7 min read
We chose CPIX to take advanced content protection to the next level: here's why
Content protection is one of the most important topics in video streaming and as it becomes more advanced and harder to circumvent, it also becomes more complicated to implement.
The next generation of content protection is a good example of this, as it no longer relies on a single key to encrypt content, but on different keys for different tracks or on keys that rotate over time.
To enable support for these types of content protection and to streamline the use of DRM with the Unified Streaming Platform, we rely on CPIX, which is short for Content Protection Information Exchange.
What is CPIX?
CPIX is a new guideline developed by DASH-IF. It specifies how to store all content protection related information in an XML formatted document, allowing this information to be easily exchanged between the different parts of a video streaming setup.
The CPIX document contains the key(s) that the content should be encrypted with, as well as the Digital Rights Management (DRM) information associated with the key(s). This DRM information is crucial, as the player on an end-user device must be able to request the license that enables it to decrypt and successfully play back the content.
DRM workflow
In order to get a better understanding of CPIX’s potential, it is helpful to look at a content protection workflow. In such a workflow, different parts of a video streaming setup must work together to successfully protect the content. In short, it entails:
- Encrypting to your content, whether on-disk or on-the-fly
- Translating your business logic into DRM licenses that define the restrictions on your content
- Running a license server that handles requests from end-user devices
Figure 1, which is taken from the CPIX specification itself, provides an overview of the parts of a video streaming setup that may be involved in such a workflow:
When using Unified Packager to package your content statically or Unified Origin to package and serve it dynamically, they represent the ‘Packager Encryptor’ and ‘Manifest Creator’ in the figure above, as both can:
- Encrypt your content (note that pre-encrypted content can be used as well)
- Package your content
- Generate the manifest
In order for Unified Packager or Unified Origin to provide these steps in a DRM workflow, they need to be informed about the following:
- Key(s) to encrypt the content
- Key(s) to identify the content with (Key ID)
- DRM information
Why CPIX is useful
Of course, there already are existing methods of exchanging DRM information between different parts of a video streaming setup, but those are connected to specific DRM vendors instead of being platform independent like CPIX.
Therefore, CPIX is useful not only because it can streamline the exchange of advanced DRM configurations with multiple keys, but also because it:
- Breaks vendor lock-in
- Reduces time-to-market
CPIX helps to reduce vendor lock-in because it allows for standardized integration of DRM in your setup, thus making it easier to switch to a different DRM vendor who also supports CPIX, or switch to a different packager or encryptor.
CPIX can also help to reduce time-to-market for video streaming services because DRM can be one of the more complex parts to set up correctly, however if each part of your set up ‘speaks the same language’, i.e. CPIX, this will lead to a quicker and more reliable integration.
A closer look
Below is an example of a CPIX document for a stream protected by DRM with multiple keys. This is the same document that is used for our demo that showcases our new DRM with multiple keys functionality. It includes 5 key IDs that are associated with 5 content encryption keys. It also includes DRM information for one DRM system and filters that define which keys are associated with which of the content’s audio and video tracks. The DRM information is presented as a PSSH, or Protection System Specific Header.
The elements in this example document have the following meaning:
- A
ContentKeyList
that lists Key ID and encryption key pairs, with each of those pairs being contained in aContentKey
element and each Key ID serving as the representation of theContentKey
in which it is stored - A
DRMSystemList
that lists Key ID and DRM system pairs, with each of those pairs being contained in aDRMSystem
element that must contain a PSSH and can contain additional format specific signaling - A
ContentKeyUsageRuleList
that lists the different Key IDs, with each Key ID being associated with certain audio, video and bitrate filters in aContentKeyUsageRule
element
Thus, a CPIX document is used to associate a ContentKey
with a DRMSystem
, and to associate a ContentKey
and DRMSystem
pair with tracks that are filtered out by a ContentKeyUsageRule
.
