Secure Packager and Encoder Key Exchange (SPEKE) Open API Specification for Encoders, Transcoders, Packagers, and DRM Platforms Lionel Bringuier – Director.

Slides:



Advertisements
Similar presentations
Integrated Part of the Windows Media Ecosystem Rich Video as a 1 st class citizen Flexible Branded experiences Multiple delivery methods Monetized Helps.
Advertisements

What is Microsoft Azure Media Services Architecture and Features Video-on-demand service Basic media workflow Dynamic packaging Secure delivery Live Streaming.
| Basel Discovering Windows Azure Mobile Services and Media Services Ken Casada
* Who we are? * Animation Industry, Challenges… * What is Render Cloud Farm? * Render Cloud Farm for Whom? * Scope of Blender? * Types of Rendering farms.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
35% of Internet traffic is video today, by % Growing at ~50% CAGR TV IP Delivery ~50 million internet connected TVs sold this year 150M+ video.
 What is Windows Azure Media Services  Architecture and Features  SDK and REST API.
Bizfss File Sync and Sharing Solution, Built on Microsoft Azure, Allows Businesses to Sync, Share, Back Up Using Their Own Cloud Storage MICROSOFT AZURE.
CloudBerry Explorer for S3. CB Explorer Free to use Browse and manage files PowerShell functions Open and edit files  CloudBerry Explorer is an easy.
Flix Premiere Web App Product Development Architecture Prepared by Alexander Adu-Sarkodie Flix Premiere Confidential.
Access Policy - Federation March 23, 2016
AWS Simple Icons v AWS Simple Icons: Usage Guidelines
TV Broadcasting What to look for Architecture TV Broadcasting Solution
Amazon Web Services (aws)
Training for developers of X-Road interfaces
AWS Solution Architect Associate Exam associate-dumps.html Free AWS Solution Training Exam Question.
THE BATTLE OF CLOUDS Openstack vs. Amazon
100% Exam Passing Guarantee & Money Back Assurance
Scalable Web Apps Target this solution to brand leaders responsible for customer engagement and roll-out of global marketing campaigns. Implement scenarios.
Amazon AWS Solution Architect Associate Exam Questions PDF associate.html AWS Solution Training Exam.
Live Global Sports Events
What are they? The Package Repository Client is a set of Tcl scripts that are capable of locating, downloading, and installing packages for both Tcl and.
DocFusion 365 Intelligent Template Designer and Document Generation Engine on Azure Enables Your Team to Increase Productivity MICROSOFT AZURE APP BUILDER.
Introduction to Windows Azure AppFabric
5/25/2018 2:39 AM © 2006 Microsoft Corporation. All rights reserved.
Axway MailGate Unifies “Safe-for-Work” Solutions to Keep Your Enterprise as Secure as Possible in the Azure Cloud and/or Any Hybrid Environment MICROSOFT.
Enterprise Town Hall solution
Node.js Express Web Applications
Partner Logo Veropath Offers a Next-Gen Expense Management SaaS Technology Solution, Built Specifically to Harness Big Data Analytics Capabilities in Azure.
Vidcoding Introduces Scalable Video and TV Encoding in the Cloud at an Affordable Price by Utilizing the Processing Power of Azure Batch MICROSOFT AZURE.
Amazon Storage- S3 and Glacier
Power BI Security Best Practices
Stylelabs Develops the Marketing Content Hub to Offer Enterprises a High-End Marketing Content Management Platform Based on Microsoft Azure MICROSOFT AZURE.
COMP3220 Web Infrastructure COMP6218 Web Architecture
Nimble Streamer Helps Media Content Providers Create Streaming Networks Cost-Effectively and Easily by Utilizing Azure’s Worldwide Scalability MICROSOFT.
Welcome to AWS Certification Exam
Scalable Web Apps Target this solution to brand leaders responsible for customer engagement and roll-out of global marketing campaigns. Implement scenarios.
Language Understanding Intelligent Service and Microsoft Azure Enable Rover, PLEX.AI’s Artificial Intelligence-Powered Virtual Insurance Advisor MICROSOFT.
With Help from the Microsoft Azure Cloud,
Take Control of Insurance Product Management: Build, Test, and Launch Any Product Globally 10x Faster, 10x More Cheaply with INSTANDA on Azure Partner.
Amazon AWS Solution Architect Associate Exam Dumps For Full Exam Info Visit This Link:
Amazon AWS Solution Architect Associate Exam Questions PDF associate-dumps.html AWS Solution Training.
2018 Amazon AWS DevOps Engineer Professional Dumps - DumpsProfessor
© 2016 Global Market Insights, Inc. USA. All Rights Reserved Fuel Cell Market size worth $25.5bn by 2024 Digital Rights Management Market.
Azure AD Line Of Business Application Integration
Protecting Premium Video in Windows
Be Better: Achieve Customer Service Excellence and Create a Lean RMA and Returns Process with Renewity RMA and the Power of Microsoft Azure MICROSOFT AZURE.
Voice Analytics on Microsoft Azure Allows Various Customers to Get the Most Out of Conversations with Clients Through Efficient Content Analysis MICROSOFT.
Auth0 Is Identity Made Simple for Developers, Built by Developers and Supported by the High Availability and Performance of Microsoft Azure MICROSOFT AZURE.
The Only Digital Asset Management System on Microsoft Azure, MediaValet Is Uniquely Equipped to Meet Any Company’s Needs MICROSOFT AZURE ISV PROFILE: MEDIAVALET.
Data Security for Microsoft Azure
Secure Electronic Procurement of Transcripts, HRD Attestations, and Certificates of Origin, Made Easy with Myeasydocs and Power of Microsoft Azure MICROSOFT.
AllDigital Brevity on Microsoft Azure Cloud Platform Supercharges Media Workloads by Encoding During High-Speed File Transmission MICROSOFT AZURE ISV PROFILE:
Technical Approach Chris Louden Enspier
Keep Your Digital Media Assets Safe and Save Time by Choosing ImageVault to be Your Digital Asset Management Solution, Hosted in Microsoft Azure Partner.
One-Stop Shop Manages All Technical Vendor Data and Documentation and is Globally Deployed Using Microsoft Azure to Support Asset Owners/Operators MICROSOFT.
Media365 Portal by Ctrl365 is Powered by Azure and Enables Easy and Seamless Dissemination of Video for Enhanced B2C and B2B Communication MICROSOFT AZURE.
Office 365 Identity Management
AWS Cloud Computing Masaki.
NEW PRODUCT INTRODUCTION CONEKT™ Mobile Smartphone Access Control Identification Solution June 2018.
Matthew Levy Azure AD B2B vs B2C Matthew Levy
敦群數位科技有限公司(vanGene Digital Inc.) 游家德(Jade Yu.)
Building Security into Your System
Western Mass Microsoft Technology Users Group
Security for Science Gateways Initial Design Discussions
Check-in Identity and Access Management solution that makes it easy to secure access to services and resources.
IoT Security and Privacy
Presentation transcript:

Secure Packager and Encoder Key Exchange (SPEKE) Open API Specification for Encoders, Transcoders, Packagers, and DRM Platforms Lionel Bringuier – Director of Product Management, Video Delivery Services Ken Shek – Specialist Solutions Architect M&E

What is the SPEKE API? The Secure Packager and Encoder Key Exchange (SPEKE) is an open API specification which defines the standard for communication between encryptors and digital rights management (DRM) platforms.  

Why do we need to use DRMs? ReInvent 2018 4/5/2019 2:31 AM Why do we need to use DRMs? Protect and control access to content Monetize content by maintaining control and fulfillment Market coverage Content producers protect Premium video content Sporting events example: FIFA WorldCup 2018 Playback Complexity Consumers watch content on various devices which all have specific Container/DRM requirements The DASH container offers Multi-DRM protected using Widevine and PlayReady Apple HLS is protected using Apple Fairplay Playback on Web Browsers, Multiscreen devices and Set-top boxes Be sure to say that playback on web browsers, multiscreen devices and set-top boxes are all different © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

Key Terms Encryptor CPIX SystemID or schemeId Key ID (KID) PSSH Encoders, transcoders, packagers CPIX Content Protection Information Exchange format (DASH-IF) SystemID or schemeId Unique ID for the underlying DRM vendor: Microsoft PlayReady: 9a04f079-9840-4286-ab92-e65be0885f95 Google Widevine: edef8ba9-79d6-4ace-a3c8-27dcd51d21ed Registered at: https://dashif.org/identifiers/protection/ Key ID (KID) Identifier that points to the underlying Key similar to a hash table PSSH Protection System Specific Header, as part of CENC (Common Encryption) Contains a reference to the KeyID, SystemID and custom data for that DRM vendor Stored as an MP4 box in fMP4 Stored as base64 encoding for MP4 box in DASH MPD

SPEKE – Democratization of the video workflow Content Providers (MVPDS and Content distributors) Lowers barrier of DRM solution provider adoption Opportunity cost savings with quicker integration Ability to expand audience/device coverage Content Providers Encryptors (Encoders, Transcoders and Packagers) Robust and lighter application Saves time, effort and cost of custom DRM API integration (4 weeks per custom integration) Savings in testing time and effort (~17% reduction in testing effort) Ability to test DRM workflow with reference servers Encryptors DRM DRM Solution Providers Lowers barrier to adoption Custom integration cost and time savings Ability to establish proven workflows

