ROGER PANTOS: Good morning, everyone.
Welcome to this year's Worldwide Developers Conference.
This is your first real session.
Today -- thank you.
Today we are going to be talking about a pretty exciting addition
to HTTP Live Streaming.
You know, we are always looking
at whatever it is that's preventing you guys
from using HLS to deploy your content the way you want to,
and content protection, which is to say allowing your users
to watch your content, listen to your content
without making unauthorized use of it,
has always been a really difficult problem that a lot
of you have had to sort of contend with.
And, as the bit rates get higher,
and the resolutions get higher,
those demands are only going to get louder.
And that's why I am extremely pleased, finally,
to be able to announce today FairPlay Streaming.
So what is it?
First and foremost, it is our best content protection
technology, packaged in a way that allows you to use it
to protect your HLS content.
Now, it is not new.
We have been working for the past three years with some
of our major content partners
to help them deploy FairPlay Streaming
in their apps and on Apple TV.
And at this point, it has been used to protect a lot
of content, including some of the most popular movies
and television shows in the world.
Now, you can use it on iOS, on Apple TV, and on OS X.
Of course, on our mobile devices, battery life is king.
And so, when we designed FairPlay Streaming,
every choice we made was predicated
on giving you good battery life.
The codecs we chose, the encryption we chose,
how we implemented it, even the hardware we took advantage of.
And, so, you get great security,
but you also get great battery life.
And it is also integrated with AirPlay, seamlessly.
And, so, with full protection.
Now, you may be saying, okay, well, that sounds pretty good,
but I've got a lot of content.
I mean, is Apple -- how is Apple going to make me pay
for this FairPlay Streaming thing?
Is going to be like a per movie charge,
per playback, as a flat rate?
We went back and forth on that,
and we eventually did settle on a flat rate.
Zero. If you guys are paying your 99-dollar a year developer
fee to us, you will not need to pay Apple a penny more
to use FairPlay Streaming as much as you want.
So, now, at this point, any marketing folks
in the audience are like: Oh, that sounds awesome!
And the engineer sitting next to you is like: No,
no, really, what is it?
Okay. So, it is really very simple.
What we did is, we attacked the most essential building block
of a DRM system, which is key protection.
And so FairPlay Streaming is essentially
and really only a secure key delivery system.
It's a way to transfer the keys from your server on the Internet
to the device, and use it on that device without allowing it
to be obtained by an attacker so they can decrypt your content.
We designed it to be easy to use and also easy to adopt.
We recognized that a lot of you, particularly
if you are streaming premium content or subscription content,
you are already talking to some kind of secure back end.
And so we designed FairPlay Streaming
so that the delivery part is agnostic,
the protocol you're using.
If you have got a secure connection,
you can adopt FairPlay Streaming extremely easily.
And if you don't, you can just use HTTPS.
It's a great choice.
Finally, a lot of folks have asked me about HDCP in the past.
With FairPlay Streaming is the answer to this.
If your device is connected to a television
or another external input, it must be HDMI,
and HDCP must be active
or any FairPlay Streaming content playback will fail,
Now, when we designed it, we knew that there's a lot
of difference, business rules and logic,
and everybody has their own flavor.
And so we didn't want to build a big, complicated thing
and force you into our box.
So we built just the key delivery mechanism.
We didn't build a big rights expression language evaluator
or create a long list of policies
that you need to adhere to.
And that means that if your business logic requires those
things, you are in control.
You are still the gate keeper.
So, once you give the media stack a FairPlay Streaming key,
we will play it.
No questions asked.
We will protect the key, we'll go and play it.
And so, if you need to do some policy enforcement
or user authentication or per device slot management,
then you can do that on top of FairPlay Streaming.
And so again, it goes into being easy to integrate.
So now let's talk about some concrete steps.
That's kind of what FairPlay Streaming gives you.
Let's talk about the steps that you need to do to adopt it.
Basically there are three steps.
The first one and probably the largest one is
because FairPlay Streaming is an online key delivery protocol,
you must be online to get your key,
and once the playback stops, the key goes poof.
