
Content Key Token (Kc)

1. About

This page defines the format of the Content Key token that service providers generate to let SSP create a DRM license with a specific key. When used, this token must be sent along with a (23.48) Content Authorization Token (ContentAuthZ).

Use of the Content Key token is optional. NAGRA recommends using the content key service (see Content License Mgt Service (CLM) for PurePlay MDRM documentation).


2. Security

The Content Key token payload is encrypted using the encryption key included in the credentials identified by the "kid" claim in the token's header.

The Content Key token header and payload are signed using the signing key included in the credentials identified by the "kid" claim in the token's header. A portion of the message is encrypted with AES-128-CBC, while extra data remains unencrypted; the combination of both is authenticated with HMAC-SHA256. The algorithm used is described in https://tools.ietf.org/html/rfc7518, section 5.2.
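The authentication step of the RFC 7518 section 5.2 construction (its AES-128-CBC with HMAC-SHA256 variant, A128CBC-HS256), as an added example that is not NAGRA's code or part of the original page. It covers only the tag computation and the verify-before-decrypt check; the key split follows the RFC, and how the SSP credential keys map onto it, the function names and all sample values are assumptions.

```python
import hashlib
import hmac
import struct

TAG_LEN = 16  # A128CBC-HS256 truncates the HMAC-SHA256 output to 128 bits


def split_key(k: bytes) -> tuple[bytes, bytes]:
    """Split the 32-byte composite key K into (MAC_KEY, ENC_KEY) per RFC 7518."""
    if len(k) != 32:
        raise ValueError("A128CBC-HS256 needs a 256-bit key")
    return k[:16], k[16:]


def auth_tag(mac_key: bytes, aad: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    """T = first 16 bytes of HMAC-SHA256(MAC_KEY, A || IV || E || AL)."""
    al = struct.pack(">Q", len(aad) * 8)  # AAD length in bits, 64-bit big-endian
    mac = hmac.new(mac_key, aad + iv + ciphertext + al, hashlib.sha256)
    return mac.digest()[:TAG_LEN]


def verify(mac_key: bytes, aad: bytes, iv: bytes, ciphertext: bytes,
           tag: bytes) -> bool:
    """Check the tag in constant time; decrypt only if this returns True."""
    if len(iv) != 16 or len(ciphertext) == 0 or len(ciphertext) % 16:
        return False  # malformed CBC input: reject before touching the cipher
    return hmac.compare_digest(auth_tag(mac_key, aad, iv, ciphertext), tag)


# Constructed sample values (assumptions; not real credentials or a real token).
K = bytes(range(32))
MAC_KEY, ENC_KEY = split_key(K)
AAD = b"constructed-unencrypted-part"  # the data that stays in the clear
IV = bytes(16)
CIPHERTEXT = bytes(range(32))          # stand-in for two AES-128-CBC blocks
TAG = auth_tag(MAC_KEY, AAD, IV, CIPHERTEXT)

if __name__ == "__main__":
    print("untouched token:", verify(MAC_KEY, AAD, IV, CIPHERTEXT, TAG))
    print("modified clear part:", verify(MAC_KEY, AAD + b"x", IV, CIPHERTEXT, TAG))
```

Because the tag covers the unencrypted data, the IV and the ciphertext together, a change to any of them is rejected before the CBC decryption runs.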

2.1. Diagram


3. Header

3.1. Schema

3.2. Sample


4. Payload

4.1. Schema

4.2. Sample


5. Signature

To build the signature, the token's header and payload are signed:

  • The signing key used corresponds to the SSP tenant's credential identified by the "kid" claim from the token's header.

  • The algorithm used is HMAC-SHA256 as described in https://tools.ietf.org/html/rfc7518, section 5.2.
