Encrypt DRM content

Prev Next

One Click Multi DRM supports the ability to encrypt DRM content using CPIX-based APIs, including Live Station.

Note
  • The CPIX API is an API implemented according to the Content Protection Information Exchange Format (CPIX) standard guide defined by the DASH Industry Forum, which defines the specifications for integrating keys required for applying multi-DRM during the packaging process of media content.
  • The API allows easy integration of DoveRunner (formerly PallyCon) multi-DRM with encoder/transcoder solutions that support CPIX-based key integration.
  • After creating a site, you must activate the site before you can issue a license.
  • One Click Multi DRM supports easy integration with NAVER Cloud Live Station. For more information on integration, see the Live Station DRM application guide.

Apply content encryption for One Click Multi DRM utilization

Type Path Description
DoveRunner (formerly PallyCon) CPIX API [Go to DoveRunner (formerly PallyCon) CPIX client guide] (https://github.com/inka-pallycon/pallycon-cpix-api-client){target=_blank } This CPIX API is implemented by DoveRunner (formerly PallyCon), and can be used by encoder/transcoder solution providers to integrate with DoveRunner (formerly PallyCon) Multi DRM. DoveRunner (formerly PallyCon) CPIX API is applied for integration with Flussonic Media Server.
SPEKE API Go to SPEKE guide{target=_blank} This CPIX API, implemented by AWS Elemental, is pre-integrated with DoveRunner (formerly PallyCon) to easily apply DoveRunner (formerly PallyCon) multi-DRM to MediaPackage or MediaConvert products of AWS Elemental Media Services. For more information on SPEKE API integration, see the guide.
ATEME NEA-DVR CPIX API Go to guide This CPIX API, implemented by Anevia (acquired by ATEME), is pre-integrated with the NEA-DVR solution and can easily apply DoveRunner (formerly PallyCon) multi-DRM.
Note
  • The DoveRunner (formerly PallyCon) CPIX API client provides pre-implemented CPIX client modules for each major development language.
  • This module implements the features of creating XML-compliant request data and interpreting response data for communication with the KMS server.

Supported specifications for DoveRunner (formerly PallyCon) CPIX API

Currently, the DoveRunner (formerly PallyCon) CPIX API client supports the following specifications.

Category Support specifications Description
Development language C++, C#, Java, Python Sample for each language according to the development environment for DRM packaging integration
DRM type Widevine, PlayReady, FairPlay, NCG, HLS_NCG - cNCG: It is used to encrypt all files to be packaged with NCG, the proprietary DRM of DoveRunner (formerly PallyCon).
- HLS_NCG: It is a method of encrypting the key of AES-128 encrypted HLS content with NCG.
Encryption method CENC, CBC1, CENS, CBCS Specify CENC or CBCS, depending on the AES encryption method supported by the client platform.
Track type ALL_TRACKS, AUDIO, SD, HD, UHD1, UHD2 It is used to apply different encryption keys for each track when packaging multiple keys.

Only two encryption methods are used for multi-DRM content:
CBCS and AES-CBC (AES-CBC with subsample).
CENC is used for DASH content packaging that supports PlayReady and Widevine DRM, and CBCS encryption must be applied when HLS or CMAF packaging requires FairPlay support.

| Encryption method | Protocol | DRM type | Encryption algorithm | Supported devices |
|--- |--- |--- |--- |--- |
| DRM | HLS | FairPlay | AES-CBC | Mac/iOS Safari browser, iOS/iPadOS/tvOS app, HLS HTML5 |
| DRM | DASH | PlayReady, Widevine | CENC (Common Encryption) | MS Edge, Internet Explorer 11, Google Chrome, Firefox, Opera DASH HTML5 |

One Click Multi DRM utilization flow

  • Step 1. Prepare encrypted DRM content.
  • Step 2. Request One Click Multi DRM license issuance from the client by referring to the encrypted DRM content settings (contentId, drmType, etc.).
  • Step 3. Play the DRM content on the client (player).
Caution

A license with playback/security detailed rules applied according to the "Policy" in use on the One Click Multi DRM site is issued.
If the requested license information and the encrypted DRM content information do not match, playback will not be seamless.

DRM content encryption

This section introduces the encryption method for preparing DRM content.
To encrypt DRM content, you must first create a Multi DRM site through the NAVER Cloud Platform console or API. For more information on the DoveRunner (formerly PallyCon) CPIX client, see the Guide.

