Secure Streaming Using SWF Verification

Akamai Secure Streaming

Viocorp recommends the use of Akamai secure streaming. Secure streaming protects content from being shared with, or viewed by, users who are not authorised to view it.

Secure streaming works on a process of authentication and encryption.

The workflow for secure streaming is as follows:

  1. User requests a page with a link or metafile to streaming content.
  2. User's player sends a media request to Viostream.
  3. Viostream processes the request and responds with a media URL.
  4. User's player uses the media URL to request a stream from Akamai.
  5. User's player sends a unique player hash to the streaming server.
  6. Content delivery network server checks if the information encoded in the token matches the end-user and the configuration information stored on the Akamai network.
  7. The media is served and the content plays on the User's player if the token is valid; otherwise, an error is returned.

Figure 1: Secure streaming process flow

Figure 2 illustrates the secure streaming process overlaid on a pseudo-representation of the connections between the SWF Flash player, client, Akamai server and Viostream sub-account configuration. The numbers in the figure correspond to the steps in the secure streaming process flow outlined above.

Figure 2: Example of the secure streaming process

RTMPE Encryption

To protect the transport of streaming video data from a Flash Media Server to the Flash player, RTMPE encryption is enforced as the delivery protocol for SWF verification. Adding the letter “e” instructs Flash Media Server to add real-time encryption to the data stream. RTMPE encrypts the data while it is transported. No key is required to decrypt the data.

Flash Media Server encrypts all content at runtime, which means that the user does not need to encrypt the source file. RTMPE uses industry-standard cryptographic primitives: the Diffie-Hellman key exchange and HMAC-SHA256. While data is transported, RTMPE generates a pair of RC4 keys. One key encrypts data sent by the server and the other encrypts data sent to the server.

RTMPE prevents third-party applications from listening to the data transfer between the client and the server.

SWF Verification

SWF verification in Flash Media Server is a security feature that allows a Content Owner to directly control which SWF files can be used by a viewer to access videos.

To enable SWF verification, Viocorp uploads the SWF player to Akamai’s NetStorage. Akamai’s Flash Media Servers generate information derived from the SWF file stored on NetStorage (a hash of the file and its size) and distribute the hash to the Akamai Content Delivery Network.

Once confirmation has been received that the hash has been distributed, a secure embed player can be implemented.
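The check below is an added example, not Viocorp or Akamai code: before a secure embed goes live, it confirms that the locally hosted SWF player is the same file that was uploaded to NetStorage by comparing a hash and a size, the two values described above. SHA-256, the normalisation of zlib-compressed (CWS) players to their uncompressed form, and the names swf_fingerprint, same_player and make_sample_swf are assumptions; the page does not state which hash Akamai computes.

```python
import hashlib
import hmac
import struct
import zlib


def swf_fingerprint(data: bytes) -> tuple:
    """Return (sha256_hex, size) of the SWF in its uncompressed form."""
    if len(data) < 8:
        raise ValueError("too short to be a SWF file")
    signature = data[:3]
    declared = struct.unpack("<I", data[4:8])[0]  # uncompressed length field
    if signature == b"FWS":      # stored uncompressed
        body = data
    elif signature == b"CWS":    # zlib-compressed after the 8-byte header
        body = b"FWS" + data[3:8] + zlib.decompress(data[8:])
    else:
        raise ValueError(f"unsupported SWF signature {signature!r}")
    if declared != len(body):
        raise ValueError("header length does not match actual size")
    return hashlib.sha256(body).hexdigest(), len(body)


def same_player(local: bytes, uploaded: bytes) -> bool:
    """True only if both copies have the same hash and the same size."""
    local_hash, local_size = swf_fingerprint(local)
    up_hash, up_size = swf_fingerprint(uploaded)
    return local_size == up_size and hmac.compare_digest(local_hash, up_hash)


def make_sample_swf(payload: bytes, compressed: bool) -> bytes:
    """Constructed SWF-shaped sample (header plus opaque body) for the demo."""
    header_tail = bytes([10]) + struct.pack("<I", 8 + len(payload))
    if compressed:
        return b"CWS" + header_tail + zlib.compress(payload)
    return b"FWS" + header_tail + payload


if __name__ == "__main__":
    uploaded = make_sample_swf(b"player-build-1" * 16, compressed=True)
    local_ok = make_sample_swf(b"player-build-1" * 16, compressed=False)
    local_stale = make_sample_swf(b"player-build-2" * 16, compressed=False)
    print("matching copy :", same_player(local_ok, uploaded))
    print("stale copy    :", same_player(local_stale, uploaded))
```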

The steps outlined below are followed in the course of SWF verification:

Viostream Sub-Account

When the media asset is embedded into an HTML page, a variable is set within the Enhanced Media Player to refer to a locally hosted SWF player.