With CDNetworks’ Media Acceleration Live Broadcast service, you can secure your HLS streams using AES-128 encryption. This article outlines the steps to configure AES-128 encryption for your HLS stream.

Encrypt HLS Stream

To encrypt your stream, start by sending a request with your stream URI, encryption key, key URL, etc., as demonstrated below.

Request Example

curl -i --url "http://ca.haplat.net/wslive/drm/manage.action?n=$username&r=$currentTimeStamp&k=$k" \
-X "POST" \
-H "Content-Type: application/json" \
-d '{
    "Host":"streampull.cdnetworks.com",
    "data":[
        {
            "Stream":"live/stream1",
            "Action":"add",
            "Method":"aes-128",
            "Key":"123456789",
            "Uri":"http://livestream-aes.com/testaeskey",
	    "Expire":"1850092464"
        }
    ]
}'

Parameters and Headers

Parameter/Header	Required	Description
Host	Yes	Stream pull domain.
n	Yes	Your account name.
r	Yes	A unique random string with maximum length of 13, it’s recommended to use timestamp.
k	Yes	MD5 authentication value. k = md5 (r + apikey), that is, to obtain the value of ‘k’, append the string apikey to the end of the string ‘r’, and then perform an MD5 calculation on the resulting string. Note: The apikey can be retrieved from the customer service. For example, 1. Request and get apikey=012f37a3f2952 2. Randomly generate string r=1409284800 3. Append the apikey to the end of ‘r’, producing the string '1409284800012f37a3f2952’ 4. Calculate the MD5 hash of the new string to obtain the value of ‘k’, which is ‘b9fed80be752551834eec3e52fa94115’

Request Body

The request body needs to be in JSON format. You can create a JSON object that includes the information provided below.

Item	Required	Description
Stream	Yes	Application name or along with the stream name, for example, “/”, “live” and “live/livestream”. Note: Only Top-level application name is allowed.
Action	Yes	Actions type. Support three types of values: “add”, ”update” and “del”.
Method	No	Encryption algorithm, ase-128 or AES-128.
Key	Yes	Key value.
Uri	Yes	Key URL.
Expire	No	Key expiration date represented by a Linux timestamp in seconds, for example: 1646720000. Note that if the expiration date is not specified, the encryption key will remain valid for a maximum of 7 days. After the key expires, the streaming will no longer be encrypted.

Error Codes

HTTP Code	Description
400	Missing parameters of n, r, k or any required field in request body.
403	Incorrect k value.
404	Incorrect URI.
405	The request method is not POST.
5xx	Internal server error.

Example of response

{
    "msg": true,
    "code": 200,
    "callTime": "2023-04-13 16:35:45"
}

Test AES Encryption

If AES encryption is functioning properly, your stream will be encrypted, preventing the player from playing back the media segment. You can verify this by following these steps:

Copy the playback URL and paste it in the web browser address bar.

http://pullaes128.cdnetworks.com/test/a5ebdd290182100039a7236800000000/playlist.m3u8

Save the playlist file to your computer. If the stream has been encrypted successfully, you will see a header of EXT-X-KEY in the playlist file:

#EXTM3U
#EXT-X-VERSION:3
#EXT-X-ALLOW-CACHE:NO
#EXT-X-TARGETDURATION:4
#EXT-X-MEDIA-SEQUENCE:69

#EXT-X-KEY:METHOD=AES-128,URI="https://cloudvodtest0622.cdnetworks.com/cloudv-material/**********************",IV=0x313233343536******************
#EXTINF:3.989,
1661944371.ts?wsApp=HLS&wsMonitor=0
#EXTINF:3.968,
1661944372.ts?wsApp=HLS&wsMonitor=0
#EXTINF:3.989,
1661944373.ts?wsApp=HLS&wsMonitor=0

Copy the path for one of the TS files. Then substitute the playlist path “playlist.m3u8” with the TS file path “1661944371.ts?wsApp=HLS&wsMonitor=0” in the playback URL. For example:

http://pullaes128.cdnetworks.com/test/a5ebdd290182100039a7236800000000/1661944371.ts?wsApp=HLS&wsMonitor=0

Save the TS file and open it in a player. The player will not be able to play it due to the encryption.

Media Delivery

Cloud Security

Web Performance

Enterprise Application

Storage

Console Guide

API Docs

Secure HLS Streams with AES-128