You need to integrate what we call a key security module
into your key server.
And so that's the biggest step, and we'll go into a lot
of detail about that in a second.
But the second thing is, then you need to add a little bit
of code to your application,
called an AV asset resource loader delegate.
And that code is going to be responsible
for relaying the key requests from AV foundation
to your back end, and then returning the response
from your back end back to AV foundation.
Then finally what you need to do is, prepare your content.
And that means you need to encrypt it,
using the AES Sample encryption.
This is the format that we introduced, oh,
three years ago, coincidentally.
And so, rather than the traditional bulk entire segment
encryption that HLS is using originally,
this just encrypts small slices of each sample and it ensures
that we can drive the decryption
down to the lowest level of the system.
And so you need to pick a content key, store that away
in your back end database, encrypt your content,
and then put a reference to that key into your playlist so that
when you your little bit of code receives a request
for that key it knows which one to ask your back end for.
And so what I would like to do next is have us go
into greater detail on all three of those steps.
And to do that, I would like to introduce a colleague of mine
who works on the FairPlay team, Gianpaolo Fasoli.
GIANPAOLO FASOLI: Thank you, Roger.
Good morning, everyone.
My name's Gianpaolo Fasoli,
and I am a FairPlay Streaming Engineer at Apple.
So, with Roger's overview in mind, I'd like to talk to you
about what it takes to design a FairPlay Streaming system.
And the first thing I'm going to talk about is the purpose
and the importance of what we refer
to as the FairPlay Streaming credentials.
Next up, I'm going to identify the actors
in the system and the data flows.
Then I'm going to talk about what Apple provides
in the things that you are going to build and in the things
that you are going to build, we're going to start by talking
about the server side and how
to integrate the key security module that Roger was talking
about into your key server.
We're going to talk about how to test that integration.
We're going to move on to the client side and how
to integrate FairPlay Streaming into your application,
and then we're also going to be talking
about the updates you are going to be making
to your content authoring workflow, in order to encrypt
that content and verify the changes
that you are making to your workflow.
So when we talk about FairPlay Streaming credentials,
the reason we have those is
so that we can differentiate your FairPlay Streaming
deployment from other FPS deployments out there.
And the reason they are required is because you need them
so that your customers can actually play their content
on the customer devices.
For those reasons, it is critical
that you protect those FairPlay Streaming credential assets
at all times, when they are deployed in your server,
and when they're used in your server.
Make sure they are protected.
So now moving on to the diagram, we've got the server components
on the left-hand side, namely your key server
that has the FairPlay Streaming key security module integrated
in it; the key database that contains the content key values
that were used to encrypt your streams.
And then on the right-hand side we've got the client actors,
namely your application,
the AVFoundation Delegate Roger was talking about,
and AVFoundation that's provided us part of the operating system
with our iOS or Mac OS X.
So lLet's talk about what happens
when the user hits play in your application.
First thing that's going to happen is,
your application is going to invoke AVFoundation
and provide it with the m3u8 URL to the encrypted content.
AVFoundation is going to pull that playlist from the Internet,
it's going to parse it, and when it notices
that the content is encrypted, it is going to call back
into your delegate, telling it
that it needs a key to play the content.
The delegate is going to handle that by calling
into AVFoundation and asking it to create what we refer
to as the Server Playback Context.
In FPS parlance we use SPC for short.
And what that is, is a key request
that your delegate then is going to post to your key server
in order for the key server to do its job
and deliver the content key.
What is important to note here is that the SPC is created
in a FairPlay Streaming delivery context on the client.
And that is a session-specific context that only
that device was able to create,
for which that device will only be able
to process the response from the server.
It is tied to the device and to that session.
So then your server is going to make use of the KSM to crack
that SPC queue request open, validate it from a format point
of view and from a cryptographic point of view,
and look up the corresponding content key
in the key server database.
It's going to then wrap that content key value
into what we refer to as a content key context,
or CKC for short, and the last step
that your app delegate is going to perform,
is provide that CKC back to AVFoundation.
