PIFF to CENC (Multi DRM)

When your content is stored protected on disk in 'PIFF' (Protected Interoperable File Format) format (e.g. fragmented MP4 protected with PlayReady), the Origin converts it on-the-fly to DASH with 'CENC' (Common Encryption). This allows for playout in both the Smooth Streaming format and DASH. (Please read about the background as well.)

Possible playouts using PIFF as ingest format include:

  • Silverlight (HTTP Smooth Streaming with PlayReady).
  • IE11 / Win8.1 (MPEG-DASH with PlayReady)
  • Chrome (MPEG-DASH with Widevine)
  • Android (MPEG-DASH with Marlin)

This setup is special since Unified Origin uses the encryption information stored in the server manifest file to synthesize the required "pssh" boxes for DASH playout.

Supporting multiple DRM systems is a feature of CENC and requires that the different DRM systems share a common KID (Key ID) and CEK (Content Encryption Key). You have to align the PlayReady license server and Widevine license server to make sure that they use the same KID:CEK combination.

There is no need to re-encode or repackage your existing catalog.

You may need to create or update the USP server manifest file, but only when it is missing the key information. If the manifest was created with a recent version, the key information is already present.

Protection System Specific Header box

If the content contains the signaling for PlayReady and/or Widevine (the "pssh" boxes) then they are used for signaling of the DRM systems.

The CENC signaling is added to all output formats it applies to (PlayReady, Widevine and Marlin).

When a "pssh" box is not present for a DRM system then the Origin synthesizes one just-in-time.

Widevine

The "pssh" box for Widevine is synthesized according to the following rules:

  • The key_id field is set to the KID as specified in the "tenc" box.
  • The provider field is set to 'usp-cenc'.
  • The content_id field is copied from the key_id field (in base64).
  • The track_type is left empty.
  • The policy is left empty.
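
The synthesis rules above, as an added Python example (not Unified Origin's own code): it builds a version 0 "pssh" box for Widevine from a KID and parses it back so the result can be checked. It assumes the Widevine header's protobuf field numbers (key_id = 2, provider = 3, content_id = 4), that "left empty" means the field is omitted, and that content_id holds the base64 text of the KID; the sample KID is constructed.

```python
import base64
import struct
import uuid

# Widevine's registered CENC SystemID.
WIDEVINE_SYSTEM_ID = uuid.UUID("edef8ba9-79d6-4ace-a3c8-27dcd51d21ed").bytes

def _field(number: int, payload: bytes) -> bytes:
    """One length-delimited protobuf field (wire type 2); short payloads only."""
    if number > 15 or len(payload) > 127:
        raise ValueError("tag/length would need a multi-byte varint")
    return bytes([(number << 3) | 2, len(payload)]) + payload

def synthesize_widevine_pssh(kid_hex: str) -> bytes:
    """Build a version 0 'pssh' box following the rules listed above."""
    kid = bytes.fromhex(kid_hex)
    if len(kid) != 16:
        raise ValueError("KID must be 16 bytes")
    data = (
        _field(2, kid)                        # key_id: KID from the "tenc" box
        + _field(3, b"usp-cenc")              # provider
        + _field(4, base64.b64encode(kid))    # content_id: base64 of key_id (assumed)
    )                                         # track_type (5), policy (6): omitted
    body = bytes(4) + WIDEVINE_SYSTEM_ID + struct.pack(">I", len(data)) + data
    return struct.pack(">I4s", 8 + len(body), b"pssh") + body

def parse_widevine_pssh(box: bytes) -> dict:
    """Parse a box produced above; returns SystemID and protobuf fields by number."""
    if len(box) < 32:
        raise ValueError("truncated box")
    size, box_type = struct.unpack(">I4s", box[:8])
    if box_type != b"pssh" or size != len(box) or box[8] != 0:
        raise ValueError("not a complete version 0 pssh box")
    (data_size,) = struct.unpack(">I", box[28:32])
    data = box[32:]
    if data_size != len(data):
        raise ValueError("DataSize does not match box size")
    fields, pos = {}, 0
    while pos + 2 <= len(data):
        number, length = data[pos] >> 3, data[pos + 1]
        fields[number] = data[pos + 2 : pos + 2 + length]
        pos += 2 + length
    if pos != len(data):
        raise ValueError("trailing or truncated protobuf field")
    return {"system_id": box[12:28], "fields": fields}

if __name__ == "__main__":
    kid = "00112233445566778899aabbccddeeff"  # constructed sample KID
    print(parse_widevine_pssh(synthesize_widevine_pssh(kid)))
```

Comparing the parsed key_id with the KID configured on the PlayReady and Widevine license servers is a quick way to confirm that both systems refer to the same key.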

Marlin

Marlin doesn't use a "pssh" box, and only uses the signaling in the MPD.

PlayReady

After creation of the server manifest, e.g.:

#!/bin/bash

mp4split -o piff2cenc.ism \
  piff-encrypted-smooth-content.ismv

playout of HSS with PlayReady is still possible as usual. No further command-line options are needed; the player can fetch the /Manifest as it normally would.

Clear Content

When your content is 'clear' (not encrypted) it is still possible to synthesize the "pssh" box, provided you pass the key_id and content_key (and optionally the license_server_url).

--widevine.key=${KID}:${CEK}
--widevine.license_server_url=${LA_URL}

In this case you do not pass the drm_specific_data as mentioned under Widevine Modular DRM (and thus cannot make use of track_type or policy).

Playback

  • The DASH-JS player on Appspot.
  • The DASH-JS player on Azure.

Checklist

PlayReady license server

MUST have CORS headers set up properly. Most notably, it needs "soapaction" added to the Access-Control-Allow-Headers.

Chrome

In order to have playout on Chrome, you have to make sure that the Media and Encryption extensions are enabled. You can see the flags by going to the URL chrome://flags/.

English:
  • Disable Media Source API: Disable
  • Enable Encrypted Media Extensions: Enable
  • Disable prefixed Encrypted Media Extensions: Disable
Dutch:
  • Media Source API uitschakelen: Uitschakelen
  • Gecodeerde Media-extensies inschakelen: Inschakelen
  • Vooraf gecodeerde media-extensies uitschakelen: Uitschakelen
Examples: