Media security

更新时间:
复制 MD 格式

ApsaraVideo VOD provides multiple content protection mechanisms, including access control, URL signing, remote authentication, video encryption, and secure download, to address security requirements across different business scenarios.

Introduction

Content protection mechanisms guard against hotlinking, unauthorized downloads, and illegal distribution of video content. These mechanisms are especially critical in sectors where online copyright is a major concern, such as premium TV shows, online education, finance, and corporate training.

ApsaraVideo VOD provides the following security mechanisms:

Security mechanism

Method

Features

Security level

Complexity

Access control

Referer blacklist/whitelist

Tracks request origins via HTTP Referer headers, which are easily forged.

Low

Low. Requires only configuration on the console.

User-Agent blacklist/whitelist

Tracks request origins via HTTP User-Agent headers, which are easily forged.

Low

Low. Requires only configuration on the console.

IP address blacklist/whitelist

Blocks or allows access from specific IP addresses. Not suitable for distributing content to a large number of end users.

Relatively low

Low. Requires only configuration on the console.

URL signing

URL signing

Generates dynamic, signed URLs with configurable expiration times to control access to your resources.

Medium

Relatively low. Obtain dynamic URLs through an API or generate them from a signing key.

Remote authentication

Forwards user requests to your custom authentication center for verification.

Lets you include custom business information in requests and use your own authentication center for more precise validation.

Relatively high

Relatively high. Requires deploying and maintaining a highly available authentication center.

Video encryption

Alibaba Cloud proprietary cryptography

A cloud-to-device video encryption solution that uses a proprietary algorithm and secure transmission to protect video content.

High

Relatively low. Requires simple configuration and integration with the ApsaraVideo Player SDK.

HLS encryption

Uses the standard AES-128 HLS encryption scheme. Compatible with all HLS players, but the key is vulnerable to theft.

Relatively high

High. Requires building your own key management and token issuance services, and ensuring secure transmission.

Commercial DRM

Natively supports Apple FairPlay and Google Widevine. Provides a high level of security that meets the requirements of major content rights holders.

High

Very high. Requires in-depth knowledge of Widevine and FairPlay, custom client-side logic, and integration with the ApsaraVideo Player SDK. Billed per license request.

Secure download (caching)

Re-encrypts downloaded video files with a private key for offline decrypted playback.

Multiple mechanisms ensure that only a designated app can decrypt and play videos offline. Each video file uses a unique private key and is stored encrypted to prevent theft.

High

Relatively low. Requires simple configuration and integration with the ApsaraVideo Player SDK.

Digital watermark

Digital watermark

Embeds imperceptible watermark information into the video that can be extracted later. Due to its unobtrusive nature and high reliability, a digital watermark is primarily used for copyright verification and leak tracing.

Medium

Low. Requires only configuration on the console.

Access control

Introduction: Configure access policies for your video resources in the cloud to provide a basic layer of protection.

Common methods include:

  • Referer-based access control

    Uses the HTTP Referer header to track request origins. You can configure a Referer blacklist to block specific referers or a whitelist to allow only approved referers.

  • User-Agent-based access control

    Uses the HTTP User-Agent header to track request origins. You can configure a User-Agent blacklist to block specific user agents or a whitelist to allow only approved user agents.

  • IP-based access control

    You can block or allow requests based on the client's IP address, identified by the x-forwarded-for header or the direct connection IP address. You can configure an IP address blacklist or whitelist by using a list of IP addresses or CIDR blocks.

For more information, see blacklist/whitelist.

URL signing

Background: Static, unchanging playback URLs leave your video content vulnerable to persistent, uncontrolled distribution.

Introduction: URL signing protects video resources by generating dynamic, signed URLs. These URLs contain authentication information and an expiration time to distinguish legitimate requests from unauthorized ones.

After enabling URL signing:

  • The URLs for all media resources, such as videos, audio, thumbnails, and snapshots, must be signed.

  • The ApsaraVideo Player SDK and the APIs/SDKs for retrieving playback addresses automatically generate signed URLs with an expiration time. If you need to generate signed URLs manually, see the Authentication method section in URL signing.

For more information, see URL signing.

Remote authentication

Background: URL signing alone cannot identify certain types of unauthorized requests, such as sophisticated hotlinking. Remote authentication enhances security by incorporating your business logic into the verification process for more precise control.

Introduction: With remote authentication, the ApsaraVideo VOD CDN forwards user requests to your custom authentication center. Your service determines whether each request is legitimate, and the CDN grants or denies access based on your center's response.

  • Remote authentication requires you to develop and deploy your own authentication center. If the domain of your authentication center is also accelerated by a CDN, authentication results can be cached to reduce the load on your server.

Note

If your authentication center is also accelerated by a CDN, remote authentication requests first pass through the CDN before reaching your server. The CDN caches the response from your authentication center, which reduces subsequent requests to your server.

  • By default, the ApsaraVideo VOD CDN passes the headers and request_uri from the user's request to your authentication center and acts on the result.

  • You can embed user information, such as a login cookie or UUID, into the playback request. This information is forwarded to your authentication center for user-level authorization.

For more information, see remote authentication.

Note

Remote authentication requires significant implementation effort because you must develop and deploy an authentication center. To enable and configure this feature, submit an application or contact your Alibaba Cloud account manager.

Video encryption

Background: Hotlink protection helps ensure authorized access but is insufficient for protecting video copyrights in paid-content scenarios. A user can make a single payment, obtain a valid playback URL, download the video, and redistribute it. Leaked video files can cause significant financial losses for paid content models.

