Secure HLS Streams with AES-128

Last update: 2023-04-14 18:28:35

With CDNetworks’ Media Acceleration Live Broadcast service, you can secure your HLS streams using AES-128 encryption. This article outlines the steps to configure AES-128 encryption for your HLS stream.

Encrypt HLS Stream

To encrypt your stream, send a POST request that carries your encryption key (Key) and key server address (Uri), as shown below.

POST Method

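# $apiKey and $username must be set before running this.
current=$(date "+%Y-%m-%d %H:%M:%S")
timeStamp=$(date -d "$current" +%s)
# r: 13-digit millisecond timestamp. The 10# prefix stops bash from
# reading a nanosecond value with leading zeros as octal.
currentTimeStamp=$((timeStamp*1000 + 10#$(date "+%N")/1000000))
# k = md5(r + apikey)
k=$(echo -n "$currentTimeStamp$apiKey" | md5sum | cut -d ' ' -f1)
curl -i --url "$username&r=$currentTimeStamp&k=$k" \
-X "POST" \
-H "Content-Type: application/json" \
-d '{
    "Host":"your stream push domain",
    "Key":"encryption key",
    "Uri":"key server address",
    "Expire":"expiration date"
}'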

Parameters and Headers

| Parameter/Header | Required | Description |
| --- | --- | --- |
| Host | Yes | Stream push domain. |
| n | Yes | Your account name. |
| r | Yes | A unique random string with a maximum length of 13. Using a timestamp is recommended. |
| k | Yes | MD5 authentication value, k = md5(r + apikey). |

To obtain the value of ‘k’, append the string apikey to the end of the string ‘r’, and then perform an MD5 calculation on the resulting string.
Note: The apikey can be obtained from customer service.
For example:
1. Request and get apikey=012f37a3f2952
2. Randomly generate string r=1409284800
3. Append the apikey to the end of ‘r’, producing the string ‘1409284800012f37a3f2952’
4. Calculate the MD5 hash of the new string to obtain the value of ‘k’, which is ‘b9fed80be752551834eec3e52fa94115’

Request Body

The request body must be a JSON object containing the fields below.

| Item | Required | Description |
| --- | --- | --- |
| Stream | Yes | Stream name, optionally along with the application name, for example “/”, “live” and “live/livestream”. Note: Only a top-level application name is allowed. |
| Action | Yes | Action type. Three values are supported: “add”, “update” and “del”. |
| Method | No | Encryption algorithm, aes-128 or AES-128. |
| Key | Yes | Encryption key. |
| Uri | Yes | Key server address. |
| Expire | No | Key expiration date represented by a Linux timestamp in seconds, for example: 1646720000. Note that if the expiration date is not specified, the encryption key will remain valid for a maximum of 7 days. After the key expires, the stream will no longer be encrypted. |

Error Codes

| HTTP Code | Description |
| --- | --- |
| 400 | Parameter n, r or k is missing, or a required field is missing from the request body. |
| 403 | Incorrect k value. |
| 404 | Incorrect URI. |
| 405 | The request method is not POST. |
| 5xx | Internal server error. |

Example of response

    {
        "msg": true,
        "code": 200,
        "callTime": "2023-04-13 16:35:45"
    }

Test AES Encryption

If AES encryption is functioning properly, your stream will be encrypted, preventing the player from playing back the media segment. You can verify this by following these steps:

  1. Copy the playback URL and paste it into the web browser address bar.
  2. Save the playlist file to your computer. If the stream has been encrypted successfully, you will see an EXT-X-KEY tag in the playlist file:

  3. Copy the path for one of the TS files. Then replace the playlist path “playlist.m3u8” in the playback URL with the TS file path, such as “1661944371.ts?wsApp=HLS&wsMonitor=0”. For example:
  4. Save the TS file and open it in a player. The player will not be able to play it because it is encrypted.
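The manual check above can also be scripted. The following is an added example, not CDNetworks code: it finds the EXT-X-KEY tag in effect for a given segment and tests whether the saved segment still has the clear MPEG-TS packet structure. The playlist, the key URI keys.example.com and both segment byte strings are constructed sample data.

```python
import re

TS_PACKET = 188   # MPEG-TS packet size in bytes
TS_SYNC = 0x47    # every clear TS packet starts with this sync byte
ATTR_RE = re.compile(r'([A-Z0-9-]+)=("[^"]*"|[^,]*)')  # quoted values may hold commas

def key_for_segment(playlist, segment_uri):
    """Return the attributes of the EXT-X-KEY tag that applies to segment_uri, or None."""
    current = None
    for line in map(str.strip, playlist.splitlines()):
        if line.startswith("#EXT-X-KEY:"):
            attrs = ATTR_RE.findall(line.split(":", 1)[1])
            current = {name: value.strip('"') for name, value in attrs}
        elif line == segment_uri:
            return current
    return None  # segment not listed in this playlist

def looks_like_clear_ts(data, packets=5):
    """True if the first `packets` packets all begin with the TS sync byte."""
    if len(data) < TS_PACKET * packets:
        return False
    return all(data[i * TS_PACKET] == TS_SYNC for i in range(packets))

def verify_encryption(playlist, segment_uri, segment):
    key = key_for_segment(playlist, segment_uri)
    if key is None or key.get("METHOD") != "AES-128":
        return "FAIL: no METHOD=AES-128 key applies to this segment"
    if not key.get("URI"):
        return "FAIL: EXT-X-KEY has no key URI"
    if looks_like_clear_ts(segment):
        return "FAIL: segment is still clear MPEG-TS"
    return "OK"

# Constructed sample data (not captured from a real stream).
SEGMENT_URI = "1661944371.ts?wsApp=HLS&wsMonitor=0"
PLAYLIST = f"""#EXTM3U
#EXT-X-VERSION:3
#EXT-X-TARGETDURATION:10
#EXT-X-KEY:METHOD=AES-128,URI="https://keys.example.com/key?id=1,2"
#EXTINF:10.0,
{SEGMENT_URI}
"""
CLEAR_SEGMENT = (bytes([TS_SYNC]) + bytes(187)) * 8   # eight empty clear packets
ENCRYPTED_SEGMENT = bytes(range(256)) * 4             # stand-in for ciphertext

if __name__ == "__main__":
    print(verify_encryption(PLAYLIST, SEGMENT_URI, ENCRYPTED_SEGMENT))
    print(verify_encryption(PLAYLIST, SEGMENT_URI, CLEAR_SEGMENT))
```

The sync-byte test only shows that a segment is not clear MPEG-TS; it does not prove the segment was encrypted with the expected key.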