DRM content encryption
    • PDF

    DRM content encryption

    • PDF

    Article summary

    One Click Multi DRM provides functions to encrypt DRM content, including Live Station, using the API based on CPIX.

    Note
    • CPIX API is an API implemented according to the Content Protection Information Exchange Format (CPIX) Standard Guide as defined by the DASH Industry Forum. It defines specifications that integrate the keys required to apply multi-DRM in the process of packaging media content.
    • You can use the API to easily integrate the encoder/transcoder solution that supports keys based on CPIX with PallyCon Multi DRM.
    • You must activate the site after creating it to issue a license.
    • One Click Multi DRM supports effortless integration with NAVER Cloud Live Station products. For details on the integration, see Live Station DRM application guide.

    Apply content encryption to use One Click Multi DRM

    TypePathDescription
    PallyCon CPIX APIGo to Pallycon CPIX client guideA CPIX API implemented by PallyCon that the encoder/transcoder solution vendors can use to integrate with PallyCon Multi DRM. Flussonic Media Server is integrated using PallyCon CPIX API
    SPEKE APIGo to SPEKE guideA CPIX API implemented by AWS Elemental that can be pre-integrated with PallyCon to easily apply PallyCon Multi DRM to MediaPackage or MediaConvert products of AWS Elemental Media Service. For more information about SPEKE API integration, see the guide
    ATEME NEA-DVR CPIX APIGo to the guideA CPIX API implemented by Anevia (acquired by ATEME) that can be pre-integrated with the NEA-DVR solution to easily apply PallyCon Multi DRM
    Note
    • The PallyCon CPIX API client provides pre-implemented CPIX client modules for each key development languages.
    • These modules implement the functions of generating request data and interpreting response data in XML format for communication with the KMS server.

    Specifications supported by Pallycon CPIX API

    Currently, the PallyCon CPIX API client supports the following specifications:

    ItemsSupported specificationsDescription
    Development languageC++, C#, Java, PythonProvides language-specific samples for DRM packaging integration development environments
    DRM typeWidevine, PlayReady, FairPlay, NCG, HLS_NCG- NCG: used to encrypt the entire target file with NCG which is PallyCon’s proprietary DRM
    - HLS_NCG: NCG-compliant key encryption of AES-128 encrypted HLS content
    Encryption methodCENC, CBC1, CENS, CBCSTypically specifies CENC or CBCS, depending on the AES encryption method supported by the client platform
    Track typeALL_TRACKS, AUDIO, SD, HD, UHD1, UHD2Used for multi-key packaging to apply different encryption keys per track

    You can only use 2 encryption methods for multi-DRM content:
    CBCS and AES-CBC (AES-CBC with subsample).
    CENC is used for packaging DASH content that supports PlayReady and Widevine DRM, and CBCS encryption must be applied when packaging HLS or CMAF that requires FairPlay support.

    Encryption methodProtocolDRM typeEncryption algorithmSupported devices
    DRMHLSFairPlayAES-CBCMac/iOS Safari browser, iOS/iPadOS/tvOS app, HLS HTML5
    DRMDASHPlayReady, WidevineCENC (Common Encryption)MS Edge, Internet Explorer 11, Google Chrome, Firefox, Opera DASH HTML5

    One Click Multi DRM use flow

    • STEP 1. Prepare the encrypted DRM content.
    • STEP 2. Refer to the encrypted DRM content settings, such as contentId and drmType, to request the issuance of One Click Multi DRM license from the client.
    • STEP 3. The client (player) plays the DRM content.
    Caution

    The license applied with detailed playback/security rules according to the "Policy" used by the One Click Multi DRM site is issued.
    If the requested license information and the encrypted DRM content information are not identical, the playback may not be successful.

    DRM content encryption

    The following is the encryption method for the preparation of the DRM content.
    For the DRM content encryption, you must first create a Multi DRM site through the NAVER Cloud Platform console or API. For details on the PallyCon CPIX client, see the guide.

    Live content DRM encryption

    1. When using Live Station
      • step 1. Create a site using One Click Multi DRM.
      • step 2. Go to Live Station > DRM settings and select the created site to create a channel for Multi DRM encryption.
    2. When not using Live Station
      • step 1. At the key request URL by API, including PallyCon CPIX API or SPEKE API, used for content DRM encryption, add and call the KMS token obtained via the One Click Multi DRM site details.
      • step 2. Through the issued CPIX JSON response, obtain the encryption data for content encryption.
      • step 3. Enter the DRM encryption information obtained from the CPIX API response to the solution integrated with various third-party encoder/transcoder/packager solutions.

