If you have ever watched Netflix, you know that you can't record it, you can't download it, you cannot do anything. For example, I'm on Netflix right now, and if I play this video, you will see that this video is playing black, right? You can see, even I cannot see this video. But the moment I stop this video recording which is going on (my screen is getting recorded right now), the moment I stop this, it'll automatically become visible. So you can see in the preview frames I'm able to see the preview, I can see the caption, I can also hear the audio, but I cannot record this, I cannot download this. There is no way to. If I right-click this, inspect this, even if I find something, that would be pretty much garbage. How does this work? Let's figure this out.

So for a very long time I tried to understand what this exactly is, because this is one of the things that we offer on Fermion also. So if you go to fermion.app to set up your own platform where you are selling, let's say, courses or content, optionally you can opt into a feature that is known as DRM protection with Widevine and FairPlay. So we'll discuss this, because I had to research this, I had to talk to companies like Google also. I have one of my points of contact in Google who told me how this thing exactly works from a pricing point of view, so I'll share that information with you in this video. Hopefully this information is useful for you.

First of all, okay, let's start with DRM in general. So DRM stands for Digital Rights Management, and this is sort of a way for companies like Netflix, for example, or like Amazon Prime or Hulu, or all these players like us, for example, at Fermion, if you're selling your courses, a way for your client, the system on which the video is running, to protect it at some capacity. Right now, DRM by nature, by definition, is not bulletproof, it's not foolproof, because at the end the video is getting played, right? I can always take my phone and just start recording the screen like that. But to a large extent it prevents a lot of piracy, because you can't just download it directly, you can't just screen record it; all of that is prevented. So how does that work?

So before understanding DRM, let's just take a step back and understand a few more basic things. So let's say that this is a playable video format, this is a playable MP4 file, right? Your typical file which you download on your computer and play with VLC media player, for example. What happens is that there are certain things you can do with this file to make it encrypted. One of the most common ways is that you will encrypt this file with something called AES-128 encryption. So AES is an advanced encryption scheme; it's an algorithm, basically, that takes this file, for example, and encrypts it into some garbage, right? So this becomes a garbage file. However, in order to decrypt this file, what you need are two keys: the first is an encryption key and the second is an initialization vector, IV. So these are like two pieces of information. You plug it in, you get this file back, and if you plug it back in, you will get this file back again, right? So you will get a playable MP4 again.

So the first level of DRM, which is like a basic-level DRM, clear key encryption, works exactly like what I told you over here. So what you will do is you will take a playable file, you will use AES encryption, somehow, 128 encryption, to encrypt that file, and you will get these two pieces of information: key and initialization vector. So what's going to happen is that now this particular file, this file, would go on some cloud storage, right? So it could be anything like S3, R2, Hetzner storage, whatever you want to call it. So this corrupted file, or whatever, this encrypted file, would go on the cloud storage. These two things ideally would go inside your database. So this goes into cloud storage, this goes into the database, and now whenever somebody, let's say a user, comes, so a user comes over here and they want to play this video, whatever that video is, right, so they will request a playback. They say, "I want to play back this video." What you will say as a server right here, EC2 or whatever, Lambda, whatever this is, is that you will verify user access, right? Obviously, first things first. Then you will return a signed URL for the clear key encrypted video, which is this garbage over here, and return key and IV over here. So once you return all of this, either in a single call or in multiple calls, for example, doesn't matter, once you do all of this, the user is now able to play back the specific video.

However, this is very basic, and it will not achieve what we just saw on Netflix, that the video recording gets stopped or the screen goes blank when you're trying to record. So what's happening here? Well, you see that this over here is known as clear key encryption. The reason for this is that even though you can mess around with this key and all, you know, you can just make it a little bit encrypted so that the client has to do some work to decrypt the key itself in order to resume the playback, still this key is getting transmitted in clear fashion. It's clearly, you know, you are able to see: as a user you are able to right-click, inspect inside the browser, go to the Network tab, and you are able to intercept that key. That is why this is known as clear key encryption, where you encrypt the key with a certain key, which is like AES encryption. The encryption itself is very strong, you cannot break it without a key, but the key transfer happens in plain sight, basically. Or even if you're doing some sort of manipulation over here, you can possibly decrypt it over here, right?

Now what Google and Apple did then is that they said, okay, this looks bad. What we don't want to do is, like, you know, we want to encrypt the video, so this part we want to do, obviously; we have to use it in a certain way. Now they might or might not use the exact same algorithm, they might use something else also; they want to use the same encryption keys and all of that, but what they don't want is people to have the ability to see this key in plain text. That is number one. The second thing is that they want to retain access over the devices, the quality of devices on which these things are played. Let me give you an example. For example, you might have heard that there are certain phones that restrict Netflix quality to 480p or 780p, 720p, right? Or there are certain browsers, for example Firefox on Linux, they are not able to play Netflix at all. How does that work?

