Securing Your Media
Updated: July 15, 2013
Windows Azure Media Services allow you to secure your media from the time it leaves your computer through storage, processing, and delivery. This topic discusses securing your media at each level: uploading, processing, and delivery. The following diagram illustrates how content is protected end to end.
There are several scenarios for uploading media to Windows Azure Media Services; each requires you to specify how your content should be protected.
I want to upload my media and store it for later processing
If you have unencrypted content and want to encrypt and upload that content, use AssetCreationOptions.StorageEncrypted. This will encrypt your content locally and then upload it to Windows Azure Storage, where it will be stored encrypted. This scenario is used to protect your valuable content at rest when that content is being used as input to the Media Processor pipeline, for example for encoding or packaging tasks. Assets protected with Storage Encryption are automatically decrypted and placed in an encrypted file system prior to encoding. After processing, Storage Encrypted assets must be decrypted prior to streaming.
I want to upload my media for streaming
If you have pre-encoded Smooth Streaming content protected with PlayReady, specify AssetCreationOptions.CommonEncryptionProtected. If you have pre-encoded HLS content with AES encryption, specify AssetCreationOptions.EnvelopeEncryptionProtected. Your content is already protected in transit and in storage (at rest). Any storage encrypted content must be decrypted before being streamed by Origin Services.
I want to upload my media without any protection
You can upload content and specify AssetCreationOptions.None. This is not recommended as your content is not protected in transit or at rest, although it may be helpful in initially testing your code before adding encryption.
I want to upload an MP4 for progressive download
To deliver MP4 progressive download content, upload your content using AssetCreationOptions.None. Windows Azure Media Services Origin Service does not support the delivery of Storage Encrypted Assets. To protect progressive download content, use DRM protection. In the case of standard progressive download ISO MP4 files, PlayReady DRM is not supported.
The previous paragraphs explained which AssetCreationOptions value to use in each scenario. The encryption options are set when you create an Asset object. All media files in Media Services are associated with an Asset object. AssetCreationOptions are specified when creating an Asset for your media by calling Asset.Create. Each file added to the Asset will use the encryption options specified when the asset is created. For example, if you create an asset by calling Asset.Create("My Secure Asset", AssetCreationOptions.StorageEncrypted), all files added to the asset will be storage encrypted. For a complete list of AssetCreationOptions values, see Microsoft.WindowsAzure.MediaServices.Client.AssetCreationOptions.
When processing encrypted assets (for example, encoding or packaging), you specify encryption options when adding the output asset to the processing task, as shown in the following code snippet:
IAsset outputAsset = task.OutputAssets.AddNew("Output asset", AssetCreationOptions.StorageEncrypted);
For more information about using the Windows Azure Media Encoder and Packager, see Process Assets with the Media Services SDK for .NET.
The asset will be decrypted before the processing operation and stored in an Encrypted File System (EFS) on the Windows Azure Compute node that is processing the task. The media processor(s) perform the required operations on the media stored in the EFS and the output asset of each task is written to storage. Each task in the processing job specifies an AssetCreationOptions value for its output asset. Tasks may create multiple assets while processing. For example, a mezzanine file is encoded to multi-bitrate MP4, which is packaged into Smooth Streaming. The Smooth Streaming asset is then packaged into HLS (encrypted). The Smooth Streaming asset can then be PlayReady protected. The last two outputs are protected Smooth Streaming and protected HLS, which are protected by common encryption and envelope encryption, respectively. All other outputs can be storage encrypted for maximum security. The encryption of each asset created by a job is controlled by specifying the AssetCreationOptions for each task in the job.
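The following C# sketch is an added example, not code from the original topic: it uploads a file into a Storage Encrypted asset, encodes it, and checks that every output asset of the job is Storage Encrypted as well. The account name, account key, file path and the "H264 Broadband 720p" preset are placeholders chosen for illustration.

```csharp
using System;
using System.IO;
using System.Linq;
using System.Threading;
using Microsoft.WindowsAzure.MediaServices.Client;

class StorageEncryptedEncode
{
    static void Main()
    {
        // Placeholders (assumptions): supply your own account name, key and file.
        var context = new CloudMediaContext("<account-name>", "<account-key>");
        string inputPath = @"C:\media\mezzanine.wmv";

        // The option chosen here applies to every file added to the asset:
        // the SDK encrypts locally and then uploads, so the blob is encrypted at rest.
        IAsset input = context.Assets.Create("Mezzanine (encrypted)",
                                             AssetCreationOptions.StorageEncrypted);
        IAssetFile file = input.AssetFiles.Create(Path.GetFileName(inputPath));
        file.Upload(inputPath);

        // Use the newest registered version of the encoder.
        IMediaProcessor encoder = context.MediaProcessors
            .Where(p => p.Name == "Windows Azure Media Encoder")
            .ToList()
            .OrderBy(p => new Version(p.Version))
            .Last();

        IJob job = context.Jobs.Create("Encode with encrypted output");
        // ProtectedConfiguration also encrypts the task configuration string.
        ITask task = job.Tasks.AddNew("Encode task", encoder,
                                      "H264 Broadband 720p", // example preset
                                      TaskOptions.ProtectedConfiguration);
        task.InputAssets.Add(input);
        // Each task declares the protection of its own output asset.
        task.OutputAssets.AddNew("Encoded (encrypted)",
                                 AssetCreationOptions.StorageEncrypted);
        job.Submit();
        job.GetExecutionProgressTask(CancellationToken.None).Wait();

        // Fail closed: stop if the job failed or any output was written unencrypted.
        if (job.State != JobState.Finished ||
            !job.OutputMediaAssets.All(a => a.Options == AssetCreationOptions.StorageEncrypted))
            throw new InvalidOperationException("Job failed or an output asset is not Storage Encrypted.");
    }
}
```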
I want to encode a video and secure it for storage
Specify AssetCreationOptions.StorageEncrypted when creating the output asset for the encoding task. When a storage encrypted asset is downloaded using one of the Windows Azure Media Services SDKs (.NET, Java), the SDK will automatically decrypt the asset as part of the download process. If you are using the Windows Azure REST API, automatic decryption does not occur and the downloaded data must be decrypted afterwards.
I want to encode and package a video for streaming or progressive download
Specify AssetCreationOptions.None when creating the output asset for the encoding task. The encryption options used for the output asset generated by the packager depend on the format of the packaged file. For a Smooth Streaming asset protected with PlayReady, use AssetCreationOptions.CommonEncryptionProtected. For an Apple HLS asset protected with AES 128 encryption, specify AssetCreationOptions.EnvelopeEncryptionProtected.
I want to encode and package a video for secure download with PlayReady
Specify AssetCreationOptions.None when creating the output asset for the encoding and packaging tasks and AssetCreationOptions.CommonEncryptionProtected when creating the output asset for the PlayReady protection task. For more information on creating a PlayReady Protected Asset, see Protecting Assets with Microsoft PlayReady.
Retrieving Content from WAMS (archiving)
You can download files directly from Windows Azure Storage if you have the Media Services account credentials of the account that uploaded/processed the asset. Account credentials are specified when creating the CloudMediaContext, which is used to create a locator. Scenarios for retrieving content from Windows Azure Media Services include:
Downloading content for archival
Downloading for further processing
To download content, create an AccessPolicy that specifies permissions (like read or read/write) and the timespan for which those permissions are valid. Then create a Shared Access Signature (SAS) Locator. The SAS Locator contains a URL to the asset that contains the file. To get a fully qualified URL, append the name of the specific file you want to download to the asset's URL. The URL can be used by anyone to download the asset; there is currently no authentication performed when a SAS URL is accessed. When downloading a Storage Encrypted file using one of the Windows Azure Media Services SDKs, the encrypted asset is downloaded and automatically decrypted. For more information about downloading a file from storage, see Create a SAS Locator to On Demand Content.
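Because the SAS URL works for anyone who holds it, the policy behind it should grant as little as possible for as short a time as possible. The following C# sketch is an added example, not code from the original topic; the account credentials, asset id, 30-minute window and destination folder are placeholders chosen for illustration.

```csharp
using System;
using System.IO;
using System.Linq;
using System.Net;
using Microsoft.WindowsAzure.MediaServices.Client;

class ShortLivedSasDownload
{
    static void Main()
    {
        // Placeholders (assumptions): account credentials and asset id.
        var context = new CloudMediaContext("<account-name>", "<account-key>");
        IAsset asset = context.Assets.Where(a => a.Id == "<asset-id>").First();
        IAssetFile file = asset.AssetFiles.ToList().First();

        // Read-only permission and a short validity window limit what a
        // leaked URL can do and for how long.
        IAccessPolicy policy = context.AccessPolicies.Create(
            "Archive read, 30 min", TimeSpan.FromMinutes(30), AccessPermissions.Read);
        ILocator locator = context.Locators.CreateLocator(LocatorType.Sas, asset, policy);
        try
        {
            // The locator path points at the asset; append the file name to
            // get the fully qualified URL of one file.
            var fileUrl = new UriBuilder(locator.Path);
            fileUrl.Path += "/" + file.Name;

            // The URL is the only credential needed, so keep it out of logs,
            // tickets and chat. For a Storage Encrypted asset the bytes fetched
            // this way are still encrypted; an SDK download decrypts them.
            using (var client = new WebClient())
            {
                client.DownloadFile(fileUrl.Uri, Path.Combine(@"C:\archive", file.Name));
            }
        }
        finally
        {
            // Revoke access as soon as the transfer is done instead of
            // waiting for the policy to expire.
            locator.Delete();
            policy.Delete();
        }
    }
}
```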
Deliver Adaptive Bitrate Streaming Content
Windows Azure Media Services allows you to deliver your media assets in a number of ways:
Progressive Download of Protected Content
Progressive download allows you to start playing media before the entire file has been downloaded. Progressive download is only supported with ISO standard MP4 (ISO 14496-12) files. To use progressive download, create an On Demand Locator and point your player or HTML5 <video> tag at the full URL to the MP4 file to play. On Demand Origin Locators do not support dynamic decryption of Storage Encrypted assets at this time. You will need to first storage decrypt any standard MP4 file that you wish to stream from the Origin Server for progressive download. For more information, see Create a SAS Locator to On Demand Content.
Secure delivery of Smooth Streaming and MPEG DASH
Smooth Streaming is an adaptive bitrate streaming technology developed by Microsoft. MPEG DASH is an international standard adaptive bitrate streaming protocol developed by the Motion Picture Experts Group (MPEG). To create a Smooth Streaming asset, use the Windows Azure Media Services Encoder and one of the Smooth Streaming presets. For more information about using the Windows Azure Media Encoder to encode a Smooth Streaming asset, see Encoding with Windows Azure Media Services [Encode to Smooth Streaming]. For more information about Windows Azure Media Encoder Presets, see Task Preset Strings for Windows Azure Media Encoder. Alternatively, you can use the Windows Azure Media Encoder to encode to any H264 compliant MP4 format and use dynamic packaging to convert the MP4 asset to Smooth Streaming, MPEG DASH, or HLS on the fly. For more information about dynamic packaging, see Dynamic Packaging.
You can protect a Smooth Streaming asset using Common Encryption plus PlayReady DRM. Common encryption protects the stream during storage and download using Advanced Encryption Standard (AES) 128-bit elementary stream encryption, which provides content protection all the way to a secure decryptor/decoder. PlayReady protects the stream during playback by using a license server that protects the decryption key needed to decrypt the media stream. The player itself also provides a robust and secure playback environment that meets the compliance and robustness rules for PlayReady. When a user attempts to access a PlayReady protected asset, the player passes the player ID and device information to a license server. The license server verifies that the user has permission to access the stream and determines whether their device is trusted to decrypt the stream. For more information about PlayReady, see Microsoft PlayReady. Microsoft does not currently provide a license delivery service for PlayReady as part of Media Services. You can implement your own or use a third-party provider such as EZDRM (http://www.ezdrm.com/), available via the Azure Store today. For more information about implementing your own PlayReady license server, see Microsoft PlayReady Overview. For more information about available third-party PlayReady providers, see Engaging a PlayReady Service Provider. For more information about securing a Smooth Streaming asset with PlayReady, see Protecting Assets with Microsoft PlayReady.
If you want to use Dynamic Packaging to deliver MPEG DASH encrypted with PlayReady, you need to first convert your video into Smooth Streaming format and protect it with PlayReady. Make sure to use the useSencBox and adjustSubSamples configuration properties and set their value attribute to true. For more information, see Task Preset for Windows Azure Media Encryptor.
Apple HTTP Live Streaming (HLS)
HTTP Live Streaming, or HLS, is an adaptive bitrate streaming technology developed by Apple. Windows Azure Media Services supports creating HLS assets protected with AES-128 transport stream encryption. Transport stream encrypted media must be decrypted prior to media processing. Media and keys are processed unencrypted inside players, and players do not have to establish trust and guarantee protection of keys and content. Content protected in this manner is less secure than content protected using a DRM technology like PlayReady.
Apple HTTP Live Streaming (HLS) + PlayReady
To create an HLS asset protected with PlayReady, create a Smooth Streaming asset, protect it with PlayReady, and use the Windows Azure Media Packager to convert the Smooth Streaming asset to HLS, as shown in Protecting Assets with Microsoft PlayReady. The result is an HLS asset protected with Apple HLS key delivery protocol.
Microsoft provides SDKs and Player Frameworks that allow you to create client applications that can securely consume streaming media from Media Services. The client SDKs and player framework support can be broken down into the following groups:
Web Browser Support
Most browsers only support progressive download with the HTML5 video element. Safari on iOS and Macintosh OS supports HTTP Live Streaming (HLS). To enable you to support browser-based streaming, Microsoft provides the following:
Smooth Streaming Client SDK
Microsoft Media Platform: Player Framework
HTML5 Player Framework
OSMF Smooth Streaming Plugin for Flash
Smooth Streaming Client SDK
The Smooth Streaming Client SDK provides an easy-to-use interface for developers and designers to create rich Smooth Streaming experiences using the Microsoft Silverlight platform and PlayReady DRM.
HTML5 Player Framework
The HTML5 Player Framework is intended for use in browser-based applications. The framework has been tested in the latest versions of both desktop and mobile browsers that support the HTML5 video tag. It should be noted that the W3C does not currently have a standard for adaptive bitrate streaming so most browsers only support simple progressive download playback at this time. The HTML5 Player Framework does not provide any support for content protection beyond SSL. For more information, see HTML5 Player Framework.
The Windows Azure Media Services iOS Media Player Framework library makes it easy for iPod, iPhone, and iPad developers to create rich, dynamic client applications that create and mix video and audio streams together on the fly. For more information, see iOS Media Player Framework on GitHub.
For writing client player applications on Windows there are two choices:
Smooth Streaming Client SDK
Microsoft Media Platform Player Framework for Windows 8 Applications
Smooth Streaming Client SDK for Windows 8
The Smooth Streaming Client SDK for Windows 8 enables development of Smooth Streaming Windows Store applications. You can use the Microsoft Media Platform Player Framework and Smooth Streaming Client SDK to build rich media experiences on Windows 8 using the same back-end infrastructure you use for Smooth Streaming applications for the browser, set-top boxes, Windows Phone, and other mobile devices. For more information, see Smooth Streaming Client SDK.
Microsoft Media Platform: Player Framework for Windows 8 Applications
Windows Phone Applications
Microsoft provides the following for creating Windows Phone client player applications:
Smooth Streaming Client SDK for Windows Phone
Microsoft Media Platform: Player Framework for Windows Phone
The Smooth Streaming Client SDK for Windows Phone enables development of Smooth Streaming Windows Phone applications. For more information, see Smooth Streaming Client SDK.
The Player Framework for Windows Phone is based on the Player Framework for Windows 8 applications but designed exclusively for Windows Phone 8 applications. For more information, see Player Framework for Windows 8 and Windows Phone 8.
For developing XBox applications, Microsoft offers an Application Development Kit (ADK) that includes an XBox SDK and framework. These enable you to write XBox client applications that can consume Smooth Streaming content with PlayReady DRM. For more information about developing XBox applications, see XBox Developers Program.
You can develop player applications for Android devices using third-party porting kits or the Microsoft Smooth Streaming Client Porting Kit (SSPK) as described in the next section.
To develop player applications for other devices, you must purchase a license for the Smooth Streaming Client Porting Kit. Microsoft Smooth Streaming Client Porting Kit (SSPK) is a Smooth Streaming client implementation optimized to help embedded device manufacturers, cable and mobile operators, content service providers, handset manufacturers, independent software vendors (ISVs), and solution providers create products and services for streaming adaptive content in Smooth Streaming format. SSPK is a device- and platform-independent implementation of the Smooth Streaming client that can be ported by the licensee to any device and platform. For more information, see Licensing Microsoft Smooth Streaming Client Porting Kit. Players implemented with the SSPK can view only unencrypted content by default, but the SSPK can be paired with the PlayReady Porting Kit to view PlayReady protected content. For more information, see PlayReady Porting Kit.