Francesco Altomare
Hasenheide 9
10967 Berlin (Germany)
Mobile: +49 151 65623284

Blog

Streaming: Security #8

My arguably cleverer Reader,

Welcome back to the last Article of our Streaming Introductory Mini-Series: we set on a hard sail together 5 months ago only to find ourselves back to the Basics, over and over again. Because what is Streaming, my Dear Reader, without Security ?
Security is the Zeitgeist (more than ever nowadays) and Streaming Data is no less worth securing than other kinds of digital assets : Streaming Data is often times many a Publisher’s core source of revenue and as such, it needs to be secured and defended robustly against theft, hijack and compromission – amongst the whole rest.

No matter where you come from in the Streaming panorama, there’s money to be made and money to be spent; malicious individuals love it, also. On top of that, you are sometimes bound to Broadcast your shows according to strict geographical licensing and again – how about managing Digital Rights?

If any of this sounds remotely familiar, my Dear Reader, it’s our daily bread too; and if not, welcome to a very high level excursus on common Streaming methods of protection for your data.

This Article crowns – by design – this Streaming Mini-Series so that in future Articles we’ll be able to backlink you to this Streaming crash-course and
focus on more Advanced aspects of Streaming.

Streaming Security

Security in the context of Streaming has a slightly different connotation. Video Content Owners and Publishers have to protect themselves against illegal downloads. Streaming Technologies have been built around the premise that End Users can view videos without downloading them. This enables the use of monthly subscriptions or pay per view without compromising content. Piracy is a menace which has to be countered aggressively to protect revenue.
Access restrictions and content protection can be enforced with the use of certain tools. Streaming security can take several forms like encryption, URL tokenization, Geo-restriction and several other methods. We will discuss some of these as a general concept in this Article.

Digital Rights Management (DRM)

DRM essentially means protecting your content against dishonest use. DRM achieves this objective through various means like Encryption, Licensing Policies and Secure Delivery. Denial of redistribution by users also forms a part of Digital Rights Management. A robust DRM scheme – so to speak – should be able to operate or function when using Cloud based Delivery or CDN. There are many DRM Technologies which have been designed for various Streaming Solutions. Adobe Primetime DRM, Google Widevine and Microsoft PlayReady are some of the most welcomed DRM Solutions in the Market today.
Adobe Primetime DRM is used with Flash-based Players for delivering Premium Video. Adobe Primetime DRM can be used in conjunction with either streaming via Real Time Messaging Protocol (RTMP), Progressive Downloads, or downloads to a content library for local playback at the End User’s end.
Google Widevine widely used to stream Video to a variety of devices like Mobiles, Televisions and Set-Top Boxes. It provides a pretty versatile DRM Solution for delivering High Quality Video.
Microsoft PlayReady is a DRM Solution for Silverlight, Xbox, besides several other Platforms.
You can deploy multiple content protection schemes together, and of course the choice of your DRM scheme will almost entirely depend on your Player Technology as well as the delivering Platforms for your Premium Content.

Placing restrictions at the End User’s end

Another method (or approach altogether) to deter unauthorized viewing or downloading of your Secure Videos is to place restrictions at your beloved End User’s end. This can be achieved in several ways.

URL Tokenization

In this type of restricted access – we see mostly implemented into Streaming Businesses catering for On Demand Video Services in a Subscription fashion – , the End User is validated by adding or appending a Token to the URL his Client (Player) is about to attempt to stream from. This token is generated by the Player depending on various business rules like Access Levels, Geographic Markers, IP Validation etc. URL Tokenization takes into consideration only the source of video content and does not refer to the actual content: this means that if the URL to be tokenized is a HLS Manifest File (.m3u8) , .tses or actual chunks of content referenced within it won’t necessarily be secure. There are other methods to also protect the actual content, but we’ll cover it into more Advanced Articles.

