Alibaba Cloud proprietary cryptography can encrypt live streams. This topic describes the benefits, architecture, and usage methods of Alibaba Cloud proprietary cryptography.
Videos can be generated only in the HTTP Live Streaming (HLS) and Flash Video (FLV) formats.
You can use only ApsaraVideo Player to play videos that are encrypted using Alibaba Cloud proprietary cryptography.
For information about HTML5 compatibility, see the description of the feature "Playback of videos encrypted using Alibaba Cloud proprietary cryptography" in Features of the HTML5 player supported by browsers.
Background information
Users can pay a one-time fee for a live stream and download the video file from a legal streaming URL for which hotlink protection is configured. After the video file is downloaded, redistribution of the video file is uncontrollable. Therefore, hotlink protection is not enough to protect copyrights of live streams.
Benefits
Alibaba Cloud proprietary cryptography encrypts video data. Video files that are downloaded to on-premises devices are encrypted. This prevents unauthorized redistribution. Proprietary cryptography can prevent video leakage and hotlinking, and can be applied to a wide range of online copyrighted video fields such as online education, finance, industry training, and premium TV shows.
Alibaba Cloud utilizes the proprietary cryptography algorithm to provide a high level of security, which lets you protect your video resources in a convenient, efficient, and secure manner.
Each media file has a dedicated encryption key. This prevents many video files from being exposed if a single key is leaked.
ApsaraVideo Live provides a comprehensive permission management system. You can create RAM users and use playback credentials to control the access permissions.
ApsaraVideo Live uses ciphertext and plaintext keys to provide an envelope encryption system. The plaintext keys are not stored and are used only to process data in the memory.
ApsaraVideo Live provides secure player kernel SDKs.
Overall architecture
The Alibaba Cloud proprietary cryptography process consists of two phases: encryption and transcoding, followed by decryption and playback.
Encryption and transcoding: Steps 1 to 3 in the following flowchart.
After a streamer ingests a live stream to a live center, ApsaraVideo Live uses KMS to generate a plaintext key and a ciphertext key. Then, ApsaraVideo Live uses the plaintext key to perform symmetric encryption on the audio and video of the live stream, and encapsulates the ciphertext key in the video.
Decryption and playback: Steps 4 to 11 in the following flowchart.
To play the live stream, the playback client sends a playback request to the AppServer to obtain the streaming URL. Then, the playback client uses the streaming URL to request the video stream from ApsaraVideo Live. ApsaraVideo Live transmits the transcoded and encrypted video and the ciphertext key to ApsaraVideo Player SDK.
The playback client uses the ciphertext key to request the encrypted plaintext key from ApsaraVideo Live. Then, ApsaraVideo Live uses the ciphertext key to request the plaintext key from KMS. The playback client transmits the decrypted plaintext key to ApsaraVideo Player SDK, which then decrypts and plays the video.
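The key handling described above follows the envelope encryption pattern. The following added example, which is not Alibaba Cloud code, walks through it locally: AES-256-GCM stands in for the undisclosed proprietary algorithm, an in-memory key stands in for the KMS master key, and all class, method, and variable names are hypothetical.

```java
import javax.crypto.*;
import javax.crypto.spec.*;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;

public class EnvelopeDemo {
    static final SecureRandom RNG = new SecureRandom();

    // AES-256-GCM; output is a fresh 12-byte nonce followed by ciphertext and tag.
    static byte[] seal(SecretKey key, byte[] plain) throws Exception {
        byte[] iv = new byte[12];
        RNG.nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, iv));
        byte[] ct = c.doFinal(plain);
        byte[] out = Arrays.copyOf(iv, iv.length + ct.length);
        System.arraycopy(ct, 0, out, iv.length, ct.length);
        return out;
    }

    // Reverses seal(); throws AEADBadTagException if the key or the data is wrong.
    static byte[] open(SecretKey key, byte[] blob) throws Exception {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(128, blob, 0, 12));
        return c.doFinal(blob, 12, blob.length - 12);
    }

    static SecretKey newAesKey() throws Exception {
        KeyGenerator g = KeyGenerator.getInstance("AES");
        g.init(256, RNG);
        return g.generateKey();
    }

    public static void main(String[] args) throws Exception {
        SecretKey cmk = newAesKey(); // stand-in for the KMS master key; it never leaves "KMS"
        // Steps 1-3: one data key per stream; only its wrapped (ciphertext) form travels with the video.
        SecretKey dataKeyA = newAesKey();
        byte[] ciphertextKeyA = seal(cmk, dataKeyA.getEncoded());
        byte[] segment = seal(dataKeyA, "constructed sample segment".getBytes(StandardCharsets.UTF_8));
        // Steps 4-11: the player holds segment + ciphertextKeyA; the service has KMS unwrap the key.
        SecretKey unwrapped = new SecretKeySpec(open(cmk, ciphertextKeyA), "AES");
        System.out.println(new String(open(unwrapped, segment), StandardCharsets.UTF_8));
        // Per-stream keys: a key issued for another stream cannot open this one.
        try {
            open(newAesKey(), segment);
        } catch (AEADBadTagException e) {
            System.out.println("other stream's key rejected");
        }
    }
}
```

A downloaded copy of the stream contains only the encrypted segment and the ciphertext key, so it cannot be opened without a request that the key service is willing to authorize.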
Usage methods
Alibaba Cloud proprietary cryptography is configured using a transcoding template. You can use the ApsaraVideo Live console or call an API operation to configure the template.
To use Alibaba Cloud proprietary cryptography, you must specify a KMS key ID. If you do not have a key, go to the KMS console to create one. Make sure that the region of the key is the same as the region in which the domain name resides. For more information, see Create a CMK.
Method 1: You can use the ApsaraVideo Live console. For more information, see default transcoding and custom transcoding.
Method 2: Call an API operation to configure Alibaba Cloud proprietary cryptography.
To configure a video encryption transcoding template, call the AddLiveStreamTranscode operation to add a default transcoding configuration, or call the AddCustomLiveStreamTranscode operation to add a custom transcoding configuration. Then, set the EncryptParameters parameter. In this parameter, set EncryptType to aliyun.
The following sample code provides an example of how to use the server SDK for Java to add a default transcoding configuration:
```java
// This file is auto-generated, don't edit it. Thanks.
package demo;

import com.aliyun.auth.credentials.Credential;
import com.aliyun.auth.credentials.provider.StaticCredentialProvider;
import com.aliyun.core.http.HttpClient;
import com.aliyun.core.http.HttpMethod;
import com.aliyun.core.http.ProxyOptions;
import com.aliyun.httpcomponent.httpclient.ApacheAsyncHttpClientBuilder;
import com.aliyun.sdk.service.live20161101.models.*;
import com.aliyun.sdk.service.live20161101.*;
import com.google.gson.Gson;
import darabonba.core.RequestConfiguration;
import darabonba.core.client.ClientOverrideConfiguration;
import darabonba.core.utils.CommonUtil;
import darabonba.core.TeaPair;

//import javax.net.ssl.KeyManager;
//import javax.net.ssl.X509TrustManager;
import java.net.InetSocketAddress;
import java.time.Duration;
import java.util.*;
import java.util.concurrent.CompletableFuture;
import java.io.*;

public class AddLiveStreamTranscode {
    public static void main(String[] args) throws Exception {

        // HttpClient Configuration
        /*HttpClient httpClient = new ApacheAsyncHttpClientBuilder()
                .connectionTimeout(Duration.ofSeconds(10)) // Set the connection timeout. The default is 10 seconds.
                .responseTimeout(Duration.ofSeconds(10)) // Set the response timeout. The default is 20 seconds.
                .maxConnections(128) // Set the connection pool size.
                .maxIdleTimeOut(Duration.ofSeconds(50)) // Set the connection pool timeout. The default is 30 seconds.
                // Configure the proxy.
                .proxy(new ProxyOptions(ProxyOptions.Type.HTTP, new InetSocketAddress("<YOUR-PROXY-HOSTNAME>", 9001))
                        .setCredentials("<YOUR-PROXY-USERNAME>", "<YOUR-PROXY-PASSWORD>"))
                // For an HTTPS connection, configure the certificate or ignore the certificate using .ignoreSSL(true).
                .x509TrustManagers(new X509TrustManager[]{})
                .keyManagers(new KeyManager[]{})
                .ignoreSSL(false)
                .build();*/

        // Configure credentials, including the AccessKey ID, AccessKey secret, and token.
        StaticCredentialProvider provider = StaticCredentialProvider.create(Credential.builder()
                // Please ensure that the environment variables ALIBABA_CLOUD_ACCESS_KEY_ID and ALIBABA_CLOUD_ACCESS_KEY_SECRET are set.
                .accessKeyId(System.getenv("ALIBABA_CLOUD_ACCESS_KEY_ID"))
                .accessKeySecret(System.getenv("ALIBABA_CLOUD_ACCESS_KEY_SECRET"))
                //.securityToken(System.getenv("ALIBABA_CLOUD_SECURITY_TOKEN")) // use STS token
                .build());

        // Configure the Client.
        AsyncClient client = AsyncClient.builder()
                .region("<Your RegionId>") // The region ID.
                //.httpClient(httpClient) // Use the configured HttpClient. Otherwise, the default Apache HttpClient is used.
                .credentialsProvider(provider)
                //.serviceConfiguration(Configuration.create()) // The service-level configuration.
                // Override the client-level configuration. You can set parameters such as the endpoint and HTTP request parameters.
                .overrideConfiguration(
                        ClientOverrideConfiguration.create()
                                // For the endpoint, see https://api.aliyun.com/product/live.
                                .setEndpointOverride("live.aliyuncs.com")
                        //.setConnectTimeout(Duration.ofSeconds(30))
                )
                .build();

        // Set the parameters for the API request.
        AddLiveStreamTranscodeRequest addLiveStreamTranscodeRequest = AddLiveStreamTranscodeRequest.builder()
                .regionId("<Your RegionId>")
                .domain("<Your Domain>")
                .app("<Your App Name>")
                .template("<Your Template>")
                .encryptParameters("<Your EncryptParameters>")
                // Override the request-level configuration. You can set parameters such as HTTP request headers.
                // .requestConfiguration(RequestConfiguration.create().setHttpHeaders(new HttpHeaders()))
                .build();

        // Asynchronously retrieve the API response.
        CompletableFuture<AddLiveStreamTranscodeResponse> response = client.addLiveStreamTranscode(addLiveStreamTranscodeRequest);
        // Synchronously retrieve the API response.
        AddLiveStreamTranscodeResponse resp = response.get();
        System.out.println(new Gson().toJson(resp));

        // Asynchronously process the response.
        /*response.thenAccept(resp -> {
            System.out.println(new Gson().toJson(resp));
        }).exceptionally(throwable -> { // Handle exceptions.
            System.out.println(throwable.getMessage());
            return null;
        });*/

        // Close the client.
        client.close();
    }
}
```
Note: If changes are made to the transcoding configuration, you must re-ingest a stream for the configuration to take effect.
For more information about the server SDK for Java, see Use the server SDK for Java.
Other related API operations:
API operation
Description
Updates a default transcoding configuration.
Updates a custom transcoding configuration.
Queries the transcoding configurations of a streaming domain.
Deletes a transcoding configuration.
References
When you use the video encryption feature, the AliyunServiceRoleForLiveKes role is automatically created to obtain the access permissions on KMS. For more information, see Manage service-linked role for video encryption.