Building more secure video encryption: Cloud On Demand copyright protection in practice

In China, the online video industry, represented by online education, vocational training and OTT service providers, has steadily grown its paid-content business. At the same time, piracy and infringement of online video are rampant and cause serious losses to copyright owners. These users therefore want their premium video content encrypted and available only to their paying subscribers.

Cloud On Demand pays close attention to the security of users' video content and has thought deeply and innovated continuously on both the strength and the speed of video encryption. The following is a detailed introduction to the technical practice of Cloud On Demand video encryption.

- Basic encryption scheme -

Apple's HLS is the most widely used online audio and video streaming format in the industry today, and HLS also provides an encryption scheme based on a symmetric key, commonly known as HLS Encryption.

The basic principle of HLS Encryption is that the content platform encrypts each TS file in the HLS stream with an AES-128 key (Key) and an initialization vector (IV). The M3U8 playlist then carries the information the player needs in order to decrypt:

#EXTM3U
#EXT-X-VERSION:3
#EXT-X-KEY:METHOD=AES-128,URI="https://keyprovider",IV=0x1234
…

As shown in the M3U8 above, if the HLS stream is encrypted, the information needed for decryption is contained in the EXT-X-KEY tag:

  • TS content is encrypted using AES-128;

  • The content key is obtained from the https://keyprovider address;

  • The initialization vector for decryption is 0x1234.

The first version of the Cloud On Demand encryption scheme, which we call the "basic encryption scheme", decrypts content as shown in the figure above:

1. After the player downloads the M3U8, it requests the content key from the address specified by the URI in EXT-X-KEY;

2. The URI that provides the content key points to the user's service server. After the key request is authenticated, the service server requests the corresponding content key from Cloud On Demand;

3. Cloud On Demand distributes the content key to the user's service server;

4. The user's service server distributes the content key to the player, which uses it to decrypt and play the content.

The "basic encryption scheme" of Cloud On Demand is a standard scheme implemented on top of HLS Encryption. Once content is encrypted with it, any terminal that wants to play the video must pass the service server's legitimacy check and obtain the content key; otherwise it cannot play.

Although the "basic encryption scheme" does encrypt and protect the video, the transmission of the content key has a security problem. By the design of HLS Encryption, the player obtains the content key from the address specified by the URI in EXT-X-KEY and uses that key to decrypt the video content. However, the content key obtained this way is unprotected.

As shown in the figure, when we play HLS-encrypted video in the Chrome browser, we can enable debug mode and capture the network request that fetches the content key.

The response body of that request shows the raw binary content of the content key. This means an attacker only needs the browser's debug mode or any other network capture tool to obtain the content key, so the key is disclosed.

     

- Private encryption scheme -

In response to the problem in the "basic encryption scheme", Cloud On Demand asked: can a layer of protection be applied to the content key itself? On that basis, Cloud On Demand proposed the "private encryption scheme".

The specific process is shown in the figure above:

1. The player requests a signature from the service server;

2. The service server authenticates the playback request and issues a signature if it passes;

3. The player randomly generates a temporary key and sends it, together with the signature, to the cloud VOD server (the address specified by the URI in EXT-X-KEY in the M3U8);

4. After the cloud VOD server verifies the signature, it encrypts the content key with the random key sent by the player and returns the result to the client;

5. The client decrypts with the random key it generated earlier to recover the original content key, then decrypts the content and plays it.

     

The "private encryption scheme" encrypts the original content key with an ephemeral key generated by the client. Compared with the standard "basic encryption scheme", it avoids exposing content keys directly to attackers and improves security.

After the "private encryption scheme" was adopted, the effort an attacker needs to crack encrypted content rose sharply, which effectively stopped a large number of the decryption plug-ins and underground cracking tools found on the market.

However, the "private encryption scheme" is essentially a software-level hardening of the encryption. In theory an attacker can still work out the exact mechanism of the private encryption through decompilation or other means and mount a targeted attack on it.

- Commercial-grade DRM -

Commercial-grade DRM, represented by Apple's FairPlay and Google's Widevine, performs encryption and decryption at the hardware level and is currently recognized as the most secure copyright protection solution in the industry.

The principle of commercial-grade DRM is that the DRM system encrypts the content key, packages it into a license and distributes it to playback devices through a license service. A dedicated decryption module on the playback device is responsible for extracting the original content key from the license and decrypting the video for playback. Because both the extraction of the content key from the license and the decryption of the video stream with that key take place in dedicated hardware on the playback device, it can be guaranteed that neither the decryption process nor the decrypted result leaks.

As shown in the figure above, when the device downloads commercial-grade DRM-protected content from the content server (Web Server), it requests a license from the license server (License Server) and hands the license to the device kernel, where dedicated hardware performs the decryption.

However, for a video platform, integrating directly with any commercial-grade DRM system is extremely costly. First, commercial-grade DRM vendors generally subject the integrating party to a strict review, and a series of certifications and examinations must be passed before access is granted. In addition, the implementations of the different commercial-grade DRM systems differ, the learning cost is high, and their support for the various streaming formats and platforms also varies.

Cloud On Demand provides a professional and stable KMS and license server that shields users from the complexity of commercial-grade DRM. The specific playback process is shown in the figure above:

1. The player requests a signature from the service server;

2. The service server authenticates the playback request and issues a signature if it passes;

3. The player sends the signature and a license request to the license server;

4. After the license server verifies the signature, it issues the license.

Finally, the client extracts the original content key from the license, decrypts the content and plays it.

Cloud On Demand has integrated the two mainstream DRM systems, FairPlay and Widevine, to help users quickly enjoy the industry's highest level of protection for their video content.

- Choice of encryption scheme -

From the "basic encryption scheme" to the "private encryption scheme" and on to "commercial-grade DRM", the strength of the encryption increases step by step. Does this mean that "commercial-grade DRM" must be the best solution for every user?

In fact, a higher security level comes at the cost of narrower platform coverage:

  • Basic encryption scheme: applicable to essentially every terminal that can play HLS, so it has the widest coverage;

  • Private encryption scheme: works on all mobile terminals, but on the web it only works in browsers that support MSE (Safari, for example, does not);

  • Commercial-grade DRM: some domestic brands of mobile phones and PCs ship with the DRM modules stripped out, so its coverage is the narrowest.

The private encryption scheme of Cloud On Demand supports automatic fallback during playback. Once enabled, if the browser on the playback terminal does not support MSE, playback automatically falls back to the basic encryption mode. Commercial-grade DRM, by contrast, places very strict demands on the terminal hardware: if the device does not support DRM, playback simply fails.

Therefore, users are advised to weigh their actual playback scenarios against their required security level. For example:

  • OTT users, whose content (such as movies) demands an extremely high protection level and whose playback terminal is relatively uniform (TV boxes), are advised to use commercial-grade DRM;

  • Education and training users, who need to support playback on many terminals (mobile, PC, web, mini programs, etc.), are advised to use the private encryption scheme.


Origin my.oschina.net/qcloudcommunity/blog/5569919