Preventing Unauthorized Viewing

Applies To:

HTTP LargeThis platform has been optimized to cache and deliver static content (e.g., HTML, CSS, JavaScript, ISO, multimedia, and software downloads, etc.) over HTTP or HTTPS.

Dynamic Cloud PackagingThis streaming solution facilitates HLS and/or MPEG-DASH playback of live or on-demand content. A live stream may be pushed to this service via RTMP.

Secure media against unauthorized viewing through the following methods:

Token-Based Authentication: Use time, country, URL, IP address, and referrer information to determine whether users can view your stream.
Stream Encryption: Apply AES-128 encryption to your stream.

Token-Based Authentication

The Token-Based Authentication feature may secure live and on-demand streams by requiring that a viewer satisfy a set of security requirements before being granted access to your content. This type of configuration is supported under the following circumstances:

Content should not be streamed from a location defined in the Directories to Authenticate section of the Token Auth page.
Token-Based Authentication should only be enabled on manifest files (i.e., m3u8 and mpd). This may be achieved via the following Rules Engine configuration:
- Match: Match the m3u8 and/or mpd file extensions via the URL Path Extension Literal match condition.
- Feature: Enable the Token Auth feature.

To create a rule that secures manifest files with Token-Based Authentication

If a policy has been deployed to the Production environment, then create a copy of it. Otherwise, create a draft.
Modify the draft to include the URL Path Extension Literal match condition.

Configure this match condition as indicated below.
- Set the Result option to "match."
- Set the Value option to "m3u8 mpd" to secure HLS and MPEG-DASH manifest files.
- Set the Ignore Case option to "yes."
Directly below this match condition, add the Token Auth feature.
1. Click .
2. Select "Feature." set the category to "Access," and then select "Token Auth."
3. Enable this feature by clicking no under the Enabled option. This option will now be set to "yes."
Click Save.
Convert the draft into a policy.
Deploy the policy to the Production environment.

Stream Encryption

Both Encrypted HLS and Encrypted Key Rotation are incompatible with Server-Side Archiving.

Stream encryption requires the activation of the Encrypted HLS feature. Please contact your CDN account manager to activate this feature.

AES-128 encryption can be applied to HLS streams generated for your live events and on-demand content. Encrypted streams can only be decrypted by players that support encrypted HLS (e.g., iOS devices, QuickTime, and Android devices). Players that do not support encrypted HLS will be unable to play back encrypted streams.

Key information:

Enabling encrypted HLS will generate encrypted streams. This will result in encrypted content being cached on our network.
Disabling encrypted HLS requires that all cached HLS content be purged to prevent encrypted cached content from impacting playback.
The playback of an encrypted stream can be performed by any media player that supports encrypted HLS playback. It does not require media player customization or additional configuration.
Only HLS streams can be encrypted at this time. This means that it may be possible to download or stream your content using a different streaming technology (e.g., MPEG-DASH).

Additional protection may be applied to sensitive streams by denying all non-HLS requests for H.264 assets. This type of setup may be achieved via Rules Engine. For more information, please contact your CDN account manager.

Live Streaming Configuration

An event's configuration determines whether its streams will be encrypted. Specifically, the Encrypt HLS option toggles whether AES-128 encryption will be applied to all streams associated with the instance.

Key Rotation

Key rotation requires the activation of the Encrypted Key Rotation feature. Please contact your CDN account manager to activate this feature.

The encryption key generated for a live stream may be rotated at regular intervals to prevent unauthorized playback via a shared link. Upon enabling this capability, a media player will be required to fetch the latest version of the encryption key at the specified interval.

Key information:

This interval may be defined on a per instance basis by setting the Encrypt Key Rotation (seconds) option to the desired interval in seconds.
This interval must be specified in multiples of 5 (e.g., 10, 15, 20, etc.) seconds.
The specified interval must be greater than or equal to 10 seconds.
The specified interval must be less than or equal to 1440 seconds (i.e., 24 minutes).
The live event's segment size plays a role in determining how often the encryption key will be rotated. Encryption key rotation may only take place at the start of a new segment.

Example

Let's assume the following configuration:
- Encrypt Key Rotation (seconds): 15 seconds
- Segment Size: 10 seconds
The first encryption key rotation should take place in the middle of the second segment (i.e., at the 15 second mark). However, since the rotation of the encryption key may only take place at the start of a new segment, the key won't be rotated until the start of the second segment (i.e., at the 20 second mark).

On-Demand Streaming Configuration

The Protected Directories for Encrypted HLS section on the Dynamic Cloud Packaging - VOD page defines the set of locations that will generate encrypted streams from on-demand content.

Secure a directory by:

Specifying the relative path to the desired directory.
Indicating whether the above directory applies to all customer origins or CDN storage.

Key information:

An encrypted directory only applies to the selected origin type (i.e., CDN storage or customer origin).

The same relative path may be secured for both CDN storage and customer origins by creating an encrypted directory configuration for each origin type.
The path to a protected folder always starts with a forward slash (/).
The path to a protected folder is case-insensitive.
Encrypted HLS cannot be applied to the root folder.
It may take up to an hour before a new location is fully protected.
Wildcard characters (e.g., *) are not supported when setting up protected directories.
Only the on-demand content stored in the specified directory will be secured by encrypted HLS. Content that resides in a subfolder of that location must be secured separately.

The starting point for an encrypted directory's relative path is indicated below.

URL Type	Relative Path (Starting Point)
CDN URL	Specify a relative path that starts directly after the content access point (e.g., /040001 and /840001). Use the following information to interpret the following sample URLs: Gray Font: Indicates what should be excluded when securing a location. Blue Font: Indicates the relative path that should be defined to secure the requested on-demand content. Sample URL (CDN Storage): http://wpc.0001.{Base Domain}/040001/mybusiness/videos/fly.mp4 Sample URL (Customer Origin): http://wpc.0001.{Base Domain}/840001/mycustomerorigin/mybusiness/videos/fly.mp4
Edge CNAME URL (CDN Origin)	Specify a relative path that starts directly after the hostname. Sample URL: http://www.domain.com/mybusiness/videos/fly.mp4 In the above sample URL, the gray text indicates what should be excluded when securing a location. This sample request can be secured by any of the following configurations: /mybusiness /mybusiness/videos

URL Type

Relative Path (Starting Point)

CDN URL

Specify a relative path that starts directly after the content access point (e.g., /040001 and /840001).

Use the following information to interpret the following sample URLs:

Gray Font: Indicates what should be excluded when securing a location.
Blue Font: Indicates the relative path that should be defined to secure the requested on-demand content.

Sample URL (CDN Storage):

http://wpc.0001.{Base Domain}/040001/mybusiness/videos/fly.mp4

Sample URL (Customer Origin):

http://wpc.0001.{Base Domain}/840001/mycustomerorigin/mybusiness/videos/fly.mp4

Edge CNAME URL

(CDN Origin)

Specify a relative path that starts directly after the hostname.

Sample URL:

http://www.domain.com/mybusiness/videos/fly.mp4

In the above sample URL, the gray text indicates what should be excluded when securing a location. This sample request can be secured by any of the following configurations:

/mybusiness
/mybusiness/videos