Encrypting high-value content has long been a challenge for media customers. The number of digital rights management (DRM) schemes, transcoding and packaging vendors, and packaging formats created hundreds of potential integration points, each requiring extensive engineering resources and time. The Secure Packager and Encoder Key Exchange (SPEKE) is a single, open REST API specification for authentication and key exchange between DRM platforms and encryptors (transcoders and packagers) that reduces the number of integration points and accelerates time-to-market for customers for on-premises, hybrid, and cloud video workflows. In this session, learn about the SPEKE API and the Content Protection Information Exchange (CPIX) format, and how SPEKE establishes secure key exchange using Amazon API Gateway, document encryption, IAM roles, and Signature Version 4 signing for live and file-based video workflows.

2. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
SPEKE-ing of Content Protection and DRM . . .
Lionel Bringuier
Director - Product
Management
AWS Elemental
M A E 3 0 2
Jesse Rosenzweig
Chief Technology
Officer
AWS Elemental
Jim Thario
Technical Marketing Engineer
AWS Elemental

3. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Agenda
• SPEKE (Secure Packager Encoder Key Exchange)
 Advantages
 SPEKE architecture
 SPEKE Reference Key Server and Demo

4. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
What is the SPEKE API?
The Secure Packager and Encoder Key Exchange (SPEKE) is an open
API specification that defines the standard for communication
between encryptors and digital rights management (DRM)
platforms

5. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Why do we need to use DRMs?
Protect and control access to content
 Monetize content by maintaining control and fulfillment
Market coverage
 Content producers protect premium video content
 Sporting events example: FIFA World Cup 2018
Playback complexity
 Consumers watch content on various devices which all have specific container/DRM
requirements
 The DASH container offers multi-DRM protected using Widevine and PlayReady
 Apple HLS is protected using Apple FairPlay
 Playback on web browsers, multiscreen devices, and set-top boxes

6. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Encryptors
(Encoders, transcoders, and packagers)
 Robust and lighter application
 Saves time, effort and cost of custom DRM API
integration
 saves 4 weeks per custom integration
 Savings in testing time and effort
 ~17% reduction in testing effort
 Ability to test DRM workflow with reference servers
SPEKE—Democratization of the video workflow
Content providers
(MVPDS and content distributors)
 Lowers barrier of DRM solution provider adoption
 Instant support for 10+ DRM vendors
 Opportunity cost savings with quicker integration
 Ability to expand audience/device coverage
DRM solution providers
 Lowers barrier to adoption
 Instant support for all SPEKE encryptors
 Custom integration cost and time savings
 Ability to establish proven workflows

7. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
The SPEKE ecosystem
Several DRM solution providers have implemented SPEKE
SPEKE also enables customers to develop their own key management solution

8. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
SPEKE system diagram
AWS Cloud Region
z
AWS Management
Console
IAM Role
Amazon
API Gateway
Operators
AWS STS
HTTPS (TLS 1.2)
+ AWS Auth
AWS Elemental Account Customer AWS Account
AWS Identity and
Access Management (IAM)
Customer AWS Account
DRM Partner Account
DRM Key Server
Public Interface
INSTANCE
Public Key Server/
Entitlement
Management
INSTANCE(S)
Elastic Load
Balancing
Encryptor
Amazon
CloudFront
DRM Partner System Example
Mutual TLS Auth
Client Certificate
Trust Store Private Keys
AWS Elemental MediaConvert &
AWS Elemental MediaPackage
Bucket
Viewers
Encrypted Content
Encrypted Content (includes DRM metadata)
GET Key
Metadata
DRM Management Interface
Key

9. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
SPEKE transaction flow
Packager Encryptor
Key server DRM system





Packager
DRM

10. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
SPEKE request sample—XML POST over HTTP
KeyID
SystemID 1
GET Key
KeyID SystemID 2
GET PSSH

11. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
SPEKE response sample—XML over HTTP
KeyID
KeyID
SystemID 1
SystemID 2
Key
PSSH

12. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
DASH manifest with multi-DRM signaling
KeyID DRM1
SystemID DRM1PSSH DRM1
KeyID DRM2
SystemID DRM2
PSSH DRM2

13. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
How do I get started with SPEKE?
 SPEKE API documentation:
https://docs.aws.amazon.com/speke/latest/documentation/what-is-
speke.html
https://docs.aws.amazon.com/speke/latest/documentation/the-speke-
api.html
 SPEKE reference server:
https://github.com/awslabs/speke-reference-server

14. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
SPEKE reference server
 Open source reference key server in GitHub AWS Labs project area
 Foundational example of a custom SPEKE key server
 Available today for use and customization
 Provides pre-built AWS CloudFormation templates and code for a turnkey installation
 Integrates Amazon API Gateway, AWS Lambda, Amazon Simple Storage Service
(Amazon S3), Amazon CloudFront, AWS Secrets Manager for key generation
 Uses secret IV per stream (content ID)
 Uses key derivation to produce encryption/decryption keys
 Supports HLS, HLS-Sample, and DASH
 Participate at https://github.com/awslabs/speke-reference-server
 Fork the project and build your own key server
 Submit issues, questions, pull requests with improvements

15. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Additional resources
 DASH-IF Implementation Guidelines: Content Protection Information Exchange
Format (CPIX):
https://dashif.org/docs/DASH-IF-CPIX-v2-0.pdf
 Google Widevine:
https://storage.googleapis.com/wvdocs/Widevine_DRM_Encryption_API.pdf
 Microsoft PlayReady:
https://docs.microsoft.com/en-us/playready/
 Apple FairPlay Streaming:
https://developer.apple.com/streaming/fps/

16. Thank you!
© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Lionel Bringuier
Jesse Rosenzweig
Jim Thario

17. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.