HLS Common Encryption

Last update:2023-02-08 16:32:05

To further protect your videos, Cloud VoD offers HLS AES encryption to prevent your video from being pirated. The video will be encrypted and it requires special authentication to decrypt the video for playback.

How it works

The HLS protocol defines an encryption key: # EXT-X-KEY, which is used to identify whether the video file is encrypted,and what algorithm is used for encryption (currently the AES-128 encryption algorithm is used in Cloud VoD), and gives the address to obtain the decryption key.
When a player has received the plaintext m3u8 file, it will recognise that the file is encrypted based on the “#EXT-X-KEY” tag. To have a playback, the player must obtain the decryption key from the URL provided in the “URI” from “#EXT-X-KEY”, and then decrypt the video file according to the algorithm information provided in the “METHOD” parameter.
Here is an example m3u8 file with EXT-X-KEY:
墨西哥、多米尼加共和国新节点上线
Cloud VoD provides HLS encryption with AES-128 algorithm, the encryption key is managed by CloudVoD KMS and transferred via HTTPS to prevent from illegal interception.

CloudVoD KMS address: https://api.cloudv.haplat.net/vod/videoManage/getHlsKeyByVideoId

How to use

Encrypt Your Video

  1. HLS Common Encryption is disabled by default, please contact your customer service to enable this feature first.
  2. Create a transcoding template and enable Enrypted Transcoding.
  3. Once you have created the transcoding template, you will need to transcode the video to trigger encryption.
  4. When encryption is completed, the status in the video list will show “Transcoded(encrypted)”, indicating that the video has already been encrypted.

Playback

The authentication parameters are added to the end of the URL once the video is encrypted. For example

https://cloudv.cdnetworks.com/appname/streamname/cloudv-transfer/playlist.m3u8?t=1666336607&k=3628a37a13d566252d&vid=cf352bbd01831000553f6000&r=f96237ab0183

It is recommended to set up your own authentication server to authenticate the end users and only provide the URL with authentication information to those authenticated users. After acquiring the correct adaptive code or video URL, the player will get the key from the m3u8 playlist and then decrypt the video for playback, the process is mainly divided into the following steps:
Step 1
Get the URL of the encrypted video with authenticate parameters t, k, r and vid. For example, the orginal video URL is

https://cloudv.cdnetworks.com/vod/test.m3u8

After adding the above authenticating parameters, the URL becomes

https://cloudv.cdnetworks.com/vod/test.m3u8?t=1533289173&k=b83eb56186b4c7c7ae7ff7e2a1ee58d9&vid=0f97c608015f10007f0f055d00000000&r=ff237ff1016410000950defa00000000

Here are some ways to obtain/create the authenticated URL:

This will require you to query the URL each time there is a video playback request, which can place a heavy load on your own server due to the large number of URL queries.

  • You can also add authentication parameters t, k, r and vid yourself:
Parameter Description
t A UNIX second-level timestamp referring to the time to expire.
vid VideoId of the video, you can check the videoId on the console or via the API getVideoList.
k k=md5 (secretKey+vid+t+r). You can get the SecretKey from the console via Account > Security Settings > API Information Management > AccessKey Management.
r r is a random number you can assign.

Step 2
When a player requests the URL that carries the authentication parameters, for example

https://cloudv.cdnetworks.com/vod/test.m3u8?t=1533289173&k=b83eb56186b4c7c7ae7ff7e2a1ee58d9&vid=0f97c608015f10007f0f055d00000000&r=ff237ff1016410000950defa00000000

Cloud VoD sends back the m3u8 file and automatically adds authentication information to URI in EXT-X-KEY as follows:

Step 3
After retrieving the m3u8 from Cloud VoD, the player will automatically send a request to obtain the content key from the Cloud VoD authentication service.
Cloud VoD authentication service will verify the authentication info, then KMS will send the content key to the player if the authentication info is verified valid, otherwise the request will be rejected directly.
Step 4
After receiving the decryption key, the player can decrypt the video for playback. The decryption key is encrypted and sent using HTTPS, ensuring security when transmitted.

Is the content of this document helpful to you?
Yes
I have suggestion
Submitted successfully! Thank you very much for your feedback, we will continue to strive to do better!