The video experts blog
HLS Encryption: How to Encrypt Video Streams in AES-128 [2022 Update]
As piracy and hacking continue to increase yearly, broadcasters should be concerned with securing their video content. The U.S. Chamber of Commerce estimated $29.2 billion of lost revenue from piracy. That lost revenue isn’t just from feature films and television, but also from online content.
Data breaches, unauthorized video sharing, and hacks can be a substantial cost for many companies. That’s why protecting video content and securely delivering streams to users should be a broadcasting best practice.
First, we’ll cover what video encryption is and why it matters. Then we’ll dive into the HLS streaming protocol and how AES-128 encryption works. Finally, we’ll look at the key features necessary for a secure cloud video platform.
Table of Contents:
- What is Video Encryption?
- Why Does Protecting Video Content Matter?
- The HLS Protocol
- HLS Encryption Explained
- 4 Key Features of Secure Video Clouds
- Dacast Video Platform
What is Video Encryption?
Encryption is a method for masking data so that only authorized users can decrypt and access a file. It’s a part of cryptography, which is a field of study devoted to the secure communication of information or data.
Over the years, many encryption algorithms have been developed with varying levels of security. Most algorithms, however, scramble the data into ciphertext and require the receiving party to use a key to reassemble the data into plaintext.
Can You Encrypt Video?
While it’s straightforward to understand the encryption of text documents, how exactly does video stream encryption work?
Video encryption allows broadcasters to scramble video content using a secure algorithm and transmit the data to viewers. Authorized viewers can then decode the video and watch it. Those are the basics of how encrypted video streaming works.
Many broadcasters encrypt both on-demand and live streaming videos to prevent unauthorized third parties from accessing the content as it is transmitted. This prevents someone from interrupting a live stream in progress or taking the live stream and showing it on an unauthorized platform.
As broadcasters can make money from both on-demand and live streaming content, encrypted streaming is the best way to protect one’s revenue stream.
Why Does Protecting Video Content Matter?
Broadcasters usually have one or more reasons for protecting videos, from keeping sensitive information safe to implementing digital rights management or ensuring proper content monetization:
- Sensitive Information: Many organizations use video streams for internal meetings and events that shouldn’t be available to the public. The company could risk violating industry regulations or leaking information to competitors if these videos aren’t protected.
- Digital Rights Management: Video stream encryption is a critical aspect of digital rights management (DRM), which broadcasters require for various reasons. For example, geographical regions—such as the People’s Republic of China (PRC)—may have specific regulations or censorship limiting who can view certain types of content.
- Monetization: Brands may have video streams at various price points that need access controls as well, such as charging more for high-definition videos or ad-free content. The ability to safely accept payment from viewers and ensure video content isn’t pirated are both crucial for monetization.
Encrypted streaming helps protect sensitive information, monetization potential, and digital rights management for broadcasters. It allows you to retain control over your content.
The HLS Streaming Protocol
Video streaming requires sending enormous amounts of data to viewers. Raw video files are too large, so broadcasters must encode videos into a compressed format using a codec like H.264 advanced video coding to reduce the file size.
A video stream also requires choosing a container format, which encompasses the necessary video, audio, and metadata. Most broadcasters choose the MP4 format because it’s compatible with many devices.
Finally, broadcasters must choose a self-hosted video delivery method or private hosting. Two of the most common are the HLS streaming protocol and RTMP. These are standardized methods for transmitting video and audio data over the Internet as a continuous stream rather than a single file download. That is why HLS encryption is the most common method of encrypting streaming videos.
What is HLS Streaming?
HTTP Live Streaming (HLS) is a protocol that splits video streams into chunks that are transferred and reassembled within the user’s video player. In most cases, the video player is an HTML5 or Video.js player that offers playback natively in the user’s web browser.
Pure HTML5 playback without a streaming protocol requires downloading the entire video file during initiation. That’s why it’s crucial to break down videos into smaller files so that playback can start faster and there’s less wasted data.
In contrast to RTMP, the HLS protocol leverages HTTP to transfer video content in chunks to viewers. That means broadcasters can use a standard server or video content delivery network (CDN) to store and deliver video content. With HLS streaming, broadcasters can scale their streams to reach a much larger audience without compromising on quality.
Most broadcasters use HLS streaming because it’s the protocol supported by HTML5 players. These video players—built into web browsers—have become the default playback method rather than Flash. HLS streams are supported by nearly every device, from tablets to laptops and smart TVs.
What is Adaptive Bitrate Streaming?
Moreover, HLS is an adaptive bitrate streaming (ABR) protocol. That means broadcasters offer multiple variants of a particular stream at different bitrates or levels of quality.
These separate streams are split into 2 to 10-second segments and indexed in a manifest file. Then an adaptive video player can use the manifest file to choose the optimum video segment based on network conditions and the user’s device.
ABR streaming is crucial for broadcasters who want to offer their viewers the best viewing experience possible.
HLS Encryption Explained
While there are many encryption algorithms, the most common method for HLS is AES-128. The Advanced Encryption Standard (AES) is a block cipher that encrypts data in 128-bit blocks; the 128 in AES-128 refers to the length of the key in bits. Here are the basics of how AES-128 works.
How Does AES 128 Encryption Work?
The first block of plaintext is combined (XORed) with an initialization vector (IV), a 16-byte random value, before it is encrypted. Each subsequent block is combined with the ciphertext of the preceding block before it is encrypted, a method known as cipher block chaining (CBC).
As AES is a symmetric key algorithm, there needs to be a secret key that’s used for both encryption and decryption. That means the broadcaster encrypts the video using the key and the viewer’s browser decrypts it using the same key.
AES has widespread adoption because it’s straightforward to implement and safe enough for general use. The U.S. Government even uses the algorithm for encrypting sensitive data, and most digital rights management (DRM) systems use it to protect media. HLS AES-128 encryption is easy to implement and, therefore, commonly used.
HLS Encryption Methods
While HLS supports AES-128 encryption, there are two different ways to implement the standard in practice.
Broadcasters can use one key to encrypt the entire video stream, but that also means the whole stream is unprotected if an unauthorized third party intercepts the secret key.
Alternatively, each stream segment can be encrypted with a different key. That way, only a few seconds of video can be accessed without a specific key. Broadcasters might choose this method if the video content they’re sharing is highly sensitive.
4 Key Features of Secure Video Clouds
Many companies use a secure video platform to host their video content and share it with their intended audience. Here are four security features to look for in a private video hosting platform.
1. AES Encryption
Regarding AES video encryption, there is often a debate over which key length to use for AES: 128-bit or 256-bit. A longer key is generally harder to compromise with a brute force attack, but a simple calculation shows that even a 128-bit key would take far too long to crack.
That’s why the ability to protect the secret key from unwanted third parties is far more critical than the key size. The videos should be safe from brute force attacks as long as the cloud platform uses at least AES-128 encryption.
Larger key sizes also require more computing power, but most modern devices can handle decrypting AES-256 without performance issues. Be sure to consider your target audience and the quality of devices they’ll use for streaming before choosing an encryption algorithm for your content.
2. Manifest File
The HLS manifest file, or M3U8 playlist, is necessary for video players to select and retrieve the right video segments for ABR streaming. In addition, the M3U8 manifest file tells the player where to get the secret encryption key for each video segment.
If an overall AES key is used, it will appear in the manifest file as a link in the URI attribute of the EXT-X-KEY tag. This file should be served over HTTPS and require authentication to minimize the risk of this key being exposed to eavesdroppers.
Many streaming platforms rotate these AES keys at regular intervals, so there’s a lower chance of getting compromised during streams. The more frequently keys are rotated or refreshed, the more secure the video content will be.
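The key handling described in this section and under HLS Encryption Methods can be checked directly from a playlist. The following Python code is an added example, not Dacast's code: it walks a media playlist, records which key link and IV apply to each segment, and flags key links that are not HTTPS and segments left unencrypted. The playlist, the example.com hostnames and the audit_playlist name are constructed for illustration.

```python
import re
from urllib.parse import urljoin, urlparse

# Constructed sample media playlist (not from a real service): the key is
# rotated after two segments, and the second key URI uses plain HTTP.
SAMPLE_PLAYLIST = """#EXTM3U
#EXT-X-TARGETDURATION:6
#EXT-X-MEDIA-SEQUENCE:100
#EXT-X-KEY:METHOD=AES-128,URI="https://keys.example.com/k1",IV=0x000102030405060708090a0b0c0d0e0f
#EXTINF:6.0,
seg100.ts
#EXTINF:6.0,
seg101.ts
#EXT-X-KEY:METHOD=AES-128,URI="http://keys.example.com/k2"
#EXTINF:6.0,
seg102.ts
#EXT-X-KEY:METHOD=NONE
#EXTINF:6.0,
seg103.ts
"""

ATTR_RE = re.compile(r'([A-Z0-9-]+)=("[^"]*"|[^,]*)')


def audit_playlist(playlist, base_url):
    """Return (segments, findings): the key URI and IV that apply to each
    segment, plus warnings for cleartext segments and non-HTTPS key URIs."""
    seq, key, segments, findings = 0, None, [], []
    for line in (raw.strip() for raw in playlist.splitlines()):
        if line.startswith("#EXT-X-MEDIA-SEQUENCE:"):
            seq = int(line.split(":", 1)[1])
        elif line.startswith("#EXT-X-KEY:"):
            # Attribute list -> dict, with surrounding quotes removed.
            key = {k: v.strip('"') for k, v in ATTR_RE.findall(line.split(":", 1)[1])}
            if key.get("METHOD") == "NONE":
                key = None  # following segments are sent unencrypted
            elif "URI" in key:
                key["URI"] = urljoin(base_url, key["URI"])
                if urlparse(key["URI"]).scheme != "https":
                    findings.append(f"key URI not HTTPS: {key['URI']}")
        elif line and not line.startswith("#"):
            if key is None:
                findings.append(f"segment {seq} ({line}) is not encrypted")
                segments.append((seq, line, None, None))
            else:
                # No IV attribute: the IV is the media sequence number as a
                # 128-bit big-endian integer (RFC 8216).
                iv = (bytes.fromhex(key["IV"][2:]) if "IV" in key
                      else seq.to_bytes(16, "big"))
                segments.append((seq, line, key.get("URI"), iv))
            seq += 1
    return segments, findings
```

Calling audit_playlist(SAMPLE_PLAYLIST, "https://cdn.example.com/v/") returns one tuple per segment and two findings: the plain-HTTP key link and the unencrypted final segment.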
3. HTTPS Delivery
HTTPS is a way of transferring data using HTTP (Hypertext Transfer Protocol) that’s secured using Secure Sockets Layer (SSL). SSL was later renamed to Transport Layer Security (TLS), but the end goal is the same: to prevent hackers from intercepting data in transit.
With HTTPS, a server is secured using an SSL certificate that’s issued by a certificate authority (CA). When users connect to a server with a valid certificate, data transferred between the two parties will automatically be encrypted.
When using AES encryption with HLS streaming, it’s crucial to exchange the secret keys over HTTPS. That way, broadcasters can prevent man-in-the-middle attacks, where hackers intercept sensitive data, such as AES keys, while it is exchanged between two parties.
4. Password Protection
While many broadcasters focus on encryption, password-protected video streaming is just as important. The most common way to protect video content is by using passwords to restrict who has access to a particular piece of content. Password protection is a simple and powerful way to limit video viewership to internal employees, specific clients, or other smaller audiences.
That said, it’s a good idea to generate a secure password, change it out periodically, and follow other best practices for password protection. Otherwise, the password can get leaked online, and unwanted viewers could gain access to the content.
Dacast’s Secure Video Platform
Dacast is a secure video streaming solution that supports HLS encryption for video on demand (VOD) content. That means broadcasters can deliver video content to their audience with AES-128 encryption taking place behind the scenes.
Moreover, Dacast relies on HTTPS to deliver video streams to viewers to prevent man-in-the-middle attacks and keep their financial information safe. This is critical for broadcasters that want to monetize their videos using the platform’s secure paywall capabilities.
Beyond HLS encryption and HTTPS, Dacast encourages broadcasters to utilize password protection for hosting their video content. Within the Dacast platform, adding passwords to live streams, VOD content, or entire playlists is straightforward.
Along with securing and protecting the video streams themselves, Dacast allows broadcasters to set geographic and referrer restrictions. Geographic restrictions can help prevent piracy by blacklisting certain countries where malicious actors often operate.
Similarly, referrer restrictions allow broadcasters to block well-known piracy sites or competitors from resharing video content. An HTTP referrer is metadata that identifies a website that has linked to a particular video.
Finally, Dacast offers a secure video upload feature for adding video content to the secure video hosting platform. That way, users can easily upload files in bulk or migrate an entire collection of video content, keeping videos safe during the upload process.
Here are more details on the many features of the Dacast platform and our commitment to video security.
If you’re looking for advanced security, monetization, and distribution tools, Dacast is a great choice.
- Content control and advanced security options
- RTMP Encoder for ingesting HLS streaming
- Low latency HTML5 channels for video streaming
- Reliable delivery via top-tier CDNs
- Adaptive multi-bitrate streaming
- Video API access on premium plans (scale and event)
- Player API access for easy integration and custom app creation
- Multiple video monetization options to customize
- White-label customization capabilities
- Real-time analytics
- AES-128 video encryption with all plans
- Multi-user access on Scale and Custom plans
- Expo video gallery to display your live streams in an immersive video showcase
- Zoom live streaming integration for meetings and live events in real-time
- DRM for VOD
- Browser-based streaming
- China live streaming
Many features make Dacast stand out from the competition.
Mobile Live Streaming
If you want to stream on the go, Dacast allows you to live stream directly from your mobile device, making producing live content easier.
Live streaming and VOD for Every Subscription Plan
If you sign up for one of Dacast’s subscription plans, you get access to live streaming, VOD support, and features. Dacast understands that most broadcasters need support for both VOD and live streaming.
Dacast offers great features for both live streaming and VOD, such as live stream recording capabilities and a robust content management system. Dacast also allows for unlimited viewers and live channels.
Customizable HTML5 Video Player
Your video player should match your branding. With a customizable HTML5 video player, you can change how your video player looks to support your overall branding and company goals. Plus, you can easily embed the video player wherever you need it.
24/7 Customer Support
You can’t control when you need help, so Dacast offers 24/7 live customer support via email and live chat options for every plan. Higher-level plans also get phone support.
China Video Hosting
Want to broadcast content in China? Dacast offers video hosting and live streaming support for China.
One of the few drawbacks to Dacast is that the professional features may require some learning time.
However, Dacast has a vast knowledge base of articles and video tutorials to help you learn how to use the platform. Plus, Dacast offers 24/7 access to support for all customers, so you can always get the help you need.
- Minimum dimension: None (but 240p is the recommended minimum)
- Maximum dimension: 1080p or 4K (depends on the user’s hardware and internet)
- Supported aspect ratios: No restrictions (but 16:9 is the default)
- Maximum file size: Unlimited, though larger file sizes can impact viewer experience
- Maximum video length:
- Total file storage: 10 to 1,000 GB depending on the plan
- Accepted video formats: MP4 (preferred), .MOV, M4V, M2V, .AVI, MPG, .FLV, .WMV, .MKV, WebM, OGV, MXF, ASF, VOB, MTS
Dacast offers multiple pricing plans geared toward all business budgets. Here is an overview:
- Starter Plan: $39/month (includes 1,000 GB of bandwidth & 50 GB of storage)
- Event Plan: $63/month (includes 6 TB of bandwidth upfront and 50 GB of storage)
- Scale Plan: $188/month (includes 24 TB of bandwidth per year and 1 TB of storage)
Broadcasters can contact Dacast directly to learn more about custom-priced high-volume plans.
Best Use Cases
Dacast’s live streaming platform is great for:
- Live event streaming
- VOD on-demand hosting
- Streaming video for education
- Cloud-based enterprise video solutions
- Online video platform for marketing
- Video software for sales teams
Video content is invaluable for most brands, but if data gets into the wrong hands, it can be devastating. That’s why every broadcaster should prioritize offering secure stream services and storing video content safely using a reliable video streaming solution. HLS video encryption and M3U8 encrypted players are two secure methods for keeping content safe.
Dacast is a unified streaming solution that made Streaming Media Magazine’s Top 50 List for 2021, the annual list of the most important, most innovative, and most interesting companies.
With the company’s commitment to offering a robust and secure streaming video platform for its users, this powerful platform helps companies worldwide scale and monetize their online video content.
At Dacast, we’re confident that the solution is ideal for broadcasters that need a secure online video platform (OVP) for their live streaming and VOD needs. That’s why we offer a 14-day risk-free trial. Try Dacast out and see if it fits your needs for secure video delivery.
We invite you to join our LinkedIn group for regular live streaming tips and exclusive offers.