PlayReady Key Exchange
Key Exchange is the process by which arbitrary cryptographic keys (for supported algorithms), protected by PlayReady, are sent to the client from the License Server. This allows the Server to perform cryptographic operations with those keys (encrypt, decrypt, sign, verify) and the client to perform the corresponding operation (decrypt, encrypt, verify, sign) with the same keys.
Note
This feature is only supported when both the client and server are using PlayReady version 4.5 or higher.
Important
Data on which the cryptographic operation is performed is not protected by PlayReady. PlayReady only protects the cryptographic keys themselves.
Key Exchange architecture
Keys are delivered to the client via a KeyExchangeLicense, a unique type of license which can only be used for key exchange operations, during ordinary license acquisition.
Keys are protected on the client by PlayReady at the same Security Level as content keys themselves.
Important
Keys used for protection of content itself must not be sent to the client via a KeyExchangeLicense. Doing so is a violation of the PlayReady Compliance and Robustness Rules (CR&RRs).
Key Exchange licenses
A single KeyExchangeLicense contains the following
- A single cryptographic key
- Policy indicating which unique cryptographic operation (algorithm plus type, e.g. "decrypt) the client may perform
- Additional policy associated with the key such as absolute expiration
Key Exchange cryptography
On the server, a KeyExchangeLicense is generally constructed and used in the PlayReady Sever SDK like a MediaLicense with the following primary differences.
- The cryptographic key requires its cryptographic operation to be specified at the same time as said key
- Some MediaLicense policies are not supported, primarily those such as Output Protection Levels which are only relevant for playback
Refer to the KeyExchangeLicense Class documentation for more information.
On the client, a KeyExchangeLicense is used via new Drm_KeyExchange_* APIs. They enable a client to perform the following operations. Refer to the API documentation provided in the associated code comments in the PlayReady Device Porting Kit for more information.
- Bind to a KeyExchange license which verifies associated license policy
- Perform the single allowed cryptographic operation with the associated key (repeatedly, as desired)
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for