Secure streaming methods in the Wowza Streaming Engine

2018-08-03 14:21:00

The Wowza Streaming Engine media server not only streams live and VOD content to viewers, it can also protect streams from unauthorized viewing and interception. Since a viewer reaches the media content through a link to a resource controlled by Wowza Streaming Engine, simply copying that link should, at a minimum, not be enough for anyone to watch the stream. Wowza provides several ways to protect content.

The simplest content protection method available for Wowza Streaming Engine is the referer validation module. It is not part of Wowza Streaming Engine by default, but it can be downloaded free of charge and is easy to configure. The idea is to compare the domain in the HTTP Referer request header with a list of allowed domains registered on the Wowza side; if the check fails, the stream does not play in the player. The method is intended first of all for streams viewed on a web page, but in many cases it can also be used with mobile devices and set-top boxes. The requirement is that, before the player requests the stream, the HTML code of the page or the application makes an additional HTTP request to Wowza carrying the referer and the stream name. If the domain from the referer passes the check, Wowza remembers the IP address the request came from and allows the stream with that name to be viewed from that IP address, so the stream plays in the player. The permission is valid for a limited period of time. The method does not work well behind NAT, and the referer is easily forged, so the protection it gives is weak.
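The flow just described, as an added illustration that is not the code of Wowza's module: the extra pre-playback request is checked against a referer allowlist, and a passed check becomes a time-limited grant for one (client IP, stream name) pair that the playback request is then checked against. The allowlist, the grant lifetime, the stream names and the addresses are constructed for the example.

```python
# Added illustration of the referer-validation flow (not Wowza's module code).
# Allowlist, grant lifetime, stream names and IP addresses are constructed.
import time
from urllib.parse import urlsplit

ALLOWED_DOMAINS = {"player.example.com"}   # constructed allowlist of embedding sites
GRANT_TTL = 60                             # seconds a passed check stays valid (assumption)


def referer_host(headers):
    """Return the lowercase host from the Referer header, or None if absent/unparsable."""
    value = headers.get("Referer")
    if not value:
        return None
    host = urlsplit(value).hostname
    return host.lower() if host else None


def domain_allowed(host, allowed=ALLOWED_DOMAINS):
    """Exact match or subdomain of an allowlisted domain. A look-alike such as
    'player.example.com.evil.net' fails because the comparison is on whole labels."""
    if host is None:
        return False
    return any(host == d or host.endswith("." + d) for d in allowed)


class GrantTable:
    """Remembers (client IP, stream) pairs that passed the referer check, with expiry."""

    def __init__(self, ttl=GRANT_TTL, clock=time.time):
        self._grants = {}
        self.ttl = ttl
        self.clock = clock      # injectable so expiry can be exercised deterministically

    def validate(self, headers, client_ip, stream):
        """The additional HTTP request the page makes before playback: check the
        referer and, on success, permit `stream` from `client_ip` for `ttl` seconds."""
        if not domain_allowed(referer_host(headers)):
            return False
        self._grants[(client_ip, stream)] = self.clock() + self.ttl
        return True

    def may_play(self, client_ip, stream):
        """Called when the player actually requests the stream."""
        expires = self._grants.get((client_ip, stream))
        if expires is None:
            return False
        if self.clock() >= expires:
            del self._grants[(client_ip, stream)]   # grant has run out
            return False
        return True


if __name__ == "__main__":
    table = GrantTable()
    accepted = table.validate({"Referer": "https://player.example.com/watch"},
                              "198.51.100.7", "live/cam1")
    print("referer accepted:", accepted,
          "| may play:", table.may_play("198.51.100.7", "live/cam1"))
```

Two properties of the grant table show the weaknesses the paragraph mentions: the key is the source IP, so every device behind one NAT address is covered once any of them has passed the check, and the Referer value is supplied by the client, so the check raises the bar only against casual link copying.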

The next, more robust method is protection with a session key, the so-called SecureToken. It is part of the standard Wowza functionality, and the entire configuration on the Wowza side can be done through the Wowza Streaming Engine web-based management interface. The idea is to append a string of parameters (the token) to the request for the stream, and Wowza validates these parameters. The token is produced by a script on the web server (portal, middleware) and consists of a set of parameters plus a hash of the resulting string. The hash is computed with a security key that is configured both on the web server and in the Wowza settings, so forging a token that grants access to the stream with third-party tools becomes an extremely difficult task. The validity period of the token is also configurable. However, if the IP address of the requesting client is not included among the parameters over which the token is computed, the stream link can be copied together with the token and still works. Once the IP address is added to the token parameters, a copied link no longer works, but NAT addresses again cause some difficulties. There is no user authentication on the Wowza side as such; the logic deciding who may view which stream has to be implemented on the web server. SecureToken provides a basic level of protection against unauthorized viewing.
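The token scheme described above, as an added example that is not Wowza's implementation: the web server signs a set of URL parameters with the shared secret, and the media server recomputes the signature, checks the validity window and, when IP binding is enabled, the client address. The parameter names use the `wowzatoken` prefix that Wowza documents as its default; the hash construction itself is an HMAC-SHA256 chosen for this illustration, not Wowza's exact formula, and the secret, content path and addresses are constructed.

```python
# Added illustration of the SecureToken idea (not Wowza's own implementation).
# HMAC-SHA256 over the canonical parameter string is a stand-in for Wowza's hash;
# the secret, content paths and client addresses are constructed for the example.
import base64
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlencode

SHARED_SECRET = b"constructed-example-secret"   # configured on both the web server and Wowza
PREFIX = "wowzatoken"                           # default parameter prefix


def _signing_string(content_path, params, client_ip=None):
    """Canonical byte string: content path, optional client IP, then the
    parameters sorted by name so both sides build it identically."""
    parts = [content_path]
    if client_ip:
        parts.append(client_ip)
    parts.extend(f"{k}={v}" for k, v in sorted((k, str(v)) for k, v in params.items()))
    return "&".join(parts).encode()


def _sign(content_path, params, secret, client_ip=None):
    mac = hmac.new(secret, _signing_string(content_path, params, client_ip), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).decode().rstrip("=")   # URL-safe, no padding


def make_token(content_path, secret, ttl, now=None, client_ip=None):
    """Web-server side: build the query string that is appended to the stream URL."""
    now = int(time.time()) if now is None else int(now)
    params = {f"{PREFIX}starttime": now, f"{PREFIX}endtime": now + ttl}
    params[f"{PREFIX}hash"] = _sign(content_path, params, secret, client_ip)
    return urlencode(params)


def verify(content_path, query, secret, now=None, client_ip=None):
    """Media-server side: accept only an untampered, unexpired token for this
    content path (and for this client IP, if IP binding is in use)."""
    now = int(time.time()) if now is None else int(now)
    params = {k: v[0] for k, v in parse_qs(query).items()}
    presented = params.pop(f"{PREFIX}hash", None)
    if presented is None:
        return False
    try:
        start, end = int(params[f"{PREFIX}starttime"]), int(params[f"{PREFIX}endtime"])
    except (KeyError, ValueError):
        return False
    if not start <= now < end:            # outside the validity window
        return False
    expected = _sign(content_path, params, secret, client_ip)
    return hmac.compare_digest(expected, presented)   # constant-time comparison


def replace_param(query, name, value):
    """Rewrite one parameter of a query string; used to show that edits invalidate the hash."""
    params = {k: v[0] for k, v in parse_qs(query).items()}
    params[name] = str(value)
    return urlencode(params)


if __name__ == "__main__":
    q = make_token("live/cam1", SHARED_SECRET, ttl=300)
    print(f"https://wowza.example.net/live/cam1/playlist.m3u8?{q}")   # hypothetical host
    print("valid now:", verify("live/cam1", q, SHARED_SECRET))
```

The two failure modes the paragraph raises fall out of the same `verify` function: a token issued without `client_ip` validates from any address, which is exactly why a copied link keeps working, while a token issued with `client_ip` is rejected when presented from a different address, which also means clients whose address changes or is shared behind NAT need the policy decided on the web server.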

The most reliable way to protect content is a DRM system. It should be understood that DRM is not an integral part of Wowza and is not supplied as a separate module. Wowza Streaming Engine includes the Wowza DRM component, which lets Wowza work with third-party DRM systems, but Wowza DRM is not a self-contained system for checking and restricting user rights. Truly reliable protection can only be provided by systems in which the verification of access keys is built into the client device at the operating-system level, in the browser or in the player. There are several such systems on the market, but the most widespread, not surprisingly, are the solutions from the IT industry leaders: Google Widevine, Apple FairPlay and Microsoft PlayReady. These content protection systems are certified by the video studios, and using them is in practice a requirement for obtaining the rights to stream their content. Wowza DRM includes an API with which you can write your own module that works with these systems directly, but this is a rather complicated undertaking, both technically and organizationally. Moreover, relying on just one of these systems will not work: Widevine generally does not run on Apple devices, FairPlay is supported only on Apple devices, and Microsoft's PlayReady is used in Microsoft browsers. The way out is to use a DRM provider (multi-DRM) service that supports all of these systems within its own technical platform and offers the customer a single point of integration with them. Besides the API for developing your own integration, Wowza DRM includes ready-made components for working with DRM providers such as BuyDRM, EZDRM, castLabs DRMtoday and Verimatrix.

From a technical point of view, all DRM systems are organized in the same way. All traffic is encrypted with the AES algorithm, and the encryption keys are created, verified and periodically rotated by a key exchange server. That key exchange server is usually a cloud service of the DRM provider. The services of any DRM provider are, of course, paid, and not the cheapest. As an alternative, you can consider developing your own key exchange component and using it with Wowza DRM to protect content. The level of security will be lower, but in return you get a complete system for checking and restricting access rights to content that does not depend on third-party service providers. Traffic encryption is still carried out with the same AES algorithm.