Live content DRM encryption

  1. When using Live Station
    • Step 1. Create a site using One Click Multi DRM.
    • Step 2. Select the created site in Live Station > DRM settings to create a channel for Multi DRM encryption.
  2. If Live Station is not used
    • Step 1. Add the KMS token obtained through the One Click Multi DRM site details to the API-specific key request URL, such as the DoveRunner (formerly PallyCon) CPIX API or SPEKE API, for content DRM encryption.
    • Step 2. Obtain the encryption data for content encryption through the issued CPIX JSON response.
    • Step 3. Enter the DRM encryption information obtained from the CPIX API response into various third-party encoder/transcoder/packager solution integration solutions.

Note. DRM encryption information obtained from the CPIX API response

Field name Description
key_id_hex, key_id_b64, key_hex, key_b64, iv_hex, iv_b64 They represent the key ID, key, and IV values in hexadecimal or Base64 format, respectively.
pssh This is PSSH data used in PlayReady or Widevine (including header).
pssh_payload_only This is the payload part with the header removed from the PSSH data.
key_uri This is the URI parameter value included in the #EXT-X-Key tag of the HLS m3u8 file with FairPlay DRM applied.

VOD content DRM encryption

Note
  • DRM encryption through VOD Station supports only CPIX v1.
  • We plan to support easy DRM integration with One Click Multi DRM product and VOD Station during 2024.
  1. When using VOD Station
    • Step 1. Create a VOD Station channel for Multi DRM encryption.
    • Step 2. When creating a channel, enter the required values for VOD Station DRM encryption settings.
      • Content ID: The unique ID of DRM packaged content. It is the content ID to be included in the XML body when sending CPIX API requests.
      • DRM system ID: The unique ID of a DRM system. It is the system ID to be included in the XML body when sending CPIX API requests. 1 or 2 system IDs have to be included according to the selected encryption settings. Enter one ID per line.
        • Example: 9A04F079-9840-4286-AB92-E65BE0885F95, EDEF8BA9-79D6-4ACE-A3C8-27DCD51D21ED
      • DRM key URL: It is the CPIX API request URL. Enter the kmsToken obtained from the Multi DRM site into the path.
        • Example: https://kms.pallycon.com/v1/cpix/pallycon/getKey/{kmsToken}
  2. If VOD Station is not used
    • Step 1. Add the KMS token obtained through the One Click Multi DRM site details to the API-specific key request URL, such as the DoveRunner (formerly PallyCon) CPIX API or SPEKE API, for content DRM encryption.
    • Step 2. Obtain the encryption data for content encryption through the issued CPIX JSON response.
    • Step 3. Enter the DRM encryption information obtained from the CPIX API response into various third-party encoder/transcoder/packager solution linkage solutions to apply DRM encryption packaging.

CPIX API request example

POST /v1/cpix/pallycon/getKey/{kmsToken}
HOST: kms.pallycon.com
Content-Type: application/json
x-ncp-apigw-timestamp:1521787414578
x-ncp-iam-access-key:6uxz1nKkcYwUjWRG5Q1V7NsW0i5jErlu2NjBXXgy
x-ncp-apigw-signature-v2:iJFK773KH0WwQ79PasqJ+ZGixtpDQ/abS57WGQdld2M=
x-ncp-region_code:KR

Request body

/* step 1. vod dash content request xml */
<?xml version="1.0" encoding="UTF-8"?>
<cpix:CPIX id="your-content-id" xmlns:cpix="urn:dashif:org:cpix" xmlns:pskc="urn:ietf:params:xml:ns:keyprov:pskc" xmlns:speke="urn:aws:amazon:com:speke">
  <cpix:ContentKeyList>
      <cpix:ContentKey kid="681e5b39-49f2-4dfa-b744-86573c22e6fb"></cpix:ContentKey>
  </cpix:ContentKeyList>
  <cpix:DRMSystemList>
      <!-- Common encryption / MSS (Playready) -->
      <cpix:DRMSystem kid="681e5b39-49f2-4dfa-b744-86573c22e6fb" systemId="9a04f079-9840-4286-ab92-e65be0885f95" />
      <!-- Common encryption (Widevine)-->
      <cpix:DRMSystem kid="681e5b39-49f2-4dfa-b744-86573c22e6fb" systemId="edef8ba9-79d6-4ace-a3c8-27dcd51d21ed" />
  </cpix:DRMSystemList>
</cpix:CPIX>

