Alibaba Cloud proprietary cryptography can encrypt live streams. This topic describes the benefits, architecture, and usage methods of Alibaba Cloud proprietary cryptography.
Videos can be generated only in the HTTP Live Streaming (HLS) and Flash Video (FLV) formats.
You can use only ApsaraVideo Player to play videos that are encrypted by using Alibaba Cloud proprietary cryptography.
For information about HTML5 compatibility, see the description of the feature "Playback of videos encrypted by using Alibaba Cloud proprietary cryptography" in Features of the HTML5 player supported by browsers.
Background information
Users can pay a one-time fee for a live stream and download the video file from a legal streaming URL for which hotlink protection is configured. After the video file is downloaded, redistribution of the video file is uncontrollable. Therefore, hotlink protection is not enough to protect copyrights of live streams.
Benefits
Alibaba Cloud proprietary cryptography encrypts video data. Video files that are downloaded to on-premises devices are encrypted. This prevents unauthorized redistribution. Proprietary cryptography can prevent video leakage and hotlinking, and can be applied to a wide range of online copyrighted video fields such as online education, finance, industry training, and premium TV shows.
Alibaba Cloud utilizes the proprietary cryptography algorithm to provide a high level of security, which allows you to protect your video resources in a convenient, efficient, and secure manner.
Each media file has a dedicated encryption key. This prevents a large number of video files from being exposed if a single key is leaked.
ApsaraVideo Live provides a comprehensive permission management system. You can create RAM users and use playback credentials to control the access permissions.
ApsaraVideo Live uses ciphertext and plaintext keys to provide an envelope encryption system. The plaintext keys are not stored and are used only to process data in the memory.
ApsaraVideo Live provides secure player kernel SDKs.
Overall architecture
The Alibaba Cloud proprietary cryptography process consists of encryption and transcoding, and playback after decryption.
Encryption and transcoding: Steps 1 to 3 in the following flowchart.
After a streamer ingests a live stream to a live center, ApsaraVideo Live uses KMS to generate a plaintext key and a ciphertext key. Then, ApsaraVideo Live uses the plaintext key to perform symmetric encryption on the audio and video of the live stream, and encapsulates the ciphertext key in the video.
Decryption and playback: Steps 4 to 11 in the following flowchart.
To play the live stream, the playback client sends a playback request to the AppServer to obtain the streaming URL. Then, the playback client uses the streaming URL to request the video stream from ApsaraVideo Live. ApsaraVideo Live transmits the transcoded and encrypted video and the ciphertext key to ApsaraVideo Player SDK.
The playback client uses the ciphertext key to request the encrypted plaintext key from ApsaraVideo Live. Then, ApsaraVideo Live uses the ciphertext key to request the plaintext key from KMS. The playback client transmits the decrypted plaintext key to ApsaraVideo Player SDK, which then decrypts and plays the video.
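The envelope encryption flow described above, as an added sketch that is not code from ApsaraVideo Live or its SDKs. It assumes AES-256-GCM as a stand-in for the proprietary algorithm and a local byte array (`cmk`) as a stand-in for the key held in KMS; the class and method names are hypothetical.

```java
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;

public class EnvelopeEncryptionSketch {
    static final SecureRandom RNG = new SecureRandom();
    // AES-256-GCM (assumed stand-in cipher); output is the 12-byte nonce, then ciphertext and tag.
    static byte[] seal(byte[] key, byte[] plaintext) throws Exception {
        byte[] iv = new byte[12];
        RNG.nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(key, "AES"), new GCMParameterSpec(128, iv));
        byte[] ct = c.doFinal(plaintext);
        byte[] out = Arrays.copyOf(iv, iv.length + ct.length);
        System.arraycopy(ct, 0, out, iv.length, ct.length);
        return out;
    }

    static byte[] open(byte[] key, byte[] sealed) throws Exception {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, new SecretKeySpec(key, "AES"), new GCMParameterSpec(128, sealed, 0, 12));
        return c.doFinal(sealed, 12, sealed.length - 12);
    }
    public static void main(String[] args) throws Exception {
        // Stand-in for the KMS key; in the real service it never leaves KMS.
        byte[] cmk = new byte[32];
        RNG.nextBytes(cmk);
        // Ingest: "KMS" returns the data key in plaintext and ciphertext form.
        byte[] plaintextKey = new byte[32];
        RNG.nextBytes(plaintextKey);
        byte[] ciphertextKey = seal(cmk, plaintextKey);
        // The media is encrypted with the plaintext key and carries only the ciphertext key.
        byte[] segment = seal(plaintextKey, "constructed sample segment".getBytes(StandardCharsets.UTF_8));
        Arrays.fill(plaintextKey, (byte) 0); // the plaintext key is used in memory only, not stored
        // Playback: the ciphertext key is unwrapped by "KMS", then the segment is decrypted.
        byte[] recovered = open(cmk, ciphertextKey);
        System.out.println(new String(open(recovered, segment), StandardCharsets.UTF_8));
        // A downloaded copy (segment plus ciphertext key) is unusable without access to the KMS key.
        try {
            open(new byte[32], ciphertextKey);
        } catch (AEADBadTagException e) {
            System.out.println("unwrap without the KMS key failed");
        }
    }
}
```

Because each media file gets its own data key, a leaked plaintext key exposes only the one stream it was generated for.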
Usage methods
Alibaba Cloud proprietary cryptography is configured by using a transcoding template. You can use the ApsaraVideo Live console or call an API operation to configure the template.
To use Alibaba Cloud proprietary cryptography, you must specify a KMS key ID. If you do not have a key, go to the KMS console to create one. Make sure that the region of the key is the same as the region in which the domain name resides. For more information, see Create a CMK.
Method 1: Use the ApsaraVideo Live console to configure Alibaba Cloud proprietary cryptography. For more information, see Configure default transcoding and Configure custom transcoding.
Method 2: Call an API operation to configure Alibaba Cloud proprietary cryptography.
You can call the AddLiveStreamTranscode operation to add a default transcoding configuration or call the AddCustomLiveStreamTranscode operation to add a custom transcoding configuration. In the operations, specify the encryption parameter EncryptParameters and set its EncryptType field to aliyun. This way, Alibaba Cloud proprietary cryptography is enabled.
The following sample code provides an example on how to use the server SDK for Java to add a default transcoding configuration:
```java
import com.aliyuncs.DefaultAcsClient;
import com.aliyuncs.IAcsClient;
import com.aliyuncs.exceptions.ClientException;
import com.aliyuncs.exceptions.ServerException;
import com.aliyuncs.live.model.v20161101.AddLiveStreamTranscodeRequest;
import com.aliyuncs.live.model.v20161101.AddLiveStreamTranscodeResponse;
import com.aliyuncs.profile.DefaultProfile;
import com.google.gson.Gson;

public class AddEncryptedTranscodeSample {
    public static void main(String[] args) {
        // Replace the parameters in <> with actual values.
        DefaultProfile profile = DefaultProfile.getProfile("<regionId>", "<ALIBABA_CLOUD_ACCESS_KEY_ID>", "<ALIBABA_CLOUD_ACCESS_KEY_SECRET>");
        IAcsClient client = new DefaultAcsClient(profile);
        AddLiveStreamTranscodeRequest addLiveStreamTranscodeRequest = new AddLiveStreamTranscodeRequest();
        addLiveStreamTranscodeRequest.setDomain("<DomainName>");
        addLiveStreamTranscodeRequest.setApp("<AppName>");
        // The transcoding template.
        addLiveStreamTranscodeRequest.setTemplate("<Template>");
        // The encryption settings.
        // EncryptType: a fixed value (aliyun).
        // KmsKeyID: the ID of the CMK in KMS.
        // KmsKeyExpireInterval: the rotation period of the CMK, which ranges from 60 to 3600 seconds.
        addLiveStreamTranscodeRequest.setEncryptParameters("{\"EncryptType\": \"aliyun\", \"KmsKeyID\":\"<KmsKeyID>\",\"KmsKeyExpireInterval\":\"<60>\"}");
        //
        // Other business code
        //
        try {
            AddLiveStreamTranscodeResponse addLiveStreamTranscodeResponse = client.getAcsResponse(addLiveStreamTranscodeRequest);
            System.out.println(new Gson().toJson(addLiveStreamTranscodeResponse));
            // todo something.
        } catch (ServerException e) {
            // TODO Auto-generated catch block
            e.printStackTrace();
        } catch (ClientException e) {
            // TODO Auto-generated catch block
            e.printStackTrace();
        }
    }
}
```
Note: If changes are made to the transcoding configuration, you must re-ingest a stream for the configuration to take effect.
For more information about the server SDK for Java, see Use the server SDK for Java.
Other related API operations:
API operation
Description
Updates a default transcoding configuration.
Updates a custom transcoding configuration.
Queries the transcoding configurations of a streaming domain.
Deletes a transcoding configuration.
References
When you use the video encryption feature, the AliyunServiceRoleForLiveKes role is automatically created to obtain the access permissions on KMS. For more information, see Service-linked role for video encryption of ApsaraVideo Live.