What is AES Encryption and How Does It Compare to DRM systems For Video?
The Advanced Encryption Standard (AES) is a fast and secure form of encryption used to keep the data safe from hackers or pirates. Learn more!
When you hear the term cyber security, one of the first things that comes to mind is AES (Advanced Encryption Standard). The reason is that AES has become the global standard for encryption and one of the most widely deployed technologies in security.
If you or your organization offers, or is looking for, cybersecurity solutions, you will have come across the term Advanced Encryption Standard before. In this post we look at the distinction between AES-128 itself, the secure key exchange protocols built on top of it, and DRM systems. HLS Encryption and RTMP Encryption are popular streaming protocols that rely on secure key exchange; Widevine and FairPlay are the major Digital Rights Management (DRM) systems and are what premium content protection ultimately requires.
We explain why AES-128 video encryption on its own is inadequate for protecting premium content. Each step, from bare AES-128 to HLS Encryption to DRM, adds a further layer of protection when streaming premium video.
The Advanced Encryption Standard (AES) is a fast and secure form of encryption used to keep data safe from attackers and pirates. It is used in a variety of technologies around us: messaging apps such as WhatsApp and Signal, programs such as VeraCrypt and WinZip, and a wide range of hardware.
AES is a cipher, i.e. a method for encrypting and decrypting data. Whenever files are exchanged over an encrypted transfer protocol such as HTTPS, SFTP or FTPS (plain FTP carries no encryption at all), there is a good chance the data is protected with an AES cipher: AES-256, AES-192 or AES-128.
Different secure file transfer products vary in their choice of encryption algorithms; some support ciphers that others do not. AES itself began when the US government, through NIST, went looking for a new encryption algorithm to protect sensitive data. The public competition that followed ended with the Rijndael design being standardized as AES in FIPS 197 in 2001.
AES is implemented in both software and hardware and is used all over the world to encrypt sensitive data. It is a critical part of government computer security, cybersecurity and electronic data protection.
Online video encryption has become essential for content creators who want to keep their videos safe. If you want to secure online video content such as lectures or recipes against unauthorized access, AES is the cipher you will be relying on. For instance, if you sell online video courses, the content should be available only to subscribed users.
AES is a single block cipher that comes in three variants: AES-128, AES-192 and AES-256.
The number is the key length in bits; the block size is 128 bits in every variant. AES-128 uses a 128-bit key to encrypt and decrypt each 128-bit block of data, AES-192 a 192-bit key and AES-256 a 256-bit key.
AES is a symmetric (secret-key) cipher: the same key is used for encryption and decryption, so the sender and the receiver must both hold the same secret key.
How AES works:
AES runs 10 rounds for 128-bit keys, 12 rounds for 192-bit keys and 14 rounds for 256-bit keys. Each round puts the 128-bit state through several stages, substitution, transposition and mixing, so that the input plaintext is progressively transformed into the final ciphertext.
Four transformations are applied to the state, which is laid out as a 4×4 grid of bytes. SubBytes replaces every byte using a fixed substitution table (the S-box); ShiftRows rotates each row of the grid by a different number of positions; MixColumns combines the four bytes of each column; and AddRoundKey XORs the state with a round key that the key schedule derives from the encryption key, a different round key for each round. Encryption begins with an AddRoundKey before the first round, and the final round omits MixColumns. Decryption applies the inverse transformations in reverse order. Longer keys require more rounds.
When video is encrypted, there also has to be a protected key exchange mechanism. Without the key, no video can be decrypted, even with a supercomputer. But AES has to be backed by a key exchange protocol, or it is of no use, because the key is simply handed to the attacker. If a streaming service offers only AES, chances are that anyone with basic web development knowledge can retrieve the key.
Beyond AES, the next level of content security is Digital Rights Management (DRM). In DRM-based streaming the keys are never exposed to any user, which makes it far more secure and reliable.
AES-128 (AES with a 128-bit key; the block size is 128 bits in every AES variant) is a strong standard for protecting premium content. AES is a public, openly specified algorithm (FIPS 197) that the NSA has approved for protecting classified information: AES-128 is sufficient for SECRET material, while TOP SECRET requires AES-192 or AES-256.
All the video content protection technologies discussed here, from basic AES-128 to HLS and RTMP Encryption to DRM systems such as Widevine and FairPlay, use AES-128 as the content encryption algorithm (HLS in CBC mode, the DRM systems in the CTR or CBC modes defined by Common Encryption). What differs is how each mechanism handles the key that decrypts the content.
While AES-128 is indeed one of the most secure video encryption techniques, for video streaming the presence of AES-128 alone does not guarantee complete security.
Some streaming services market "AES security" as sufficient for protecting premium content. The truth this half-truth is built on is that it is practically impossible for any attacker, even one with a supercomputer, to decrypt the content without the key.
The emphasis on "without the key" is important. An unbreakable lock protects you only when the key itself cannot be obtained by unauthorized parties.
Without a secure way of exchanging the content keys, AES-128 is woefully insufficient for content or video protection: once the key itself is revealed to the attacker, the encryption is worthless. AES has to be backed by a secure key exchange protocol.
If a streaming service offers ONLY AES security, chances are that even a beginner who knows basic web development can retrieve the key. Content protection using just AES-128 is the programmatic equivalent of buying a state-of-the-art safe and leaving the combination on a slip of paper under the doormat.
With secure key exchange, the content keys are hidden and made accessible only to authorized users, meaning users who have logged in to your site and whom your user management system has authorized to view premium content.
Authentication tokens and signed URLs gate access to the location the key is delivered from, so that only authorized users can fetch it. HLS Encryption and RTMP Encryption are two major streaming protocols that use this form of security.
Going back to the locker analogy, a secure key exchange protocol ensures that only authorized users get the key to the locker. But once an authorized user has the key, nothing stops them from sharing it with unauthorized users. You can automate the locker so that the key changes every 15 minutes (key rotation), but 15 uninterrupted minutes (or far less) are enough to copy the content.
The security of secure key exchange protocols therefore rests on two facts:
1. The key is accessible only to authorized users. An unauthorized user first has to obtain it from an authorized one. That is scant protection for content streamed on the web: when selling premium content you have little control over who actually signs up.
2. The keys are somewhat hard to find. They may be tucked away in the manifest file (the playlist metadata that accompanies the video) rather than in plain view. That is a cat-and-mouse game in which the protection of your premium content relies on attackers giving up before they dig deep enough to find the keys. This is called security by obscurity.
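As an added worked example, not code from the original post, the following Python puts both halves of the discussion so far side by side. First it builds AES-128 from the round operations described in the "how AES works" section (SubBytes, ShiftRows, MixColumns and AddRoundKey, with the S-box and the key schedule derived in code). Then it uses that cipher in CBC mode, which is what HLS METHOD=AES-128 specifies, to show what this section is about: a client that can read the playlist sees the key URI, fetches the key exactly as the player would, and decrypts the segment with no cryptanalysis at all. The playlist, key URI, key, IV and segment bytes are constructed sample values, and the dictionary standing in for an HTTP fetch is an assumption of the example.

```python
"""AES-128 from its round operations, then CBC mode as HLS METHOD=AES-128 uses it."""
import re

# --- GF(2^8) arithmetic and the S-box (derived here rather than pasted in) ---
def xtime(a):                       # multiply by x modulo x^8 + x^4 + x^3 + x + 1
    return ((a << 1) ^ 0x1B) & 0xFF if a & 0x80 else a << 1
def gmul(a, b):                     # general multiplication in GF(2^8)
    r = 0
    while b:
        r, a, b = r ^ (a if b & 1 else 0), xtime(a), b >> 1
    return r
def _build_sbox():                  # S-box = affine map of the multiplicative inverse
    box = []
    for x in range(256):
        inv = 0 if x == 0 else next(y for y in range(1, 256) if gmul(x, y) == 1)
        s = inv
        for _ in range(4):          # s = inv ^ rotl(inv,1) ^ ... ^ rotl(inv,4)
            inv = ((inv << 1) | (inv >> 7)) & 0xFF
            s ^= inv
        box.append(s ^ 0x63)
    return box
SBOX = _build_sbox()
INV_SBOX = [SBOX.index(i) for i in range(256)]

# --- The cipher. State: 16 bytes, column-major (byte r + 4*c is row r, column c) ---
def expand_key(key):                # AES-128 key schedule -> 11 round keys of 16 bytes
    w = [list(key[i:i + 4]) for i in range(0, 16, 4)]
    rcon = 1
    for i in range(4, 44):
        t = w[i - 1][:]
        if i % 4 == 0:              # SubWord(RotWord(t)) ^ Rcon
            t = [SBOX[b] for b in t[1:] + t[:1]]
            t[0] ^= rcon
            rcon = xtime(rcon)
        w.append([a ^ b for a, b in zip(w[i - 4], t)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(11)]
def shift_rows(s, inverse=False):   # row r rotates by r positions
    return [s[r + 4 * (((c - r) if inverse else (c + r)) % 4)]
            for c in range(4) for r in range(4)]
def mix_columns(s, inverse=False):  # each column times the fixed circulant matrix
    m = (14, 11, 13, 9) if inverse else (2, 3, 1, 1)
    return [gmul(m[0], s[4 * c + r]) ^ gmul(m[1], s[4 * c + (r + 1) % 4])
            ^ gmul(m[2], s[4 * c + (r + 2) % 4]) ^ gmul(m[3], s[4 * c + (r + 3) % 4])
            for c in range(4) for r in range(4)]
def add_round_key(s, k): return [a ^ b for a, b in zip(s, k)]
def encrypt_block(block, rk):
    s = add_round_key(list(block), rk[0])
    for rnd in range(1, 11):        # 10 rounds; the last one skips MixColumns
        s = shift_rows([SBOX[b] for b in s])
        if rnd != 10:
            s = mix_columns(s)
        s = add_round_key(s, rk[rnd])
    return bytes(s)
def decrypt_block(block, rk):       # inverse cipher: same rounds, reversed
    s = add_round_key(list(block), rk[10])
    for rnd in range(9, -1, -1):
        s = add_round_key([INV_SBOX[b] for b in shift_rows(s, inverse=True)], rk[rnd])
        if rnd != 0:
            s = mix_columns(s, inverse=True)
    return bytes(s)
def cbc_encrypt(key, iv, data):     # PKCS#7 padding + CBC, as an HLS packager does
    pad = 16 - len(data) % 16
    data, rk, prev, out = data + bytes([pad]) * pad, expand_key(key), iv, b""
    for i in range(0, len(data), 16):
        prev = encrypt_block(bytes(a ^ b for a, b in zip(data[i:i + 16], prev)), rk)
        out += prev
    return out
def cbc_decrypt(key, iv, data):
    rk, prev, out = expand_key(key), iv, b""
    for i in range(0, len(data), 16):
        out += bytes(a ^ b for a, b in zip(decrypt_block(data[i:i + 16], rk), prev))
        prev = data[i:i + 16]
    return out[:-out[-1]]           # strip PKCS#7 padding

# --- HLS side. Constructed playlist: the key URI sits there in clear text. ---
PLAYLIST = """#EXTM3U
#EXT-X-KEY:METHOD=AES-128,URI="https://cdn.example.com/keys/lesson1.key",IV=0x0f0e0d0c0b0a09080706050403020100
#EXTINF:10.0,
segment0.ts
"""
SAMPLE_KEY = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")   # constructed values
SAMPLE_PLAINTEXT = b"MPEG-TS bytes of a paid lecture (constructed sample)"
def parse_key_tag(playlist):        # attributes of the first #EXT-X-KEY tag, or None
    for line in playlist.splitlines():
        if line.startswith("#EXT-X-KEY:"):
            pairs = re.findall(r'([A-Z-]+)=("[^"]*"|[^,]*)', line[len("#EXT-X-KEY:"):])
            return {k: v.strip('"') for k, v in pairs}
    return None
def recover_segment(playlist, fetch_url, ciphertext):
    # What a subscriber's script does: read the key URI, fetch the key exactly as
    # the player must be allowed to, decrypt the segment. No cryptanalysis needed.
    tag = parse_key_tag(playlist)
    if tag is None or tag.get("METHOD") != "AES-128":
        raise ValueError("playlist is not AES-128 encrypted")
    iv = bytes.fromhex(tag["IV"][2:])
    return cbc_decrypt(fetch_url(tag["URI"]), iv, ciphertext)
def demo():                         # the packager encrypts; a playlist reader recovers
    iv = bytes.fromhex(parse_key_tag(PLAYLIST)["IV"][2:])
    segment = cbc_encrypt(SAMPLE_KEY, iv, SAMPLE_PLAINTEXT)   # what the CDN serves
    fake_http = {"https://cdn.example.com/keys/lesson1.key": SAMPLE_KEY}.get
    return recover_segment(PLAYLIST, fake_http, segment)
```

The cipher can be checked against the FIPS 197 test vector (key 000102…0f and plaintext 00112233…ff give ciphertext 69c4e0d86a7b0430d8cdb78070b4c55a), which confirms the S-box, key schedule and round structure are the standard ones. Note what recover_segment does not contain: any attack on AES. It only uses the two things every legitimate player already has, the playlist and the right to fetch the key URI, which is the "combination under the doormat" of the analogy above. This implementation is written to be read, not deployed: it is slow and not constant-time, so a real packager or player should use a vetted crypto library.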
The next level of content protection is Digital Rights Management (DRM). In DRM-based streaming the content keys are at no time exposed directly to any user. Instead, initialization data packaged with the video (in the container header, for example the 'pssh' box of a Common Encryption MP4) describes the encryption applied and identifies the keys. This metadata is consumed by a component in the browser or device called the Content Decryption Module (CDM).
From that initialization data the CDM builds a license request, which is sent to a remote license server. The license server returns a license containing the content keys, which the CDM then uses to decrypt the content for playback. The license request and the license travel through the web application as opaque blobs (via the Encrypted Media Extensions API), encrypted and signed between the CDM and the license server, so neither the application nor the user can read the content keys.
During playback, then, three elements are involved. The CDM, the license server and the EME API together keep the content decryption process sealed off from the user.
Device/browser Content Decryption Module: receives the initialization data from the video file, builds the license request from it, and later holds and uses the returned keys. The CDM is proprietary software whose source code is private, and on many devices it runs inside a hardware-backed trusted environment; it is that isolation, rather than the secrecy of its code, that keeps the keys out of reach.
Widevine License Server: receives the license request, checks it and returns the license containing the content keys.
Encrypted Media Extensions API: the browser API that plays middleman, handing the CDM's license request to the web application to forward to the license server and passing the server's license back to the CDM. At no point does EME expose the content of the request or the license to the application or the user.
Compared with secure key exchange, a separate step is introduced: the initialization data acts as a proxy for the key, and the CDM and the license server together validate it before any key is released. That extra step is what provides the additional content protection.
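To make the difference from the HLS case concrete, here is an added, deliberately simplified model of the license exchange described above, written for this post and not Widevine's or FairPlay's actual protocol. The CDM and the license server share a per-device secret (real systems use certificate-based device identities and authenticated encryption rather than this HMAC-and-XOR sketch); the web application, which in a browser is the JavaScript sitting between EME's message event and session.update(), only relays blobs. The device ID, content ID, message layout and the entitlement callback are hypothetical names of the example.

```python
"""Simplified DRM license exchange: the app relays blobs, the content key never
appears in clear in anything the app can see. Not a real DRM system's protocol."""
import hashlib, hmac, os

DEVICE_ID = b"player-000000042"          # 16 bytes; hypothetical identifiers
CONTENT_ID = b"lesson-0001-0720"         # 16 bytes
DEVICE_SECRET = hashlib.sha256(b"provisioned at manufacture (hypothetical)").digest()

def _tag(secret, label, body):           # HMAC binds a blob to the device secret
    return hmac.new(secret, label + body, hashlib.sha256).digest()

class CDM:
    """Runs inside the browser/device. Keys it unwraps never leave this object."""
    def __init__(self, secret, device_id):
        self._secret, self._device_id, self._keys, self._nonce = secret, device_id, {}, None
    def generate_request(self, content_id):         # EME: the 'message' event payload
        self._nonce = os.urandom(16)
        body = self._device_id + self._nonce + content_id
        return body + _tag(self._secret, b"request", body)
    def install_license(self, blob):                # EME: session.update(license)
        body, tag = blob[:-32], blob[-32:]
        if not hmac.compare_digest(tag, _tag(self._secret, b"license", body)):
            raise ValueError("license not issued by a trusted server")
        content_id, nonce, wrapped = body[:16], body[16:32], body[32:48]
        if nonce != self._nonce:
            raise ValueError("license does not match this session (replay?)")
        kek = _tag(self._secret, b"wrap", nonce)[:16]   # only the two ends can derive this
        self._keys[content_id] = bytes(a ^ b for a, b in zip(wrapped, kek))
        return True                                  # the app learns only "key usable"
    def has_key(self, content_id):
        return content_id in self._keys

class LicenseServer:
    def __init__(self, device_secrets, catalogue):   # device_id -> secret, content_id -> key
        self._devices, self._catalogue = device_secrets, catalogue
    def issue_license(self, request, entitled):
        body, tag = request[:-32], request[-32:]
        device_id, nonce, content_id = body[:16], body[16:32], body[32:48]
        secret = self._devices.get(device_id)
        if secret is None or not hmac.compare_digest(tag, _tag(secret, b"request", body)):
            raise PermissionError("request did not come from a provisioned CDM")
        if not entitled(content_id):                 # your user-management decision
            raise PermissionError("subscriber is not entitled to this content")
        kek = _tag(secret, b"wrap", nonce)[:16]
        wrapped = bytes(a ^ b for a, b in zip(self._catalogue[content_id], kek))
        lic = content_id + nonce + wrapped
        return lic + _tag(secret, b"license", lic)

def play_through_drm(content_key, entitled=lambda cid: True):
    """Run the whole exchange; report what the app saw and where the key ended up."""
    server = LicenseServer({DEVICE_ID: DEVICE_SECRET}, {CONTENT_ID: content_key})
    cdm = CDM(DEVICE_SECRET, DEVICE_ID)
    request = cdm.generate_request(CONTENT_ID)      # app: fetch(licenseUrl, body=request)
    license_blob = server.issue_license(request, entitled)
    cdm.install_license(license_blob)               # app: session.update(license_blob)
    app_saw = request + license_blob                # everything the JavaScript could log
    return {"cdm_has_key": cdm.has_key(CONTENT_ID),
            "key_visible_to_app": content_key in app_saw,
            "key_inside_cdm": cdm._keys[CONTENT_ID] == content_key}  # peeking in, demo only
```

Contrast this with the HLS example earlier: there the script needed only the playlist and a fetch; here the application relays the same two messages but, lacking the device secret, cannot unwrap the key, cannot forge a request the server will accept, and cannot replay a license into a different session. That is the "separate step" the section describes, and the reason the CDM's isolation (not the secrecy of its code) is what the whole scheme stands on.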