The SPEKE Ecosystem Several DRM solution providers have implemented SPEKE SPEKE also enables customers to develop their own key management solution

AWS Management Console AWS Identity and Access Management (IAM) SPEKE System Diagram AWS Cloud Region z AWS Management Console IAM Role Amazon API Gateway Operators AWS STS HTTPS (TLS 1.2) + AWS Auth AWS Elemental Account Customer AWS Account AWS Identity and Access Management (IAM) DRM Partner Account DRM Key Server Public Interface INSTANCE Public Key Server/ Entitlement Management INSTANCE(S) Elastic Load Balancing Encryptor CloudFront DRM Partner System Example Mutual TLS Auth Client Certificate Trust Store Private Keys AWS Elemental MediaConvert & AWS Elemental MediaPackage Bucket Viewers Encrypted Content Encrypted Content (includes DRM metadata) GET Key Metadata DRM Management Interface Key

SPEKE – CPIX Based Encryptor Consumer Model Packager Encryptor Packager CPIX Document V2 Content Keys PSSH DRM signaling Key format and version CPIX Document V1 Key ID DRM system ID DRM Key Server DRM System

SPEKE Request Sample – XML POST Over HTTP GET Key KeyID SystemID 1 KeyID SystemID 2 GET PSSH

SPEKE Response Sample – XML Over HTTP Key SystemID 1 KeyID SystemID 2 KeyID PSSH

DASH Manifest with multi-DRM signaling KeyID DRM1 PSSH DRM1 SystemID DRM1 SystemID DRM2 KeyID DRM2 PSSH DRM2

How Do I Get Started with SPEKE? SPEKE API Documentation: https://docs.aws.amazon.com/speke/latest/documentation/what-is-speke.html SPEKE reference server: https://github.com/awslabs/speke-reference-server

SPEKE Reference Server Open source reference key server in GitHub AWS Labs project area Foundational example of a custom SPEKE key server, supporting HLS and DASH Provides pre-built CloudFormation templates and code for a turnkey installation Integrates API Gateway, Lambda, S3, CloudFront, Secrets Manager for key generation Uses secret IV per stream (content ID) Uses key derivation to produce encryption/decryption keys Participate at https://github.com/awslabs/speke-reference-server Fork the project and build your own key server Don’t hesitate to submit issues, questions, pull requests with improvements

Demo Secure DRM Workflow with AWS Services with Cognito, CloudFront, Lambda@Edge, S3, and Media services

VOD content encryption flow Amazon S3 CLEAR CONTENT ENCRYYPTED AWS Elemental MediaConvert FILE-BASED PROCESSING Enumerate all clear contents needed to be protected Amazon Lambda ENUMERATOR Submit Job to create DRM contents Store DRM, ABR HLS (and/or DASH) Key Server DRM PROVIDER SPEKE-compatible DRM providers 1 2 4 3 Amazon CloudFront DISTRIBUTION Contents served by CloudFront 5

Architectural view WEB CLIENT 4 6 1 2 3 9 5 7 8 Amazon Lambda@Edge REGION Direct access to S3 is prohibited VIRGINIA REGION Fetch CF Key Pair ID for signing from Parameter Store 4 Amazon SSM PARAMETER STORE Amazon Lambda@Edge ORIGIN REQUEST SAML / OIDC IDENTITY PROVIDER(S) WEB CLIENT USER IAM policy with authorized access Signing with CF Private Key 6 Sign In Amazon Cognito FEDERATED IDENTITY Amazon CloudFront DISTRIBUTION Amazon S3 PRIVATE ORIGIN https://dhvrm06plqjdh.cloudfront.net/demo/signin.html 1 Federated Identity 2 3 Return temporary access credential 9 OAID 5 Request to sign URL with Key Pair Id Redirect (302) upon signing completed 7 8 Content requests must contain signed cookies

Levels of protection Content SPEKE compatible DRM encryption Key Retrieval API Gateway with IAM_AUTH Origin S3 Origin Access ID (OAID) Demo URL: https://dhvrm06plqjdh.cloudfront.net/demo/signin.html Content URL(s) CloudFront Signed Cookies User Cognito Authentication

Thank you. Lionel Bringuier – lbringui@amazon Thank you. Lionel Bringuier – lbringui@amazon.com Ken Shek – kenshek@amazon.fr

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.