ApsaraVideo VOD provides a comprehensive protection mechanism to ensure content security. You can configure features such as access control, URL signing, remote authentication, video encryption, and secure download to meet your security requirements in different business scenarios.
Introduction
ApsaraVideo VOD provides a comprehensive content security mechanism to protect video content from hotlinking and illegal downloads or distribution. You can use ApsaraVideo VOD to protect the copyright of online videos in fields such as education, finance, industry training, and premium TV shows.
The following table describes the security features provided by ApsaraVideo VOD.
Security feature | Method | Description | Security level | Deployment complexity
Access control | Referer blacklist or whitelist | This feature tracks sources based on HTTP headers, which are prone to forgery. | Low | Low. Only configurations in the cloud are required.
Access control | User-Agent blacklist or whitelist | This feature tracks sources based on HTTP headers, which are prone to forgery. | Low | Low. Only configurations in the cloud are required.
Access control | IP address blacklist or whitelist | This feature allows or rejects access requests based on the source IP address. It is not suitable for distributing content to a large number of consumers. | Relatively low | Low. Only configurations in the cloud are required.
URL signing | URL signing | This feature generates signed URLs that change dynamically. You can specify custom validity periods for signed URLs. | Medium | Relatively low. Signed URLs are obtained by calling API operations or are automatically generated based on the keys.
Remote authentication | ApsaraVideo VOD passes user requests to your authentication center for authentication. | You add custom request information and use your own authentication center to verify requests. | Relatively high | Relatively high. You must deploy an authentication center and ensure high availability of the center.
Video encryption | Alibaba Cloud proprietary cryptography | ApsaraVideo VOD provides a cloud-device integrated solution to encrypt videos. The solution uses a proprietary encryption algorithm to ensure the security of transmission links. | High | Relatively low. You need to only perform simple configurations and integrate ApsaraVideo Player SDK.
Video encryption | HTTP Live Streaming (HLS) encryption | HLS encryption uses AES-128 to encrypt video content and supports all HLS-compatible players. The keys are prone to theft. | Relatively high | High. You must set up a key management service and a token issuance service. You must also ensure the security of transmission links.
Video encryption | Commercial digital rights management (DRM) | Platforms such as Apple FairPlay and Google Widevine provide native support for DRM. DRM provides high security and meets the requirements of large copyright content providers. | High | Very high. You must understand the rules and limits of Widevine and FairPlay and develop complex business logic on the client side. You need to integrate ApsaraVideo Player SDK. You are charged based on the number of license calls.
Secure download | A private key is used to perform secondary encryption on a downloaded video file, which can be decrypted and played offline. | Multiple mechanisms are used to ensure that a video can be decrypted and played offline only on the specified application. Each video has an independent private key. The private key file is stored after encryption to prevent theft. | High | Relatively low. You need to only perform simple configurations and integrate ApsaraVideo Player SDK.
Access limits
Introduction: Access policies are configured on the cloud to provide basic protection for video resources.
The following common access control policies are provided:
Referer
You can use the Referer header in HTTP requests to track and identify the source of requests. You can configure a Referer blacklist or whitelist to manage access to video resources.
User-Agent
You can use the User-Agent header in HTTP requests to track and identify the source of requests. You can configure a User-Agent blacklist or whitelist to control access to video resources.
IP address
You can configure an IP address blacklist or whitelist by using the X-Forwarded-For header or actual IP addresses of users to manage access to video resources. You can configure the IP address blacklist or whitelist by using an IP address list or a subnet mask.
For more information, see Access control.
URL signing
Background: If fixed playback URLs are used, unauthorized video distribution may occur and cannot be controlled.
Introduction: ApsaraVideo VOD provides the URL signing feature. This feature generates dynamic signed URLs that contain information such as information about permission verification and validity period to distinguish legitimate requests and protect video resources.
After URL signing is enabled:
The URLs of all media resources, including videos, audio, thumbnails, and snapshots, are signed.
You can use the ApsaraVideo Player SDK, ApsaraVideo VOD API, or ApsaraVideo VOD SDK to obtain a playback URL. A validity period is automatically assigned to the playback URL. For more information about how to obtain a dynamic signed URL, see the "Usage" section of the Configure URL signing topic.
For more information, see Configure URL signing.
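The principle behind a dynamic signed URL, as an added Go illustration that is not ApsaraVideo VOD's own signing format (that format is defined in the Configure URL signing topic): an expiry and an HMAC over the resource path are appended to a fixed URL, and the edge rejects links whose path or expiry was altered and links whose validity period has elapsed. The signing key, host and path are constructed placeholders.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"net/url"
	"strconv"
	"time"
)
// signingKey is a constructed placeholder; a deployment keeps the real key in a secret store.
var signingKey = []byte("constructed-demo-key-not-for-production")

// mac binds the signature to one resource path and one expiry instant.
func mac(path string, exp int64) string {
	h := hmac.New(sha256.New, signingKey)
	h.Write([]byte(path + "\n" + strconv.FormatInt(exp, 10)))
	return hex.EncodeToString(h.Sum(nil))
}

// SignURL turns a fixed playback URL into a dynamic one by appending an expiry and an HMAC.
func SignURL(rawURL string, validFor time.Duration, now time.Time) (string, error) {
	u, err := url.Parse(rawURL)
	if err != nil {
		return "", err
	}
	exp := now.Add(validFor).Unix()
	q := u.Query()
	q.Set("exp", strconv.FormatInt(exp, 10))
	q.Set("sig", mac(u.Path, exp))
	u.RawQuery = q.Encode()
	return u.String(), nil
}

// VerifyURL is the edge-side check: a tampered path or expiry fails hmac.Equal, and an intact link fails once exp has passed.
func VerifyURL(signedURL string, now time.Time) error {
	u, err := url.Parse(signedURL)
	if err != nil {
		return err
	}
	q := u.Query()
	exp, err := strconv.ParseInt(q.Get("exp"), 10, 64)
	if err != nil || !hmac.Equal([]byte(q.Get("sig")), []byte(mac(u.Path, exp))) {
		return errors.New("signature does not match path and expiry")
	}
	if now.Unix() > exp {
		return errors.New("signed URL expired")
	}
	return nil
}
```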
Remote authentication
Background: The URL signing feature provided by ApsaraVideo VOD cannot detect every illegal request, such as a hotlinking request that carries a valid signed URL. Remote authentication lets you authenticate user requests yourself, which makes the authentication more accurate.
Introduction: To perform remote authentication, CDN passes user requests to your authentication center to allow you to determine whether the requests are legitimate. CDN allows or rejects the requests based on your judgment.
To implement remote authentication, you must develop and deploy an authentication center. If the domain name of the authentication center is accelerated by CDN, CDN can cache the authentication results based on specific rules. This reduces the loads on your authentication center.
If you use CDN to accelerate data access for the authentication center, the remote authentication request is sent to CDN before it reaches your server. Authentication results that CDN has already cached are served from CDN, and your server does not need to respond again.
By default, CDN passes the headers and request_uri fields in user requests to your authentication center and performs actions based on the authentication results that are returned by the authentication center.
You can use CDN to verify requests. If you embed the logon cookie or universally unique identifier (UUID) of a user in the playback request, CDN passes that information to your authentication center along with the request, and you can determine whether the user is a legitimate user.
For more information, see Configure remote authentication.
You must develop and deploy an authentication center to use the remote authentication feature. To enable and configure the remote authentication feature, submit a ticket or contact your account manager.
Video encryption
Background: The hotlink protection feature protects your content. However, in the paid video scenario, users can pay a one-time fee for a video and download the video file from the legitimate streaming URL for which hotlink protection is configured. After the video is downloaded, distribution of the video cannot be managed. Therefore, hotlink protection is far from enough to protect video copyrights. The leakage of video files may cause serious economic losses to customers that charge users for watching videos.
Introduction: Alibaba Cloud proprietary cryptography encrypts video data. The video files that are downloaded to on-premises devices are encrypted. This prevents unauthorized redistribution, video leakage, and hotlinking.
Alibaba Cloud proprietary cryptography
Alibaba Cloud video encryption uses a proprietary cryptography algorithm and a secure transmission mechanism to provide a cloud-device integrated video security solution. Alibaba Cloud video encryption includes encrypted transcoding and playback after decryption.
Benefits:
Each media file has a dedicated encryption key. This prevents a large number of video files from being exposed if a single key is leaked.
ApsaraVideo VOD uses ciphertext and plaintext keys to provide envelope encryption. Only the ciphertext keys are stored. The plaintext keys are used in the memory and are immediately destroyed after use.
ApsaraVideo VOD provides secure ApsaraVideo Player SDKs for multiple platforms, including iOS, Android, HTML5, and Flash. ApsaraVideo Player SDKs can automatically decrypt and play encrypted videos.
A proprietary cryptography protocol is used to transmit ciphertext keys between players and the cloud. The plaintext keys are not transmitted. This can prevent the keys from being stolen.
ApsaraVideo VOD provides the secure download feature. Videos cached on on-premises devices are encrypted again. This allows the videos to be played offline and prevents the videos from being copied and redistributed.
Important: The following section describes the limits on videos that are encrypted by using Alibaba Cloud video encryption:
Videos can be generated only in the HLS format.
Videos that are encrypted by using Alibaba Cloud video encryption can be played only by ApsaraVideo Player.
The videos cannot be played on web pages on iOS devices.
For more information, see Alibaba Cloud video encryption.
HLS encryption
HLS encryption supports the common encryption scheme that is specified in HLS. HLS encryption uses AES-128 to encrypt the video content and supports all HLS-compatible players. You can use your custom player or an open source player to play the videos that are encrypted by using HLS encryption. Compared with Alibaba Cloud proprietary cryptography, HLS encryption is more flexible but harder to use and less secure.
You must set up a key management service to generate keys to encrypt videos during transcoding and obtain decryption keys during playback. You can also use Key Management Service (KMS) of Alibaba Cloud to encapsulate keys.
In addition, you must set up a token issuance service to verify players and prevent unauthorized access to decryption keys.
The plaintext keys are transmitted between players and the cloud and are prone to interception.
For more information, see HLS Encryption.
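The two key-handling ideas described above, envelope encryption of a per-video key so that only the ciphertext key is ever stored (the proprietary cryptography benefits) and HLS AES-128 segment encryption with its EXT-X-KEY tag (this section), as an added Go example that is not code from ApsaraVideo VOD or its SDKs. The AES-GCM wrapping scheme, the KEK value and the key URI are assumptions made for the illustration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"fmt"
)
// kek is the key-encryption key the key management service would hold (constructed 32-byte placeholder).
var kek = []byte("0123456789abcdef0123456789abcdef")

func must[T any](v T, err error) T {
	if err != nil {
		panic(err) // only reachable on a wrong key length, which is a programming error
	}
	return v
}
// kekAEAD wraps content keys with AES-256-GCM (this example's choice of wrapping scheme).
var kekAEAD = must(cipher.NewGCM(must(aes.NewCipher(kek))))

// WrapKey seals a per-video content key under the KEK; only this ciphertext is stored, never the plaintext key.
func WrapKey(contentKey []byte) ([]byte, error) {
	nonce := make([]byte, kekAEAD.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return kekAEAD.Seal(nonce, nonce, contentKey, nil), nil
}

// UnwrapKey recovers the content key in memory for one request; a modified stored blob fails authentication.
func UnwrapKey(wrapped []byte) ([]byte, error) {
	n := kekAEAD.NonceSize()
	if len(wrapped) < n {
		return nil, fmt.Errorf("wrapped key too short")
	}
	return kekAEAD.Open(nil, wrapped[:n], wrapped[n:], nil)
}

// EncryptSegment applies HLS AES-128 (CBC, PKCS#7 padding) to one media segment and returns its EXT-X-KEY tag.
func EncryptSegment(key, iv, segment []byte, keyURI string) ([]byte, string) {
	block := must(aes.NewCipher(key))
	pad := aes.BlockSize - len(segment)%aes.BlockSize
	padded := append(append([]byte{}, segment...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	out := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, padded)
	tag := fmt.Sprintf(`#EXT-X-KEY:METHOD=AES-128,URI="%s",IV=0x%s`, keyURI, hex.EncodeToString(iv))
	return out, tag
}
```

The key server that answers the URI in the tag is where the token check belongs: it should unwrap the key only for a request carrying a valid token, and the plaintext key still travels to the player, which is the exposure the text describes.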
Commercial DRM
High-end video programs must meet the security requirements of content providers, such as Hollywood and Warner. ApsaraVideo VOD provides a cloud-based DRM solution that supports FairPlay and Widevine DRM encryption. This solution integrates the video encryption, license issuance, and video playback features.
For more information, see Introduction.
Each video encryption solution has advantages and disadvantages. In general, a more standard and universal solution provides higher flexibility but lower security. Select a solution based on your business scenario.
Feature comparison:
Security level: commercial DRM > Alibaba Cloud proprietary cryptography > HLS encryption
The security level of Alibaba Cloud proprietary cryptography is approximately equal to that of commercial DRM. The security level of Alibaba Cloud proprietary cryptography or commercial DRM is significantly higher than that of HLS encryption.
Ease of use: commercial DRM > Alibaba Cloud proprietary cryptography > HLS encryption
Alibaba Cloud proprietary cryptography provides a cloud-device integrated solution that allows you to seamlessly integrate the encryption capability by using simple configurations and ApsaraVideo Player SDKs.
To use HLS encryption, you must set up a KMS service and a token issuance service.
To use commercial DRM, you must purchase a license, integrate a specific SDK, and develop business logic on the client side.
Universality: HLS encryption > commercial DRM > Alibaba Cloud proprietary cryptography
HLS encryption supports all HLS-compatible players.
Commercial DRM supports only authorized platforms such as the Google Chrome, Safari, Internet Explorer, and Microsoft Edge browsers and the Android and iOS operating systems.
Alibaba Cloud proprietary cryptography supports ApsaraVideo Player only for Android, iOS, HTML5, and Flash.
Cost: Alibaba Cloud proprietary cryptography = HLS encryption < commercial DRM
Alibaba Cloud proprietary cryptography and HLS encryption are free of charge. Commercial DRM requires additional license fees.
Secure download and caching
Background: Video applications, especially those for mobile devices on Android and iOS, must cache videos on or download videos to on-premises devices. The videos that are stored on on-premises devices must be protected from unauthorized playback or redistribution. The secure download feature provided by ApsaraVideo Player can protect the videos that are downloaded to on-premises devices.
Introduction: Secure download is a process where secondary encryption is performed on a video by using a private key. After the video is downloaded, it is decrypted in ApsaraVideo Player SDKs. This ensures that the offline video can be played only by the application with the bundle ID or keystore that is specified in secure download settings.
Benefits:
After a video is downloaded, it can be decrypted and played offline and can be played only by the specified application.
The private key file is stored after encryption to prevent theft.
Each video file has an independent private key for each application. If the private key of a single video is disclosed, other videos are not affected.
To use this feature, enable secure download in the ApsaraVideo VOD console. For more information, see Configure offline download.
Secure download is supported for ApsaraVideo Player SDKs except for ApsaraVideo Player SDK for Web.