<?xml version='1.0' encoding='UTF-8'?>
<CPIX xmlns:pskc="urn:ietf:params:xml:ns:keyprov:pskc" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="urn:dashif:org:cpix" xsi:schemaLocation="urn:dashif:org:cpix cpix.xsd">
<ContentKeyList>
<ContentKey kid="e82f184c-3aaa-57b4-ace8-606b5e3febad">
<Data>
<pskc:Secret>
<pskc:PlainValue>wvr2bihSzExKdR8KKpQf2w==</pskc:PlainValue>
</pskc:Secret>
</Data>
</ContentKey>
<ContentKey kid="087bcfc6-f7a5-5716-b840-6aa6eba3369e">
<Data>
<pskc:Secret>
<pskc:PlainValue>goHOjbkINpfZdw2H25YoNQ==</pskc:PlainValue>
</pskc:Secret>
</Data>
</ContentKey>
<ContentKey kid="0d6b4023-8da1-5e75-af68-75c514c59b63">
<Data>
<pskc:Secret>
<pskc:PlainValue>WC1rcWEb4EyI4iqqEEQeLA==</pskc:PlainValue>
</pskc:Secret>
</Data>
</ContentKey>
</ContentKeyList>
<DRMSystemList>
<DRMSystem kid="e82f184c-3aaa-57b4-ace8-606b5e3febad" systemId="edef8ba9-79d6-4ace-a3c8-27dcd51d21ed">
<PSSH>AAAAMnBzc2gAAAAA7e+LqXnWSs6jyCfc1R0h7QAAABIiCnVzcHd2dGVzdDNI49yVmwY=</PSSH>
</DRMSystem>
<DRMSystem kid="e82f184c-3aaa-57b4-ace8-606b5e3febad" systemId="9a04f079-9840-4286-ab92-e65be0885f95">
<PSSH>AAAFyHBzc2gBAAAAmgTweZhAQoarkuZb4IhflQAAAAPoLxhMOqpXtKzoYGteP+utCHvPxvelVxa4QGqm66M2ng1rQCONoV51r2h1xRTFm2MAAAV0dAUAAAEAAQBqBTwAVwBSAE0ASABFAEEARABFAFIAIAB4AG0AbABuAHMAPQAiAGgAdAB0AHAAOgAvAC8AcwBjAGgAZQBtAGEAcwAuAG0AaQBjAHIAbwBzAG8AZgB0AC4AYwBvAG0ALwBEAFIATQAvADIAMAAwADcALwAwADMALwBQAGwAYQB5AFIAZQBhAGQAeQBIAGUAYQBkAGUAcgAiACAAdgBlAHIAcwBpAG8AbgA9ACIANAAuADIALgAwAC4AMAAiAD4APABEAEEAVABBAD4APABQAFIATwBUAEUAQwBUAEkATgBGAE8APgA8AEsASQBEAFMAPgA8AEsASQBEACAAQQBMAEcASQBEAD0AIgBBAEUAUwBDAFQAUgAiACAAQwBIAEUAQwBLAFMAVQBNAD0AIgArAE4AVgA5AC8AOABqAGIAZgByAHcAPQAiACAAVgBBAEwAVQBFAD0AIgBUAEIAZwB2ADYASwBvADYAdABGAGUAcwA2AEcAQgByAFgAagAvAHIAcgBRAD0APQAiAD4APAAvAEsASQBEAD4APABLAEkARAAgAEEATABHAEkARAA9ACIAQQBFAFMAQwBUAFIAIgAgAEMASABFAEMASwBTAFUATQA9ACIAWgAxADAAaQBPAFkAWQB6AEgAMwBrAD0AIgAgAFYAQQBMAFUARQA9ACIAeABzADkANwBDAEsAWAAzAEYAbABlADQAUQBHAHEAbQA2ADYATQAyAG4AZwA9AD0AIgA+ADwALwBLAEkARAA+ADwASwBJAEQAIABBAEwARwBJAEQAPQAiAEEARQBTAEMAVABSACIAIABDAEgARQBDAEsAUwBVAE0APQAiAE8ARQB1AE0AeQBEAGUAUQAxAHMAOAA9ACIAIABWAEEATABVAEUAPQAiAEkAMABCAHIARABhAEcATgBkAFYANgB2AGEASABYAEYARgBNAFcAYgBZAHcAPQA9ACIAPgA8AC8ASwBJAEQAPgA8AC8ASwBJAEQAUwA+ADwALwBQAFIATwBUAEUAQwBUAEkATgBGAE8APgA8AEwAQQBfAFUAUgBMAD4AaAB0AHQAcABzADoALwAvAHQAZQBzAHQALgBwAGwAYQB5AHIAZQBhAGQAeQAuAG0AaQBjAHIAbwBzAG8AZgB0AC4AYwBvAG0ALwBzAGUAcgB2AGkAYwBlAC8AcgBpAGcAaAB0AHMAbQBhAG4AYQBnAGUAcgAuAGEAcwBtAHgAPwBjAGYAZwA9ACgAawBpAGQAOgBUAEIAZwB2ADYASwBvADYAdABGAGUAcwA2AEcAQgByAFgAagAvAHIAcgBRAD0APQAsAGMAbwBuAHQAZQBuAHQAawBlAHkAOgB3AHYAcgAyAGIAaQBoAFMAegBFAHgASwBkAFIAOABLAEsAcABRAGYAMgB3AD0APQApACwAKABrAGkAZAA6AHgAcwA5ADcAQwBLAFgAMwBGAGwAZQA0AFEARwBxAG0ANgA2AE0AMgBuAGcAPQA9ACwAYwBvAG4AdABlAG4AdABrAGUAeQA6AGcAbwBIAE8AagBiAGsASQBOAHAAZgBaAGQAdwAyAEgAMgA1AFkAbwBOAFEAPQA9ACkALAAoAGsAaQBkADoASQAwAEIAcgBEAGEARwBOAGQAVgA2AHYAYQBIAFgARgBGAE0AVwBiAFkAdwA9AD0ALABjAG8AbgB0AGUAbgB0AGsAZQB5ADoAVwBDADEAcgBjAFcARQBiADQARQB5AEkANABpAHEAcQBFAEUAUQBlAEwAQQA9AD0AKQA8AC8ATABBAF8AVQBSAEwAPgA8AC8ARABBAFQAQQA+ADwALwBXAFIATQBIAEUAQQBEAEUAUgA+AA==</PSSH>
</DRMSystem>
<DRMSystem kid="087bcfc6-f7a5-5716-b840-6aa6eba3369e" systemId="edef8ba9-79d6-4ace-a3c8-27dcd51d21ed">
<PSSH>AAAAMnBzc2gAAAAA7e+LqXnWSs6jyCfc1R0h7QAAABIiCnVzcHd2dGVzdDNI49yVmwY=</PSSH>
</DRMSystem>
<DRMSystem kid="087bcfc6-f7a5-5716-b840-6aa6eba3369e" systemId="9a04f079-9840-4286-ab92-e65be0885f95">
<PSSH>AAAFyHBzc2gBAAAAmgTweZhAQoarkuZb4IhflQAAAAPoLxhMOqpXtKzoYGteP+utCHvPxvelVxa4QGqm66M2ng1rQCONoV51r2h1xRTFm2MAAAV0dAUAAAEAAQBqBTwAVwBSAE0ASABFAEEARABFAFIAIAB4AG0AbABuAHMAPQAiAGgAdAB0AHAAOgAvAC8AcwBjAGgAZQBtAGEAcwAuAG0AaQBjAHIAbwBzAG8AZgB0AC4AYwBvAG0ALwBEAFIATQAvADIAMAAwADcALwAwADMALwBQAGwAYQB5AFIAZQBhAGQAeQBIAGUAYQBkAGUAcgAiACAAdgBlAHIAcwBpAG8AbgA9ACIANAAuADIALgAwAC4AMAAiAD4APABEAEEAVABBAD4APABQAFIATwBUAEUAQwBUAEkATgBGAE8APgA8AEsASQBEAFMAPgA8AEsASQBEACAAQQBMAEcASQBEAD0AIgBBAEUAUwBDAFQAUgAiACAAQwBIAEUAQwBLAFMAVQBNAD0AIgArAE4AVgA5AC8AOABqAGIAZgByAHcAPQAiACAAVgBBAEwAVQBFAD0AIgBUAEIAZwB2ADYASwBvADYAdABGAGUAcwA2AEcAQgByAFgAagAvAHIAcgBRAD0APQAiAD4APAAvAEsASQBEAD4APABLAEkARAAgAEEATABHAEkARAA9ACIAQQBFAFMAQwBUAFIAIgAgAEMASABFAEMASwBTAFUATQA9ACIAWgAxADAAaQBPAFkAWQB6AEgAMwBrAD0AIgAgAFYAQQBMAFUARQA9ACIAeABzADkANwBDAEsAWAAzAEYAbABlADQAUQBHAHEAbQA2ADYATQAyAG4AZwA9AD0AIgA+ADwALwBLAEkARAA+ADwASwBJAEQAIABBAEwARwBJAEQAPQAiAEEARQBTAEMAVABSACIAIABDAEgARQBDAEsAUwBVAE0APQAiAE8ARQB1AE0AeQBEAGUAUQAxAHMAOAA9ACIAIABWAEEATABVAEUAPQAiAEkAMABCAHIARABhAEcATgBkAFYANgB2AGEASABYAEYARgBNAFcAYgBZAHcAPQA9ACIAPgA8AC8ASwBJAEQAPgA8AC8ASwBJAEQAUwA+ADwALwBQAFIATwBUAEUAQwBUAEkATgBGAE8APgA8AEwAQQBfAFUAUgBMAD4AaAB0AHQAcABzADoALwAvAHQAZQBzAHQALgBwAGwAYQB5AHIAZQBhAGQAeQAuAG0AaQBjAHIAbwBzAG8AZgB0AC4AYwBvAG0ALwBzAGUAcgB2AGkAYwBlAC8AcgBpAGcAaAB0AHMAbQBhAG4AYQBnAGUAcgAuAGEAcwBtAHgAPwBjAGYAZwA9ACgAawBpAGQAOgBUAEIAZwB2ADYASwBvADYAdABGAGUAcwA2AEcAQgByAFgAagAvAHIAcgBRAD0APQAsAGMAbwBuAHQAZQBuAHQAawBlAHkAOgB3AHYAcgAyAGIAaQBoAFMAegBFAHgASwBkAFIAOABLAEsAcABRAGYAMgB3AD0APQApACwAKABrAGkAZAA6AHgAcwA5ADcAQwBLAFgAMwBGAGwAZQA0AFEARwBxAG0ANgA2AE0AMgBuAGcAPQA9ACwAYwBvAG4AdABlAG4AdABrAGUAeQA6AGcAbwBIAE8AagBiAGsASQBOAHAAZgBaAGQAdwAyAEgAMgA1AFkAbwBOAFEAPQA9ACkALAAoAGsAaQBkADoASQAwAEIAcgBEAGEARwBOAGQAVgA2AHYAYQBIAFgARgBGAE0AVwBiAFkAdwA9AD0ALABjAG8AbgB0AGUAbgB0AGsAZQB5ADoAVwBDADEAcgBjAFcARQBiADQARQB5AEkANABpAHEAcQBFAEUAUQBlAEwAQQA9AD0AKQA8AC8ATABBAF8AVQBSAEwAPgA8AC8ARABBAFQAQQA+ADwALwBXAFIATQBIAEUAQQBEAEUAUgA+AA==</PSSH>
</DRMSystem>
<DRMSystem kid="0d6b4023-8da1-5e75-af68-75c514c59b63" systemId="edef8ba9-79d6-4ace-a3c8-27dcd51d21ed">
<PSSH>AAAAMnBzc2gAAAAA7e+LqXnWSs6jyCfc1R0h7QAAABIiCnVzcHd2dGVzdDNI49yVmwY=</PSSH>
</DRMSystem>
<DRMSystem kid="0d6b4023-8da1-5e75-af68-75c514c59b63" systemId="9a04f079-9840-4286-ab92-e65be0885f95">
<PSSH>AAAFyHBzc2gBAAAAmgTweZhAQoarkuZb4IhflQAAAAPoLxhMOqpXtKzoYGteP+utCHvPxvelVxa4QGqm66M2ng1rQCONoV51r2h1xRTFm2MAAAV0dAUAAAEAAQBqBTwAVwBSAE0ASABFAEEARABFAFIAIAB4AG0AbABuAHMAPQAiAGgAdAB0AHAAOgAvAC8AcwBjAGgAZQBtAGEAcwAuAG0AaQBjAHIAbwBzAG8AZgB0AC4AYwBvAG0ALwBEAFIATQAvADIAMAAwADcALwAwADMALwBQAGwAYQB5AFIAZQBhAGQAeQBIAGUAYQBkAGUAcgAiACAAdgBlAHIAcwBpAG8AbgA9ACIANAAuADIALgAwAC4AMAAiAD4APABEAEEAVABBAD4APABQAFIATwBUAEUAQwBUAEkATgBGAE8APgA8AEsASQBEAFMAPgA8AEsASQBEACAAQQBMAEcASQBEAD0AIgBBAEUAUwBDAFQAUgAiACAAQwBIAEUAQwBLAFMAVQBNAD0AIgArAE4AVgA5AC8AOABqAGIAZgByAHcAPQAiACAAVgBBAEwAVQBFAD0AIgBUAEIAZwB2ADYASwBvADYAdABGAGUAcwA2AEcAQgByAFgAagAvAHIAcgBRAD0APQAiAD4APAAvAEsASQBEAD4APABLAEkARAAgAEEATABHAEkARAA9ACIAQQBFAFMAQwBUAFIAIgAgAEMASABFAEMASwBTAFUATQA9ACIAWgAxADAAaQBPAFkAWQB6AEgAMwBrAD0AIgAgAFYAQQBMAFUARQA9ACIAeABzADkANwBDAEsAWAAzAEYAbABlADQAUQBHAHEAbQA2ADYATQAyAG4AZwA9AD0AIgA+ADwALwBLAEkARAA+ADwASwBJAEQAIABBAEwARwBJAEQAPQAiAEEARQBTAEMAVABSACIAIABDAEgARQBDAEsAUwBVAE0APQAiAE8ARQB1AE0AeQBEAGUAUQAxAHMAOAA9ACIAIABWAEEATABVAEUAPQAiAEkAMABCAHIARABhAEcATgBkAFYANgB2AGEASABYAEYARgBNAFcAYgBZAHcAPQA9ACIAPgA8AC8ASwBJAEQAPgA8AC8ASwBJAEQAUwA+ADwALwBQAFIATwBUAEUAQwBUAEkATgBGAE8APgA8AEwAQQBfAFUAUgBMAD4AaAB0AHQAcABzADoALwAvAHQAZQBzAHQALgBwAGwAYQB5AHIAZQBhAGQAeQAuAG0AaQBjAHIAbwBzAG8AZgB0AC4AYwBvAG0ALwBzAGUAcgB2AGkAYwBlAC8AcgBpAGcAaAB0AHMAbQBhAG4AYQBnAGUAcgAuAGEAcwBtAHgAPwBjAGYAZwA9ACgAawBpAGQAOgBUAEIAZwB2ADYASwBvADYAdABGAGUAcwA2AEcAQgByAFgAagAvAHIAcgBRAD0APQAsAGMAbwBuAHQAZQBuAHQAawBlAHkAOgB3AHYAcgAyAGIAaQBoAFMAegBFAHgASwBkAFIAOABLAEsAcABRAGYAMgB3AD0APQApACwAKABrAGkAZAA6AHgAcwA5ADcAQwBLAFgAMwBGAGwAZQA0AFEARwBxAG0ANgA2AE0AMgBuAGcAPQA9ACwAYwBvAG4AdABlAG4AdABrAGUAeQA6AGcAbwBIAE8AagBiAGsASQBOAHAAZgBaAGQAdwAyAEgAMgA1AFkAbwBOAFEAPQA9ACkALAAoAGsAaQBkADoASQAwAEIAcgBEAGEARwBOAGQAVgA2AHYAYQBIAFgARgBGAE0AVwBiAFkAdwA9AD0ALABjAG8AbgB0AGUAbgB0AGsAZQB5ADoAVwBDADEAcgBjAFcARQBiADQARQB5AEkANABpAHEAcQBFAEUAUQBlAEwAQQA9AD0AKQA8AC8ATABBAF8AVQBSAEwAPgA8AC8ARABBAFQAQQA+ADwALwBXAFIATQBIAEUAQQBEAEUAUgA+AA==</PSSH>
</DRMSystem>
</DRMSystemList>
<ContentKeyUsageRuleList>
<ContentKeyUsageRule kid="e82f184c-3aaa-57b4-ace8-606b5e3febad">
<VideoFilter maxPixels="589824"/>
</ContentKeyUsageRule>
<ContentKeyUsageRule kid="087bcfc6-f7a5-5716-b840-6aa6eba3369e">
<VideoFilter minPixels="589825" maxPixels="2073600"/>
</ContentKeyUsageRule>
<ContentKeyUsageRule kid="0d6b4023-8da1-5e75-af68-75c514c59b63">
<AudioFilter/>
</ContentKeyUsageRule>
</ContentKeyUsageRuleList>
</CPIX>
How to start using CPIX
On the most basic level, you can set up a DRM protected stream using CPIX by specifying a CPIX document on the command-line when creating a server manifest. You can do this by using the --[hls|mpd|iss|hds]cpix
