KMS Types
- Eitan Dvir
- Ramya Raman (Unlicensed)
- Andrew Lochbaum
The KMS Configuration depends on the KMS type that is chosen. While adding a new KMS server or editing an existing KMS server, one can view the relevant fields for a specific KMS type.
Simulcrypt
Simulcrypt enables scramblers and content protection systems to exchange information about the encryption keys.
Originally the DVB Common Scrambling Algorithm (DVB-CSA) was used in conjunction with Simulcrypt for DVB satellite, cable, and terrestrial pay-TV operations. However, since the introduction of commercial IPTV services more than ten years ago by telecommunications companies ("telcos") using their managed networks, Simulcrypt deployments that utilize the Advanced Encryption Standard (AES) algorithm are also common.
The fields shown in the below figure are mandatory for Simulcrypt KMS.
| Fields | Description |
Name | Name of the KMS. |
Type | Type of KMS (Simulcrypt). |
Network | Select the network from the list; the selected Nic will be used to pull the Keys from the KMS system. |
Huawei PlayReady
The fields shown in the below figure are mandatory for Playready KMS. It is essential to configure the Certificates for the Certificate and Private Key to reflect in the dropdown list.
| Fields | Description |
Name | Name of the KMS. |
Type | Type of KMS (Huawei PlayReady). |
Port | Port number. |
Network | Select the network from the list; the selected Nic will be used to pull the Keys from the KMS system. |
Certificate | Certificate for negotiating with the KMS. |
Private Key | Private Key for negotiating with the KMS. |
Verimatrix VMX
Verimatrix (VMX) provides content security for digital television services. It includes software and IP-based security through its Verimatrix Video Content Authority System (VCAS). The MCM9000 connects directly to the VCAS or MCAS systems to retrieve the key for descrambling VMX encrypted sources.
The fields shown in the below figure are mandatory for Verimatrix KMS.
| Fields | Description |
Name | Name of the KMS. |
Type | Type of KMS (Verimatrix, VMX). |
Network | Select the network from the list; the selected Nic will be used to pull the Keys from the KMS system. |
Key Server Manifest URL | The Manifest URL from which to retrieve the Manifest files. |
Replace URL | The URL to replace within the Manifest files. |
Verimatrix MultiRights
The fields shown in the below figure are mandatory for Verimatrix MultiRights KMS.
| Fields | Description |
Name | Name of the KMS. |
Type | Type of KMS (Verimatrix, MultiRights). |
Network | Select the network from the list; the selected Nic will be used to pull the Keys from the KMS system. |
Server URL | The Server URL to connect to. |
Token | The Token to use for the connection to the server. |
SKY CKS
The Customer Key Server (CKS) is a system that the customer hosts entirely on their premises in the container-storing platform of their choice.
Among the fields shown in the below figure, Server URL and Asset Ids are mandatory for SKY CKS KMS. It is essential to input the fields in the below format.
| Fields | Description |
Name | Name of the KMS. |
Type | Type of KMS (SKY, CKS). |
Network | Select the network from the list; the selected Nic will be used to pull the Keys from the KMS system. |
Server URL | The Server URL to connect to (Please follow the suggested URL structure). |
Username | Username to access the KMS. |
Password | The password to access the KMS. |
Asset IDs | Asset IDs to be replaced in the URL. |
Download repetition Rate | The repetition Rate field indicates the period of time that will be used by the system to re-inquire for the Keys. Click on the toggle switch to disable the Download repetition Rate. |
Irdeto
Irdeto offers Security Key Server Technology solutions enabling customers to access premium content from any device securely.
Among the fields shown in the below figure, Server URL and Token Request URL are mandatory for Irdeto KMS. It is essential to input the fields in the below format.
| Fields | Description |
Name | Name of the KMS. |
Type | Type of KMS (Irdeto). |
Network | Select the network from the list; the selected Nic will be used to pull the Keys from the KMS system. |
Server URL | The Server URL to connect to. |
Token Request URL | Token URL to use when negotiating a connection. |
Grant Type | A URL that is used to send the request to the KMS system. |
Username | Username to access the KMS. |
Password | The password to access the KMS. |
Audience | Audience URL to use when sending the request to the KMS system. |
Client ID | Client ID to use when sending the request to the KMS system. |
Realm | Realm ID to use when sending the request to the KMS system. |
ATD-C
**From version 5.6.0 onwards MCM9000 supports Content Protection Information Exchange Format (CPIX) KMS.
A CPIX document contains keys and DRM information used for encrypting and protecting content and can be used for exchanging this information among entities needing it in many possibly different workflows for preparing, for example, DASH or HLS content.
