HULU Privileged and Confidential
Hulu Japan Device Applications Overview
Draft: July 20, 2011
Privileged and Confidential
Overview
Hulu Japan will support video distribution beyond the computer screen and onto living room devices and mobile devices. Living room devices will include Internet enabled televisions, gaming consoles, and other CE hardware, and mobile devices would include the Apple iPad, Apple iPhone / iTouch, Android phones, and other mobile hardware. This strategy will provide users “three screen” access to Hulu in Japan.
Target Devices
The living room and mobile devices being evaluated are listed below.
All the Hulu device applications will be natively developed applications installed locally on the various devices. Access to Hulu videos will be via wi-fi for the living room devices and wi-fi plus 3G when available for the mobile devices.
User Experience
In the proposed Hulu device applications (both living room and mobile devices), users will be able to browse the entire Hulu content library. Users can browse Hulu content from the device applications in the following ways:
- A list of featured videos, most popular videos, recently added videos, recently added popular shows, and other predefined categories.
- Alphabetical list of titles (both television shows and movie titles).
- Keyword search for videos and show titles.
Content Protection
Video playback will be performed on the various Hulu device applications using the native video player component for those devices. For example, theiPad, iPhone, and iTouch mobile device applicationswill all use the native Apple Media Player framework (MediaPlayer.framework). Similar native video playback components will be used for other mobile devices and living room devices. Using native video player components will allow us to leverage hardware acceleration and other native performance tuning for video playback.
All devices for which Hulu will create device applications will support the following output protection whenever there is output functionality available:
- Analog output: Macrovision, CGMS-A
- Digital output: HDCP over HDMI
The content protection strategy for securing video content delivered to eachHulu device applications is defined in two parts:
- Server protection
- Local device application protection
For Server protection, Hulu will deploy the following mechanisms:
- Expiring authentication tokens will be required for video files, thus restricting access to the physical video file resident on our content delivery network. Users cannot access any device video file on our servers without a valid authentication token. Since these authentication tokens expire, they cannot be cached.
- The location to the video file (including the authentication token) will be encrypted on the server using AES (or comparable) encryption. The encrypted video file locations will prevent an unauthorized user from even requesting the video file, as they will not be able to decrypt the location to even issue the request. Also the encryption key will be rotated so that it also cannot be cached.
- Requests for video URLs will also require a valid device identifier (i.e. a unique ID for the individual device application). This will allow the server to audit the number of daily requests a specific device application makes and block access to that device identifier if necessary.
- During transport, the video file itself will be encrypted using SSL, AES, or comparable encryption to prevent users from monitoring network traffic and saving out readable video content in transit. In addition, the video files may be broken into small segments (5 – 30 seconds in length) such that any compromised video segment would only contain a small portion of the overall video content.
For Local device application protection, Hulu will deploy the following mechanisms:
- All Hulu device applications will be securely distributed onto phones, televisions, and CE devices using AES 128-bit (or comparable) encryption and then stored in secure, protected memory on the devices. This security will prevent each device application from being decompiled, reverse engineered, run in emulation, or used in an unauthorized way.
- In addition to the server side rotating encryption key, a secondary local encryption key stored in the device application itself will be utilized. This secondary local encryption key can be invalidated on the server to force users to upgrade their device application (in order to get a new valid local encryption key).
- All video files will be played back using the native device video playback component. All devices that we are evaluating only cache a small portion of the video file in temporary application memory (and not persistent storage memory). The video file is therefore never stored locally in its entirety and even the small portion that is cached cannot be easily retrieved out of memory since the memory is temporary storage and protected.
All communications involving key exchange will be conducted over SSL to secure the data from being monitored in transit and to hide the server end points.
An end-to-end video playback call stack would therefore look as follows (see Figure 1):
- The Hulu device applicationswill first call the Hulu Site webservice via SSL and retrieves an encryption key. This encryption key is then combined with a local encryption key stored securely in the application code.
- The user will request to watch a video from within the Hulu device application.
- The device application then contacts the Hulu Video Content Management System via SSL to request the URL to the video file and provides the unique device identifier for the current device (either a living room device or a mobile device). If this device has not been blocked due to inappropriate access, the server responds with an encrypted location to the video file.
- The device application then uses the combined server and local encryption keys to decrypt the video file location returned by the video CMS.
- The device application then sends the decrypted video file location to the native video playback component on the device and begins streaming the video. At this point, secure video playback begins. The video is encrypted in transport using SSL, AES, or comparable encryption. No significant portion of the video content is cached on the device, and any small cache is only stored in temporary application memory.
