
Securing Media

Updated: August 14, 2014

Azure Media Services enables you to secure your media from the time it leaves your computer through storage, processing, and delivery. The following diagram illustrates how content is protected end to end.

(Diagram: Media Services Content Protection)

Concepts and terminology

The following are some useful concepts and terminology related to data protection.

Access policy
The AccessPolicy entity defines permissions (like read, write, and list) and duration of access to an asset. You would usually pass an AccessPolicy object to a Locator that would then be used to access the files contained in an asset.

Locator
Locators provide an entry point to access files contained in an asset. Media Services supports two types of locators: OnDemandOrigin locators, used to stream media (for example, MPEG DASH, HLS, or Smooth Streaming), and Shared Access Signature (SAS) URL locators, used to download media files. An access policy defines the permissions and the duration for which a client has access to a given asset. Locators can have a many-to-one relationship with an access policy, so that different locators can provide different start times and connection types to different clients while all using the same permission and duration settings; however, because of a shared access policy restriction set by Azure storage services, you cannot have more than five unique locators associated with a given asset at one time. For more information, see Using a Shared Access Signature (REST API).

Advanced Encryption Standard (AES)
AES-128 is a secure encryption algorithm using 128-bit keys and blocks. AES envelope encryption is end-to-end encryption for video streaming: data is encrypted by the server before it is sent out and decrypted by the client for viewing. This allows video data to be transferred safely between the server and client, and makes the video data unreadable by any party who intercepts it in between.

Note that with AES envelope encryption the encryption key is in the clear once it has been received over HTTPS. If you require more robust and secure content protection, use Common Encryption (‘CENC’). PlayReady DRM supports CENC.

Asset encryption options
Depending on the type of content you want to upload, store, and deliver, Media Services provides various encryption options that you can choose from.

  • None - No encryption is used. This is the default value. Note that when using this option your content is not protected in transit or at rest in storage.

    If you plan to deliver an MP4 using progressive download, use this option to upload or encode your content.

  • StorageEncrypted – Use this option to encrypt your clear content locally using AES 256-bit encryption and then upload it to Azure Storage, where it is stored encrypted at rest. Assets protected with storage encryption are automatically decrypted and placed in an encrypted file system prior to encoding, and optionally re-encrypted prior to uploading back as a new output asset. The primary use case for storage encryption is when you want to secure your high-quality input media files with strong encryption at rest on disk.

    In order to deliver a storage encrypted asset, you must configure the asset’s delivery policy (IAssetDeliveryPolicy) so Media Services knows how you want to deliver your content. Before your asset can be streamed, the streaming server removes the storage encryption and streams your content using the specified delivery policy (for example, AES, PlayReady, or no encryption).

  • CommonEncryption - Use this option if you want to encrypt (or upload already encrypted) content with Common Encryption or PlayReady DRM (for example, Smooth Streaming protected with PlayReady DRM).

  • EnvelopeEncrypted – Use this option if you want to protect (or upload already protected) HTTP Live Streaming (HLS) encrypted with Advanced Encryption Standard (AES). Note that if you are uploading HLS already encrypted with AES, it must have been encrypted by Transform Manager.

Note
You must decrypt encrypted assets if you wish for them to be available for progressive download.

Cipher-block Chaining (CBC)
CBC is a block cipher mode of operation that XORs each plaintext block with the previous ciphertext block before encrypting it, so that blocks with the same plaintext produce different ciphertext. It requires an Initialization Vector (IV) for the first block: because the first block has no previous ciphertext block to XOR with, the IV takes the place of that previous block.

Common Encryption Scheme (CENC)
CENC specifies standard encryption and key mapping methods. CENC defines a common format for the encryption related metadata necessary to decrypt the protected streams. At the same time, it leaves the management of rights mappings, key acquisition and storage, DRM compliance rules, etc. up to the DRM system or systems supporting the 'cenc' scheme. PlayReady supports CENC. To stream MPEG DASH you need to make sure to use CENC options. For more information, see Task Preset for Azure Media Encryptor.

Dynamic encryption and Static encryption
In Azure Media Services, you can use dynamic encryption or static encryption to encrypt your content with AES-128, PlayReady DRM, or storage encryption. It is recommended to use dynamic encryption.

When using dynamic encryption and packaging, you only need to store and pay for the files in a single format: adaptive bitrate MP4s or adaptive bitrate Smooth Streaming. Media Services will build, encrypt, and serve content in the correct format based on the format specified in the streaming URL by the client. For example, http://test001.origin.mediaservices.windows.net/fecebb23-46f6-490d-8b70-203e86b0df58/BigBuckBunny.ism/Manifest(format=m3u8-aapl) indicates that the client wants the stream in HLS format.

The following blog discusses dynamic and static encryption: Dynamic encryption vs. Static encryption.

Microsoft PlayReady DRM
Media Services enables you to protect your content with PlayReady DRM. PlayReady protects the stream during playback by using a license server that protects the decryption key needed to decrypt the media stream. The player should also provide a robust and secure playback environment that meets the compliance and robustness rules for PlayReady. When a user attempts to access a PlayReady-protected asset, the player passes its player ID and device information to a license server. The license server verifies whether the user has permission to access the stream and determines whether their device is trusted to decrypt the stream.

Media Services also provides a service for delivering Microsoft PlayReady licenses. To sign up for the PlayReady License Delivery Service, do the following:

  • Follow the instructions described in Preview features.

  • In the Azure Management Portal, go to the CONTENT PROTECTION tab and add a row to the Branding Reporting table. The Media Services PlayReady license service will be enabled a few minutes after you press SAVE.

Once you sign up for the PlayReady license delivery service, you can use the Azure Management Portal to configure your PlayReady license service policy. Media Services also provides APIs that let you configure the rights and restrictions that you want the PlayReady DRM runtime to enforce when a user is trying to play back protected content. For more information, see Using PlayReady Dynamic Encryption and License Delivery Service.

Note that you can also choose to implement your own or use a third-party provider. For more information about implementing your own PlayReady license server see: Microsoft PlayReady Overview.

PlayReady license and AES clear key delivery services
Media Services provides a service for delivering PlayReady licenses and AES clear keys to authorized clients. You can use the Azure Management Portal or Media Services SDK for .NET to configure authorization and authentication policies for your licenses and keys.

Note if you are using the Portal, you can configure one AES policy (which will be applied to all the AES encrypted content) and one PlayReady policy (which will be applied to all the PlayReady encrypted content). Use Media Services SDK for .NET if you want more control over the configurations.

PlayReady license template
Media Services provides a service for delivering PlayReady licenses. When the end user player (for example, Silverlight) tries to play your PlayReady protected content, a request is sent to the license delivery service to obtain a license. If the license service approves the request, it issues the license which is sent to the client and can be used to decrypt and play the specified content.

Licenses contain the rights and restrictions that you want for the PlayReady DRM runtime to enforce when a user is trying to playback protected content. Media Services provides APIs that let you configure your PlayReady licenses.

Token restriction
The content key authorization policy can have one or more authorization restrictions: open, token restriction, or IP restriction. A token-restricted policy must be accompanied by a token issued by a Secure Token Service (STS). Currently, Media Services only supports tokens in the Simple Web Token (SWT) format. Media Services does not provide a Secure Token Service; you can create a custom STS or use Microsoft Azure ACS to issue tokens. The STS must be configured to create a token signed with the specified key and to issue the claims that you specified in the token restriction configuration. The Media Services key delivery service will return the requested key (or license) to the client if the token is valid and the claims in the token match those configured for the key (or license).

When configuring the token-restricted policy, you must specify the primary verification key, issuer, and audience parameters. The primary verification key is the key that the token was signed with; the issuer is the secure token service that issues the token. The audience (sometimes called scope) describes the intent of the token or the resource the token authorizes access to. The Media Services key delivery service validates that these values in the token match the values in the template. For more information, see Simple Web Token (SWT).

Note that if you are using the Azure Management Portal to configure the token restricted policy, make sure to start an ISSUER Uri value with “urn:” (for example, “urn:someissuer”) and a SCOPE Uri with “http://” (for example, http://testacs.com).

The following blog shows how to configure ACS to issue SWT tokens: Configure ACS with Azure Media Services AES/PlayReady license services with token authentication.
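The following is an added example, not code from the Media Services documentation or SDK: it mints an SWT the way an STS would and then applies the checks the text attributes to the key delivery service (signature against the primary verification key, expiry, issuer, audience, required claims). The key, issuer, audience and the claim name `urn:example:contentkey` are constructed values, not real Media Services configuration.

```python
import base64
import hashlib
import hmac
import time
from urllib.parse import parse_qsl, quote, unquote, urlencode

# Constructed values for this example (not real Media Services configuration).
# The shared symmetric key plays the role of the "primary verification key".
VERIFICATION_KEY = base64.b64encode(b"0123456789abcdef0123456789abcdef").decode()
ISSUER = "urn:someissuer"         # issuer URI, prefixed with "urn:" as the text notes
AUDIENCE = "http://testacs.com"   # scope/audience URI, prefixed with "http://"
CLAIM = "urn:example:contentkey"  # constructed claim name carried in the token


def _sign(unsigned, key_b64):
    """SWT signature: HMAC-SHA256 over the UTF-8 token bytes, base64 encoded."""
    mac = hmac.new(base64.b64decode(key_b64), unsigned.encode("utf-8"), hashlib.sha256)
    return base64.b64encode(mac.digest()).decode()


def issue_swt(claims, key_b64, issuer, audience, lifetime_s=600, now=None):
    """Mint an SWT as an STS would: form-encoded claims plus a trailing HMACSHA256 parameter."""
    now = int(time.time()) if now is None else now
    fields = {"Issuer": issuer, "Audience": audience, "ExpiresOn": str(now + lifetime_s)}
    fields.update(claims)
    unsigned = urlencode(fields)
    return unsigned + "&HMACSHA256=" + quote(_sign(unsigned, key_b64), safe="")


def validate_swt(token, key_b64, issuer, audience, required_claims, now=None):
    """The checks the key delivery service applies before releasing a key or license."""
    now = int(time.time()) if now is None else now
    unsigned, sep, sig_part = token.rpartition("&HMACSHA256=")
    if not sep:
        return False, "missing signature"
    # Verify the signature first, in constant time; nothing in the token is trusted before that.
    if not hmac.compare_digest(_sign(unsigned, key_b64), unquote(sig_part)):
        return False, "bad signature"
    fields = dict(parse_qsl(unsigned, keep_blank_values=True))
    expires = fields.get("ExpiresOn", "")
    if not expires.isdigit() or int(expires) <= now:
        return False, "expired"
    if fields.get("Issuer") != issuer:
        return False, "issuer mismatch"
    if fields.get("Audience") != audience:
        return False, "audience mismatch"
    for name, value in required_claims.items():
        if fields.get(name) != value:
            return False, "claim %s mismatch" % name
    return True, "ok"
```

Any edit to the signed portion of the token (for example, changing the Issuer value) fails the signature check before the issuer, audience or claim comparisons are reached.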

Encrypting your content

The following considerations apply when encrypting your content with Media Services.

  • It is recommended to convert your mezzanine files to adaptive bitrate MP4 sets before further processing.

    When working with dynamic encryption, your files must be encoded into a set of adaptive bitrate MP4s or adaptive bitrate Smooth Streaming files.

    You could get an asset that contains a set of adaptive bitrate MP4s from an encoding job. For example, if your mezzanine file is a single MP4, you can use Media Services Encoder to encode the MP4 file into a set of adaptive bitrate MP4s. For more information, see Encoding Media with Media Services.

    If you already have a set of existing adaptive bitrate MP4s, you can upload the files into an asset and continue processing the asset. If the set was encoded using external encoders, it is recommended to validate it. For more information, see Validating Adaptive Bitrate MP4s Encoded with External Encoders.

  • You must decrypt encrypted assets if you wish for them to be available for progressive download.

Storage encryption

If you have unencrypted content and want to encrypt it locally with AES-256 and then upload it to Azure Storage, use the StorageEncrypted option. This will encrypt your content locally and then upload it to Azure Storage, where it will be stored encrypted. This scenario is used to protect your content at rest when that content is being used as input to the Media Processor pipeline, which includes encoding or packaging tasks. Assets protected with StorageEncryption are automatically decrypted and placed in an encrypted file system prior to encoding. You can specify that the assets created as a result of encoding or packaging tasks be storage encrypted as well. For more information, see Producing Storage Encrypted Content.

In order to deliver a storage encrypted asset, you must use dynamic encryption and configure the asset’s delivery policy (IAssetDeliveryPolicy) so Media Services knows how you want to deliver your content. Before your asset can be streamed, the streaming server removes the storage encryption and streams your content using the specified delivery policy. For example, to deliver your asset encrypted with an Advanced Encryption Standard (AES) key, set the policy type to DynamicEnvelopeEncryption. To remove storage encryption and stream the asset in the clear, set the policy type to NoDynamicEncryption. For other delivery policy types, see AssetDeliveryPolicyType. For more information, see Delivering Storage Encrypted Content.

Dynamically encrypting with PlayReady DRM or AES-128

To take advantage of dynamic encryption you have to do the following:

  • Get at least one scale unit (also known as streaming unit). For more information, see How to Scale a Media Service.

  • Upload or encode an asset that contains a set of adaptive bitrate MP4 files or adaptive bitrate Smooth Streaming source files.

  • Configure the delivery policy for the asset. The delivery policy configuration includes:

    • delivery protocol (for example, MPEG DASH, HLS, HDS, Smooth Streaming or all),

    • the type of dynamic encryption (for example, common encryption or envelope encryption),

    • PlayReady license acquisition URL or AES key acquisition URL.

The following scenarios are supported when doing dynamic encryption with Media Services.

Statically encrypting with PlayReady DRM or AES-128

The following scenarios are supported when statically encrypting with PlayReady DRM.

When using static encryption, AES-128 encryption can only be applied to HLS.

The following example demonstrates how to encrypt HLS with AES using Media Services .NET SDK: Using Static Encryption to Protect HLSv3 with AES-128.

Using Media Services PlayReady license and AES key delivery services

When using the Media Services PlayReady license or AES key delivery services, you need to configure the authorization policy for your content key. The content key authorization policy must be configured by you and met by the client (player) in order for the key to be delivered to the client. The content key authorization policy can have one or more authorization restrictions: open, token restriction, or IP restriction. For more information, see the “Configure the content key’s authorization policy” section in the following topics:

Using PlayReady Dynamic Encryption and License Delivery Service

Using AES-128 Dynamic Encryption and Key Delivery Service

The following are most common scenarios when using Media Services PlayReady license and AES key delivery services.

Consuming media

For information about developing client applications and consuming media, see Developing Video Player Applications.

Build Date:

2014-11-25
