Nagra / Conax Contego
Nagra offers multiple APIs for OTT services, including CPIX, SPEKE, Conax, Google, Harmonic and Nagra, supporting the following DRM types:
HLS Sample AES: FairPlay
HLS AES-128: PRM, Widevine
DASH CENC: PlayReady, PRM, Widevine
HLS / DASH CBCS: FairPlay, PlayReady, PRM, Widevine
CPIX can be used in combination with either the Unified Packager or the Unified Origin, as outlined in the Content Protection Information eXchange (CPIX) documentation.
Using CPIX
Access to the Nagra key server requires an AuthN token to authenticate
requests. Nagra's documentation contains an example of how to set up a proxy
configuration based on NGINX, a widespread proxy server, to forward requests while adding
an nv-authorizations header, as well as how to create such a token manually.
The following encryption schemes are supported:
| Encryption | Algorithm | Request value | PlayReady Headers | Remarks |
|---|---|---|---|---|
| CENC | AES-CTR | cenc | 4.0 | Not supported for FairPlay DRM. |
| CBCS | AES-CBC | cbcs | 4.3 | |
In 'consumer' mode it is the Nagra key server that creates the content encryption key for the request; the CPIX request document must include the content ID and key ID.
This mode supports the following features: key per track, key rotation, end-to-end encryption and key ID override.
In 'producer' mode the content key value is generated as well and subsequently transmitted to the key server. When sending a request to the key server, the request includes the content ID, key ID, and the content key value (HEX to Base64 encoded).
Note
Please note that Unified Packager and Unified Origin do not support 'end-to-end encryption of content keys' but rely on HTTPS instead. Please also note that the CPIX document to be used for the request is not generated by Unified Packager or Unified Origin but by external tooling, for instance using our CPIX document creation tools.
The Nagra documentation further contains CPIX sample requests and responses, including key per track and key rotation.
Using Conax Contego
Next to HLS PlayReady as outlined below, Conax Contego offers multi-DRM supporting FairPlay, PlayReady and Widevine.
These can be used in combination with either the Unified Packager or the Unified Origin by passing the encryption key (the combination of key ID and content key) and the license server URL (when applicable) as outlined in the various sections on PlayReady, Widevine etc.
Consult the Conax Contego manual on how to obtain the required variables from the Conax Contego API.
Adding Conax PlayReady
New in version 1.7.1.
Conax Contego provides Conax' own variant of HLS PlayReady encryption.
The webserver adds protection to the HLS audio and video streams on-the-fly with Conax PlayReady HLS.
USP provides the following options for Conax PlayReady HLS protection:
--conax.key
The 128-bit Key ID (KID) and 128-bit Content Encryption Key (CEK) are passed
with the --conax.key option, where KID and CEK are separated by a colon,
e.g. --conax.key=KID:CEK
Both KID and CEK must be coded in hex (base16).
Note
The KID from a PlayReady License server may be formatted as a little-endian GUID. In that case you have to change the endianness as we always use a big-endian UUID representation of the KID.
--conax.key_iv
Specifies the initialization vector (64 bits).
--conax.license_server_url
A string returned by the Conax API in the format: conax:drm_id:BASE64_ENCODED_INFO
--hls.playout
Set to 'conax' to enable HLS + Conax PlayReady
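The KID endianness note above and the hex-to-Base64 step of CPIX 'producer' mode can both be checked before a key reaches the command line. The following is an added example, not part of the original documentation or of USP: the function names are hypothetical, the CEK is a constructed non-secret value, and the sample KID is the one from the page's example re-serialised as a little-endian GUID.

```python
import base64
import binascii
import uuid


def _hex_to_bytes(value, nbytes, name):
    """Decode a hex string, insisting on the exact length the option requires."""
    try:
        raw = binascii.unhexlify(value.strip())
    except (binascii.Error, ValueError):
        raise ValueError(f"{name} is not valid hex") from None
    if len(raw) != nbytes:
        raise ValueError(f"{name} must be {nbytes * 8} bits, got {len(raw) * 8}")
    return raw


def kid_to_big_endian(kid_hex, little_endian_guid=False):
    """Return the KID bytes in big-endian UUID order.

    A little-endian GUID stores its first three fields (4, 2 and 2 bytes)
    byte-swapped; the trailing 8 bytes are identical in both layouts.
    """
    raw = _hex_to_bytes(kid_hex, 16, "KID")
    return uuid.UUID(bytes_le=raw).bytes if little_endian_guid else raw


def conax_key_option(kid_hex, cek_hex, little_endian_guid=False):
    """Build the --conax.key=KID:CEK argument from validated hex input."""
    kid = kid_to_big_endian(kid_hex, little_endian_guid)
    cek = _hex_to_bytes(cek_hex, 16, "CEK")
    return f"--conax.key={kid.hex()}:{cek.hex()}"


def cek_hex_to_base64(cek_hex):
    """Hex-to-Base64 form of a content key, as a CPIX 'producer' request carries it."""
    return base64.b64encode(_hex_to_bytes(cek_hex, 16, "CEK")).decode("ascii")


if __name__ == "__main__":
    # Constructed sample input: little-endian GUID bytes plus a non-secret CEK.
    print(conax_key_option("B6A29A7C06836F46882D75BED922CD25",
                           "000102030405060708090a0b0c0d0e0f",
                           little_endian_guid=True))
```

A key that is one hex digit short (31 instead of 32) is rejected with a ValueError instead of being passed on to mp4split.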
The following example creates a VOD server manifest with MP4Split and will embed the key information in the server manifest.
Example for generating a server manifest with Conax PlayReady DRM:
mp4split -o conax.ism \
--conax.key=7C9AA2B68306466F882D75BED922CD25:27eb4cef2afa2afe8fe5d2c374cd60e \
--conax.license_server_url="conax:drm_id:base64_encoded_info:NOTE:returned_from_Conax_API" \
--hls.playout=conax \
video.ismv
Once you generate the server manifest file, as seen in the example above, all the key information is embedded in the server manifest.
When a client requests an .m3u8 playlist, the webserver module automatically inserts the proper tags, and the requested MPEG-TS fragments are encrypted on-the-fly.
An example .m3u8 playlist:
#EXTM3U
#EXT-X-VERSION:2
## Created with Unified Streaming Platform(version=1.7.2)
#EXT-X-MEDIA-SEQUENCE:1
#EXT-X-ALLOW-CACHE:NO
#EXT-X-TARGETDURATION:5
#EXT-X-KEY:METHOD=AES-128-CX,URI="conax:drm_id:base64_encoded_info:NOTE:returned_from_API",IV=0x97F92BAE7D8510A10000000100000000
#USP-X-TIMESTAMP-MAP:MPEGTS=900000,LOCAL=00:00:00.000
#EXTINF:4, no desc
conax-audio=65000-video=236000-1.ts