Figure 1. Hulu Device Application Secure Video Playback Call Stack
Hulu Rights Management System Principles
The above content protection scheme is collectively called the Hulu Rights Management (HRM) system and is governed by the following security principles:
- Secure video delivery
Video content will always be delivered securely from Hulu servers (or the servers of Hulu partners such as Content Delivery Networks) to client devices. Secure delivery of the video is defined as encryption during transport using AES 128-bit (or comparable) encryption, and no exposed media on the server such that streaming source URLs are not exposed to end users and expire within 5 minutes of being accessed.
- No persistent client-side video cache
Video content will never be stored permanently on the device in its entirety. The devices will only temporarily store a limited amount of video content as a buffer to provide for uninterrupted playback of the content, and this buffer will be maintained in protected system memory.
- Video output protection
Video output from devices will be protected using the best available content protection mechanisms on devices to disable copying and unauthorized retransmission. Analog output will be protected by CGMS-A (set to "Copy Never") or comparable protection. Digital output will be protected by HDCP or comparable protection.
- Secure application runtime environment
All Hulu applications including the video playback components will be securely distributed onto devices using AES 128-bit (or comparable) encryption and then stored in secure, protected memory on the devices. This security will prevent each device application from being decompiled, reverse engineered, run in emulation, or used in any unauthorized way. In addition, each device will be uniquely identified so that access requests can be audited and disabled per device.
Launch Plan
The devices (both mobile devices and living room devices) that will be supported follow:
Device / Secure Application Storage on Device? / Applications are uniquely identified? / Applications can be invalidated?Sony televisions / Yes / Yes / Yes
Sony Blu-ray players / Yes / Yes / Yes
Panasonic televisions / Yes / Yes / Yes
Panasonic Blu-ray players / Yes / Yes / Yes
Sony PlayStation 3 / Yes / Yes / Yes
Microsoft Xbox 360 / Yes / Yes / Yes
Apple TV / Yes / Yes / Yes
Apple iPad / Yes / Yes / Yes
Apple iPhone / Yes / Yes / Yes
Apple iTouch / Yes / Yes / Yes
Device / Content secure during transport (streaming delivery)? / Content not permanently saved on device?
Sony televisions / Yes (HTTPS) / Yes
Sony Blu-ray players / Yes (HTTPS) / Yes
Panasonic televisions / Yes (HTTPS) / Yes
Panasonic Blu-ray players / Yes (HTTPS) / Yes
Sony PlayStation 3 / Yes (HTTP Live Streaming with AES 128-bit encryption) / Yes
Microsoft Xbox 360 / Yes (HTTP Live Streaming with AES 128-bit encryption) / Yes
Apple TV / Yes (HTTP Live Streaming with AES 128-bit encryption) / Yes
Apple iPad / Yes (HTTP Live Streaming with AES 128-bit encryption) / Yes
Apple iPhone / Yes (HTTP Live Streaming with AES 128-bit encryption) / Yes
Apple iTouch / Yes (HTTP Live Streaming with AES 128-bit encryption) / Yes
Device / Digital Output Protection? / Analog Output Protection? / All Output Protection Enabled by default?
Sony televisions / HDCP over HDMI; CCI (“Copy Control Information”) set to “Copy Never” / All analog outputs shall have CGMS enabled / Yes
(cannot be disabled)
Sony Blu-ray players / HDCP over HDMI; CCI (“Copy Control Information”) set to “Copy Never” / All analog outputs shall have CGMS enabled / Yes
(cannot bedisabled)
Panasonic televisions / Not Applicable
(no digital output) / Not Applicable
(no analog output) / Not Applicable
Panasonic Blu-ray players / HDCP over HDMI / Macrovision,
CGMS-A / Yes
(cannot be disabled)
Sony PlayStation 3 / HDCP over HDMI / CGMS-A / Yes
(cannot be disabled)
Microsoft Xbox 360 / HDCP over HDMI / CGMS-A / Yes
(cannot be disabled)
Apple TV / HDCP over HDMI / Not Applicable
(no analog output) / Yes
(cannot be disabled)
Apple iPad / None
(will not enable any Digital Output) / Not Applicable
(no analog output) / No
Apple iPhone / None
(will not enable any Digital Output) / Not Applicable
(no analog output) / No
Apple iTouch / None
(will not enable any Digital Output) / Not Applicable
(no analog output) / No
Table 1. Content Protection Summary for Hulu Device Applications
For the Apple iPad, iPhone, and iTouch, digital output protection is currently not supported by these devices. Therefore, Hulu will not enable digital output capabilities from within the iPad, iPhone, and iTouch applications. Specifically, the Hulu applications will not respond to the following OS notifications and create an output for these notifications:
- UIScreenDidConnectNotification
- UIScreenDidDisconnectNotification
- UIScreenModeDidChangeNotification
1