ApsaraVideo Live:Alibaba Cloud proprietary cryptography

Background information

Users can pay a one-time fee for a live stream and download the video file from a legal streaming URL for which hotlink protection is configured. After the video file is downloaded, redistribution of the video file is uncontrollable. Therefore, hotlink protection is not enough to protect copyrights of live streams.

Benefits

Alibaba Cloud proprietary cryptography encrypts video data. Video files that are downloaded to on-premises devices are encrypted. This prevents unauthorized redistribution. Proprietary cryptography can prevent video leakage and hotlinking, and can be applied to a wide range of online copyrighted video fields such as online education, finance, industry training, and premium TV shows.

Alibaba Cloud utilizes the proprietary cryptography algorithm to provide a high level of security, which allows you to protect your video resources in a convenient, efficient, and secure manner.

• Each media file has a dedicated encryption key. This prevents a large number of video files from being exposed if a single key is leaked.

• ApsaraVideo Live provides a comprehensive permission management system. You can create RAM users and use playback credentials to control the access permissions.

• ApsaraVideo Live uses ciphertext and plaintext keys to provide an envelope encryption system. The plaintext keys are not stored and are used only to process data in the memory.

• ApsaraVideo Live provides secure player kernel SDKs.

Overall architecture

The Alibaba Cloud proprietary cryptography process consists of encryption and transcoding, and playback after decryption.

• Encryption and transcoding: Steps 1 to 3 in the following flowchart.

  After a streamer ingests a live stream to a live center, ApsaraVideo Live uses KMS to generate a plaintext key and a ciphertext key. Then, ApsaraVideo Live uses the plaintext key to perform symmetric encryption on the audio and video of the live stream, and encapsulates the ciphertext key in the video.

• Decryption and playback: Steps 4 to 11 in the following flowchart.

  To play the live stream, the playback client sends a playback request to the AppServer to obtain the streaming URL. Then, the playback client uses the streaming URL to request the video stream from ApsaraVideo Live. ApsaraVideo Live transmits the transcoded and encrypted video and the ciphertext key to ApsaraVideo Player SDK.

  The playback client uses the ciphertext key to request the encrypted plaintext key from ApsaraVideo Live. Then, ApsaraVideo Live uses the ciphertext key to request the plaintext key from KMS. The playback client transmits the decrypted plaintext key to ApsaraVideo Player SDK, which then decrypts and plays the video.

Usage methods

Alibaba Cloud proprietary cryptography is configured by using a transcoding template. You can use the ApsaraVideo Live console or call an API operation to configure the template.

Method 1: Use the ApsaraVideo Live console to configure Alibaba Cloud proprietary cryptography. For more information, see Configure default transcoding and Configure custom transcoding.

Method 2: Call an API operation to configure Alibaba Cloud proprietary cryptography.

1. You can call the AddLiveStreamTranscode operation to add a default transcoding configuration or call the AddCustomLiveStreamTranscode operation to add a custom transcoding configuration. In the operations, specify the encryption parameter EncryptParameters, where you need to set the EncryptType field to aliyun. This way, Alibaba Cloud proprietary cryptography is enabled.

   The following sample code provides an example on how to use the server SDK for Java to add a default transcoding configuration:

   // Replace the parameters in <> with actual values.
   DefaultProfile profile = DefaultProfile.getProfile("<regionId>", "<ALIBABA_CLOUD_ACCESS_KEY_ID>", "<ALIBABA_CLOUD_ACCESS_KEY_SECRET>");
   IAcsClient client = new DefaultAcsClient(profile);
   AddLiveStreamTranscodeRequest addLiveStreamTranscodeRequest = new AddLiveStreamTranscodeRequest();
   addLiveStreamTranscodeRequest.setDomain("<DomainName>");
   addLiveStreamTranscodeRequest.setApp("<AppName>");
   The transcoding template.
   addLiveStreamTranscodeRequest.setTemplate("<Template>");
   // The encryption settings. EncryptType: a fixed value (aliyun). KmsKeyID: the ID of the CMK in KMS. KmsKeyExpireInterval: the rotation period of the CMK, which ranges from 60 to 3600 seconds.
   addLiveStreamTranscodeRequest.setEncryptParameters("{\"EncryptType\": \"aliyun\", \"KmsKeyID\":\"<KmsKeyID>\",\"KmsKeyExpireInterval\":\"<60>\"}");
   
   //
   // Other business code
   //
   
   try {
       AddLiveStreamTranscodeResponse addLiveStreamTranscodeResponse = client.getAcsResponse(addLiveStreamTranscodeRequest);
       System.out.println(new Gson().toJson(addLiveStreamTranscodeResponse));
       // todo something.
   } catch (ServerException e) {
       // TODO Auto-generated catch block
       e.printStackTrace();
   } catch (ClientException e) {
       // TODO Auto-generated catch block
       e.printStackTrace();
   }           

   Note

   • If changes are made to the transcoding configuration, you must re-ingest a stream for the configuration to take effect.

   • For more information about the server SDK for Java, see Use the server SDK for Java.

2. Other related API operations:

   API operation	Description
   UpdateLiveStreamTranscode	Updates a default transcoding configuration.
   UpdateCustomLiveStreamTranscode	Updates a custom transcoding configuration.
   DescribeLiveStreamTranscodeInfo	Queries the transcoding configurations of a streaming domain.
   DeleteLiveStreamTranscode	Deletes a transcoding configuration.

References

When you use the video encryption feature, the AliyunServiceRoleForLiveKes role is automatically created to obtain the access permissions on KMS. For more information, see Service-linked role for video encryption of ApsaraVideo Live.