Introduction: Video encryption protects content by encrypting the video data itself. Even if a video file is downloaded, it remains encrypted and cannot be played, which effectively prevents unauthorized redistribution and hotlinking.

  • Alibaba Cloud proprietary cryptography

    Alibaba Cloud proprietary cryptography uses a proprietary algorithm and a secure transmission mechanism to deliver a cloud-to-device video security solution. Its core components are encrypted transcoding and decrypted playback.

    Key advantages:

    • Each media file is encrypted with a unique key, preventing a single compromised key from exposing a large number of assets.

    • Uses envelope encryption with a ciphertext key and a plaintext key. Only the ciphertext key is stored. The plaintext key exists only in memory and is destroyed after use.

    • Secure player SDKs are available for multiple platforms, including iOS, Android, HTML5, and Flash. These SDKs automatically handle decryption and playback of encrypted content.

    • A proprietary protocol secures communication between the player and the cloud. Plaintext keys are never transmitted, which prevents interception.

    • Supports secure download. Locally cached videos are re-encrypted, allowing offline playback while preventing copying or theft.

    Important

    The following limitations apply to Alibaba Cloud proprietary cryptography:

    • Only the HLS format is supported.

    • Playback is supported only by ApsaraVideo Player.

    • Web: Proprietary cryptography is natively supported only on iOS 17.1 and later, and is fully supported on macOS and Windows. HLS encryption is compatible with all browsers on all platforms.

    For more information, see Alibaba Cloud proprietary cryptography.

  • HLS encryption

    HLS encryption follows the standard encryption scheme defined in HTTP Live Streaming. It uses AES-128 to encrypt video content and is compatible with any HLS-compliant player, so you can use a self-developed or open-source player. Compared to Alibaba Cloud proprietary cryptography, HLS encryption offers greater flexibility but requires more implementation effort and provides a lower level of security.

    • You must build and manage your own key management service to generate encryption keys for transcoding and provide decryption keys for playback. You can build this service by using Alibaba Cloud KMS.

    • You must provide a token issuance service to verify the identity of playback clients and prevent unauthorized access to decryption keys.

    • The plaintext key is transmitted between the player and the cloud, which makes it vulnerable to interception.

    For more information, see HLS encryption.

  • Commercial DRM

    Premium video content from providers such as major Hollywood studios often must meet strict security requirements from content rights holders. Alibaba Cloud provides a cloud-based DRM solution that supports FairPlay and Widevine encryption, delivering an all-in-one service for video encryption, license delivery, and playback.

    For more information, see DRM.

Note

Each video encryption solution involves trade-offs. Generally, solutions that are more standard and universal offer greater flexibility but lower security. Choose the solution that best fits your business requirements.

Feature comparison:

  • Security level: Commercial DRM > Alibaba Cloud proprietary cryptography > HLS encryption.

    The security of Alibaba Cloud proprietary cryptography is comparable to commercial DRM. Both are significantly more secure than HLS encryption.

  • Ease of use: Alibaba Cloud proprietary cryptography > HLS encryption > commercial DRM.

    • Alibaba Cloud proprietary cryptography is a cloud-to-device solution that lets you integrate encryption capabilities through simple configuration and ApsaraVideo Player SDK integration.

    • HLS encryption requires you to build your own key management and token issuance services.

    • Commercial DRM requires purchasing licenses, integrating specific SDKs, and developing custom client-side business logic.

  • Compatibility: HLS encryption > commercial DRM > Alibaba Cloud proprietary cryptography.

    • HLS encryption is compatible with all HLS playback scenarios.

    • Commercial DRM is supported only on authorized platforms, such as Chrome, Safari, IE, and Edge browsers, and on Android and iOS devices.

    • Alibaba Cloud proprietary cryptography is supported only by ApsaraVideo Player SDKs (Android, iOS, HTML5, and Flash).

  • Cost: Alibaba Cloud proprietary cryptography = HLS encryption << commercial DRM.

    Alibaba Cloud proprietary cryptography and HLS encryption are free of charge. Commercial DRM requires additional license fees.

Secure download (caching)

Background: Video applications, especially on mobile platforms like Android and iOS, often need to let users cache or download videos for offline viewing. This content must be protected from unauthorized copying, playback, or distribution. The secure download feature in ApsaraVideo Player SDK protects video content downloaded to local devices.

Introduction: Secure download adds a second layer of encryption to video files using a private key. The downloaded video is decrypted within the ApsaraVideo Player SDK, ensuring that offline videos can be played only by the designated application, identified by its bundle ID or keystore.

Key advantages:

  • After download, the video can be decrypted and played offline without an internet connection, exclusively by the authorized application.

  • The private key file is encrypted to prevent theft.

  • Each video file has a unique private key per application. If a single key is compromised, other videos are not affected.

Before using this feature, enable secure download on the ApsaraVideo VOD console. For more information, see Configure offline download.

Note

The ApsaraVideo Player SDK for Web does not support the download feature and therefore does not support secure download. All other ApsaraVideo Player SDKs support secure download.

Digital watermark

Background: Existing content security mechanisms cannot completely prevent hotlinking, illegal downloads, or unauthorized distribution of video content. To enhance video security, you can either strengthen the security of the video itself to make it harder to crack and misuse, or focus on accountability after a leak occurs. Tracing the source of a leak lets you block it and take legal action, which deters unauthorized activity.

Introduction: A digital watermark embeds imperceptible information into the video content. This information is specially encoded and difficult to tamper with, making digital watermarks both visually unobtrusive and highly reliable. ApsaraVideo VOD offers two types of digital watermark: copyright watermark and traceability watermark, widely used for copyright protection and leak tracing.

For more information, see Digital watermark.