    Note. DRM encryption information obtained from the CPIX API response

    Field nameDescription
    key_id_hex, key_id_b64, key_hex, key_b64, iv_hex, iv_b64Represents the Key ID, Key, and IV values in hexadecimal or Base64 format, respectively.
    psshThe PSSH data used by PlayReady or Widevine (including header).
    pssh_payload_onlyThe portion of the payload with headers removed from the pssh data.
    key_uriThe value of the URI parameter contained in the #EXT-X-Key tag of a FairPlay DRM-enabled HLS m3u8 file.

    VOD content DRM encryption

    • DRM encryption through VOD Station only supports CPIX v1.
    • During 2024, we plan to support the effortless DRM integration between One Click Multi DRM product and VOD Station.
    1. When using VOD Station
      • step 1. Create a VOD Station channel for the Multi DRM encryption.
      • step 2. When creating the channel, enter the necessary value for VOD Station DRM encryption settings.
        • Content ID: it is a unique identifier for DRM-packaged content, and the Content ID value to be included in the XML Body when requesting the CPIX API.
        • DRM System ID: it is a unique identifier for DRM system, and the System ID to be included in the XML Body when requesting the CPIX API. 1 or 2 system IDs have to be included according to the selected encryption settings. Enter 1 ID per line.
          • \<example> 9A04F079-9840-4286-AB92-E65BE0885F95, EDEF8BA9-79D6-4ACE-A3C8-27DCD51D21ED
        • DRM Key URL: it is the URL requested by CPIX API. Insert the KMS token obtained from the Multi DRM site into the path and enter it.
          • \<example> https://kms.pallycon.com/v1/cpix/pallycon/getKey/{kmsToken}
    2. When not using VOD Station
      • step 1. At the key request URL by API, including PallyCon CPIX API or SPEKE API, used for content DRM encryption, add and call the KMS token obtained via the One Click Multi DRM site details.
      • step 2. Through the issued CPIX JSON response, obtain the encryption data for content encryption.
      • step 3. Enter the DRM encryption information obtained from the CPIX API response to the solution integrated with various third-party encoder/transcoder/packager solutions to apply the DRM encryption packaging.

    CPIX API request example

    POST /v1/cpix/pallycon/getKey/{kmsToken}
    HOST: kms.pallycon.com
    Content-Type: application/json
    x-ncp-apigw-timestamp:1521787414578
    x-ncp-iam-access-key:6uxz1nKkcYwUjWRG5Q1V7NsW0i5jErlu2NjBXXgy
    x-ncp-apigw-signature-v2:iJFK773KH0WwQ79PasqJ+ZGixtpDQ/abS57WGQdld2M=
    x-ncp-region_code:KR
    

    Request body

    /* step 1. vod dash content request xml */
    <?xml version="1.0" encoding="UTF-8"?>
    <cpix:CPIX id="your-content-id" xmlns:cpix="urn:dashif:org:cpix" xmlns:pskc="urn:ietf:params:xml:ns:keyprov:pskc" xmlns:speke="urn:aws:amazon:com:speke">
      <cpix:ContentKeyList>
          <cpix:ContentKey kid="681e5b39-49f2-4dfa-b744-86573c22e6fb"></cpix:ContentKey>
      </cpix:ContentKeyList>
      <cpix:DRMSystemList>
          <!-- Common encryption / MSS (Playready) -->
          <cpix:DRMSystem kid="681e5b39-49f2-4dfa-b744-86573c22e6fb" systemId="9a04f079-9840-4286-ab92-e65be0885f95" />
          <!-- Common encryption (Widevine)-->
          <cpix:DRMSystem kid="681e5b39-49f2-4dfa-b744-86573c22e6fb" systemId="edef8ba9-79d6-4ace-a3c8-27dcd51d21ed" />
      </cpix:DRMSystemList>
    </cpix:CPIX>
    

