Alibaba Cloud video encryption (proprietary cryptography) secures video data, ensuring that even if a video is downloaded locally, it remains encrypted and cannot be redistributed maliciously. This effectively safeguards against video leaks and hotlinking. Proprietary cryptography offers enhanced security and ease of use compared to HLS encryption. This topic describes how to enable Alibaba Cloud proprietary cryptography and enhance your solution.
Background
Hotlink protection URLs cannot prevent users from downloading a video for redistribution after a single payment, making hotlink protection insufficient for safeguarding video copyrights. Unauthorized distribution can lead to significant economic losses for clients who charge for video access.
Benefits
Alibaba Cloud video encryption encrypts video data. Videos remain secure against malicious redistribution even after local download, effectively preventing leaks and hotlinking. This encryption is widely adopted in online copyright video sectors such as online education, finance, industry training, and exclusive series.
Alibaba Cloud employs a proprietary cryptography algorithm to deliver a high level of security, enabling you to protect your video resources conveniently, efficiently, and securely.
Each media file is secured with an independent encryption key, significantly reducing the risk of large-scale security breaches due to a single key's compromise.
ApsaraVideo VOD offers a comprehensive permission management system, allowing the creation of RAM users and the use of playback credentials to manage access permissions.
ApsaraVideo VOD employs ciphertext and plaintext keys within an envelope encryption system, ensuring plaintext keys are only used transiently in memory and not stored.
ApsaraVideo VOD provides secure player kernel SDKs.
Overall architecture
The Alibaba Cloud video encryption solution consists of two main components: encryption and transcoding, and decryption and playback.
- Encryption and transcoding
  - A video encryption request is initiated from the application backend.
    You submit a transcoding job that includes data encryption. (Step 1 in the figure above)
  - ApsaraVideo VOD retrieves the encryption key.
    ApsaraVideo VOD uses the Key Management Service (KMS) to generate both a plaintext and a ciphertext key. (Step 2 in the figure above)
  - ApsaraVideo VOD encrypts and transcodes the video.
    The video file is encrypted using the plaintext key, which is discarded after transcoding. (Step 3 in the figure above)
  - Notification upon transcoding completion.
    The encrypted video file is saved by ApsaraVideo VOD, which then sends you a completion notification. (Step 4 in the figure above)
- Decryption and playback
  - Authorization
    The video playback request is first sent to your API or backend page, which can be configured for permission control, such as requiring user login. We recommend configuring HTTPS for your domain. If authorized, the RAM user's AccessKey is used to access ApsaraVideo VOD and retrieve a playback credential, which is then sent to the application or webpage.
  - Obtain a playback URL
    The application or webpage sends the playback credential and media ID to ApsaraVideo Player. The ApsaraVideo Player SDK then performs the following:
    - Retrieves playback URLs in various formats and definitions from ApsaraVideo VOD based on the media ID.
    - Acquires the corresponding encryption key for the encrypted video.
  - Decryption and playback
    ApsaraVideo provides a secure playback kernel SDK, which uses the encryption key pair to decrypt the content for playback.
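The envelope encryption flow described above (one data key per media file, only the ciphertext key stored, the plaintext key used transiently) can be sketched as follows. This is an added example, not Alibaba Cloud code: `MockKMS`, `encrypt_media`, `play_media` and the SHAKE-256/HMAC stand-in cipher are hypothetical names and choices made for illustration, and the proprietary algorithm itself is not reproduced.

```python
import hashlib
import hmac
import secrets

def _seal(key: bytes, plaintext: bytes) -> bytes:
    """Stand-in authenticated cipher (SHAKE-256 keystream + HMAC tag), stdlib only."""
    nonce = secrets.token_bytes(16)
    stream = hashlib.shake_256(b"enc" + key + nonce).digest(len(plaintext))
    body = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(key, b"mac" + nonce + body, hashlib.sha256).digest()
    return nonce + body + tag

def _open(key: bytes, blob: bytes) -> bytes:
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, b"mac" + nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or tampered data")
    stream = hashlib.shake_256(b"enc" + key + nonce).digest(len(body))
    return bytes(c ^ s for c, s in zip(body, stream))

class MockKMS:
    """Hypothetical in-process stand-in for a key management service."""
    def __init__(self):
        self._master = secrets.token_bytes(32)  # master key never leaves the KMS

    def generate_data_key(self):
        plaintext_key = secrets.token_bytes(32)
        return plaintext_key, _seal(self._master, plaintext_key)

    def decrypt(self, ciphertext_key: bytes) -> bytes:
        return _open(self._master, ciphertext_key)

def encrypt_media(kms: MockKMS, media: bytes) -> dict:
    plaintext_key, ciphertext_key = kms.generate_data_key()  # fresh key per file
    record = {"ciphertext_key": ciphertext_key, "data": _seal(plaintext_key, media)}
    del plaintext_key  # only the ciphertext key is kept alongside the media
    return record

def play_media(kms: MockKMS, record: dict) -> bytes:
    # An authorized player has the ciphertext key unwrapped, then decrypts in memory.
    return _open(kms.decrypt(record["ciphertext_key"]), record["data"])

def demo():
    kms = MockKMS()
    a = encrypt_media(kms, b"constructed sample: lesson-1 video bytes")
    b = encrypt_media(kms, b"constructed sample: lesson-2 video bytes")
    leaked_key_a = kms.decrypt(a["ciphertext_key"])  # simulate one file's key leaking
    try:
        _open(leaked_key_a, b["data"])
        cross_decrypt = True
    except ValueError:
        cross_decrypt = False  # file B stays protected: it has its own key
    return play_media(kms, a), play_media(kms, b), cross_decrypt
```

`demo()` shows the blast-radius property: a leaked data key for one file does not open another file's ciphertext.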
Important information before use
- Videos encrypted with Alibaba Cloud proprietary cryptography are produced in HLS or MP4 format and can only be played using ApsaraVideo Player SDK.
- Currently, the web player on the iOS platform does not support playing videos encrypted with proprietary cryptography. In this case, HLS encryption is recommended for video encryption. For more information, see HLS encryption.
- MP4 videos encrypted with Alibaba Cloud proprietary cryptography can currently only be played using the ApsaraVideo Player SDK for iOS or Android. For more information, see the compatibility description of encrypted playback with the Player SDK.
How to use
Prerequisites
- ApsaraVideo VOD must be activated. For more information, see activating ApsaraVideo VOD.
- An accelerated domain name must be configured in ApsaraVideo VOD. For more information, see adding an accelerated domain name.
- To perform MP4 proprietary encryption, you must create and obtain a license containing player authorization before creating a proprietary encryption transcoding template group. Otherwise, you may encounter an error such as "License does not exist" when creating an encryption template. For more information, see managing licenses.
Proprietary encryption types
| Encryption type | HLS (m3u8+ts) | MP4 | Usage notes |
| Alibaba Cloud video encryption (proprietary cryptography) | Supported | Not supported | |
| Alibaba Cloud video encryption (License encryption) | Supported | Supported | |
Please note that different encryption types support different playback platforms. Evaluate and choose based on your actual business needs. For more information about supported playback protocols, see playback compatibility description.
Video encryption
- Create a proprietary encryption transcoding template group.
- Optional. Create a workflow and include the transcoding template group with Alibaba Cloud proprietary cryptography.
  You can add media processing tasks such as transcoding, review, and snapshot capture to a workflow in a specified sequence. This allows you to process media files in the defined order upon upload.
  Add a Transcode node to your workflow using the transcoding template group with proprietary cryptography. Workflows can only be created via the ApsaraVideo VOD console. For more details, see Workflow.
- Initiate transcoding.
  Transcoding jobs can be triggered during the upload and processing of media files. To submit a transcoding task, use either a transcoding template group or a workflow containing a transcoding node. For instructions on submitting a transcoding task via the console, see Step Two: Initiate Transcoding. For OpenAPI instructions, refer to Step Two: Initiate Transcoding.
- Check the transcoding results.
  - Asynchronously wait for result notifications
    If event notifications are configured for ApsaraVideo VOD, you can receive information about transcoding tasks through callback messages for single-definition transcoding completion or all-definition transcoding completion.
  - Synchronously query tasks
Video playback
Videos encrypted using Alibaba Cloud proprietary cryptography can only be played with ApsaraVideo Player.
ApsaraVideo Player SDK supports multiple platforms, including iOS, Android, and Web (HTML and Flash players). Use ApsaraVideo Player SDK to play encrypted videos on your application or website.
- Before using ApsaraVideo Player SDK, you must obtain player license authorization. For more information, see managing licenses.
- Before integrating ApsaraVideo Player SDK, ensure you understand the compatibility of each platform's player SDK with proprietary encryption. For more details, see player SDK encryption playback compatibility description.
- For instructions on using ApsaraVideo Player SDK to play proprietary encrypted videos, refer to playing proprietary encrypted videos on the Web, playing proprietary encrypted videos on Android, and playing proprietary encrypted videos on iOS.
Solution enhancement
For users who want to download videos for offline playback, it is recommended to set the Download Mode parameter to Encrypted to ensure video protection. For more information, see Download Settings. This method uses a key for secondary encryption of video files. Once downloaded, ApsaraVideo Player SDK decrypts the video, allowing playback only within the specified application, thus protecting the copyright of offline videos.