Why this matters

Every other article in this block explains one part of content protection; this one is where the parts become a system you can actually build and budget. If you are a media founder, product manager, or streaming engineer about to commission a platform that carries licensed studio content or live rights, a content owner will ask you a precise question — "show me your content-protection architecture" — and a vague answer loses the deal. The architecture also decides real money: get the encryption scheme wrong and you re-encode your whole catalog, put the license layer in the wrong place and you cannot scale to a premiere, skip watermarking and a studio will not license you 4K. This is the reference blueprint that answers the content owner, sizes the cost, and shows your engineers exactly where each secret lives and which standard governs each hop.

The whole protected-video picture in one view

Before the parts, the shape. A protected-video platform is the ordinary streaming pipeline — take in the source, build the quality ladder, wrap the segments, push them through a content delivery network, play them — with a protection system wired through it at four points. The simplest way to hold the whole thing in your head is to follow one video file from the studio to the screen and notice where protection touches it.

The source arrives and is encoded into an encoding ladder — the set of quality versions, from low to high bitrate, that lets the player pick what the network can carry, explained in The Encoding Ladder Explained. Those versions are wrapped into small segments in a single container format, CMAF (ISO/IEC 23000-19), so one set of files can serve every device, the packaging step covered in Packaging: CMAF, HLS, and DASH From One Mezzanine. At packaging time the protection system makes its first appearance: the packager encrypts each segment using a content key it fetched from a key service. The encrypted segments then sit on an origin, fan out across a CDN, and travel to the player completely in the open — anyone can download them, and without the key they are noise.

The key is the whole game, and it is delivered separately. When the player wants to start, it asks for a license — a small, signed message that carries the content key wrapped so that only a trusted component inside that specific device can open it. That request runs through the browser standard EME, hits your platform's gate to check the viewer is entitled, and is answered by a DRM license server. The device decrypts inside a protected module, plays the video, and — if you have enabled it — a forensic watermark stamps an invisible per-viewer identifier into the picture so a leak can later be traced. The diagram below is that whole journey on one canvas; every later section zooms into one band of it.

End-to-end protected-video reference architecture from encryption through multi-DRM licensing, playback, watermarking, and the anti-piracy loop. Figure 1. The protected-video reference architecture. The data plane (top) carries encrypted segments in the open; the protection plane (bottom) keeps keys, licenses, and identity inside a boundary and answers one license request per playback.

The one idea that organizes everything: the protection boundary

If you remember one concept from this article, make it the protection boundary. It is the imaginary line that separates what must stay secret from what is allowed to travel in the open, and almost every protection decision is really a question of which side of that line something belongs on.

Inside the boundary live the secrets: the content keys that unlock the video, the key-management service that stores them, the license server that hands them out under rules, and — at the far end — the content decryption module (CDM), a trusted piece of software or hardware inside the viewer's device that is the only place the key is ever unwrapped and the video is ever decrypted. Outside the boundary lives everything public: the encrypted segments on the CDN, the manifest that lists them, the player user interface, and the network in between. The encrypted segments are designed to be copied freely, because without a key from inside the boundary they decrypt to nothing.

This line is what makes the architecture safe to operate at scale. You can put your encrypted catalog on the cheapest, widest CDN in the world and never worry about it leaking, because the value is not in the segments — it is in the keys, which never ride along with them. Understanding the boundary also tells you exactly what digital rights management does not protect, a point worth stating plainly because it is the most common misunderstanding: protection stops the bytes from being copied and decrypted, but it cannot stop a camera pointed at the screen, because once the picture is light leaving a display it is past the last point the boundary can reach. That gap — the "analog hole" — is why watermarking exists, and why no honest architecture promises to stop piracy outright. We return to both. First, the boundary drawn.

The protection boundary separating the clear secret zone — keys, KMS, license server, device CDM — from the open public zone of encrypted segments on the CDN. Figure 2. The protection boundary. Keys and the license server sit in the secret zone; encrypted segments travel in the open zone; the device CDM is the only place outside your walls that the boundary extends to.

