After you use Alibaba Cloud proprietary cryptography to encrypt video data, the downloaded videos are also encrypted and cannot be maliciously distributed. This prevents data leaks and hotlinking. Compared with HTTP-Live-Streaming (HLS) encryption, Alibaba Cloud proprietary cryptography is safer and easier to use. This topic describes how to enable Alibaba Cloud proprietary cryptography and provides solution enhancement.
Background
Users can pay a one-time fee for a video and download the video file from the streaming URL that has hotlink protection. However, distribution of the video file cannot be controlled after the video file is downloaded from the streaming URL. Therefore, hotlink protection is not enough to protect video copyrights. The leakage of video files may cause serious economic losses to customers that charge users for watching videos.
Benefits
Alibaba Cloud proprietary cryptography encrypts video data. Video files remain encrypted even after being downloaded to a local device, which prevents unauthorized redistribution. Video encryption effectively prevents video leaks and hotlinking. It is widely used for online copyrighted videos in fields such as online education, finance, industry training, and premium TV shows.
Alibaba Cloud utilizes proprietary cryptography algorithms to provide a high level of security, which lets you protect your video resources in a convenient, efficient, and secure manner.
Each media file has a dedicated encryption key. This prevents many video files from being exposed if a single key is leaked.
ApsaraVideo VOD provides a comprehensive permission management system. You can create RAM users and use playback credentials to control the access permissions.
ApsaraVideo VOD uses ciphertext and plaintext keys to provide an envelope encryption system. The plaintext keys are not stored and are used only to process data in the memory.
ApsaraVideo VOD provides secure player kernel SDKs.
Encryption type | HLS | MP4 | Features | Usage notes |
Alibaba Cloud proprietary cryptography | Supported | Not supported | ApsaraVideo VOD uses a proprietary cryptography algorithm to provide a cloud-device integrated video encryption solution. This ensures the security of transmission links. |
|
Alibaba Cloud License-based proprietary cryptography | Supported | Supported | ApsaraVideo VOD uses a proprietary cryptography algorithm to provide a cloud-device integrated video encryption solution. This ensures the security of transmission links. During playback, this option reduces one HTTP request for obtaining the key, which improves the startup speed. |
|
Workflow
The Alibaba Cloud proprietary cryptography solution includes two parts: Encryption and Transcoding and Decryption and Playback.
Encryption and transcoding
The application initiates a video encryption request
You submit a transcoding job that requires data encryption (Step 1 in the preceding figure).
ApsaraVideo VOD obtains the encryption key
ApsaraVideo VOD uses Key Management Service (KMS) to generate a plaintext key and a ciphertext key (Step 2 in the preceding figure).
ApsaraVideo VOD encrypts and transcodes the video
ApsaraVideo VOD uses the plaintext key to encrypt the video file. After the video file is transcoded, the plaintext key is discarded (Step 3 in the preceding figure).
ApsaraVideo VOD sends a notification after transcoding is complete
ApsaraVideo VOD saves the encrypted video file and sends you a notification (Step 4 in the preceding figure).
Decryption and playback
Authorization
When a user requests to play a video on a mobile application or web page, the request is first sent to your API or backend page. You can configure permission control to manage content. For example, you can require users to log on before they can play the video. We recommend that you configure HTTPS for your added domain name. If the playback request is authorized, the AccessKey pair of the RAM user is used to access ApsaraVideo VOD and obtain a playback credential. Then, the playback credential is sent to the mobile application or web page.
Playback URL acquisition
The mobile application or web page sends the playback credential and media ID to Player. Player SDK proceeds with the following operations:
Obtain the playback URL in the specific video format and definition from ApsaraVideo VOD based on the media ID.
Obtain the encryption key of the video.
Decryption and playback
ApsaraVideo VOD provides secure player kernel SDKs, which use the encryption key to decrypt and play the video.
Prerequisites
Alibaba Cloud proprietary cryptography is free of charge. However, you must transcode the video for encryption. You are charged for transcoding. For more information, see Media transcoding.