Response example

/* step 2. vod dash content response xml */
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<cpix:CPIX id="cpix-test-cid" xmlns:cpix="urn:dashif:org:cpix" xmlns:speke="urn:aws:amazon:com:speke" xmlns:pskc="urn:ietf:params:xml:ns:keyprov:pskc" >
   <cpix:ContentKeyList>
       <cpix:ContentKey explicitIV="MDEyMzQ1Njc4OWFiY2RlZg==" kid="12ea753c-23e7-bc02-4474-b2b976c43beb">
           <cpix:Data>
               <pskc:Secret>
                   <pskc:PlainValue>SzC1qc1cEpyFU6t/lL7Byw==</pskc:PlainValue>
               </pskc:Secret>
           </cpix:Data>
       </cpix:ContentKey>
   </cpix:ContentKeyList>
   <cpix:DRMSystemList>
       <!-- Common encryption / MSS (Playready) -->
       <cpix:DRMSystem kid="12ea753c-23e7-bc02-4474-b2b976c43beb" systemId="9a04f079-9840-4286-ab92-e65be0885f95">
            <cpix:ContentProtectionData>qAUAAAEAAQCeB...A=</cpix:ContentProtectionData><!-- Added in V2 -->
           <cpix:PSSH>AAACwnBzc2gAAAAAmgTweZhAQoarkuZb4IhflQAAAqKiAgAAAQABAJgCPABXAFIATQBIAEUAQQBEAEUAUgAgAHgAbQBsAG4AcwA9ACIAaAB0AHQAcAA6AC8ALwBzAGMAaABlAG0AYQBzAC4AbQBpAGMAcgBvAHMAbwBmAHQALgBjAG8AbQAvAEQAUgBNAC8AMgAwADAANwAvADAAMwAvAFAAbABhAHkAUgBlAGEAZAB5AEgAZQBhAGQAZQByACIAIAB2AGUAcgBzAGkAbwBuAD0AIgA0AC4AMAAuADAALgAwACIAPgA8AEQAQQBUAEEAPgA8AFAAUgBPAFQARQBDAFQASQBOAEYATwA+ADwASwBFAFkATABFAE4APgAxADYAPAAvAEsARQBZAEwARQBOAD4APABBAEwARwBJAEQAPgBBAEUAUwBDAFQAUgA8AC8AQQBMAEcASQBEAD4APAAvAFAAUgBPAFQARQBDAFQASQBOAEYATwA+ADwASwBJAEQAPgBQAEgAWABxAEUAdQBjAGoAQQByAHgARQBkAEwASwA1AGQAcwBRADcANgB3AD0APQA8AC8ASwBJAEQAPgA8AEMASABFAEMASwBTAFUATQA+AC8ARgA3AEIAMQBmAEgAMgBlADAAYwA9ADwALwBDAEgARQBDAEsAUwBVAE0APgA8AEwAQQBfAFUAUgBMAD4AaAB0AHQAcABzADoALwAvAHQAZQBzAHQAdABvAGsAeQBvAC4AcABhAGwAbAB5AGMAbwBuAC4AYwBvAG0ALwByAGkALwBwAGwAYQB5AHIAZQBhAGQAeQAvAGwAaQBjAGUAbgBzAGUATQBhAG4AYQBnAGUAcgAuAGQAbwA8AC8ATABBAF8AVQBSAEwAPgA8AC8ARABBAFQAQQA+ADwALwBXAFIATQBIAEUAQQBEAEUAUgA+AA==</cpix:PSSH>
       </cpix:DRMSystem>
       <!-- Common encryption (Widevine)-->
       <cpix:DRMSystem kid="12ea753c-23e7-bc02-4474-b2b976c43beb" systemId="edef8ba9-79d6-4ace-a3c8-27dcd51d21ed">
            <cpix:ContentProtectionData>qAUAAAEAAQCeB...A=</cpix:ContentProtectionData><!-- Added in V2 -->
           <cpix:PSSH>AAAAVXBzc2gAAAAA7e+LqXnWSs6jyCfc1R0h7QAAADUIARIQEup1PCPnvAJEdLK5dsQ76xoMaW5rYWVudHdvcmtzIg1jcGl4LXRlc3QtY2lkKgJIRA==</cpix:PSSH>
       </cpix:DRMSystem>
   </cpix:DRMSystemList>
</cpix:CPIX>
Note

<cpix:CPIX id="">: The CID value entered in the request data is returned.
<cpix:ContentKey>: The key value (<pskc:PlainValue>) to be used for content encryption, IV(explicitIV), and kid value for that key are returned. The kid value is applied as a new value generated by KMS regardless of the value entered in the request data, and the key and IV are returned in Base64-encoded form.
<cpix:DRMSystem>: PSSH data for each DRM, PlayReady and Widevine, is returned. The <cpix:PSSH> tag displays the default PSSH value, and the <cpix:ContentProtectionData> tag displays the PSSH data with the header part removed.