2
votes

I am a newbie at using a streaming server. We are evaluating EvoStream Media Server to stream HLS with AES-128 encryption.

I have a few queries on AES-128. I have searched through Google but had no luck.

When doing HLS with VOD (Video on Demand), EvoStream creates chunks of segments along with an m3u8 index file that contains all the information, including the key and IV.

#EXT-X-KEY:METHOD=AES-128,URI="2015-06-25T11-20-18.key",IV=0x0360f11b211ef025d7f72c41d58e0a2d

My question is: when I play this file in an HTML5 media player and debug it using F12, I can easily get the key and IV used to encrypt the file. Then what kind of security does AES provide if anyone can get the key and IV to decrypt the data?

If anyone has some knowledge of this, please share.


4 Answers

1
votes

The key seems to be in yet another file:

URI="2015-06-25T11-20-18.key"

2015-06-25T11-20-18.key is only a reference to the key, not the key itself.

So you need to control access to the file and only make it available to persons that are allowed to play the video.

1
votes

The answer to your question is that HLS with AES-128 provides transport security making it difficult for someone to capture your content in a man-in-the-middle scenario. It doesn't provide DRM.

You are supposed to change the keys every 3-4 hours and the IV every 50 Mb of data and serve the keys over HTTPS and not plain HTTP.

See Serving Key Files Securely Over HTTPS on the Apple Developer site.

0
votes

The first thing that you have to keep in mind when dealing with content protection is the fact that there is no perfect solution. There is no solution to guarantee you that only the audiences that you intended will be able to watch the video. All the protection schemes make it harder for others to steal it, but not impossible. Here are some of your options:

  • AES-128 encryption - you have to take special care to protect the key. Once the key "leaks", anyone will be able to decode the video with some effort. The advantage is that this method is simple and supported by a multitude of players.
  • SAMPLE-AES encryption - again you have to take care of the key. But even if it "leaks", one would need specialized software to decode the video, as it's not trivial. The disadvantage is that not all players support this method.
  • Use DRM - DRM solutions are very expensive and require effort for integration and specialized players. But they provide the most protection.

There is no silver bullet. It depends on your needs and the level of protection you need. Don't forget that, after all, even the most advanced encryption scheme is not protected against simple things like screen capturing, for example.

0
votes

In the normal case, or a general use case:

 1. You can continue to use AES-128 as the encryption mechanism.
 2. Use HTTPS to provide the transport security.
 3. Use a token/cookie to authorize the user.

(The cookie/token should be sent to the key server, and the key server validates it before delivering the key.)

The above 3 steps provide you content protection, transport protection and user authorization. To answer your second question: authorized users with the right tokens will be able to download the contents and the keys to decrypt them (there are plenty of tools to do it). You need a custom client to avoid that, and HTML5-supported browsers cannot stop that.
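
The key-server check described in the answers above (validate a token before delivering the key), as an added example that is not part of any original post. The token format, the function names, the signing secret and the key store are all assumptions made for illustration; the key file name is the one from the question's `#EXT-X-KEY` line.

```python
import hashlib
import hmac
import os
import time

# Assumptions for this sketch: the signing secret, key store and user ids are
# constructed here; a real deployment loads them from protected storage.
SIGNING_SECRET = os.urandom(32)
KEY_STORE = {"2015-06-25T11-20-18.key": os.urandom(16)}  # AES-128 key = 16 bytes


def _sign(user, key_name, expires):
    """HMAC-SHA256 over the fields the token binds together."""
    msg = f"{user}|{key_name}|{expires}".encode()
    return hmac.new(SIGNING_SECRET, msg, hashlib.sha256).hexdigest()


def issue_token(user, key_name, ttl=300, now=None):
    """Called by the application after it has authenticated the user."""
    expires = int(now if now is not None else time.time()) + ttl
    return f"{user}|{key_name}|{expires}|{_sign(user, key_name, expires)}"


def handle_key_request(key_name, token, now=None):
    """Key-server handler: returns (HTTP status, body). Expose it over HTTPS only."""
    now = int(now if now is not None else time.time())
    try:
        user, bound_name, expires, mac = token.split("|")
        expires = int(expires)
    except (AttributeError, ValueError):
        return 401, b""                      # missing or malformed token
    expected = _sign(user, bound_name, expires)
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return 403, b""                      # forged or tampered token
    if bound_name != key_name or now > expires:
        return 403, b""                      # token is for another key, or expired
    key = KEY_STORE.get(key_name)
    if key is None:
        return 404, b""
    return 200, key                          # raw 16 bytes, as the player expects
```

A client holding a valid token still receives the raw key, so this controls who can fetch the key and for how long, not what an authorized viewer does with it afterwards.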