1. Secure Packager and Encoder Key Exchange (SPEKE) Open API Specification for Encoders, Transcoders, Packagers, and DRM Platforms Lionel Bringuier – Director of Product Management, Video Delivery Services Ken Shek – Specialist Solutions Architect M&E

2. What is the SPEKE API?
The Secure Packager and Encoder Key Exchange (SPEKE) is an open API specification which defines the standard for communication between encryptors and digital rights management (DRM) platforms.  

3. Why do we need to use DRMs?
ReInvent 2018
4/5/2019 2:31 AM
Why do we need to use DRMs?
Protect and control access to content
Monetize content by maintaining control and fulfillment
Market coverage
Content producers protect Premium video content
Sporting events example: FIFA WorldCup 2018
Playback Complexity
Consumers watch content on various devices which all have specific Container/DRM requirements
The DASH container offers Multi-DRM protected using Widevine and PlayReady
Apple HLS is protected using Apple Fairplay
Playback on Web Browsers, Multiscreen devices and Set-top boxes
Be sure to say that playback on web browsers, multiscreen devices and set-top boxes are all different
© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

4. Key Terms Encryptor CPIX SystemID or schemeId Key ID (KID) PSSH
Encoders, transcoders, packagers
CPIX
Content Protection Information Exchange format (DASH-IF)
SystemID or schemeId
Unique ID for the underlying DRM vendor:
Microsoft PlayReady: 9a04f ab92-e65be0885f95
Google Widevine: edef8ba9-79d6-4ace-a3c8-27dcd51d21ed
Registered at:
Key ID (KID)
Identifier that points to the underlying Key similar to a hash table
PSSH
Protection System Specific Header, as part of CENC (Common Encryption)
Contains a reference to the KeyID, SystemID and custom data for that DRM vendor Stored as an MP4 box in fMP4
Stored as base64 encoding for MP4 box in DASH MPD

5. SPEKE – Democratization of the video workflow
Content Providers
(MVPDS and Content distributors)
Lowers barrier of DRM solution provider adoption
Opportunity cost savings with quicker integration
Ability to expand audience/device coverage
Content Providers
Encryptors
(Encoders, Transcoders and Packagers)
Robust and lighter application
Saves time, effort and cost of custom DRM API integration (4 weeks per custom integration)
Savings in testing time and effort (~17% reduction in testing effort)
Ability to test DRM workflow with reference servers
Encryptors
DRM
DRM Solution Providers
Lowers barrier to adoption
Custom integration cost and time savings
Ability to establish proven workflows

6. The SPEKE Ecosystem
Several DRM solution providers have implemented SPEKE
SPEKE also enables customers to develop their own key management solution

7. AWS Management Console AWS Identity and Access Management (IAM)
SPEKE System Diagram
AWS Cloud Region z
AWS Management Console
IAM Role
Amazon
API Gateway
Operators
AWS STS
HTTPS (TLS 1.2)
+ AWS Auth
AWS Elemental Account
Customer AWS Account
AWS Identity and Access Management (IAM)
DRM Partner Account
DRM Key Server Public Interface
INSTANCE
Public Key Server/
Entitlement Management
INSTANCE(S)
Elastic Load Balancing
Encryptor
CloudFront
DRM Partner System Example
Mutual TLS Auth
Client Certificate
Trust Store
Private Keys
AWS Elemental MediaConvert & AWS Elemental MediaPackage
Bucket
Viewers
Encrypted Content
Encrypted Content (includes DRM metadata)
GET Key Metadata
DRM Management Interface
Key

8. SPEKE – CPIX Based Encryptor Consumer Model
Packager
Encryptor
Packager
CPIX Document V2
Content Keys
PSSH DRM signaling
Key format and version
CPIX Document V1
Key ID
DRM system ID
DRM
Key Server
DRM System

9. SPEKE Request Sample – XML POST Over HTTP
GET Key
KeyID
SystemID 1
KeyID
SystemID 2
GET PSSH

10. SPEKE Response Sample – XML Over HTTP
Key
SystemID 1
KeyID
SystemID 2
KeyID
PSSH

11. DASH Manifest with multi-DRM signaling
KeyID DRM1
PSSH DRM1
SystemID DRM1
SystemID DRM2
KeyID DRM2
PSSH DRM2

12. How Do I Get Started with SPEKE?
SPEKE API Documentation:
SPEKE reference server:

13. SPEKE Reference Server
Open source reference key server in GitHub AWS Labs project area
Foundational example of a custom SPEKE key server, supporting HLS and DASH
Provides pre-built CloudFormation templates and code for a turnkey installation
Integrates API Gateway, Lambda, S3, CloudFront, Secrets Manager for key generation
Uses secret IV per stream (content ID)
Uses key derivation to produce encryption/decryption keys
Participate at
Fork the project and build your own key server
Don’t hesitate to submit issues, questions, pull requests with improvements

14. Demo Secure DRM Workflow with AWS Services with Cognito, CloudFront, S3, and Media services

15. VOD content encryption flow
Amazon S3
CLEAR CONTENT
ENCRYYPTED
AWS Elemental MediaConvert
FILE-BASED PROCESSING
Enumerate all clear contents needed to be protected
Amazon Lambda
ENUMERATOR
Submit Job to create DRM contents
Store DRM, ABR HLS (and/or DASH)
Key Server
DRM PROVIDER
SPEKE-compatible DRM providers 1 2 4 3
Amazon CloudFront
DISTRIBUTION
Contents served by CloudFront 5

16. Architectural view WEB CLIENT 4 6 1 2 3 9 5 7 8 Amazon Lambda@Edge
REGION
Direct access to S3 is prohibited
VIRGINIA REGION
Fetch CF Key Pair ID for signing from Parameter Store 4
Amazon SSM
PARAMETER STORE
Amazon
ORIGIN REQUEST
SAML / OIDC
IDENTITY PROVIDER(S)
WEB CLIENT
USER
IAM policy with authorized access
Signing with CF Private Key 6
Sign In
Amazon Cognito
FEDERATED IDENTITY
Amazon CloudFront
DISTRIBUTION
Amazon S3
PRIVATE ORIGIN 1
Federated
Identity 2 3
Return temporary access credential 9
OAID 5
Request to sign URL with Key Pair Id Redirect (302) upon signing completed 7 8
Content requests must contain signed cookies

17. Levels of protection Content SPEKE compatible DRM encryption
Key Retrieval API Gateway with IAM_AUTH
Origin S3 Origin Access ID (OAID)
Demo URL:
Content URL(s) CloudFront Signed Cookies
User Cognito Authentication

18. Thank you. Lionel Bringuier – lbringui@amazon
Thank you. Lionel Bringuier – Ken Shek –