From version 6.2 onwards, CPIX is referred to as ATD-C.
From version 6.3.1 onwards, CPIX certificate and CPIX private key options are available on MCM9000.
| Fields | Description |
| Name | Name of the KMS. |
| Type | Type of KMS (ATD-C). |
| Network | Select the network from the list; the selected Nic will be used to pull the Keys from the KMS system. |
| Certificate | Certificate for negotiating with the KMS. |
| Private Key | Private Key for negotiating with the KMS. |
| Enable CPIX Encryption | When checked, CPIX encryption is enabled. |
| CPIX Certificate | CPIX Certificate for negotiating with the KMS. |
| CPIX Private Key | CPIX Private Key for negotiating with the KMS. |
| Server URL | The Server URL, in the format of: https://<server>:<port>/<directory> path to the authentication server. For example, https://test_server.com:4443/ovrm/ovrr/ |
| Options | Yet to be implemented. |
| Asset Ids | Asset IDs to be replaced in the URL. |
| Download Repetition Rate | The repetition Rate field indicates the period of time that will be used by the system to re-inquire for the Keys. Click on the toggle switch to disable the Download repetition Rate. |
**From version 5.6.4 onwards MCM9000 supports BISS-2, SynMedia and Axinom KMS types.
BISS-2
Basic Interoperable Scrambling System (BISS) is a point to point encryption for use on digital contribution circuits (satellite, IP etc.).
It is available on MCM9000 from version 5.6.4 onwards.
| Fields | Description |
| Name | Name of the KMS. |
| Type | Type of KMS (BISS2). |
| Private Key (BISS2-CA) | This is an autogenerated configuration by MCM, hence, please keep this field empty. When creating a new “BISS2-CA KMS”, the MCM generates a public/private key pair. The public key should be copied and sent to the sender. (The private key is not visible on the GUI/API - can not be read. it is exported to the XML - but encrypted. This keeps it over a software upgrade) On the channel config, it should be detected during the scan as “BISS-2” and the relevant KMS should be configured to the channel. |
| Public Key (BISS2-CA) | This is an autogenerated configuration by MCM, hence, please keep this field empty. When creating a new “BISS2-CA KMS”, the MCM generates a public/private key pair. The public key should be copied and sent to the sender. |
| Session Key (BISS2-E) | BISS-2-E: When creating a new “BISS KMS” - paste the static SK (session key) - 32 char long hex value. BISS-2-1: Paste the 16 char constant key to the channel configuration key field. |
**A new event #431 is available from version 5.6.4 onwards - this event is triggered for any key/descrambling issues with the BISS sources.
SynMedia
SynMedia KMS encryption is available on MCM9000 from version 5.6.4 onwards.
| Fields | Description |
| Name | Name of the KMS. |
| Type | Type of KMS (SynMedia). |
| Network | Select the network from the list; the selected Nic will be used to pull the Keys from the KMS system. |
| Server URL | The Server URL provided by SynMedia, in the format of: https://synmedia_url/cpix/v2/configAlias/${asset_id} path to the authentication server. |
| Asset Ids | Asset IDs to be replaced in the URL. For HLS source, add the asset ID (if it’s more then 1 separate them with comma). For MPEG-Dash source, asset ID is not required. |
| Download repetition Rate | The repetition Rate field indicates the period of time that will be used by the system to re-inquire for the Keys. Click on the toggle switch to disable the Download repetition Rate. |
Axinom
Axinom KMS encryption is available on MCM9000 from version 5.6.4 onwards.
| Fields | Description |
| Name | Name of the KMS. |
| Type | Type of KMS (Axinom). |
| Network | Select the network from the list; the selected Nic will be used to pull the Keys from the KMS system. |
| Tenant ID | Tenant ID provided from Axinom. |
| Management Key | Management Key provided from Axinom. |
| Widevine Protection Info | Widevine Protection Info URL in the format: https://key-server-management.axtest.net/api/WidevineProtectionInfo |
| Widevine Protection Info Credentials | Widevine Protection Info Credentials URL in the format: https://key-server-management.axtest.net/api/WidevineProtectionInfoCredentials |
| Key Request | Query structure of the key request json. |
| Asset Ids | The asset IDs of the streams from the Packager. |
| Download repetition Rate | The repetition Rate field indicates the period of time that will be used by the system to re-inquire for the Keys. Click on the toggle switch to disable the Download repetition Rate. |
