All Products
Search
Document Center

ApsaraVideo VOD:Alibaba Cloud proprietary cryptography

Last Updated:Feb 27, 2024

After you use Alibaba Cloud proprietary cryptography to encrypt video data, the downloaded videos are also encrypted and cannot be maliciously distributed. This prevents data leaks and hotlinking. Compared with HTTP Live Streaming (HLS) encryption, Alibaba Cloud proprietary cryptography is more secure and easier to use. This topic describes how to enable Alibaba Cloud proprietary cryptography and provides solution enhancement.

Background information

Users can pay a one-time fee for a video and download the video file from the streaming URL that has hotlink protection. However, distribution of the video file cannot be controlled after the video file is downloaded from the streaming URL. Therefore, hotlink protection is not enough to protect video copyrights. The leakage of video files may cause serious economic losses to customers that charge users for watching videos.

Benefits

Alibaba Cloud proprietary cryptography encrypts video data. Video files downloaded to a local device are encrypted, which prevents unauthorized redistribution. Video encryption prevents video leakage and hotlinking. You can use video encryption in a wide range of online copyrighted video fields such as online education, finance, industry training, and premium TV shows.

Alibaba Cloud utilizes the proprietary cryptography algorithm to provide a high level of security, which allows you to protect your video resources in a convenient, efficient, and secure manner.

  • Each media file has a dedicated encryption key. This prevents a large number of video files from being exposed if a single key is leaked.

  • ApsaraVideo VOD provides a comprehensive permission management system. You can create RAM users and use playback credentials to control the access permissions.

  • ApsaraVideo VOD uses ciphertext and plaintext keys to provide an envelope encryption system. The plaintext keys are not stored and are used only to process data in the memory.

  • ApsaraVideo VOD provides secure player kernel SDKs.

Overall architecture

Alibaba Cloud proprietary cryptography consists of two parts: encryption and transcoding, and decryption and playback.

  • Encryption and transcoding

    1. The application initiates a video encryption request

      You submit a transcoding job that requires data encryption (Step 1 in the preceding figure).

    2. ApsaraVideo VOD obtains the encryption key

      ApsaraVideo VOD uses Key Management Service (KMS) to generate a plaintext key and a ciphertext key (Step 2 in the preceding figure).

    3. ApsaraVideo VOD encrypts and transcodes the video

      ApsaraVideo VOD uses the plaintext key to encrypt the video file. After the video file is transcoded, the plaintext key is discarded (Step 3 in the preceding figure).

    4. ApsaraVideo VOD sends a notification after transcoding is complete

      ApsaraVideo VOD saves the encrypted video file and sends you a notification (Step 4 in the preceding figure).

  • Decryption and playback

    1. Authorization

      When a user requests to play a video on a mobile application or web page, the request is first sent to your API or backend page. You can configure permission control to manage content. For example, you can require users to log on before they can play the video. We recommend that you configure HTTPS for your added domain name. If the playback request is authorized, the AccessKey pair of the RAM user is used to access ApsaraVideo VOD and obtain a playback credential. Then, the playback credential is sent to the mobile application or web page.

    2. Playback URL acquisition

      The mobile application or web page sends the playback credential and media ID to ApsaraVideo Player. ApsaraVideo Player SDK proceeds with the following operations:

      • Obtain the playback URL in the specific video format and definition from ApsaraVideo VOD based on the media ID.

      • Obtain the encryption key of the encrypted video.

    3. Decryption and playback

      ApsaraVideo VOD provides the secure kernel SDK, which uses the encryption key to decrypt and play the video.

Usage notes

  • Videos encrypted by using Alibaba Cloud proprietary cryptography are generated only in the HLS or MP4 format and can be played only by using ApsaraVideo Player.

  • Videos encrypted by using Alibaba Cloud proprietary cryptography cannot be played by ApsaraVideo Player for Web on iOS devices. In this scenario, we recommend that you use HLS encryption to encrypt videos.

  • You can play MP4 videos encrypted by Alibaba Cloud proprietary cryptography only by using ApsaraVideo Player for iOS or Android. For more information, see Compatibility description.

Procedure

Prerequisites

  • ApsaraVideo VOD is activated. For more information, see Activate ApsaraVideo VOD.

  • An accelerated domain name is added to ApsaraVideo VOD. For more information, see Add a domain name for CDN.

  • To encrypt MP4 videos by using Alibaba Cloud proprietary cryptography, a license for ApsaraVideo Player SDK is obtained before you create a transcoding template group in which Alibaba Cloud proprietary cryptography is specified. For more information, see Obtain a license.

Video encryption

  1. Create a transcoding template group and specify Alibaba Cloud proprietary cryptography.

    Use the ApsaraVideo VOD console

    1. Log on to the ApsaraVideo VOD console. In the left-side navigation pane, choose Configuration Management > Media Processing > Transcoding Template Groups.

    2. On the Transcoding Template Groups page, click Create Transcoding Template Group.

      You can specify Alibaba Cloud proprietary cryptography in a regular transcoding template or a video packaging template. The following steps describe how to specify Alibaba Cloud proprietary cryptography in a regular transcoding template:

      • In the Basic Parameters section, set Encapsulation Format to hls or mp4.

      • In the Advanced Parameters section, turn on Alibaba Cloud proprietary cryptography.

      • Configure other parameters based on your business requirements. For more information, see Configure regular transcoding templates.私有加密-MP4.png

    3. Click Save.

      After the template is created, you can view the ID of the transcoding template group on the Transcoding Template Groups page. Save the transcoding template group ID for subsequent use.

      视频安全-HLS加密-控制台1

    Use the ApsaraVideo VOD API

    Call the AddTranscodeTemplateGroup operation and specify EncryptType of EncryptSetting in TranscodeTemplate.

  2. Optional. Create a workflow and add the transcoding template group in which Alibaba Cloud proprietary cryptography is specified.

    You can add media processing tasks such as transcoding, review, snapshot capture tasks to a workflow based on a specific order. This way, you can use the workflow to process media files in the specified order.

    Add a Transcode node to your workflow and use the transcoding template group in which Alibaba Cloud proprietary cryptography is specified. You can create workflows only by using the ApsaraVideo VOD console. For more information, see Workflows.

  3. Start transcoding.

    You can trigger transcoding when you upload and process media files. To submit a transcoding task, you can use a transcoding template group or a workflow that contains a transcoding node. For more information about how to start transcoding by using the ApsaraVideo VOD console, see Step 2: Start transcoding. For more information about how to start transcoding by using the ApsaraVideo VOD API, see Step 2: Start transcoding.

  4. View the transcoding results.

    Obtain results from the callback

    If you have configured event notifications, you can obtain the transcoding results from the StreamTranscodeComplete or TranscodeComplete callback.

    Query the results

    Use the ApsaraVideo VOD console

    1. Log on to the ApsaraVideo VOD console. In the left-side navigation pane, choose Media Files > Audio/Video.

    2. On the Audio/Video page, view the Status of the video.

      If the Status of the video is Normal, the video is transcoded and encrypted by using Alibaba Cloud proprietary cryptography.

    3. Click Manage in the Actions column.

    4. On the Video URL tab, Alibaba Cloud Private Encryption is displayed in the Format column for streams encrypted by using Alibaba Cloud proprietary cryptography.私有加密

    Use the ApsaraVideo VOD API

    Call the GetPlayInfo operation and obtain the EncryptType parameter from the response. The EncryptType parameter indicates the encryption type of the stream.

Play videos

Videos encrypted by using Alibaba Cloud proprietary cryptography can be played only by using ApsaraVideo Player.

ApsaraVideo Player SDK is supported on multiple platforms including iOS, Android, and Web (HTML and Flash players). You can use ApsaraVideo Player SDK to play encrypted videos in your application or website.

Solution enhancement

If users want to download videos for offline playback, we recommend that you set the Download Mode parameter to Encrypted to protect your videos. For more information, see Configure offline download. This option uses a key to perform secondary encryption on video files. After a video is downloaded, ApsaraVideo Player SDK decrypts the video and allows the video to be played only by the specified application. This ensures that the copyright of offline videos is protected.

References

Play an encrypted video