Azure Media Services is getting a big update this week at NAB Show 2014. You now have more options to secure your media delivery: AES clear key dynamic encryption or Microsoft PlayReady content access and protection technology. This feature allows you to serve both encrypted HLS and Smooth Streaming to your client devices.
AES Clear Key Dynamic Encryption Feature explained
Azure Media Services now allows you to deliver HTTP Live Streaming (HLS) and Smooth Streaming encrypted with the Advanced Encryption Standard (AES), using 128-bit encryption keys. Media Services also provides the key delivery service that delivers encryption keys to authorized users. The diagram below demonstrates how this feature works.
First of all, similar to dynamic packaging, you bring in a multi-bitrate MP4 or Smooth Streaming video file. If you want Media Services to encrypt an asset, you need to associate an encryption key with the asset and also configure authorization policies for the key. After that, the Media Services origin server will dynamically encrypt the HLS or Smooth Streaming stream with the AES encryption algorithm. When a stream is requested by a “player”, Media Services uses the specified key to dynamically encrypt your content using AES encryption. To decrypt the stream, the “player” requests the key from the key delivery service. To decide whether or not the user is authorized to get the key, the service evaluates the authorization policies that you specified for the key. We provide three options: token-based authentication, IP-based authentication and open. If you choose token-based authentication, you will usually integrate the token issuance process into your own authentication system. That way, only an authorized player can obtain a valid token from your authentication system, and our key service will validate the token and issue the AES key for the player to decrypt the stream.
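The three authorization options described above, as an added Python sketch (not Azure Media Services code and not its real token format). The HMAC-signed token, the policy dictionaries, the key IDs and the function names `issue_token`, `token_ok` and `deliver_key` are all hypothetical.

```python
import hashlib
import hmac
import ipaddress
import secrets
import time

# Constructed sample data; names and token format are hypothetical.
SIGNING_KEY = secrets.token_bytes(32)  # shared by your auth system and the key service
CONTENT_KEYS = {"key-001": secrets.token_bytes(16), "key-002": secrets.token_bytes(16)}

def _sign(payload):
    return hmac.new(SIGNING_KEY, payload.encode(), hashlib.sha256).hexdigest()

def issue_token(key_id, ttl=300, now=None):
    """Auth system: mint a short-lived token bound to one content key."""
    expires = int((time.time() if now is None else now) + ttl)
    payload = f"{key_id}|{expires}"
    return f"{payload}|{_sign(payload)}"

def token_ok(token, key_id, now=None):
    """Key service: check signature first, then key binding and expiry."""
    parts = token.split("|")
    if len(parts) != 3:
        return False
    tok_key_id, expires, sig = parts
    expected = _sign(f"{tok_key_id}|{expires}")
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return False
    now = time.time() if now is None else now
    return tok_key_id == key_id and int(expires) > now

def deliver_key(key_id, policy, token=None, client_ip=None, now=None):
    """Return the 128-bit AES key only if the key's authorization policy passes."""
    if key_id not in CONTENT_KEYS:
        return None
    kind = policy["type"]
    if kind == "open":
        allowed = True
    elif kind == "ip":
        allowed = client_ip is not None and any(
            ipaddress.ip_address(client_ip) in ipaddress.ip_network(net)
            for net in policy["allowed_networks"])
    elif kind == "token":
        allowed = token is not None and token_ok(token, key_id, now)
    else:
        allowed = False  # unknown policy type: fail closed
    return CONTENT_KEYS[key_id] if allowed else None
```

Binding the token to a single key ID and an expiry time keeps a token leaked from one player from unlocking other assets or being replayed later.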
Which client platform and devices support AES decryption?
AES decryption is an open algorithm that anyone could implement after downloading the stream. We have implemented an AES decryptor as a plugin for the following platforms:
- Flash OSMF plugin to decrypt AES-encrypted Smooth Streaming
- Windows 8 cache plugin to decrypt AES-encrypted Smooth Streaming
- iOS natively supports decryption of AES-encrypted HLS streams. We will provide sample code for handling the key request.
Who should use AES dynamic encryption?
AES dynamic encryption protects on-the-wire communication using the widely known symmetric AES encryption algorithm. This prevents man-in-the-middle attacks: if someone eavesdrops on the communication, they won’t get any useful information. However, the AES key is in the “clear” on client devices, so this approach requires you to trust your client. Enterprise video is a good use case. Employees are usually bound by an employee agreement not to distribute their training videos, so the enterprise only needs to prevent outsiders from grabbing the video from network traffic. Last month, Office 365 launched a video portal based on SharePoint for enterprises to share knowledge. All videos use AES dynamic encryption and are streamed out through Azure Media Services.
PlayReady as a Service feature explained
Azure Media Services provides a Microsoft PlayReady license delivery service. PlayReady is a full-featured content access protection technology developed by Microsoft that uses Digital Rights Management (DRM). It protects a content media stream during playback by using a license server that provides the decryption key needed to decrypt the media stream. For more information, see Microsoft PlayReady. The diagram below shows how this works in detail:
First, you need to pre-encrypt the Smooth Streaming file with a PlayReady license by providing us with the License Acquisition URL, Key ID and Content Key. You can follow this MSDN article to use Azure Media Encryptor to encrypt the Smooth Streaming file. You can then further package the encrypted Smooth Streaming output into HLS and DASH (see how here). You can also define how the license is authorized for your users. As with AES dynamic encryption, we offer Token/IP/Open authentication.
When a user tries to watch PlayReady protected content, the client player application requests the content from Azure Media Services. Azure Media Services then redirects the client to an Azure Media Services PlayReady licensing server that authenticates and authorizes the user’s access to the content. The client can then download and decrypt the content. Azure Media Services enables content providers to configure license delivery policy for each client.
Which platforms/devices does the PlayReady SDK cover?
Azure Media Services can be used to encode, download, or stream Smooth Streaming or MPEG DASH content encrypted with PlayReady. For consuming PlayReady encrypted content, client SDKs and the PlayReady Porting Kit are available under commercial licensing terms. (PlayReady clients for Windows 8.1 Store Apps can be built using the free SDK located here.) These client-side SDKs are not part of this preview.
Who should use PlayReady content protection?
Both PlayReady and AES encrypt the stream over the wire, so both prevent man-in-the-middle attacks. However, on the device side, when you use PlayReady, the decryption of the stream happens in a secure DRM environment at a lower layer of the operating system stack. Therefore, neither the key nor the content is exposed in the clear. If you have premium content and you need to prevent piracy, Digital Rights Management (DRM) such as PlayReady is definitely the way to go. In addition, PlayReady allows you to define a comprehensive licensing agreement, such as how many times the user gets to watch the content and how long the content is available to the user.
How do I get access to these services?
Currently, we are running both AES dynamic encryption and the PlayReady service as a private preview. We are working on getting the services out the door for preview soon. If you are interested in trying the service out, please email email@example.com and copy me at firstname.lastname@example.org.