Layer 1 — Encrypt once, the right way

The foundation of the whole architecture is a single rule that saves you from the most expensive mistake in the field: encrypt the catalog once, and encrypt it in a way every device can read. Getting this wrong means re-encrypting everything later, so it is the first decision to make and the hardest to reverse.

The standard that makes "encrypt once" possible is Common Encryption, defined in ISO/IEC 23001-7 and explained in depth in CENC, CTR, and CBCS: Common Encryption Explained. Common Encryption lets one encrypted set of files be unlocked by any of the three major protection systems, so you do not make a separate encrypted copy for Google, Microsoft, and Apple. But the standard defines more than one scrambling recipe, and the choice between them is where platforms trip. The third edition (ISO/IEC 23001-7:2023) specifies four schemes; only two ship in practice. The cenc scheme uses the AES cipher in counter mode (AES-CTR). The cbcs scheme uses AES in cipher-block-chaining mode with pattern encryption — it scrambles a repeating fraction of each block of video rather than all of it. They produce different scrambled bytes, so a device can only read the recipe its system understands.

Here is the rule that decides the scheme: Apple FairPlay accepts only cbcs. Modern Widevine and PlayReady accept both. So the entire industry has converged on a single answer — encrypt once with cbcs, packaged as CMAF, and every device from an iPhone to a Samsung TV to a Chrome browser can play the same files. Choosing the older cenc (AES-CTR) scheme is the classic error: it works in your Android and Windows tests, ships to production, and then every Apple device shows a black screen, because FairPlay cannot read it. The fix is not a setting — it is re-encrypting the catalog. Decide cbcs on day one.

The content key the packager uses does not come from the packager itself; it is fetched from a key service, which brings us to the layer that most determines whether your architecture is actually secure.

Layer 2 — Key management: where the secrets live

Encryption is only as strong as the secrecy of the keys, so the key-management layer is the heart of the protection boundary. Two facts organize it: the keys are created and stored in one trusted place, and they reach the packager and the license server through a standardized handoff — never by being copied around by hand.

The trusted place is a key-management service (KMS): a hardened system whose only job is to generate, store, and release content keys under tight access control. When a title is packaged, the packager does not invent a key; it requests one from the key service. The standard that defines this request — the format in which keys and protection metadata move between the key service and the packager — is the DASH-IF Content Protection Information Exchange format, or CPIX. CPIX is an XML document that carries the content keys and the per-system signaling the packager needs, and it can itself be encrypted and signed so the keys are protected in transit. For all DASH-IF members it is the standard for key exchange between a packager and a DRM solution. AWS built a widely adopted API on top of it, SPEKE (Secure Packager and Encoder Key Exchange), which uses the CPIX data structure to deliver keys to AWS Elemental packagers; naming both is useful because you will meet CPIX as the concept and SPEKE as one common implementation.

The second half of key management is the rule that defines the boundary: the content key is never exposed to the player, the page, or the network in the clear — only to the trusted module inside the device, and only wrapped. When the license server answers a request, it does not send a naked key. It sends the key encrypted so that only the content decryption module of that specific device can unwrap it, inside its protected environment, where your code never sees it. This is why a streaming platform can be entirely client-side in its playback and still be secure: the one secret that matters is handled by a component you do not control and cannot read, by design. An architecture that ever logs a content key, embeds it in a manifest, or passes it through application JavaScript has punctured its own boundary, and no amount of CDN security compensates.

Two-phase key flow: at packaging time the key service delivers keys to the packager via CPIX/SPEKE; at playback the device requests a wrapped key through the license proxy and entitlement gate. Figure 3. Keys move twice and only twice: into the packager at packaging time (CPIX/SPEKE), and into the device's decryption module at playback time (wrapped license). They never touch the player code or the open network in the clear.

