Securing Media

Updated: February 18, 2014

Azure Media Services enables you to secure your media from the time it leaves your computer through storage, processing, and delivery. The following diagram illustrates how content is protected end to end.

Figure: Media Services Content Protection (end-to-end content protection diagram)

This topic discusses the concepts involved, the encryption combinations supported for each input and output format, and the workflows for producing encrypted content.

Concepts

The following list describes useful terminology and concepts when working with data protection.

Adaptive bitrate sets - Adaptive bitrate streaming is a technique used in streaming multimedia over computer networks. For more information, see Adaptive bitrate streaming. It is recommended to first encode your mezzanine file into H.264 MP4 adaptive bitrate sets before continuing to package, encrypt, or stream your content.

AES-128 - Advanced Encryption Standard (AES) with 128-bit keys is a secure block cipher operating on 128-bit blocks. AES envelope encryption is end-to-end encryption for video streaming: data is encrypted by the server before it is sent out and decrypted by the client for viewing. This allows video data to be transferred safely between the server and the client, and makes the video data unreadable to any party who intercepts it in between.

Azure Media Services supports creating HLS assets protected with AES-128 transport stream encryption. For more information, see Producing HLSv3 Encrypted with AES-128.

CBC - Cipher Block Chaining (CBC) is a block cipher mode of operation in which each plaintext block is XORed with the previous ciphertext block before it is encrypted, so that identical plaintext blocks produce different ciphertext blocks. It requires an Initialization Vector (IV) for the first block, which has no previous ciphertext block to chain to.

Asset encryption options – Depending on the type of content you want to upload, store, and deliver, Media Services provides various encryption options that you can choose from.

  • None - No encryption is used. This is the default value. Note that when using this option your content is not protected in transit or at rest in storage.

    If you plan to deliver an MP4 using progressive download, use this option to upload or encode your content.

    Media Services does not support delivery of Storage Encrypted assets. You must decrypt any Storage Encrypted assets that you wish to deliver from the origin service or by progressive download. Also, PlayReady DRM is not supported for standard progressive download of MP4 files.

  • StorageEncrypted – Use this option to encrypt your clear content locally using 256-bit AES encryption and then upload it to Azure Storage, where it is stored encrypted at rest. Assets protected with Storage Encryption are automatically decrypted and placed in an encrypted file system prior to encoding, and optionally re-encrypted prior to being uploaded back as a new output asset. The primary use case for Storage Encryption is securing your high-quality input media files with strong encryption at rest on disk. The Azure Media Services Origin Service does not support the delivery of Storage Encrypted assets. For more information, see Producing Storage Encrypted Content.

  • CommonEncryption - Use this option if you want to encrypt (or upload already encrypted) content with Common Encryption or PlayReady DRM (for example, Smooth Streaming protected with PlayReady DRM).

  • EnvelopeEncrypted – Use this option if you want to protect (or upload already protected) HTTP Live Streaming (HLS) encrypted with Advanced Encryption Standard (AES). Note that if you are uploading HLS already encrypted with AES, it must have been encrypted by Transform Manager.

Access policy – The AccessPolicy entity defines permissions (such as read, write, and list) and the duration of access to an asset. You would usually pass an AccessPolicy object to a locator, which is then used to access the files contained in an asset.

CENC - The Common Encryption Scheme (CENC) specifies standard encryption and key mapping methods. CENC defines a common format for the encryption related metadata necessary to decrypt the protected streams. At the same time, it leaves the management of rights mappings, key acquisition and storage, DRM compliance rules, etc. up to the DRM system or systems supporting the 'cenc' scheme. PlayReady supports CENC. To stream MPEG DASH you need to use CENC options. For more information, see Protecting Smooth Streaming and MPEG DASH with PlayReady.

HLS - HTTP Live Streaming (HLS) is an adaptive bitrate streaming technology developed by Apple. Azure Media Services supports creating HLS assets protected with AES-128 transport stream encryption. For more information, see Producing HLSv3 Encrypted with AES-128. Transport stream encrypted media must be decrypted prior to media processing. Media and keys are processed unencrypted inside players, and players do not have to establish trust or guarantee protection of keys and content. Content protected in this manner is therefore less secure than content protected with a DRM technology like PlayReady. For information on how to protect HLS with PlayReady, see Producing HLSv3 Encrypted with PlayReady.

IV – An Initialization Vector (IV) is a block-sized value used by CBC and other encryption modes when encrypting the first block. Because each block is XORed with the previous ciphertext block, and no previous block exists for the first one, the IV takes the place of that previous block.
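The CBC and IV entries above describe a structure that is easiest to see in code. The following is an added Python example, not code from the page or from Media Services: it implements CBC chaining and PKCS#7 padding over a stand-in 128-bit block cipher (a small HMAC-based Feistel network, used only because the Python standard library has no AES; it is not AES and not secure). The key and IV values are constructed for the demo. It shows that four identical plaintext blocks encrypt to identical ciphertext blocks without chaining, that CBC makes them all differ, that the IV stands in for the missing "previous block" so two IVs give two ciphertexts for the same input, and that decryption reverses the chain.

```python
import hashlib
import hmac
import os

BLOCK = 16  # 128-bit blocks, the block size AES uses

# Constructed demo key and IVs; in a real system the key is secret and the IV
# is generated fresh and unpredictably for every encryption (see fresh_iv).
KEY = b"constructed-demo-key-not-secret!"
IV_A = bytes(range(16))
IV_B = bytes(range(16, 32))


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key: bytes, i: int, half: bytes) -> bytes:
    # Keyed round function for the stand-in cipher: HMAC-SHA256 truncated to a half block.
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[: BLOCK // 2]


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in 128-bit block cipher: a 4-round Feistel network over HMAC-SHA256.

    NOT AES and not secure; it is merely an invertible keyed permutation so the
    CBC chaining can be shown with the standard library alone.
    """
    assert len(block) == BLOCK
    left, right = block[:8], block[8:]
    for i in range(4):
        left, right = right, _xor(left, _round(key, i, right))
    return left + right


def block_decrypt(key: bytes, block: bytes) -> bytes:
    """Inverse of block_encrypt: undo the Feistel rounds in reverse order."""
    assert len(block) == BLOCK
    left, right = block[:8], block[8:]
    for i in reversed(range(4)):
        left, right = _xor(right, _round(key, i, left)), left
    return left + right


def pkcs7_pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def pkcs7_unpad(data: bytes) -> bytes:
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def fresh_iv() -> bytes:
    return os.urandom(BLOCK)


def ecb_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """No chaining: every block is encrypted independently, so identical plaintext
    blocks give identical ciphertext blocks (the pattern leak CBC is meant to avoid)."""
    padded = pkcs7_pad(plaintext)
    return b"".join(block_encrypt(key, padded[i:i + BLOCK]) for i in range(0, len(padded), BLOCK))


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """CBC: XOR each plaintext block with the previous ciphertext block, then encrypt.
    The first block has no previous ciphertext, so the IV takes its place."""
    assert len(iv) == BLOCK
    padded = pkcs7_pad(plaintext)
    prev, out = iv, []
    for i in range(0, len(padded), BLOCK):
        c = block_encrypt(key, _xor(padded[i:i + BLOCK], prev))
        out.append(c)
        prev = c
    return b"".join(out)


def cbc_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    """Decrypt each block, then XOR with the previous ciphertext block (the IV for the first)."""
    assert len(iv) == BLOCK and len(ciphertext) % BLOCK == 0
    prev, out = iv, []
    for i in range(0, len(ciphertext), BLOCK):
        c = ciphertext[i:i + BLOCK]
        out.append(_xor(block_decrypt(key, c), prev))
        prev = c
    return pkcs7_unpad(b"".join(out))


def repeated_blocks(ciphertext: bytes) -> int:
    """Number of ciphertext blocks that duplicate an earlier block."""
    bs = [ciphertext[i:i + BLOCK] for i in range(0, len(ciphertext), BLOCK)]
    return len(bs) - len(set(bs))


if __name__ == "__main__":
    frames = b"A" * 64  # four identical plaintext blocks, like a run of identical frames
    print("unchained repeated blocks:", repeated_blocks(ecb_encrypt(KEY, frames)))   # 3
    print("CBC repeated blocks:", repeated_blocks(cbc_encrypt(KEY, IV_A, frames)))  # 0
    print("same plaintext, two IVs, same ciphertext?",
          cbc_encrypt(KEY, IV_A, frames) == cbc_encrypt(KEY, IV_B, frames))        # False
    print("round trip ok:", cbc_decrypt(KEY, IV_A, cbc_encrypt(KEY, IV_A, frames)) == frames)  # True
```

The count of 3 in the unchained case is exact: the four identical data blocks map to one ciphertext value and the padding block to another. The IV must be known to the decrypting side (HLS carries it in the playlist or derives it from the segment sequence number), but it need not be secret; what it must not be is reused with the same key, because then equal leading plaintext produces equal leading ciphertext again.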

Locator – Locators provide an entry point to access the files contained in an asset. Media Services supports two types of locators: OnDemandOrigin locators, used to stream media (for example, MPEG DASH, HLS, or Smooth Streaming), and Shared Access Signature (SAS) URL locators, used to download media files. An access policy defines the permissions and the duration for which a client has access to a given asset. Locators can have a many-to-one relationship with an access policy, so that different locators can provide different start times and connection types to different clients while all using the same permission and duration settings; however, because of a shared access policy restriction set by Azure storage services, you cannot have more than five unique locators associated with a given asset at one time. For more information, see Using a Shared Access Signature (REST API).
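Because a SAS URL locator carries its access policy (permissions and validity window) in the URL itself, an operator can audit issued locators without any SDK call. The following is an added Python example, not code from the page or from the Media Services SDK. It assumes the Azure Storage SAS query parameter names (sv, st, se, sr, sp, sig), which the page does not list; the account name, paths and signature values in the sample URLs are constructed placeholders. It flags download locators that are writable, unsigned, never expire, are already expired, or are valid for longer than the intended policy duration, and counts locators per asset against the five-locator limit mentioned above.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlparse

# Constructed SAS locator URLs for illustration; the account name and "sig" values are
# placeholders, not real signatures. Parameter names follow the Azure Storage SAS scheme.
SAMPLE_LOCATORS = [
    "https://exampleaccount.blob.core.windows.net/asset-1/video.mp4"
    "?sv=2012-02-12&st=2014-07-18T00:00:00Z&se=2014-07-18T02:00:00Z&sr=c&sp=r&sig=PLACEHOLDER",
    "https://exampleaccount.blob.core.windows.net/asset-1/video.mp4"
    "?sv=2012-02-12&se=2016-01-01T00:00:00Z&sr=c&sp=rwdl&sig=PLACEHOLDER",
    "http://exampleaccount.blob.core.windows.net/asset-1/video.mp4"
    "?sv=2012-02-12&sr=c&sp=r&sig=PLACEHOLDER",
]


def parse_sas_time(value: str) -> datetime:
    """SAS times are UTC ISO 8601 at second, minute or day precision."""
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%MZ", "%Y-%m-%dZ"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unrecognised SAS time: {value}")


def audit_sas_locator(url: str, now: datetime, max_duration: timedelta = timedelta(hours=24),
                      allowed_permissions: str = "rl") -> list:
    """Return the policy problems found in one SAS locator URL.

    A download locator should be read-only (plus list if needed), carry an expiry,
    and not be valid for longer than the access policy's intended duration.
    """
    parts = urlparse(url)
    q = {k: v[0] for k, v in parse_qs(parts.query).items()}
    findings = []
    if parts.scheme != "https":
        findings.append("locator not served over HTTPS")
    if "sig" not in q:
        findings.append("no signature (sig): not a SAS URL")
    extra = sorted(set(q.get("sp", "")) - set(allowed_permissions))
    if extra:
        findings.append("permissions beyond " + allowed_permissions + ": " + "".join(extra))
    if "se" not in q:
        findings.append("no expiry (se)")
    else:
        expiry = parse_sas_time(q["se"])
        start = parse_sas_time(q["st"]) if "st" in q else now
        if expiry <= now:
            findings.append(f"expired at {q['se']}")
        elif expiry - start > max_duration:
            findings.append(f"valid for {expiry - start}, longer than {max_duration}")
    return findings


def locators_per_asset(urls) -> Counter:
    """Count locators by asset container (the first path segment) so the
    five-unique-locators-per-asset storage limit can be checked before issuing more."""
    return Counter(urlparse(u).path.strip("/").split("/")[0] for u in urls)


if __name__ == "__main__":
    now = datetime(2014, 7, 18, 1, 0, tzinfo=timezone.utc)  # constructed audit time
    for url in SAMPLE_LOCATORS:
        print(url.split("?")[0], audit_sas_locator(url, now) or ["ok"])
    print(dict(locators_per_asset(SAMPLE_LOCATORS)))
```

The audit is deliberately offline: it never fetches the URL, so it can be run over a log of issued locators. The duration check uses the start time when present and the audit time otherwise, so a locator issued without st is judged from now.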

MPEG DASH - MPEG DASH is an international standard adaptive bitrate streaming protocol developed by the Motion Picture Experts Group (MPEG). For information about securing an MPEG DASH, see Protecting Smooth Streaming and MPEG DASH with PlayReady.

PlayReady DRM - You can protect a Smooth Streaming or an HLS asset using Common Encryption plus PlayReady DRM. PlayReady protects the stream during playback by using a license server that protects the decryption key needed to decrypt the media stream. The player should also provide a robust and secure playback environment that meets the compliance and robustness rules for PlayReady. When a user attempts to access a PlayReady protected asset, the player passes its player ID and device information to a license server. The license server verifies whether the user has permission to access the stream and determines whether the device is trusted to decrypt it. For more information about PlayReady, see Microsoft PlayReady. Microsoft does not currently provide a license delivery service for PlayReady as part of Media Services. You can implement your own or use a third-party provider such as EZDRM (http://www.ezdrm.com/), available via the Azure Store today. For more information about implementing your own PlayReady license server, see Microsoft PlayReady Overview. For more information about available third-party PlayReady providers, see Engaging a PlayReady Service Provider. For more information about securing a Smooth Streaming asset with PlayReady, see Protecting Smooth Streaming and MPEG DASH with PlayReady.

Smooth Streaming - Smooth Streaming is an adaptive bitrate streaming technology developed by Microsoft. For information about securing a Smooth Streaming asset with PlayReady, see Protecting Smooth Streaming and MPEG DASH with PlayReady.

Supported encryptions for the specified input and output formats

The following table summarizes the encryptions for the specified input and output formats that are currently supported by Media Services.

Source \ Target      | Smooth + PlayReady                                                | MPEG DASH + CENC                                                  | HLSv3 + PlayReady                        | HLSv3 + AES-128 CBC envelope encryption
Adaptive bitrate MP4 | See Encrypting Smooth Streaming and\or MPEG DASH with PlayReady.  | See Encrypting Smooth Streaming and\or MPEG DASH with PlayReady.  | See Encrypting HLS v3 with PlayReady.    | See Encrypting HLS v3 with AES-128 CBC envelope encryption.
Clear Smooth         | See Encrypting Smooth Streaming and\or MPEG DASH with PlayReady.  | See Encrypting Smooth Streaming and\or MPEG DASH with PlayReady.  | See Encrypting HLS v3 with PlayReady.    | See Encrypting HLS v3 with AES-128 CBC envelope encryption.
PlayReady Smooth     | No further processing is needed.                                  | See Encrypting Smooth Streaming and\or MPEG DASH with PlayReady.  | See Encrypting HLS v3 with PlayReady.    | Not supported.

Notes on the source formats:

  • Adaptive bitrate MP4 - It is recommended to convert your mezzanine files to adaptive bitrate MP4 sets before further processing.

  • PlayReady Smooth - For information about how to upload an already encrypted asset, see Uploading Encrypted Content.

Producing Storage encrypted content

If you have unencrypted content and want to encrypt and upload that content, use the StorageEncrypted option. This encrypts your content locally and then uploads it to Azure Storage, where it is stored encrypted. This scenario protects your valuable content at rest while that content is being used as input to the Media Processor pipeline, for example for encoding or packaging tasks. Assets protected with Storage Encryption are automatically decrypted and placed in an encrypted file system prior to encoding. Currently, the Azure Media Services Origin Service does not support the delivery of Storage Encrypted assets, so after processing, Storage Encrypted assets must be decrypted prior to streaming.

For more information, see Producing Storage Encrypted Content.

Encrypting HLS v3 with AES-128 CBC envelope encryption

This section describes possible workflows when encrypting HLS with AES-128. The following example shows how to encrypt HLS with AES-128: Producing HLSv3 Encrypted with AES-128.

Starting with an Asset that contains a set of adaptive bitrate MP4 files

  1. Specify an input asset that contains a set of adaptive bitrate MP4 files.

    It is recommended to start with a set of adaptive bitrate MP4 files. You could get an asset that contains a set of adaptive bitrate MP4s from an encoding job. For example, if your mezzanine file is a single MP4, you can use Media Services Encoder to encode the MP4 file into a set of adaptive bitrate MP4s. For more information, see Encoding Media with Media Services.

    If you already have a set of existing adaptive bitrate MP4s, you can upload the files into an asset and continue processing the asset. If the set was encoded using external encoders, it is recommended to validate it. For more information, see Validating Multi-bitrate MP4s Encoded with External Encoders.

  2. Use Media Services Packager to package MP4 to Smooth Streaming.

  3. Use Media Services Packager to package Smooth Streaming to HLSv3+AES128. Make sure to set envelope encryption parameters when packaging.

  4. Create a Locator to get the HLS streaming URL.

Starting with an Asset that contains clear Smooth Streaming files

  1. Specify an input asset that contains clear Smooth Streaming files.

  2. Use Media Services Packager to package Smooth Streaming to HLSv3+AES128. Make sure to set envelope encryption parameters when packaging.

  3. Create a Locator to get the HLS streaming URL.

Starting with an Asset that contains PlayReady Smooth Streaming files

Not possible.

For more information, see Producing HLSv3 Encrypted with AES-128.
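The output of either workflow above is an HLSv3 playlist whose segments are covered by EXT-X-KEY tags with METHOD=AES-128; the player fetches the key from the tag's URI and uses the tag's IV (or, if none is given, the segment's media sequence number) as the CBC IV. Because, as the Concepts section notes, the security of this scheme rests entirely on how the key is delivered and on every segment actually being covered, a packaged playlist is worth checking before a locator is published. The following is an added Python example, not code from the page or from Media Services Packager: it parses a media playlist according to the HLS EXT-X-KEY rules (a key applies to all following segments until the next key tag; METHOD=NONE turns encryption off) and reports segments left in the clear and key URIs not served over HTTPS. The sample playlist and its hostnames are constructed.

```python
import re
from urllib.parse import urlparse

# Constructed HLS media playlist (not from the page or from any Media Services origin):
# two segments under one AES-128 key with an explicit IV, one under a second key that is
# served over plain HTTP and has no IV attribute, and one after METHOD=NONE.
SAMPLE_PLAYLIST = """#EXTM3U
#EXT-X-VERSION:3
#EXT-X-TARGETDURATION:10
#EXT-X-MEDIA-SEQUENCE:0
#EXT-X-KEY:METHOD=AES-128,URI="https://keys.example.invalid/key?id=1",IV=0x000102030405060708090a0b0c0d0e0f
#EXTINF:10.0,
seg0.ts
#EXTINF:10.0,
seg1.ts
#EXT-X-KEY:METHOD=AES-128,URI="http://keys.example.invalid/key?id=2"
#EXTINF:10.0,
seg2.ts
#EXT-X-KEY:METHOD=NONE
#EXTINF:10.0,
seg3.ts
#EXT-X-ENDLIST
"""

# NAME=value pairs; values are either quoted strings (which may contain commas) or bare tokens.
_ATTR_RE = re.compile(r'([A-Z0-9-]+)=("[^"]*"|[^,]*)')


def parse_attributes(attr_list: str) -> dict:
    return {name: value.strip('"') for name, value in _ATTR_RE.findall(attr_list)}


def sequence_iv(seq: int) -> str:
    """With no IV attribute the player uses the segment's media sequence number,
    big-endian in a 128-bit value, as the CBC IV."""
    return "0x" + seq.to_bytes(16, "big").hex()


def audit_playlist(text: str):
    """Walk the playlist in order and record which key applies to each segment.

    An EXT-X-KEY tag applies to every segment that follows it until the next
    EXT-X-KEY; METHOD=NONE switches encryption off. Returns (segments, findings).
    """
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if not lines or lines[0] != "#EXTM3U":
        raise ValueError("not an M3U8 playlist")
    key = {"METHOD": "NONE"}  # segments before any EXT-X-KEY are in the clear
    seq = 0
    segments, findings = [], []
    for line in lines:
        if line.startswith("#EXT-X-MEDIA-SEQUENCE:"):
            seq = int(line.split(":", 1)[1])
        elif line.startswith("#EXT-X-KEY:"):
            key = parse_attributes(line[len("#EXT-X-KEY:"):])
            method = key.get("METHOD", "NONE")
            if method == "AES-128" and urlparse(key.get("URI", "")).scheme != "https":
                findings.append(f"key URI not served over HTTPS: {key.get('URI', '')}")
            elif method not in ("NONE", "AES-128"):
                findings.append(f"unexpected key method {method}")
        elif not line.startswith("#"):
            method = key.get("METHOD", "NONE")
            iv = None if method == "NONE" else key.get("IV", sequence_iv(seq))
            segments.append({"uri": line, "sequence": seq, "method": method,
                             "iv": iv, "key_uri": key.get("URI")})
            if method == "NONE":
                findings.append(f"segment {line} (sequence {seq}) is unencrypted")
            seq += 1
    return segments, findings


if __name__ == "__main__":
    segs, found = audit_playlist(SAMPLE_PLAYLIST)
    for s in segs:
        print(f"{s['uri']:8} seq={s['sequence']} method={s['method']:7} iv={s['iv']}")
    for f in found:
        print("FINDING:", f)
```

Note the IV bookkeeping: an explicit IV attribute applies to every segment under that key tag, while a tag without one means the IV changes with each segment's sequence number. Both are visible to anyone who can read the playlist, which is consistent with the page's point that this scheme protects the transport, not the key material inside the player.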

Encrypting Smooth Streaming and\or MPEG DASH with PlayReady

This section describes possible workflows when encrypting Smooth Streaming and\or MPEG DASH with PlayReady.

Important
To deliver MPEG DASH encrypted with PlayReady, you must first statically package and encrypt Smooth Streaming with PlayReady and make sure to use CENC options. Then, use Dynamic Packaging to stream MPEG DASH. The following example demonstrates how to encrypt Smooth Streaming and\or MPEG DASH with PlayReady using Media Services .NET SDK: Protecting Smooth Streaming and MPEG DASH with PlayReady.

Starting with an Asset that contains a set of adaptive bitrate MP4 files

  1. Specify an input asset that contains a set of adaptive bitrate MP4 files.

    It is recommended to start with a set of adaptive bitrate MP4 files. You could get an asset that contains a set of adaptive bitrate MP4s from an encoding job. For example, if your mezzanine file is a single MP4, you can use Media Services Encoder to encode the MP4 file into a set of adaptive bitrate MP4s. For more information, see Encoding Media with Media Services.

    If you already have a set of existing adaptive bitrate MP4s, you can upload the files into an asset and continue processing the asset. If the set was encoded using external encoders, it is recommended to validate it. For more information, see Validating Multi-bitrate MP4s Encoded with External Encoders.

  2. Use Media Services Packager to package MP4 to Smooth Streaming.

  3. Use Media Services Encryptor to encrypt Smooth Streaming with PlayReady.

  4. Create an OnDemandOrigin locator to get Smooth Streaming and MPEG DASH streaming URLs.

Starting with an Asset that contains clear Smooth Streaming files

  1. Specify an input asset that contains clear Smooth Streaming files.

  2. Use Media Services Encryptor to encrypt Smooth Streaming with PlayReady.

  3. Create an OnDemandOrigin locator to get Smooth Streaming and MPEG DASH streaming URLs.

Starting with an Asset that contains PlayReady Smooth Streaming files

  1. Specify PlayReady Smooth Stream as your input asset. For more information, see Uploading Encrypted Content.

  2. Create an OnDemandOrigin locator to get Smooth Streaming and MPEG DASH streaming URLs.

For more information, see Protecting Smooth Streaming and MPEG DASH with PlayReady.

Encrypting HLS v3 with PlayReady

To encrypt HLS with PlayReady, you must first get Smooth Streaming encrypted with PlayReady. To get PlayReady encrypted Smooth Streaming, refer to the Encrypting Smooth Streaming with PlayReady section.

Once you have an asset that contains PlayReady Smooth Stream, use Media Services Packager to package this asset to HLS with PlayReady.

Then, create an OnDemandOrigin locator to get an HLS streaming URL.

The following example demonstrates how to encrypt your HLS with PlayReady: Producing HLSv3 Encrypted with PlayReady.

Consuming media

For information about developing client applications and consuming media, see Developing Video Player Applications.

Build Date:

2014-07-18

© 2014 Microsoft