Wowza Community

Need help to figure out how HLS encryption works

Hey Guys,

Just wanted to know, what happens when a video ripper app or someone or something tries to play an encrypted HLS stream?

Obviously, the user agent and other things can easily be faked, and many such apps also come with a web browser. So anything that we do with query params or cookies would also be ineffective.

So, would they be able to gain access to the key and rip the videos? Do we have something as effective as RTMPE on Apple devices?

Thanks in advance to everyone who’d take some time out to reply to this query.

There is not an RTMPE equivalent for Apple's HLS. If someone tries to play an encrypted stream and they do not have the key, it will not play. The trick is to guard the encryption key. The chunks are worthless without the key.

Charlie

Use SSL to pass the keys securely. Take a look at this guide:

https://www.wowza.com/docs/how-to-request-an-ssl-certificate-from-a-certificate-authority

Richard

Re rogue clients, for Flash RTMP where you have secured your SWF with SecureToken, and you do not want your users to embed your player, then you can use Hotlinkdenial:

https://www.wowza.com/docs/how-to-combat-hotlinking-your-adobe-flash-swf-file

Richard

Also, using authentication provides another layer. You can do it through Flash using Wowza, which could do a JDBC connection or file lookup. If your users have already signed in and there is an HTTP cookie available, you can use Flash ExternalInterface to grab it from the HTML container instead of having users input

JDBC:

https://www.wowza.com/docs/how-to-do-user-authentication-for-flash-rtmp-client-using-jdbc-connection-to-mysql-database

File based:

https://www.wowza.com/docs/how-to-do-file-based-rtmp-authentication-with-url-query-strings-onconnectauthenticate2

Richard

Use AES encryption and SSL to protect the key. You can also use user authentication in this case, which can be entered by the user or picked up from a cookie, and validated in onHTTPSessionCreate:

https://www.wowza.com/docs/how-to-control-access-to-http-streams-cupertinostreaming-sanjosestreaming-smoothstreaming-mpegdashstreaming

That is all that I know of.

Richard
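A way to check the "AES plus SSL for the key" advice above against a playlist you actually serve, as an added example that is not part of the thread and not Wowza code: it parses the `#EXT-X-KEY` tags of an HLS media playlist and reports segments that are unencrypted or whose key URI is not HTTPS. The sample playlist, host names and function names are constructed for illustration.

```python
import re
from urllib.parse import urljoin, urlparse

# Constructed sample media playlist (not from the thread); hosts are placeholders.
SAMPLE_PLAYLIST = """#EXTM3U
#EXT-X-VERSION:3
#EXT-X-TARGETDURATION:10
#EXTINF:10.0,
media_1.ts
#EXT-X-KEY:METHOD=AES-128,URI="http://keys.example.com/k1?user=a,b",IV=0x00000000000000000000000000000001
#EXTINF:10.0,
media_2.ts
#EXT-X-KEY:METHOD=AES-128,URI="/keys/k2"
#EXTINF:10.0,
media_3.ts
#EXT-X-ENDLIST
"""

# NAME=value pairs of an HLS attribute list; quoted values may contain commas.
ATTR_RE = re.compile(r'([A-Z0-9-]+)=("[^"]*"|[^,]*)')

def parse_attrs(text):
    """Parse an attribute list such as METHOD=AES-128,URI="..." into a dict."""
    return {name: value.strip('"') for name, value in ATTR_RE.findall(text)}

def audit_playlist(playlist_text, playlist_url):
    """Return (segment, problem) findings for one media playlist."""
    findings = []
    key = None  # the EXT-X-KEY in effect for the segments that follow it
    for line in map(str.strip, playlist_text.splitlines()):
        if line.startswith("#EXT-X-KEY:"):
            key = parse_attrs(line.split(":", 1)[1])
        elif line and not line.startswith("#"):  # a segment URI
            if key is None or key.get("METHOD") == "NONE":
                findings.append((line, "segment is not encrypted"))
                continue
            # Relative key URIs resolve against the playlist's own URL.
            key_url = urljoin(playlist_url, key.get("URI", ""))
            if urlparse(key_url).scheme != "https":
                findings.append((line, "key fetched without TLS: " + key_url))
    return findings

if __name__ == "__main__":
    url = "https://media.example.com/vod/playlist.m3u8"
    for segment, problem in audit_playlist(SAMPLE_PLAYLIST, url):
        print(segment, "->", problem)
```

This only verifies that every segment is covered by a key and that the key travels over TLS; deciding which sessions may fetch the key is the server-side validation Richard refers to.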

Exactly, so if an app tries to fake itself as the Safari browser, then would it not be able to get the key and decrypt the chunks? What are the ways that can ensure that the key is provided only to Safari and/or the Apple media player and not to any other third-party app?

That's okay. We can use SSL, a server-side module for validation, play with cookies, etc. But what worries me is how do I ensure that the player to which I am providing the key (even if via SSL) is not rogue. I mean, if I were to use RTMPE I can probably rely on Flash Player and the corresponding SWF player that such a possibility won't arise.

Can someone please let me know what we have in HLS + Wowza to take care of this scenario?

Thanks, Richard, for the reply, but as I said, I was interested in ways to deal with rogue clients on Apple devices (i.e. HLS and not Flash). How would I protect my key from a rogue app faking itself as the Safari browser?

I hope you understand what I am trying to say here. I suppose creating a custom iOS app and restricting the video would probably be one of the solutions, but if I allow the videos to be streamed via the browser, then what do I have to safeguard the videos from being ripped?