To ensure the security of live streaming during configuration, content production, stream ingest, and playback, ApsaraVideo Live provides a comprehensive content security protection system to meet the security requirements in different business scenarios. This way, live streams are protected from hotlinking and illegal downloads or distribution. This topic describes how to protect live streaming security.
Live streaming security
The following figure shows the security features that are provided by ApsaraVideo Live.
The following table describes the security features that are provided by ApsaraVideo Live.
Security mechanism | Feature | Description | Security level | Threshold |
RAM users | You can grant permissions to RAM users by configuring policies. | Relatively low | Low. Only configurations in the cloud are required. | |
HTTPS secure acceleration | HTTPS is used for secure communication over networks. HTTPS encapsulates HTTP data by using the Secure Sockets Layer (SSL) or Transport Layer Security (TLS) protocol. | High | Low. Only configurations in the cloud are required. | |
User-Agent blacklist or whitelist | This feature tracks sources based on HTTP headers, which are prone to forgery. | Low | Low. Only configurations in the cloud are required. | |
Referer-based hotlink protection | This feature tracks sources based on HTTP headers, which are prone to forgery. | Low | Low. Only configurations in the cloud are required. | |
IP address blacklist or whitelist | This feature rejects or allows access requests that are sent only from specific IP addresses. This feature is not suitable for distributing content to a large number of consumers. | Relatively low | Low. Only configurations in the cloud are required. | |
URL signing for stream ingest and playback | This feature supports custom authentication keys and expiration time, and also allows you to generate dynamic signed URLs. | Medium | Relatively low. Scripts are required to generate signed URLs. | |
User requests passed to your authentication center for authentication | You add custom request information and use your own authentication center to verify requests. | High | Relatively high. You must deploy an authentication center and ensure its high availability. | |
Alibaba Cloud proprietary cryptography | A cloud-device integrated video encryption solution that uses a proprietary cryptography algorithm to ensure the security of video stream transmission. | High | Relatively low. You need only to perform simple configurations and integrate ApsaraVideo Player SDK. | |
Digital rights management (DRM) encryption | Platforms such as Apple FairPlay and Google Widevine provide native support for DRM. DRM features high security and meets the requirements of large copyrighted content providers. | High | Relatively high. You are charged based on the number of license calls. You need only to integrate ApsaraVideo Player SDK. |
Account authorization
Background information: AccessKey pairs of Alibaba Cloud accounts have full permissions and bring high risks of data leaks if the AccessKey pairs are disclosed.
Introduction: ApsaraVideo Live authenticates the identities of users who initiate requests and determines whether the users have the required permissions based on AccessKey pairs. ApsaraVideo Live allows you to authenticate accounts and provides system policies. In addition, you can create custom policies. For more information, see Permission management overview.
Secure acceleration
Background information: HTTP does not encrypt data. Instead, HTTP transmits data in plaintext.
Introduction: HTTPS is used for secure communication over networks. As a secure version of HTTP, HTTPS encapsulates HTTP data by using the SSL or TLS protocol. SSL or TLS is the security foundation of HTTPS. For more information, see Secure acceleration.
Access control
You can configure access control policies in the cloud to provide basic protection for live streaming.
The following common access control policies are provided:
Referer-based hotlink protection
You can use the Referer header in HTTP requests to track and identify where the requests come from. You can configure a Referer-based blacklist or whitelist to control access to video resources.
User-Agent blacklist or whitelist
You can use the User-Agent header in HTTP requests to track and identify where the requests come from. You can configure a User-Agent blacklist or whitelist to control access to video resources.
IP address blacklist or whitelist
You can configure an IP address blacklist or whitelist to identify and filter users. This helps you control access to live stream resources and improve the security of live streams.
For more information, see Access control.
URL signing for stream ingest and playback
Background information: If fixed streaming URLs are used, unauthorized video distribution may occur and cannot be controlled.
Introduction: ApsaraVideo Live provides the URL signing feature. This feature generates dynamic signed URLs that contain information such as the permission verification and validity period to distinguish legal requests and protect video resources.
