All Products
Search
Document Center

ApsaraVideo Live:Overview

Last Updated:Dec 16, 2024

To ensure the security of live streaming during configuration, content production, stream ingest, and playback, ApsaraVideo Live provides a comprehensive content security protection system to meet the security requirements in different business scenarios. This way, live streams are protected from hotlinking and illegal downloads or distribution. This topic describes how to protect live streaming security.

Live streaming security

The following figure shows the security features that are provided by ApsaraVideo Live.

image

The following table describes the security features that are provided by ApsaraVideo Live.

Security mechanism

Feature

Description

Security level

Threshold

Account authorization

RAM users

You can grant permissions to RAM users by configuring policies.

Relatively low

Low. Only configurations in the cloud are required.

Secure acceleration

HTTPS secure acceleration

HTTPS is used for secure communication over networks. HTTPS encapsulates HTTP data by using the Secure Sockets Layer (SSL) or Transport Layer Security (TLS) protocol.

High

Low. Only configurations in the cloud are required.

Access control

Referer-based hotlink protection

This feature tracks sources based on HTTP headers, which are prone to forgery.

Low

Low. Only configurations in the cloud are required.

IP address blacklist or whitelist

This feature rejects or allows access requests that are sent only from specific IP addresses. This feature is not suitable for distributing content to a large number of consumers.

Relatively low

Low. Only configurations in the cloud are required.

URL signing for stream ingest and playback

URL signing for stream ingest and playback

This feature supports custom authentication keys and expiration time, and also allows you to generate dynamic signed URLs.

Medium

Relatively low. Scripts are required to generate signed URLs.

Remote authentication

User requests passed to your authentication center for authentication

You add custom request information and use your own authentication center to verify requests.

High

Relatively high. You must deploy an authentication center and ensure its high availability.

Video security

Alibaba Cloud proprietary cryptography

A cloud-device integrated video encryption solution that uses a proprietary cryptography algorithm to ensure the security of video stream transmission.

High

Relatively low. You need only to perform simple configurations and integrate ApsaraVideo Player SDK.

Digital rights management (DRM) encryption

Platforms such as Apple FairPlay and Google Widevine provide native support for DRM. DRM delivers high security and meets the requirements of large copyrighted content providers.

High

Relatively high. You are charged based on the number of license calls. You need only to integrate ApsaraVideo Player SDK.

Content security

Automated review

This feature automatically detects audio and video content violations in live streams.

High

Low. Only configurations in the cloud are required.

Disabling live streams

You can disable live streams with inappropriate content for a specified period.

High

Low. Only configurations in the cloud are required.

Account authorization

Background information: AccessKey pairs of Alibaba Cloud accounts have full permissions and bring high risks of data leaks if the AccessKey pairs are disclosed.

Introduction: ApsaraVideo Live authenticates the identities of users who initiate requests and determines whether the users have the required permissions based on AccessKey pairs. ApsaraVideo Live allows you to authenticate accounts and provides system policies. In addition, you can create custom policies. For more information, see Permission management overview.

Secure acceleration

Background information: HTTP does not encrypt data. Instead, HTTP transmits data in plaintext.

Introduction: HTTPS is used for secure communication over networks. As a secure version of HTTP, HTTPS encapsulates HTTP data by using the SSL or TLS protocol. SSL or TLS is the security foundation of HTTPS. For more information, see Secure acceleration.

Access control

You can configure access control policies in the cloud to provide basic protection for live streaming.

The following common access control policies are provided:

  • Referer-based hotlink protection

    You can use the Referer header in HTTP requests to track and identify where the requests come from. You can configure a Referer-based blacklist or whitelist to control access to video resources.

  • IP address blacklist or whitelist

    You can configure an IP address blacklist or whitelist to identify and filter users. This helps you control access to live stream resources and improve the security of live streams.

For more information, see Access control.

URL signing for stream ingest and playback

Background information: If fixed streaming URLs are used, unauthorized video distribution may occur and cannot be controlled.

Introduction: ApsaraVideo Live provides the URL signing feature. This feature generates dynamic signed URLs that contain information such as the permission verification and validity period to distinguish legal requests and protect video resources.

After URL signing is enabled:

  • Both ingest URLs and streaming URLs are signed.

  • ApsaraVideo Player SDK and the API or SDKs provided by ApsaraVideo Live to obtain streaming URLs automatically generate streaming URLs with a validity period. For information about how to manually generate a dynamic signed URL, see the authentication method described in URL signing.

