Securing the P2P CDN With Forensic Watermarks to Prevent Restreaming

by Andrei Klimenko | September 3, 2019
Is your business prepared for the rise of digital piracy in the new streaming era? We'll help you be informed and be prepared.

In the booming video streaming universe, many things happen from year to year. New streaming services appear on the scene, new markets open, and new users connect to the Internet and start watching more and more video. This is a major challenge for Internet infrastructure, and sustaining such rapid growth requires effective solutions. As a result, dozens of promising new technologies appear.

Naturally, new opportunities always go hand in hand with new threats. In video streaming, digital piracy sometimes evolves even faster and takes the lead in this technological race. Will the market ever have the ultimate solution for piracy prevention? We can't be sure. But we must safeguard against taking any step backward from the level of content security that we have already achieved.

In this article, we dive into some technical aspects of the content protection measures applied by content delivery networks — CDNs — that are streaming live and VoD content. We also take a very close look at the specifics of peer-to-peer CDNs, and we discuss how threats have changed and how protection measures must also change accordingly.

Who Is Guarding the Content On the CDN?

When broadcasters delegate video delivery to a CDN, they care about copyright protection and keeping control over content distribution. Who is watching our content? Are they our registered users? Did they pay for it? Or do they see ads on my platform, and I am paid by the advertiser for the video playback? On the technical level, content control means that some users are granted access to certain video streams, while other users are restricted from accessing these files.

Content delivery networks on a global scale are built of thousands of servers. Based on location, viewers of one video stream can be connected to different servers. Just imagine, all those CDN servers must implement the same coordinated mechanism of content control.

To get access to the video, each viewer's device receives a so-called "manifest." This is essentially a text file that contains a list of URLs to video segments. When a video player requests these URLs, the request comes to a particular CDN server.

Then a CDN node checks if this particular device (having a particular cookie, connecting from a particular geo zone, and so on) has permission to download the content. One of today's most widely used methods for this is token-based authentication. Tokens are generated by special algorithms and are unique for every user and device. Often tokens are implemented as part of the URLs of video segments in the manifest.

A sample of the URLs from the manifest file of two users, A and B. Both users get the same segments of the same video, but at the same time the CDN can validate each request individually by the token string.
Those long letter-numeric combinations h1qx67zKxoMa5fMnvKnTyg and gBWHO5U_8jYSvRNwz8TCdA within URLs are the tokens.

When a video player requests a file using these URLs, a CDN server extracts the tokens from the URLs to validate the stream. If User B tries to request URLs without tokens, or with the tokens of another user, the CDN doesn't provide the segments. Thus, a broadcaster can be sure that only authorized devices have access to the video — and that users cannot share their manifest files with strangers or allow anyone else to watch the video without proper authorization.

At the same time, you may have noticed that the ending of each URL is the same for each viewer. The reason is simple: To save space, the CDN does not store a unique video file for every viewer; it stores the video only once (or a few versions for a few different bitrates).

How Token-Based Authentication Works in a P2P Network

Let's take a look at what is happening within a P2P CDN. Users get their manifest files with tokens as usual. But now they request video chunks primarily from other users (called peers). How do other peers understand which tokens are valid and which are not? In an unsecured P2P CDN... they ignore tokens. That's right — they just ignore them! And if peers ignore tokens, does this mean that any user can forge tokens or use tokens that belong to other users? Again, for unsecured P2P networks, the answer is yes.

To close the breach, a P2P network must be designed in such a way that every peer verifies tokens by contacting the central server and asking if any given token is valid. While this is technically feasible, it slows down the P2P network significantly, decreasing its advantages over traditional CDNs to nearly zero.

It is possible to avoid messaging with a centralized server by teaching peers to check tokens by themselves. But to teach them how to check tokens means ... teaching them how to produce tokens! And a peer that knows how to produce tokens also knows how to forge tokens, unless the tokens are created in some special ways that we are going to describe below.

One might think that this risk is negligible, since all peers follow the same protocol and the source code of a P2P node is downloaded from a centralized server that is under the control of the P2P CDN operator. This is true; however, a malicious user may alter how the JavaScript code of the P2P node works directly in the browser, and so change how a single peer acts. This is enough to create a back door for serious threats like:

— Letting unauthorized viewers obtain access to video
— Circumventing geo-restrictions
— Circumventing paywalls

A single peer that can break the rules of the distribution of video chunks can also retrieve any segment of video, even the segments that were not assigned to it; it can host WebRTC connections to unauthorized peers; and it can re-stream segments to those peers. Is there a way to avoid this?

Forensic Watermarks

A very powerful tool that premium content providers implement to be protected against digital piracy is a forensic watermark. This is an invisible modification applied to video frames that encodes a user account. If a user re-streams this video, it is possible to extract the watermark and identify the user account.

To implement forensic watermarks, a broadcaster runs the video through special software that creates two versions of the stream (or sometimes more than two). Each video chunk of the first version contains one watermark, such as "green." Likewise, each video chunk of the second version contains the "blue" watermark. To give each user an individual watermark, the watermarking server simply assigns each viewer a unique sequence of segments.

Users A and B watch the same video. Segments are "colored" with an invisible forensic watermark.

As a result, a CDN must now store two versions of the same video. Each manifest file for every viewer now contains not just the tokens. Since there are two versions of the same video segments, the URLs link users to different files — the one corresponding to the green watermark, and the one corresponding to blue. When a user requests these files, the CDN checks not only for the tokens but also to see if the user has asked for the correct version of the segment (in fact, this information is also encoded into the token). If the green user requests the blue segment, the server denies the download. Thus, the content delivery network guarantees that each user gets the right watermark.

If a video stream is watermarked, there are two different files for every video chunk.

Forensic watermarking is a cutting-edge technology that helps broadcasters to find cheaters and disconnect them from the video stream in real time, which makes a huge positive impact on the business.

However, it doesn't work this way if a broadcaster runs an unsecured P2P CDN. Because a malicious peer may retrieve any segment directly from other peers in the P2P network, it can mix whichever segments it is able to download. As a result, the re-stream cannot be linked back to a pirating account and cannot be terminated.
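
The token check and the green/blue assignment described above, as an added example that is not code from the original article or from any CDN: the edge accepts a request only with the token issued for that account, segment index and colour, and a re-stream taken from one account is traced back while a mix of two accounts' segments matches no one. The secret, the HMAC-SHA256 construction, the token layout and the account names are assumptions.

```javascript
// Added example, not Teleport Media's or any CDN's code. SECRET, the HMAC-SHA256
// construction and the token layout are assumptions made for illustration.
const { createHmac, timingSafeEqual } = require("node:crypto");

const SECRET = "constructed-demo-secret"; // constructed value
const COLORS = ["green", "blue"];

function mac(label, fields) {
  // JSON encoding keeps the MAC input unambiguous.
  return createHmac("sha256", SECRET).update(JSON.stringify([label, ...fields])).digest();
}

// Bit i of a per-user MAC selects the colour of segment i (up to 256 segments here).
function variantSequence(userId, count) {
  if (count > 256) throw new RangeError("demo supports at most 256 segments");
  const bits = mac("wm", [userId]);
  return Array.from({ length: count }, (_, i) => COLORS[(bits[i >> 3] >> (i & 7)) & 1]);
}

// The token binds user, segment index and colour; 16 bytes give a 22-character string.
function issueToken(userId, index, color) {
  return mac("tok", [userId, index, color]).subarray(0, 16).toString("base64url");
}

// The manifest only ever carries tokens for the colours assigned to this user.
function buildManifest(userId, count) {
  return variantSequence(userId, count).map((color, index) =>
    ({ index, color, token: issueToken(userId, index, color) }));
}

// Edge check: recompute the token for the requested colour, compare in constant time.
function edgeAllows(userId, index, color, token) {
  const expected = Buffer.from(issueToken(userId, index, color));
  const given = Buffer.from(String(token));
  return given.length === expected.length && timingSafeEqual(given, expected);
}

// Tracing: accounts whose assigned sequence equals the colours extracted from a re-stream.
function traceLeak(observedColors, userIds) {
  return userIds.filter((id) =>
    variantSequence(id, observedColors.length).every((c, i) => c === observedColors[i]));
}

// Constructed accounts: a single-account leak is traced, a mix of two accounts is not.
const users = ["user-A", "user-B", "user-C"];
const leakA = variantSequence("user-A", 128);
const seqB = variantSequence("user-B", 128);
const mixed = leakA.map((c, i) => (i % 2 ? seqB[i] : c));
console.log(traceLeak(leakA, users), traceLeak(mixed, users));
```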

How can this be fixed?

Teleport Media Full Stream Protection

The main idea behind our peer-to-peer protection mechanism is to use forensic watermarks and make any peer, even a fraudulent one, unable to retrieve video chunks that are not assigned to it by the manifest file. That is, each peer must be able to download only those segments that are assigned to it. How do we achieve this?

If you are interested in looking into the very core of the solution, please read our patent, which is filed in multiple countries around the globe:
https://patentscope.wipo.int/search/en/detail.jsf?...

Briefly, we create very specific manifest files that contain special keys instead of file names. The keys are unique for every segment and every user; that is, even if two users receive the same "blue" segment, they get absolutely different keys to this particular segment in their manifest.

Sample keys that are used to protect a stream in the Teleport Media network. Keys for the same segment of the same "color" are different for each user. Each key is valid only if presented by the user to whom this key was assigned.

If the keys are different, how does User B understand that User A requests the segment that User B is storing now? The secret is in the way that the keys are produced. Each key is the result of a one-way cryptographic hash function, combining the ID of User A with each of the video segments individually. One-way hash functions work in an interesting manner: it is easy and fast to create a hash given the initial information, and it is extremely hard and expensive to "guess" the initial information that was used to produce the hash. (For more information, see https://en.wikipedia.org/wiki/Cryptographic_hash_f...)

To check the validity of the key, User B takes all the segments that are in their storage and combines them with the ID of User A. If there is a match, it means that User A requested a certain segment with a valid key. If there is no match, User B will not provide any segments.

If User A is fraudulent, this account may produce trillions of artificial keys. The chance that User B will find a match is nearly zero thanks to cryptography. Trying to use another user's key is equally pointless for User A: since User B verifies keys by producing key samples with the ID of User A, there will never be a match with any key belonging to another user.
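
One way the key scheme above can look in code, added here as an illustration and not Teleport Media's implementation: the server derives a key per user and segment, and the serving peer recomputes keys over its stored segments using the requester's ID. SHA-256, the length-prefixed input layout, the `Peer` class and the sample data are assumptions.

```javascript
// Added example, not Teleport Media's code. SHA-256 and the length-prefixed input are
// assumptions; the page only says a one-way hash combines the user ID with each segment.
const { createHash, timingSafeEqual, randomBytes } = require("node:crypto");

// key = SHA-256(len(userId) || userId || segment bytes)
function segmentKey(userId, segment) {
  const id = Buffer.from(userId, "utf8");
  const len = Buffer.alloc(4);
  len.writeUInt32BE(id.length);
  return createHash("sha256").update(len).update(id).update(segment).digest("hex");
}

// Server side: the manifest lists one key per assigned segment instead of a file name.
function manifestKeys(userId, assignedSegments) {
  return assignedSegments.map((segment) => segmentKey(userId, segment));
}

// Peer side (User B in the text).
class Peer {
  constructor(segments) { this.segments = segments; }

  // requesterId must be the identity authenticated on the connection, not a request field.
  serve(requesterId, presentedKey) {
    const given = Buffer.from(String(presentedKey), "hex");
    for (const segment of this.segments) {
      const expected = Buffer.from(segmentKey(requesterId, segment), "hex");
      if (given.length === expected.length && timingSafeEqual(given, expected)) return segment;
    }
    return null; // nothing in storage matches this (user, key) pair
  }
}

// Constructed segments standing in for watermarked video chunks.
const blue0 = Buffer.from("constructed chunk 0, blue");
const green1 = Buffer.from("constructed chunk 1, green");
const peerB = new Peer([blue0, green1]);
const keysA = manifestKeys("user-A", [blue0]);
const keysC = manifestKeys("user-C", [blue0, green1]);

console.log(peerB.serve("user-A", keysA[0]) === blue0);              // A presents its own key
console.log(peerB.serve("user-A", keysC[1]));                         // A presents C's key
console.log(peerB.serve("user-A", randomBytes(32).toString("hex")));  // A presents a made-up key
```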

Thus, by using modern cryptography, Teleport Media ensures any node in the P2P CDN receives only permitted video streams and never shares them with unauthorized devices.

Summary

Decentralized content delivery networks provide an unprecedented level of scalability, which is extremely important to maintain the highest quality of service. And there must not be any trade-offs when it comes to content protection.

To protect content owners and broadcasters against rising digital piracy, a P2P network operator needs to focus on specific measures that guarantee the same level of security as with traditional CDNs.

But wait a moment... In fact, even streaming websites that are using only traditional CDNs suffer from re-streaming piracy. Malicious users can watch the content traditionally from the centralized server that validates every request. And at the same time, they can create a P2P network on the side using WebRTC and provide access to their stream to other users! You can be sure that someone is producing a browser extension with that feature to simplify piracy.

This can be stopped only by using a combination of forensic watermarks and holistic conditional access systems, including a framework for distributed CDNs like Teleport Media Full Stream Protection.