Layer 3 — The license layer: multi-DRM, the entitlement gate, and the proxy

With segments encrypted and keys safe, the architecture needs to answer the one runtime question that happens on every single play: should this viewer get the key right now, and in what form? That is the license layer, and it has three parts that beginners often collapse into one.

The first part is the multi-DRM license server, which issues licenses across all three systems. No single protection system covers every device — Widevine runs on Android and Chrome, PlayReady on Windows, Xbox, and most smart TVs, FairPlay on Apple — so a real platform must speak all three, the device reality laid out in The Three DRM Systems: Widevine, PlayReady, FairPlay and stitched into one workflow in Multi-DRM: One Workflow, Every Device. Each system has its own dialect of the request — Widevine has a license request, PlayReady a challenge, FairPlay an SPC/CKC exchange — but the shape is identical: the device asks, the server checks, the server returns the wrapped key. Because of the cbcs foundation in Layer 1, all three serve from the same encrypted files; multi-DRM means many licenses, not many encodes.

The second part is the entitlement gate, and architecturally it is the most important box in the whole diagram, because it is where business rules meet protection. The license server's job is cryptographic; the entitlement service's job is to answer "is this account allowed to watch this title, on this device, right now?" — has the subscription lapsed, is the rental window open, is the account over its concurrent-stream limit, is the title available in this country? This is the same entitlement service that governs billing and access, described in Subscription Billing and Entitlement, and the cardinal rule of the architecture is that the license request must pass through the entitlement check before a key is ever issued. A platform that issues licenses without an entitlement gate has DRM that protects the file from strangers but not from its own lapsed subscribers.

The third part is the license proxy: a thin service of yours that sits between the player and the DRM license server. The player talks to your proxy; your proxy authenticates the session, calls the entitlement service, and only then forwards the request to the license server (often a third-party multi-DRM service) and relays the response. The proxy is what lets you keep entitlement logic and credentials on your side while using a managed license server, and it is the natural place to attach the rules from License Policy: Rentals, Offline, Output Control, and Rights — how long the key is valid, whether offline playback is allowed, and what output protection is required.

Layer 4 — The client: EME, the CDM, and the security-level reality

The architecture ends inside the viewer's device, where two standards and one hardware fact decide what actually plays. This is the layer founders underestimate, because it is where the clean diagram meets the messy reality of thousands of device models.

In a browser, the player reaches the protection system through Encrypted Media Extensions (EME), a W3C Recommendation (2017) that is the standard JavaScript interface between a web player and the device's decryption module, detailed in Encrypted Media Extensions and the Browser DRM Stack. EME does not decrypt anything itself; it is the wiring that lets the player hand encrypted data and license messages to the content decryption module (CDM) — the trusted black box (Widevine in Chrome, PlayReady in Edge, FairPlay in Safari) that does the actual unwrapping and decryption out of reach of your code. EME works alongside Media Source Extensions (MSE), the companion W3C standard that lets the player feed adaptive segments to the video element. Together they are why DRM-protected adaptive streaming works in a browser at all, without a plug-in.

The hardware fact is security levels, and it directly controls picture quality. Each protection system defines a strong, hardware-backed level and a weaker, software-only level. Widevine's hardware level is L1 (decryption happens inside a hardware Trusted Execution Environment, a protected zone in the chip); its software level is L3. PlayReady's equivalents are SL3000 (hardware) and SL2000 (software). FairPlay relies on Apple's hardware Secure Enclave. The consequence is the rule that surprises every first-time platform owner: content owners tie maximum resolution to the security level. Studios licensing 4K Ultra HD typically require the hardware level — Widevine L1, PlayReady SL3000, or FairPlay on Apple hardware — and a separate output-protection standard, HDCP 2.2 or later, on the connection to the display. A device with only software DRM (Widevine L3, PlayReady SL2000) is generally capped to standard definition by the same rules. Your architecture must therefore read the device's security level at license time and issue a license whose resolution cap matches what the content owner allows — the entitlement gate and license policy doing their job. The map below is the one every platform must satisfy.

