惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

Recent Commits to openclaw:main
Recent Commits to openclaw:main
L
LangChain Blog
月光博客
月光博客
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
博客园 - 【当耐特】
宝玉的分享
宝玉的分享
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
Last Week in AI
Last Week in AI
人人都是产品经理
人人都是产品经理
博客园_首页
T
Tailwind CSS Blog
P
Proofpoint News Feed
雷峰网
雷峰网
D
Darknet – Hacking Tools, Hacker News & Cyber Security
IT之家
IT之家
V
Vulnerabilities – Threatpost
阮一峰的网络日志
阮一峰的网络日志
C
CERT Recently Published Vulnerability Notes
Attack and Defense Labs
Attack and Defense Labs
S
Schneier on Security
Security Archives - TechRepublic
Security Archives - TechRepublic
L
Lohrmann on Cybersecurity
V
Visual Studio Blog
云风的 BLOG
云风的 BLOG
WordPress大学
WordPress大学
The Register - Security
The Register - Security
N
Netflix TechBlog - Medium
Hugging Face - Blog
Hugging Face - Blog
Project Zero
Project Zero
博客园 - 叶小钗
F
Full Disclosure
大猫的无限游戏
大猫的无限游戏
Latest news
Latest news
S
SegmentFault 最新的问题
C
Cyber Attacks, Cyber Crime and Cyber Security
Google Online Security Blog
Google Online Security Blog
Recorded Future
Recorded Future
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
Hacker News - Newest:
Hacker News - Newest: "LLM"
腾讯CDC
L
LINUX DO - 最新话题
Google DeepMind News
Google DeepMind News
P
Privacy International News Feed
I
InfoQ
F
Fortinet All Blogs
Vercel News
Vercel News
H
Hackread – Cybersecurity News, Data Breaches, AI and More
T
Threatpost
T
Tenable Blog
B
Blog RSS Feed

Henri Sivonen’s pages

Parin vuoden tutkimattomuus crates.io: Rust Package Registry Asiakirjatonta toimintaa It’s not wrong that "🤦🏼‍♂️".length == 7 Koulutartuntojen tilastointimenettely Perusteasiakirjoja hallussapitämättä ikärajoitettu Asiantuntijat ja nukkuva vallan vahtikoira Koronapassilausunto Suppealla tietopohjalla ohimeneväksi väitetty Text Encoding Menu in 2021 The Text Encoding Submenu Is Gone An HTML5 Conformance Checker Not Part of the Technology Stack Browser Technology Stack Bogo-XML Declaration Returns to Gecko A Look at Encoding Detection and Encoding Menu Telemetry from Firefox 86 Why Supporting Unlabeled UTF-8 in HTML on the Web Would Be Problematic Rust Target Names Aren’t Passed to LLVM Toimintamalli Activating Browser Modes with Doctype Johtopäätöksiä mallin rakenteesta Tehtävänmäärittelyä kirjoittamatta ja kuolemia laskematta laumasuojamallinnettu Character Encoding Menu in 2014 Erillissuosituksen tarpeettomuudesta yleissuosituksen poikkeukseksi? STM:n maskiaikajana Rust 2021 Oma-aloitteisesti mallinnettu Kokopinovaatimuksin kilpailutettu chardetng: A More Compact Character Encoding Detector for the Legacy Web Varauksia paisutellen tiedotettu Perusteasiakirjoitta tiedotettu Always Use UTF-8 & Always Label Your HTML Saying So IME Smoke Testing The Validator.nu HTML Parser About the Hiragino Fonts with CSS It’s Time to Stop Adding New Features for Non-Unicode Execution Encodings in C++ Rust 2020 The Last of the Parsing Quirks About about:blank Rust 2019 a Web-Compatible Character Encoding Library in Rust How I Wrote a Modern C++ Library in Rust Using cargo-fuzz to Transfer Code Review of Simple Safe Code to Complex Code that Uses unsafe A Rust Crate that Also Quacks Like a Modern C++ Library #Rust2018 No Namespaces in JSON, Please A Lecture about HTML5 Julkisesti luotettu varmenne ikidomainille TLS:ää (SSL:ää) varten -webkit-HTML5 Lists in Attribute Values The Sad Story of PNG Gamma “Correction” If You Want Software Freedom on Phones, You Should Work on Firefox OS, Custom Hardware and Web App Self-Hostablility HTML5 Parser Improvements ARIA in HTML5 Integration: Document Conformance (Draft, Take Two) Schema.org and Pre-Existing Communities Lowering memory requirements by replacing Schematron HTML5 Parsing in Gecko: A Build Introducing SAX Tree NVDL Support in Validator.nu HOWTO Avoid Being Called a Bozo When Producing XML An Unofficial Q&A about the Discontinuation of the XHTML2 WG Thoughts on HTML5 Becoming a W3C Recommendation Four Finnish Banks Training Users to Give Banking Credentials to Another Site Unimpressed by Leopard Sergeant Semantics The Content Sink Inheritance Diagram – 2006-06-30 About Points and Pixels as Units The Performance Cost of the HTML Tree Builder Social Media Impression Management The spacer Element Is Gone Openmind 2006 Performance Mistake XHTML and Mobile Devices WebM-Enabled Browser Usage Share Exceeds H.264-Enabled Browser Usage Share on Desktop (in StatCounter Numbers) HTML5 Parser-Based View Source Syntax Highlighting Vendor Prefixes Are Hurting the Web Accept-Charset Is No More Dualroids Writing Structural Stylable Document in Mozilla Editor ISO-8859-15 on haitallinen Hourglass The Scientific Method According to Hixie Maemo Source Code Karpelan lukkovertaus ontuu Digitaalisesta arkistoinnista ARIA in HTML5 Integration: Document Conformance (Draft) XHTML—What’s the Point? (Draft, incomplete) Mac OS X Browser Comparison HOWTO Spot a Wannabe Web Standards Advocate An Idea About Intermediate Language Trees and Web UI Generation Thoughts on Using SSL/TLS Certificates as the Solution to Phishing Bureaucracy Meets the Web Europe Day HOWTO Establish a 100% Literacy Rate What to Do with All These Photos? Charmod Norm Checking Validator Web Service Interface Ideas DTDs Don’t Work on the Web EFFI’s Day in Court Speaking at XTech
What is EME?
Henri Sivonen · 2013-10-16 · via Henri Sivonen’s pages

