Secure media against unauthorized viewing through the following methods:
The Token-Based Authentication feature may secure live and on-demand streams by requiring that a viewer satisfy a set of security requirements before being granted access to your content. This type of configuration is supported under the following circumstances:
Token-Based Authentication should only be enabled on manifest files (i.e., m3u8 and mpd). This may be achieved via the following Rules Engine configuration:
To create a rule that secures manifest files with Token-Based Authentication
Modify the draft to include the URL Path Extension Literal match condition.
Configure this match condition as indicated below.
Directly below this match condition, add the Token Auth feature.
Both Encrypted HLS and Encrypted Key Rotation are incompatible with Server-Side Archiving.
Stream encryption requires the activation of the Encrypted HLS feature. Please contact your CDN account manager to activate this feature.
AES-128 encryption can be applied to HLS streams generated for your live events and on-demand content. Encrypted streams can only be decrypted by players that support encrypted HLS (e.g., iOS devices, QuickTime, and Android devices). Players that do not support encrypted HLS will be unable to play back encrypted streams.
Key information:
Only HLS streams can be encrypted at this time. This means that it may be possible to download or stream your content using a different streaming technology (e.g., MPEG-DASH).
Additional protection may be applied to sensitive streams by denying all non-HLS requests for H.264 assets. This type of setup may be achieved via Rules Engine. For more information, please contact your CDN account manager.
An event's configuration determines whether its streams will be encrypted. Specifically, the Encrypt HLS option toggles whether AES-128 encryption will be applied to all streams associated with the instance.
Key rotation requires the activation of the Encrypted Key Rotation feature. Please contact your CDN account manager to activate this feature.
The encryption key generated for a live stream may be rotated at regular intervals to prevent unauthorized playback via a shared link. Upon enabling this capability, a media player will be required to fetch the latest version of the encryption key at the specified interval.
Key information:
The live event's segment size plays a role in determining how often the encryption key will be rotated. Encryption key rotation may only take place at the start of a new segment.
Example
Let's assume the following configuration:
The first encryption key rotation should take place in the middle of the second segment (i.e., at the 15 second mark). However, since the rotation of the encryption key may only take place at the start of a new segment, the key won't be rotated until the start of the second segment (i.e., at the 20 second mark).
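The following added example (not part of the CDN documentation) audits an HLS media playlist for the two properties described above: that every segment is covered by AES-128 encryption, and the points at which the key is rotated. It relies only on the standard `#EXT-X-KEY` and `#EXTINF` playlist tags; the playlist, segment names, and key URLs under `keys.example.com` are constructed sample values.

```python
import re

# Constructed sample media playlist (not captured from a real stream):
# 10-second segments, key rotated at the start of a new segment (20 s mark).
SAMPLE_PLAYLIST = """#EXTM3U
#EXT-X-VERSION:3
#EXT-X-TARGETDURATION:10
#EXT-X-KEY:METHOD=AES-128,URI="https://keys.example.com/k1"
#EXTINF:10.0,
seg0.ts
#EXTINF:10.0,
seg1.ts
#EXT-X-KEY:METHOD=AES-128,URI="https://keys.example.com/k2"
#EXTINF:10.0,
seg2.ts
#EXTINF:10.0,
seg3.ts
"""

def audit_playlist(text):
    """Return (segments, rotations, clear) for an HLS media playlist.

    segments:  list of (start_seconds, segment_uri, key_uri or None)
    rotations: stream times (seconds) at which the key URI changes
    clear:     URIs of segments not covered by METHOD=AES-128
    """
    key_uri, duration, clock = None, None, 0.0
    segments, rotations, clear = [], [], []
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("#EXT-X-KEY:"):
            attrs = dict(re.findall(r'([A-Z0-9-]+)=("[^"]*"|[^,]*)', line[11:]))
            new_key = None  # METHOD=NONE leaves the following segments clear
            if attrs.get("METHOD") == "AES-128":
                new_key = attrs.get("URI", "").strip('"') or None
            # A key tag applies to the segments after it, so a change of URI
            # always takes effect at a segment boundary.
            if key_uri and new_key and new_key != key_uri:
                rotations.append(clock)
            key_uri = new_key
        elif line.startswith("#EXTINF:"):
            duration = float(line[8:].split(",")[0])
        elif line and not line.startswith("#"):
            segments.append((clock, line, key_uri))
            if key_uri is None:
                clear.append(line)
            clock += duration or 0.0
            duration = None
    return segments, rotations, clear
```

Running `audit_playlist` against a saved copy of a stream's media playlist shows whether any segment is served without a key and whether rotation is occurring at the expected segment boundaries.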
The Protected Directories for Encrypted HLS section on the Dynamic Cloud Packaging - VOD page defines the set of locations that will generate encrypted streams from on-demand content.
Secure a directory by:
Key information:
An encrypted directory only applies to the selected origin type (i.e., CDN storage or customer origin).
The same relative path may be secured for both CDN storage and customer origins by creating an encrypted directory configuration for each origin type.
The path to a protected folder is case-insensitive.
The starting point for an encrypted directory's relative path is indicated below.
URL Type | Relative Path (Starting Point) |
---|---|
CDN URL | Specify a relative path that starts directly after the content access point (e.g., /040001 and /840001). Use the following information to interpret the following sample URLs: Sample URL (CDN Storage): http://wpc.0001.{Base Domain}/040001/mybusiness/videos/fly.mp4 Sample URL (Customer Origin): http://wpc.0001.{Base Domain}/840001/mycustomerorigin/mybusiness/videos/fly.mp4 |
Edge CNAME URL (CDN Origin) | Specify a relative path that starts directly after the hostname. Sample URL: In the above sample URL, the gray text indicates what should be excluded when securing a location. This sample request can be secured by any of the following configurations: |