Device-to-DRM and security-level map showing which protection system, security level, and HDCP requirement each device class needs, with the resolution each unlocks. Figure 4. The device-to-DRM map. Each device class maps to a protection system and a security level; the hardware level plus HDCP 2.2+ unlocks 4K, while software-only DRM is capped to SD by studio rules.

One dated, important detail belongs here because it is exactly the kind of moving part an architecture must plan for. In June 2026 Microsoft shipped PlayReady 4.8 with a new device-certificate revocation list at a new address, in response to a 2025 leak of the device keys that protect 4K — and because the PlayReady client is frozen into each smart-TV's firmware at the model year it shipped, almost all of the migration work lands on your license server, not the TVs. The full dated playbook is in The PlayReady-on-Samsung 2026 Migration; the architectural lesson is that the license layer must be built to update revocation and policy without depending on devices you cannot upgrade.

Layer 5 — Attribution and operations: turning a wall into a loop

The four layers above are a wall: they keep honest devices honest and stop the encrypted bytes from being copied. But a determined leaker can still capture the decrypted picture — the camera-on-a-screen gap the boundary cannot close — so a complete architecture adds two more layers that assume some leakage will happen and plan to trace and respond to it.

The first is forensic watermarking, which embeds an invisible, per-viewer identifier into the video so that a leaked copy can be traced back to the account or session it came from, explained in Forensic Watermarking: Tracing the Leak. It does not prevent the leak; it makes the leak attributable, which both deters insiders and satisfies the studios that require it for premium and early-window content. Architecturally it sits at or near the edge of delivery, stamping each session's stream, and it produces the evidence the final layer consumes.

The second is anti-piracy operations, the running loop of monitoring the open internet for your content, extracting the watermark to identify the source, and acting to remove or cut off the leak, covered in Anti-Piracy Operations: Monitoring and Takedown. This is the layer that reframes the whole architecture from a wall into a loop: prevention (encryption and DRM) and attribution (watermarking) are installed once, but operations runs continuously — monitor, identify, decide, act — and is what converts a pile of protection technology into actual enforcement. The honest framing for any content owner is that the loop does not eliminate piracy; it raises the pirate's cost, protects the high-value window, and meets the contractual obligations that come with a licensed catalog.

Defense-in-depth stack: encryption, multi-DRM licensing, output protection, forensic watermarking, and anti-piracy operations, each labeled with what it stops and what it does not. Figure 5. Defense in depth. Each layer stops a different attack and none is sufficient alone; the architecture is the set, with operations as the running loop that closes the gap the others cannot.

A worked example: the cost of getting Layer 1 wrong, and sizing the license layer

Two numbers make the architecture concrete. The first prices the single most common mistake; the second sizes the one service that must not fall over during a premiere. Walk through both with the arithmetic shown.

The "encrypt once" saving. Suppose you carry a 10,000-hour catalog, encoded into a six-rung ladder, and the average encrypted size across the ladder works out to about 3 GB per hour of content. The naive belief that "multi-DRM means three encrypted copies — one for Widevine, one for PlayReady, one for FairPlay" implies you store and manage three full encrypted catalogs:

naive storage  = 10,000 hours × 3 GB/hour × 3 copies = 90,000 GB = 90 TB

The reality, because Layer 1 encrypts once with cbcs and all three systems license from the same files, is a single encrypted catalog:

correct storage = 10,000 hours × 3 GB/hour × 1 copy = 30,000 GB = 30 TB
saved           = 90 TB − 30 TB = 60 TB of stored, replicated, CDN-distributed data

The saving is not just two-thirds of storage; it is two-thirds of the data you push to the origin and pay a CDN to distribute, every byte of which recurs. The architectural decision in Layer 1 is what produces the saving — and the platform that chose cenc and later discovered FairPlay is the one paying to re-encrypt all 10,000 hours.

