Integration with Key Rotation

Before activating key rotation, it is recommanded to contact a Nagra representative to help with the integration.

1. Guideline on Key Rotation using start & end dates

1. Key Rotation using start and end dates is available with the CPIX interface.

2. Key Rotation can be activated on an existing content by creating a new key including a period.

3. The activation of key rotation can be done per content and encryption scheme.

   1. The encryption method is defined in the key requests sent to the key server

      1. Three possible values, which are considered as independant : cbcs, cenc, unspecified (not set)

   2. It is possible to activate key rotation on specific encryption schemes only.

      1. Not setting the encryption method is considered also as an independant value.

4. Key Rotation can be deactivated for a content by simply stopping creating new keys or setting an end date in a distant future on the last key.

5. For a single content, either key rotation by start and end dates or by index can be used but not simultaneously.

6. SSP pre-delivers the keys in advance to flatten the peak of license requests when the key rotates for a live OTT stream.

   1. The pre-delivery mechanism is based on the license end date and playback duration

      1. All the keys which are valid during the global license validity (addition of end date and playback duration) are included.

7. The packager must request the next keys in advance so that the license server can deliver them in the license.

   1. It is important that the packager doesn’t push the next key at the last moment

      1. In which case, all the devices will request a new license at the same time when the latest key validity expires.

8. When using key rotation by start and end dates, the computation of the license end date and playback duration must absolutely be defined so that it expires before the end of the crypto period of the last key in the license.

2. Guideline on Key Rotation using indexes

1. Key Rotation by indexes is available with the CPIX, SPEKE V1 and SPEKE V2 interfaces.

2. The activation of key rotation can be done per content and encryption scheme.

   1. The encryption method is defined in the key requests sent to the key server

      1. Three possible values, which are considered as independant : cbcs, cenc, unspecified (not set)

   2. It is possible to activate key rotation on specific encryption schemes only.

      1. Not setting the encryption method is considered also as an independant value.

3. Key Rotation can be activated on an existing content by inserting a new key to the key server including a period index.

   1. During the activation, if a key already exists for the requested content and encryption scheme, SSP will associate the requested period index to the existing key.

   2. After the activation and if the period index is incremented, new keys will be created.

4. Key Rotation can be deactivated for a content by simply stopping creating new keys with incremented indexes.

5. For a single content, either key rotation by start and end dates or by index can be used but not simultaneously.

6. The packager must increment the period indexes sequentially, one by one.

7. SSP pre-delivers the keys in advance to flatten the peak of license requests when the key rotates for a live OTT stream.

   1. SSP will pre-provision the next keys in advance in the license, the number of pre-provisionned keys can be configured.

      1. By default, SSP pre-delivers the next two keys associated to the next two indexes.

   2. In this case, the packager can request new keys at the last moment (just before the last key validity expiry)

8. When using key rotation by indexes, the playback duration must absolutely be defined so that it expires before :

   1. Crypto period + Num(pre-provisioned keys) * Crypto period

      1. Example : Crypto period of 1 hour, 2 keys are pre-provisionned => 1 + 2*1 = 3 hours