How to generate hex strings for ClearKey DRM

2.8k views Asked by At

I want to encode my content using clearkeys. I am using DASH protocol. I know how to encrypt and play encrypted content. My question is how do I generate those keys so that I can bring up my own clear key licensing server.

1

There are 1 answers

9
Mick On BEST ANSWER

Its worth mentioning that ClearKey is not really seen as a DRM - it lacks the secure key exchange mechanisms that most DRM's include. In DASH forum's own words ClearKey is 'to provide a level of content protection between HTTPS-delivered token auth and DRM'.

If this is good for you then, it may well be an appropriate choice for your use case and it does provide a hurdle against piracy.

The keys themselves are regular 16 byte AES encryption keys.

You can just create your own key generator but there are some best practices you should be aware of - see for example: https://stackoverflow.com/a/3452620/334402 (Java) and https://stackoverflow.com/a/42573924/334402 (.NET - note the discussion in comments re strings also).

There are also sites and services that can generate keys (see example below), but I think from your question you are more likely to want to build this into your own solution as above.

(Update - see discussion in comments) - the EME specification, which defines how browsers process encrypted content including how they request license keys, contains the following on the encoding of the keys that are returned:

"kty" (key type) "oct" (octet sequence)

"k" (key value) The base64url encoding of the octet sequence containing the symmetric key

value "kid" (key ID) The base64url encoding of the octet sequence containing the key ID value

This is specifically for ClearKey - keys for DRM systems are communicated securely in the encrypted DRM system license request and response messaging.

The important thing to note here is the 'base64url' encoding - this is a variant of base64 encoding which is 'url friendly' and does not include the characters + and /. More info on base64 variants is available here:

The impact of this is that you have to use base63url encoding for the ClearKey license response for EME compliant solutions - i.e. most (or all...) browser players.

One other note - once you have the keys they they can be requested via a licenser server URL which is included in the manifest, as for some DRM's, or the key itself can be embedded in the manifest directly.