I am currently working on a project of videos on demand where I convert videos to HLS using FFMPEG.
Videos are publicly hosted on AWS S3 and there is an API giving the URL of the HLS playlist.
Now, I was looking at encrypting HLS files with AES-128 so that people can't download and watch the video offline. I found a procedure that consists of hosting the key online and using that key while converting the video to encrypt the segments.
The URL of the key is written in the HLS playlist, and the file is publicly available online.
So anyone has access to the encryption key.
I don't understand what the point of encrypting the segments is if anyone has access to the key.
Can someone enlighten me? I know I must be missing something. Thanks!
HLS AES-128 encryption refers to video streams using the HLS streaming protocol wherein the video files are encrypted using the AES-128 algorithm. The key exchange happens through the secure HTTPS protocol.
For some of the protection schemes, the API supports multiple protection schemes as well as key rotation. HLS streams can also be protected by using key files stored in the Wowza Streaming Engine server's keys folder ([install-dir]/keys).
Apple HLS supports two encryption methods. AES-128: it encrypts the whole segment with the Advanced Encryption Standard (AES) using a 128-bit key, Cipher Block Chaining (CBC) and PKCS7 padding. CBC is restarted with each segment using the Initialization Vector (IV) provided.
HLSe does secure the content against most standard users trying to get the content, but is not considered DRM level content protection. Video Cloud supports HLS encryption in Brightcove Players. For more information on Brightcove Player support, see Brightcove Player System Requirements.
Encrypting HLS provides transport security as long as the key is requested over HTTPS, as it should be. This is not considered a DRM-level solution; it's just a very basic form of content protection.
In addition to using HTTPS for the keys, you can improve it by authenticating key requests (e.g. using a token-based authentication mechanism) and rotating the keys every n minutes following the HLS standard.
If you want true DRM you have to look at other solutions like Widevine, Primetime etc.
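The per-segment AES-128-CBC scheme the answers above describe, as an added example (not code from the question, the answers, FFmpeg, Wowza or Brightcove): the packager encrypts each segment with the key the playlist points at, and any client that fetched that key decrypts it with nothing more than the playlist's media sequence number for the IV. The 16-byte key and segment bytes a caller passes in are constructed sample values.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
)

// hlsIV: when EXT-X-KEY carries no IV attribute, the IV is the segment's media sequence number as a 128-bit big-endian integer.
func hlsIV(mediaSequence uint64) []byte {
	iv := make([]byte, aes.BlockSize)
	binary.BigEndian.PutUint64(iv[8:], mediaSequence)
	return iv
}

// EncryptSegment mirrors the packager: AES-128-CBC, PKCS#7 padding, CBC restarted for every segment with its own IV.
func EncryptSegment(key, segment []byte, mediaSequence uint64) ([]byte, error) {
	block, err := aes.NewCipher(key) // a 16-byte key selects AES-128
	if err != nil {
		return nil, err
	}
	n := aes.BlockSize - len(segment)%aes.BlockSize
	padded := append(append([]byte{}, segment...), bytes.Repeat([]byte{byte(n)}, n)...)
	out := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, hlsIV(mediaSequence)).CryptBlocks(out, padded)
	return out, nil
}

// DecryptSegment mirrors any client that fetched the key named in the playlist: key plus playlist is all it needs.
func DecryptSegment(key, ciphertext []byte, mediaSequence uint64) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(ciphertext) == 0 || len(ciphertext)%aes.BlockSize != 0 {
		return nil, errors.New("ciphertext is not a whole number of AES blocks")
	}
	out := make([]byte, len(ciphertext))
	cipher.NewCBCDecrypter(block, hlsIV(mediaSequence)).CryptBlocks(out, ciphertext)
	n := int(out[len(out)-1]) // validate and strip PKCS#7 padding
	if n == 0 || n > aes.BlockSize || !bytes.Equal(out[len(out)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("invalid PKCS#7 padding: wrong key or IV")
	}
	return out[:len(out)-n], nil
}
```

Serving the key only over HTTPS and behind a token check limits who can call DecryptSegment; it does not change the fact that whoever obtains the key holds everything needed to decrypt.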