Widevine
Original author(s) | |
---|---|
Stable release | 1.4.9.1088 |
Written in | C++ |
Operating system | Cross-platform |
Type | Digital rights management |
Website | widevine |
Widevine is a proprietary digital rights management (DRM) system developed by Google. It provides content protection for media. Widevine is divided into three security levels with differing levels of protection depending on the hardware present on the device. Widevine is included in most major web browsers and in Android and iOS.
Widevine was originally developed by Internet Direct Media, which later rebranded as Widevine Technologies. Following several rounds of funding, the company was acquired by Google in 2010 for an undisclosed amount.
History
Origins (1998–2006)
Widevine was created by Seattle-based Internet Direct Media in 1999 as Widevine Cypher.[1] The company, founded by executive Brian Baker and cryptography researcher Jeremy Horwitz, changed its name to Widevine Technologies.[2][3]
In February 2001, Widevine Technologies released Widevine Cypher Enterprise; at the time, techniques such as screen recording and network request monitoring were common. Widevine Cypher used DES-X encryption to prevent these techniques.[4] Widevine Technologies partnered with Bellevue-based streaming company Midstream Technologies in April.[5] Baker returned to the company in 2001, leading it through a restructuring process; the process involved recapitalizing the company and firing many of its employees.[6]
In June 2003, Widevine Technologies secured US$7.8 million in funding from
Widevine Technologies branched out into digital watermarking in 2005, partnering with content processing company TVN Entertainment (now Vubiquity) for its Mensor system.[10] Widevine Mensor inserts a 64-bit payload into the signal, a computationally inexpensive operation.[11]
Growth (2006–2010)
In April 2006, Constellation Ventures, Pacesetter Capital, Phoenix Capital Partners, and VantagePoint Venture Partners joined digital communications company
On August 3, 2007, Widevine Technologies filed a patent infringement lawsuit against content security company Verimatrix.[14] The two companies reached a settlement in March 2010.[15]
Vendors utilizing Widevine steadily increased up until 2010. In August 2008,
In December 2009, Widevine received an additional $15 million in funding from telecommunications company Liberty Global and Samsung Ventures, the venture capital subsidiary of Samsung.[19] Samsung would expand its use of Widevine in June 2010.[20] LoveFilm signed a deal with Widevine in July 2010.[21]
Acquisition by Google (2010–present)
On December 3, 2010,
Architecture
Widevine is divided into three security levels. The security level used is dependent on the usage of a
In
Input → output overview
Widevine uses multiple standards and specifications, including MPEG Common Encryption (CENC), Encrypted Media Extensions (EME), Media Source Extensions (MSE), and Dynamic Adaptive Streaming over HTTP (DASH).[30] In addition, Widevine supports the HTTP Live Streaming (HLS) protocol, developed by Apple Inc. in 2009.[31]
In one implementation of Widevine, a browser receives encrypted content from a
Vendors may implement their own proxy server within the license server, in cases where user authorization is managed by the vendor's preexisting proxy server.[36] This setup requires the use of the proxy server as a middleman.[37] Widevine requires the use of service certificates beginning in Chrome 59, along with iOS and some configurations of ChromeOS.[38][note 1] A proxy server may choose to refuse to issue licenses for browsers that do not implement a "verifiable" framework, otherwise known as Verified Media Path (VMP). Notably, browsers running on Linux are not included in VMP.[40] Similarly, the High-bandwidth Digital Content Protection (HDCP) version used on the client device may be enforced by the proxy server.[41]
In Widevine L1 devices, certificate provisioning is usually performed once. During provisioning, the CDM creates a
Field | Description | Size (bytes) |
---|---|---|
Device ID | Obtained in the OEMCrypto module using OEMCrypto_GetDeviceID | 32 |
Device key | 128-bit AES key. Derived into multiple keys in the OEMCrypto module using OEMCrypto_GenerateDerivedKeys | 16 |
Provisioning token | Also known as "key data". Used to provision requests. Obtained in the OEMCrypto module using OEMCrypto_GetKeyData | 72 |
Magic number | Referred to as "kbox" | 4 |
CRC-32 | Validates the integrity of the keybox | 4 |
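The 128-byte layout in the table above, as an added example (not code from Widevine or the OEMCrypto module): a validator that checks the length, the "kbox" magic number and the checksum of a constructed sample keybox. The CRC-32 variant (CRC-32/MPEG-2), its coverage of the first 124 bytes and its big-endian storage are assumptions, since the page specifies none of them; the kb_* names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Field sizes from the keybox table: 32 + 16 + 72 + 4 + 4 = 128 bytes. */
enum { KB_ID = 32, KB_KEY = 16, KB_TOKEN = 72, KB_MAGIC = 4, KB_CRC = 4,
       KB_MAGIC_OFF = KB_ID + KB_KEY + KB_TOKEN,
       KB_BODY = KB_MAGIC_OFF + KB_MAGIC, KB_SIZE = KB_BODY + KB_CRC };
typedef enum { KB_OK = 0, KB_BAD_LENGTH, KB_BAD_MAGIC, KB_BAD_CRC } kb_status;

/* ASSUMPTION: CRC-32/MPEG-2 (poly 0x04C11DB7, init 0xFFFFFFFF, not reflected,
 * no final XOR). The page only says "CRC-32". */
uint32_t kb_crc32(const uint8_t *p, size_t n) {
    uint32_t crc = 0xFFFFFFFFu;
    while (n--) {
        crc ^= (uint32_t)*p++ << 24;
        for (int i = 0; i < 8; i++)
            crc = (crc & 0x80000000u) ? (crc << 1) ^ 0x04C11DB7u : crc << 1;
    }
    return crc;
}

/* Validate layout, magic and checksum in place; no key bytes are copied or
 * logged. ASSUMPTION: the CRC covers bytes 0..123 and is stored big-endian. */
kb_status kb_validate(const uint8_t *b, size_t len) {
    if (b == NULL || len != KB_SIZE) return KB_BAD_LENGTH;
    if (memcmp(b + KB_MAGIC_OFF, "kbox", KB_MAGIC) != 0) return KB_BAD_MAGIC;
    const uint8_t *c = b + KB_BODY;
    uint32_t stored = (uint32_t)c[0] << 24 | (uint32_t)c[1] << 16 |
                      (uint32_t)c[2] << 8 | c[3];
    return stored == kb_crc32(b, KB_BODY) ? KB_OK : KB_BAD_CRC;
}

/* Build a constructed keybox from fixed byte patterns (not real key material). */
void kb_make_sample(uint8_t out[KB_SIZE]) {
    memset(out, 0x11, KB_ID);                      /* dummy device ID */
    memset(out + KB_ID, 0x22, KB_KEY);             /* dummy device key */
    memset(out + KB_ID + KB_KEY, 0x33, KB_TOKEN);  /* dummy provisioning token */
    memcpy(out + KB_MAGIC_OFF, "kbox", KB_MAGIC);
    uint32_t crc = kb_crc32(out, KB_BODY);
    for (int i = 0; i < 4; i++) out[KB_BODY + i] = (uint8_t)(crc >> (24 - 8 * i));
}

int main(void) {
    uint8_t kb[KB_SIZE];
    kb_make_sample(kb);
    printf("sample keybox: status %d\n", kb_validate(kb, KB_SIZE));
    kb[40] ^= 0x01;  /* single bit flip inside the device key field */
    printf("tampered keybox: status %d\n", kb_validate(kb, KB_SIZE));
    return 0;
}
```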
Each content key is associated with a 128-bit key control block, specifying security constraints. The key control block ensures data path security requirements on clients such as Android, where video and audio are encrypted separately, and provides a timeout value to the TEE. The block is
Client support
Widevine is included in most major web browsers, including
In Android, Widevine is implemented through a
liboemcrypto.so marshals and unmarshals requests to the Widevine trustlet for Widevine L1 through a specialized TEE driver, such as QSEEComAPI.so for Qualcomm Secure Execution Environment (QSEE).[55]
iOS does not natively support DASH or CENC. To work around this limitation, Widevine transmuxes DASH to HLS; the Universal DASH Transmuxer (UDT) parses the DASH manifest using an XML parser, such as libxml2. The UDT then creates an HLS playlist.[56]
Security
Widevine has been exploited multiple times. Researchers at Ben-Gurion University of the Negev discovered a vulnerability in Widevine in June 2016; the vulnerability allowed users to obtain a decrypted version of protected content in cache.[57]
In January 2019, security researcher David Buchanan claimed to have broken Widevine L3 through a
In 2021, the Android version of Widevine L3 was reverse engineered and broken by security researchers.[61] The same year, Qi Zhao presented the first attack breaking Widevine L1 in Android by recovering the L1 keybox.[62]
Notes
- ^ In ChromeOS, service certificates are required when remote_attestation_verified is enabled. remote_attestation_verified requires the use of a Trusted Platform Module (TPM) and is enabled at boot for devices with a TPM.[39]
References
Citations
- ^ Chiang, Oliver (December 3, 2010). "Google Buys Digital Video Company Widevine, Building Up Video On-Demand Service". Forbes. Retrieved March 13, 2023.
- ^ Dudley, Brier (December 3, 2010). "Google acquires Widevine". The Seattle Times. Retrieved March 13, 2023.
- ^ "Internet Direct Media rebrands as Widevine Technologies". Ad Age. September 29, 2000. Retrieved March 13, 2023.
- ^ Kieskowski, Ellie (February 12, 2001). "Widevine Releases Enterprise Targeted Security Solution". Streaming Media. Retrieved March 13, 2023.
- ^ "Midstream Teams with Widevine". InternetNews. April 18, 2001. Retrieved March 13, 2023.
- ^ Cook, John (April 18, 2006). "$16 million boost for Seattle's Widevine". Seattle Post-Intelligencer. Retrieved March 13, 2023.
- ^ "Widevine raises $7.8 million". Puget Sound Business Journal. June 17, 2003. Retrieved March 13, 2023.
- ^ Meisner, Jeff (March 7, 2004). "VCs betting on Widevine's data-encryption software". Puget Sound Business Journal. Retrieved March 13, 2023.
- ^ "Widevine raises $13 million". Puget Sound Business Journal. February 10, 2004. Retrieved March 13, 2023.
- ^ White, Peter (November 16, 2005). "VCs betting on Widevine's data-encryption software". Rethink Technology Research. Retrieved March 13, 2023.
- ^ Rassool, Reza (August 1, 2007). "Widevine's Mensor". TV Technology. Retrieved March 13, 2023.
- ^ Reardon, Marguerite (April 19, 2006). "Cisco backs DRM start-up". CNET. Retrieved March 13, 2023.
- ^ "TELUS Selects Widevine". Converge Digest. November 12, 2006. Retrieved March 13, 2023.
- ^ "Widevine alleges patent breach". Advanced Television. August 3, 2007. Retrieved March 13, 2023.
- ^ Spangler, Todd (March 24, 2010). "Widevine, Verimatrix Settle Patent Dispute". Multichannel News. Retrieved March 13, 2023.
- ^ Healey, Jon (August 18, 2008). "CinemaNow, Widevine bring movies to more devices". Los Angeles Times. Retrieved March 13, 2023.
- ^ "Microsoft, Silverlight and Widevine". Los Angeles Times. April 14, 2008. Retrieved March 13, 2023.
- ^ Nicole, Kristen (January 3, 2008). "Sony, Warner Virtual World Cinemas Sign Widevine for DRM Protection". Mashable. Retrieved March 13, 2023.
- Seattle Times. December 14, 2009. Retrieved March 13, 2023.
- ^ Dickson, Glen (June 22, 2010). "Samsung Taps Widevine for Connected Devices". Broadcasting & Cable. Retrieved March 13, 2023.
- ^ O'Hear, Steve (July 29, 2010). "Lovefilm, the Netflix-of-Europe, signs deal with Widevine to beef up multi-platform play". TechCrunch. Retrieved March 13, 2023.
- ^ Healey, Jon (December 3, 2010). "Google buys anti-piracy firm Widevine". Los Angeles Times. Retrieved March 13, 2023.
- ^ Murph, Darren (December 5, 2010). "Google spends a few more million, picks up Widevine DRM software firm". Engadget. Retrieved March 13, 2023.
- ^ Konrad, Alex (August 16, 2011). "Google's 10 biggest acquisitions (so far)". CNN. Retrieved March 13, 2023.
- ^ Triggs, Robert (November 27, 2022). "What is Widevine digital rights management (DRM) and why does it matter?". Android Police. Retrieved March 13, 2023.
- XDA Developers. Retrieved March 13, 2023.
- ^ "Media". Android Open Source Project. Retrieved March 13, 2023.
- ^ Zeng, Thomas (February 8, 2012). "The Android ION memory allocator". LWN.net. Retrieved March 13, 2023.
- ^ "Protecting your premium HD content with Widevine Digital rights management (DRM) on Inforce platforms". Penguin Solutions. September 10, 2016. Retrieved March 13, 2023.
- ^ a b Google 2017, p. 5.
- ^ Google 2017, p. 9.
- ^ Google 2017, pp. 10–13.
- ^ Google 2013, p. 9.
- ^ Google 2017, p. 11.
- ^ Google 2017, p. 10.
- ^ Google 2019, p. 6.
- ^ Google 2019, p. 7.
- ^ Google 2019, p. 20.
- ^ Santos, Gummadi & Rodrigues 2009, p. 3.
- ^ Salter, Jim (January 31, 2020). "Linux Star Trek fans, rejoice: CBS All Access now works in your OS". Ars Technica. Retrieved March 15, 2023.
- ^ Google 2019, p. 31.
- ^ Patat, Sabt & Fouque 2022a, p. 5.
- ^ Patat, Sabt & Fouque 2022a, p. 6.
- ^ Patat, Sabt & Fouque 2022a, p. 7.
- ^ Google 2013, p. 16.
- ^ Google 2013, p. 17.
- ^ Patat, Sabt & Fouque 2022b, p. 5.
- XDA Developers. Retrieved March 15, 2023.
- BleepingComputer. Retrieved March 15, 2023.
- ^ "Mozilla To Test Widevine CDM in Firefox Nightly To Facilitate Video Watching Online". Mozilla. April 7, 2016. Retrieved March 13, 2023.
- ^ Patat, Sabt & Fouque 2022a, p. 1.
- ^ "Overview". Widevine.
- ^ Google 2017, p. 23.
- ^ Humphries, Matthew (February 2, 2021). "Firefox 85 for Android Allows DRM-Protected Content to Play Again". PCMag. Retrieved March 13, 2023.
- ^ Patat, Sabt & Fouque 2022a, p. 3.
- ^ Google 2017, p. 24.
- ^ Chirgwin, Richard (June 28, 2016). "Google's Widevine DRM doesn't quite manage". The Register. Retrieved March 13, 2023.
- ^ Humphries, Matthew (January 3, 2019). "Report: Google's Widevine L3 DRM Cracked". PCMag. Retrieved March 13, 2023.
- ^ Hager, Ryne (January 3, 2019). "Google's Widevine L3 DRM, used by Netflix, Hulu, and HBO, has been broken". Android Police. Retrieved March 13, 2023.
- ^ Krebs, Brian (March 13, 2023). "Google Mending Another Crack in Widevine". Krebs on Security. Retrieved March 13, 2023.
- ^ Patat, Sabt & Fouque 2022a, p. 10.
- ^ Zhao, Qi. "Wideshears: Investigating and Breaking Widevine on QTEE" (PDF). Hyrathon's Blog. Retrieved 26 July 2023.
Bibliography
- Google (April 3, 2019). Widevine DRM Proxy Integration.
- Google (March 6, 2017). Widevine DRM Architecture Overview.
- Google (February 25, 2013). WV Modular DRM Security Integration Guide for Common Encryption (CENC).
- Patat, Gwendal; Sabt, Mohamed; Fouque, Pierre-Alain (2022a). Exploring Widevine for Fun and Profit. IEEE.
- Patat, Gwendal; Sabt, Mohamed; Fouque, Pierre-Alain (2022b). WideLeak: How Over-the-Top Platforms Fail in Android. IEEE.
- Santos, Nuno; Gummadi, Krishna; Rodrigues, Rodrigo (June 15, 2009). Towards trusted cloud computing. Association for Computing Machinery.