Wowza Community

Article: How to secure Apple HTTP Live Streaming (AES-128 - external method)

You can view the page at How to secure Apple HTTP Live Streaming (AES-128 - external method)

So, i can use anything term for “[stream-name]” and not need to be equal to video filename ?


I wonder what parameters should be passed to genkey if I want to have AES encryption for smil that contains several live streams:

genkey iphone multistream.smil [key-url] ??

or do I have to create separate key for each stream?


HiI used AES-128 - external method. and It work.When key invalid, player alert "You are not authorized to open this file."Can I change the word for alert to user?Thank , Nui


Media Server Version: 2.1.1 (free)

IOS version: 4.3.5 (8L1)

I have configured wowza server using this ( configurations and the streaming is fine on iphone. Then I have followed the above instruction to make it secure using a key-url. However streaming is working even if I have set to send a wrong key through the key-url. That means the server is not requesting the encrypted key from the key url at all. My key-url is an aspx page and using http (non secure) at the moment.

Can some tell me what is wrong please.

Many thanks,


Hi Richard,

Thanks for your response.

I am very new to the wowza community. I like to use this “AES-128 - external method” as described here. Is this “HTTProviders and HTTPUTils” a different approach or a part of external method?

Further, my key-url is in a windows server (not wowza) and an .aspx page responding to the request using your c# example. I am purposely sending a wrong key but the streaming does not stop. In fact, wowza does not request the key from key-url.

Many thanks,


Hi Richard,

Thanks for your response again.

I thought once the generated key copied to the correct folder ([install-dir]/keys ) wowza would pick that one up and communicate with key-url for the encrypted key. Basically I thought communicating functionality was built in to the server.

Many thanks,


Hi Richard,

I have done exactly what it says on this page. Iphone can still play the stream even if the key-url is set to send a wrong key. This is very urgent now. Can you please help.

Cheers !

OK after hours of digging I found that the problem is my stream/video file name.

I am doing vod streaming and we have loads of mp4 videos for streaming. Files are in sub folders. Following is an example of a iphone url.


Where %5c is for the “” as it is not allowed on safari

Streaming works without encryption.

Now my question are:

  1. how to use this method with video files in subfolders?

  2. Do I have to generate keys for each and every stream? This is not going to be practical

Your quick response is highly appreciated.

Hi Richard,

Full name cannot be included when generating key as it has “” which is not allowed in windows filenames. genkey gives an error. However, if I generate a key with just the filename and drop it in [install-dir]\keys[subfolder]\filename.mp4.key it works.

So in theory wowza expects the same sub-folder structure inside the keys folder. That is sorted…

Next, As videos are uploaded by our clients it is not practical to copy/generate the key file for each uploaded video. Is there a way to have a single key for the whole application (i.e. an application level key rather than stream level keys) ??

Your quick response is highly appreciated.


Hi Richard,

Thanks for the response…

What do you mean by “after each recording” ? We are not recording but doing VOD streaming.

Will this event be fired in VOD streaming as well? If yes, then when does it fire?



Which would you consider to be the most secure - internal or external?From my understanding, the external method is less so because it uses the same key for each stream, regardless of client right? Whereas the internal method generates a unique key for each client/stream?


I am new to Wowza and would like some help. I would like to use AES-128 - external method but would want the key to change every hour or so. The key would be generated by the key url. Is this possible?

Thank you.


Thank you, Richard. I’ll wait for your updates.Happy Holidays!

Hi Richard,

Do you have updates on “rotating keys”?

Thank you,


I’m trying to set up a Cupertino VOD file for simple secure streaming to a iPad application in Phonegap 1.2.0.

My local ip is so I’ll use that for my example. I’ve encrypted the file sampleblocked.mp4 using

./ ipad sampleblocked.mp4


cupertinostreaming-aes128-key: F96B05094642E835D09AF434CFD55DE1


I’ve moved the resulting key file sampleblocked.mp4.key into the [wowzaroot]/keys directory.

Where I’m confused is what I should use to call the encrypted VOD file so it will play.

If I use:

the iPad app appropriately returns “The operation could not be completed”

But I don’t understand what code should be used to get this file to play.

I assumed it might be:

but that doesn’t work. :confused:

Thanks for any pointers and best regards–


thanks MUCH for the reply! Richard, I walked through the test and got: Which results in a 900K file that I cannot playback in VLC – so that seems to test good, seems that AES is in place. It also it works without AES in place – I have a file alongside called samplenotblocked.mp4 that plays okay. I’m guessing the code I should be using is NOT my assumed code above…

I should have clarified in my response: I still don’t have this working. I’m seeking how an AES-encrypted VOD file should be played back from an iPad using phonegap using the external method. Thanks much.


I am using Wowza Media Server 3.

I have configured wowza server and made it working for iPhone VOD. But instead of showing “you are not authorized to open this file”, it always gives me “The operation cannot complete” message. Any idea why this is happening?

Also, is it possible to use this method for flash rtmp VOD streaming?

Thanks and regards,