Video on Demand (VOD) platforms use Digital Rights Management (DRM) systems like Widevine and FairPlay to protect content from unauthorized access and redistribution. DRM relies on encryption with Content Encryption Keys (CEKs) to secure content during transmission and playback.
Reusing the same CEKs for extended periods increases the risk that a compromised key could be used to decrypt large amounts of content. Key rotation (periodically updating the encryption keys) minimizes this risk.
Key Rotation Strategies for Widevine
Widevine reduces key compromise risk by rotating Content Encryption Keys (CEKs) through session-specific issuance, periodic replacement, segment-based assignment, and device-aware distribution. It also supports prompt key revocation and renewal to maintain secure playback.
Periodic Key Rotation
During packaging, content can be encrypted with new CEKs at fixed intervals, such as per title, per episode, or per defined time slice. Each CEK is associated with a unique Key ID (KID) embedded in the media container. When a client requests a license, the Widevine license server returns the CEK that corresponds to the requested KID. This ensures that any single key covers only a limited part of the library, reducing the exposure if that key is compromised.
Segment-Based Key Rotation
Widevine supports key rotation based on content segmentation. For example, a new CEK can be applied every 10 minutes of video or per chapter. Tools like Shaka Packager or other MPEG-DASH/HLS packagers insert KIDs at boundaries, and the player requests licenses with the appropriate KID to decrypt each segment. This approach guarantees that if one CEK is compromised, only a fraction of the video is exposed.
License-Based Controls (Leases & Renewals)
Although CEKs themselves are bound to packaging, license policies can enforce time-limited usage. Widevine licenses can carry short expiration periods (e.g., valid for 24 hours), after which the client must request a new license to continue playback. With this approach, even if a license is leaked, it quickly loses value.
Revocation and Renewal
If a compromise is detected, the Widevine ecosystem allows publishers to revoke device certificates or expire licenses immediately. Future content can be re-encrypted with new CEKs, and license mappings updated. Already-issued content typically cannot be re-encrypted silently, so operators rotate CEKs during future repackaging or when releasing new content.
Key Rotation Strategies for FairPlay
FairPlay uses a combination of packaging-level CEK rotation and playback license rules to confine risks of key exposure. CEKs in FairPlay are distributed via Content Key Contexts (CKCs), obtained from license servers after a client submits a Server Playback Context (SPC).
Periodic Key Rotation
Content owners can rotate CEKs at intervals aligned with content sensitivity, for example, one CEK per title, per episode, or per broadcast window. These CEKs are applied during packaging with unique KIDs. During playback, the license server returns the appropriate CKC mapped to that KID.
Segment-Based Key Rotation
HLS with FairPlay supports multiple keys via the #EXT-X-KEY tag. This allows different CEKs to be mapped to segments or playlists. A single movie might have a new CEK every 10 minutes, or even every segment, ensuring that a compromised key cannot decrypt the entire stream.
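The per-key exposure described above can be checked on a packaged stream. The following is an added example, not code from the original article: it parses a constructed HLS media playlist and reports how many seconds of media each #EXT-X-KEY covers. The skd:// URIs, the 600-second threshold, and the simplification that one key applies per segment are assumptions.

```python
import re

# Constructed sample media playlist; key URIs are placeholders, not real keys.
SAMPLE_PLAYLIST = """#EXTM3U
#EXT-X-TARGETDURATION:300
#EXT-X-KEY:METHOD=SAMPLE-AES,URI="skd://key-0001",KEYFORMAT="com.apple.streamingkeydelivery"
#EXTINF:300.0,
seg0.ts
#EXTINF:300.0,
seg1.ts
#EXT-X-KEY:METHOD=SAMPLE-AES,URI="skd://key-0002",KEYFORMAT="com.apple.streamingkeydelivery"
#EXTINF:300.0,
seg2.ts
#EXTINF:300.0,
seg3.ts
#EXTINF:300.0,
seg4.ts
#EXT-X-KEY:METHOD=NONE
#EXTINF:60.0,
seg5.ts
#EXT-X-ENDLIST
"""

ATTR_RE = re.compile(r'([A-Z0-9-]+)=("[^"]*"|[^,]*)')

def key_exposure(playlist):
    """Map each key URI (None = clear, incl. METHOD=NONE) to seconds of media."""
    exposure, current, pending = {}, None, None
    for line in map(str.strip, playlist.splitlines()):
        if line.startswith("#EXT-X-KEY:"):
            attrs = {k: v.strip('"') for k, v in ATTR_RE.findall(line[11:])}
            current = None if attrs.get("METHOD") == "NONE" else attrs.get("URI")
        elif line.startswith("#EXTINF:"):
            pending = float(line[8:].split(",")[0])
        elif line and not line.startswith("#") and pending is not None:
            # A segment URI line: charge its duration to the key in effect
            exposure[current] = exposure.get(current, 0.0) + pending
            pending = None
    return exposure

def audit(playlist, max_seconds=600.0):
    """Flag keys that cover more than max_seconds, and any clear media."""
    findings = []
    for key, secs in key_exposure(playlist).items():
        if key is None:
            findings.append(("unencrypted", secs))
        elif secs > max_seconds:
            findings.append((key, secs))
    return findings
```

Run against the sample, `audit` flags the second key (900 seconds under one CEK) and the 60 seconds of clear media after METHOD=NONE, while the first key sits exactly at the 10-minute limit and passes.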
License, Lease, and Renewal
In FairPlay, licenses control how long a CEK is valid for playback. The license server can assign time-limited leases (e.g., 24 hours), requiring the client to periodically request a new CKC. This effectively enforces automatic key rotation at the license level without repackaging content.
Revocation and Renewal
If a CEK compromise is suspected, operators invalidate the affected content keys and repackage new versions of content with fresh CEKs. Compromised devices or licenses can also be blocked. Future license requests will receive updated CKCs, cutting off unauthorized users.

