What is Widevine CDM (Content Decryption Module)?

Learn what Widevine, Widevine CDM and DRM are and what we use them for.

Widevine CDM (Content Decryption Module): What is it and what do we use it for?

Widevine DRM was initially developed by the Widevine company, which was later bought by Google in 2010, to provide a secure media streaming service. It is supported natively by all of the major browsers, Android and other consumer devices. Its goal is to protect the provided content from unauthorized use. It supports various security levels that restrict consumers' access to the distributed media content according to the rules determined by the content owners.

Widevine DRM is used by streaming services like Netflix, HBO, Disney+, Prime Video, Hulu, Sling, DirecTV and many others. It is free to use by content providers and as such does not require any fees for license generation or device integration.

Widevine supports both the HTTP Live Streaming (HLS) and Dynamic Adaptive Streaming over HTTP (DASH) protocols for media content delivery, as well as Common Media Application Format (CMAF), Common Encryption (CENC) and HTML5 standards such as Encrypted Media Extensions (EME) and Media Source Extensions (MSE).

How Widevine protects the media content

Content providers can choose between the following three security levels:

  • Level 3 (L3) - This is the lowest supported level of protection, where the DRM is entirely software-based. There is no Trusted Execution Environment (TEE) for the DRM cryptographic operations to run in, and in most cases the video resolution is limited to 480p.
  • Level 2 (L2) - This is the middle level of protection, where cryptographic operations run inside the TEE but media processing happens outside of the TEE, in software or on dedicated hardware. In most cases, the video resolution is limited to 540p.
  • Level 1 (L1) - This is the highest level of protection, where the cryptographic operations and media processing are done entirely in the TEE. There are no limits to the video resolution, and video is normally played at the highest possible resolution.

TEE is a secure part of the device's main processor that guarantees that the code and the data loaded inside are protected with respect to confidentiality and integrity. Code and data under confidentiality protection inside of TEE cannot be seen or accessed by unauthorized entities. On the other hand, code and data under integrity protection inside of TEE cannot be modified or replaced by unauthorized entities.

Widevine security levels.

How can media players access Widevine-protected media content?

The media player accesses media content protected with Widevine by acting as a mediator between the Content Decryption Module (CDM) and the Widevine DRM license server. The player itself is not able to read the encrypted license or media.

The following steps are necessary to decrypt media successfully for playback:

  1. Media is received from the Content Delivery Network (CDN): When media playback is requested in a browser, the browser determines whether the media is encrypted or not. After this, the initialization data (initData) is sent by the browser to the media player.

  2. Data is passed to the Content Decryption Module (CDM): When the media data is encrypted, it is sent from the media player to the CDM.

  3. Player receives the license request from the CDM: When the CDM receives the data from the media player, it creates a license request and then sends it back to the media player.

  4. Widevine license server receives the request from the media player: The Widevine license server receives the license request from the media player.

  5. Media player receives the license from the server: The Widevine license server sends the requested Widevine license to the media player in an encrypted message.

  6. CDM receives the license from the media player: The media player forwards the Widevine license it received to the CDM.

  7. OEMCrypto module receives the data from the CDM: The CDM sends the encrypted data and the received Widevine license to the OEMCrypto module, which does the actual decryption of the data.

  8. Media player receives the media chunks from OEMCrypto module: OEMCrypto module decrypts and decodes the media data and sends it to the media player in small parts or chunks, which the media player can play while ensuring the security of the content.

Widevine DRM Media Playback Security Model.
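
The player's side of steps 1 to 6, as an added example that is not part of the original article. It uses the standard Encrypted Media Extensions (EME) API; the license URL is a placeholder, and `setupWidevine` with its `nav`, `video` and `fetchImpl` parameters is a hypothetical helper. Steps 7 and 8 happen inside the CDM and the OEMCrypto module and are not visible to this code.

```javascript
// Added example: steps 1-6 seen from the player, using the standard EME API.
// LICENSE_URL is a placeholder. nav, video and fetchImpl are parameters so the
// same function runs in a browser (navigator, <video>, fetch) or with stand-ins.
const LICENSE_URL = 'https://license.example.invalid/widevine'; // placeholder
const KEY_SYSTEM = 'com.widevine.alpha';
const CONFIG = [{
  initDataTypes: ['cenc'],
  videoCapabilities: [{
    contentType: 'video/mp4; codecs="avc1.42E01E"',
    // Software-only robustness; a hardware-backed request would use HW_SECURE_ALL.
    robustness: 'SW_SECURE_CRYPTO',
  }],
}];

async function setupWidevine(nav, video, fetchImpl, licenseUrl = LICENSE_URL) {
  const access = await nav.requestMediaKeySystemAccess(KEY_SYSTEM, CONFIG);
  const mediaKeys = await access.createMediaKeys();
  await video.setMediaKeys(mediaKeys);
  const log = []; // relay events in the order they happen

  // Step 1: the browser detects encrypted media and hands initData to the player.
  video.addEventListener('encrypted', async (ev) => {
    const session = mediaKeys.createSession();
    // Step 3: the CDM returns an opaque license request to the player.
    session.addEventListener('message', async (msg) => {
      log.push('license-request');
      // Steps 4-5: the player relays it to the license server and gets the license.
      const resp = await fetchImpl(licenseUrl, { method: 'POST', body: msg.message });
      if (!resp.ok) {
        log.push(`license-refused:${resp.status}`); // no keys, playback stays blocked
        return;
      }
      // Step 6: the player forwards the still-opaque license to the CDM.
      await session.update(await resp.arrayBuffer());
      log.push('license-installed');
    });
    // Step 2: the player passes the initData to the CDM.
    await session.generateRequest(ev.initDataType, ev.initData);
  });
  return log;
}
```

In a browser this would be called as `setupWidevine(navigator, videoElement, fetch)`; the player only ever handles the license request and the license as opaque buffers.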

How does the Widevine DRM platform work?

Widevine DRM provides an end-to-end solution for protecting media content streamed over the network. It includes all the components, from content preparation to streaming on any device.

The platform starts by preparing the media with Shaka Packager for adaptive streaming. Once the media of different quality is prepared, it is then encrypted with a license and stored on CDN servers.

When the media player requests the media for playback, it receives the encrypted media from the CDN servers and a license for decryption from the license server.

Encrypted media is then sent to the device's CDM, which provides secure media playback with the OEMCrypto module.

Widevine DRM Platform.


DRM, or Digital Rights Management, is a set of techniques often used to protect copyrighted works and media.