option for each play-out format that you want to enable. For example, the CPIX document shown could be used to create a DASH stream that is protected by multiple keys, like so:
mp4split -o tears-of-steel-multikey-cenc.ism \
--mpd.cpix=multiple-keys-cenc.cpix \
tears-of-steel-aac-64k.mp4 \
tears-of-steel-avc1-400k.mp4 \
tears-of-steel-avc1-750k.mp4 \
tears-of-steel-avc1-1500k.mp4
Ideally, all relevant parts of your video streaming setup support CPIX. In such a scenario, much of the content protection workflow that normally requires custom implementations will be automated without additional work, making it easier and less prone to errors.
In such a case, it is possible to use the CPIX command-line options for each relevant play-out format to point to a URL that Unified Origin will use to retrieve the CPIX document when the stream is requested for play-out and it needs to be protected on-the-fly. This enables a workflow where a CPIX document is retrieved directly from the server of the DRM provider.
In case you DRM provider does not yet support CPIX, we have a Python library available for you that will help you generate valid CPIX documents. It also allows you to modify existing documents by adding additional keys to them, for example.
To get you up and running with the library as quickly as possible, it includes example scripts that can be used with Widevine’s and PlayReady’s test servers to get or create keys and produce a CPIX document.
Although implementing a new workflow will always be somewhat cumbersome, technology cannot advance without change. We believe that CPIX provides an important step in content protection, one that will, once implemented, be much more powerful, and easier to maintain.
Given the number of DRM providers that have already implemented it into their workflow or are working hard on doing so, the industry seems ready to take this next step forward. If you are eager to start using CPIX as well, to allow for more advanced forms of content protection like using multiple encryption keys per asset, please contact us.