Skip to main content

SPEKE 2.0

Secure Packager and Encoder Key Exchange (SPEKE) API was introduced by Amazon Web Services (AWS) in 2018 to integrate DRM Key Services with encryptors, including encoders, transcoders, and origin servers. In September 2021 AWS introduced SPEKE 2.0 which supports multiple encryption keys and offer some other advantages.

Axinom, as an early adoptor of SPEKE, supports SPEKE 2.0 in its Axinom DRM Key Service from day one.

Check the documentation of the SPEKE endpoint of the Key Acquisition API.

SPEKE 2.0 brings the following evolutions compared to SPEKE 1.0:

  • Support for multiple content keys
  • All tags from the SPEKE XML namespace are deprecated in favor of equivalent tags in the CPIX XML namespace
  • SPEKE:ProtectionHeader is deprecated and replaced by CPIX:DRMSystem.SmoothStreamingProtectionHeaderData
  • CPIX:URIExtXKey, SPEKE:KeyFormat and SPEKE:KeyFormatVersions are deprecated and replaced by CPIX:DRMSystem.HLSsignallingData
  • CPIX@id is replaced by CPIX@contentId
  • New mandatory CPIX attributes: CPIX@version, ContentKey@commonEncryptionScheme
  • New optional CPIX element: DRMSystem.ContentProtectionData
  • Cross-versioning mechanism between SPEKE and CPIX
  • HTTP headers evolution: new X-Speke-Version header, Speke-User-Agent header renamed to X-Speke-User-Agent
  • Heartbeat API deprecation

With a long history as a proponent of the CPIX standard, Axinom maintains and publishes an open-source implementation of the CPIX document format since version 1.0 was published.

AWS when it requests encryption keys from a Key Service, generates the related Key ID automatically. It is important for the downstream DRM processes to know the Key ID, but AWS does not report the assigned Key ID. Axinom offers two workarounds for this issue.

  1. You can override the Key ID assigned by the packager by supplying a flag: /Speke?overrideKeyIds=true. The new Key ID is generated using a deterministic algorithm described in SPEKE Override Functionality
  2. You can create a proxy which sits between the packager and the Key Service and can report the Key ID. Read Extracting Key ID from SPEKE requests for guidelines.

See also: