When you use Alibaba Cloud proprietary cryptography to encrypt video data, downloaded copies of the videos remain encrypted and cannot be maliciously distributed. This prevents data leaks and hotlinking. Compared with HTTP Live Streaming (HLS) encryption, Alibaba Cloud proprietary cryptography is more secure and easier to use. This topic describes how to enable Alibaba Cloud proprietary cryptography and how to enhance the solution.
Background information
Users can pay a one-time fee for a video and download the video file from the streaming URL that has hotlink protection. However, distribution of the video file cannot be controlled after the video file is downloaded from the streaming URL. Therefore, hotlink protection is not enough to protect video copyrights. The leakage of video files may cause serious economic losses to customers that charge users for watching videos.
Benefits
Alibaba Cloud proprietary cryptography encrypts video data. Video files downloaded to a local device are encrypted, which prevents unauthorized redistribution. Video encryption prevents video leakage and hotlinking. You can use video encryption in a wide range of scenarios that involve copyrighted online video, such as online education, finance, industry training, and premium TV shows.
Alibaba Cloud uses a proprietary cryptographic algorithm to provide a high level of security, which allows you to protect your video resources in a convenient, efficient, and secure manner.
Each media file has a dedicated encryption key. This prevents a large number of video files from being exposed if a single key is leaked.
ApsaraVideo VOD provides a comprehensive permission management system. You can create RAM users and use playback credentials to control the access permissions.
ApsaraVideo VOD uses ciphertext and plaintext keys to provide an envelope encryption system. The plaintext keys are not stored and are used only to process data in the memory.
ApsaraVideo VOD provides secure player kernel SDKs.
Overall architecture
Alibaba Cloud proprietary cryptography consists of two parts: encryption and transcoding, and decryption and playback.
Encryption and transcoding
The application initiates a video encryption request
You submit a transcoding job that requires data encryption (Step 1 in the preceding figure).
ApsaraVideo VOD obtains the encryption key
ApsaraVideo VOD uses Key Management Service (KMS) to generate a plaintext key and a ciphertext key (Step 2 in the preceding figure).
ApsaraVideo VOD encrypts and transcodes the video
ApsaraVideo VOD uses the plaintext key to encrypt the video file. After the video file is transcoded, the plaintext key is discarded (Step 3 in the preceding figure).
ApsaraVideo VOD sends a notification after transcoding is complete
ApsaraVideo VOD saves the encrypted video file and sends you a notification (Step 4 in the preceding figure).
Decryption and playback
Authorization
When a user requests to play a video on a mobile application or web page, the request is first sent to your API or backend page. You can configure permission control to manage content. For example, you can require users to log on before they can play the video. We recommend that you configure HTTPS for your added domain name. If the playback request is authorized, the AccessKey pair of the RAM user is used to access ApsaraVideo VOD and obtain a playback credential. Then, the playback credential is sent to the mobile application or web page.
Playback URL acquisition
The mobile application or web page sends the playback credential and media ID to ApsaraVideo Player. ApsaraVideo Player SDK then performs the following operations:
Obtain the playback URL in the specific video format and definition from ApsaraVideo VOD based on the media ID.
Obtain the encryption key of the encrypted video.
Decryption and playback
ApsaraVideo VOD provides the secure kernel SDK, which uses the encryption key to decrypt and play the video.
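The envelope encryption flow described under Benefits and in the two architecture phases above, as an added Python example that is not Alibaba Cloud code. LocalKms is a hypothetical in-process stand-in for KMS, and the cipher is an HMAC-SHA256 keystream with a MAC, standing in for the proprietary algorithm; all function names are assumptions.

```python
import hashlib
import hmac
import secrets


def _mac(key, msg):
    return hmac.new(key, msg, hashlib.sha256).digest()


def _stream(key, nonce, n):
    return b"".join(_mac(key, nonce + i.to_bytes(8, "big")) for i in range((n + 31) // 32))[:n]


def seal(key, data):
    """Encrypt-then-MAC; the HMAC keystream is a stdlib stand-in, not the proprietary cipher."""
    enc, mac, nonce = _mac(key, b"enc"), _mac(key, b"mac"), secrets.token_bytes(16)
    body = bytes(a ^ b for a, b in zip(data, _stream(enc, nonce, len(data))))
    return nonce + body + _mac(mac, nonce + body)


def unseal(key, blob):
    enc, mac = _mac(key, b"enc"), _mac(key, b"mac")
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, _mac(mac, nonce + body)):
        raise ValueError("authentication failed")
    return bytes(a ^ b for a, b in zip(body, _stream(enc, nonce, len(body))))


class LocalKms:
    """Hypothetical in-process stand-in for KMS (assumption); the master key never leaves it."""
    def __init__(self):
        self._master = secrets.token_bytes(32)

    def generate_data_key(self):
        plaintext_key = secrets.token_bytes(32)
        return plaintext_key, seal(self._master, plaintext_key)

    def decrypt(self, ciphertext_key):
        return unseal(self._master, ciphertext_key)


def encrypt_media(kms, media):
    plaintext_key, ciphertext_key = kms.generate_data_key()  # one key pair per media file
    encrypted = seal(plaintext_key, media)                   # encrypt with the plaintext key
    del plaintext_key  # discarded after use; only the ciphertext key is stored
    return {"ciphertext_key": ciphertext_key, "data": encrypted}


def play_media(kms, record):
    return unseal(kms.decrypt(record["ciphertext_key"]), record["data"])
```

Because each record carries its own wrapped key, a key recovered for one media file does not decrypt any other, and a stored record is useless without access to the key service.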
Usage notes
Videos encrypted by using Alibaba Cloud proprietary cryptography are generated only in the HLS or MP4 format and can be played only by using ApsaraVideo Player.
Videos encrypted by using Alibaba Cloud proprietary cryptography cannot be played by ApsaraVideo Player for Web on iOS devices. In this scenario, we recommend that you use HLS encryption to encrypt videos.
You can play MP4 videos encrypted by Alibaba Cloud proprietary cryptography only by using ApsaraVideo Player for iOS or Android. For more information, see Compatibility description.
Procedure
Prerequisites
ApsaraVideo VOD is activated. For more information, see Activate ApsaraVideo VOD.
An accelerated domain name is added to ApsaraVideo VOD. For more information, see Add a domain name for CDN.
To encrypt MP4 videos by using Alibaba Cloud proprietary cryptography, a license for ApsaraVideo Player SDK is obtained before you create a transcoding template group in which Alibaba Cloud proprietary cryptography is specified. For more information, see Obtain a license.
Video encryption
Create a transcoding template group and specify Alibaba Cloud proprietary cryptography.
Optional. Create a workflow and add the transcoding template group in which Alibaba Cloud proprietary cryptography is specified.
You can add media processing tasks such as transcoding, review, and snapshot capture tasks to a workflow in a specific order. This way, you can use the workflow to process media files in the specified order.
Add a Transcode node to your workflow and use the transcoding template group in which Alibaba Cloud proprietary cryptography is specified. You can create workflows only by using the ApsaraVideo VOD console. For more information, see Workflows.
Start transcoding.
You can trigger transcoding when you upload and process media files. To submit a transcoding task, you can use a transcoding template group or a workflow that contains a transcoding node. For more information about how to start transcoding by using the ApsaraVideo VOD console, see Step 2: Start transcoding. For more information about how to start transcoding by using the ApsaraVideo VOD API, see Step 2: Start transcoding.
View the transcoding results.
Obtain results from the callback
If you have configured event notifications, you can obtain the transcoding results from the StreamTranscodeComplete or TranscodeComplete callback.
Query the results
Play videos
Videos encrypted by using Alibaba Cloud proprietary cryptography can be played only by using ApsaraVideo Player.
ApsaraVideo Player SDK is supported on multiple platforms including iOS, Android, and Web (HTML and Flash players). You can use ApsaraVideo Player SDK to play encrypted videos in your application or website.
Before you use ApsaraVideo Player SDK, you must obtain a license. For more information, see Obtain a license.
Before you integrate ApsaraVideo Player SDK, make sure that you understand the compatibility of Alibaba Cloud proprietary cryptography with ApsaraVideo Player SDKs on different platforms. For more information, see Compatibility of ApsaraVideo Player SDK.
For more information about how to use ApsaraVideo Player SDK to play encrypted videos, see Use ApsaraVideo Player SDK for Web, Use ApsaraVideo Player SDK for Android, and Use ApsaraVideo Player SDK for iOS.
Solution enhancement
If users want to download videos for offline playback, we recommend that you set the Download Mode parameter to Encrypted to protect your videos. For more information, see Configure offline download. This option uses a key to perform secondary encryption on video files. After a video is downloaded, ApsaraVideo Player SDK decrypts the video and allows the video to be played only by the specified application. This ensures that the copyright of offline videos is protected.