CEKs

Content Encryption Keys (CEKs) are cryptographic keys used to encrypt and decrypt protected digital content in media protection systems. In many DRM architectures, a CEK is used to encrypt the actual media data (the content) and is itself protected by being wrapped with another key, commonly called a Key Encryption Key (KEK) or bound to a hardware device or user credential. The CEK may be unique per asset, per title, or per segment depending on policy.

In practice, the content is encrypted with the CEK; a license server distributes a license that contains the CEK in wrapped form (or a reference to it) along with metadata like a KID (key identifier) to select the appropriate CEK. The client obtains the license, unwraps the CEK using the KEK or device key, and then uses the CEK to decrypt the media. In envelope encryption, many CEKs can be used for different segments; the same CEK may be used across segments of a title or rotated per segment.

CEK management includes key generation, secure storage, secure delivery, rotation, revocation, and auditing. CEKs are typically 128-bit or 256-bit symmetric keys; their security rests on both secure generation and tamper-resistant delivery and storage. Hardware security modules (HSMs) and device keystores are often employed.

Examples: major DRM systems such as Widevine, PlayReady, and FairPlay rely on CEKs as part of their workflows; while implementations differ, the general pattern is to encrypt content with a CEK and protect the CEK with a KEK.
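
The CEK/KEK pattern described above, as an added Node.js example; it is not code from Widevine, PlayReady, FairPlay or any other DRM system. It assumes a single symmetric 128-bit KEK shared by packager and client, uses AES-128-GCM as a stand-in for a real system's content cipher and key-wrap format, and the names `seal`, `unseal`, `packageTitle`, `play` and the license layout (a Map from KID to wrapped CEK) are hypothetical.

```javascript
const { randomBytes, createCipheriv, createDecipheriv } = require('node:crypto');

// seal: AES-128-GCM (stand-in for a DRM's own cipher and wrap formats).
// Returns nonce(12) || tag(16) || ciphertext; aad is authenticated, not encrypted.
function seal(key, plaintext, aad) {
  const nonce = randomBytes(12);
  const c = createCipheriv('aes-128-gcm', key, nonce).setAAD(aad);
  const body = Buffer.concat([c.update(plaintext), c.final()]);
  return Buffer.concat([nonce, c.getAuthTag(), body]);
}

// unseal: reverse of seal; throws if the key, the aad or any byte of the blob is wrong.
function unseal(key, blob, aad) {
  const d = createDecipheriv('aes-128-gcm', key, blob.subarray(0, 12));
  d.setAAD(aad).setAuthTag(blob.subarray(12, 28));
  return Buffer.concat([d.update(blob.subarray(28)), d.final()]);
}

// Packager and license server (hypothetical layout): encrypt each segment with a CEK
// and wrap every CEK under the KEK. rotate=true gives each segment its own CEK;
// rotate=false reuses one CEK for the whole title.
function packageTitle(kek, segments, rotate) {
  const license = new Map(); // KID (hex) -> wrapped CEK; raw CEKs are never returned
  let kid, cek;
  const media = segments.map((segment) => {
    if (rotate || !cek) {
      kid = randomBytes(16).toString('hex');
      cek = randomBytes(16); // 128-bit CEK from the CSPRNG
      license.set(kid, seal(kek, cek, Buffer.from(kid))); // KID is bound to the wrap
    }
    return { kid, data: seal(cek, segment, Buffer.from(kid)) };
  });
  return { license, media };
}

// Client: select the wrapped CEK by KID, unwrap it with the KEK, decrypt the segment.
function play(kek, license, media) {
  const ceks = new Map(); // unwrapped CEKs, kept only for this playback
  return media.map(({ kid, data }) => {
    if (!license.has(kid)) throw new Error(`license has no CEK for KID ${kid}`);
    if (!ceks.has(kid)) ceks.set(kid, unseal(kek, license.get(kid), Buffer.from(kid)));
    return unseal(ceks.get(kid), data, Buffer.from(kid));
  });
}
```

Because the KID is authenticated with both the wrapped CEK and the segment, a wrong KEK, a license that lacks the KID, or a segment relabelled with another KID fails at authentication rather than producing garbage output.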