ApsaraVideo Live provides a comprehensive content security protection system to meet the security requirements in different business scenarios. The security services include RAM user, HTTPS-based acceleration, and access control. This topic describes how to protect live streaming.
Protect live streaming
To ensure the security of live streaming configurations, live stream production, stream ingest, and playback, ApsaraVideo Live provides a comprehensive content security protection system to meet the security requirements in different business scenarios. The system protects live streams from hotlinking and illegal download or distribution.
The following figure shows the security services that are provided by ApsaraVideo Live.
Live streaming security
The following table describes the security services that are provided by ApsaraVideo Live.
|Security service||Security feature||Characteristics||Security level||Barrier to entry|
|Authorization||RAM user||RAM users can be granted corresponding permissions based on permission policies.||Relatively low||Low. Only configurations in the cloud are required.|
|Secure acceleration||HTTPS-based acceleration||HTTPS is used for secure communication over networks. HTTPS encapsulates HTTP data by using the Secure Sockets Layer (SSL) or Transport Layer Security (TLS) protocol.||High||Low. Only configurations in the cloud are required.|
|Access control||User-Agent blacklist or whitelist||This feature tracks sources based on HTTP headers, which are prone to forgery.||Low||Low. Only configurations in the cloud are required.|
|Referer-based hotlink protection||This feature tracks sources based on HTTP headers, which are prone to forgery.||Low||Low. Only configurations in the cloud are required.|
|IP address blacklist or whitelist||This feature rejects or allows access only from specific IP addresses. This feature is unsuitable for the distribution of content to a large number of consumers.||Relatively low||Low. Only configurations in the cloud are required.|
|URL signing for stream ingest and playback||URL signing for stream ingest and playback||This feature supports custom authentication keys and expiration time. This feature also allows you to generate dynamic signed URLs.||Medium||Relatively low. Scripts are provided to generate signed URLs.|
|Remote authentication||ApsaraVideo Live passes through business requests to the authentication center of a customer for authentication.||The customer can add custom business request information and use their own authentication centers to verify requests.||High||Relatively high. You must deploy an authentication center and ensure its high availability.|
|Video security||Alibaba Cloud video encryption||A cloud-device integrated video encryption solution that uses a proprietary cryptography algorithm to ensure the security of video stream transmission.||High||Relatively low. You need only to perform simple configurations and integrate ApsaraVideo Player SDK.|
|Digital rights management (DRM) encryption||Many platforms, such as Apple FairPlay and Google Widevine, provide native support for DRM. DRM provides high security and meets the requirements of large copyrighted content providers.||High||Relatively high. You are charged based on the number of license calls. You need only to integrate ApsaraVideo Player SDK.|
Background information: AccessKey pairs of Alibaba Cloud accounts have full permissions and bring high risks of data leaks if the AccessKey pairs are disclosed.
Introduction: ApsaraVideo Live authenticates the identities of users who initiate requests and determines whether the users have the required permissions based on AccessKey pairs. ApsaraVideo Live allows you to authenticate accounts and provides system authorization policies. In addition, you can customize authorization policies. For more information, see Overview.
Background information: HTTP does not encrypt data. Instead, HTTP transmits data in plaintext.
Introduction: HTTPS is used for secure communication over networks. As a secure version of HTTP, HTTPS encapsulates HTTP data by using the SSL or TLS protocol. SSL or TLS is the security foundation of HTTPS. For more information, see Secure acceleration.
You can configure access control policies in the cloud to provide basic protection for live streams.
The following common access control policies are provided:
- Referer-based hotlink protection
You can use the referer header in HTTP requests to track and identify where the requests come from. You can configure a referer blacklist or whitelist to manage access to video resources.
- User-Agent blacklist or whitelist
You can use the User-Agent header in HTTP requests to track and identify where requests come from. You can configure a User-Agent blacklist or whitelist to control access to video resources.
- IP address blacklist or whitelist
You can configure an IP address blacklist or whitelist to identify and filter users. This helps you control access to live stream resources and improve the security of live streams.
For more information, see Access control.
