algorithm-design protocol-design tokenization
Updated Sat, 04 Jun 2022 21:13:52 GMT

DRM simple clone

I have been trying to encrypt media(Video and audio content) from a nodejs server to a client like android or iOS. I heard of DRM but could not get a reliable implementation of DRM.

I wanted to make my own implementation of protecting my content, But am not sure issues i would have with my implementation.


Clients like android would first get authenticated from my server, then my server would pass a token to the android client, then this android client would request for the protected media with some request like


Where id is the video content id and the token in this case is like the key, if the client doesn't have a valid token then the data will not be given to client.

QUESTION: Will this implementation work, can it protect my content from unauthorised clients, what are some of the drawbacks of using this?


I heard of DRM but could not get a reliable implementation of DRM

There is a good reason for this: DRM is a hard problem, and a solution to it could be leveraged to obtain incredible amounts of money. Doing a cursory search for "why DRM doesn't work" yields an abundance of articles explaining the whats and whys.

To win at DRM, let's say you have some piece of information you want only particular clients to have limited/regulated access to. The problem is that information can be copied, so once a client has received the information in question, you need some way to prevent them from copying it. If they can copy it, then they can save the data for a later time, or share it with others en masse.

Assuming that clients have complete control over the device that receives/displays the information, there is little that you can do to prevent them from copying the information using the device itself.

Practical solutions to DRM include:

  • Treacherous hardware (hardware that the user does not have complete control over)
  • Physically restricted access to the information
    • Secure storage facilities and/or armed guards
  • Legal recourse against clients who breach the terms/agreement regarding the data

Will this implementation work, can it protect my content from unauthorised clients, what are some of the drawbacks of using this?

If your goal is to be the exclusive provider of the protected information, then your implementation probably will not succeed - This not because authenticating clients and associating their permissions with session tokens is no good, but because preventing clients from sharing the information after it has been received is very difficult.

You can prevent unauthorized clients from capturing the content off the network as it streams to the the authorized client by encrypting the content - However, you are still trusting the client to not share/record the content, once it is decrypted.

Drawbacks of DRM measures generally may include a less positive user experience - Successful DRM measures are generally invasive.

Comments (5)

  • +0 – Should i say DRM is only meant for the big players, i mean how does netflix protect it's content, there must be some huge amounts of money spent by these companies — Apr 27, 2017 at 00:02  
  • +2 – Stealing "treacherous hardware"... — Apr 27, 2017 at 00:46  
  • +7 – @Tuna What prevents users from doing a screen capture of a netflix video and seeding a torrent of it? The answer is very little, unless you have control of their hardware, physical presence to ensure they don't copy/seed anything, and/or identification+legal recourse against perpetrators. The "big players" appear to mostly rely on the latter in practice - netflix streams are not accompanied by armed guards from netflix, and you can watch netflix on pretty much any kind of hardware, so the other two options don't appear to see as much use in consumer media/software.. — Apr 27, 2017 at 03:19  
  • +4 – Great answer. I think the less-positive-UX aspect is slightly underplayed, it's one of the major reasons why folks pirate content. It's frequently not that users don't want to pay, it's more that it's often a pain to do so. It's why services with low UX barriers for payment are successful. If your prices are reasonable and your DRM isn't awful UX, your chances of avoiding unauthorized sharing are greater. E.g. if you provide content that people will want to share, make a painless way to share it. E.g. Add a one-click payment form with PayPal support to sharable content links. Things like that. — Apr 27, 2017 at 04:14  
  • +3 – @Muzer: which leads to practical solution #5: Make the content so worthless that nobody will bother. Hollywood appears to have been applying this solution for some time. — Apr 27, 2017 at 11:23