Static
** Static KMS encryption is available on MCM9000 from version 5.6.6 onwards.
| Fields | Description |
| Name | Name of the KMS. |
| Type | Type of KMS (Static). |
| Static Keys | Configure a static KMS with the format <keyid>=<key>:<iv>,<keyid>=<key>:<iv>. Can add more than one entry by using “,” or “;” For example, 221bd4b8e8413a18a6663f1dad126d86=726f1f4a7cc6420dee6e8db7314e64c8:510ac1a9694f0e63c92bd851147aaf3f |
Kaltura UDRM
** Kaltura UDRM encryption is available on MCM9000 from version 5.7.1 onwards.
| Fields | Description |
| Name | Name of the KMS. |
| Type | Type of KMS (Kaltura UDRM). |
| Network | Select the network from the list; the selected Nic will be used to pull the Keys from the KMS system. |
| Server URL | The Server URL provided by Kaltura in the format: <configured_url>?custom_data=<base64query>&signature=<base64Signature> For example, https://udrmv3.kaltura.com/cenc/widevine/encryption |
| Private Key | The private key is the key used for the signature in base64. For example, MahHgAP2AUbXGF32TXJVPOHCMtPTIyKh1xXLL5AWfRA= |
| Asset Ids | Asset Ids are the content ids / asset ids for the key pulling (can be defined with the channel). For example, CNN_1082 |
| Custom data | This is the Kaltura query request. The default one is: {"ca_system":"OTT","account_id":"2657661","content_id":"${asset_id}","files":"","policy":null} If “account_id=….” is defined, we replace it in the query. For example, account_id : 2657661 Also the whole query can be set in this field instead. |
| Options | Yet to be implemented. |
| Download repetition Rate | The repetition Rate field indicates the period of time that will be used by the system to re-inquire for the Keys. Click on the toggle switch to disable the Download repetition Rate. |
Buy DRM
** Buy DRM encryption is available on MCM9000 from version 6.0 onwards.
Fields | Description |
| Name | Name of the KMS. |
| Type | Type of KMS (Buy DRM). |
| Network | Select the network from the list; the selected Nic will be used to pull the Keys from the KMS system. |
| Certificate | Certificate for negotiating with the KMS. |
| Private Key | Private Key for negotiating with the KMS. |
| Server URL | The Server URL, in the format of: https://<server>:<port>/<directory> path to the authentication server. For example, https://buydrmv3.testkaltur:4443/ovrm/ovrr/ |
| Options | Yet to be implemented. |
WBD-XH
** WBD-XH encryption is available on MCM9000 from version 6.2 onwards.
| Fields | Description |
Name | Name of the KMS. |
Type | Type of KMS (WBD-XH). |
Organization | Specify the organization (tagvs.com). |
Private Key | Private Key for negotiating with the KMS. |
Public Key | Specify the public key. |
Options | Yet to be implemented. |
M7
** M7 encryption is available on MCM9000 from version 6.2 onwards.
| Fields | Description |
| Name | Name of the KMS. |
| Type | Type of KMS (M7). |
| Network | Select the network from the list; the selected Nic will be used to pull the Keys from the KMS system. |
| Server URL | The Server URL to connect to (Please follow the suggested URL structure). |
| Options | Yet to be implemented. |
Download repetition Rate | The repetition Rate field indicates the period of time that will be used by the system to re-inquire for the Keys. Click on the toggle switch to disable the Download repetition Rate. |
Note: The MCM9000 offers these supported decryption methods and protocols:
- Simulcrypt, AES-128-CBC
- Verimatrix, AES-128-CBC
- Generic, AES-128-CBC
- Irdeto, AES-128-CBC
- BISS-2, AES-128-CBC (From version 5.6.4 onwards)
- WBD-XH, AES-128-CBC (From version 6.2 onwards)
- Huawei PlayReady, AES-128-CTR
- Verimatrix, MultiRights, CENC
- SKY CKS, CENC
- Irdeto, CENC
- CPIX, CENC (From version 5.6.0 onwards); CPIX, CENC is referred as ATD-C, CENC (From version 6.2 onwards)
- SynMedia, CENC (From version 5.6.4 onwards)
- Axinom, CENC (From version 5.6.4 onwards)
- Static, CENC (From version 5.6.6 onwards)
- Kaltura UDRM, CENC (From version 5.7.1 onwards)
- buyDRM, CENC (From version 6.0 onwards)
- M7, CENC (From version 6.2 onwards)
- Simulcrypt, DVB-CSA
- Simulcrypt, AES-128-ECB