So, at this point the device has everything it needs
to decrypt and play the content.
So now that we've covered the actors and the data flows
in a FairPlay Streaming system,
let's talk about what Apple provides.
We provide AVFoundation, of course.
And part of AVFoundation in iOS and Mac OS is the API
that you are going to be using to implement the delegate.
Another thing we provide is the FairPlay Streaming SDK
And that SDK contains a certain number of things.
First of all, it contains a protocol specification
that has all the details on how the SPC
and the CKC messages are formatted,
and which cryptographic primitives you are going to use
to process the incoming key requests
and also generate the key response.
It contains a key security module server reference
implementation in NCC.
It contains a full suite of server test vectors
and validation tools that you can use
for your server development.
It contains some client-side example content.
And the last bit it contains is a set of client example code.
So the responsibilities of your key server are going to be,
as Roger pointed out, first of all, the decryption
and the validation of the SPC key request.
Then it is going to look up the content key based
on the asset identifier that the customer wants to play,
and then it is going to produce the CKC response.
It's the first and third operation that are going
to be taking place in your KSM.
And the way you go about implementing that is two fold.
You can either decide to implement the logic
from scratch using the protocol specification that's provided
in the FPS SDK.
Or you can just take the C reference implementation
and customize it either by using your language of choice
or by integrating it directly into your existing key server.
So now that that's integrated,
let's talk about how you are going to test the KSM.
Well, the first thing we recommend you do is obviously
use the supplied test vectors that are part of the SDK
to validate the correctness of the responses
that your KSM is going to produce.
And the way you go about doing
that is using the supplied SPC test vectors,
feed them to your KSM implementation,
and then run the output CKC that your KSM produced
through the validation tool to make sure they are correct both
from a cryptographic point of view
and from a format point of view.
It is important to note that the test vectors we provide
in the SDK are based on development credentials.
And they are there exclusively for your development effort.
They cannot be used to deploy a solution
to live customer devices.
To do that you're going to need production FairPlay
So now that we've talked about the server side,
let's talk about the client side.
What does it take to integrate FairPlay Streaming
into your application?
Well, the first thing you're going to want
to do is register an AV asset resource loader delegate
with AVAsset, and the responsibilities
of that delegate are three fold.
The first thing it's going to be doing is generating the SPC.
And you do that by implementing these two steps.
You're first going to handle 'should wait for loading
of requested resource' for the key requests.
And then second of all you're going
to call 'AVAsset resource loading request streaming
content key request data for app' to produce the SPC.
Once you've got that SPC in hand, you're going
to send it to your key server.
And when your key server responds, you're going
to provide the CKC response
to 'AVAsset resource loading request.'
So we've got the server side implemented;
we've got the client side implemented.
Let's talk about the workflow updates
in your content authoring.
What are you going to have to do to encrypt the content?
Well, the first thing you should do is go pull the HLS Sample
Encryption specifications from developer.apple.com,
and that will provide you with all the details you need to know
about encrypting the bit stream itself, whether audio or video.
Once you have got that bit stream encrypted you're going
to have to update the m3u8 playlist to signal,
first of all, what type of encryption mode you use.
And that, you do that by setting the method tag
in the m3u8 playlist to Sample-AES.
Another signal you want to send to the client is the fact
that you want to use FairPlay Streaming for the key delivery.
And the way you do that is an update to another tag
in the m3u8 playlist, that's the key format tag,
you want it to set it to com.apple.streamingkeydelivery.
The fact that we've deployed it for over three years now means
that there's quite some third-party support
in the encoders out there right now.
And you can choose to go with one of those as an alternative
to making updates to the workflow yourself.
Once you have got your workflow updated, here is how you go
about checking the correctness of that encryption workflow.
You can do basically two comparisons.
But they both start in the same way.
You start by taking a clear text piece of content
from the sample SDK and run that through your new workflow.
And then you can compare it either
to the same encrypted asset in the SDK, or you can compare it
to an encrypted version of that asset that you run
through the HLS media file segmenter.
