Key Rotation Challenges in DRM Content for Offline Playback

Introduction

When streaming services lock content, downloading it lets people watch shows movies without needing WiFi. In the past, systems protecting digital content used static encryption keys. One key was used to decrypt all of the content. As content security gets better, regularly changing the keys used to protect it provides a strong way to improve safety.

Changing encryption keys regularly, like with each section of data, protects your information. If a key gets stolen, only that specific section is at risk, leaving everything else safe. This helps keep things safe, yet it creates a real problem for video apps, especially when you want to watch videos without internet access. The video player used to unlock content with a single PSSH key (Protection System Specific Headers). Now, it finds several different keys scattered throughout the video, so unlocking becomes trickier.

When Key Rotation is disabled:

• From the server, a single PSSH key is being used to decrypt all media chunks, so that offline playback works seamlessly.

When Key Rotation is enabled:

• A unique PSSH key will be integrated in each segment (group of segments also). The player which was designed to handle only one key earlier would have to manage all these extra keys to decrypt the content, and if the player cant find these keys then offline playback fails mid content

This blog details the challenges we solved to get offline viewing working with updated security. To ensure seamless downloading and proper offline video playback, we have updated the core logic of video downloading and license generation whenever we have a content which is enabled with Key Rotation.

The Problem: Why Did Offline Playback Fail?

We found the MPD (Media Presentation Description) file that describes how media plays, including details about video quality, security, and individual pieces of content, started with one PSSH key when Key Rotation was disabled. This let the DRM system to create a decryption license effortlessly..

With Key Rotation enabled:

1. 1. No PSSH key was available in the MPD file.
   2. PSSH keys went into video sections, not the manifest file.
   3. At first, we only got the PSSH key for the initial part. This let us unlock a small portion of the video.
   4. The video stopped working when it moved to a new part protected by a different key. This broke the ability to watch it without internet.

Basically, the DRM didn’t know about all the different keys required to play the full video. We grabbed every PSSH key while downloading, combined them into one set of data , then built a license with all the decryption keys.

The Solution: A Robust Workflow for Key Rotation Support

We fixed the problem with DASH videos on Android devices that use Widevine L3 security. We did this with several changes. The system gets, handles, combines all PSSH keys, while maintaining DRM compliance for smooth downloading and offline playback.

1. Initial PSSH Extraction from the First Segment
The initial PSSH key is very important as it is used to create the first DRM session which allows to start the downloading of content. So to retrieve this key we fetch the first media segment so we can extract its PSSH key.

Extracting the First PSSH Key

Explanation:
This extracted PSSH key is used to setup and intialize the DRM session and this enables the decryption of first few content chunks.

2. Dynamic PSSH Extraction While Downloading Segments
To extract every PSSH key dynamically from each video chunk we created a DashExtractor class which parses the downloaded segment in the form of byte array. To make sure no key is missed, all the unique extracted keys are added to a list (psshList).

Extracting PSSH Keys During Download

Explanation:
By using DashExtractor class we have extracted only the unique PSSH keys, duplicates are avoided and then added to the list.

3. Merging Multiple PSSH Keys
The MergePsshHelper class is used after all chunks are downloaded, to combine all the unique extracted PSSH keys into a single byte array. To create schemeData object the data of all the extracted keys is used using MergePsshHelper.

Merging PSSH Keys

Explanation:
MergePsshHelper merges the PSSH keys byte-by-byte, ensuring the combined data remains valid for the DRM system.

4. Generating the Offline License
After successfully merging all the keys, we need to download the offline license so that whenever video will be played without internet all the segments will have their respective decryption keys via license.

Generating the Offline License

Explanation:
With all the keys merged in a single object and using the same object to generate the offline license which has all keys is stored in keySetId.  This keySetId will be used in decryption of all segments at the time of offline playback.

5. Preserving Database with updated Values
If app restarts and database is not updated with the latest license, then it will use the old license which only contained the first segment PSSH key, this will result in errors while offline playback. So we need to update the database with license generated with all keys i.e. keySetId

Updating Database with offline license

Why This Approach is Effective

1. 1. Extracting PSSH keys dynamically:
      We aimed to get every PSSH key, because missing one caused problems with watching videos. So, during downloads, we used a class called DashExtractor to pull these PSSH keys from each video segment.
   2. Generation of License with all keys:
      To use without internet we created a license which included all the security keys we already had. We combined those keys into one piece of data (schemeData), then the DRM system built a complete offline license.
   3. Support for Offline Playback:
      The license you got has everything including the decryption keys which are needed to unlock the content, so it plays smoothly even when Key Rotation is enabled.

Conclusion

Switching encryption keys for content with digital rights management makes things more involved, however, it really improves how safe the content is. We get security keys from video pieces, combine them, then make one license. This lets you watch DASH videos offline, even those protected by Widevine L3.

This method fixed problems with video playing, it also provides a strong system for managing changing encryption keys in digital rights management.

If developers run into trouble, this process gives a useful, adaptable way to keep videos playing smoothly in changing, protected streaming setups.