The MDC has published a specification to secure streamed content to authorized clients, and further simplify integration with existing services.


To download the Marlin Simple Secure Streaming (MS3) white paper, click here.

Q&A


 

What is Marlin Broadband?
Marlin Broadband is a full-featured DRM technology that easily scales from simple to complex business models, supports downloading or streaming content, subscription or purchase to own usage, and deployments to devices or to domains, to name but a few of the options.

What is MS3?
MS3 is the Marlin Simple Secure Streaming Specification for services to authenticate trusted clients and securely issue content keys or authentication tokens to enable these clients to access streamed content. Content can be clear or protected by one of the supported Marlin File Formats and can be streamed over a variety of protocols.

What are the benefits of using MS3?
Beyond offering a secure, simple and low-cost solution for commercial services to get to market with streaming content, other key benefits include:
  • Authentication/authorization of clients even for unprotected content delivery.
  • A technology that easily supports emerging HTTP-based adaptive streaming technologies like Microsoft’s Smooth Streaming or Apple’s HTTP Live Streaming.
  • The fact that content needs to be packaged only once for both MS3 and Marlin Broadband deployments, and that it is encrypted prior to streaming, instead of being streamed over a protected channel, thus minimizing overhead for CDNs.
  • Lastly, MS3 is an open standard that can be implemented by anyone with access to the specification.

How does MS3 work?
In an MS3 deployment, a Media Service supplies a client with content location information (C-URL) and the location of an MS3 Service (S-URL) where the authorization to access the content may be obtained. The MS3 Service provides this authorization via a Stream Access Statement (SAS) to authorized clients. In a typical scenario, the client contains a web browser for accessing the Media Service and acquiring an S-URL and C-URL. The client also includes a hardened component responsible for establishing a TLS session with the MS3 Service, retrieving the authorization to access (and the key to decrypt) the content, and feeding the content to the media-rendering pipeline in a manner consistent with the content rules.



What elements does MS3 specify?
MS3 specifies the following 3 elements:
  • a container (SAS) that contains a content encryption key and output control flags delivered over a secure channel. SASs are typically discarded at completion of the playback session for the content item they authorize access to.
  • a simple TLS profile for client authentication and for establishing the secure protocol over which the SAS is delivered. MS3 Services may use a TLS certificate issued by a certificate authority of their choosing, while an MTMO-signed certificate is necessary to authenticate an MS3 Client.
  • HTTP binding for processing the two URLs defined above. These URLs can be delivered to the client in multiple ways, several examples of which are included in the specification. Although no single one of the mechanisms listed in the specification is mandated, choosing one of them, the simplest for instance (the compound URL method), will help overall interoperability among clients and services.
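
The trust asymmetry in the TLS profile and flow described above, sketched with Python's standard `ssl` module. This is an added example, not code from the MS3 specification or from Intertrust's modules. The helper names, the PEM file parameters, the `example.com` URLs and the treatment of the S-URL as a plain `https` URL are assumptions made for illustration.

```python
import ssl
from urllib.parse import urlsplit

def ms3_service_context(client_anchor_pem=None, cert=None, key=None):
    """Service side (hypothetical helper): every client must present a certificate."""
    # A bare SSLContext starts with an empty trust store, so no public web CA
    # is accepted as an issuer of client certificates.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.verify_mode = ssl.CERT_REQUIRED      # no client certificate, no handshake
    if client_anchor_pem:                    # the only root trusted for clients
        ctx.load_verify_locations(cafile=client_anchor_pem)
    if cert:                                 # service cert from a CA the operator chose
        ctx.load_cert_chain(cert, key)
    return ctx

def ms3_client_context(cert=None, key=None):
    """Client side (hypothetical helper): ordinary server validation plus own cert."""
    # The default context trusts the system CA roots, requires a valid server
    # certificate and checks the host name against it.
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    if cert:                                 # the client's MTMO-signed credential
        ctx.load_cert_chain(cert, key)
    return ctx

def check_urls(s_url, c_url):
    """Refuse an S-URL that is not TLS; the C-URL may be plain HTTP (CDN)."""
    s, c = urlsplit(s_url), urlsplit(c_url)
    if s.scheme != "https" or not s.hostname:
        raise ValueError("S-URL must be https: the SAS carries the content key")
    if c.scheme not in ("http", "https") or not c.hostname:
        raise ValueError("C-URL must be an http(s) URL")
    return s.hostname, c.scheme

if __name__ == "__main__":
    svc = ms3_service_context()
    print("client roots trusted by default:", svc.cert_store_stats()["x509_ca"])
    # Constructed sample URLs, not taken from the specification.
    print(check_urls("https://ms3.example.com/sas?id=42",
                     "http://cdn.example.com/movie.ts"))
```

Keeping the client-certificate trust store separate from the system CA bundle is the point to check in a deployment: if public CAs are loaded into the service-side context, any certificate they issue would pass client authentication.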

When do I use the MS3 specification?
Many content distribution use cases simply require the content to be streamed to a (trusted) client, grant access to the content for one-time use only, and signal minimal constraints such as media output controls. The MS3 specification was developed for these use cases: it secures access to (clear or protected) streaming content for authorized clients, and it is designed specifically to make integration into existing services as simple as possible.

What Content Formats does MS3 require?
MS3 is silent on content formats. It is designed to support authorization of trusted clients to access both clear and encrypted content, notably all Marlin content formats. As such, the PDCF (OMArlin) and the Marlin Broadband Transport Stream (BBTS) specifications are perfectly suitable for deployment. Other content formats are under development. A key design point of MS3 is that only the content key delivery is done over an encrypted channel (TLS); the content is kept on the server in a pre-encrypted form and can thus be delivered over a standard HTTP connection, not burdening the content delivery servers with any need for cryptography or specialized protocols. This makes MS3 ideally suited to HTTP-based adaptive streaming deployments like those using Microsoft’s Smooth Streaming or Apple’s HTTP Live Streaming.

How do I implement MS3 functionality?
MS3 specifications are available to Marlin Adopters or Participants from http://www.marlin-community.com. Intertrust provides both MS3 client and server module implementations as part of its Wasabi Media Suite. The server module is available as a small Apache module, and the client functionality is an integral part of the media client modules that also support Marlin Broadband functionality.

What do I need in order to deploy MS3?
A service based on MS3 requires only a TLS certificate and a simple server module to generate SAS containers, along with readily available tools to encrypt and package content. A client based on MS3 needs to be trusted by the service to comply with Marlin robustness rules in order to be allowed to access content keys. MS3 clients that are also Marlin Broadband clients (as in Intertrust’s implementation) can simply use the credentials issued to them by an existing MTMO-authorized Trust Service Provider such as Seacert.

How do I incorporate an MS3 client into my STB?
See the MS3 white paper for details.

How do I publish content using MS3?
MS3 content can be hosted on generic Content Distribution Networks (CDNs) without requiring a secure connection between the CDN and the client. MS3 enables authentication of clients for both protected and clear content streaming. Content can be protected using any of the Marlin file/protection formats. Content encryption tools are readily available.

Why do I need DRM for streaming content?
If you have a use case that requires protecting streamed content, then the MS3 specification is right for you.

How do STBs acquire their Marlin credentials?
While it is possible to embed a device's unique Marlin credentials at manufacturing time, we recommend embedding a bootstrap secret into the device that can later be used to acquire such credentials online from an MTMO-authorized Trust Service Provider such as Seacert. Intertrust's Wasabi Media Application Suite SDK includes functionality for using such a bootstrap key to securely acquire and store these credentials in a container whose access is protected by a device's hardware security infrastructure.