CMAF Brings Prospect of Secure End to end Encrypted Online Delivery

The recent emergence of CMAF (Common Media Application Format) as a new streaming format has been widely heralded as a major milestone for online video services. It has been welcomed across the whole spectrum of online streaming and CDN delivery for promising to create a common format, reducing costs and complexity by avoiding the need for multiple encodes and encryptions within a single service.

But what is just as significant and widely overlooked is that CMAF will fix a major security loophole in CDNs which arises from the complexities involved handling at least two different streaming protocols. Conversion on the edge has meant there have been a number of video files flowing around CDNs unencrypted “in the clear,” with the attendant risks of interception and misappropriation. CMAF avoids that by enabling streams to be encrypted all the way through the CDN.

Why CMAF after DASH?

The buzz around CMAF might seem puzzling to a casual observer of the evolving OTT video scene over the last six years or so, given that MPEG DASH had been trumpeted as the unifying format for streaming, incorporating CENC common encryption. DASH emerged as the OTT video industry was migrating towards adaptive bit rate streaming (ABRS) away from legacy protocols like RTMP, MMS and RTP that effectively required a near continuous end to end connection and failed to take account of varying network conditions.

Three alternative versions of ABRS emerged and gained significant traction, HTTP Live Streaming (HLS) from Apple, Microsoft’s Smooth Streaming and Adobe’s HTTP Dynamic Streaming (HDS).DASH was then released by MPEG in the hope it would take over from these three as a universal streaming protocol with common encryption and file format, but this never fully happened.

While Smooth Streaming has converged towards DASH as HDS has faded away, Apple has persisted with HLS. So given the huge population of MAC OS and iOS devices, content providers have had to maintain and deliver two separate silos of content. HLS requires video to be packaged in TS (transport stream) file containers, while DASH, although supporting TS, in practice normally uses ISO Base Media File Format (ISOBMFF) with a variant known as fragmented fMP4.

Content distributors therefore have to encode and store the same audio and video data twice, one version wrapped in TS containers and the other in fMP4. This doubles the cost of packaging and storage while consuming more network bandwidth and requiring support for two different DRM worlds.

Comprehensive Support for CMAF

CMAF does not unify online streaming at a single stroke but does take a huge stride forward, largely because this time all the major players are on board, with longstanding rivals Apple and Microsoft actually leading the charge together.

CMAF does not unify online streaming at a single stroke but does take a huge stride forward, largely because this time all the major players are on board

The key move given its reluctance to sign up to DASH was Apple’s announcement in June 2016 that it would incorporate fMP4 support in HLS. Since CMAF has evolved from fMP4, Apple is in effect aligning HLS with CMAF, bringing the prospect of a universal format for OTT distribution and playback. The significance of this development was quickly recognized by the CDN industry, as expressed in a seminal blog from Akamai published just five days after Apple’s ground breaking announcement.

CMAF does represent more of a jump for the Apple community than everyone else. While CMAF is almost identical to the file container that DASH already uses today and so requires little change to encoders, workflow or players there, for Apple it involves moving to a new type of container. This has had a galvanizing effect on the whole industry by instilling confidence that this time round OTT convergence around a common format and encryption is coming.

CMAF, DRM, and Encryption – Building Coherence

CMAF uses common encryption that is independent of the DRM. The encryption mechanisms are now described in the manifest files that also specify the various content components and the location of all alternative streams, rather than being buried in the media files.

In practice therefore the OTT worldwill still have to deal with two manifest formats after deploying CMAF, m3u8 for HLS and MPD for DASH. However that is a minor overhead compared to having two different segment formats as has been the case until now.

There is unfortunately another hangover from legacy that remains to be ironed out, relating to the encryption block cipher mode. This may be a technical detail but still splits the content into two camps, with the CBC mode on the HLS side and CTR for DASH. However these too are coming together and this process is likely to accelerate now there is good will on all sides.

CMAF and End-to-End Encrypted Workflow

Another key benefit is that CMAF avoids or at least reduces the compromise between security and efficient within the CDN, with previous models in effect imposing a choice between the two. On one hand they could be secure, but inefficient, because the different versions of the content would each be encrypted and stored separately, incurring processing and storage overhead. The alternative was to transcode and multiplex at the CDN edge, which was more efficient but complex and also insecure because it meant content could be exposed in the clear within the CDN.

CMAF resolves this by establishing the framework for end to end encrypted workflow from post production to client. This results both in greater security by avoiding exposure of clear files and also improved efficiency by cutting out the need to re-encode and re-encrypt during transmission.

With a common file format standard, the ecosystem will converge and a labor-intensive workflow to adjust to different delivery systems, client devices and service levels will hopefully become standardized. Content creators can then focus on encoding quality and security, leaving other players to handle discovery and delivery.Indeed a major attraction of CMAF for studios will be the ability to exert full quality control over the whole end-to-end path at the frame level, removing a major concern they have had over online distribution.

CMAF and Analytics

For Verimatrix as a revenue security specialist, CMAF dovetails neatly with our Verspective Operator Analytics solution, which adds value by enabling secure delivery with cross-platformreporting across multiple CDNs. We can then go further still by combining the CDNs with an operator’s VoD and client-side systems to provide secure end to end content delivery combining legacy broadcast with online channels, integrated into a single system for reporting and data analytics.