How Windows Media Rights Manager Works

In order to maximize the security of the Windows Media Rights Manager system, a number of interlocking features and algorithms are used. The goal of Windows Media Rights Manager is to make compromising the system and playing content without authorization as difficult as possible. To that end, Windows Media Rights Manager designers have created a complex system that takes many potential security breaches into account. The system can be a challenge to understand, and requires software development expertise to implement. For that reason, many businesses, including Contoso Movies Online, choose to contract with third-party DRM license service providers. The provider handles the complexities of the system, maintains license records, and issues licenses to clients.

With a licensing service to handle content security and an e-commerce service to handle transactions and accounting, Contoso can concentrate on the content: acquiring the titles and encoding the movies with encryption. Windows Media Encoder
makes working with Windows Media Rights Manager easy. Through the encoder, you can access a license provider service that will create a DRM profile on your computer. You can then use the DRM profile to encode and encrypt files or live streams in one step.

All of the code and components to create custom solutions for licensing Windows Media Rights Manager content can be found in the Windows Media Rights Manager 9 Series SDK. The Windows Media Encoder 9 Series SDK is also required to generate DRM profiles for the encoder. The SDKs also provide information on how Windows Media Rights Manager systems work. A licensing system can be created using a number of scripting and programming languages. For example, a complete licensing system can be written with ASP pages and VBScript, and hosted on a Web server.

Figure 13.1 provides an overview of the Windows Media Rights Manager system. To understand the overall functioning of a Windows Media Rights Manager system, we have combined a lot of the details. The diagram shows a typical Windows Media Rights Manager scenario. Keep in mind, however, that because you create systems with SDKs, there are many possible solutions.

Figure 13.1: Using Windows Media Rights Manager in a DRM system.

Three entities are involved in a Windows Media Rights Manager system:
the license provider, content creator, and end user. Security is provided by encrypting content; however, at least half of the system is involved with the other part of the process, which is selectively enabling end users to decrypt the files so they can be played.

The following process describes the content creation part of the Windows Media Rights Manager scenario in the diagram:

1. The content creator opens Windows Media Encoder and sends a request for a DRM profile to the license provider. The DRM profile contains all the data needed for configuring the encoder to encrypt a file or live stream.

2. The profile creation process opens in the encoder. Typically, the process consists of one or more forms created by the license provider, such as the one in figure 13.2. The content creator fills in details, such as the movie title, and selects the rights that apply. For example, you could apply a special offer to a movie that allows a customer to play it once at no cost. All of the basic rights and rules have already been established with the provider.

   
   Figure 13.2: Creating a DRM profile.

3. The license provider generates a DRM profile on the encoding computer from the information just provided and from existing account information. The DRM profile contains a license key seed, which is one of two components needed to generate a key. The key is used to encrypt the file or stream. The DRM profile also contains information that is added to the content header of the file or stream, including a license acquisition URL.

4. The content creator adds the DRM profile to the encoding session and a key ID is created, which is the other component needed to generate a key. Figure 13.3 shows a DRM profile in Session Properties after it has been added to a session and the key ID has been generated.

   
   Figure 13.3: The properties created for a DRM profile.

5. Information used to create the DRM profile is also saved in a license provider database.

6. The content creator encodes the movie with the DRM profile and key ID, and then copies it to the Windows Media server.

When the file is made available for streaming, end users can come to the site and pay to rent the movie. The site could also enable end users to purchase movies. The only difference between configuring Windows Media Rights Manager for purchasing and for renting is the way in which rights are applied in the license. For rentals, you would configure the rights with an expiration time of, say, 48 hours, or a limited number of plays. For movie purchases, you would simply give the file unlimited plays and no expiration.

After an end user’s payment has been approved by the e-commerce service, the license provider receives approval and the licensing process begins.

1. E-commerce and content identification information are received by the license provider. Content information comes from the Web page through which the end user ordered the movie. E-commerce information is sent by the e-commerce provider. Typically, the only e-commerce information needed by a license provider is whether license issuance has been approved.

2. Content information is used to locate the DRM profile record in the license provider database. The content information on the Web page could be a simple ID number, which is used by the database engine to locate corresponding information that should not be exposed to the public, such as the license key seed.

3. Rights associated with the content are also retrieved from a database. Rights determine how the content can be used. For example, you can set the number of plays for a file or stream and an expiration date.

4. Content information, the key used to protect the content, and rights are used to generate a unique license, which is then issued to the client. When the license is issued, it is installed on the end user’s computer.

5. The end user can then download or begin streaming the movie.

6. Windows Media Player searches the computer for a valid license. If the license exists, the movie plays.

This method for obtaining a license is called silent predelivery. With this method, the end user may not even be aware a license process is occurring. With predelivery, a license is generated before an end user begins playing encrypted content. After receiving the go-ahead from the e-commerce service, the download or streaming process begins. During the first few moments of the process, the license is generated and installed on the client without any need for further intervention by the end user.

Predelivery can be made moments before streaming begins or at any other time prior to playing the content. You could create a subscription service by predelivering a license that covers a number of files or streams. An end user could then purchase a license that covers content that will be delivered over several months or a year, for example.

An end user can also obtain a license through the standard delivery method, which involves the use of the license acquisition URL that was added to the content header when the stream was encoded. This is the method shown in figure 13.1. With standard delivery, the license acquisition process begins after an end user attempts to play encrypted content. Whenever an end user starts to play an encrypted file or stream, Windows Media Player checks the computer for a valid license. If there is none, the Player extracts the URL from the content header and opens the Web page. The page used by the Contoso Movies Online site will guide the end user through the process of paying for a movie rental, and then issue a license.

With this method, an end user does not even have to receive the encrypted stream from the content owner’s site. For example, an end user could copy the file from a friend’s computer, from a CD, or from another site. It does not matter where the file comes from because the only way to play the file is by obtaining a license from the Web page identified in the license acquisition URL.