Geo-Restriction of Content

It is a well-known fact that many locations around the world are known for piracy and related acts. Many Countries have lax local laws and therefore represent a hotbed of piracy. Therefore blocking access to users from these Countries is considered an effective way to minimize illegal download of Video. Same goes if you are a Broadcaster and earned the exclusive licensing of some big sporting event, only to certain countries! Complete shift of paradigm, but the need to white- or blacklisting Countries or portions of the Internet holds true.
Fortunately, End Users can be identified by their Public IP Address which in turn does indicate the Origin Country. By blocking specific IP Addresses you can restrict access to End Users from specific Countries. In fact you can get even more information from End Users like country, city, area code etc; a wealth of it! Another advantage of Geo Location is the delivery of custom Advertisements depending on specific location of the End User. How granular are you today in terms of Geo Localization Services for your Audience?
Most Geo IP Tools are really simple to design. You have to store a Database of IPs (a whole topic per se, many Broadcasters rely on Commercial ones) and compare it with the IP of the End User. By matching records within the Database with the received IP you can block any and all (if need be) Users from accessing your Content. You can deny access to your Content by blacklisting entire Countries and location IP Ranges slices. The down side of doing the job “butcher stile” is that you may lose out on genuine Customers;
risk of piracy is paramount though and can lead to incalculable loss. You must carefully vet your Database on a regular basis and revaluate your strategy from time to time. Some End Users may use Proxy Servers to mask their IP and this can prove to be a tough to counter, but of course it takes a higher than averagely malicious minded individual to hack a higher than averagely planned Security layer,
so if the game gets tougher, you have to go for higher caliber Security schemes.

Player Verification

There are many ways to ensure that your video content is protected from unauthorized use, and Player Verification is an all-time favorite of ours; it ensures – none the less – that the Player itself, the very one streaming the Content, is an authorized one.
Adobe uses protected Streaming. This technique has two components – Encryption and SWF Verification. There are two types of Encryption: RTMPS (which uses SSL) and RTMPE. RTMPE is the most popular way to protect content because it’s easy to implement. pRTMP, or protected RTMP, is one of the latest Technologies providing Streaming Video Security. You must remember that RTMPE protects the communication channel. In pRTMP it’s the content which is encrypted using Flash Access 3.0 DRM Content Protection. Your FMS (or Flash Media Server) encrypts the files and embeds the Flash Access License in the Metadata of the content.
For RTMPE SWF verification, the AMS or Adobe Media Server has a copy of the authorized SWF Clients. By comparing the client’s SWF, the AMS decides whether to give or deny access.
In RTMPE verification is done only when a connection is made, which sometimes leaks. Once a connection is established, there is no way to ascertain whether the content is passed on to others, which makes this method vulnerable to misuse. In pRTMP, each Stream’s own piece of content is verified because the license is embedded in the metadata. This provides inherent security to the Video Stream.

SSL Media Encryption

We’ve been talking about SSL into one of our other Articles and mentioned it throughout this Article on Streaming Security: the reason why is, SSL is inherent to Streaming as well as plain Static or Dynamic Delivery. End even more than that, for that is worth!
A SSL Certificate is a fairly well known and widely used Data Security Feature for Websites. SSL (Secure Sockets Layer) establishes a secure connection between a Server and Client using standard Encryption Technology. There are two types of Encryption used in SSL – Asymmetric and Symmetric. To refresh some high level concepts, in Asymmetric Encryption two different Keys are used – one for Encryption called the Public Key and another for Decryption called the Private Key. The Private Key is secret and is known only to the receiver; in Symmetric Encryption, instead, the Encryption and Decryption Keys are the same.
Asymmetric and Symmetric encryption have their own advantages and disadvantages, which we very partly dealt with into our Article on SSL Certificates and will dive into again, as we’ll produce more advanced Articles on Security.
SSL Certificates are issued by a CA or Certificate Authority. Both Asymmetric and Symmetric Keys are used in a SSL Certificate. The Server’s SSL Certificate contains an Asymmetric Public and Private Key. The session Key which is used for communication between Server and the Browser is symmetric.

Conclusion

Security of Video Streaming or Video Content Delivery is of paramount importance mainly because of unauthorized viewing of content and distribution through illegal channels or piracy. Several techniques are available, both simple and complex – as the skills of your potential offender, depending on which one you ended up with. The choice of technology depends on the cost of Implementation and the Value of your Content – priceless, we know, but worth re-estimating when talking ROI in a meeting for adoption of Security Services. We’re happy to be your own Consultant and to ensure that there will be further Articles on Streaming, starting from the end of this Introductory Mini-Series where we’ve brought you by the hand through the Streaming Delivery Basics.
Most importantly of all, thank you for following us throughout it.

Share your story with us, or consult us if you found this Article relevant to your Business or daily Operations.

  • Linked In
  • Google

Tags: , , , , ,

Leave a Reply

Your email address will not be published. Required fields are marked *