URL signing for stream ingest and playback
Background information: If fixed playback URLs are used, unauthorized video distribution may occur and cannot be controlled.
Introduction: ApsaraVideo Live provides the URL signing feature. This feature generates dynamic signed URLs that contain information such as the permission verification and validity period to distinguish legal requests and protect video resources.
After URL signing is enabled:
- Both stream ingest URLs and streaming URLs are signed.
- ApsaraVideo Player SDKs and the API or SDKs provided by ApsaraVideo Live to obtain playback URLs automatically generate playback URLs with a validity period. For more information about how to manually generate a dynamic signed URL, see the authentication method in URL signing.
For more information, see URL signing.
Background information: The URL signing feature of ApsaraVideo Live cannot detect all illegal requests such as hotlinking requests. Remote authentication allows customers to authenticate business requests and makes the authentication more accurate.
Introduction: In remote authentication mode, CDN for ApsaraVideo Live passes through user requests to your authentication center to determine whether the requests are legal. CDN allows or rejects the requests based on the authentication results.
- To implement remote authentication, you must develop and deploy an authentication center. If the domain name of the authentication center is accelerated in CDN, CDN can cache the authentication results based on specific rules. This reduces the pressure on your authentication center.
- By default, CDN for ApsaraVideo Live passes through the headers and the request_uri field in user requests to your authentication center and performs operations based on the authentication results returned by the authentication center.
- You can hide the logon cookie or universally unique identifier (UUID) of a user in a playback request and passes through the playback request to your authentication center. This way, you can determine whether the user is a legal user.
Background information: The hotlink protection feature can prevent unauthorized access to your content. However, in the paid live stream scenario, users can pay a one-time fee for a live stream and download the video file from the legal playback URL for which hotlink protection is configured. After the video file is downloaded, redistribution of the video file is uncontrollable. Therefore, hotlink protection is not enough to protect copyrights of live streams. The leakage of video files can cause serious economic losses to your business that charges users for watching videos.
Introduction: Alibaba Cloud video encryption encrypts video data. Video files downloaded to on-premises devices are encrypted. This prevents unauthorized redistribution. Video encryption can prevent video leakage and hotlinking.
- Alibaba Cloud video encryption
Alibaba Cloud video encryption uses a proprietary cryptography algorithm and a secure transmission system to provide a cloud-device integrated video security solution. Alibaba Cloud video encryption consists of encrypted transcoding and playback after decryption.Benefits:
Notice Videos that are encrypted by using Alibaba Cloud video encryption have the following limits:
- Each media file has a dedicated encryption key. This prevents the leakage of a large number of video files if the key for a single file is leaked.
- ApsaraVideo Live uses ciphertext and plaintext keys to provide an envelope encryption system. Only the ciphertext keys are stored. The plaintext keys are used in the memory and are immediately destroyed after use.
- ApsaraVideo Live provides secure ApsaraVideo Player SDKs for multiple platforms, including iOS, Android, HTML5, and Flash. ApsaraVideo Player SDKs can automatically decrypt and play encrypted videos.
- A proprietary cryptography protocol is used to transmit ciphertext keys between players and the cloud. The plaintext keys are not transmitted. This can prevent the keys from being intercepted.
- ApsaraVideo Live provides the secure download feature. Videos cached on on-premises devices are encrypted again. This allows the videos to be played offline and prevents the videos from being copied and redistributed.
- The videos can be exported only in the HTTP Live Streaming (HLS) format.
- Videos that are encrypted by using Alibaba Cloud video encryption can be played only by ApsaraVideo Player.
- Videos cannot be played in browsers.
For more information, see Alibaba Cloud video encryption.
- DRM encryption
High-end video programs must meet the security requirements of content copyright and provider. ApsaraVideo Live provides a cloud-based DRM solution that supports FairPlay and Widevine DRM encryption. This solution integrates the video encryption, license issuance, and video playback features.
For more information, see DRM encryption.
Each video encryption solution has advantages and disadvantages. In general, a more standard and universal solution provides higher flexibility but lower security. Select a solution based on your business scenario.