Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
Receivers MUST identify the WMDRM: Network Devices Protocol encryption when parsing and examining the ASF header.
The Advanced Content Encryption object is used in the ASF header to communicate information about the WMDRM: Network Devices Protocol encryption in the ASF file. A content encryption record (in the Advanced Content Encryption Object) with a System ID of ASF_ContentEncryptionSystem_WMDRM_ND_AES indicates the presence of WMDRM: Network Devices Protocol encryption.
Receivers MUST perform the following steps to parse the ASF header:
Identify encrypted streams: A receiver SHOULD examine the stream properties objects present in the ASF header. For each stream that is marked with the encrypted content flag (in the stream properties object), the receiver will need to decrypt the stream. This document discusses only the decryption available in WMDRM: Network Devices Protocol; implementations that have other decryption available SHOULD be able to apply different mechanisms.
Identify WMDRM: Network Devices Protocol content encryption records: After the receiver has identified one or more streams that need decryption, and located stream numbers (in the stream properties objects), it MUST search for content encryption records in the advanced content encryption object. Applicable content encryption objects will have the system ID set to
ASF_ContentEncryptionSystem_WMDRM_ND_AES = {7A079BB6-DAA4-4e12-A5CA-91D38DC11A8D}and the system version set to 1. A different system ID indicates that a different type of encryption is in place, and the content encryption record can be ignored. A higher system version indicates that the receiver is not compatible with the WMDRM: Network Devices Protocol encryption in this file, and MUST be treated as a failure case.For each suitable content encryption record, the receiver SHOULD attempt to match the record with the streams in the ASF file. Content encryption records contain encrypted object records, which identify what is encrypted. An encrypted object record with encrypted object ID type set to 0x0001 indicates that a stream is encrypted; other encrypted object records SHOULD be ignored. If the encrypted object ID type is 1, the encrypted object ID field contains either the special value 0x0000, or an array of 2-byte stream numbers. The special value 0x0000 indicates that every stream in the file is encrypted; otherwise the receiver SHOULD match the stream numbers with the stream numbers from the stream properties objects.
Match streams and WMDRM: Network Devices Protocol records: The receiver SHOULD have a match between content encryption records (in the Advanced Content Encryption object) and streams (per the Stream Properties objects). If there are any encrypted streams that are not matched, the receiver cannot decrypt this file and SHOULD take appropriate action. If a stream cannot be decrypted, the receiver SHOULD provide an informative error indicating that the receiver cannot access this content.
ASF Sample Parsing: After the ASF header has been parsed and a content key has been identified for each encrypted stream, the ASF packets in the data object of the ASF file MAY be parsed. The media object data in the ASF packets MUST be decrypted. All of the other ASF packet properties are not encrypted and can be parsed as usual.
The receiver MUST perform the following steps to parse the ASF packets:
Reassemble the media objects: With WMDRM: Network Devices Protocol, the complete media objects are encrypted, not individual ASF payloads. Thus, for fragmented media objects, the media objects MUST be reassembled into complete objects before applying the AES decryption.
Retrieve the sample ID: For each media object, the sample ID MUST be retrieved. The sample ID is stored as an ASF payload extension system, ID ASF_Payload_Extension_Encryption_SampleID = {6698B84E-0AFA-4330-AEB2-1C0A98D7A44D}. If this payload extension does not exist on a WMDRM: Network Devices Protocol encrypted stream, an error has occurred during authoring and the file SHOULD be treated as corrupted, and an appropriate error SHOULD be generated.
The sample ID is an 8-byte value stored in network byte order. The sample ID MAY be stored as a fixed-size extension (8-bytes), or a variable size extension.
Decrypt the sample (media object): Each sample (complete media object) MUST be decrypted using AES in counter mode as defined here. Note that the decryption is applied per sample (referred to as a media object in the ASF specification [ASF]), rather than per ASF payload.
The process of encrypting and decrypting ASF samples follows the procedure that is defined in section 3.1.5.2.9. The data segment corresponds to the sample and the data segment ID corresponds to the sample ID from the ASF payload extension.
Figure 17: Encrypting and Decrypting ASF Samples
The pseudo-code is as follows:
-
SET SizeOfBlock to 16 SET SizeOfMediaSample to the number of bytes in the Media Sample SET NumberOfBlocks to the size of the SizeOfMediaSample DIVIDED by SizeOfBlock SET RemainderBlockSize = SizeOfMediaSample MODULO SizeOfBlock FOR EACH Block in NumberOfBlocks CALL DecryptBlock with Block and BlockSize RETURNING DecryptedBlock ENDFOR IF RemainderBlockSize NOT EQUAL to 0 CALL DecryptBlock with Block and RemainderBlockSize RETURNING DecryptedBlock ENDIF