After URL signing is enabled:
Both ingest URLs and streaming URLs are signed.
ApsaraVideo Player SDK and the API or SDKs provided by ApsaraVideo Live to obtain streaming URLs automatically generate streaming URLs with a validity period. For information about how to manually generate a dynamic signed URL, see the authentication method described in URL signing.
For more information, see URL signing.
Remote authentication
Background information: The URL signing feature of ApsaraVideo Live cannot detect all illegal requests such as hotlinked requests. Remote authentication allows you to authenticate business requests, which makes the authentication more accurate.
Introduction: In remote authentication mode, CDN passes through user requests to your authentication center so that you can determine whether the requests are legal. CDN allows or rejects the requests based on the authentication results.
To implement remote authentication, you must develop and deploy an authentication center. If the domain name of the authentication center is accelerated in CDN, CDN can cache the authentication results based on specific rules. This reduces the pressure on your authentication center.
By default, CDN passes through the headers and the request_uri field in user requests to your authentication center and performs operations based on the authentication results returned by the authentication center.
You can hide the logon cookie or universally unique identifier (UUID) of a user in a playback request and pass through the playback request to your authentication center. This way, you can determine whether the user is a legal user.
You must develop and deploy your own authentication center to use remote authentication. To enable remote authentication, submit a ticket to contact Alibaba Cloud technical support. For more information, see Contact us.
Video security
Background information: The hotlink protection feature can prevent unauthorized access to your content. However, in paid live streaming scenarios, users can pay a one-time fee for a live stream and download the video file from the legal streaming URL for which hotlink protection is configured. After the video file is downloaded, redistribution of the video file is uncontrollable. Therefore, hotlink protection is far from enough to protect video copyrights. The leakage of video files can cause serious economic losses to your business that charges users for watching videos.
Introduction: Alibaba Cloud proprietary cryptography encrypts video data. Video files downloaded to on-premises devices are encrypted. This helps prevent unauthorized redistribution, video leakage, and hotlinking.
Alibaba Cloud proprietary cryptography
Alibaba Cloud proprietary cryptography uses a proprietary cryptography algorithm and a secure transmission system to provide a cloud-device integrated video security solution. Alibaba Cloud proprietary cryptography consists of encrypted transcoding and playback after decryption.
Benefits:
Each media file has a dedicated encryption key. This prevents a large number of video files from being exposed if a single key is leaked.
ApsaraVideo Live uses ciphertext and plaintext keys to provide envelope encryption. Only the ciphertext keys are stored. The plaintext keys are used in the memory and are immediately destroyed after use.
ApsaraVideo Live provides secure ApsaraVideo Player SDKs for multiple platforms, including iOS, Android, HTML5, and Flash. ApsaraVideo Player SDKs can automatically decrypt and play encrypted videos.
A proprietary cryptography protocol is used to transmit ciphertext keys between players and the cloud. The plaintext keys are not transmitted. This can prevent the keys from being intercepted.
ApsaraVideo Live provides the secure download feature. Videos cached on on-premises devices are encrypted again. This allows the videos to be played offline and prevents the videos from being copied and redistributed.
ImportantVideos that are encrypted by using Alibaba Cloud proprietary cryptography have the following limits:
Videos can be generated only in the HTTP Live Streaming (HLS) format.
You can use only ApsaraVideo Player to play videos that are encrypted by using Alibaba Cloud proprietary cryptography.
Videos cannot be played on web pages.
For more information, see Alibaba Cloud proprietary cryptography.
DRM encryption
High-end video programs, such as sports games and concerts, must meet the security requirements of the content providers. ApsaraVideo Live provides a cloud-based DRM solution that supports FairPlay and Widevine DRM encryption. This solution integrates the video encryption, license issuance, and video playback features.
For more information, see DRM encryption.
Each video encryption solution has advantages and disadvantages. In general, a more standard and universal solution provides higher flexibility but lower security. Select a solution based on your business scenario.