Scribd Logo
Upload

Welcome to Scribd!

  • Hulu Content Protection Technologies and Processes

    Uploaded by

    Jinga
    140 views5 pages
    Hulu employs robust content security technologies to protect streaming video content, including: 1) encrypting video delivery and storage using AES-128 or comparable encryption, 2) preventing unauthorized recording or copying of streamed content on devices through digital rights management controls, and 3) authenticating clients and devices to allow access only from authorized locations and prevent hacking or tampering with security protocols. The document provides technical details on Hulu's implementation of these protections for different streaming methods and device types.

    Original Description:

    Copyright

    © © All Rights Reserved

    Available Formats

    PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    Report this Document
    Hulu employs robust content security technologies to protect streaming video content, including: 1) encrypting video delivery and storage using AES-128 or comparable encryption, 2) preventing unauthorized recording or copying of streamed content on devices through digital rights management controls, and 3) authenticating clients and devices to allow access only from authorized locations and prevent hacking or tampering with security protocols. The document provides technical details on Hulu's implementation of these protections for different streaming methods and device types.

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    140 views5 pages

    Hulu Content Protection Technologies and Processes

    Uploaded by

    Jinga
    Hulu employs robust content security technologies to protect streaming video content, including: 1) encrypting video delivery and storage using AES-128 or comparable encryption, 2) preventing unauthorized recording or copying of streamed content on devices through digital rights management controls, and 3) authenticating clients and devices to allow access only from authorized locations and prevent hacking or tampering with security protocols. The document provides technical details on Hulu's implementation of these protections for different streaming methods and device types.

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    of 5

    Confidential

    HULU CONTENT PROTECTION TECHNOLOGIES AND PROCESSES


    I. Core Content Protection Guiding Principles

    Hulu employs robust, industry-accepted content security and protection technologies for streaming online
    video, governed by the following principles:

    1. Secure video delivery


    2. Secure video on clients
    3. Protection against hacking
    4. Maintenance of content integrity
    5. Geofiltering
    6. Network service protection
    7. Ongoing maintenance

    Hulu at all times ensures a primary technical contact is available for questions and comments. The
    primary technical contact is currently: Richard Tom, richard@hulu.com, (310) 571-4802.

    II. Secure Video Delivery

    A. General

    1. Video content is securely delivered from Hulu servers (or the servers of Hulu partners such as
    Content Delivery Networks) to clients, including via:
    a. cryptographic algorithms during transport for encryption, decryption, signatures, hashing,
    random number generation and key generation utilizing cryptographic protocols and
    algorithms
    b. use of AES 128-bit (or comparable) protocol
    c. encrypted transmission of critical security parameters (“CSPs”) such as keys, tokens,
    passwords and other information critical to cryptographic strength
    d. expiring CSPs so they cannot be cached
    e. no exposed media on the server, i.e. streaming source URLs are not exposed to end users
    and expire shortly after being accessed
    2. Video content and CSPs are never transmitted to unauthenticated clients
    3. Streaming source URLs are short-lived and individualized

    B. Flash Streaming

    Video content is streamed to PCs using Adobe Flash Media Server 3.5, which offers the following
    content protection features:

    1. Unique transfer protocol: video content is wrapped inside an unpublished, proprietary Adobe
    protocol called RTMP (or Real Time Messaging Protocol), minimizing the ability of
    unauthorized programs to capture video content
    2. No exposed media on server: content delivered by Flash Media Server is not exposed to HTTP,
    FTP, or other transfer mechanisms, so media cannot be copied directly from server
    Confidential

    3. Referrer URL checks: the video player requesting the content must reside on Hulu.com or an
    approved domain
    4. Encrypted streams: streaming via a 128-bit encrypted version of RTMP called RTMPE

    C. HTTP Live Streaming

    The following content protection features are offered when streaming video content using HTTP Live
    Streaming:

    1. Video content streaming is encrypted using AES 128 encryption, i.e. the METHOD for EXT-X-
    KEY is ‘AES-128’
    2. The m3u8 manifest file is only delivered to requesting, authenticated clients
    3. The content encryption key is delivered via SSL, i.e. the URI for EXT-X-KEY is a https URL
    4. The content encryption key is stored securely within the application using obfuscation
    5. The URL from which the m3u8 manifest file is requested is short-lived and unique to each
    requesting client

    D. Streaming over SSL

    The following content protection features are offered when streaming video content over SSL:

    1. Video content streaming is encrypted using AES 128 encryption or SSL cipher of similar strength
    and industry acceptance
    2. The content encryption key is delivered encrypted
    3. The content encryption key is stored securely within the application using obfuscation