So in that specific case, let's talk about DRM Widevine encryption. So Widevine is an encryption scheme which is developed by Widevine itself, but acquired by Google some years back. So that's why on Fermion also we say that inbuilt DRM protection is with Widevine and FairPlay, because Widevine in general is an encryption, it's a DRM basically, which is developed by Widevine as a company, but it's owned by Google now. And these are the service providers, the devices, which Widevine has directly tied up with, Chrome and Firefox included. So how this fundamentally works is, let me tell the whole scheme from the start.

You will take a video file, a playable MP4, let's say, and I'm going to keep it simple, so I'm going to miss out on a lot of steps and I'm going to simplify this a bit, but the general idea remains the same. What you do is you use something like a CLI tool, Shaka Player, etc.; there are a couple of options you can do over here. So this over here, what it does is that it does the same thing: it gets, you know, converted into some garbage file. But what you also have to do now is inform Google about this piece of content. This is where the magic lies. So over here what you do, in a very abstracted way, is that you make an API call to Google servers and you inform them about this content thing, right? So this Shaka Player, when you encrypt it, it does not just give you this encrypted file, but it also gives you a content ID and a few more metadata around that. So you have to inform Google about some of these metadata IDs, and then, once you inform Google about this specific thing, Google registers this content piece inside their database. Now remember, Google does not upload the file itself, so it doesn't have a copy of the file, so they are not offering you free storage or anything, but they are offering you a license server, basically. Think of this as a licensing server. So this is one thing.

Now the next thing, what happens is that once this whole process has happened, what you're going to do as a user: you're going to come back to the Fermion site, you're going to say "I am user," and then you're going to go ahead and request playback again. But this time what's going to happen is that your server would just return you this; it would say verify your identity and then return you the encrypted file. So this specific file is the DRM-protected file which you cannot decrypt once you have this file. So what's going to happen is that on the user side, the client side, the player, whatever you are using, it would also include a licensing server call or something like that, right? So where do you have to ask for the license for that specific file? This is where the DRM thing starts to kick in, the Widevine thing starts to kick in. What happens over here is that, right here, in most of the environments, like if this is a Widevine thing, in most of the environments this control will be taken from the user land to whatever the secure environment is. That is what is called a TEE, not TP: trusted execution environment. So if you look at TEE and then DRM Widevine, for example, you'll see that over here on Bunny there are three levels of trusted execution environments: Level 1, Level 2, Level 3. So Level 1, for example, is the highest security provided by Widevine; it mandates the devices, all of that. But the basic idea between these three, Level 1, Level 2, Level 3, is how trusted the execution environment is where the key exchange is happening, right?

So this trusted execution environment, what it's going to do is it's going to make some calls to the licensing server. So over here, this is the licensing server; this would return a playback key. It'll say, okay, here is your playback key. Now this key is not like you just, you know, get it by making a fetch call; it's not like that. This environment itself includes a lot of metadata about the device, what's happening, what this trusted execution environment is in general, who's using it, all of that. And the biggest thing is that this whole operation is obfuscated. So DRM is security by obfuscation; that means that there is no material available as to what this thing is. That is one of the major differences you would have seen if you go to Chromium, for example, the GitHub project, or, you know, whatever their official place is over here: you would not be able to find the source code of this which ships with Chrome. So one of the big differences between Chromium and Chrome is that Chrome ships with the ability to decode DRM-protected, Widevine-protected content, because it ships with this module, this trusted execution environment, which only the Google Chrome team knows how the source code works. So sure, you can just take this browser and try to decompile it and reverse engineer it, but they have made it in such a way that it would be extremely hard to just sit and figure out how the whole data pipeline is flowing. And with that being said, they also often change it; a lot of times this algorithm keeps on changing, every single time. You know, I would not be surprised if they also change it over the air with some remote updates, or with every version. So all of that keeps on changing.

But with DRM security Level 1, for example, this trusted execution environment is embedded inside the device itself. So you can see, like over here, if you are trying to play back a video on L1 Widevine, that means that the decryption is not happening at all in the browser or in the software layer; it's decryption on the hardware level, and the content decoding is executed within the trusted execution environment. So this over here gets the playback key from the licensing server, it gets the video from here also. So over here, if you see, it gets the video content, and this is the brains of the operation. If you're able to hijack this specific environment, then you would be able to just download the video, in a way, like extract out the video. But what this does is that it is smart and it just sends you frame by frame, right, frame-by-frame video playback. So it's able to do this frame-by-frame video playback because this operates outside of your JavaScript world; it operates outside of your normal software world in L1 encryption, and in general, like, 100% outside the JavaScript world. That is why, if you go to Netflix and right-click and inspect, you cannot see this key exchange happening, because it's not happening on the browser software level. I mean, it is happening on the browser software level, but not on the JavaScript level.

