How to add Media Encryption

This functionality encrypts individual media segments, before delivering them to a requesting client.

Information regarding the key used to decrypt content is included in the manifest file associated with the target media, and when the client processes the manifest, it requests this key. A Key Server or License Server provides the decryption key if the user is authenticated and authorized to play the content. Finally, the client uses the decryption key to decrypt and play the media segments.

In Segmented Media Protection (SMP), this is implemented via Session Level Encryption. The stream is encrypted per each user playback session, based on the stream, user, and time or date. An individual session is every new request for a stream, and is usually categorized by a request for the stream manifest. In this case, the decryption key is created per session—it is allocated dynamically when a new session is initiated. Each new session is independently encrypted with unique keys, and each separate user needs to access a separate key to decrypt the content.

What format of video is supported?

Media Encryption is supported for Apple HTTP Live Streaming (HLS) streams, for Segmented Media Delivery Modes of On Demand, or Live, using Akamai Media Services Live.

Where does Media Encryption fit into the content protection spectrum?

There are multiple levels of access and protection.

  • No protection: Open Access. Anyone can access your content
  • Level 1: Token Auth. This looks to prevent access to only those with valid access permissions by comparing a token included in the request with one associated with your content. For added protection we recommend that you combine Token Authentication along with Media Encryption, via the Segmented Media Protection behavior.
  • Level 2: Geo Protection. This looks to allow access to requesting clients in geographic regions or IP addresses/CIDR blocks you mark as good, or block access to clients in regions or IP addresses/CIDR blocks you mark as bad. You can add it to your property via the Content - Targeting Protection behavior.
  • Level 3: HTTPS Protection. Configure your AMD property to access and send content via secure delivery.
  • Level 4: Media Encryption.
  • Most protection: DRM Encryption. This prevents access to only those clients that have been authorized to have a DRM license for the playback environment or content, including additional rights management rules.

We attempt to improve the default 'Media Encryption' use case, which is typically one key for each piece of content, by making the content decryption keys session specific. For example, "User1" and "User2" accessing the same content have different decryption keys.

The Media Encryption workflow

Below is a basic outline of the Media Encryption process, once you've enabled it in your AMD property, and associated content is requested by a client.

  1. The client requests the Master Playlist. When the player first targets media, a request is made for the “Master Playlist” and the session key is created. Information about the session key is then appended as a variable value in the query string of all Media Playlist URIs, and this information is sent in a response to the client.
  2. The client requests the Media Playlist. The Media Playlist URI(s) are contacted and the session key is checked and verified. The following are then appended as variable values in the query string for each Segment URI in the Media Playlist:
    • Information about the session key.
    • The media sequence number. This is extracted and calculated for each media segment, and could be used as an initialization vector during encryption.
    • The HLS playlist version.

    The AMD Media Encryption service appends the “EXT-X-KEY” tag to the top of the Media Playlist, and populates it with all of the required attributes (URI, Encryption Mode, and Initialization Vector (IV)). The session key is included as a query string in the Key URL, which is then sent in a response to the client.

  3. The client requests the Key File. The Key URL is contacted and the session key checked and verified again. If verified, the key is sent to the client. If it is not verified or the key is missing, the request is denied (in a response to the client).
  4. The client requests the Segment File. The session key is extracted from the Segment URL and verified. The Media Segment is encrypted during delivery and then delivered to the client where it is decrypted using the same session key that was retrieved earlier.