Security features for live streams in Wowza Video

The Wowza Video™ service offers a set of security features that protect the delivery of, and access to, streams across the whole workflow: capture with a camera or source encoder, transcoding, and generation of streams that viewers watch in a player.

This article outlines which security features are available for different types of live streams. It also points to instructions for implementing the security features using the Wowza Video REST API or the Wowza Video user interface.

Security features for HLS live streams using Wowza CDN on Fastly


The following features are available to secure an HLS stream that uses Wowza CDN on Fastly stream targets in Wowza Video.

User authentication for source connection on Fastly

User authentication for HLS streams provides a secure connection from the source encoder or camera into the ingest origin server and prevents third parties from connecting to and altering your stream. When user authentication is enabled on a push stream, Wowza Video requires the source encoder or camera to use a username and password associated with the stream to establish a connection. You can also configure user authentication on a pull stream so that the source encoder or camera uses values set on the encoder side to connect to a live stream or transcoder in Wowza Video.

Wowza Video generates default user authentication values for you for push streams. To view and edit the authentication for a push stream:

  1. Go to Livestreams in the navigation.
  2. Select a live stream.
  3. Click the Components tab.
  4. The Transcoder section at the top includes the Source Username and Source Password.
  5. Click Configure if you want to change the Source Username and Source Password.
  6. Check the Change Source Username/Password checkbox.
  7. Add a new source username and source password in the corresponding fields.
  8. Click Save Changes.

When Wowza Video pulls your stream from the encoder or IP camera, you can use user authentication for a pull stream. To configure:

  1. Go to Livestreams in the navigation.
  2. Click +Add New.
  3. Select a live stream Type to configure. 
  4. Add a Title and Region.
  5. Select an encoder or IP camera for the Stream Input Type, like IP Camera.
  6. Enter a source URL value that includes authentication information for the source encoder or IP camera, such as username and password.
  7. Complete creation of the live stream.
Note: Refer to documentation for your encoder or camera for information on the syntax of the source URL and available methods of source authentication. Authentication information included in the source URL can only contain alphanumeric, period (.), underscore (_), and hyphen (-) characters. The source URL for your camera or encoder must include a publicly accessible hostname or IP address.

See this article to configure user authentication for streams using Wowza CDN on Fastly targets through our Wowza Video REST API:

SSL for playback on Fastly

After Wowza Video transcodes (or passes through) encoded live source video, it passes the video stream through stream targets. Those targets deliver the stream to viewers, such as through a hosted webpage or a direct playback URL.

Secure Sockets Layer (SSL) can provide secure and encrypted HTTPS connections as a stream moves through the network connections from stream targets to playback destinations. When a specific stream target property is enabled, Wowza Video uses SSL to establish a handshake for encrypting HTTP connections. For streams using Wowza CDN targets, you can choose to deliver streams to players for playback using SSL and require the player client to use HTTPS for playback.

Encrypting connections between servers and clients using SSL and HTTPS prevents data from being intercepted and manipulated in transit and prevents third parties from altering a stream as it moves between servers. As of 2018, certain browsers warn users against websites with content served over unsecured HTTP connections. Configuring SSL for your HLS streams can help secure streams and avoid browser warnings.

See this article to configure SSL playback for streams using Wowza CDN targets on Fastly through our Wowza Video REST API:

Note: You can only enable SSL playback through the Wowza Video REST API. 

Geo-blocking for playback on Fastly

Geo-blocking through Wowza Video allows you to selectively allow or block access to Wowza CDN on Fastly stream targets to control where a stream can be viewed. You can use geo-blocking to specify which countries or regions are allowed or which countries or regions are blocked. You can also allow streaming at specified IP addresses even if they're within a blocked location.

To configure geo-blocking by country or region:

  1. Go to Livestreams in the navigation.
  2. Select a live stream.
  3. Click the Security tab.
  4. Under Playback Security, check the Allow or Block Access To This Stream Based On Location checkbox.
  5. Click either Block, then select countries/regions from the dropdown, or, click Allow, then select countries/regions from the dropdown. Your selections display in the Countries field.
  6. Click Save Changes.

To configure geo-blocking by IP address:

  1. Go to Livestreams in the navigation.
  2. Select a live stream.
  3. Click the Security tab.
  4. Under Playback Security, check the Allow or Block Access To This Stream Based On IP Address checkbox.
  5. Click either Block, then enter the IP addresses, line by line, in the field, or, click Allow, then enter the IP addresses, line by line, in the field.
  6. Click Save Changes.

See the following article to configure geo-blocking for streams using Wowza CDN on Fastly targets through our Wowza Video REST API:

Referer policy for playback on Fastly

Setting the referer policy through Wowza Video allows you to selectively allow or block access to streams, depending on the domain that requests access. When you enable and configure the referer policy, clients and players requesting access to the stream must send a Referer header and must meet the policy requirements you've set for the stream target.

For more information about the Referer header, see the HTTP specification.

See the following article to configure the referer policy for streams using Wowza CDN on Fastly targets through our Wowza Video REST API:

Note: You can only enable and configure the referer policy through the Wowza Video REST API. 

Token authentication for playback on Fastly

Token authentication protects streams using Wowza CDN on Fastly targets by requiring a token, which is hashed and appended to the playback URL, for viewer access. You can use token authentication to make a stream playback URL unavailable after a certain length of time, to limit access to approved IP addresses, to provide content to paying viewers only, or to apply other restrictions. Token authentication prevents playback URLs from being shared by unauthorized links or player hijacking attacks.

To enable and configure token authentication:

  1. Go to Livestreams in the navigation.
  2. Select a live stream.
  3. Click the Security tab.
  4. Under Token Authentication, check the Protect this stream with token authentication checkbox.
  5. Click Generate to generate a shared secret or enter an even-length hexadecimal string between 2 and 32 characters into the Shared Secret field.
  6. Optionally, select Only protect the multivariant playlist file to protect the multivariant playlist only and leave individual media playlists and media segments unprotected. This feature enables playback compatibility with media players that don’t support the withCredentials property. It may also be useful when addressing token auth compatibility issues with specific browsers.
  7. Click Save Changes.

Now that you've enabled token authentication, update the HLS playback URL you'll use in your player so that it references the token and any other supported token-related security you want to use. The resulting playback URL will look similar to this:

https://[subdomain].wowza.com/1/[stream_id]/[stream_name]/hls/live/playlist.m3u8?hdnts=ip=10.1.1.1~st=1578421200~exp=1578421449~hmac=073e5b930fb494728164cad5da037eb2e9429282f33f9f89df04241bd530f74d

The part of the playback URL that follows the ? contains a token string (token + query parameters) for allowing access to the content, expiring access to the content, and restricting the content playback to a specific IP address.

The token string must include the query parameters in the following order: IP address, start time, and end time.

  1. Use the token auth examples from Wowza's GitHub space to create your own token string.
  2. Locate your HLS playback URL on the Overview page for your live stream.
  3. Copy both the HLS playback URL and your token string to another tool and concatenate them.
  4. Use the secured HLS playback URL from step 3 in your player.
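The token-string layout above (ip, st, exp, then hmac) can be exercised offline. The following is an added example, not code from this article or from Wowza's token auth examples. Assumptions: the names build_token_string and check_token_string are hypothetical, and the signature is taken to be HMAC-SHA256 over the field string keyed with the hex-decoded shared secret, so use Wowza's examples for the construction the CDN actually verifies.

```python
import hashlib
import hmac
import re

# Page rule: the shared secret is an even-length hex string of 2 to 32 characters.
SECRET_RE = re.compile(r"(?:[0-9a-fA-F]{2}){1,16}")


def _mac(secret_hex, payload):
    if not SECRET_RE.fullmatch(secret_hex):
        raise ValueError("shared secret must be even-length hex, 2-32 characters")
    # ASSUMPTION: HMAC-SHA256 over the field string, keyed with the decoded secret.
    return hmac.new(bytes.fromhex(secret_hex), payload.encode(), hashlib.sha256).hexdigest()


def build_token_string(secret_hex, exp, st=None, ip=None):
    """Build 'hdnts=...' with fields in the order the page requires: ip, st, exp."""
    fields = []
    if ip is not None:
        fields.append(f"ip={ip}")
    if st is not None:
        fields.append(f"st={int(st)}")
    fields.append(f"exp={int(exp)}")
    payload = "~".join(fields)
    return f"hdnts={payload}~hmac={_mac(secret_hex, payload)}"


def check_token_string(token, secret_hex, now, client_ip):
    """Evaluate a token as a validating edge would; returns (ok, reason)."""
    if not token.startswith("hdnts="):
        return False, "missing hdnts"
    payload, sep, mac = token[len("hdnts="):].rpartition("~hmac=")
    if not sep:
        return False, "missing hmac"
    # Verify the MAC in constant time before trusting any field value.
    if not hmac.compare_digest(_mac(secret_hex, payload).encode(), mac.encode()):
        return False, "bad hmac"
    fields = dict(f.split("=", 1) for f in payload.split("~"))
    if "ip" in fields and fields["ip"] != client_ip:
        return False, "ip mismatch"
    if "st" in fields and now < int(fields["st"]):
        return False, "not yet valid"
    if now >= int(fields["exp"]):
        return False, "expired"
    return True, "ok"


# Constructed sample: secret is made up; ip/st/exp are the values in the page's URL.
SAMPLE = build_token_string("0123456789abcdef", 1578421449, st=1578421200, ip="10.1.1.1")
```

Editing any field after signing, such as extending exp, fails the hmac check, which is why a short expiry window and IP binding limit how far a shared playback URL can travel.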

See this article to configure and add token authentication for streams using Wowza CDN on Fastly targets through our Wowza Video REST API:

AES-128 encryption for playback on Fastly

AES-128 encryption protects streams using Wowza CDN on Fastly targets by requiring devices to provide a matching key before a stream can be played. Wowza Video uses the external method of AES-128 encryption. When you use the external method, encryption keys are delivered to devices from an external URL.

To configure AES-128 encryption for playback:

  1. Go to Livestreams in the navigation.
  2. Select a live stream.
  3. Click the Components tab.
  4. In the Transcoder section at the top, click Configure.
  5. Click the Properties tab.
  6. Under Cupertino, in the AES 128 Host field, enter the URL the device will use to fetch the key to decrypt the stream.
  7. Under Cupertino, in the AES 128 Secret field, enter a 16-byte key that will be used to decrypt the stream. The key must be 32 characters in length and can only contain hex characters (a-f, A-F, 0-9). The key must match the key returned by the AES 128 Host.
  8. Click Save Changes.

See the following article to configure AES-128 encryption for HLS streams using Wowza CDN on Fastly targets through the Wowza Video REST API:

DRM (digital rights management) 

Digital rights management (DRM) technology provides a way, through encryption, for content creators to protect copyrights and prevent unauthorized distribution of their digital media. The Wowza Video REST API provides integration with EZDRM, a third-party DRM service you can use to protect live stream content from unauthorized viewing.

Note:
  • To protect streams using EZDRM, you must have an EZDRM account, configured appropriately for the device types you want to stream to. For FairPlay, you'll need verification from Apple that you're approved to use FairPlay.
  • Refer to EZDRM and their documentation for more information about EZDRM account setup.
  • We recommend engaging with Professional Services for assistance with setup. You can schedule a call.

Currently, Wowza Video supports the following EZDRM key management systems with live streams:

  • EZDRM FairPlay Streaming – Supports HLS playback for content to Apple devices with native support for the HTML 5 player in macOS Safari browsers or Safari 11.3 on iOS.
  • EZDRM Universal – Supports MPEG-DASH playback for Google Widevine and Microsoft PlayReady devices and platforms using a linked Common Encryption (CENC) key.

While you can implement DRM for Apple (FairPlay) and Widevine/PlayReady individually, in most cases you'll want to complete both of the following tasks to ensure your stream is protected on as many devices and platforms as possible:

Note: You can only enable and configure DRM through the Wowza Video REST API. 
