Skip to main content

CPIX

Overview​

Content Protection Information Exchange Format (CPIX) is a standard published by the DASH Industry Forum. It regulates the exchange of content encryption keys and related information between the parties involved, such as Packagers, Encryption Engines, CMS, etc.

A CPIX document contains keys and DRM information used for encrypting and protecting content and can be used for exchanging this information among entities needing it in many possibly different workflows for preparing, for example, DASH or HLS content. The CPIX document itself can be encrypted, signed, and authenticated so that its receivers can be sure that its confidentiality, source, and integrity are also protected.

See also: CPIX GitHub repository

CPIX is a sophisticated XML format suitable for various scenarios and capable of embracing different information about the keys, DRM systems, and the usage rules. However, in its simplest form, a CPIX document can be just a collection of keys, including their IDs and values.

Simple CPIX document example (version 2.0)
<?xml version="1.0" encoding="utf-8"?>
<CPIX 
	xmlns:xsd="http://www.w3.org/2001/XMLSchema" 
	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
	xmlns="urn:dashif:org:cpix" 
	xmlns:ds="http://www.w3.org/2000/09/xmldsig#" 
	xmlns:enc="http://www.w3.org/2001/04/xmlenc#" 
	xmlns:pskc="urn:ietf:params:xml:ns:keyprov:pskc">
	<ContentKeyList>
		<ContentKey 
			kid="1294b959-9d75-5de2-bbf0-fdca3fa5eab8" 
			explicitIV="ez6RSem1PE2CdoSC9jXosg==">
			<Data>
				<pskc:Secret>
					<pskc:PlainValue>
						MDEyMzQ1Njc4OWFiY2RlZg==
					</pskc:PlainValue>
				</pskc:Secret>
			</Data>
		</ContentKey>
		<ContentKey 
			kid="2294b959-9d75-5de2-bbf0-fdca3fa5eab8" 
			explicitIV="afqsAFfz6EqfrlsKa45yVA==">
			<Data>
				<pskc:Secret>
					<pskc:PlainValue>
						ZmVkY2JhOTg3NjU0MzIxMA==
					</pskc:PlainValue>
				</pskc:Secret>
			</Data>
		</ContentKey>
	</ContentKeyList>
    ...
</CPIX>

CPIX uses another standard - Portable Symmetric Key Container (PSKC)

  • to embed symmetric keys into a text document.

CPIX Versions​

CPIX was first published in 2015 and has since had several versions (1.0, 2.0, 2.1, 2.2, 2.3).

CPIX versions

Main changes in 2.3 compared to 2.2 are:

  • Addition of the commonEncryptionScheme element with the CENC protection scheme value
  • Addition of the version element
  • Addition of a section on using the same content key with different encryption schemes
  • Clarification on the explicitIV element encoding

CPIX Library​

Axinom products intensively make use of CPIX for exchanging the content keys. Axinom published its library for reading/writing/processing the CPIX documents under open source terms (MIT license) in 2016 and keeps maintaining it. The library for the .NET Standard is written in C# and is available as source code on Github and as a Nuget on the Nuget website. It supports CPIX 2.3 (see CPIX Versions).

CPIX Usage by Axinom Key Service​

Most of the endpoints of the Key Acquisition API use CPIX for keys delivery. For example, SPEKE, Harmonic, and Anevia. (An important exception here is the Widevine Common Encryption). Also, the key(s) can be exported in the CPIX format, using the Management API.

CPIX Usage by Axinom Encoding​

Axinom Encoding supports CPIX for passing the key information to the encoding jobs. It uses the above-mentioned CPIX Library to read CPIX documents.

CPIX Elements​

The following table specifies which properties in the Axinom.Cpix .NET library are supported in Axinom Encoding:

PropertyRequired?Notes
ContentKey.kidRequired
ContentKey.Data.Secret.PlainValue or ContentKey.Data.Secret.EncryptedValue.CipherDataRequiredSelect the specific property based on whether the value is encrypted or not.
ContentKey.explicitIVOptionalIf not set, it is generated automatically
DRMSystemList.DrmSystemOptionalFor setting the Widevine and PlayReady PSSH data.
DRMSystemList.DrmSystem.HlssignallingDataOptionalIf not set, it is generated automatically

CPIX Usage by AWS Media Services​

AWS Media Services use a protocol called SPEKE to acquire keys for content encryption. SPEKE is a layer built on top of CPIX. It defines the details on how the CPIX requests should be constructed and how a key service is supposed to respond.

There are two versions of SPEKE:

  • SPEKE 1.0 uses CPIX 2.0
  • SPEKE 2.0 uses CPIX 2.3 (and adds a multi-key capability)

Axinom Key Service fully supports both: SPEKE 1.0 and SPEKE 2.0.

See also: SPEKE Tool.

DRM Technology ID​

CPIX uses identifiers (GUIDs) assigned by DASH IF to each DRM technology. The following IDs are relevant in Axinom DRM context:

DRM systems identifiers as defined by DASH-IF (https://dashif.org/identifiers/content_protection/)

DRM TechnologyIdentifier (System ID)
Widevineedef8ba9-79d6-4ace-a3c8-27dcd51d21ed
FairPlay94ce86fb-07ff-4f43-adb8-93d2fa968ca2
PlayReady9a04f079-9840-4286-ab92-e65be0885f95