Axinom DRM Key Service supports the new AWS protocol SPEKE 2.0 from day one. SPEKE v2 supports multiple keys and better integrates with CPIX


Secure Packager and Encoder Key Exchange (SPEKE) API was introduced by Amazon Web Services (AWS) in 2018 to integrate DRM Key Services with encryptors, including encoders, transcoders, and origin servers. In September 2021 AWS introduced SPEKE 2.0 which supports multiple encryption keys and offer some other advantages.

Axinom, as an early adoptor of SPEKE, support SPEKE 2.0 in its Axinom DRM Key Service from day one.

Check the documentation of the SPEKE endpoint of the Key Acquisition API.

SPEKE 2.0 brings the following evolutions compared to SPEKE 1.0:

  • Support for multiple content keys

  • All tags from the SPEKE XML namespace are deprecated in favor of equivalent tags in the CPIX XML namespace

  • SPEKE:ProtectionHeader is deprecated and replaced by CPIX:DRMSystem.SmoothStreamingProtectionHeaderData

  • CPIX:URIExtXKey, SPEKE:KeyFormat and SPEKE:KeyFormatVersions are deprecated and replaced by CPIX:DRMSystem.HLSSignalingData

  • CPIX@id is replaced by CPIX@contentId

  • New mandatory CPIX attributes: CPIX@version, ContentKey@commonEncryptionScheme

  • New optional CPIX element: DRMSystem.ContentProtectionData

  • Cross-versioning mechanism between SPEKE and CPIX

  • HTTP headers evolution: new X-Speke-Version header, Speke-User-Agent header renamed to X-Speke-User-Agent

  • Heartbeat API deprecation

With a long history as a proponent of the CPIX standard, Axinom maintains and publishes an open-source implementation of the CPIX document format since version 1.0 was published.

AWS when it requests encryption keys from a Key Service, generates the related KeyID automatically. It is important for the downstream DRM processes to know the KeyID, but AWS does not report the assigned KeyID. Axinom offers two workarounds for this issue.

  1. You can create a proxy which sits between AWS and the Key Service and can report the KeyID. Read Extracting keyId from SPEKE requests for guidelines. This approach works with both SPEKE 1.0 and SPEKE 2.0.

  2. You can override the KeyID assigned by AWS by supplying a flag: /Speke?overrideKeyIds=true. The new KeyID is generated using a deterministic algorithm described in SPEKE Override Functionality

KeyID overriding functionality is currently available with the SPEKE 1.0 endpoint. For SPEKE 2.0 Axinom is working on the implemenation, it will be published soon.

See also: