Presentation is loading. Please wait.

Presentation is loading. Please wait.

Secure Packager and Encoder Key Exchange (SPEKE) Open API Specification for Encoders, Transcoders, Packagers, and DRM Platforms Lionel Bringuier – Director.

Similar presentations


Presentation on theme: "Secure Packager and Encoder Key Exchange (SPEKE) Open API Specification for Encoders, Transcoders, Packagers, and DRM Platforms Lionel Bringuier – Director."— Presentation transcript:

1 Secure Packager and Encoder Key Exchange (SPEKE) Open API Specification for Encoders, Transcoders, Packagers, and DRM Platforms Lionel Bringuier – Director of Product Management, Video Delivery Services Ken Shek – Specialist Solutions Architect M&E

2 What is the SPEKE API? The Secure Packager and Encoder Key Exchange (SPEKE) is an open API specification which defines the standard for communication between encryptors and digital rights management (DRM) platforms.  

3 Why do we need to use DRMs?
ReInvent 2018 4/5/2019 2:31 AM Why do we need to use DRMs? Protect and control access to content Monetize content by maintaining control and fulfillment Market coverage Content producers protect Premium video content Sporting events example: FIFA WorldCup 2018 Playback Complexity Consumers watch content on various devices which all have specific Container/DRM requirements The DASH container offers Multi-DRM protected using Widevine and PlayReady Apple HLS is protected using Apple Fairplay Playback on Web Browsers, Multiscreen devices and Set-top boxes Be sure to say that playback on web browsers, multiscreen devices and set-top boxes are all different © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

4 Key Terms Encryptor CPIX SystemID or schemeId Key ID (KID) PSSH
Encoders, transcoders, packagers CPIX Content Protection Information Exchange format (DASH-IF) SystemID or schemeId Unique ID for the underlying DRM vendor: Microsoft PlayReady: 9a04f ab92-e65be0885f95 Google Widevine: edef8ba9-79d6-4ace-a3c8-27dcd51d21ed Registered at: Key ID (KID) Identifier that points to the underlying Key similar to a hash table PSSH Protection System Specific Header, as part of CENC (Common Encryption) Contains a reference to the KeyID, SystemID and custom data for that DRM vendor Stored as an MP4 box in fMP4 Stored as base64 encoding for MP4 box in DASH MPD

5 SPEKE – Democratization of the video workflow
Content Providers (MVPDS and Content distributors) Lowers barrier of DRM solution provider adoption Opportunity cost savings with quicker integration Ability to expand audience/device coverage Content Providers Encryptors (Encoders, Transcoders and Packagers) Robust and lighter application Saves time, effort and cost of custom DRM API integration (4 weeks per custom integration) Savings in testing time and effort (~17% reduction in testing effort) Ability to test DRM workflow with reference servers Encryptors DRM DRM Solution Providers Lowers barrier to adoption Custom integration cost and time savings Ability to establish proven workflows

6 The SPEKE Ecosystem Several DRM solution providers have implemented SPEKE SPEKE also enables customers to develop their own key management solution

7 AWS Management Console AWS Identity and Access Management (IAM)
SPEKE System Diagram AWS Cloud Region z AWS Management Console IAM Role Amazon API Gateway Operators AWS STS HTTPS (TLS 1.2) + AWS Auth AWS Elemental Account Customer AWS Account AWS Identity and Access Management (IAM) DRM Partner Account DRM Key Server Public Interface INSTANCE Public Key Server/ Entitlement Management INSTANCE(S) Elastic Load Balancing Encryptor CloudFront DRM Partner System Example Mutual TLS Auth Client Certificate Trust Store Private Keys AWS Elemental MediaConvert & AWS Elemental MediaPackage Bucket Viewers Encrypted Content Encrypted Content (includes DRM metadata) GET Key Metadata DRM Management Interface Key

8 SPEKE – CPIX Based Encryptor Consumer Model
Packager Encryptor Packager CPIX Document V2 Content Keys PSSH DRM signaling Key format and version CPIX Document V1 Key ID DRM system ID DRM Key Server DRM System

9 SPEKE Request Sample – XML POST Over HTTP
GET Key KeyID SystemID 1 KeyID SystemID 2 GET PSSH

10 SPEKE Response Sample – XML Over HTTP
Key SystemID 1 KeyID SystemID 2 KeyID PSSH

11 DASH Manifest with multi-DRM signaling
KeyID DRM1 PSSH DRM1 SystemID DRM1 SystemID DRM2 KeyID DRM2 PSSH DRM2

12 How Do I Get Started with SPEKE?
SPEKE API Documentation: SPEKE reference server:

13 SPEKE Reference Server
Open source reference key server in GitHub AWS Labs project area Foundational example of a custom SPEKE key server, supporting HLS and DASH Provides pre-built CloudFormation templates and code for a turnkey installation Integrates API Gateway, Lambda, S3, CloudFront, Secrets Manager for key generation Uses secret IV per stream (content ID) Uses key derivation to produce encryption/decryption keys Participate at Fork the project and build your own key server Don’t hesitate to submit issues, questions, pull requests with improvements

14 Demo Secure DRM Workflow with AWS Services with Cognito, CloudFront, S3, and Media services

15 VOD content encryption flow
Amazon S3 CLEAR CONTENT ENCRYYPTED AWS Elemental MediaConvert FILE-BASED PROCESSING Enumerate all clear contents needed to be protected Amazon Lambda ENUMERATOR Submit Job to create DRM contents Store DRM, ABR HLS (and/or DASH) Key Server DRM PROVIDER SPEKE-compatible DRM providers 1 2 4 3 Amazon CloudFront DISTRIBUTION Contents served by CloudFront 5

16 Architectural view WEB CLIENT 4 6 1 2 3 9 5 7 8 Amazon Lambda@Edge
REGION Direct access to S3 is prohibited VIRGINIA REGION Fetch CF Key Pair ID for signing from Parameter Store 4 Amazon SSM PARAMETER STORE Amazon ORIGIN REQUEST SAML / OIDC IDENTITY PROVIDER(S) WEB CLIENT USER IAM policy with authorized access Signing with CF Private Key 6 Sign In Amazon Cognito FEDERATED IDENTITY Amazon CloudFront DISTRIBUTION Amazon S3 PRIVATE ORIGIN 1 Federated Identity 2 3 Return temporary access credential 9 OAID 5 Request to sign URL with Key Pair Id Redirect (302) upon signing completed 7 8 Content requests must contain signed cookies

17 Levels of protection Content SPEKE compatible DRM encryption
Key Retrieval API Gateway with IAM_AUTH Origin S3 Origin Access ID (OAID) Demo URL: Content URL(s) CloudFront Signed Cookies User Cognito Authentication

18 Thank you. Lionel Bringuier – lbringui@amazon
Thank you. Lionel Bringuier – Ken Shek –


Download ppt "Secure Packager and Encoder Key Exchange (SPEKE) Open API Specification for Encoders, Transcoders, Packagers, and DRM Platforms Lionel Bringuier – Director."

Similar presentations


Ads by Google