This specification defines the stream format for using ISO Base Media File Format [ISOBMFF] content that uses the ISO Common Encryption ('cenc') protection scheme [CENC] with the Encrypted Media Extensions [ENCRYPTED-MEDIA].


Although the ISO Base Media File Format [ISOBMFF] associated with this format's MIME type/subtype strings supports multiple protection schemes, when used with Encrypted Media Extensions, these strings refer specifically to content encrypted and packaged using the 'cenc' protection scheme [CENC].

1. Stream Format

ISO Base Media File Format [ISOBMFF] content that is encrypted using the ISO Common Encryption ('cenc') protection scheme [CENC] SHALL be encrypted at the sample level with AES-128 CTR encryption (Section 9 of [CENC]). This protection method enables multiple Key Systems to decrypt the same media content.

Each key is identified by a key ID and each encrypted sample is associated with the key ID of the key needed to decrypt it. This association is signaled either through the specification of a default key ID in the track encryption box ('tenc') or by assigning the sample to a Sample Group, the definition of which specifies a key ID. Streams may contain a mixture of encrypted and unencrypted samples.

2. Detection

For a stream determined to be in the ISO Base Media File Format [ISOBMFF], this ISO Common Encryption ('cenc') Protection Scheme may be detected as follows.

Protection scheme signaling conforms with [ISOBMFF]. When protection has been applied, the stream type will be transformed to 'encv' for video or 'enca' for audio, with a Protection Scheme Information Box ('sinf') added to the sample entry in the Sample Description Box ('stsd'). The Protection Scheme Information Box ('sinf') will contain a Scheme Type Box ('schm') with a scheme_type field set to a value of 'cenc'. [CENC]

3. Detecting Encrypted Blocks

For the purposes of the Encrypted Block Encountered, encrypted blocks are identified as follows.

The encrypted block is a sample. Determining whether a sample is encrypted depends on the corresponding Track Encryption Box ('tenc') and the sample group with grouping type 'seig' (CencSampleEncryption group), if any, associated with the sample. The default encryption state of a sample is defined by the IsEncrypted flag in the associated track encryption box ('tenc'). This default state may be modified by the IsEncrypted flag in the SampleGroupDescriptionBox ('sgpd'), pointed to by an index in the SampleToGroupBox ('sbgp').

Samples can be partially encrypted, specified by subsample information referenced by SampleAuxiliaryInformationSizesBox ('saiz') and SampleAuxiliaryInformationOffsetsBox ('saio') boxes.

For complete information, see [CENC].

4. Initialization Data Extraction

Streams may contain one or more Protection System Specific Header ('pssh') boxes [CENC], each for a unique SystemID, at each location where a 'pssh' box is necessary. Content using this stream format SHOULD include a box containing the Common SystemID and PSSH Box Format.

Initialization Data is always one or more concatenated 'pssh' boxes as defined by the "cenc" Initialization Data Format [EME-INITDATA-REGISTRY].

Each time one or more 'pssh' boxes are encountered, the Initialization Data Encountered algorithm SHALL be invoked with initDataType = "cenc" [EME-INITDATA-REGISTRY] and initData = the 'pssh' box(es). Multiple 'pssh' boxes MUST be provided together if and only if they appear directly next to each other in the stream.