    Response example

    /* step 2. vod dash content response xml */
    <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
    <cpix:CPIX id="cpix-test-cid" xmlns:cpix="urn:dashif:org:cpix" xmlns:speke="urn:aws:amazon:com:speke" xmlns:pskc="urn:ietf:params:xml:ns:keyprov:pskc" >
       <cpix:ContentKeyList>
           <cpix:ContentKey explicitIV="MDEyMzQ1Njc4OWFiY2RlZg==" kid="12ea753c-23e7-bc02-4474-b2b976c43beb">
               <cpix:Data>
                   <pskc:Secret>
                       <pskc:PlainValue>SzC1qc1cEpyFU6t/lL7Byw==</pskc:PlainValue>
                   </pskc:Secret>
               </cpix:Data>
           </cpix:ContentKey>
       </cpix:ContentKeyList>
       <cpix:DRMSystemList>
           <!-- Common encryption / MSS (Playready) -->
           <cpix:DRMSystem kid="12ea753c-23e7-bc02-4474-b2b976c43beb" systemId="9a04f079-9840-4286-ab92-e65be0885f95">
                <cpix:ContentProtectionData>qAUAAAEAAQCeB...A=</cpix:ContentProtectionData><!-- added to V2-->
               <cpix:PSSH>AAACwnBzc2gAAAAAmgTweZhAQoarkuZb4IhflQAAAqKiAgAAAQABAJgCPABXAFIATQBIAEUAQQBEAEUAUgAgAHgAbQBsAG4AcwA9ACIAaAB0AHQAcAA6AC8ALwBzAGMAaABlAG0AYQBzAC4AbQBpAGMAcgBvAHMAbwBmAHQALgBjAG8AbQAvAEQAUgBNAC8AMgAwADAANwAvADAAMwAvAFAAbABhAHkAUgBlAGEAZAB5AEgAZQBhAGQAZQByACIAIAB2AGUAcgBzAGkAbwBuAD0AIgA0AC4AMAAuADAALgAwACIAPgA8AEQAQQBUAEEAPgA8AFAAUgBPAFQARQBDAFQASQBOAEYATwA+ADwASwBFAFkATABFAE4APgAxADYAPAAvAEsARQBZAEwARQBOAD4APABBAEwARwBJAEQAPgBBAEUAUwBDAFQAUgA8AC8AQQBMAEcASQBEAD4APAAvAFAAUgBPAFQARQBDAFQASQBOAEYATwA+ADwASwBJAEQAPgBQAEgAWABxAEUAdQBjAGoAQQByAHgARQBkAEwASwA1AGQAcwBRADcANgB3AD0APQA8AC8ASwBJAEQAPgA8AEMASABFAEMASwBTAFUATQA+AC8ARgA3AEIAMQBmAEgAMgBlADAAYwA9ADwALwBDAEgARQBDAEsAUwBVAE0APgA8AEwAQQBfAFUAUgBMAD4AaAB0AHQAcABzADoALwAvAHQAZQBzAHQAdABvAGsAeQBvAC4AcABhAGwAbAB5AGMAbwBuAC4AYwBvAG0ALwByAGkALwBwAGwAYQB5AHIAZQBhAGQAeQAvAGwAaQBjAGUAbgBzAGUATQBhAG4AYQBnAGUAcgAuAGQAbwA8AC8ATABBAF8AVQBSAEwAPgA8AC8ARABBAFQAQQA+ADwALwBXAFIATQBIAEUAQQBEAEUAUgA+AA==</cpix:PSSH>
           </cpix:DRMSystem>
           <!-- Common encryption (Widevine)-->
           <cpix:DRMSystem kid="12ea753c-23e7-bc02-4474-b2b976c43beb" systemId="edef8ba9-79d6-4ace-a3c8-27dcd51d21ed">
                <cpix:ContentProtectionData>qAUAAAEAAQCeB...A=</cpix:ContentProtectionData><!-- added to V2-->
               <cpix:PSSH>AAAAVXBzc2gAAAAA7e+LqXnWSs6jyCfc1R0h7QAAADUIARIQEup1PCPnvAJEdLK5dsQ76xoMaW5rYWVudHdvcmtzIg1jcGl4LXRlc3QtY2lkKgJIRA==</cpix:PSSH>
           </cpix:DRMSystem>
       </cpix:DRMSystemList>
    </cpix:CPIX>
    
    Note

    <cpix:CPIX id="">: the CID value entered in the request data is returned.
    <cpix:ContentKey>: the key value for the content encryption (<pskc:PlainValue>), IV(explicitIV), and the kid value for the key are returned. The kid value is applied with the value newly generated in KMS regardless of the value entered to the request data. The key and IV are returned in Base64 encoding format.
    <cpix:DRMSystem>: The PSSH data for the DRM of both PlayReady and Widevine are returned. The <cpix:PSSH> tag displays the default PSSH value, and the <cpix:ContentProtectionData> tag displays the PSSH data with the header section removed.


    Was this article helpful?

    What's Next
    Changing your password will log you out immediately. Use the new password to log back in.
    First name must have atleast 2 characters. Numbers and special characters are not allowed.
    Last name must have atleast 1 characters. Numbers and special characters are not allowed.
    Enter a valid email
    Enter a valid password
    Your profile has been successfully updated.