It was suggested at the Mozilla Summit that there isn’t good information around about what Encrypted Media Extensions (EME) actually is. Since I’m on the HTML working group and have been reading the email threads about EME there, I thought that I could provide an introduction that explains things that may not be apparent from the specification itself.

TL;DR

EME is a JavaScript API that is part of a larger system for playing DRMed content in HTML <video>/<audio>. EME doesn’t define the whole system. EME only specifies the JS API that implies some things about the overall system. A DRM component called a Content Decryption Module (CDM) decrypts, likely decodes and perhaps also displays the video. A JavaScript program coordinating the process uses the EME API to pass messages between the CDM and a server that provides decryption keys. EME assumes the existence of one or more CDMs on the client system but it doesn’t define any or even their exact nature (e.g. software vs. hardware). That is, the interesting part is left undefined.

Context

Major Hollywood studios require that companies that license movies from them for streaming use DRM between the streaming company and the end user. Traditionally, in the Web context, this has been done by using the Microsoft PlayReady DRM component inside the Silverlight plug-in or the Adobe Access DRM component inside Flash Player. As the HTML/CSS/JS platform gains more and more capabilities, the general need to use Silverlight or Flash becomes smaller and smaller, such that soon the video DRM capability will be the only thing that Silverlight and Flash have but the HTML/CSS/JS platform doesn’t.

Proposals have been written to augment <video> with features that enable the Netflix player to be ported from Silverlight to <video> without a loss of features. The additions are split across two specifications: Media Source Extensions (MSE) and Encrypted Media Extensions (EME). The noncontroversial parts (giving JS precise control over media-related networking) are in MSE and the controversial parts (DRM interface) are in EME. I will not cover MSE further.

So What’s EME?

EME is a JavaScript API for the HTML <video> and <audio> for dealing with media files that contain encrypted tracks.

EME requires the presence of one or more components called Content Decryption Modules (CDM) which are integrated in some way with the browser. For the purpose of this introduction, the CDM is not considered to be part of the browser. The browser (which, as noted, excludes the CDM) is considered untrusted by copyright holders who require DRM to be used. (The browser is assumed to be trusted by the user as before.) The CDM is trusted by the copyright holders to hide certain pieces of data from the user (and to prevent the user from manipulating that data).

A CDM could be bundled with the browser, downloaded separately, bundled with the operating system, embedded in hardware as firmware running in a second domain of computing (such as ARM TrustZone) or wired into hardware. EME leaves this aspect implementation-dependent.

A CDM implements what is colloquially referred to as a DRM scheme but EME calls a Key System. A CDM implements at minimum a Key System-specific format for messages (byte buffers from the EME point of view) to request and receive keys and the capability to decrypt content with the keys acquired via these messages. The inputs of a CDM are Key System-specific initialization data, Key System-specific messages and encrypted media stream data.

