ApsaraVideo Live: Alibaba Cloud proprietary cryptography

Last Updated: Mar 11, 2024

Alibaba Cloud proprietary cryptography can encrypt live streams. This topic describes the benefits, architecture, and usage method of Alibaba Cloud proprietary cryptography.

Note
  • If your domain name uses Alibaba Cloud proprietary cryptography for the first time, you must submit a ticket to apply to enable the feature. After the feature is enabled, adopt the usage method described in this topic.

  • Videos can be generated only in the HTTP Live Streaming (HLS) format.

  • You can use only ApsaraVideo Player to play videos that are encrypted by using Alibaba Cloud proprietary cryptography.

  • For information about HTML5 compatibility, see the description of the feature "Playback of videos encrypted by using Alibaba Cloud proprietary cryptography" in Features of the HTML5 player supported by browsers.

  • To use Alibaba Cloud proprietary cryptography, you must grant permissions to access Key Management Service (KMS) by assigning the AliyunServiceRoleForLiveKes role.

Background information

Users can pay a one-time fee for a live stream and download the video file from a legitimate streaming URL for which hotlink protection is configured. After the video file is downloaded, its redistribution cannot be controlled. Therefore, hotlink protection alone is not enough to protect the copyright of live streams.

Benefits

Alibaba Cloud proprietary cryptography encrypts video data, so video files that are downloaded to local devices remain encrypted. This prevents unauthorized redistribution. Proprietary cryptography can prevent video leakage and hotlinking, and applies to a wide range of scenarios that involve copyrighted online video, such as online education, finance, industry training, and premium TV shows.

Alibaba Cloud uses a proprietary cryptography algorithm to provide a high level of security, which allows you to protect your video resources in a convenient, efficient, and secure manner.

  • Each media file has a dedicated encryption key. This prevents a large number of video files from being exposed if a single key is leaked.

  • ApsaraVideo Live provides a comprehensive permission management system. You can create RAM users and use playback credentials to control the access permissions.

  • ApsaraVideo Live uses ciphertext and plaintext keys to provide an envelope encryption system. The plaintext keys are not stored and are used only to process data in the memory.

  • ApsaraVideo Live provides secure player kernel SDKs.

Overall architecture

The Alibaba Cloud proprietary cryptography process consists of two phases: encryption and transcoding, followed by decryption and playback.

  • Encryption and transcoding: Steps 1 to 3 in the following flowchart.

    After a streamer ingests a live stream to a live center, ApsaraVideo Live uses KMS to generate a plaintext key and a ciphertext key. Then, ApsaraVideo Live uses the plaintext key to perform symmetric encryption on the audio and video of the live stream, and encapsulates the ciphertext key in the video.

  • Decryption and playback: Steps 4 to 11 in the following flowchart.

    To play the live stream, the playback client sends a playback request to the AppServer to obtain the streaming URL. Then, the playback client uses the streaming URL to request the video stream from ApsaraVideo Live. ApsaraVideo Live transmits the transcoded and encrypted video and the ciphertext key to ApsaraVideo Player SDK.

    The playback client uses the ciphertext key to request the encrypted plaintext key from ApsaraVideo Live. Then, ApsaraVideo Live uses the ciphertext key to request the plaintext key from KMS. The playback client transmits the decrypted plaintext key to ApsaraVideo Player SDK, which then decrypts and plays the video.

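[Figure: flowchart of the process, covering encryption and transcoding (Steps 1 to 3) and decryption and playback (Steps 4 to 11)]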
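
The flow described above is an instance of envelope encryption. The following sketch is an added example, not Alibaba Cloud code: AES-256-GCM stands in for the proprietary algorithm, which this topic does not describe, MockKms is a hypothetical in-process stand-in for KMS, and the playback hops through the AppServer and ApsaraVideo Live are collapsed into a single call.

```ruby
require 'openssl'

# AES-256-GCM stands in for the proprietary cipher. Blob: nonce(12) || tag(16) || data.
def seal(key, plaintext)
  c = OpenSSL::Cipher.new('aes-256-gcm').encrypt
  c.key = key
  nonce = c.random_iv
  c.auth_data = ''
  data = c.update(plaintext) + c.final
  nonce + c.auth_tag + data
end

# Raises OpenSSL::Cipher::CipherError if the key is wrong or the blob was altered.
def unseal(key, blob)
  raise ArgumentError, 'blob too short' if blob.bytesize <= 28
  c = OpenSSL::Cipher.new('aes-256-gcm').decrypt
  c.key = key
  c.iv = blob.byteslice(0, 12)
  c.auth_tag = blob.byteslice(12, 16)
  c.auth_data = ''
  c.update(blob.byteslice(28..-1)) + c.final
end

# Hypothetical stand-in for KMS: the master key never leaves this object.
class MockKms
  def initialize
    @master = OpenSSL::Random.random_bytes(32)
  end

  # Returns [plaintext key, ciphertext key]; a new pair on every call.
  def generate_data_key
    plain = OpenSSL::Random.random_bytes(32)
    [plain, seal(@master, plain)]
  end

  def decrypt(ciphertext_key)
    unseal(@master, ciphertext_key)
  end
end

# Encryption side: only the ciphertext key is kept alongside the encrypted media.
def encrypt_stream(kms, media)
  plain, ciphertext_key = kms.generate_data_key
  { ciphertext_key: ciphertext_key, media: seal(plain, media) }
end

# Playback side: the ciphertext key goes back to KMS, and the result decrypts the media.
def play_stream(kms, stream)
  unseal(kms.decrypt(stream[:ciphertext_key]), stream[:media])
end
```

Because the stored object holds only the ciphertext key, a downloaded copy cannot be decrypted without a call to the key service, and a leaked data key exposes one stream only.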

Usage method

Create a key in the KMS console and configure the key ID in a transcoding template of ApsaraVideo Live. Then, use ApsaraVideo Player to decrypt and play encrypted live streams.

You cannot configure Alibaba Cloud proprietary cryptography in the ApsaraVideo Live console. To use the feature, call the AddLiveStreamTranscode operation and set the EncryptParameters parameter. Alternatively, submit a ticket. For more information about how to submit a ticket, see Contact us.