What is the point of encrypting HLS files?

2

7

I am currently working on a project of videos on demand where I convert videos to HLS using FFMPEG.

Videos are publicly hosted on AWS S3 and there is an API giving the URL of the HLS playlist.

Now, I was looking at encrypting HLS files with AES-128 so that people can't download and watch the video offline. I found the procedure which consists in hosting the key online and using that key while converting the video to encrypt the segments.

The URL of the key is written in the HLS playlist, and the file is publicly available online.

So anyone has access to the encryption key.

I don't understand what the point of encrypting the segments is if anyone has access to the key.

Can someone enlighten me? I know I must be missing something. Thanks!

Appellate answered 29/1, 2016 at 2:17 Comment(0)
5

Encrypting HLS provides transport security as long as the key is requested over HTTPS, as it should be. This is not considered a DRM-level solution; it's just a very basic form of content protection.

In addition to using HTTPS for the keys, you can improve it by authenticating key requests (e.g. using a token-based authentication mechanism) and rotating the keys every n minutes following the HLS standard.

If you want true DRM, you have to look at other solutions like Widevine, Primetime, etc.

Dyarchy answered 29/1, 2016 at 9:36 Comment(3)
I think the key will do if I can protect it. But I'm not sure how to, since the key is hosted on AWS S3, and will be accessed not only by the website, but also the mobile apps (which excludes use of bucket policy, I believe). - Appellate
@APITC Last time I checked there weren't many options on S3, but you can do HLS authentication using CloudFront. You have the choice of using signed URLs or signed cookies. See the docs. - Dyarchy
@Appellate I'm in a similar boat. How did you end up going about protecting the decryption key? I don't want to implement a full-on DRM solution, I just want to serve an encrypted stream via ffmpeg over RTMP and allow a user to decrypt it if that user has access to the decryption key. - Teatime
0

To restrict access to the key files, you need to add some form of authentication. For example, you could use something like digest authentication or TLS/SSL client authentication.

There's more information on serving key files over HTTPS on Apple's site.

Harrovian answered 29/1, 2016 at 11:46 Comment(1)
The key is hosted on AWS S3. How can I add authentication then? The link is for live streaming. How can I rotate the key since the key is used during the segmentation, done only once? - Appellate
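Both answers come down to authenticating the key request. The following is an added example, not code from either answer: the playlist API rewrites the `EXT-X-KEY` URI with a per-user, expiring HMAC token, and the key endpoint checks that token before releasing the key. The secret, the `keys.example.com` host, the `user`/`exp`/`sig` parameter names and all function names are assumptions, and the playlist is constructed sample input.

```python
import hashlib
import hmac
import re
import time
from urllib.parse import parse_qs, urlencode, urlsplit

SECRET = b"constructed-demo-secret"  # assumption: shared by playlist API and key endpoint
KEY_URI = re.compile(r'(#EXT-X-KEY:[^\n]*?URI=")([^"?]+)(")')
# Constructed playlist in the shape of an AES-128 encrypted HLS rendition.
PLAYLIST = """#EXTM3U
#EXT-X-TARGETDURATION:10
#EXT-X-KEY:METHOD=AES-128,URI="https://keys.example.com/v/42/enc.key"
#EXTINF:10.0,
seg0.ts
#EXT-X-ENDLIST
"""

def sign(path, user, exp):
    """HMAC-SHA256 binding the key path, the user and the expiry together."""
    msg = f"{path}|{user}|{exp}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()

def tokenize_playlist(playlist, user, ttl=300, now=None):
    """Playlist API side: append an expiring token to every key URI."""
    exp = int(time.time() if now is None else now) + ttl
    def repl(m):
        uri = m.group(2)
        query = urlencode({"user": user, "exp": exp,
                           "sig": sign(urlsplit(uri).path, user, exp)})
        return f"{m.group(1)}{uri}?{query}{m.group(3)}"
    return KEY_URI.sub(repl, playlist)

def key_uris(playlist):
    """Return the key URIs a player would request for this playlist."""
    return re.findall(r'#EXT-X-KEY:[^\n]*?URI="([^"]+)"', playlist)

def authorize_key_request(url, now=None):
    """Key endpoint side: allow only an unexpired token that matches the path."""
    parts = urlsplit(url)
    q = parse_qs(parts.query)
    try:
        user, exp, sig = q["user"][0], int(q["exp"][0]), q["sig"][0]
    except (KeyError, ValueError):
        return False  # token missing or malformed
    if exp < (time.time() if now is None else now):
        return False  # token expired
    return hmac.compare_digest(sig.encode(), sign(parts.path, user, exp).encode())
```

The segments can stay on public storage; only the key endpoint needs to run this check, over HTTPS.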
