标签:android des style http os strong io for
This document introduces Widevine DRM security levels and certification requirements. It explains how to integrate and distribute Widevine DRM for your product. Android provides the Widevine DRM solution with a royalty-free license and we recommend that you use it for your protected playback solution.
Availability of rich digital content is important to users on mobile devices. To make their content widely available,Android developers and digital content publishers need a consistent DRM implementation supported across the Androidecosystem. In order to make that digital content available on Android devices and to ensure that there is at leastone consistent DRM available across all devices, Google provides Widevine DRM for free on compatible Android devices.On Android 3.0 and higher platforms, the Widevine DRM plugin is integrated with the Android DRM framework and useshardware-backed protection to secure movie content and user credentials.
The content protection provided by the Widevine DRM plugin depends on the security and content protection capabilities of the underlying hardware platform. The hardware capabilities of the device include hardware secure boot to establish a chain of trust of security and protection of cryptographic keys. Content protection capabilities of the device include protection of decrypted frames in the device and content output protection via a trusted output protection mechanism. Not all hardware platforms support all the above security and content protection features. Security is never implemented in a single place in the stack, but instead relies on the integration of hardware, software, and services. The combination of hardware security functions, a trusted boot mechanism, and an isolated secure OS for handling security functions is critical to provide a secure device.
Android 3.0 and higher platforms provide an extensible DRM framework that lets applications manage protected content using a choice of DRM mechanisms. For application developers, the framework offers an abstract, unified API that simplifies the management of protected content. The API hides the complexity of DRM operations and allows a consistent operation mode for both protected and unprotected content across a variety of DRM schemes. For device manufacturers, content owners, and Internet digital media providers the DRM framework plugin API provides a means of adding support for a DRM scheme of choice into the Android system, for secure enforcement of content protection.
Note: We recommend that you integrate the Widevine solution as it is already implemented and ready for you to use.
Built on top of the Android DRM framework, the Widevine DRM plugin offers DRM and advanced copy protection features on Android devices. Widevine DRM is available in binary form under a royalty free license from Widevine. The Widevine DRM plugin provides the capability to license, securely distribute, and protect playback of multimedia content. Protected content is secured using an encryption scheme based on the open AES (Advanced Encryption Standard). An application can decrypt the content only if it obtains a license from the Widevine DRM licensing server for the current user. Widevine DRM functions on Android in the same way as it does on other platforms. Figure 1 shows how the WideVine Crypto Plugin fits into the Android stack:
The following sections go over the different security levels that Widevine supports and the requirements that your product must meet tosupport Widevine. After reading the information, you need to determine the security level for your target hardware, integration, and Widevine keybox provisioning requirements.
To integrate and distribute Widevine DRM on Android devices, contact your Android technical account manager to begin Widevine DRM integration.We recommend you engage early in your device development process with the Widevine team to provide the highest level of content protection on the device. Certify devices using the Widevine test player and submit results to your Android technical account manager for approval.
Security is never implemented in a single place in the stack, but instead relies on the integration of hardware, software, and services. The combination of hardware security functions, a trusted boot mechanism, and an isolated secure OS for handling security functions is critical to provide a secure device.
At the system level, Android offers the core security features of the Linux kernel, extended and customized for mobile devices. In the application framework, Android provides an extensible DRM framework and system architecture for checking and enforcing digital rights. The Widevine DRM plugin integrates with the hardware platform to leverage the available security capabilities. The level of security offered is determined by a combination of the security capabilities of the hardware platform and the integration with Android and the Widevine DRM plugin. Widevine DRM security supports the three levels of security shown in the table below.
Security Level | Secure Bootloader | Widevine Key Provisioning | Security Hardware or ARM Trust Zone | Widevine Keybox and Video Key Processing | Hardware Video Path |
---|---|---|---|---|---|
Level 1 | Yes | Factory provisioned Widevine Keys | Yes | Keys never exposed in clear to host CPU | Hardware protected video path |
Level 2 | Yes | Factory provisioned Widevine Keys | Yes | Keys never exposed in clear to host CPU | Hardware protected video path |
Level 3 | Yes* | Field provisioned Widevine Keys | No | Clear keys exposed to host CPU | Clear video streams delivered to video decoder |
*Device implementations may use a trusted bootloader, where in the bootloader is authenticated via an OEM key stored on a system partition.
In this implementation Widevine DRM keys and decrypted content are never exposed to the host CPU. Only security hardware or a protected security co-processor uses clear key values and the media content is decrypted by the secure hardware. This level of security requires factory provisioning of the Widevine key-box or requires the Widevine key-box to be protected by a device key installed at the time of manufacturing. The following describes some key points to this security level:
In this security level, the Widevine keys are never exposed to the host CPU. Only security hardware or a protected security co-processor uses clear key values. An AES crypto block performs the high throughput AES decryption of the media stream. The resulting clear media buffers are returned to the CPU for delivery to the video decoder. This level of security requires factory provisioning of the Widevine key-box or requires the Widevine key box to be protected by a key-box installed at the time of manufacturing. The following list describes some key requirements of this security level:
This security level relies on the secure bootloader to verify the system image. An AES crypto block performs the AES decryption of the media stream and the resulting clear media buffers are returned to the CPU for delivery to the video decoder.
Device manufacturers must provide a bootloader that loads signed system images only. For devices that allow users to load a custom operating system or gain root privileges on the device by unlocking the bootloader, device manufacturers must support the following:
Widevine DRM Provision:
Widevine *DRM and Keybox,布布扣,bubuko.com
标签:android des style http os strong io for
原文地址:http://blog.csdn.net/tody_guo/article/details/38345199