ISO Common Encryption Protection Scheme for ISO Base Media File Format Stream Format

W3C Editor's Draft

This version:
Latest published version:
Latest editor's draft:
Joey Parrish (Google Inc.)
Greg Freedman (Netflix Inc.)
Former editors:
Mark Watson (Netflix Inc.) (Until September 2019)
David Dorwin (Google Inc.) (Until September 2017)
Jerry Smith (Microsoft Corporation) (Until September 2017)
Adrian Bateman (Microsoft Corporation) (Until May 2014)


This specification defines the stream format for using ISO Base Media File Format [ISOBMFF] content that uses the ISO Common Encryption protection schemes [CENC] with the Encrypted Media Extensions [ENCRYPTED-MEDIA].


Although the ISO Base Media File Format [ISOBMFF] associated with this format's MIME type/subtype strings supports multiple protection schemes, when used with Encrypted Media Extensions, these strings refer specifically to content encrypted and packaged using the 'cenc' or 'cbcs' protection schemes, as defined by section 4.2 of [CENC].

Status of This Document

This section describes the status of this document at the time of its publication. Other documents may supersede this document. A list of current W3C publications and the latest revision of this technical report can be found in the W3C technical reports index at

This document was published by the Media Working Group as an Editor's Draft.

Comments regarding this document are welcome. Please send them to (archives).

Publication as an Editor's Draft does not imply endorsement by the W3C Membership. This is a draft document and may be updated, replaced or obsoleted by other documents at any time. It is inappropriate to cite this document as other than work in progress.

This document was produced by a group operating under the W3C Patent Policy. W3C maintains a public list of any patent disclosures made in connection with the deliverables of the group; that page also includes instructions for disclosing a patent. An individual who has actual knowledge of a patent which the individual believes contains Essential Claim(s) must disclose the information in accordance with section 6 of the W3C Patent Policy.

This document is governed by the 1 March 2019 W3C Process Document.

1. Stream Format

ISO Base Media File Format [ISOBMFF] content that is encrypted using the ISO Common Encryption protection schemes [CENC] SHALL be encrypted at the sample level with either the 'cenc' (AES-128 CTR) or 'cbcs' (AES-128 CBC) encryption schemes, as defined in section 4.2 of [CENC]. These protection methods enabls multiple Key Systems to decrypt the same media content.

Each key is identified by a key ID and each encrypted sample is associated with the key ID of the key needed to decrypt it. This association is signaled either through the specification of a default key ID in the track encryption box ('tenc') or by assigning the sample to a Sample Group, the definition of which specifies a key ID. Streams may contain a mixture of encrypted and unencrypted samples.

2. Detection

For a stream determined to be in the ISO Base Media File Format [ISOBMFF], the ISO Common Encryption protection schemes may be detected as follows.

Protection scheme signaling conforms with [ISOBMFF]. When protection has been applied, the stream type will be transformed to 'encv' for video or 'enca' for audio, with a Protection Scheme Information Box ('sinf') added to the sample entry in the Sample Description Box ('stsd'). The Protection Scheme Information Box ('sinf') will contain a Scheme Type Box ('schm') with a scheme_type field set to a value of 'cenc' or 'cbcs'. [CENC]

3. Detecting Encrypted Blocks

For the purposes of the Encrypted Block Encountered, encrypted blocks are identified as follows.

The encrypted block is a sample. Determining whether a sample is encrypted depends on the corresponding Track Encryption Box ('tenc') and the sample group with grouping type 'seig' (CencSampleEncryption group), if any, associated with the sample. The default encryption state of a sample is defined by the IsEncrypted flag in the associated track encryption box ('tenc'). This default state may be modified by the IsEncrypted flag in the SampleGroupDescriptionBox ('sgpd'), pointed to by an index in the SampleToGroupBox ('sbgp').

Samples can be partially encrypted, specified by subsample information referenced by SampleAuxiliaryInformationSizesBox ('saiz') and SampleAuxiliaryInformationOffsetsBox ('saio') boxes.

For complete information, see [CENC].

4. Initialization Data Extraction

Streams may contain one or more Protection System Specific Header ('pssh') boxes [CENC], each for a unique SystemID, at each location where a 'pssh' box is necessary. Content using this stream format SHOULD include a box containing the Common SystemID and PSSH Box Format.

Initialization Data is always one or more concatenated 'pssh' boxes as defined by the "cenc" Initialization Data Format [EME-INITDATA-REGISTRY].

Each time one or more 'pssh' boxes are encountered, the Initialization Data Encountered algorithm SHALL be invoked with initDataType = "cenc" [EME-INITDATA-REGISTRY] and initData = the 'pssh' box(es). Multiple 'pssh' boxes MUST be provided together if and only if they appear directly next to each other in the stream.

A. References

A.1 Normative references

ISO/IEC 23001-7:2016, Information technology — MPEG systems technologies — Part 7: Common encryption in ISO Base Media File Format files. ISO/IEC. International Standard. URL:
Encrypted Media Extensions Initialization Data Format Registry. David Dorwin; Adrian Bateman; Mark Watson. W3C. URL: ../initdata/index.html
Encrypted Media Extensions. David Dorwin; Jerry Smith; Mark Watson; Adrian Bateman. W3C. 18 September 2017. W3C Recommendation. URL:
Information technology — Coding of audio-visual objects — Part 12: ISO Base Media File Format. ISO/IEC. December 2015. International Standard. URL: