Test AES encryption for HLS streams from the Wowza Streaming Cloud REST API

The Wowza Streaming Cloud™ service allows you to apply AES-128 encryption to HLS streams. This article describes how to test AES encryption by playing a media segment (.ts) file from an encrypted stream in VLC media player. If AES encryption is working correctly, VLC won't be able to play the media segment.

Note: For instructions on configuring AES-128 encryption, see Secure HLS streams with AES-128 external encryption using the Wowza Streaming Cloud REST API.

Live stream workflow


To test a stream created through the live stream workflow, do the following:

Fetch the playback URL

Fetch the HLS playback URL for the encrypted stream.

    curl -X GET \
    -H "wsc-api-key: ${WSC_API_KEY}" \
    -H "wsc-access-key: ${WSC_ACCESS_KEY}" \
    "${WSC_HOST}/api/${WSC_VERSION}/live_streams/[live_stream_id]"
 

This command returns live stream details, including the player_hls_playback_url.

{
    "live_stream": {
        "id": "abcntjvl",
        "name": "MyLiveStream",
        "transcoder_type": "transcoded",
        "billing_mode": "pay_as_you_go",
        "broadcast_location": "us_west_california",
        "recording": false,
        "closed_caption_type": "none",
        "low_latency": false,
        "encoder": "other_rtmp",
        "delivery_method": "push",
        "target_delivery_protocol": "hls-https",
	...
        "player_id": "ly4rnpyt",
        "player_type": "wowza_player",
        "player_responsive": true,
        "player_countdown": false,
        "player_embed_code": "in_progress",
        "player_hls_playback_url": "https://[wowzasubdomain].wowza.com/1/abcdTnJwZEpwXYZa/aBcDeGd1/hls/live/playlist.m3u8",
	 ...
    }
}     

Start the live stream


  1. Start your video source.
  2. Start the live stream.
     
        curl -X PUT \
        -H "Content-Type: application/json" \
        -H "wsc-api-key: ${WSC_API_KEY}" \
        -H "wsc-access-key: ${WSC_ACCESS_KEY}" \
        "${WSC_HOST}/api/${WSC_VERSION}/live_streams/[live_stream_id]/start"
  3. Fetch the state of the live stream to confirm that it’s started.
     
        curl -X GET \
        -H "wsc-api-key: ${WSC_API_KEY}" \
        -H "wsc-access-key: ${WSC_ACCESS_KEY}" \
        "https://api.cloud.wowza.com/api/[version]/live_streams/[live_stream_id]/state"
     

    This command returns the live stream state.

    {
        "live_stream": {
            "state": "started",
            "ip_address": "34.211.17.129"
        }
    } 

Test a media segment file from the encrypted stream


  1. Use cURL to view the playlist file.
     
        curl https://[wowzasubdomain].wowza.com/1/Ni9vd3duZGRTOThB/WEtjTWpH/hls/live/playlist.m3u8 

    The results should look something like:
     
        #EXTM3U
        #EXT-X-VERSION:3
        #EXT-X-KEY:METHOD=AES-128,URI="mykey"
        #EXT-X-STREAM-INF:BANDWIDTH=2761081,CODECS="avc1.100.31,mp4a.40.2",RESOLUTION=1280x720
        ../pldjp4q7/2728/chunklist.m3u8
        #EXT-X-STREAM-INF:BANDWIDTH=1900046,CODECS="avc1.77.40,mp4a.40.2",RESOLUTION=854x480
        ../pldjp4q7/1728/chunklist.m3u8
        #EXT-X-STREAM-INF:BANDWIDTH=1348954,CODECS="avc1.77.32,mp4a.40.2",RESOLUTION=640x360
        ../pldjp4q7/1152/chunklist.m3u8 
  2. Copy the file path for one of the chunklists and append it to the playback URL.
     
        curl https://[wowzasubdomain].wowza.com/1/Ni9vd3duZGRTOThB/WEtjTWpH/hls/live/../pldjp4q7/1152/chunklist.m3u8

    The results should look something like:
     
        #EXTM3U
        #EXT-X-VERSION:3
        #EXT-X-TARGETDURATION:11
        #EXT-X-MEDIA-SEQUENCE:1
        #EXT-X-KEY:METHOD=AES-128,URI="mykey"
        #EXT-X-PROGRAM-DATE-TIME:2020-03-05T17:13:06.546Z
        #EXTINF:10.166,
        0001lx7l/media_1.ts
        #EXTINF:10.133,
        0001lx7l/media_2.ts
        #EXTINF:10.133,
        0001lx7l/media_3.ts
        #EXTINF:10.2,    
  3. Copy the file path for one of the media segments and append it to the chunklist path. Use the --output flag to download the file to your computer.
     
        curl https://[wowzasubdomain].wowza.com/1/Ni9vd3duZGRTOThB/WEtjTWpH/hls/live/../pldjp4q7/1152/0001lx7l/media_2.ts --output media_2.ts
  4. Open the media segment file in VLC media player. If the file is encrypted correctly, VLC won't be able to play it.

Transcoder workflow


To test a stream created through the transcoder workflow, do the following:

Fetch the playback URL

For streams created through the transcoder workflow, the HLS playback URL can be found by fetching the Fastly or Akamai - HLS stream target associated with the transcoder.

  • Fetch a Wowza CDN on Fastly stream target:
     
        curl -X GET \
        -H "wsc-api-key: ${WSC_API_KEY}" \
        -H "wsc-access-key: ${WSC_ACCESS_KEY}" \
        "${WSC_HOST}/api/${WSC_VERSION}/stream_targets/fastly/[stream_target_id]"
     

    This command returns stream target details, including the playback_url.

    {
        "stream_target_fastly": {
            "id": "abc45lfyz",
            "name": "My Wowza CDN on Fastly Stream Target",
            "state": "activated",
            "stream_name": "9a00105a",
            "playback_url": "https://[wowzasubdomain].wowza.com/1/TWhoL3BiZnJXMFhmNzZVN3JrZDAwUT09/ZmYxSXRrTERrUlk9/hls/live/playlist.m3u8",
            "token_auth_enabled": false,
            "token_auth_playlist_only": false,
            "geoblock_enabled": true,
            "geoblock_by_location": "allow",
            "geoblock_country_codes": "DE, US",
            "geoblock_ip_override": "deny",
            "geoblock_ip_addresses": "77.12.34.567, 78.23.45.678",
            "force_ssl_playback": false,
            "created_at": "2020-03-02T20:38:31.560Z",
            "updated_at": "2020-03-05T11:41:38.560Z"
        }
    }       
  • Fetch a Wowza CDN on Akamai - HLS stream target:
     
        curl -X GET \
        -H "wsc-api-key: ${WSC_API_KEY}" \
        -H "wsc-access-key: ${WSC_ACCESS_KEY}" \
        "${WSC_HOST}/api/${WSC_VERSION}/stream_targets/akamai/[stream_target_id]"
     

    This command returns stream target details, including the hls_playback_url.

    {
        "stream_target_akamai": {
            "created_at": "2020-03-02T20:38:31.559Z",
            "id": "ABC45lfyz",
            "name": "My Wowza Stream Target",
            "provider": "akamai_cupertino",
            "use_secure_ingest": false,
            "use_cors": false,
            "stream_name": "9a00105a",
            "primary_url": "http://post.wowzasandbox3-i.akamaihd.net/252232/9a00105a",
            "hls_playback_url": "https://wowzasandbox3-i.akamaihd.net/hls/live/252232/9a00105a/playlist.m3u8",
            "connection_code": "456fcc",
            "connection_code_expires_at": "2020-03-06T20:38:31.559Z",
            "updated_at": "2020-03-05T11:32:32.559Z"
        }
    }

Start the transcoder


  1. Start your video source.
  2. Start the transcoder.
     
        curl -X PUT \
        -H "wsc-api-key: ${WSC_API_KEY}" \
        -H "wsc-access-key: ${WSC_ACCESS_KEY}" \
        "${WSC_HOST}/api/${WSC_VERSION}/transcoders/[transcoder_id]/start"
  3. Fetch the state of the transcoder to confirm that it’s started.
     
        curl -X GET \
        -H "wsc-api-key: ${WSC_API_KEY}" \
        -H "wsc-access-key: ${WSC_ACCESS_KEY}" \
        "https://api.cloud.wowza.com/api/[version]/transcoders/[transcoder_id]/state"

    This command returns the transcoder state.

    {
        "transcoder": {
            "ip_address": "1.2.3.4",
            "state": "started",
            "uptime_id": "abcd1234"
        }
    } 

Test a media segment file from the encrypted stream


  1. Use cURL to view the playlist file.
     
        curl https://[wowzasubdomain].wowza.com/1/Ni9vd3duZGRTOThB/WEtjTWpH/hls/live/playlist.m3u8 

    The results should look something like:
     
        #EXTM3U
        #EXT-X-VERSION:3
        #EXT-X-KEY:METHOD=AES-128,URI="mykey"
        #EXT-X-STREAM-INF:BANDWIDTH=2761081,CODECS="avc1.100.31,mp4a.40.2",RESOLUTION=1280x720
        ../pldjp4q7/2728/chunklist.m3u8
        #EXT-X-STREAM-INF:BANDWIDTH=1900046,CODECS="avc1.77.40,mp4a.40.2",RESOLUTION=854x480
        ../pldjp4q7/1728/chunklist.m3u8
        #EXT-X-STREAM-INF:BANDWIDTH=1348954,CODECS="avc1.77.32,mp4a.40.2",RESOLUTION=640x360
        ../pldjp4q7/1152/chunklist.m3u8 
  2. Copy the file path for one of the chunklists and append it to the playback URL.
     
        curl https://[wowzasubdomain].wowza.com/1/Ni9vd3duZGRTOThB/WEtjTWpH/hls/live/../pldjp4q7/1152/chunklist.m3u8

    The results should look something like:
     
        #EXTM3U
        #EXT-X-VERSION:3
        #EXT-X-TARGETDURATION:11
        #EXT-X-MEDIA-SEQUENCE:1
        #EXT-X-KEY:METHOD=AES-128,URI="mykey"
        #EXT-X-PROGRAM-DATE-TIME:2020-03-05T17:13:06.546Z
        #EXTINF:10.166,
        0001lx7l/media_1.ts
        #EXTINF:10.133,
        0001lx7l/media_2.ts
        #EXTINF:10.133,
        0001lx7l/media_3.ts
        #EXTINF:10.2,    
  3. Copy the file path for one of the media segments and append it to the chunklist path. Use the --output flag to download the file to your computer.
     
        curl https://[wowzasubdomain].wowza.com/1/Ni9vd3duZGRTOThB/WEtjTWpH/hls/live/../pldjp4q7/1152/0001lx7l/media_2.ts --output media_2.ts
  4. Open the media segment file in VLC media player. If the file is encrypted correctly, VLC won't be able to play it.
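A player failing to open the file is a coarse signal, so the check in "Test a media segment file from the encrypted stream" (both workflows) can also be scripted. The following is an added example, not Wowza code: it reads the key method from a saved chunklist and tests the downloaded segment for the MPEG-TS sync byte (0x47 every 188 bytes), which cleartext segments carry and AES-128 ciphertext does not. The function names and the five-packet sample size are assumptions made for this example.

```shell
#!/usr/bin/env bash
# Added example (not from the Wowza documentation).
# Cleartext MPEG-TS: byte 0x47 at every 188-byte packet boundary.
# AES-128 (CBC) ciphertext: no such pattern, length a multiple of 16 bytes.

# Print the byte at offset $2 of file $1 as two hex digits.
byte_at() {
    od -An -tx1 -j "$2" -N 1 "$1" | tr -d ' \n'
}

# Print "cleartext", "encrypted" or "unknown" for segment file $1.
classify_segment() {
    local f size off n
    f=$1
    n=0
    size=$(wc -c < "$f" | tr -d ' ')
    # Need at least five whole packets to sample (assumed threshold).
    [ "$size" -ge 940 ] || { echo unknown; return; }
    for off in 0 188 376 564 752; do
        if [ "$(byte_at "$f" "$off")" = "47" ]; then
            n=$((n + 1))
        fi
    done
    if [ "$n" -eq 5 ]; then
        echo cleartext          # five aligned sync bytes: not encrypted
    elif [ $((size % 16)) -eq 0 ]; then
        echo encrypted          # no TS framing, AES block-aligned length
    else
        echo unknown            # neither TS nor block-aligned: inspect by hand
    fi
}

# Print the METHOD of the first #EXT-X-KEY tag in playlist file $1,
# or "NONE" when the playlist carries no key tag.
key_method() {
    local m
    m=$(sed -n 's/^#EXT-X-KEY:.*METHOD=\([A-Z0-9-]*\).*/\1/p' "$1" | head -n 1)
    echo "${m:-NONE}"
}

# Optional direct use: pass a segment file as the first argument.
if [ $# -gt 0 ]; then
    classify_segment "$1"
fi
```

A result of "cleartext" for media_2.ts while the chunklist advertises METHOD=AES-128 means the segments are being delivered unencrypted despite the key tag.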