Sizing the license server for a premiere. The license layer answers one request per playback start, so size it against your worst concurrency, not your average. Say a popular live premiere drives 200,000 viewers to press play within a two-minute window. Each start is one license request:

requests       = 200,000 starts ÷ 120 seconds ≈ 1,667 license requests/second (peak)

That peak — not the daily total — is what your license proxy and entitlement service must serve without adding seconds to startup, because a license request sits directly in the path between pressing play and seeing video. The lesson is architectural: the entitlement gate and proxy must scale horizontally and cache entitlement decisions, or the protection layer becomes the thing that ruins the premiere it was meant to protect. The delivery side of the same spike is covered in Live Event Delivery and the Premiere Spike; the protection side is this license-request math.

The architecture as a component table

A reference architecture has to be buildable, so here is the whole protection system as a parts list. The last column is the one to read first: what you should own and run yourself versus what you can safely buy as a managed service. The pattern across the section holds — own the parts that carry your business logic and your secrets' policy; buy the commodity cryptographic machinery.

Component Standard / protocol Typical implementation Layer Own it?
Encryption (scheme) cbcs CENC (ISO/IEC 23001-7) Packager-applied at packaging time Encrypt Yes — decide cbcs day one
Packaging container CMAF (ISO/IEC 23000-19) Shaka Packager, managed packager Encrypt Recommended
Key-management service Vendor / cloud KMS Cloud KMS, multi-DRM service vault Keys Yes — the secret store
Key handoff to packager DASH-IF CPIX (+ AWS SPEKE) CPIX/SPEKE exchange Keys Buy (standardized)
Multi-DRM license server Widevine / PlayReady / FairPlay Axinom, EZDRM, BuyDRM, PallyCon, Verimatrix License Usually buy
License proxy Your API Custom service License Yes — your boundary
Entitlement service Internal API Single first-class service License Yes — never per-player
Browser playback API W3C EME + MSE Shaka Player, hls.js, dash.js Client Yes (integrate)
Decryption module (CDM) Widevine / PlayReady / FairPlay Built into the device Client Device-supplied
Output protection HDCP 2.2 / 2.3 Enforced by device + license policy Client Policy you set
Forensic watermarking A/B or edge watermarking NexGuard, Verimatrix, Irdeto Attribution If premium/live
Anti-piracy operations DMCA 17 U.S.C. § 512, EU DSA Monitoring + takedown loop Operations Run it (or managed)

Build vs buy the protection layer

The table's last column adds up to a clear default. Buy the cryptographic machinery; own the boundary. The multi-DRM license server, the CPIX/SPEKE key handoff, and the watermarking engine are commodity, security-critical, and constantly maintained against new device certificates and revocations — building them in-house means re-implementing the work of specialist vendors and owning the liability when a device leak (like the 2025 PlayReady key leak) forces a scramble. By contrast, the license proxy, the entitlement service, and the policy that ties resolution to security level are your business logic and your secrets' rules; they must live on your side of the boundary, because they encode who may watch what, and no vendor can own that for you. The pragmatic architecture for almost every platform is a managed multi-DRM service for the license server and key vault, wrapped by your own proxy and entitlement gate, with watermarking added when a content owner requires it. The full reasoning, applied to the whole platform rather than just protection, is in Build, Buy, or Assemble: OTT Platform Build-vs-Buy.

Common mistakes

The failures in protected-video are almost never broken cryptography; they are architectural, and each maps to a layer above.

