DRM and digital media protection with Flash Media Server


chris hook


19 March 2007



User level
If it's true that content is king, then how do you protect the kingdom? How can you safely deliver audio and video content using Macromedia Flash while maintaining the utmost control and protection over it?
Flash has very strong, built-in digital media protection capabilities when you stream your content with Flash Media Server. With an API for enabling publishers to hook up external rights management capabilities, Flash Media Server provides a very practical solution for providing digital rights management (DRM) around streaming content.
This article describes how you can take advantage of those capabilities.
Inherent capabilities built into Flash
Flash offers a number of digital media protection capabilities that are included from the get-go. Delivering content with Flash Media Server provides even more advanced protection (covered next).
Here are a couple of protection features built into all content delivered with Flash Player:
  • No exposed URLs and media file locations: The location of media on the Internet can often be compromised by URLs that point back to the content source. Most media players on the market enable users to see the location of the media clip that is playing rather easily. With Flash, external media file locations are compressed into binary format in the SWF file and are unavailable for website visitors—all but eliminating the ability for visitors to obtain the file and server location for media delivered using Flash Player.
  • Control over information that is exposed: Traditional media players often provide more information about the media than you may be willing to share—for example, filenames, file types, encoding options, delivery methods, and more (see Figure 1).


Figure 1. Traditional media players expose locations of files and servers to end users
With Flash Player you can completely customize your media player to display only the information you want your customers to see (see Figure 2). File information is not readily available unless the publisher chooses to make it so.
Figure 2. Flash Player does not expose files and server locations to end users
Extra protection using Flash Media Server
Delivering your content with Flash Media Server provides even more protection than what Flash Player provides alone:
  • No client cache: Flash video content and MP3s delivered to Flash Player using a normal web server are delivered through progressive download. This content is cached on the end user's hard drive and can be easily accessed—and possibly stolen by the user. By contrast, audio, video, and data streamed to Flash clients using Flash Media Server are not cached on local client machines. You can deliver MP3 files and other media safely and securely knowing that your website visitors will not be able to go to their Temporary Internet Files folder and obtain your media file assets.
  • No exposed media on the server: When you deliver Flash audio and video using progressive download, the content is exposed on a web server. Savvy computer users may be able to obtain the URL of the web server on which the content is stored and access the content directly. In fact, there are a couple of services, such as KeepVid, which use this exact technique to capture Flash progressive download video and save it to a client's disk. With Flash Media Server, however, the content is not exposed to HTTP, FTP, or other transfer mechanisms, so media cannot be copied down from the server.

    Note: Some services erroneously claim to capture "streaming" Flash video but what they really mean is "HTTP streaming" or progressive download.


  • Proxy server capability: Content streamed from Flash Media Server is not only safe from being grabbed from a server, but Flash Media Server even comes in an Edge Edition which you can place on a server outside the firewall, making it act as a reverse proxy serving up content pulled from an Origin Edition on a server that is behind the firewall. This way, your media files are safely kept behind your firewall and no content is stored on a machine that is accessible to the Internet.
  • Unique transfer protocol limits stream ripping: By default, content delivered by Flash Media Server is wrapped inside an Adobe protocol called RTMP. Because this is an unpublished, proprietary format, none of the RTSP stream ripping programs have the capability to rip media delivered over Flash Media Server. This minimizes the ability of unauthorized programs to capture a digital media stream from Flash Media Server to Flash Player. Furthermore, Adobe intends to enhance the RTMP protocol with more security features in the future.
  • Support for SSL and encrypted streams: Flash Media Server provides the ability to deliver encrypted streams to provide the tightest layer of security for delivering digital media. When you use this option, the server encrypts all audio, video, and data streams prior to transport. Once they are safely delivered to the client, Flash Player decrypts the content in real time and provides it to user. This encryption is invoked when the client sends information to the server as well, providing the best way to protect content as it travels between the client and server.
  • Client information: When a client connects to Flash Media Server, Flash Player passes certain information about the client up to the server. Information such as the domain or IP address from which the client is connecting can be used to prevent deep linking and other thefts. You can also use this for syndicating content or a player and content to authorized partners.


Client authentication with Flash Media Server
Using Flash Media Server, there are a number of different ways that publishers can verify and authenticate users before a stream is delivered. Authentication methods available in Flash Media Server 2 include the following:
  • Authentication at the SWF level: In this rather simple method of authentication, the publisher authenticates viewers using existing systems prior to serving the SWF file. Once a user passes authentication and the SWF file is served, audio and video content can be streamed. The benefit of this method is that it fits within your existing workflow, requires no additional changes, and yet authenticates users before serving up content.
  • Authentication at the stream level: With this method, a SWF file is served up without protection but users are authenticated when they connect to the server and request a stream. This authentication can be done two ways with Flash Media Server:
    • Scripting: Using a combination of client-side and server-side ActionScript, client information such as username, password, or even connection information can be passed to the server running Flash Media Server. Once that happens, that information can be used to authenticate users against back-end systems. Support for XML objects and Flash Remoting calls in the server facilitate this process.
    • Executing authentication applications: For the maximum level of control, a plug-in module with Flash Media Server enables publishers to run external applications that are responsible for providing access to the server and content. This is useful for providing access in pay-per-view scenarios or even to prevent rogue sites from deep-linking into your content or server.


The options listed above can be used to support a number of different authentication uses, including:
  • Support streaming in a single sign-on system
  • Authenticate users against an LDAP directory
  • Prevent unauthorized sites from deep-linking to your content
  • Prevent others from stealing bandwidth
  • Support pay-per-view content or events
  • Offer rights management or conditional access to streamed content


Where to go from here
Flash Media Server is the only solution for securely streaming audio and video through the Flash Player. For more information about Flash Media Server, visit adobe.com/go/fms.