The reason why the second point is interesting is
because you can do it with your own content as well rather
than the sample content.
So now that we've talked about what it takes
to develop the client side and the server side,
and updates to your workflow, that leads us
to functional local playback.
I would like to now talk to you
about FairPlay Streaming support in AirPlay.
And the support we have for FairPlay Streaming
and AirPlay is through the AirPlay video path.
And what that means is that when you transition
from local playback in your application to the Apple TV,
it is actually the Apple TV that is pulling the bits
from the Internet, right?
It is not the sender device anymore.
And the good news here is that no new additional code needs
to be written either in your application
or on the server side.
The KSM supports processing increment key requests,
both whether they are coming from an Apple TV
or from an iOS device.
To be clear, the SPC is still generated on the Apple TV
and the CKC response that your key server is producing will
also be processed on the Apple TV.
However, your app is still responsible
for relaying the messages
between the Apple TV and the key server.
So the sending device has to be present.
This gives us the same level of security as local playback
because the SPC and CKC messages both originate and end
on the device that is actually playing the content,
the Apple TV, in this case, in the AirPlay case.
One important point to note is the fact
that FairPlay Streaming content will not be rendered
in AirPlay Mirroring mode.
That also applies to screen shots and recordings
for FairPlay Streaming content that's played
on your local device.
So now that we've spoken about how
to consume the content locally on your app or through AirPlay,
I'm proud to announce this year
that we are adding FairPlay Streaming support to El Capitan.
And the way we go about, the way you would go
about integrating this into your website is
through the encrypted media extensions that are part
of HTML5, that's a W3C specification
that you can download on their website.
The way you go about integrating with EME is
on your website, and we provide an example
of such an implementation in the SDK.
It is more of a snippet.
The good news here is that both on the KSM side
and on the AirPlay side there is no new code that is needed.
It will work out of the box
and everything is fully supported once you have got your
to be writing to add support
for FairPlay Streaming in your Webpage.
The first thing you're going to do is set the m3u8 URL
as a source attribute of the HTML5 video tag as you would
for a non-encrypted piece of content.
Then you are going to add an event listener
for the Web kit need key call to the video element.
That event listener when triggered is going
to set the EME content decryption module
to FairPlay Streaming.
It is also going to create a key session on video/MP4
to relay the messages between the key system
and your key server.
And you're going to add an event handler
for web kit key message to that key session.
That event handler is going to be the one that's responsible
for sending the SPC key request to your key server
and then processing the CKC response
by updating the key session.
In terms of the data flow, we've got very similar actors
on the left-hand side.
We have the same ones on the right-hand side.
We have got Safari now that Apple provides,
along with the EME stack.
Within Safari we have got your site, and the new piece
to support FairPlay Streaming content playback
in your website.
Let's talk about what happens
when the user hits play in Safari.
So, the user hits play.
The first thing that is going to happen is, obviously,
the m3u8 is going to hit the EME and AVFoundation
in the operating system, and EME is going to notice
that the content is encrypted, which is going to cause it
to trigger the Web kit need key message
that your event listener is going to receive.
Then your event listener is going to create the key session
and is going to wait for the Web kit key message,
which in turn is going to trigger the handler,
and that handler is going to receive the SPC,
send it over to your key server, which is going to process it
as usual, pull the content key
and then create the content key response, send that CKC back
down to the EME layer for playback.
As Roger described, we've had this solution deployed now
for over three years, and over the years we've learned a few
tips and tricks on how to troubleshoot integrating issues
with FairPlay Streaming.
And the typical issue you may be facing,
if unfortunately something goes wrong with your integration,
is that content doesn't play.
So how do you go about debugging that situation?
Well, one thing we recommend you do is --
and this is for debug purposes only, we don't recommend
that you do this in a production environment, but --
set your key format tag in the m3u8 playlist to identity,
instead of com.apple.streamingkeydelivery.
What this does is, it allows the same content to get
to your client, but instead of decrypting it
with FairPlay Streaming, it decrypts it
with a clear text AES key.
And what we end up is either in one of two situations.
