
Securing Media

Updated: February 2014

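Note: The content of this page may not fully apply to Windows Azure services operated in mainland China. To learn about the differences between Windows Azure services in different regions, refer to this website.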

Azure Media Services enables you to secure your media from the time it leaves your computer through storage, processing, and delivery. The following diagram illustrates how content is protected end to end.

[Figure: Media Services content protection]

This topic discusses the following:

Concepts

The following list describes useful terminology and concepts when working with data protection.

Adaptive bitrate sets - Adaptive bitrate streaming is a technique used in streaming multimedia over computer networks. For more information, see Adaptive bitrate streaming. It is recommended to first encode your mezzanine file into H.264 MP4 adaptive bitrate sets before continuing to package, encrypt, or stream your content.

AES - 128 - Advanced Encryption Standard (AES) - 128 is a secure encryption algorithm using 128-bit keys and blocks. AES envelope encryption is end-to-end encryption for video streaming. Data will be encrypted by the server before it is sent out, and decrypted by the client to view. This allows video data to be transferred safely between the server and client, and makes the video data unreadable by any parties who intercept it in between.

Azure Media Services supports creating HLS assets protected with AES-128 transport stream encryption. For more information, see Producing HLSv3 Encrypted with AES-128.

CBC - Cipher-block Chaining (CBC) is a block encryption mode of operation that uses XOR on the previous block, with the goal of making different ciphertext for blocks with the same plaintext. Requires an Initialization Vector (IV) for the first block.

Asset encryption options – Depending on the type of content you want to upload, store, and deliver, Media Services provides various encryption options that you can choose from.

  • None - No encryption is used. This is the default value. Note that when using this option your content is not protected in transit or at rest in storage.

    If you plan to deliver an MP4 using progressive download, use this option to upload or encode your content.

    Media Services does not support delivery of Storage Encrypted assets. You must decrypt any storage encrypted assets that you wish to stream from the origin service for progressive download. Also, in the case of standard progressive download of MP4 files, PlayReady DRM is not supported.

  • StorageEncrypted – Use this option to encrypt your clear content locally using AES 256 bit encryption and then upload it to Azure Storage where it is stored encrypted at rest. Assets protected with Storage Encryption are automatically unencrypted and placed in an encrypted file system prior to encoding, and optionally re-encrypted prior to uploading back as a new output asset. The primary use case for Storage Encryption is when you want to secure your high quality input media files with strong encryption at rest on disk. Azure Media Services Origin Service does not support the delivery of Storage Encrypted Assets. For more information, see Producing Storage Encrypted Content.

  • CommonEncryption - Use this option if you want to encrypt (or upload already encrypted) content with Common Encryption or PlayReady DRM (for example, Smooth Streaming protected with PlayReady DRM).

  • EnvelopeEncrypted – Use this option if you want to protect (or upload already protected) HTTP Live Streaming (HLS) encrypted with Advanced Encryption Standard (AES). Note that if you are uploading HLS already encrypted with AES, it must have been encrypted by Transform Manager.

Access policy – The AccessPolicy entity defines permissions (like read, write, and list) and duration of access to an asset. You would usually pass an AccessPolicy object to a locator that would then be used to access the files contained in an asset.

CENC - The Common Encryption Scheme (CENC) specifies standard encryption and key mapping methods. CENC defines a common format for the encryption related metadata necessary to decrypt the protected streams. At the same time, it leaves the management of rights mappings, key acquisition and storage, DRM compliance rules, etc. up to the DRM system or systems supporting the 'cenc' scheme. PlayReady supports CENC. To stream MPEG DASH you need to use CENC options. For more information, see Protecting Assets with Microsoft PlayReady.

HLS - HTTP Live Streaming (HLS) is an adaptive bitrate streaming technology developed by Apple. Azure Media Services supports creating HLS assets protected with AES-128 transport stream encryption. For more information, see Producing HLSv3 Encrypted with AES-128. Transport stream encrypted media must be decrypted prior to media processing. Media and keys are processed unencrypted inside players, and players do not have to establish trust and guarantee protection of keys and content. Content protected in this manner is less secure than content protected with a DRM technology like PlayReady. For information on how to protect HLS with PlayReady, see Producing HLSv3 Encrypted with PlayReady.

IV – An Initialization Vector (IV) is a vector used by CBC and other encryption modes when encrypting the first block. Since the first block should be XORed with the previous block, and no previous block exists, the IV takes the place of that previous block.

Locator – Locators provide an entry point to access the files contained in an asset. Media Services supports two types of locators: OnDemandOrigin locators, used to stream media (for example, MPEG DASH, HLS, or Smooth Streaming) and Access Signature (SAS) URL locators, used to download media files. An access policy is used to define the permissions and duration that a client has access to a given asset. Locators can have a many to one relationship with an access policy, such that different locators can provide different start times and connection types to different clients while all using the same permission and duration settings; however, because of a shared access policy restriction set by Azure storage services, you cannot have more than five unique locators associated with a given asset at one time. For more information, see Using a Shared Access Signature (REST API).

MPEG DASH - MPEG DASH is an international standard adaptive bitrate streaming protocol developed by the Motion Picture Experts Group (MPEG). For information about securing an MPEG DASH, see Protecting Assets with Microsoft PlayReady.

PlayReady DRM - You can protect a Smooth Streaming or an HLS asset using Common Encryption plus PlayReady DRM. PlayReady protects the stream during playback by using a license server that protects the decryption key needed to decrypt the media stream. The player should also provide a robust and secure playback environment that meets the compliance and robustness rules for PlayReady. When a user attempts to access a PlayReady protected asset, it passes the player ID and device information to a license server. The licensing server verifies if the user has permission to access the stream and determines if their device is trusted to decrypt the stream. For more information about PlayReady, see Microsoft PlayReady. Microsoft does not currently provide a license delivery service for PlayReady as part of Media Services. You can implement your own or use a third-party provider such as EZDRM (http://www.ezdrm.com/), available via the Azure Store today. For more information about implementing your own PlayReady license server, see Microsoft PlayReady Overview. For more information about available third-party PlayReady providers, see Engaging a PlayReady Service Provider. For more information about securing a Smooth Streaming asset with PlayReady, see Protecting Assets with Microsoft PlayReady.

Smooth Streaming - Smooth Streaming is an adaptive bitrate streaming technology developed by Microsoft. For information about securing a Smooth Streaming asset with PlayReady, see Protecting Assets with Microsoft PlayReady.

Supported encryptions for the specified input and output formats

The following table summarizes encryptions for the specified input and output formats that are currently supported by Media Services.

 

| Source\Target | Smooth + PlayReady | MPEG DASH + CENC | HLSv3 + PlayReady | HLSv3 + AES128 CBC envelope encryption |
| --- | --- | --- | --- | --- |
| Adaptive bitrate MP4. It is recommended to convert your mezzanine files to adaptive bitrate MP4 sets before further processing. | For more information, see Encrypting Smooth Streaming and\or MPEG DASH with PlayReady. | For more information, see Encrypting Smooth Streaming and\or MPEG DASH with PlayReady. | For more information, see Encrypting HLS v3 with PlayReady. | For more information, see Encrypting HLS v3 with AES -128 CBC envelope encryption. |
| Clear Smooth | For more information, see Encrypting Smooth Streaming and\or MPEG DASH with PlayReady. | For more information, see Encrypting Smooth Streaming and\or MPEG DASH with PlayReady. | For more information, see Encrypting HLS v3 with PlayReady. | For more information, see Encrypting HLS v3 with AES -128 CBC envelope encryption. |
| PlayReady Smooth. For information about how to upload an encrypted asset, see Uploading Encrypted Content. | No further processing is needed. | For more information, see Encrypting Smooth Streaming and\or MPEG DASH with PlayReady. | For more information, see Encrypting HLS v3 with PlayReady. | Not supported. |

Producing Storage encrypted content

If you have unencrypted content and want to encrypt and upload that content, use the StorageEncrypted option. This will encrypt your content locally and then upload it to Azure Storage where it will be stored encrypted. This scenario is used to protect your valuable content at rest when that content is being used as input to the Media Processor pipeline. This could be for encoding or packaging tasks. Assets protected with Storage Encryption are automatically unencrypted and placed in an encrypted file system prior to encoding. Currently, Azure Media Services Origin Service does not support the delivery of Storage Encrypted Assets. After processing, Storage Encrypted assets must be unencrypted prior to streaming.

For more information, see Producing Storage Encrypted Content.

Encrypting HLS v3 with AES -128 CBC envelope encryption

This section describes possible workflows when encrypting HLS with AES - 128. The following example shows how to encrypt HLS with AES – 128: Producing HLSv3 Encrypted with AES-128.

Starting with an Asset that contains a set of adaptive bitrate MP4 files

  1. Specify an input asset that contains a set of adaptive bitrate MP4 files.

    Starting with a set of adaptive bitrate MP4 files is the preferred approach. You could get an asset that contains a set of adaptive bitrate MP4s from an encoding job. For example, you can upload a single MP4 file (your mezzanine file) and then use Media Services Encoder to encode the MP4 into adaptive bitrate MP4s. For more information, see Encoding Media with Media Services.

    You could also have a set of existing adaptive bitrate MP4s that you want to upload and then process. In this case, it is recommended to validate your set. See an example in the Walkthrough: Dynamically Packaging Assets topic (the Upload existing adaptive bitrate sets and validate them using the Media Packager section).

  2. Use Media Services Packager to package MP4 to Smooth Streaming.

  3. Use Media Services Packager to package Smooth Streaming to HLSv3+AES128. Make sure to set envelope encryption parameters when packaging.

  4. Create a Locator to get the HLS streaming URL.

Starting with an Asset that contains clear Smooth Streaming files

  1. Specify an input asset that contains clear Smooth Streaming files.

  2. Use Media Services Packager to package Smooth Streaming to HLSv3+AES128. Make sure to set envelope encryption parameters when packaging.

  3. Create a Locator to get the HLS streaming URL.

Starting with an Asset that contains PlayReady Smooth Streaming files

Not possible.

For more information, see Producing HLSv3 Encrypted with AES-128.
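
The following Node.js example is added here and is not from the original page or the Media Services SDK. It shows what the CBC and IV definitions in Concepts mean for one HLSv3+AES128 segment on the client side. It assumes the HLS specification's rules (segments are AES-128-CBC encrypted with PKCS7 padding, and a missing IV attribute means the media sequence number is the IV); the key, key URI and segment bytes are constructed.

```javascript
// Added example, not Media Services code. Key, key URI and segment bytes are constructed.
const crypto = require('node:crypto');
// Parse the attribute list of an #EXT-X-KEY playlist tag.
function parseKeyTag(line) {
  const attrs = {};
  const body = line.slice(line.indexOf(':') + 1);
  for (const m of body.matchAll(/([A-Z0-9-]+)=("[^"]*"|[^,]*)/g)) {
    attrs[m[1]] = m[2].replace(/^"|"$/g, '');
  }
  return attrs;
}

// HLS rule (assumed from the HLS specification): use the IV attribute if present,
// otherwise the segment's media sequence number as a 128-bit big-endian integer.
function segmentIv(attrs, mediaSequence) {
  if (attrs.IV) return Buffer.from(attrs.IV.replace(/^0x/i, '').padStart(32, '0'), 'hex');
  const iv = Buffer.alloc(16);
  iv.writeBigUInt64BE(BigInt(mediaSequence), 8);
  return iv;
}

// AES with PKCS7 padding (the Node default); pass iv = null for ECB.
function aes(mode, encrypt, key, iv, data) {
  const c = encrypt ? crypto.createCipheriv(mode, key, iv)
                    : crypto.createDecipheriv(mode, key, iv);
  return Buffer.concat([c.update(data), c.final()]);
}

const KEY = Buffer.from('000102030405060708090a0b0c0d0e0f', 'hex');
const KEY_TAG = '#EXT-X-KEY:METHOD=AES-128,URI="https://keys.example.invalid/k1"';
const SEGMENT = Buffer.alloc(48, 0x47); // three identical 16-byte plaintext blocks
function demo() {
  const attrs = parseKeyTag(KEY_TAG);
  const iv7 = segmentIv(attrs, 7), iv8 = segmentIv(attrs, 8);
  const ecb = aes('aes-128-ecb', true, KEY, null, SEGMENT);
  const cbc7 = aes('aes-128-cbc', true, KEY, iv7, SEGMENT);
  const cbc8 = aes('aes-128-cbc', true, KEY, iv8, SEGMENT);
  const wrongIv = aes('aes-128-cbc', false, KEY, iv8, cbc7);
  const block = (buf, i) => buf.subarray(16 * i, 16 * i + 16).toString('hex');
  return {
    method: attrs.METHOD,
    ecbBlocksRepeat: block(ecb, 0) === block(ecb, 1),   // no chaining: repetition leaks
    cbcBlocksRepeat: block(cbc7, 0) === block(cbc7, 1), // chaining hides repetition
    sameAcrossSegments: cbc7.equals(cbc8),              // IV differs per segment
    roundTrip: aes('aes-128-cbc', false, KEY, iv7, cbc7).equals(SEGMENT),
    wrongIvDamagesOnlyFirstBlock: wrongIv.subarray(16).equals(SEGMENT.subarray(16)) && !wrongIv.equals(SEGMENT),
  };
}
console.log(demo());
```

Any client that can fetch the key from the key URI can run the same decryption, so access control on the key endpoint is what protects an AES-128 envelope stream.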

Encrypting Smooth Streaming and\or MPEG DASH with PlayReady

This section describes possible workflows when encrypting Smooth Streaming and\or MPEG DASH with PlayReady.

Important
To deliver MPEG DASH encrypted with PlayReady, make sure to use CENC options when encrypting. The following example demonstrates how to encrypt Smooth Streaming and\or MPEG DASH with PlayReady using Media Services .NET SDK: Protecting Assets with Microsoft PlayReady.

Starting with an Asset that contains a set of adaptive bitrate MP4 files

  1. Specify an input asset that contains a set of adaptive bitrate MP4s.

    Starting with a set of adaptive bitrate MP4 files is the preferred approach. You could get an asset that contains a set of adaptive bitrate MP4s from an encoding job. For example, you can upload a single MP4 file (your mezzanine file) and then use Media Services Encoder to encode the MP4 into adaptive bitrate MP4s. For more information, see Encoding Media with Media Services.

    You could also have a set of existing adaptive bitrate MP4s that you want to upload and then process. In this case, it is recommended to validate your set. See an example in the Walkthrough: Dynamically Packaging Assets topic (the Upload existing adaptive bitrate sets and validate them using the Media Packager section).

  2. Use Media Services Packager to package MP4 to Smooth Streaming.

  3. Use Media Services Encryptor to encrypt Smooth Streaming with PlayReady.

  4. Create a Locator to get Smooth Streaming and MPEG DASH streaming URLs.

Starting with an Asset that contains clear Smooth Streaming files

  1. Specify an input asset that contains clear Smooth Streaming files.

  2. Use Media Services Encryptor to encrypt Smooth Streaming with PlayReady.

  3. Create a Locator to get Smooth Streaming and MPEG DASH streaming URLs.

Starting with an Asset that contains PlayReady Smooth Streaming files

  1. Specify PlayReady Smooth Stream as your input asset. For more information, see Uploading Encrypted Content.

  2. Create a Locator to get Smooth Streaming and MPEG DASH streaming URLs.

For more information, see Protecting Assets with Microsoft PlayReady.

Encrypting HLS v3 with PlayReady

To encrypt HLS with PlayReady, you must first get Smooth Streaming encrypted with PlayReady. To get PlayReady encrypted Smooth Streaming, refer to the Encrypting Smooth Streaming with PlayReady section.

Once you have an asset that contains PlayReady Smooth Stream, use Media Services Packager to package this asset to HLS with PlayReady.

Then, create a Locator to get the HLS streaming URL.

The following example demonstrates how to encrypt your HLS with PlayReady: Producing HLSv3 Encrypted with PlayReady

Consuming media

For information about developing client applications and consuming media, see Developing Windows Azure Media Services Client Applications.

Build date: 2014-04-09
© 2014 Microsoft. All rights reserved.