Streaming technologies tend to differ in formats, but also within a format have variations with different characteristics. Security with HLS is one of those cases – the default model is fairly public and standardized, while additional security layers can often create confusion about the terminology.
From an Adobe Primetime perspective, here are the different security deployment models for HLS streaming content, ranked in reverse order of security.
- HLS without content protection.
- AES 128 encrypted HLS with clear key encryption and keyserver
- PHLS without a DRM server or keyserver
- HLS with Primetime DRM / Adobe Access DRM Server
The technical differences between the options are as follows.
HLS without content protection
Standard HLS based on the IETF specs without any form of content protection. This means content that reaches the client is unencrypted, and can be easily played locally and redistributed. This is often used for lower value content that is not meant to be protected, or sometimes for live content, only valuable in the moment of the event, with later redistribution/copying inherently less valuable. It does not require any sort of key server.
Target platforms: Unprotected HLS is supported on all platforms that have HLS support, though implementation quality can vary greatly.
AES 128 encrypted HLS with clear key encryption and keyserver
The content is encrypted with AES 128, and the manifest contains a link to a key that allows the decryption of the HLS content.
#EXT-X-KEY:METHOD=AES-128,URI="http://www.myserver.com/mykey.key"
This alone is not providing security, since once the key is obtained, the content can be easily decrypted and redistributed. There are few mechanisms in place that allow to protect the key, such as serving it over HTTPs, or different token authentication models. It secures the content against most standard users trying to get the content, but is not considered DRM level content protection.
Target platforms: Encrypted HLS is supported on most platforms that have HLS support, though implementation quality can vary greatly.
PHLS
PHLS, or protected HLS, is an Adobe Primetime content protection scheme that embeds the key in the the HLS manifest, and secures it robustly in a PHLS enabled client, such as Adobe Primetime Player SDK. It is the HLS equivalent to PHDS, which applies the same security mechanism to HDS, but available across mobile and digital home platforms as well. The security level of PHLS is equivalent to PHDS.
The PHLS enabled client can enforce DRM features, such as the ability to enforce output protection, policies, SWF or application whitelisting, and jailbreak detection, but PHLS cannot be considered a DRM solution due to the lack of a DRM server. Its design philosophy is to provide the ease of deployment of RTMPe in combination with increased security over AES 128 encrypted HLS with clear key protection.
Adobe Media Server and Adobe Primetime Streaming Server can package and encrypt PHLS content, both just-in-time or in advance.
Target platforms: Platforms that have Primetime Player support, which include Desktop (Flash), Android, iOS, Roku, Xbox 360, and more to come.
HLS with Primetime DRM / Adobe Access DRM Server
HLS with Primetime DRM is closely related to PHLS, but uses a Primetime / Adobe Access DRM server, which is a requirement to be a full DRM. Adobe offers this as on-premise deployment as well as cloud hosted solution.
Features that makes it an industry wide accepted DRM include.
- Application whitelisting to ensure that protected content only plays within approved applications from trusted packagers
- Domain management to bind content to a domain of devices all sharing a license under your business rules
- Device filtering so you can exclude certain devices from specific content based on screen type, OS, or hardware capabilities
- Key and license rotation you can set to a certain number of seconds or to end-of-program, as you prefer
- License chaining that supports a root license encrypted and bound to a certain device, with automatic updating of all related leaf licenses
- Selectable output controls to guard against consumer recording
More information in the Adobe Primetime DRM datasheet.
Adobe Media Server and Adobe Primetime Streaming Server can package and encrypt HLS with Primetime DRM content, both just-in-time or in advance.
Target platforms: Platforms that have Primetime Player support, which include Desktop (Flash), Android, iOS, Roku, Xbox 360, and more to come.
What is the right level of content protection for me?
If you don’t know if you require a DRM solution, you likely won’t. DRM is used for licensed content that requires legally DRM protection to be able to distribute it.
If you are looking for protected content that can be played on a variety of devices, AES 128 encrypted HLS with clear key encryption and key server provides the most cross platform compatibility.
The easiest to deploy content protection option is PHLS, since it does not require any key server, and provides a high level of security out of the box. It requires an Adobe Primetime enabled client.
Hi Jens, any chance you can provide some more details or an example about what you mean by “different token authentication models” in the section “AES 128 encrypted HLS with clear key encryption and keyserver”? I have some initial thoughts about what you’re referring to but it would be nice to know if what you’re thinking is in line with what I’m thinking. 🙂
It relates to the content in the token itself, which can be pretty much everything, and where the tokens are being attached to – segments, manifest files, keyserver. This is addition to HTTPs / cookie methods.
Cool, that is what I thought. Thanks for clarifying the statement!
I recommend Streaming Video Provider HLS Security Encryption they are launching now – this is something really strong in terms of protection ( I tested it myself as I am using their platform for my all my videos) :
http://www.streamingvideoprovider.com/video-protection-video-privacy.html