There are many ways to protect streaming media. This page has links to articles that describe the different methods available in Wowza Streaming Engine™ media server software.
- Some of the security technologies that are described in the articles only work with Wowza Streaming Engine and Wowza Media Server™ 3.5 and later.
- Security features such as SecureToken, RTMP authentication, RTSP authentication, StreamNameAlias, and secure streaming (RTMPTE and RTMPS) that are provided in the MediaSecurity AddOn for Wowza Media Server 3.1.2 and earlier are built-in with later versions of the server software. For information about how to get the Media Security AddOn for these older versions of Wowza Media Server, see How to get MediaSecurity AddOn (playback and publish security for RTMP and RTSP).
Media security in Wowza Streaming Engine
Security features that were available as separate modules and plugins in older Wowza media server software versions are merged into a single security module in Wowza Streaming Engine 4.0. This article describes the changes and provides instructions for configuring the features in the new security module using Wowza Streaming Engine Manager:
StreamLock, SSL, HTTPS, RTMPS, and RTMPE
StreamLock, SSL, HTTPS, RTMPS and RTMPE are methods for protecting a stream as it's transmitted across a network. All traffic that flows over a protected connection is encrypted during transit.
- StreamLock: Wowza StreamLock™ AddOn is a security option for network encryption provided by Wowza™. It provides near-instant provisioning of free 256-bit Secure Sockets Layer (SSL) certificates to verified Wowza customers for use with Wowza media server software. StreamLock-provisioned SSL certificates provide the best security when used with RTMP. The certificates can also be used for secure HTTP streaming (HTTPS).
- HTTPS: HTTPS is HTTP over Secure Sockets Layer (SSL). It's a method for securing HTTP streaming such as Apple HTTP Live Streaming (HLS), Adobe HTTP Dynamic Streaming (HDS), and Microsoft Smooth Streaming. HTTPS by itself doesn't secure media streams but when used in conjunction with some type of token-based authentication system, it can more fully protect streaming.
- RTMPS: RTMPS is RTMP over Secure Sockets Layer (SSL). It's a method for securing Adobe Flash RTMP streaming. It can be used in conjunction with SecureToken to protect Flash streaming.
- RTMPE: RTMPE is RTMP over an encrypted connection and is another method for securing Flash RTMP streaming. It can be used in conjunction with SecureToken to protect Flash streaming. RTMPE is less secure than RTMPS. To provide the best security for RTMP streaming, we recommend the Wowza StreamLock AddOn.
See any of the following articles for more information:
- How to get SSL certificates from the StreamLock service
- How to request an SSL certificate from a certificate authority
- How to create a self-signed SSL certificate
- How to improve SSL configuration
- How to connect to Wowza Streaming Engine Manager over HTTPS
- How to set up Adobe HDS playback across HTTPS (SSL)
- How to set up Microsoft Smooth Streaming playback across HTTPS (SSL)
- How to configure multiple SSL certificates (per domain) on a single Host Port (SNI)
- How to import an existing SSL certificate and private key
- How to troubleshoot SSL certificate configuration
Digital Rights Management (DRM)
Digital Rights Management (DRM) is a protection mechanism for securing streaming media. There are many different DRM technologies, such as Microsoft PlayReady and Verimatrix Video Content Authority System (VCAS). The following articles describe how Wowza Streaming Engine can be configured to work with several DRM technologies.
- Wowza DRM overview
- Use BuyDRM KeyOS DRM with Wowza Streaming Engine
- Use EZDRM PlayReady DRM with Wowza Streaming Engine
- Use Verimatrix VCAS DRM with Wowza Streaming Engine
- How to set up castLabs DRMtoday secure video delivery in Wowza Streaming Engine
- How to secure Apple HLS streaming using DRM encryption
- How to secure Apple HLS with AES-128 external encryption
- How to test AES encryption for Apple HLS streams
- How to secure Smooth Streaming using PlayReady DRM (Silverlight)
- Decrypt PlayReady-encrypted VOD content using the Wowza Streaming Engine Java API
- How to secure MPEG-DASH streaming using Common Encryption (CENC)
SecureToken playback protection
SecureToken is a challenge/response system that helps to protect content against spoofing threats. Each connection is protected by a random single-use key and a password (shared secret). Wowza Streaming Engine 4.0 and Wowza Media Server software provide SecureToken playback protection for Flash RTMP streams. Wowza Streaming Engine 4.1 software extends SecureToken playback protection to all streaming protocols supported by the server and includes new hashing options for generating the security token that's exchanged between the server and clients.
- How to protect streaming using SecureToken in Wowza Streaming Engine
- Add SecureToken protection to JW Player with Wowza Streaming Engine
Authentication for RTMP and RTSP publishing
RTMP and RTSP user name and password authentication is described in the following articles:
- Enable username/password authentication for RTMP/RTSP publishing to Wowza Streaming Engine
- Publish securely from an RTMP encoder that does not support authentication (ModuleSecureURLParams)
- Integrate Wowza Streaming Engine user authentication with external systems (ModuleRTMPAuthenticate)
- How to use a per application publish.password file
- How to do file-based RTMP authentication with NetConnection connect (OnConnectAuthenticate)
- How to do file-based RTMP authentication with URL query strings (OnConnectAuthenticate2)
Hotlinking is another word for embedding. For example, YouTube provides embed code for video so that you can embed a YouTube video on your website. A user can look at your webpage source code, copy the embed/object tags (or swfobject), and place that in a webpage on their website. The same can be done with IMG tags. If you want users to do this, it's called embedding; if you don't want them to do it, it's called hotlinking. The following article describes the options to help you prevent hotlinking:
Server-Side API to control access
The following articles describe methods for controlling access to different streaming protocols such as RTMP, Adobe HDS, Apple HLS, and Smooth Streaming. These API examples can be used to develop custom authentication systems for controlling access to streaming media. When used with transport protection mechanisms such as Wowza StreamLock AddOn, SSL, HTTP, RTMPS, or RTMPE, they can provide a secure way for controlling access to streaming.
- How to control access to an HTTP stream (cupertinostreaming, smoothstreaming, sanjosestreaming, mpegdashstreaming)
- How to control access to an RTSP/RTP stream
- How to control access to Apple HTTP Streaming (cupertinostreaming)
- How to control access to Microsoft Smooth Streaming (smoothstreaming)
- How to control access to Adobe HTTP Dynamic Streaming (sanjosestreaming)
- How to override publish to remap a stream name
- How to modify or control a stream by overriding playback
Stream name alias solutions
Stream name aliasing is way to intercept content requests and redirect them to some other content. Aliasing is another method that can be used to protect streaming media by controlling access to certain content based on user credentials.
- Get the StreamNameAlias AddOn for Wowza Streaming Engine
- How to use the IMediaStreamNameAliasProvider2 interface
How to get MediaSecurity AddOn (playback and publish security for RTMP and RTSP)
The MediaSecurity AddOn package includes features that help you secure Wowza Media Server 3.1.2 and earlier and the media that you want to stream through the server. The package includes several features to help you secure your content, including SecureToken, RTMP authentication, RTSP authentication, StreamNameAlias, and secure streaming (RTMPE, RTMPTE and RTMPS).
Version for Wowza Media Server 2.0.0 to Wowza Media Server 3.1.2.x
Version for Wowza Media Server Pro 1.7.x
To learn more about how to install and use MediaSecurity AddOn, see the WowzaMediaServerMediaSecurity_UsersGuide.pdf file that's included in the MediaSecurity AddOn download.