After you enable M3U8 encryption and rewrite, Alibaba Cloud CDN can rewrite M3U8 files that are transmitted over HTTP Live Streaming (HLS). After an M3U8 file is rewritten, encryption parameters are appended to the #EXT-X-KEY tag of the file. The encryption parameters include the encryption algorithm, key URI, and authentication parameters. After a client receives an M3U8 file that is rewritten by Alibaba Cloud CDN, the client uses the key URI that carries authentication parameters to initiate a request. The request retrieves the key from the CDN edge node. Then, the client uses the encryption algorithm and key to decrypt transport stream (TS) files. M3U8 encryption and rewrite can encrypt HLS data transmission.

This topic consists of the following sections:

Background information

HLS is an HTTP-based adaptive bitrate streaming communications protocol developed by Apple Inc. HLS is based on HTTP. Clients download files from servers over HTTP in order. HLS specifies that video files are encapsulated in TS format. Apart from the TS video file, HLS also specifies the M3U8 file that controls playback. HLS splits a video stream into several TS video files for transmission. At the start of a streaming media session, the client first downloads an M3U8 file that contains TS file URLs, which functions as a media playlist. Then, the client uses the URLs to download TS files.

HLS basic fields:
  • #EXTM3U: the M3U8 file header, which must be placed in the first line.
  • EXT-X-MEDIA-SEQUENC: the serial number of the first TL file. In most cases, this serial number is 0. In live streaming scenarios, this serial number marks the start position of the streaming segment. Example: #EXT-X-MEDIA-SEQUENCE:0.
  • #EXT-X-TARGETDURATION: the maximum length of each TS file. For example, #EXT-X-TARGETDURATION:10 specifies that each TS file can be 10 seconds in length.
  • #EXT-X-ALLOW-CACHE: specifies whether the file can be cached. Valid values: #EXT-X-ALLOW-CACHE:YES and #EXT-X-ALLOW-CACHE:NO. In most cases, the value is set to YES.
  • #EXT-X-ENDLIST: the terminator of the M3U8 file.
  • #EXTINF: contains information about the TS files, such as the length and bandwidth. In most cases, the parameter is set in the #EXTINF:<duration>,[<title>] format. You can append other information to the value. The value before the comma (,) specifies the length of the current TS file. The length of a TS file must be smaller than the value of #EXT-X-TARGETDURATIO.
  • #EXT-X-VERSION: the version number of M3U8.
  • #EXT-X-DISCONTINUITY: specifies that two consecutive TS files are interrupted.
  • #EXT-X-PLAYLIST-TYP: the type of the streaming media.
  • #EXT-X-KEY: specifies whether to encrypt and parse data. For example, #EXT-X-KEY:METHOD=AES-128,URI="https://example.com/video.key?token=xxx" specifies that the encryption algorithm is AES-128. Clients can send requests to https://example.com/video.key?token=xxx to acquire the key. The key is stored on the on-premises machine for decrypting TS files.

How it works

  1. A client sends a request to a CDN edge node for an M3U8 file, sch as http://example.com/media/index.m3u8?MtsHlsUriToken=xxx.
  2. The edge node verifies the request. The request passes the verification.
  3. The edge node downloads the M3U8 file from the origin server and caches the M3U8 file.
  4. The edge node rewrites the #EXT-X-KEY tag of the M3U8 file and appends the encryption algorithm, key URI, and authentication parameters to the tag, such as #EXT-X-KEY:METHOD=AES-128,URI="https://example.com/video.key?MtsHlsUriToken=xxx".
  5. The edge node sends the rewritten M3U8 file to the client.
  6. The client receives and parses the M3U8 file and acquires the key URI https://example.com/video.key?MtsHlsUriToken=xxx. Then, the client sends a request to the URI.
  7. The edge node receives and verifies the request, and sends the key file to the client.
  8. The client continues parsing the M3U8 file and downloads TS files from the edge node.
  9. The client uses the key in the key file and the encryption algorithm specified by #EXT-X-KEY to decrypt downloaded TS files.

Scenarios

HLS uses M3U8 files to provide clients with media playlists. After a client receives an M3U8 file, the client can start video playback. To protect video files on origin servers from unauthorized access, Alibaba Cloud CDN must encrypt the TS files that are transmitted over HLS, and inform the clients of the decryption method. To implement this type of encryption, Alibaba Cloud CDN supports the M3U8 encryption and rewrite feature. This feature uses the #EXT-X-KEY tag to inform clients of the encryption algorithm, key URI, and authentication key.

Procedure

For more information about how to enable the M3U8 encryption and rewrite feature, see Parameter pass-through for HLS encryption.