Your content is still not playing,
in which case this is probably facing a content authoring
issue, and those issues typically fall
into one of four buckets.
Either your sample of encryption has an issue and in
that case I'd refer you
to the HLS Sample encryption specification.
It could be an issue with your PAT/PMT audio set up.
Those are steps that you need to perform on audio streams
that are encoded, that are encrypted
with FairPlay Streaming.
There are a few metadata updates that need to happen.
It may be the case that you are not using one
of the supported codecs.
And as Roger mentioned earlier, what we support right now
in FairPlay Streaming is H.264, AAC, and encrypted AC3.
Last but not least, it may be you are rotating your content
key on something that isn't an HLS segment.
So we recommend that you rotate your keys either on HLS segments
at the most granular level or you can also decide
to change your content key value on a bit rate switch.
If your content is playing after you update the key format tag
to identity, you are probably facing a key delivery issue.
And in that case, what you want to do is you want to trace
through the data flow that we went
through in the earlier diagrams, and make sure
that the SPC is properly generated by the client,
that it's sent to your server, that your server can process
that key request without any failures,
that your server is looking up the right key in the database,
that your server is also capable of packaging the content key
into content key response, and that the client is able
to process that without any errors.
So, now that we went over all the various ways
of consuming FairPlay Streaming content in the Apple ecosystem,
I would like to hand it back to Roger to wrap the session up.
Thank you very much for your time.
ROGER PANTOS: Thanks very much, GP.
So, let's do a quick recap here.
FairPlay Streaming for HTTP Live Streaming, it provides you
with industrial strength tools to protect your content
with HTTP live streaming.
You have got it available on iOS,
on Apple TV, and now on OS X.
iOS, it's available since iOS 6, so there's a fair amount
of backward compatibility, and also on Apple TV.
OS X is a little bit newer, and so you can come down and talk
to us in the labs, and we will give you the entire scoop
on where you can use it.
It has been deeply integrated into the OS.
That means that it is down as low as we can get it,
as secure as we can make it.
It is as power efficient as we can do.
And so it gives you great battery life
as well as great security.
And it also supports all of our ecosystem features
such as AirPlay, such as HDCP, HTML5, and we will continue
to do so as we roll out new features going forward.
So, what's next?
First stop is our new FairPlay Streaming portal
It's live now, so you can go there, you know,
you can go there right now.
And you can, from there you can download the SDK.
You can look at the overview document
that gives you a little bit of a deeper insight into some
of the details of FairPlay Streaming.
And you can also, through that site,
apply for your production developer credentials
that are necessary for you to do your round trip playback
to an actual iOS device or Safari.
And the next thing, and I should also mention, actually,
that on that site, on that landing page there,
there may be some of you who don't have an existing back end
or are a little bit intimidated by the idea
of integrating FairPlay Streaming into that back end.
So on that landing page we have a little list
of integration partners we've worked with, folks like Irdeto,
folks like Adobe, who have set up some support for folks
who wish to use FairPlay Streaming
to protect their HLS content.
And so I would recommend checking
out those folks as well.
If you feel like you need a little bit
of help getting FairPlay Streaming up
and running for your content.
It is, it's, I think it's pretty easy to do,
but not everyone is in that business.
And so there's help for you there if you need it.
Also, if you would like to get HLS and FPS working,
and it feels a little bit like there're still questions
or you've tried it and you've got some problems,
if you are not at WWDC,
then your best first stop is our developer forums.
And we've actually set up, I believe it's
in the beta section right now, but we've set
up a new forum specifically for FairPlay Streaming.
And so check that out.
If you are running into a problem
or you have got a question, there's pretty good odds
that somebody else has had the same question, same problem,
and you might just be able to find the answer
by looking in the forums.
Failing that, there is, of course,
your friendly neighborhood developer tech support
representative who will be happy to assist you for a small fee.
I think that's it.
Thank you again for coming.
And have a great show!
Looking for something specific? Enter a topic above and jump straight to the good stuff.
An error occurred when submitting your query. Please check your Internet connection and try again.