  • Encrypting with cenc instead of cbcs. It passes Android and Windows tests, then every Apple device shows a black screen because FairPlay reads only cbcs. The fix is re-encrypting the catalog — decide cbcs on day one.
  • Letting a key touch the player. Logging a content key, embedding it in a manifest, or passing it through page JavaScript punctures the protection boundary. Keys go only to the device's decryption module, wrapped.
  • Issuing licenses without an entitlement gate. DRM then protects the file from strangers but not from your own lapsed, over-limit, or out-of-region accounts. The license request must pass the entitlement check first.
  • Ignoring security levels. Promising 4K to a device with software-only DRM fails the studio's robustness rule; the license must read the level and cap resolution accordingly, with HDCP 2.2+ for premium.
  • Treating DRM as the whole strategy. Encryption stops byte-copying, not a camera on a screen. Premium and live catalogs need watermarking and an operations loop, not a taller wall.
  • Building what you should buy. Hand-rolling a multi-DRM license server means owning device-certificate and revocation churn (e.g. PlayReady 4.8, 2026) forever. Buy the machinery; own the boundary.

Where Fora Soft fits in

The platforms that need this most are the ones carrying a licensed studio catalog or live rights to a large, multi-device audience, where the protection architecture has to satisfy a content owner's robustness requirements and scale to a premiere without adding seconds to startup. Fora Soft has built video streaming, OTT and Internet-TV, live-event, video-conferencing, e-learning, telemedicine, and video-surveillance systems since 2005 — more than 625 projects for 400-plus clients across 20-plus years — and the engineering that matters here is the integration: choosing cbcs/CMAF so one encode serves every device, wiring a CPIX/SPEKE key handoff into the packager, building the license proxy and entitlement gate that keep your access logic and secrets' policy on your side of the boundary, reading device security levels to match resolution to the studio's rules, and closing the loop with watermarking and an anti-piracy operation. We are vendor-neutral about which multi-DRM, KMS, or watermarking service you license; the deliverable is a content-protection architecture that meets the content owner's requirements and that your paying viewers never feel.

What to read next

Download the Multi-DRM Integration Reference Pack (PDF)