EME specifies a toy Key System called Clear Key, which could be used to demonstrate interoperability of two EME implementations to the point of satisfying the requirements of the W3C Process. So far, there has been no indication that anyone would be interested in deploying Clear Key for non-test purposes.

EME does not specify the sort of Key System that one could expect to be deployed for the purpose of streaming Hollywood movies. The non-toy Key System supported by IE 11 on Windows 8.1 is PlayReady (proprietary to Microsoft and bundled with Windows 8.1) and the non-toy Key System supported by Chrome on Chrome OS is Widevine (proprietary to Google and bundled with Chrome OS). Therefore, a Web site that wishes to be cross-browser-compatible needs to support multiple Key Systems.

EME does not specify the output abstraction for CDMs. It leaves open several options. The CDM could:

  • Merely perform decryption and hand back the encoded media (e.g. H.264) to the browser.
  • Perform both decryption and video decoding and hand back the raw frames to the browser for painting.
  • Perform decryption and decoding and transfer decoded pixels directly to an operating system compositor in a way that bypasses the browser.
  • Perform decryption and decoding and then work together with the GPU so that not even the operating system gets the opportunity to read the pixels back from the GPU.

The more the CDM does to conceal the decryption keys, the elementary stream data or the decoded data from software that the user can control, the more likely the CDM is to be approved by the copyright holders for use with content that they hold copyright to. Also, the requirements placed by the copyright holders on CDMs permitted to play HD content may be stricter than the requirements placed on CDMs permitted to play SD content.

If you compare this system to NPAPI plug-ins, the EME JavaScript API is analogous to the <object> element. However, in the EME case there is no standardized analog to NPAPI, since as noted above, even the level of output abstraction isn’t specified.

The media that requires a CDM to play comes in one of the usual container formats. Since the W3C has avoided specifying mandatory formats for <video>, EME doesn’t normatively require support for a specific container format. The EME specification contains guidance for the MP4 (typically used with H.264) and WebM (typically used with VP8) containers. EME does not have normative requirements on whether encryption happens inside or outside the container, but in practice, encryption happens inside the container. Compared to ordinary use of MP4 or WebM, one or more of the elementary streams (“tracks”) inside the container format is encrypted with a key that is not included in the media file. The EME specification does not require a particular encryption scheme, and there are multiple possible ways to have encrypted tracks in MP4. However, when a scheme called Common Encryption is used, one MP4 file can be used with multiple Key Systems.

When a browser that supports EME encounters an encrypted track, it fires an event to a JavaScript program running in the context of the page that contains the <video> element to indicate that in order to decrypt the track, the JavaScript program needs to supply a key to do so. The event comes with initialization data that the browser has extracted from the media file. At this point, the JavaScript program creates a session using a Key System that’s available and pushes initialization data to the CDM that implements the Key System. If the media file works with multiple Key System there are multiple applicable Key Systems implementations (multiple CDMs or a multi-Key System CDM) available to the browser, the JavaScript program gets to choose which Key System to use.

Subsequently, events fired to JavaScript include byte buffers that contain messages in a format specific to the Key System that’s in use for the session. Neither the browser nor the JavaScript program understand the bytes. However, the bytes are expected to form a message that includes an identifier for a key that the CDM needs to decrypt content and likely some cryptographic evidence of the provenance of the CDM to demonstrate to the server that the CDM was provided by an entity that the content copyright holders trust to provide tamper-resistant CDMs. From the perspective of EME, these messages are simply opaque.

The JavaScript program then uses whatever method chosen by the Web application developer to pass the Key System-specific message to the server. Most likely, the JavaScript program does an HTTP POST using XHR. At this point, XHR automatically picks up the session cookie of the user, so user identification can work as in Web apps in general and the CDM does not need to be able to deal with handling user identity. This is in contrast to other plausible architectures where a component analogous to a CDM performs networking directly.

The server side of the Web app needs to have Key System-specific software for each Key System that the Web app supports in order to be able to make sense of the messages received and in order to be able to construct responses.

When the JavaScript program receives a message back from the server, it uses the EME API to push the message to the browser, which in turn pushes it to the CDM. The message is assumed to be encrypted in such a way that neither the JavaScript program nor the browser can make sense of it but the CDM can. The message contains at least the key that the CDM needs to decrypt the encrypted media track(s).

EME doesn’t define how many messages are emitted by the CDM and how many by the server. There might be any number, including new ones during playback, depending on the Key System.

EME does not specify any policy about the conditions under which the CDM may be allowed to decrypt media or a vocabulary for expressing such a policy. EME doesn’t even specify whether a policy is enforced on the server based on information that got sent there or whether a policy is enforced on the CDM based on information received back. That’s all Key System-specific.