0

I want to encode my content using clearkeys. I am using DASH protocol. I know how to encrypt and play encrypted content. My question is how do I generate those keys so that I can bring up my own clear key licensing server.

ashutosh singh

1 Answer

1

It's worth mentioning that ClearKey is not really seen as a DRM - it lacks the secure key exchange mechanisms that most DRMs include. In DASH forum's own words, ClearKey is 'to provide a level of content protection between HTTPS-delivered token auth and DRM'.

If this is good for you, then it may well be an appropriate choice for your use case and it does provide a hurdle against piracy.

The keys themselves are regular 16 byte AES encryption keys.

You can just create your own key generator but there are some best practices you should be aware of - see for example: https://stackoverflow.com/a/3452620/334402 (Java) and https://stackoverflow.com/a/42573924/334402 (.NET - note the discussion in comments re strings also).

There are also sites and services that can generate keys (see example below), but I think from your question you are more likely to want to build this into your own solution as above.

(Update - see discussion in comments) - the EME specification, which defines how browsers process encrypted content including how they request license keys, contains the following on the encoding of the keys that are returned:

"kty" (key type): "oct" (octet sequence)

"k" (key value): The base64url encoding of the octet sequence containing the symmetric key value

"kid" (key ID): The base64url encoding of the octet sequence containing the key ID value

This is specifically for ClearKey - keys for DRM systems are communicated securely in the encrypted DRM system license request and response messaging.

The important thing to note here is the 'base64url' encoding - this is a variant of base64 encoding which is 'url friendly' and does not include the characters + and /. More info on base64 variants is available here:

The impact of this is that you have to use base64url encoding for the ClearKey license response for EME-compliant solutions - i.e. most (or all...) browser players.

One other note - once you have the keys, they can be requested via a license server URL which is included in the manifest, as for some DRMs, or the key itself can be embedded in the manifest directly.

Mick
  • Problem is I am using Python and when I generate random 32-character-long hex strings, their base64 counterparts always contain `+` or `/`. And decryption on the frontend seems to fail if these are present in the base64 strings for KID and KEY. – ashutosh singh Apr 21 '21 at 20:52
  • Base64 actually has different variants and not all support + and / - see here: http://en.wikipedia.org/wiki/Base64#Variants_summary_table. The important thing is that the receiving end is able to support the variant you use when creating the key. It sounds like you want to use 'RFC 4648 §5: base64url (URL- and filename-safe standard)' which will not use those characters. – Mick Apr 21 '21 at 22:09
  • @ashutoshsingh - Out of interest, can you share the player or client which won't accept these characters - I have not seen this before with DASH? – Mick Apr 21 '21 at 22:15
  • In dash.js, if you encrypt using keys (hex) with these characters in base64 representation, decryption doesn't work for me. – ashutosh singh Apr 22 '21 at 07:46
  • EME requires that ClearKey keys and kids are provided in base64url format (https://www.w3.org/TR/encrypted-media/#clear-key). dash.js assumes that these keys and kids are provided in the required format and does not do any conversion between base64 variants. – Anonymous Coward Apr 22 '21 at 10:27
  • @AnonymousCoward - thanks, I had just found the same link from some dash.js discussion (https://github.com/Dash-Industry-Forum/dash.js/issues/792) so I'll add to the answer. I can't find anything in DASH spec which specifies this so if you know of anything there also let us know - it may be that it is not actually a requirement there. – Mick Apr 22 '21 at 10:31
  • @mick - this is strictly a ClearKey requirement. – Anonymous Coward Apr 22 '21 at 10:45
  • @ashutoshsingh - you can probably just do whatever you are doing to generate your base64 key then `mykey.replace('+', '-').replace('/', '_').replace('=', '')` or similar. – Anonymous Coward Apr 22 '21 at 10:48
  • @AnonymousCoward - yes understood that reference is clearkey and EME but interested if there is a corresponding reference to a requirement across platforms somewhere, i.e. not just browsers. From a practical point of view, it makes sense to use base64url anyway as it will then work everywhere hopefully. – Mick Apr 22 '21 at 11:09
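
The key generation and base64url encoding discussed in the answer and comments above, as an added Python example that is not part of the original posts. The function names and sample values are illustrative assumptions; it also assumes keys are handled as hex strings on the packaging side, as in the question, and uses the JSON Web Key Set license format from the EME Clear Key section.

```python
import base64
import json
import secrets


def b64url(raw: bytes) -> str:
    """RFC 4648 section 5 base64url with the '=' padding stripped."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url(): restore the padding before decoding."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def generate_key_pair() -> tuple:
    """Return (kid_hex, key_hex): independent 16-byte values from the OS CSPRNG."""
    return secrets.token_hex(16), secrets.token_hex(16)


def clearkey_license(keys: dict) -> str:
    """Build the JWK Set a ClearKey license server returns.

    `keys` maps hex key ID -> hex key (both 16 bytes, i.e. 32 hex characters).
    """
    jwks = []
    for kid_hex, key_hex in keys.items():
        kid, key = bytes.fromhex(kid_hex), bytes.fromhex(key_hex)
        if len(kid) != 16 or len(key) != 16:
            raise ValueError("ClearKey key IDs and keys must be 16 bytes")
        jwks.append({"kty": "oct", "k": b64url(key), "kid": b64url(kid)})
    # "type" is optional in the license format; "temporary" is the session type.
    return json.dumps({"keys": jwks, "type": "temporary"})


# Constructed sample values (not real keys), chosen so that standard base64
# would emit '+' and '/', the case that failed in the comments.
SAMPLE_KID = "fbefbe" * 5 + "ff"
SAMPLE_KEY = "ff" * 16

if __name__ == "__main__":
    print(clearkey_license({SAMPLE_KID: SAMPLE_KEY}))
    kid_hex, key_hex = generate_key_pair()
    print(kid_hex, key_hex, clearkey_license({kid_hex: key_hex}))
```

The hex forms are what a packager typically takes for encryption; the base64url forms are what the license response carries.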