided. This enables Flash Media Server with HTTP DS encrypted streaming, eliminating the possibility of unauthorized interception and recording of data.<\/p>\nTo enable stream encryption in FMS 4.5.1, do the following:
\n1.\tEdit the "rootinstall\/applications\/livepkgr\/events\/_definst_ \/liveevent \/Event.xml" configuration file by adding the following parameters:<\/p>\n1
2
3
4
5
6
7
<\/div><\/td><Recording>
\n <ContentProtection enabled="true">
\n <ProtectionScheme>FlashAccessV3<\/ProtectionScheme>
\n <FlashAccessV3>
\n <\/FlashAccessV3>
\n <\/ContentProtection>
\n <\/Recording><\/div><\/td><\/tr><\/tbody><\/table><\/div>\nAfter the parameters are added and streaming starts, the following files will emerge in rootinstall \/applications\/ livepkgr\/streams\/_definst_ \/…\/ directory:
\n\u2022\t.bootstrap – contains information needed for quick content playback launch , and specifies the location of content and the segment table, etc.
\n\u2022\t.control — contains information necessary for Live Packager.
\n.
\n\u2022\t.drmmeta – additional details of Flash Access files
\n\u2022\t.f4f – encrypted content
\n\u2022\t.f4x – index file
\n\u2022\t.meta — contains metadata, such as bit rate, window size, etc.
\nTo enable key rotation, add the following parameters to "rootinstall\/applications\/livepkgr\/events\/_definst_\/liveevent\/Event.xml":
\n\u2022\tEnableKeyRotation — enable key rotation. By default, key rotation is disabled —
\ntrue<\/EnableKeyRotation>
\n\u2022\tKeyRotationInterval — key rotation interval. Default interval is 15 minutes.
\n900<\/KeyRotationInterval>
\n\u2022\tKeyRotationFilePath — user key file
\nrotationkeyfile<\/KeyRotationFilePath> <\/p>\n For more detail on using Flash Media Server 4.5.1 with Flash Access 3.0, please refer to Protected HTTP streaming Adobe’s document.<\/p>\n","protected":false},"excerpt":{"rendered":"
Today, we are happy to publish a post on the new features of Adobe Flash Access 3.0. This is sort of a belated attempt to compensate certain gaps in the Adobe’s documentation. However, as soon as the next generation of Adobe Flash Access supporting iOS will have been announced, the basic features of the current […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[12],"tags":[],"_links":{"self":[{"href":"http:\/\/blog.denivip.ru\/index.php\/wp-json\/wp\/v2\/posts\/2541"}],"collection":[{"href":"http:\/\/blog.denivip.ru\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/blog.denivip.ru\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/blog.denivip.ru\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/blog.denivip.ru\/index.php\/wp-json\/wp\/v2\/comments?post=2541"}],"version-history":[{"count":7,"href":"http:\/\/blog.denivip.ru\/index.php\/wp-json\/wp\/v2\/posts\/2541\/revisions"}],"predecessor-version":[{"id":2548,"href":"http:\/\/blog.denivip.ru\/index.php\/wp-json\/wp\/v2\/posts\/2541\/revisions\/2548"}],"wp:attachment":[{"href":"http:\/\/blog.denivip.ru\/index.php\/wp-json\/wp\/v2\/media?parent=2541"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/blog.denivip.ru\/index.php\/wp-json\/wp\/v2\/categories?post=2541"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/blog.denivip.ru\/index.php\/wp-json\/wp\/v2\/tags?post=2541"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}