Implementing EZDRM with this SPEKE setup #26

Closed
samueleastdev opened this issue Jan 9, 2019 · 7 comments
@samueleastdev

Hi All,

I am quite new to this so apologies.

I am looking to set up a SPEKE server with EZDRM.

I am following this guide for media convert: https://www.ezdrm.com/Documentation/EZDRM%20AWS%20MediaConvert%20v4.pdf

I set up the SPEKE server using this template with CloudFormation, and it all set up successfully:
https://s3.amazonaws.com/rodeolabz-us-east-1/speke/speke_reference.json

In the PDF document from EZDRM, it gives you a zip file to download, see: (Step 4: Edit the Key Server files)

In this, it asks you to add your username and password to the key_server_common.py here:

with urllib.request.urlopen('http://cpix.ezdrm.com/aws.aspx?m=' + mst + '&k=' + kid + '&u=<<USERNAME>>&p=<<PASSWORD>>&c=' + content_id) as response:
    html = response.read()
    EM.register_namespace("cpix", "urn:dashif:org:cpix")
    EM.register_namespace("pskc", "urn:ietf:params:xml:ns:keyprov:pskc")
    self.moot = EM.fromstring(html)

Then combine with key_server.py in a zip file called key_server.zip.

You then use their CloudFormation template: python create_cloud_formation.py

I guess what I am asking is: how would you implement this auth (username, password) for EZDRM with your SPEKE setup, or do you always need to use the setup from the provider (EZDRM)?

@JimTharioAmazon
Contributor

I think you'll want to check with EZDRM to see if their patch instructions are still current. We no longer deploy the CloudFormation template from the command-line, so it could be they need to update their instructions for patching the server with their code.

key_server.py and key_server_common.py have changed quite a bit in the last quarter of 2018 to support new CPIX certification options.

@samueleastdev
Author

Hi @JimTharioAmazon

Thanks for the update, I will pass this on.

I managed to get this DRM working with EZDRM for Widevine. I am also setting up FairPlay, but I need authentication from Apple and also a business developer account; I am waiting for a response from them.

Is there a way to manage the whole process without a third party key licence provider like EZDRM?

From what I understand, DRM is mainly for large studios who deliver premium content, and DRM is a requirement if you would like to distribute their content.

What if you create your own custom video content, say video tutorials or any video content you would like to monetize via the web? What AWS solutions are available for this?

I have tried a STATIC key approach with a proxy url:

#EXT-X-KEY:METHOD=AES-128,URI="http://localhost:3000/proxy/token"

This provides a certain level of security, but you need to set the request headers, and Safari defaults to native HLS on iOS mobile, so it only works on desktop.

Can the SPEKE server provide what I am looking for to secure our videos, or am I thinking about this completely wrong?

Thanks

@samueleastdev
Author

Here is a url I just encrypted using the setup explained here: https://github.com/awslabs/speke-reference-server/blob/master/MEDIAPACKAGE_CONFIG.md

https://dwpurpmwfzvap.cloudfront.net/testing/master.m3u8

It is encrypted but easily downloaded. I am obviously missing something, the key licence server part?

@samueleastdev
Author

Hi @JimTharioAmazon

Apologies, I got my question answered by AWS support.

For your use case, you'll need to build something in front of the key that's being used, like Cognito to authenticate or using signed cookies with CloudFront to authenticate/protect the key.
So right now this reference server is just publishing the key.

So these are some getting started guides and examples, but for your use case it will involve a lot of custom development,
and I want to be upfront: depending on the clients trying to access the key for DRM decryption, this may not work.

There's no full solution without using a DRM provider, correct.

The reference server from GitHub is a reference, it's not a full or proper DRM solution. It's used to check against the SPEKE reference API calls.
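
One shape "something in front of the key" can take for the AES-128 key URI discussed above, as an added example that is not part of this thread or of the SPEKE reference server. The token rides in the key URI's query string, so the player needs no custom request headers; the secret, key table, URL layout and function names are assumptions made for the illustration.

```python
import base64
import hashlib
import hmac
import re
import time

# Constructed demo values (assumptions): a real deployment loads the secret
# from a secrets store and obtains content keys from the key server.
SIGNING_SECRET = b"demo-signing-secret-not-for-production"
CONTENT_KEYS = {"testing": bytes(range(16))}  # one 16-byte AES-128 key per asset
ID_RE = re.compile(r"[A-Za-z0-9_-]{1,64}")  # no '|', '&' or '/' in identifiers


def _sign(asset_id, user_id, expires):
    """HMAC-SHA256 over the fields that the token binds together."""
    if not (ID_RE.fullmatch(asset_id) and ID_RE.fullmatch(user_id)):
        raise ValueError("invalid identifier")
    msg = f"{asset_id}|{user_id}|{expires}".encode()
    mac = hmac.new(SIGNING_SECRET, msg, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).rstrip(b"=").decode()


def issue_key_uri(base, asset_id, user_id, ttl=300, now=None):
    """Run after the viewer has logged in; the result goes into the URI
    attribute of #EXT-X-KEY in that viewer's playlist."""
    expires = int(time.time() if now is None else now) + ttl
    sig = _sign(asset_id, user_id, expires)
    return f"{base}/{asset_id}?u={user_id}&e={expires}&s={sig}"


def serve_key(asset_id, user_id, expires, sig, now=None):
    """Key endpoint logic: returns (status, body). The key is released only
    for an unexpired token whose MAC verifies."""
    current = int(time.time() if now is None else now)
    if not re.fullmatch(r"[0-9]{1,12}", expires) or int(expires) < current:
        return 403, b"expired or malformed"
    try:
        expected = _sign(asset_id, user_id, int(expires))
    except ValueError:
        return 403, b"malformed"
    # Constant-time comparison, on bytes so non-ASCII input cannot raise.
    if not hmac.compare_digest(expected.encode(), sig.encode()):
        return 403, b"bad signature"
    key = CONTENT_KEYS.get(asset_id)
    return (200, key) if key else (404, b"unknown asset")
```

A token that is still valid can be replayed by whoever holds the playlist until it expires, so this limits casual downloading rather than replacing a DRM licence server.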

@JimTharioAmazon
Contributor

Hi, see this issue:
#27

I had a few people at re:Invent ask what's next after installing the reference SPEKE server. The solution will be expanded to include an example of how to use Cognito, S3 and CloudFront together to restrict access to the decryption key bucket.

I think this would make a nice optional CloudFormation template to apply after the SPEKE server is installed to create a login/player page, Cognito resources, and update the CloudFront distro with the access restrictions.

@samueleastdev
Author

samueleastdev commented Jan 15, 2019

Hi @JimTharioAmazon,

Thanks for the extra info. Yes, that would be great if there was a guide on how to implement this. I will keep an eye on this repo.

Also, if there is a guide on setting up CloudFront cookies successfully: I have tried this in the past with no luck. I will give this another go and post my results if I have any success.

Thanks

Sam

@aliuzzi

aliuzzi commented Jun 22, 2020

Hi Sam! Did you need to get authentication from Apple before implementing DRM for FairPlay even when using a third party like EZDRM?


3 participants