Alibaba Cloud proprietary cryptography supports only the HLS container format. Encrypted content can be decrypted and played only using the ApsaraVideo Player SDK that is provided by ApsaraVideo VOD.
Usage notes
Prerequisites
ApsaraVideo VOD is activated. For more information, see Activate ApsaraVideo VOD.
An accelerated domain name is added to ApsaraVideo VOD. For more information, see Add a domain name for CDN.
Note: Playback platforms support different encryption types. Select the playback platform as needed. For more information about supported playback protocols, see Compatibility of Player SDK.
Video encryption
Create a transcoding template group and specify Alibaba Cloud proprietary cryptography.
Console
Log on to the ApsaraVideo VOD console. In the navigation pane on the left, choose Configuration Management > Media Processing Settings > Transcoding Template Groups.
On the Transcoding Template Groups page, click Add Transcoding Template Group to create an Audio/Video Transcoding Template for Alibaba Cloud proprietary cryptography.
The following example shows how to configure a Regular Transcoding template:
In the Basic Information section, set Container Format to HLS (.m3u8+ts).
In the Advanced Parameters section, turn on Alibaba Cloud proprietary cryptography.
Configure other parameters as needed. For more information about the parameters, see Transcoding templates.
Click Save.
After the template is created, you can view the ID of the transcoding template group on the Transcoding Template Groups page. Save the transcoding template group ID for subsequent use.
OpenAPI
Call the AddTranscodeTemplateGroup operation and specify
EncryptSettingparameter'sEncryptTypeinTranscodeTemplate.Optional. Create a workflow and add the transcoding template group in which Alibaba Cloud proprietary cryptography is specified.
You can add media processing tasks such as transcoding, review, snapshot capture tasks to a workflow based on a specific order. This way, you can use the workflow to process media files in the specified order.
Add a Transcode node to your workflow and use the transcoding template group in which Alibaba Cloud proprietary cryptography is specified. You can create workflows only using the ApsaraVideo VOD console. For more information, see Workflows.
Start transcoding.
You can trigger transcoding when you upload and process media files. To submit a transcoding task, you can use a transcoding template group or a workflow that contains a transcoding node. For more information about how to start transcoding using the ApsaraVideo VOD console, see Step 2: Start transcoding. For more information about how to start transcoding using the ApsaraVideo VOD API, see Step 2: Start transcoding.
View the transcoding results.
Wait for asynchronous notifications
If you have configured event notifications, you can obtain the transcoding results from the StreamTranscodeComplete or TranscodeComplete callback.
Running synchronous query jobs
Log on to the ApsaraVideo VOD console. In the navigation pane on the left, go to Media Assets > Audio/Video.
On the Audio/Video page, view the Status of the video.
If the Status of the video is Normal, the video is transcoded and encrypted using Alibaba Cloud proprietary cryptography.
Click Manage in the Actions column.
On the Video URL tab, Alibaba Cloud Private Encryption is displayed in the Format column for streams encrypted using Alibaba Cloud proprietary cryptography.
Play videos
Videos encrypted using Alibaba Cloud proprietary cryptography can be played only using ApsaraVideo Player.
Player SDK is supported on multiple platforms including iOS, Android, and Web (HTML and Flash players). You can use Player SDK to play encrypted videos in your application or website.
Before you use Player SDK, you must obtain a license. For more information, see Manage licenses.
Before you integrate Player SDK, make sure that you understand the compatibility of Alibaba Cloud proprietary cryptography with Player SDKs on different platforms. For more information, see Compatibility of Player SDK.
For the specific steps to play proprietary encrypted videos using the ApsaraVideo Player SDK, see Play an encrypted video.
Solution enhancement
If users want to download videos for offline playback, we recommend that you set the Download Mode parameter to Encrypted to protect your videos. For more information, see Configure download settings. This option uses a key to perform secondary encryption on video files. After a video is downloaded, Player SDK decrypts the video and allows the video to be played only by the specified application. This ensures that the copyright of offline videos is protected.