Secure Video Streaming: How to Protect Your Content With Wowza
February 13, 2020
Successfully delivering live and on-demand video content starts with choosing a secure streaming platform. Unauthorized access can compromise the revenue-boosting strategies of subscription and pay-per-view services. And when a streaming implementation involves sensitive or private data, protection is key.
Wowza offers content protection at every step of the workflow — including encryption of incoming and outgoing streams, token authentication, and digital rights management (DRM) for premium content delivery. Layering several security features is often a good idea, as it provides more holistic defense against piracy, hacking, and other cyberattacks.
In this article, we explore options for secure video streaming using Wowza’s products and services.
Secure Video Streaming With Wowza Streaming Engine
Our secure video streaming server software integrates with a number of studio-approved DRM providers for on-the-fly encryption, while also offering more baseline security methods like password protection.
- Password-Based Source Protection
- SecureToken Playback Protection
- SSL and StreamLock Encryption
- Digital Rights Management (DRM)
Password Authentication for RTMP- and RTSP-Based Encoders
Source protection allows you to place restrictions on RTMP- and RTSP-based encoder connections, only allowing publishing from specific IP addresses. This prevents unauthorized computers from streaming through your Wowza Streaming Engine instance.
By restricting access to those with a username and password, source authentication thwarts unauthorized users from streaming to your server. Broadcasters can configure credentials at an application level in the Wowza Streaming Engine Manager.
Restrict Stream Playback to Specific Computers and Devices
Wowza’s SecureToken module restricts playback to specific IP addresses through a challenge-and-response security system on all viewing formats.
The security mechanism uses a handshake between Wowza Streaming Engine and the client to secure content. Each connection is protected by a random single-use key and a password (shared secret). A secure hashing algorithm and customizable security parameters help validate each client attempting to access a stream. This helps prevent spoofing threats.
Near-Instant Provisioning of Secure Sockets Layer (SSL) Certificates
The Wowza StreamLock AddOn is a network encryption option that provides near-instant provisioning of free 2048-bit Secure Sockets Layer (SSL) certificates for RTMP and secure HTTP streaming. This global standard for security technology protects streams as they travel across the public internet by scrambling the data that’s being transmitted.
- HTTPS: Use SSL in conjunction with token-based authentication to secure your HTTP streaming via Apple HLS, Adobe HDS, and Microsoft Smooth Streaming.
- RTMPS: RTMPS is a secure form of RTMP — with the ‘S’ standing for ‘secure’. By streaming encrypted data via a secure connection, RTMPS prevents third parties from intercepting your live streams.
On-the-Fly DRM to Any Screen
For premium content, studio-approved DRM offers yet another level of protection. Wowza DRM provides integration with various DRM platforms, delivering real-time Apple FairPlay, Microsoft PlayReady, or Google Widevine encryption of live and video-on-demand content to any screen. Wowza DRM enables three third-party DRM key-management service providers to deliver encryption keys to Wowza Streaming Engine during encryption and license keys to the viewer’s device during playback.
BuyDRM™ KeyOS™ provides consumer DRM support for Apple FairPlay, Microsoft PlayReady, and Google Widevine using Apple HLS, MPEG-DASH, and Microsoft Smooth Streaming on all standards-based players and the BuyDRM MultiPlay SDKs for Android, iOS, and HTML5 playback.
EZDRM provides Microsoft PlayReady protection for Smooth Streaming clients on Mac and PC, Windows phones, game consoles, set-top boxes, and smart TVs, and with Discretix SecurePlayer media players on iOS and Android devices.
Verimatrix provides Multi-DRM protection for Apple HLS, Smooth Streaming, and MPEG-DASH playback with Widevine, PlayReady, Apple FairPlay Streaming, and Verimatrix ViewRight Web DRM clients for all platforms where these DRMs are supported: macOS, iOS, tvOS, PC, Android devices, Windows phones, game consoles, set-top boxes, smart TVs, etc.
| |BuyDRM KeyOS|EZDRM|Verimatrix|
|---|---|---|---|
|DRM Service Provider|Yes|Yes|Yes|
|DRMs Supported|Apple FairPlay, Microsoft PlayReady, Google Widevine|Microsoft PlayReady|Apple FairPlay Streaming, Microsoft PlayReady, Google Widevine, Verimatrix ViewRight Web|
|Live Clients|All standards-based players. BuyDRM MultiPlay SDKs for Android, iOS, and HTML5.|Smooth Streaming clients on PCs, Macs, Windows phones, game consoles, set-top boxes, and smart TVs|Widevine, PlayReady, Apple FairPlay Streaming, and Verimatrix ViewRight Web DRM clients for all platforms where these DRMs are supported: macOS, iOS, tvOS, PC, Android devices, Windows phones, game consoles, set-top boxes, smart TVs, etc.|
|On-Demand Clients|Same as live clients|Discretix SecurePlayer and Smooth Streaming clients on PCs, Macs, iOS devices, Android devices, Windows phones, game consoles, set-top boxes, and smart TVs|Same as live clients|
Wowza DRM is also compatible with Widevine and Marlin DRM platforms for MPEG-DASH content using Common Encryption (CENC). Leverage the Wowza DRM API to develop a module that handles the key exchange for real-time encryption between Wowza Streaming Engine and a specific Widevine or Marlin DRM provider.
Secure Video Streaming With Wowza Streaming Cloud
Our cloud streaming service offers a number of security measures to protect against unwanted publishing, encrypt HTTP-based streaming data, and restrict access to content.
- User Authentication for Source Connection
- SSL Encryption
- Geo-Blocking for Content Playback
- Token Authorization for Playback
User Authentication for Source Connection
Also called CDN token authorization, source authentication provides a secure connection into the ingest origin server by requiring the source encoder or camera to use username and password credentials to connect.
Encrypted HTTP Connections With SSL for Playback
Secure Sockets Layer (SSL) certificates provide encrypted HTTPS connections as a stream moves through the network. Certain browsers now warn users against websites with content served over unsecured HTTP connections, so this security measure isn’t just useful to thwart unwanted access — it could also improve the likelihood that your content reaches its intended viewers.
Geographic Targeting and Restriction Capabilities
Geo-restricting involves blacklisting specific countries where your video shouldn’t be streamed, and Wowza Streaming Cloud offers this ability. This automatically blocks unauthorized viewers from accessing the content. You can also use IP whitelisting to allow playback access to approved addresses within the restricted region.
Token Authorization for Playback
Token-based authentication ensures that only authorized users — like those who’ve paid or registered — have access to content. This prevents link sharing by only providing tokens to approved users. As opposed to allowing all viewers to see the stream URL, unique URLs are generated for each playback request, which then expire after an allotted time interval.
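The playback-token ideas described above for SecureToken (shared secret, random single-use key, hashing, IP restriction) and for Wowza Streaming Cloud (unique URLs that expire) can be modeled in a few lines. This is an added example, not Wowza's code or its token format: the parameter names `exp`, `nonce` and `sig`, the HMAC-SHA256 construction, and the sample secret, path and IP addresses are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Assumption: a secret shared between the token issuer and the streaming server.
SHARED_SECRET = b"constructed-demo-secret"


def _sign(path, expires, nonce, client_ip):
    # Bind the signature to every value the server will check later.
    msg = "\n".join([path, str(expires), nonce, client_ip]).encode()
    return hmac.new(SHARED_SECRET, msg, hashlib.sha256).hexdigest()


def issue_url(path, client_ip, now, ttl=300):
    """Build a per-request playback URL for an already-authorized viewer."""
    expires = int(now) + ttl
    nonce = secrets.token_hex(16)  # random single-use value
    sig = _sign(path, expires, nonce, client_ip)
    return f"{path}?{urlencode({'exp': expires, 'nonce': nonce, 'sig': sig})}"


def verify_url(url, client_ip, now, used_nonces):
    """Return (allowed, reason); used_nonces is the server's replay cache."""
    parts = urlsplit(url)
    q = parse_qs(parts.query)
    try:
        expires, nonce, sig = int(q["exp"][0]), q["nonce"][0], q["sig"][0]
    except (KeyError, ValueError):
        return False, "malformed"
    expected = _sign(parts.path, expires, nonce, client_ip)
    # Constant-time comparison; fails if the URL was edited or the
    # request comes from a different IP than the one the token was issued to.
    if not hmac.compare_digest(expected.encode(), sig.encode()):
        return False, "bad signature"
    if now > expires:
        return False, "expired"
    if nonce in used_nonces:
        return False, "replayed"
    used_nonces.add(nonce)
    return True, "ok"
```

A shared link fails this check once the expiry passes, when it is presented from another address, or when the nonce has already been consumed.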