CENC

Common Encryption

Services
Introduced in Rel-13
CENC is a standardized encryption and key management scheme for protecting media content in 3GPP systems. It enables secure delivery of multimedia services like MBMS and streaming by providing a common framework for content protection across different delivery methods. This ensures content providers can securely distribute media while maintaining interoperability.

Description

Common Encryption (CENC) is a comprehensive content protection framework defined within 3GPP specifications that provides standardized encryption and key management for multimedia services. The architecture operates by separating the encryption of the media content itself from the management and delivery of the decryption keys. Content is encrypted once at the source using standardized encryption algorithms, while the corresponding decryption keys are managed and delivered through a separate, secure key distribution system. This separation allows for flexible service delivery models where the same encrypted content can be delivered through multiple channels while maintaining consistent security.

The technical implementation of CENC involves several key components working in concert. The Content Encryption component applies encryption to media segments using algorithms specified in the standard, typically AES-128 in CTR mode. The Key Management System (KMS) generates, stores, and manages the Content Encryption Keys (CEKs) used for encrypting the media. The License Server component issues licenses containing the CEKs to authorized clients, often using Digital Rights Management (DRM) systems. The Media Delivery component handles the transport of encrypted media through various channels including MBMS, unicast streaming, or download services. Finally, the Client DRM Agent on user devices receives licenses, retrieves CEKs, and performs decryption for playback.

CENC operates through a well-defined workflow that begins with content preparation. The service provider encrypts the media content using a Content Encryption Key (CEK), producing encrypted media segments packaged according to standards like DASH or HLS. The CEK is then securely transmitted to a Key Management System. When a user requests access to protected content, their device contacts a license server which authenticates the user and determines their rights. Upon successful authorization, the license server provides a license containing the CEK (often wrapped with a device-specific key) to the client. The client's DRM agent extracts the CEK, decrypts the media segments, and renders the content for playback.
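The workflow above, sketched in Go as an added example (not code from 3GPP or from this page): a segment is encrypted once under a CEK with AES-128-CTR, and the CEK is wrapped for a device key to form the license payload. The function names, the AES-GCM wrapping and the `nonce || ciphertext` license layout are assumptions of this sketch; the page does not specify how the CEK is wrapped.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// must panics on setup errors (bad key length, no entropy); these are caller bugs.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// ctrXOR runs AES-CTR with a 16-byte CEK (encrypt == decrypt); never reuse an IV under one CEK.
func ctrXOR(cek, iv, data []byte) []byte {
	out := make([]byte, len(data))
	cipher.NewCTR(must(aes.NewCipher(cek)), iv).XORKeyStream(out, data)
	return out
}

// wrapCEK is the license-server side. AES-GCM wrapping is this example's
// assumption; the page does not name the wrapping algorithm.
func wrapCEK(deviceKey, cek []byte) []byte {
	gcm := must(cipher.NewGCM(must(aes.NewCipher(deviceKey))))
	nonce := make([]byte, gcm.NonceSize())
	must(rand.Read(nonce))
	return gcm.Seal(nonce, nonce, cek, nil) // nonce || ciphertext || tag
}

// unwrapCEK is the client DRM agent side; any other device key fails authentication.
func unwrapCEK(deviceKey, license []byte) ([]byte, error) {
	gcm := must(cipher.NewGCM(must(aes.NewCipher(deviceKey))))
	n := gcm.NonceSize()
	if len(license) < n {
		return nil, fmt.Errorf("license too short")
	}
	return gcm.Open(nil, license[:n], license[n:], nil)
}

func main() {
	k := make([]byte, 48) // constructed random CEK, IV and device key
	must(rand.Read(k))
	seg := ctrXOR(k[:16], k[16:32], []byte("constructed media segment"))
	cek := must(unwrapCEK(k[32:], wrapCEK(k[32:], k[:16])))
	fmt.Printf("%s\n", ctrXOR(cek, k[16:32], seg))
}
```

Wrapping the same CEK under a second device key yields a second license for the same ciphertext, which is the encrypt-once property the framework relies on.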

Within the 3GPP network architecture, CENC plays a critical role in enabling secure multimedia services across both broadcast and unicast delivery methods. For MBMS (Multimedia Broadcast Multicast Service), CENC ensures that broadcast content remains protected while being efficiently delivered to multiple users simultaneously. For unicast streaming services, it provides consistent content protection regardless of the underlying transport protocol. The framework's standardization allows different DRM systems to interoperate with the same encrypted content, giving service providers flexibility in choosing DRM solutions while maintaining content security. This interoperability is particularly important in heterogeneous network environments where content may traverse different networks and be consumed on various devices.

Purpose & Motivation

CENC was created to address the growing need for standardized content protection in 3GPP multimedia services. Prior to its introduction, content providers faced significant challenges in securing media delivered through mobile networks, particularly with the emergence of MBMS for broadcast services. Different vendors and service providers implemented proprietary encryption schemes that lacked interoperability, creating fragmentation in the ecosystem. This made it difficult for content owners to distribute protected media across multiple networks and devices without implementing multiple, incompatible protection systems.

The primary motivation for developing CENC was to establish a common encryption framework that would enable secure content delivery while maintaining interoperability between different DRM systems and service providers. Traditional approaches required content to be encrypted separately for each DRM system, increasing storage costs and complexity for content distributors. CENC solves this by allowing content to be encrypted once using standardized methods, with different DRM systems able to access the same encrypted content through their respective key management systems. This significantly reduces operational overhead for content preparation and distribution.

Another key problem CENC addresses is the secure delivery of broadcast content through MBMS. Broadcast delivery presents unique security challenges since the same content is sent to multiple users simultaneously, making traditional point-to-point security mechanisms inefficient. CENC provides a framework where broadcast content can be efficiently protected while allowing authorized users to obtain decryption keys through unicast channels. This hybrid approach combines the efficiency of broadcast delivery with the security of individualized key management, enabling scalable secure multimedia services across 3GPP networks.

Key Features

  • Standardized encryption using AES-128 CTR mode for media content
  • Separation of content encryption from key management enabling DRM interoperability
  • Support for multiple packaging formats including DASH and HLS
  • Integration with MBMS for secure broadcast content delivery
  • Flexible key delivery through license servers and DRM systems
  • Compatibility with multiple DRM systems including PlayReady, Widevine, and FairPlay

Evolution Across Releases

Rel-13 Initial

Introduced the initial Common Encryption framework with standardized encryption algorithms and key management architecture. Established the separation between content encryption and DRM-specific key delivery, enabling interoperability between different DRM systems. Defined the basic components including Content Encryption, Key Management System, and License Server interfaces for secure multimedia service delivery.

Defining Specifications

Specification    Title
TS 26.265        3GPP TS 26.265
TS 26.512        3GPP TS 26.512
TS 26.891        3GPP TS 26.891
TS 26.953        3GPP TS 26.953