Call to action

References

  1. ISO/IEC 23001-7:2023 — Common Encryption in ISO base media file format files (3rd edition). The controlling standard for "encrypt once." Defines the four Common Encryption schemes — cenc (AES-CTR full/subsample), cbc1, cens, and cbcs (AES-CBC pattern encryption) — the metadata boxes, and the rule that lets one encrypted file feed multiple DRM and key-management systems. The basis for the cbcs-everywhere foundation and the FairPlay-needs-cbcs constraint. Tier 1 (official standard). https://www.iso.org/standard/84637.html — accessed 2026-06-17.
  2. W3C Encrypted Media Extensions (EME) — W3C Recommendation, 18 September 2017. The browser standard that wires a web player to the device's Content Decryption Module (CDM), enabling DRM-protected playback without a plug-in. The basis for the client layer and the CDM-as-trusted-module framing. Tier 1 (official W3C Recommendation). https://www.w3.org/TR/encrypted-media/ — accessed 2026-06-17.
  3. W3C Media Source Extensions (MSE) — W3C Recommendation, 17 November 2016. The companion standard to EME that lets a web player feed adaptive segments to the video element; together they make protected adaptive streaming work in a browser. Tier 1 (official W3C Recommendation). https://www.w3.org/TR/media-source/ — accessed 2026-06-17.
  4. ISO/IEC 23000-19 — Common Media Application Format (CMAF). The single fragmented-MP4 container that lets one set of encrypted segments serve both HLS and DASH, the packaging foundation that makes "encrypt once, deliver everywhere" practical. Tier 1 (official standard). https://www.iso.org/standard/85623.html — accessed 2026-06-17.
  5. DASH-IF Implementation Guidelines: Content Protection Information Exchange Format (CPIX). The XML format for exchanging content keys and DRM signaling between a key/DRM system and a packager — the standard key handoff into Layer 1/2. The document itself can be encrypted, signed, and authenticated. The DASH-IF standard for packager-to-DRM key exchange. Tier 2 (issuing-body interoperability guideline). https://dashif.org/CPIX/ — accessed 2026-06-17.
  6. AWS Elemental — Secure Packager and Encoder Key Exchange (SPEKE) API specification. A widely adopted implementation built on the DASH-IF CPIX data structure, delivering keys and DRM signaling from a DRM system to AWS Elemental encryptors/packagers for FairPlay, PlayReady, and Widevine/CENC. The concrete example of the CPIX key handoff in Figure 3. Tier 3 (first-party standard author / cloud vendor). https://docs.aws.amazon.com/speke/latest/documentation/the-speke-api.html — accessed 2026-06-17.
  7. Google Widevine — DRM architecture and security levels (L1/L2/L3). First-party documentation for the Widevine system: the license-request flow and the hardware (L1, TEE) versus software (L3) security levels that gate resolution. The basis for the security-level reality in Layer 4. Tier 3 (first-party vendor). https://developers.google.com/widevine/drm/overview — accessed 2026-06-17.
  8. Microsoft PlayReady — security levels (SL2000/SL3000) and client-server compatibility / migration. First-party documentation for PlayReady's hardware (SL3000) and software (SL2000) levels and the server-side migration model; the source for the smart-TV hardware-level reality and the PlayReady 4.8 (June 2026) revocation change referenced in Layer 4. Tier 3 (first-party vendor) — dated; re-verify at re-baseline. https://learn.microsoft.com/en-us/playready/overview/client-server-compatibility — accessed 2026-06-17.
  9. Apple — FairPlay Streaming overview and HLS authoring. First-party documentation for FairPlay: the SPC/CKC license exchange, the cbcs-only requirement, and Secure Enclave hardware protection on Apple devices. The basis for the FairPlay constraints across Layers 1, 3, and 4. Tier 3 (first-party vendor). https://developer.apple.com/streaming/fps/ — accessed 2026-06-17.
  10. Digital Content Protection LLC — HDCP 2.3 specification (output protection). The output-protection standard required on the link to the display for premium resolutions; HDCP 2.2/2.3 is the studio condition for 4K, with non-compliant chains capped to lower resolution. The basis for the output-protection row in Layer 4 and the component table. Tier 1 (specification owner). https://www.digital-cp.com/hdcp-specifications — accessed 2026-06-17.
  11. 17 U.S.C. § 512 — DMCA notice-and-takedown. The U.S. statutory basis for the takedown half of the anti-piracy operations layer (Layer 5), included because the operations loop closes the architecture. Tier 1 (official statute). https://www.copyright.gov/512/ — accessed 2026-06-17.
  12. Mux — Multi-DRM for developers: Widevine, FairPlay, and PlayReady. First-party engineering orientation corroborating the device-to-DRM map, the encrypt-once/license-many model, and security-level practice; used for orientation, with all spec claims traced to refs. 1–10. Tier 4 (vendor engineering). https://www.mux.com/articles/multi-drm-video-streaming-widevine-fairplay-playready — accessed 2026-06-17.

Per the section's source hierarchy, every protection mechanism traces to a tier-1 primary: Common Encryption and the cbcs scheme to ISO/IEC 23001-7:2023 (ref. 1), the browser DRM stack to W3C EME and MSE (refs. 2–3), the single-container foundation to CMAF (ref. 4), and output protection to HDCP (ref. 10), with the takedown layer to 17 U.S.C. § 512 (ref. 11). The key-handoff standard is the DASH-IF CPIX interoperability guideline (ref. 5) with AWS SPEKE as its widely adopted implementation (ref. 6). Vendor-specific behavior (security levels, the PlayReady 4.8 2026 revocation change, FairPlay's cbcs-only rule) is cited to first-party docs (refs. 7–9) and dated for re-verification. One common error is corrected against the spec: "multi-DRM means three encodes" — per ref. 1, one cbcs encode serves all three systems; multi-DRM means many licenses, not many encodes. DRM and content protection are this section's unique core; every internal link stays in-section (articles-ott).