And that is why, when you are inside Chrome, if you ever know, inside Chrome the highest supported resolution is 720p. "Netflix highest resolution Chrome": so you see over here, the maximum resolution Netflix plays on Chrome is 720p. The reason for this is because Chrome by default does this trusted execution environment execution within their own software layer. They don't have access to hardware, I mean they do, but they don't trust the hardware. But that is why, whenever you are watching Netflix on Google Chrome, you are restricted to a maximum of 720p, because what they want is that even if you leak it somehow, the resolution is not very high. However, if you're using Safari, then you can go crazy. Safari supports up to 4K resolution on Netflix, but only if you're using macOS mixer or later and subscribe to the Netflix Premium plan. The reason for this is because in Safari, if you are running it on macOS, if it is Safari, this decryption is happening on Apple's hardware, it's happening on the native hardware. So that's even more secure, because, I mean, reverse engineering software is still easy, but if you have a trusted execution environment as a hardware chip inside a device, that is extremely hard to reverse.

So if you look at Apple FairPlay hardware, if you look at some of this documentation from Apple, they do tell you a little bit about, you know, what's happening over here and there, but nobody really ever talks about what happens inside the trusted execution environment, because the source code is not available, because if it is available then you can reverse engineer what's happening. So the whole DRM ecosystem, the whole thing, is built on two specific things. This licensing server, how this issues licenses, is a complete mystery box; that's number one. And by the way, you can of course build your own server in front of this, so you can have your own EC2 that again does a lot of checks and all, whatever it needs, and then it talks to the licensing server that is owned by Google. This is a Google server. So this is how it works fundamentally: at the end there is a Google server which is sitting there, the Widevine server, which is sitting there for issuing the license, and then this part, on the client side, is also controlled by Google or Apple respectively, based on Widevine and FairPlay. And this is how they maintain this secrecy on how the decryption is happening, because the license which decrypts the content is also generated by the server; this license is attached to the device for which it is specifically issued, so you cannot just take this license and just start playing it anywhere. At the same time, this decryption which is happening is also issued by, like, this software is written by Google and Apple respectively, so you cannot even figure out, unless you spend a lot of time figuring out, what is happening.

If you remember, a few years back Chrome had a vulnerability, a DRM issue, so Chrome 57 or something in 2016. Yeah, so if you remember this, yeah, so something happened, I don't remember the exact version of Chrome, but something happened in 2016 where there was a flaw in Chrome's implementation of DRM, so that people, whoever wants to hack a certain stream of data, they were able to very easily download the stream directly. So if I see this video, now you can see that this is a video which they are trying to play which is DRM protected, and they are able to download the decoded video directly. So they were able to inject into Chrome's decryption pipeline and they were able to extract that video data directly, and they were able to store it on their file system. Since then, of course, Chrome has patched that vulnerability, and it's basically a cat-and-mouse game. But it's not really a cat-and-mouse game also, because decrypting this is so damn hard, and the algorithm keeps on changing, and there is so little information about how this environment works, that unless you are a reverse engineering guru or something like that, it's very hard for you to download a video which is DRM protected. Of course people do it all the time, because you will see that anything that appears on Netflix is available on torrent websites within the next few days. So that happens; there is software, there are people who are able to decrypt DRM also. But for a common man like you, for example, if you're just a developer who's starting out, you just know a little bit of front end, a little bit of back end, even at your scale you would not be able to decrypt this content.

So all in all, this is how DRM in general works, and this server over here and this trusted execution environment is the secret sauce. Any service that you see outside of this, so if you see, for example, if I Google "DRM protection services", you see all of this: PallyCon, Locklizard, Gartner, right curve, VdoCipher. All of these are built on top of the services offered by Google and Apple. So Google and Apple issue only a few players in the space; there has to be a full thing, you have to go through a certain audit and vetting and all of that. Once you do that, then and only then you can become this EC2 server, then and only then you can become a service that can offer the DRM protection. So what other people in the space do is that instead of taking the service directly from Google, they take it from a player like VdoCipher, for example. So if you go to their pricing, you will see that they are giving you a certain pricing, whatever this is, it includes the data and all of that. But this is not the real DRM; the real DRM is in fact indeed provided by Google and Apple. What this is is an abstraction, a layer above that actual DRM, and you can also get that when you become a Google partner and an Apple partner. So you have to go through that whole thing in order to avoid this, you know, tax, which you have to pay, additional money on top of it, but that's possible.

So yeah, that's all there is in DRM. That's also something that we offer on Fermion. So over here, if you see, for example, if you are inside a course and if you're trying to play, you would see that in this specific case that video would play, because we are using the clear key encryption. So if I go to one of the schools who's using Fermion and I start to play that video, you will see that video right now, because it's using clear key encryption. But if we switch, if the instructor asks us, "Okay, I don't even want my video to be recorded and it has to flow through this Widevine and FairPlay pipeline," then we can enable that for them, and once we do that it automatically works how a Netflix-like implementation would work. So yeah, that's pretty much it for this video. Hopefully you learned something new. That's all for this one; make sure you like and subscribe. I'll see you in the next video really soon.