0 votes

Should the AES token signing key be unique for each content key policy per video?

Is it unsafe to use the same token signing key for all videos?

Media Services uses the specified key to dynamically encrypt your content

References: https://docs.microsoft.com/en-us/azure/media-services/latest/protect-with-aes128

https://github.com/Azure-Samples/media-services-v3-dotnet-tutorials/blob/master/AMSV3Tutorials/EncryptWithAES/Program.cs

using System.Security.Cryptography;

// 40-byte symmetric key used to sign (HMAC) the JWTs that clients present to Key Delivery
private static byte[] TokenSigningKey = new byte[40];

// Generate a new random token signing key to use (cryptographically secure RNG)
using (RNGCryptoServiceProvider rng = new RNGCryptoServiceProvider())
{
    rng.GetBytes(TokenSigningKey);
}

// Create the content key policy that configures how the content key is delivered to end clients
// via the Key Delivery component of Azure Media Services.
ContentKeyPolicy policy = await GetOrCreateContentKeyPolicyAsync(client, config.ResourceGroup, config.AccountName, ContentKeyPolicyName);

2 Answers

0 votes

Carlos, if you are talking about the symmetric or asymmetric key for encrypting the JWT token issued to the client for requesting the AES decryption key or DRM licenses, generally no (in reality, the key is not unique).

For example, at any given time, Azure AD uses the same asymmetric key for ALL token encryption across the globe for all users. However, they change the key on a periodic basis. For more information, see https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-signing-key-rollover.

If you are using your own custom STS, you can choose to change the key over time like AAD.

thank you, Julia
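The answer's point is that one signing key shared across all policies is normal, and the control that matters is periodic rollover: issue with the current key, keep the previous key accepted only for a grace window, then retire it. The following is an added example written for this thread, not code from the question, the answer, or the Azure Media Services samples. It implements a minimal HS256 JWT issuer/verifier with a key ring keyed by `kid` (the `k1`, `k2` naming and the 40-byte key size are assumptions, the latter matching the sample's buffer), so you can see what a token signed under a retired key looks like to the verifier. A real deployment would hand the key bytes to the content key policy's symmetric token key and let Key Delivery do the verification.

```python
import base64
import hashlib
import hmac
import json
import os
import time


def b64url(data: bytes) -> str:
    # JWT uses unpadded base64url
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class SigningKeyRing:
    """Current signing key plus older keys still accepted during a rollover grace window."""

    def __init__(self, key_size: int = 40):
        self.key_size = key_size          # 40 bytes, as in the sample's TokenSigningKey buffer
        self.keys = {}                    # kid -> key bytes; every entry is accepted for verification
        self.current_kid = None
        self.rollover()

    def rollover(self) -> str:
        # Hypothetical kid scheme: k1, k2, ... ; new tokens are signed with the newest key only
        kid = "k%d" % (len(self.keys) + 1)
        self.keys[kid] = os.urandom(self.key_size)   # CSPRNG, like RNGCryptoServiceProvider
        self.current_kid = kid
        return kid

    def retire(self, kid: str) -> None:
        # After the grace window the old key is dropped; tokens it signed stop verifying
        if kid == self.current_kid:
            raise ValueError("cannot retire the current signing key")
        self.keys.pop(kid, None)


def issue_token(ring: SigningKeyRing, claims: dict) -> str:
    header = {"alg": "HS256", "typ": "JWT", "kid": ring.current_kid}
    signing_input = (
        b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(ring.keys[ring.current_kid], signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def verify_token(ring: SigningKeyRing, token: str, now: float = None):
    """Return the claims if the token is valid, otherwise None."""
    try:
        h, p, s = token.split(".")
        header = json.loads(b64url_decode(h))
    except (ValueError, UnicodeDecodeError):
        return None
    if header.get("alg") != "HS256":          # refuse alg=none / algorithm confusion
        return None
    key = ring.keys.get(header.get("kid"))    # unknown or retired kid -> reject
    if key is None:
        return None
    expected = hmac.new(key, (h + "." + p).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        return None
    claims = json.loads(b64url_decode(p))
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:           # expired tokens are rejected even with a valid key
        return None
    return claims


if __name__ == "__main__":
    ring = SigningKeyRing()
    tok = issue_token(ring, {"sub": "viewer-1", "exp": int(time.time()) + 600})
    print("current key verifies:", verify_token(ring, tok) is not None)
    old = ring.current_kid
    ring.rollover()
    print("during grace window:", verify_token(ring, tok) is not None)
    ring.retire(old)
    print("after retirement:", verify_token(ring, tok) is not None)
```

Short-lived `exp` values keep the grace window small: once every token signed with the old key has expired, the old key can be retired with no client impact, which is the rollover behaviour the answer describes for Azure AD.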