    III. Secure Video on Clients

    A. General

    1. Video content
    a. Video content cannot be recorded, copied, stored, re-broadcast or retransmitted by clients
    b. Video content is never stored permanently at a client in its entirety
    c. Video content is decrypted into buffer memory temporarily and only in limited portions
    for the purpose of decoding and rendering uninterrupted playback of content
    d. Buffered memory is maintained in secure system memory
    e. Recording of video content onto recordable or removable media is prohibited
    2. CSPs
    a. Server-side CSPs are always encrypted, stored in secure locations and rotated so they
    cannot be cached
    3. Client authentication
    a. Unique CSPs are associated with each client, preventing unauthenticated clients from
    requesting video files
    b. Valid device identifiers are required, allowing audits on the number of video file requests
    made from a specific device
    Confidential

    c. Ability to revoke client and device access to video content, including via class-level
    device parameters providing server-side ability to revoke access from entire classes of
    devices

    B. PC Video Protection

    Video content is protected on PCs using Adobe Flash Media Server 3.5, which offers the following
    content protection features:

    1. No client cache: video content delivered through Flash Media Server is not stored locally on
    client computers in their web browser cache
    2. SWF Verification: verifies the client Flash file (i.e. SWF File) before allowing this file to connect
    to the Flash server and receive streaming content

    C. Connected Device, Mobile and Tablet Video Protection

    1. Secure video output protection


    a. Video output is protected using content protection mechanisms on devices to disable
    copying and unauthorized retransmission
    b. Analog output is protected by CGMS-A content protection (set to “Copy Never”) or
    comparable protection
    c. Digital output is protected by HDCP or comparable protection (e.g. Digital Transmission
    Copy Protection)
    2. Secure application runtime environment
    a. All applications, including video playback components, are securely distributed to
    devices using AES 128-bit (or comparable) encryption and stored in secure, protected
    memory on devices
    b. Encryption and security prevents applications from being decompiled, reverse
    engineered, run in emulation or used in any unauthorized manner
    3. Local encryption CSPs
    a. In addition to server-side rotating CSPs, a secondary local encryption key is stored in
    device applications that can be invalidated on the server to force end users to upgrade
    their application and obtain a new, valid local encryption key
    4. Resident device operating systems
    a. Content is displayed on clients using APIs provided by resident device operating systems
    to the greatest possible extent
    b. Applications follow all relevant resident device operating system best practices,
    specifications and guidelines to ensure security and robustness to the greatest possible
    extent

    IV. Protection Against Hacking

    1. Content protection technologies employ industry-standard tamper-resistant technology such as:


    Confidential

    a. Code and data obfuscation: the executable binary dynamically encrypts and decrypts
    itself in memory so that the algorithm is not unnecessarily exposed to disassembly or
    reverse engineering
    b. Anti-debugging detection: applications are actively monitored for external debugging
    tools attempting to access application memory
    c. Red herring code: the security modules use extra software routines that mimic security
    modules but do not have access to CSPs
    2. Security-critical data is cryptographically protected against tampering, forging and spoofing
    3. Secure internal data channels are used to prevent interception of data transmitted between system
    processes

    V. Maintenance of Content Integrity

    1. Content protection technology maintains the integrity of all video content and detects
    modification and tampering of content from its originally encrypted form
    2. Embedded information
    a. Content protection technology does not remove or interfere with embedded watermarks
    in video content
    b. Video content delivery systems pass through embedded copy control information without
    intentional alteration, modification or degradation (other than in the ordinary course of
    distribution)

    VI. Geofiltering

    1. Only clients with IPs originating from authorized geographic territories may access video content
    2. Video content stored on content delivery networks (e.g. Akamai, Level, Limelight) is filtered
    based on IP address and secure CSPs using industry-standard geofiltering technology, including:
    a. look-up tables
    b. screening for web proxy and anonymizing services
    c. roaming prevention (in the case of mobile delivery)

    VII. Network Service Protection

    1. All licensed content is protected at operations sites and facilities, including operational controls
    and procedures for the reception, preparation, management, storage and return of video content
    2. Access to content in unprotected formats is limited to authorized personnel, and auditable records
    of actual access is maintained
    3. All facilities that process and store content are reasonably available for audits

    VIII. Ongoing Maintenance

    1. Content protection technology is promptly and securely updated in the event of a security breach
    2. Content protection technology is renewable and securely and remotely updateable
    Confidential

    3. Hulu uses commercially reasonable efforts to keep its content security and protection technology
    systems up to date to reflect security enhancements available in the marketplace and accepted as
    industry practice

    You might also like