Creating a Rights Management System


In this part of the chapter, we will create a Windows Media Rights Manager system using sample files from the companion CD. The samples are included with the whitepaper, “Developing a License Provider Service for Windows Media Encoder.” The whitepaper provides details on how to set up a license provider service that supports DRM profiles in the encoder. We will run the samples and describe the process, but we will not go into the details of using the programming objects and methods. We will also use a VBScript-based program instead of the Visual Basic-based program described in the whitepaper.

To run the sample Windows Media Rights Manager process, you need a computer running Windows 2000 Server, Windows XP Professional, or Windows Server 2003. You will use the computer to both encode and encrypt a Windows Media file from a video file, and issue licenses to play the file. In order to issue licenses, you will set up the computer as a license server.

To run the sample, you need to install the following software and services:

  • Microsoft Internet Information Services (IIS). Install IIS using the Windows Components Wizard in the Add or Remove Programs utility in Windows Control Panel.

  • Windows Media Encoder 9 Series SDK (available on the companion CD).

  • Windows Media Encoder 9 Series (available on the companion CD).

  • Windows Media Rights Manager 9 Series SDK. For information about how to get the SDK, go to the MSDN Web site (http://msdn.microsoft.com/library) and see the article, “Getting Started with Windows Media Rights Manager SDK,” located in the Digital Rights Management area.

You will also need a sample video file. For the exercise, choose a short video to minimize the wait for the encoding process.

Creating a License Server

After the required software has been installed, set up the computer to issue licenses for the sample process:

  1. Create the following folder in the IIS default Web site: %systemdrive%\inetpub\wwwroot\wm.

  2. Copy the sample files IssueLicense.asp and IssueLicense_ns.asp from the CD to the new folder.

  3. From the Windows Media Rights Manager SDK sample folder, copy Global.asa to the new folder. The SDK sample folder is installed in %systemdrive%\WMSDK\Windows Media Rights Manager.

  4. Open the IIS snap-in. In Properties for the \wm folder, create a new application. Then in Execute Permissions, select Scripts and Executables. In creating a new application, you are designating the wm folder as the starting point (application root) for the application, which in our case generates licenses. For more information, see IIS Help or Quick Start in the Windows Media Rights Manager SDK.

  5. Stop and then restart the World Wide Web Service so the new settings take effect.

In the following steps, you will get a certificate and revocation list for your license server from the Microsoft Web site. The certificate enables the computer to issue licenses. The revocation list contains all the application certificates of Player software known to be damaged or corrupted and prevents the server from issuing licenses to those copies of the Player. The entire process can take less than a minute to complete.

  1. In a browser, go to http://licenseserver.windowsmedia.com. Click Enroll to get a new certificate, and then follow the instructions. After the form has been submitted, an e-mail message will be sent to you containing a token that you will use in the next step.

  2. Return to http://licenseserver.windowsmedia.com, and click Complete the enrollment with your e-mail confirmation. In this form, enter the token number, and complete enrollment.

  3. Return to http://licenseserver.windowsmedia.com, and click Download the latest License Service Information to install the latest revocation list.

Your computer is now ready to issue licenses.

Encoding and Encrypting a File

In the following steps, you will use a program written with VBScript to encode and encrypt a video file. The program runs using Windows Script Host, which is included with the installation of your Windows operating system. You can use any video file with an .avi, .mpg, or .wmv file name extension as the source.

Keep in mind that, as you follow the process, you will be performing the tasks of both a license service and a content creator on the same computer. In practice, the content creator requests a DRM profile from a license service, which is most often a third-party provider.

Also, think about how the sample process relates to the overview diagram in figure 13.1. Most of the work of encrypting streams and issuing licenses is done automatically with the DRM components on the license server, Windows Media Encoder, and Windows Media Player. The task of developing a Windows Media Rights Manager process is mainly about making sure the different components have the correct information to do their jobs, such as the key ID, license key seed, and content ID. As you follow the process, notice how the information is exchanged between components. In running the samples, we are not concerned with who has access to the information. In practice, however, information like certificate, seed, and key values should only be shared with trusted employees and vendors.

  1. From the CD sample folder, copy DRMEncoderScript.vbs to an empty folder, such as c:\DRMsample, and then double-click the file.

    The program starts running. The user interface for the simple VBScript-based program consists of a series of message and input boxes. Each box stops execution of the program and either informs you of what the program is doing or asks for input.

  2. Click OK to close each message and advance to the next part of the program.

    As you do, the program generates and exchanges information between DRM components. The components use the information to create a key and content header. The first five messages display values for MS LS Root Certificate, Licensor Certificate, private key, public key, and signed public key. The two certificate values were generated on your computer when you enrolled at the Microsoft certification site. The three keys are generated by the program and are used to sign the content header. By signing the header, you increase security and prevent tampering with the encrypted file.

    In practice, the certification values would be associated with the license provider server, and the keys would be generated by the license provider server prior to creating a DRM profile.

  3. In the input box, type the URL of the license provider site, and then click OK. In the sample, the site is the wm folder, http://MyComputer/wm.

    The program creates the DRM profile and installs it automatically on the encoding computer. In practice, the license provider server would create the DRM profile on the encoding computer. The programming method that generates the DRM profile sends certain information back to the provider. The provider then saves this in a database and uses it later to generate a license. In our case, the information that would be returned to the license provider is saved in two text files.

  4. Click OK to close the next four messages that show new information generated about the version 7 public key, DRM profile ID, license key seed, and the key ID.

    The DRM profile and a pre-defined encoding profile are used to create an encoding session. The session contains the settings that will be used to encode and encrypt the video file. When the DRM profile is added to the session, a key ID is generated. A key is generated from the key ID and the license key seed. This new key will be used to encrypt the content. The key ID will also be added to the content header. You can use the same key ID if you want multiple files or streams to share the same license. You can use this method for a subscription model, for example.

    The version 7 public key is used during license acquisition to verify the version 7 portion of the content header.

  5. In the next two input boxes, enter the paths and file names of the input (source) and output video files. The sample program encodes and encrypts a file using a fixed encoding profile. In practice, you would configure your own encoding properties in Windows Media Encoder.

  6. Click OK to encode and encrypt the file. For a large file, the process can take several minutes.

To summarize, the DRM profile creation process and the process of adding the DRM profile to the encoder session use or generate the following information:

  • License acquisition URL. When a Player attempts to play the encrypted file without a valid license, it will open the Web page associated with this URL so the end user can obtain a license. The URL is contained in the DRM profile and added to the content header when the file is encoded.

  • Private key. This key is added to the DRM profile and will be used to sign the content header.

  • Signed public key. Used in signing the header.

  • Licensor certificate. Generated when the license server is certified.

  • DRM license server root certificate. Generated when the license server is certified.

  • Version 7 public key. Generated during the DRM profile creation process. The value is used to verify the version 7 portion of the content header. The value is added to the DRM profile and the license provider database.

  • DRM profile ID. Generated during the DRM profile creation process. The value identifies the DRM profile. The value is added to the DRM profile and the license provider database.

  • License key seed. Generated during the DRM profile creation process. The value is used with the key ID to create the key that is used to encrypt the file. This value is added to the DRM profile and the license provider database.

  • Key ID. A new key ID is generated each time a DRM profile is added to an encoding session. The DRM profile itself does not contain a key ID.

Notice that there does not have to be any content-specific information included in a DRM profile. In the sample, the key ID is the only content-specific information, and it is not part of the DRM profile. Therefore, the same DRM profile can be used to encrypt multiple files and streams.

At this point, the DRM profile is on the computer. After closing the VBScript-based program, you can open Windows Media Encoder and the DRM profile will appear in the list on the Security tab in Session Properties. Later, you can use the DRM profile to try encoding other content, such as a live stream. However, we will continue with the sample process.

The first part of the Windows Media Rights Manager process is finished and an encrypted file has been created.

Transferring Information to the License Server

The license server requires two pieces of information in the DRM profile in order to issue licenses: the version 7 public key and the license key seed. Typically, this information would be kept in a secure database. In our sample, we will copy the information from two text files to a Global.asa in the wm folder of the IIS default site. The sample ASP pages will then retrieve the key and seed values to generate the license.

  1. Open LKSEED.txt and PUBKEYV7.txt in Notepad. The files were created by DRMEncoderScript in the same folder as the script file.

  2. Open the Global.asa file in Notepad.

  3. Copy the LKSEED text to the Application("seed") value in the Global.asa. Paste over the placeholder value, xxx, and delete any trailing spaces. For example, the line in the Global.asa might look like this:

    Application("seed") = "QE9foBvvww99901Mma" 

  4. Copy the PUBKEYV7 text to the Application("contentserverpubkey") value in the Global.asa.

  5. Save and close the Global.asa. All other information to license the content will come from the content header and client information when a request is received from the Player.

Generating a License to Play the File

In the following steps, your computer will act as license server and client. In this sample, we will use the standard method of delivering a license. Again, refer to the diagram in figure 13.1 as you run through the steps.

  1. Locate the output file and double-click it. Windows Media Player opens the file and launches the license acquisition URL, which is IssueLicense.asp on your computer’s Web site.

    To obtain a license, the Player provides the license server with client information and the content header. Client information includes the type and version of Player and DRM component, and a unique client DRM identification. The content header consists of the following information:

    • Key ID. The value that is used to encrypt and decrypt the file.

    • Content ID. An optional value that uniquely identifies the Windows Media file.

    • License Acquisition URL. Carried over from the DRM profile.

    • Individualization version. An optional value that specifies the minimum version of individualization that an end user’s Player must have to play the file.

    • Attributes. Optional values that a content creator can add.

    The ASP page runs the following processes automatically, resulting in the issuance of a license.

  2. Check the individualization version. The version number in the header is used to determine whether the Windows Media Player DRM component is up to date. If not, the message in figure 13.4 is displayed, and the end user can choose to update the component. If they do not update, they will not be able to play the content.

    Figure 13.4: The error generated by a Player that is not individualized.

  3. Retrieve public key and license key seed from Global.asa.

  4. Retrieve content header and client information.

  5. Generate a key by using the key ID from the content header and the license key seed.

  6. Set the rights, which determine how the end user can use the content. In the sample, the rights contained in the ASP page enable the client to play the file twice. After the second play, the client is prompted to obtain a new license. In practice, rights would be stored in a license provider database, and would be retrieved based on information contained in the content header.

  7. Generate the license by using the information that has been gathered. Notice that security is maximized by integrating information from three sources: the content, the license provider database, and the client.

  8. Send the license and store the unique license on the client computer. The license cannot be moved or copied, and is associated with the computer on which it is issued.

  9. A Play button appears on the Web page displayed by the Player, enabling you to play the file.
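
The key handling in steps 3 through 8 above, together with the earlier statement that the content key is generated from the key ID and the license key seed, modeled as an added example (not code from the book or the SDK samples). HMAC-SHA256 stands in for the Windows Media Rights Manager key derivation, which the chapter does not describe; the seed, key IDs, client IDs, and all function and class names are constructed for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass

def derive_content_key(seed: bytes, key_id: str) -> bytes:
    # Stand-in KDF (HMAC-SHA256), not the Windows Media Rights Manager algorithm.
    return hmac.new(seed, key_id.encode("ascii"), hashlib.sha256).digest()[:16]

def package(seed: bytes, key_id: str, la_url: str = "http://MyComputer/wm"):
    """Encoder side: build the content header and the key that encrypts the file."""
    header = {"key_id": key_id, "la_url": la_url}
    return header, derive_content_key(seed, key_id)

@dataclass
class License:
    key_id: str
    client_id: str
    content_key: bytes
    plays_left: int

class LicenseServer:
    """Stores only the license key seed; content keys are re-derived per request."""
    def __init__(self, seed: bytes, play_count: int = 2):
        self._seed, self._play_count = seed, play_count

    def issue(self, header: dict, client_id: str) -> License:
        key = derive_content_key(self._seed, header["key_id"])  # step 5
        return License(header["key_id"], client_id, key, self._play_count)  # steps 6-7

def play(lic: License, header: dict, client_id: str) -> bool:
    """Player side: license must match this client and key ID and have plays left."""
    if lic.client_id != client_id or lic.key_id != header["key_id"] or lic.plays_left <= 0:
        return False
    lic.plays_left -= 1
    return True

def demo() -> dict:
    seed = b"constructed-sample-seed"      # constructed value, not a real seed
    server = LicenseServer(seed)
    h1, k1 = package(seed, "KID-A")
    h2, k2 = package(seed, "KID-A")        # second file sharing the key ID
    lic = server.issue(h1, "client-1")
    return {
        "server_rederives_key": lic.content_key == k1,
        "shared_key_id_shares_key": k1 == k2 and play(server.issue(h1, "client-1"), h2, "client-1"),
        "other_key_id_differs": package(seed, "KID-B")[1] != k1,
        "plays": [play(lic, h1, "client-1") for _ in range(3)],  # rights: two plays
        "other_client_can_play": play(server.issue(h1, "client-1"), h1, "client-2"),
    }
```

Because the server re-derives every content key from the seed, anyone who can read the seed can derive the key for any file packaged under that DRM profile, which is why the chapter says the value would typically be kept in a secure database.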

In practice, e-commerce processes can be inserted after the content header and client information have been retrieved. For example, a short series of e-commerce pages can gather payment information and then return an authorization code, which either allows the license process to continue or stops it.

Note that a license can be sent using silent or non-silent delivery. If the Player is set for silent delivery, licenses are sent automatically. If the Player is not set to acquire licenses automatically, the IssueLicense_ns.asp page is called. The only difference between the two methods is that a confirmation message is displayed when non-silent delivery is selected.

This sample demonstrates license delivery using the license acquisition URL. To use predelivery, you would typically initiate the license process from a Web page. After authorization was received, the page would pass content information to the license service provider. The license would then be generated and sent to the client, prior to the content being played.




Microsoft Windows Media Resource Kit
Microsoft Windows Media Resource Kit (Pro-Resource Kit)
ISBN: 0735618070
EAN: 2147483647
Year: 2005
Pages: 258
