Content Key Token (Kc)
1. About
This page defines the format of the Content Key token generated by service providers to let the SSP create a DRM license with a specific key. When used, this token must be sent along with a (23.48) Content Authorization Token (ContentAuthZ).
Use of the Content Key token is optional. NAGRA recommends using the content key service (see Content License Mgt Service (CLM) for PurePlay MDRM documentation).
2. Security
The Content Key token payload is encrypted using the encryption key included in the credentials identified by the "kid" claim in the token's header.
The Content Key token header and payload are signed using the signing key included in the credentials identified by the "kid" claim in the token's header. A portion of the message is encrypted with AES-128-CBC. Extra data remains unencrypted; the combination of both is authenticated by HMAC-SHA256. The algorithm used is described in https://tools.ietf.org/html/rfc7518, section 5.2.
2.1. Diagram
3. Header
3.1. Schema
3.2. Sample
4. Payload
4.1. Schema
4.2. Sample
5. Signature
To build the signature, the token's header and payload are signed:
The signing key used corresponds to the SSP tenant's credential identified by the "kid" claim from the token's header.
The algorithm used is HMAC-SHA256 as described in https://tools.ietf.org/html/rfc7518, section 5.2.
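
The authentication tag computation from RFC 7518 section 5.2, which both the Security and Signature sections reference, shown as an added example that is not NAGRA's code. It assumes the RFC's A128CBC-HS256 key layout (32-octet key, first half for HMAC, second half for AES); how the SSP credentials map onto that key is not stated on this page, and all sample values are constructed.

```python
import hashlib
import hmac
import struct

MAC_KEY_LEN = 16   # A128CBC-HS256: first 16 octets of K authenticate
ENC_KEY_LEN = 16   # last 16 octets of K are the AES-128-CBC key
TAG_LEN = 16       # HMAC-SHA256 output truncated to 128 bits


def split_key(k: bytes) -> tuple:
    """Split the 32-octet key K into (MAC_KEY, ENC_KEY), RFC 7518 5.2.2.1."""
    if len(k) != MAC_KEY_LEN + ENC_KEY_LEN:
        raise ValueError("A128CBC-HS256 requires a 32-octet key")
    return k[:MAC_KEY_LEN], k[MAC_KEY_LEN:]


def auth_tag(k: bytes, aad: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    """T = first 16 octets of HMAC-SHA256(MAC_KEY, A || IV || E || AL)."""
    if len(iv) != 16:
        raise ValueError("AES-CBC IV must be 16 octets")
    mac_key, _ = split_key(k)
    # AL is the AAD length in bits as a 64-bit big-endian integer. It fixes
    # the boundary between the unencrypted data and the IV/ciphertext.
    al = struct.pack(">Q", len(aad) * 8)
    mac = hmac.new(mac_key, aad + iv + ciphertext + al, hashlib.sha256)
    return mac.digest()[:TAG_LEN]


def verify_before_decrypt(k: bytes, aad: bytes, iv: bytes,
                          ciphertext: bytes, tag: bytes) -> bool:
    """Constant-time tag check; AES-CBC decryption must only follow True."""
    return hmac.compare_digest(auth_tag(k, aad, iv, ciphertext), tag)


# Constructed sample values (not real credentials or token content).
SAMPLE_KEY = bytes(range(32))
SAMPLE_AAD = b'{"kid":"example-kid"}'  # stands in for the unencrypted data
SAMPLE_IV = bytes(16)
SAMPLE_CT = bytes.fromhex("00112233445566778899aabbccddeeff")  # opaque block
SAMPLE_TAG = auth_tag(SAMPLE_KEY, SAMPLE_AAD, SAMPLE_IV, SAMPLE_CT)
```

Checking the tag before any CBC decryption is what keeps a modified ciphertext from ever reaching the padding check.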