Encrypt DRM content


Available in Classic and VPC

You can apply DRM encryption to content via the CPIX API. The CPIX API implements the Content Protection Information Exchange Format (CPIX) standard defined by the DASH Industry Forum, which defines the key interoperability specifications required for applying multi-DRM during the media content packaging process. Using the CPIX API, you can easily integrate encoder/transcoder solutions that support CPIX-based key interoperability with DoveRunner (formerly PallyCon) multi-DRM.

Note

For more information on integrating the Live Station service, see Create Live Station channel.

CPIX API-based DRM content encryption

The following describes how to apply DRM content encryption using the CPIX API.

Type | Path | Description
DoveRunner CPIX API | DoveRunner CPIX API integration guide | CPIX API implemented by DoveRunner (formerly PallyCon), enabling multi-DRM application when integrated with encoder/transcoder solutions. Also utilized for integration with Flussonic Media Server.
SPEKE API | SPEKE guide | CPIX API implemented by AWS Elemental, pre-integrated with DoveRunner to enable multi-DRM application in AWS Elemental MediaPackage and MediaConvert
ATEME NEA-DVR CPIX API | ATEME NEA-DVR guide | CPIX API implemented by Anevia (now acquired by ATEME), pre-integrated with the NEA-DVR solution for multi-DRM application
Note
  • The DoveRunner (formerly PallyCon) CPIX API client provides pre-implemented CPIX client modules for each major development language.
  • Each module generates XML-formatted request data for communication with the KMS server and provides a feature to interpret response data.

DoveRunner CPIX API specifications

The DoveRunner (formerly PallyCon) CPIX API client supports the following specifications.

Item | Specification | Description
Development language | C++, C#, Java, Python | Sample code for each language according to the development environment for DRM packaging integration
DRM type | Widevine, PlayReady, FairPlay, NCG, HLS_NCG | NCG: DoveRunner's proprietary DRM specification, used when encrypting the entire target file for packaging; HLS_NCG: Method for re-encrypting the key of HLS content encrypted with AES-128 according to the NCG specification
Encryption method | CENC, CBC1, CENS, CBCS | Specify CENC or CBCS, depending on the AES encryption method supported by the client platform.
Track type | ALL_TRACKS, AUDIO, SD, HD, UHD1, UHD2 | Use to apply different encryption keys for each track when packaging multiple keys.

Multi-DRM encryption type

The following describes the encryption methods for DRM content.

Encryption method | Protocol | DRM type | Encryption algorithm | Supported devices
DRM | HLS | FairPlay: DRM technology specification provided by Apple that encrypts each HLS segment with AES-CBC | AES-CBC | Mac/iOS Safari browser, iOS/iPadOS/tvOS app, HLS HTML5
DRM | DASH | PlayReady: DRM technology provided by Microsoft, encrypted with AES-128 in accordance with the Common Encryption specification; Widevine: DRM technology provided by Google, encrypted with AES-128 in accordance with the Common Encryption specification | CENC (Common Encryption) | MS Edge, IE11, Chrome, Firefox, Opera DASH HTML5

One Click Multi DRM scenario

The following describes a usage scenario for the One Click Multi DRM service.

  1. Encrypt DRM content.
  2. Request a DRM license from the client (player). The request requires content configuration information such as contentId and drmType.
  3. Play the DRM content using the license issued to the client.
Caution

The One Click Multi DRM service issues licenses with playback and security rules applied according to the policies set on the site. Therefore, if the requested license information does not match the encrypted DRM content information, playback may be restricted or fail.

Live content DRM encryption

The following describes how to apply DRM encryption to live content.

When using Live Station

The following describes how to apply DRM encryption to live content when using Live Station.

  1. Create a site using One Click Multi DRM.
  2. Create a channel in the Live Station > Channel Management menu.
    • When creating, select the site created in Step 1 under the Multi DRM field.

When not using Live Station

The following describes how to apply DRM encryption to live content when not using Live Station.

  1. Call the content DRM encryption API by combining the following items.
    • URL: API-specific key request URL (e.g., DoveRunner (formerly PallyCon) CPIX API or SPEKE API)
    • Additional URI: KMS token obtained via the One Click Multi DRM site details
  2. Obtain the encryption data for content encryption via the API response.
  3. Apply the obtained DRM encryption information to a third-party encoder/transcoder/packager integration solution.
Note

The following describes the DRM encryption information obtained from the CPIX API response.

Field | Description
key_id_hex, key_id_b64, key_hex, key_b64, iv_hex, iv_b64 | Hexadecimal or Base64-encoded key ID, key, and IV values
pssh | PSSH data (including headers) used by PlayReady or Widevine
pssh_payload_only | Payload portion of PSSH data, excluding headers
key_uri | URI parameter value contained in the #EXT-X-KEY tag of an HLS m3u8 file with FairPlay DRM applied

VOD content DRM encryption

The following describes how to apply DRM encryption to VOD content.

When using VOD Station

The following describes how to apply DRM encryption to VOD content when using VOD Station.

  1. Create a site using One Click Multi DRM.
    • When using an external DRM service, you can skip this step.
  2. Create a channel in the VOD Station > Channel menu.
    • When creating, apply one of the following to the Multi DRM field.
      • One Click Multi DRM
        • DRM site: Select an enabled DRM site.
        • Content ID: Unique identifier of the content to be played (used during DRM packaging)
          • Example: drm-contents
      • External DRM
        • DRM type: Select the DRM type to use.
        • Content ID: Unique identifier of the content to be played (included in the CPIX API request body (XML))
          • Example: drm-contents
        • DRM system ID: Unique identifier of the DRM system (included in the CPIX API request body (XML))
          • Depending on the selected DRM type, one or two system IDs are required. Make sure to enter each on a separate line.
          • Example: 9A04F079-9840-4286-AB92-E65BE0885F95, EDEF8BA9-79D6-4ACE-A3C8-27DCD51D21ED
        • DRM key URL: CPIX API request URL
          • Enter according to the DRM provider's encryption key request format.
          • Example: https://kms.example.com/cpix/v1/key/ujllldopmquy==
Caution

DRM encryption through VOD Station supports only CPIX v1.

When not using VOD Station

The following describes how to apply DRM encryption to VOD content when not using VOD Station.

  1. Call the content DRM encryption API by combining the following items.
    • URL: API-specific key request URL (e.g., DoveRunner (formerly PallyCon) CPIX API or SPEKE API)
    • Additional URI: KMS token obtained via the One Click Multi DRM site details
  2. Obtain the encryption data for content encryption via the API response.
  3. Apply the obtained DRM encryption information to a third-party encoder/transcoder/packager integration solution.

Request

The following describes the request format using the DoveRunner (formerly PallyCon) CPIX API.

  • Request URL
    • POST https://kms.pallycon.com/v1/cpix/pallycon/getKey/{kmsToken}
  • Request headers
  • Request body
    Field | Type | Required | Description
    cpix:CPIX | Object | Required | Root element of the CPIX document containing content keys and DRM system information
    cpix:ContentKeyList | Object | Required | Container element defining the list of content keys
     └ cpix:ContentKey | Object | Required | Individual content key information with the kid (key ID) attribute
    cpix:DRMSystemList | Object | Required | Container element defining the list of DRM systems
     └ cpix:DRMSystem | Object | Required | Information for each DRM system with kid (key ID) and systemId (DRM system identifier) attributes
  • Request example
    curl --location --request POST 'https://kms.pallycon.com/v1/cpix/pallycon/getKey/{kmsToken}' \
    --header 'x-ncp-apigw-timestamp: {Timestamp}' \
    --header 'x-ncp-iam-access-key: {Access Key}' \
    --header 'x-ncp-apigw-signature-v2: {API Gateway Signature}' \
    --header 'Content-Type: application/xml' \
    --header 'x-ncp-region_code: KR' \
    --data '<?xml version="1.0" encoding="UTF-8"?>
    <cpix:CPIX id="your-content-id" xmlns:cpix="urn:dashif:org:cpix" xmlns:pskc="urn:ietf:params:xml:ns:keyprov:pskc" xmlns:speke="urn:aws:amazon:com:speke">
      <cpix:ContentKeyList>
          <cpix:ContentKey kid="681e5b39-49f2-4dfa-b744-86573c22e6fb"></cpix:ContentKey>
      </cpix:ContentKeyList>
      <cpix:DRMSystemList>
          <!-- Common encryption / MSS (Playready) -->
          <cpix:DRMSystem kid="681e5b39-49f2-4dfa-b744-86573c22e6fb" systemId="9a04f079-9840-4286-ab92-e65be0885f95" />
          <!-- Common encryption (Widevine)-->
          <cpix:DRMSystem kid="681e5b39-49f2-4dfa-b744-86573c22e6fb" systemId="edef8ba9-79d6-4ace-a3c8-27dcd51d21ed" />
      </cpix:DRMSystemList>
    </cpix:CPIX>'
    

Response

The following describes the response format using the DoveRunner (formerly PallyCon) CPIX API.

  • Response body
    Field | Type | Required | Description
    cpix:CPIX | Object | - | Root element of the CPIX document containing content ID (CID) keys and DRM system information
    cpix:ContentKeyList | Object | - | Container element defining the list of content keys
     └ cpix:ContentKey | Object | - | Individual content key information with kid (key ID) and explicitIV (initialization vector) attributes
       • The kid value is newly generated from KMS, separate from the value entered in the request data. The key and IV are returned in Base64 form.
      └ cpix:Data | Object | - | Element containing the content key data
       └ pskc:Secret | Object | - | Element containing the secret data of the content key
        └ pskc:PlainValue | String | - | Base64-encoded content key value
    cpix:DRMSystemList | Object | - | Container element defining the list of DRM systems
     └ cpix:DRMSystem | Object | - | Information for each DRM system with kid (key ID) and systemId (DRM system identifier) attributes
      └ cpix:ContentProtectionData | String | - | Payload portion of Base64-encoded PSSH data with header removed
      └ cpix:PSSH | String | - | Base64-encoded PSSH data (including header)
  • Response example
    <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
    <cpix:CPIX id="cpix-test-cid" xmlns:cpix="urn:dashif:org:cpix" xmlns:speke="urn:aws:amazon:com:speke" xmlns:pskc="urn:ietf:params:xml:ns:keyprov:pskc" >
      <cpix:ContentKeyList>
          <cpix:ContentKey explicitIV="MDEyMzQ1Njc4OWFiY2RlZg==" kid="12ea753c-23e7-bc02-4474-b2b976c43beb">
              <cpix:Data>
                  <pskc:Secret>
                      <pskc:PlainValue>SzC1qc1cEpyFU6t/lL7Byw==</pskc:PlainValue>
                  </pskc:Secret>
              </cpix:Data>
          </cpix:ContentKey>
      </cpix:ContentKeyList>
      <cpix:DRMSystemList>
          <!-- Common encryption / MSS (Playready) -->
          <cpix:DRMSystem kid="12ea753c-23e7-bc02-4474-b2b976c43beb" systemId="9a04f079-9840-4286-ab92-e65be0885f95">
                <cpix:ContentProtectionData>qAUAAAEAAQCeB...A=</cpix:ContentProtectionData><!-- Added in V2 -->
              <cpix:PSSH>AAACwnBzc2gAAAAAmgTweZhAQoarkuZb4IhflQAAAqKiAgAAAQABAJgCPABXAFIATQBIAEUAQQBEAEUAUgAgAHgAbQBsAG4AcwA9ACIAaAB0AHQAcAA6AC8ALwBzAGMAaABlAG0AYQBzAC4AbQBpAGMAcgBvAHMAbwBmAHQALgBjAG8AbQAvAEQAUgBNAC8AMgAwADAANwAvADAAMwAvAFAAbABhAHkAUgBlAGEAZAB5AEgAZQBhAGQAZQByACIAIAB2AGUAcgBzAGkAbwBuAD0AIgA0AC4AMAAuADAALgAwACIAPgA8AEQAQQBUAEEAPgA8AFAAUgBPAFQARQBDAFQASQBOAEYATwA+ADwASwBFAFkATABFAE4APgAxADYAPAAvAEsARQBZAEwARQBOAD4APABBAEwARwBJAEQAPgBBAEUAUwBDAFQAUgA8AC8AQQBMAEcASQBEAD4APAAvAFAAUgBPAFQARQBDAFQASQBOAEYATwA+ADwASwBJAEQAPgBQAEgAWABxAEUAdQBjAGoAQQByAHgARQBkAEwASwA1AGQAcwBRADcANgB3AD0APQA8AC8ASwBJAEQAPgA8AEMASABFAEMASwBTAFUATQA+AC8ARgA3AEIAMQBmAEgAMgBlADAAYwA9ADwALwBDAEgARQBDAEsAUwBVAE0APgA8AEwAQQBfAFUAUgBMAD4AaAB0AHQAcABzADoALwAvAHQAZQBzAHQAdABvAGsAeQBvAC4AcABhAGwAbAB5AGMAbwBuAC4AYwBvAG0ALwByAGkALwBwAGwAYQB5AHIAZQBhAGQAeQAvAGwAaQBjAGUAbgBzAGUATQBhAG4AYQBnAGUAcgAuAGQAbwA8AC8ATABBAF8AVQBSAEwAPgA8AC8ARABBAFQAQQA+ADwALwBXAFIATQBIAEUAQQBEAEUAUgA+AA==</cpix:PSSH>
          </cpix:DRMSystem>
          <!-- Common encryption (Widevine)-->
          <cpix:DRMSystem kid="12ea753c-23e7-bc02-4474-b2b976c43beb" systemId="edef8ba9-79d6-4ace-a3c8-27dcd51d21ed">
                <cpix:ContentProtectionData>qAUAAAEAAQCeB...A=</cpix:ContentProtectionData><!-- Added in V2 -->
              <cpix:PSSH>AAAAVXBzc2gAAAAA7e+LqXnWSs6jyCfc1R0h7QAAADUIARIQEup1PCPnvAJEdLK5dsQ76xoMaW5rYWVudHdvcmtzIg1jcGl4LXRlc3QtY2lkKgJIRA==</cpix:PSSH>
          </cpix:DRMSystem>
      </cpix:DRMSystemList>
    </cpix:CPIX>
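
The response handling described above, as an added example (not DoveRunner or NAVER Cloud code): a Python parser that takes the kid, key and IV from the response rather than from the request, and checks that every cpix:PSSH box is well-formed and carries the same system ID as its systemId attribute before the values go to a packager. The sample XML is constructed from the Widevine entry of the response example; the function names and the 16-byte length checks are assumptions of this example.

```python
import base64
import uuid
import xml.etree.ElementTree as ET

NS = {"cpix": "urn:dashif:org:cpix", "pskc": "urn:ietf:params:xml:ns:keyprov:pskc"}
# Constructed sample: the Widevine part of the response example on this page.
SAMPLE = """<cpix:CPIX id="cpix-test-cid" xmlns:cpix="urn:dashif:org:cpix" xmlns:pskc="urn:ietf:params:xml:ns:keyprov:pskc">
 <cpix:ContentKeyList>
  <cpix:ContentKey explicitIV="MDEyMzQ1Njc4OWFiY2RlZg==" kid="12ea753c-23e7-bc02-4474-b2b976c43beb">
   <cpix:Data><pskc:Secret><pskc:PlainValue>SzC1qc1cEpyFU6t/lL7Byw==</pskc:PlainValue></pskc:Secret></cpix:Data>
  </cpix:ContentKey>
 </cpix:ContentKeyList>
 <cpix:DRMSystemList>
  <cpix:DRMSystem kid="12ea753c-23e7-bc02-4474-b2b976c43beb" systemId="edef8ba9-79d6-4ace-a3c8-27dcd51d21ed">
   <cpix:PSSH>AAAAVXBzc2gAAAAA7e+LqXnWSs6jyCfc1R0h7QAAADUIARIQEup1PCPnvAJEdLK5dsQ76xoMaW5rYWVudHdvcmtzIg1jcGl4LXRlc3QtY2lkKgJIRA==</cpix:PSSH>
  </cpix:DRMSystem>
 </cpix:DRMSystemList>
</cpix:CPIX>"""

def pssh_payload(pssh_b64, system_id):
    """Check the pssh box framing and system ID; return the payload without headers."""
    box = base64.b64decode(pssh_b64, validate=True)
    if len(box) < 32 or int.from_bytes(box[:4], "big") != len(box) or box[4:8] != b"pssh":
        raise ValueError("malformed pssh box")
    if uuid.UUID(bytes=box[12:28]) != uuid.UUID(system_id):
        raise ValueError("pssh system ID does not match the systemId attribute")
    # Version 0: data size follows the system ID. Version 1: a KID list comes first.
    pos = 28 if box[8] == 0 else 32 + 16 * int.from_bytes(box[28:32], "big")
    payload = box[pos + 4:]
    if pos + 4 > len(box) or int.from_bytes(box[pos:pos + 4], "big") != len(payload):
        raise ValueError("pssh data size mismatch")
    return payload

def parse_cpix(xml_text):
    """Return {kid: {"key", "iv", "pssh_payload"}}; raise ValueError on any inconsistency."""
    root = ET.fromstring(xml_text)
    keys = {}
    for ck in root.findall("cpix:ContentKeyList/cpix:ContentKey", NS):
        kid = str(uuid.UUID(ck.get("kid", "")))  # the KMS-issued kid, not the request's
        secret = ck.findtext("cpix:Data/pskc:Secret/pskc:PlainValue", "", NS)
        key, iv = (base64.b64decode(v, validate=True) for v in (secret, ck.get("explicitIV", "")))
        if len(key) != 16 or len(iv) != 16:  # assumption: AES-128 key with 16-byte IV
            raise ValueError(f"kid {kid}: key and IV must be 16 bytes")
        keys[kid] = {"key": key, "iv": iv, "pssh_payload": {}}
    for ds in root.findall("cpix:DRMSystemList/cpix:DRMSystem", NS):
        kid, system_id = str(uuid.UUID(ds.get("kid", ""))), ds.get("systemId", "").lower()
        if kid not in keys:
            raise ValueError(f"DRMSystem references unknown kid {kid}")
        keys[kid]["pssh_payload"][system_id] = pssh_payload(ds.findtext("cpix:PSSH", "", NS), system_id)
    return keys
```

The returned key bytes are the content key itself; keep them out of logs and pass them only to the packager.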