For more information, see URL signing.

Remote authentication

Background information: The URL signing feature of ApsaraVideo Live cannot detect all illegal requests such as hotlinked requests. Remote authentication allows you to authenticate business requests, which makes the authentication more accurate.

Introduction: In remote authentication mode, CDN passes through user requests to your authentication center so that you can determine whether the requests are legal. CDN allows or rejects the requests based on the authentication results.

  • To implement remote authentication, you must develop and deploy an authentication center. If the domain name of the authentication center is accelerated in CDN, CDN can cache the authentication results based on specific rules. This reduces the pressure on your authentication center.

  • By default, CDN passes through the headers and the request_uri field in user requests to your authentication center and performs operations based on the authentication results returned by the authentication center.

  • You can hide the logon cookie or universally unique identifier (UUID) of a user in a playback request and pass through the playback request to your authentication center. This way, you can determine whether the user is a legal user.

Note

You must develop and deploy your own authentication center to use remote authentication. To enable remote authentication, submit a ticket to contact Alibaba Cloud technical support. For more information, see Contact us.

Video security

Background information: The hotlink protection feature can prevent unauthorized access to your content. However, in paid live streaming scenarios, users can pay a one-time fee for a live stream and download the video file from the legal streaming URL for which hotlink protection is configured. After the video file is downloaded, redistribution of the video file is uncontrollable. Therefore, hotlink protection is far from enough to protect video copyrights. The leakage of video files can cause serious economic losses to your business that charges users for watching videos.

Introduction: Alibaba Cloud proprietary cryptography encrypts video data. Video files downloaded to on-premises devices are encrypted. This helps prevent unauthorized redistribution, video leakage, and hotlinking.

  • Alibaba Cloud proprietary cryptography

    Alibaba Cloud proprietary cryptography uses a proprietary cryptography algorithm and a secure transmission system to provide a cloud-device integrated video security solution. Alibaba Cloud proprietary cryptography consists of encrypted transcoding and playback after decryption.

    Benefits:

    • Each media file has a dedicated encryption key. This prevents a large number of video files from being exposed if a single key is leaked.

    • ApsaraVideo Live uses ciphertext and plaintext keys to provide envelope encryption. Only the ciphertext keys are stored. The plaintext keys are used in the memory and are immediately destroyed after use.

    • ApsaraVideo Live provides secure ApsaraVideo Player SDKs for multiple platforms, including iOS, Android, HTML5, and Flash. ApsaraVideo Player SDKs can automatically decrypt and play encrypted videos.

    • A proprietary cryptography protocol is used to transmit ciphertext keys between players and the cloud. The plaintext keys are not transmitted. This can prevent the keys from being intercepted.

    • ApsaraVideo Live provides the secure download feature. Videos cached on on-premises devices are encrypted again. This allows the videos to be played offline and prevents the videos from being copied and redistributed.

    Important

    Videos that are encrypted by using Alibaba Cloud proprietary cryptography have the following limits:

    • Videos can be generated only in the HTTP Live Streaming (HLS) format.

    • You can use only ApsaraVideo Player to play videos that are encrypted by using Alibaba Cloud proprietary cryptography.

    • Videos cannot be played on web pages.

    For more information, see Alibaba Cloud proprietary cryptography.

  • DRM encryption

    High-end video programs, such as sports games and concerts, must meet the security requirements of the content providers. ApsaraVideo Live provides a cloud-based DRM solution that supports FairPlay and Widevine DRM encryption. This solution integrates the video encryption, license issuance, and video playback features.

    For more information, see DRM encryption.

Each video encryption solution has advantages and disadvantages. In general, a more standard and universal solution provides higher flexibility but lower security. Select a solution based on your business scenario.

Content security

Background information: Live streams are produced by streamers and distributed to viewers on the live streaming platforms. Without proper content moderation, live streams may disseminate harmful and violating information.

Introduction: ApsaraVideo Live provides an AI-powered automated review feature that monitors audio, video, and image content in live streams. It also allows you to disable live streams that contain content violations.

  • Automated review: Built on extensive annotated data and deep learning algorithms, the feature accurately detects violative media content in audios, videos, thumbnails, and titles.

  • Disabling live streams: In the Stream Management module, you can permanently or temporarily disable live streams with non-compliant content or other issues.

For more information, see Content moderation.