SPEKE: Secure Packager and Encoder Key Exchange API

The short list of SPEKE advantages:

• Single API for video encoders, transcoders, packagers, and key servers
• Standards-based
• Supports multiple DRMs
• Supports multiple encryption keys for different tracks (SPEKE v2.0 feature)
• Simplifies integration
• Reduces vendor version testing
• Deployable for cloud, hybrid, or on-premises workflows
• Accelerates customer deployment
  

A deeper overview of how SPEKE helps:

SPEKE simplifies complex “handshake” challenges by providing a single common interface for integrating any video transcoder or origin server with any key server, whether running on-premises in a data center or as a cloud service. SPEKE is designed for both Video-on-Demand (VOD) and live streaming workflows using either a static (best for VOD) or rotating key.

SPEKE utilizes the Content Protection Information Exchange Format (CPIX) to standardize the method for carrying key and DRM information for encrypting and protecting video content, and adds specifications for authentication and other important behaviors on top of CPIX. Driven by the DASH Industry Forum, CPIX is designed to create operational efficiencies while reducing costs and time-to-market for OTT video services.

Additionally, SPEKE incorporates AWS Identity and Access Management (IAM) roles to allocate flexible yet secure permission policies which may be delegated to users, applications, or services to securely enable key exchange between a multi-DRM vendor and a video transcoding or packaging vendor. Video operators may use IAM roles whether the key server and encryptor are running on AWS, on hardware in the operator’s headend or data center, or as a combination of the two, and even where the key server and encryptor are running on different cloud providers.

While the DASH Industry Forum originally developed CPIX for MPEG-DASH content, CPIX now also supports HLS content. With its comprehensive feature set, SPEKE can function as a single format for MPEG-DASH, HLS, Microsoft Smooth Streaming, and future packaging technologies, and for multiple DRMs including Microsoft PlayReady, Google Widevine, Apple FairPlay Streaming, AES-128, and other proprietary DRM solutions. SPEKE supports Apple HLS transport streams, fragmented MP4, and CMAF. SPEKE also supports static keys and key rotation.

SPEKE eliminates complexity for both media customers and technology vendors. It combines a single common API for any transcoder, packager, and key server; CPIX for key exchange with all streaming formats; and authentication mechanisms. This combination delivers significantly faster integration time, greatly reduced test cycles, and an expanded ecosystem of integrated transcoders, packagers, and multi-DRM solutions, while also enabling operational tracing to troubleshoot issues.

This rich ecosystem provides customers with dozens of pre-integrated solutions, faster time to market, and greater flexibility to select combinations of video processing and multi-DRM solutions to meet their requirements. It also supports cloud, hybrid, and on-premises architectures.

For specific information regarding DRM Platform providers supporting SPEKE v1.0 or SPEKE v2.0, please see the documentation for getting on board with a DRM platform provider.

The barrier to protecting video content is the complexity of fragmented technologies, which imposes tremendous technical challenges and resource burdens for video encoding, transcoding, video packaging, and multi-DRM vendors alike. Solving the challenges of technology fragmentation is where SPEKE shines.

Media customers benefit from the ability to seamlessly mix and match any combination of SPEKE-enabled encoding, transcoding, packaging, and multi-DRM vendor products. Customers can also take advantage of role-based security best practices and secure mutual authentication, along with a standards-based implementation designed around CPIX for MPEG-DASH and HLS. Since these integrations work with any pre-integrated video transcoder, origin server, or key server, media customers gain the added flexibility of operating video workflows entirely in the cloud, entirely on-premises in data centers, or as hybrid workflows. This allows customers to migrate secure media workflows to the cloud in stages in order to maximize the cost savings, scalability, and global availability of the cloud while maintaining their relationships with vendors that have SPEKE integrations. The result is a much faster time-to-market and lower barriers to adopting new DRM systems, which means a bigger potential audience reach.

Multi-DRM vendors benefit by integrating their key server once with SPEKE and obtaining access to a wide ecosystem of video processing partners through that single integration. In addition, SPEKE provides a single key exchange protocol and reduces the resource impact of testing multiple product integrations across vendors.

Transcoding and origin vendors benefit from integrating transcoders and origin servers once with SPEKE and gaining access to all pre-integrated key server vendors and multi-DRM solutions. This eliminates the need for separate integrations with proprietary APIs across dozens of multi-DRM vendors. This also greatly reduces the development and testing time to integrate with DRM vendors, allowing these companies to focus instead on improving core functionality and making systems more feature rich.

For specific information regarding cloud or on-premises applications, see SPEKE Support in AWS Services and Products.