
Secure HLS Streams with AES Encryption

Last updated: 2023-05-22 17:31:11

HLS (HTTP Live Streaming) is an HTTP-based streaming protocol developed by Apple. It packages video content as TS (MPEG-2 Transport Stream) segments and describes them in an M3U8 manifest, a playlist that tells the client which segments to fetch and in what order. To protect the video, the TS segments are encrypted with AES (in HLS this is AES-128 in CBC mode with PKCS#7 padding; the playlist's METHOD attribute names the scheme).
So that the player can decrypt, the M3U8 file carries an #EXT-X-KEY tag with everything it needs: the encryption method (METHOD), the URL from which to fetch the key (URI) and, optionally, the initialization vector (IV). For example:

#EXT-X-KEY:METHOD=AES-128,URI="https://api.cloudv.haplat.net/live/channelManage/getHlsKeyByPullId?cid=xxxx&pid=xxxx"
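The following is an added example, written for this page and not taken from Cloud Live or any player, of how a player reads #EXT-X-KEY tags: it parses the attribute list (quoted URIs may contain commas), resolves the key URI against the playlist URL, tracks key changes across segments, and derives the per-segment IV when the tag gives none (per RFC 8216 the IV is then the segment's media sequence number as a 128-bit big-endian integer). The playlist, the `key2.bin` URI and the `seg*.ts` names are constructed for the example; the first key URI and the IV value are the ones quoted on this page.

```python
"""Added example: read #EXT-X-KEY tags the way an HLS player does.

Illustrative code written for this page, not Cloud Live's or any player's own
implementation.  The playlist below is constructed; the first key URI and the
IV value are the ones quoted on this page.
"""
import re
from urllib.parse import urljoin

PLAYLIST_URL = "http://domain.com/live/428015ad01881000a7f3856700000000/playlist.m3u8"

# Constructed sample playlist.  The first key tag has no IV, so the player
# derives one from the media sequence number; the second carries an explicit IV
# and a relative URI, which the player resolves against the playlist URL.
SAMPLE_M3U8 = """#EXTM3U
#EXT-X-VERSION:3
#EXT-X-TARGETDURATION:6
#EXT-X-MEDIA-SEQUENCE:1234
#EXT-X-KEY:METHOD=AES-128,URI="https://api.cloudv.haplat.net/live/channelManage/getHlsKeyByPullId?cid=xxxx&pid=xxxx"
#EXTINF:6.0,
seg1234.ts
#EXT-X-KEY:METHOD=AES-128,URI="key2.bin",IV=0x31323334353637383132333435363738
#EXTINF:6.0,
seg1235.ts
"""

# name=value pairs; a value is either a quoted string (which may contain commas,
# as key URIs with query strings do) or an unquoted run up to the next comma.
_ATTR_RE = re.compile(r'([A-Z0-9-]+)=(?:"([^"]*)"|([^,]*))')


def parse_attributes(attr_list):
    """Turn 'METHOD=AES-128,URI="...",IV=0x..' into a dict without the quotes."""
    attrs = {}
    for name, quoted, bare in _ATTR_RE.findall(attr_list):
        attrs[name] = quoted if quoted else bare
    return attrs


def segment_iv(key, sequence_number):
    """RFC 8216: with no IV attribute, the IV is the segment's media sequence
    number as a 128-bit big-endian integer."""
    if key["iv"] is not None:
        return key["iv"]
    return sequence_number.to_bytes(16, "big")


def parse_playlist(playlist_text, playlist_url=PLAYLIST_URL):
    """Walk the playlist as a player does: track the active #EXT-X-KEY and the
    media sequence number, and return one record per segment with the absolute
    key URI the player will fetch and the IV it must use for that segment."""
    media_seq = 0
    current_key = None          # None: segments are in the clear
    records = []
    for raw in playlist_text.splitlines():
        line = raw.strip()
        if line.startswith("#EXT-X-MEDIA-SEQUENCE:"):
            media_seq = int(line.split(":", 1)[1])
        elif line.startswith("#EXT-X-KEY:"):
            attrs = parse_attributes(line[len("#EXT-X-KEY:"):])
            if attrs.get("METHOD", "NONE") == "NONE":
                current_key = None
            else:
                iv_attr = attrs.get("IV")
                current_key = {
                    "method": attrs["METHOD"],
                    # URI may be relative to the playlist; resolve it as a player would.
                    "uri": urljoin(playlist_url, attrs["URI"]),
                    "iv": bytes.fromhex(iv_attr[2:]) if iv_attr else None,
                }
        elif line and not line.startswith("#"):
            records.append({
                "segment": urljoin(playlist_url, line),
                "sequence": media_seq,
                "method": current_key["method"] if current_key else "NONE",
                "key_uri": current_key["uri"] if current_key else None,
                "iv": segment_iv(current_key, media_seq) if current_key else None,
            })
            media_seq += 1
    return records


if __name__ == "__main__":
    for rec in parse_playlist(SAMPLE_M3U8):
        print(rec["segment"], rec["method"], rec["key_uri"], rec["iv"].hex())
```

Note what the parser makes obvious: the key URI is plain text in a playlist that every viewer downloads, so whoever can read the playlist knows exactly where the key lives. The segment ciphertext is only as private as that URL.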

How it works

The picture below illustrates how AES encryption works on Cloud Live. To encrypt your live channel, check the "HLS Encryption" option when creating it in Cloud Live; the rest of the process (steps 2 to 9 in the picture) is handled automatically by Cloud Live and your player.

How to use

Before using this feature, make sure AES encryption is enabled for your Cloud Live account. If it is not, contact our customer service to enable it.

First, click "Create Channel" to create a new channel.

To encrypt your stream, select the "HLS Encryption" option. Set an expiration time for the encryption key; if you do not, it defaults to 7 days. After that period the encryption no longer works, so choose an expiration that covers the lifetime of the channel.

Afterwards, the new channel appears in the channel list with an "Encryption: Encrypted" label, which indicates that the stream is now encrypted with HLS AES.

You can download an HLS segment (TS file) and load it into a player, but it will not play on its own: the segment is AES ciphertext, and a player can only decode it after fetching the key named in the playlist's #EXT-X-KEY tag.

Key Authentication

Once the stream is encrypted, the player receives the M3U8 file, sees from the #EXT-X-KEY tag that the segments are encrypted and cannot be played as they are, and fetches the decryption key from the address in the URI attribute. For example:

#EXT-X-KEY:METHOD=AES-128,URI="https://api.cloudv.haplat.net/live/channelManage/getHlsKeyByPullId?cid=xxxx&pid=xxxx"

Note, however, that by default the URI carries no authentication token. Anyone who obtains this URL (and it is visible in plain text to every client that downloads the playlist) can request it and retrieve the key from the Cloud Live KMS, so the segment encryption on its own does not keep the stream from anyone who can fetch the playlist.
We therefore strongly recommend adding authentication parameters to the key retrieval URL. Cloud Live provides token parameters for this purpose; contact our customer service to enable them. Once they are enabled, the M3U8 URL takes this form:

http://domain.com/live/428015ad01881000a7f3856700000000/playlist.m3u8?t=1684744537&k=88db0138ea5abbc7266aab9c8ff295be&r=4294f256018810006d25b43c00000000

As you can see, the parameters t, k and r have been appended to the URL. They are generated as follows:

Parameter   How to generate
t           The UNIX timestamp, in seconds, at which the token expires; key requests made after this time are rejected.
k           k = md5(secretKey + t + r): the MD5 digest, as 32 lowercase hex characters, of the SecretKey, t and r concatenated in that order. You can obtain the SecretKey from the console under Account > Security Settings > API Information Management > AccessKey Management.
r           A random value (nonce) of your choosing; the example uses a 32-character hex string.

After these parameters are added to the playback URL, our CDN copies them into the key URI in the #EXT-X-KEY tag, and only a key request that carries valid parameters is allowed to retrieve the key. The tag then looks like this:

#EXT-X-KEY:METHOD=AES-128,URI="https://api.cloudv.haplat.net/live/channelManage/getHlsKeyByPullId?cid=196507&pid=55555555ss062q2455563365qn065379&t=1684746397&k=640e49d94c11d85cb60ff961312de8b2&r=42b1528a0188100060f4ed0e00000000",IV=0x31323334353637383132333435363738

This prevents unauthorized users from obtaining the key and decrypting the stream, which further improves stream security. Note that the token gates who may fetch the key; a viewer who legitimately receives it still holds the key material, as in any HLS AES-128 deployment, so the token is an access control, not DRM.

You can generate these parameters in your own application with a few lines of code, or use our API getSinglePullCode to retrieve a signed playback URL directly.
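The following is an added example, written for this page and not Cloud Live's own implementation, of generating the t/k/r token for a playback URL and of the check a key server has to make on the other side (expiry, then a constant-time comparison of the recomputed digest). It assumes that t is the decimal string of the UNIX time, that SecretKey, t and r are concatenated as strings in the order given in the table, and that k is the lowercase hex MD5 digest (which matches the 32-hex-character k in the example above); the SecretKey below is constructed, and the real one comes from the console.

```python
"""Added example: generate and check the t/k/r token described on this page.

Illustrative code written for this page, not Cloud Live's own implementation.
Assumptions: t is the decimal string of the UNIX time, the three values are
concatenated as strings in the order secretKey + t + r, and k is the lowercase
hex MD5 digest.  The secret below is constructed; the real one comes from the
console (Account > Security Settings > API Information Management).
"""
import hashlib
import re
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlsplit

SECRET_KEY = "0123456789abcdef0123456789abcdef"   # constructed, not a real key
_HEX32 = re.compile(r"[0-9a-fA-F]{32}")


def compute_k(secret_key, t, r):
    """k = md5(secretKey + t + r), hex encoded (assumed string concatenation)."""
    return hashlib.md5((secret_key + t + r).encode("ascii")).hexdigest()


def make_token(secret_key, expires_at, r=None):
    """Return (t, k, r) for a token that expires at UNIX time expires_at."""
    if r is None:
        r = secrets.token_hex(16)           # 32 hex chars, like the page's example r
    t = str(int(expires_at))
    return t, compute_k(secret_key, t, r), r


def sign_playback_url(base_url, secret_key, ttl_seconds, now=None):
    """Append t, k and r to a playback URL; the CDN then copies them into the key URI."""
    now = int(time.time()) if now is None else now
    t, k, r = make_token(secret_key, now + ttl_seconds)
    return base_url + "?" + urlencode({"t": t, "k": k, "r": r})


def verify_token(secret_key, t, k, r, now=None):
    """The check a key server must make: reject expired tokens, malformed
    digests, and any k that does not match the recomputed digest."""
    now = int(time.time()) if now is None else now
    if not (t.isdigit() and int(t) >= now):
        return False                      # expired (or not a timestamp)
    if not _HEX32.fullmatch(k):
        return False                      # keeps compare_digest on ASCII input
    return secrets.compare_digest(compute_k(secret_key, t, r), k.lower())


def verify_url(secret_key, url, now=None):
    """Pull t, k and r out of a key URI such as the #EXT-X-KEY example above."""
    q = parse_qs(urlsplit(url).query)
    try:
        return verify_token(secret_key, q["t"][0], q["k"][0], q["r"][0], now)
    except KeyError:
        return False                      # no token at all: the unauthenticated case


if __name__ == "__main__":
    url = sign_playback_url(
        "http://domain.com/live/428015ad01881000a7f3856700000000/playlist.m3u8",
        SECRET_KEY, ttl_seconds=600)
    print(url)
    print("valid now:", verify_url(SECRET_KEY, url))
```

Two practical points follow from the formula. Because the digest covers only the SecretKey, t and r, a valid triple verifies against any playback URL signed with the same SecretKey until t passes, so keep the TTL as short as the viewing session allows and treat the SecretKey like any other API credential (it is the same key under AccessKey Management). And since t is the expiry, generate it from the server's clock rather than trusting a client-supplied value.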
