Amazon Elastic Transcoder adds AES-128 encryption for HLS content

Amazon Web Services

Amazon Web Services has added AES-128 encryption to Amazon Elastic Transcoder, its cloud media transcoding service, to protect transcoded files while still using generic content delivery mechanisms. AWS confirmed that the feature is currently available and that there is no additional charge for using AES-128 encryption. Users pay only for the content transcoded.

When enabling this feature on Amazon Elastic Transcoder, each media segment is encrypted using AES-128 and a single encryption key. A URL (uniform resource locator) to the decryption key is written to each playlist (HLS supports multiple encodings known as variants; each one supports an alternate rendering of the same content). When the content is viewed, the player will download the key and decrypt the media segments during the playback process.

To use this new feature, users need to associate an Elastic Transcoder pipeline with a KMS master key. They have two choices when it comes to keys: create their own or have Elastic Transcoder generate them.

Amazon Elastic Transcoder is built using the scalability and flexibility of other Amazon Web Services. It runs on the Amazon Elastic Compute Cloud (Amazon EC2) to complete large transcoding jobs. It is built to work with content stored in Amazon Simple Storage Service (Amazon S3), which offers durable and cost-effective storage for libraries large or small. Users can be notified about the status of transcoding jobs through the Amazon Simple Notification Service (Amazon SNS).

Each variant playlist will contain a URL that the media player will use to fetch the content protection key using a standard HTTP request. In order to protect access to the key, the content provider must authenticate and authorize the media player. The authentication should result in a session cookie that identifies the media player. The content provider should mandate that the cookie is present and acceptable before returning the key. This mechanism will prevent unauthorized playback and decryption of the content.
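The gate described above, as an added example that is not AWS or Elastic Transcoder code: a WSGI key endpoint that returns the content key only when the request carries a valid, unexpired session cookie. The cookie name `session`, its HMAC-signed format, the secret and the key bytes are assumptions constructed for illustration.

```python
import hashlib
import hmac
import time
from http.cookies import CookieError, SimpleCookie

SESSION_SECRET = b"constructed-demo-secret"  # assumption: shared with the login service
CONTENT_KEY = bytes(range(16))               # constructed 16-byte AES-128 content key


def _sign(payload):
    return hmac.new(SESSION_SECRET, payload.encode(), hashlib.sha256).hexdigest()


def issue_session(player_id, ttl=3600):
    """Cookie value the login step sets once the player is authenticated."""
    payload = f"{player_id}.{int(time.time()) + ttl}"
    return f"{payload}.{_sign(payload)}"


def session_is_valid(value):
    """Accept only an unexpired cookie whose HMAC matches."""
    payload, _, sig = value.rpartition(".")
    _, _, expires = payload.rpartition(".")
    if not hmac.compare_digest(sig.encode(), _sign(payload).encode()):
        return False
    return expires.isdigit() and int(expires) > time.time()


def key_app(environ, start_response):
    """WSGI endpoint behind the key URL that the variant playlists point to."""
    try:
        morsel = SimpleCookie(environ.get("HTTP_COOKIE", "")).get("session")
    except CookieError:
        morsel = None
    if morsel is None or not session_is_valid(morsel.value):
        start_response("403 Forbidden", [("Content-Type", "text/plain")])
        return [b"forbidden\n"]
    start_response("200 OK", [("Content-Type", "application/octet-stream"),
                              ("Cache-Control", "no-store")])
    return [CONTENT_KEY]


def fetch_key(cookie_header):
    """Drive key_app in-process, as a player request would; returns (status, body)."""
    seen = []
    body = key_app({"HTTP_COOKIE": cookie_header},
                   lambda status, headers: seen.append(status))
    return seen[0], b"".join(body)
```

The `Cache-Control: no-store` header keeps intermediaries from caching the key response, so each player has to pass the cookie check itself.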

If the user decides to use a Content Distribution Network (CDN) such as Amazon CloudFront to distribute content, they need to ensure that the encrypted media files are accessible from the CloudFront distribution. However, they must be careful not to store keys in a publicly accessible location.

Last December, AWS added the ability to attach up to ten key-value pairs to each Elastic Transcoder job. The metadata is included in job notifications and can be used to map jobs back to the content in the internal Content Management System (CMS).

In November, AWS announced AWS Key Management Service (KMS) support for Elastic Transcoder to ensure the confidentiality of media assets (mezzanine files, thumbnails, captions, and watermarks) as they move between the application and the Elastic Transcoder service. This launch gave users control over who could decrypt content and also allowed them to use AWS CloudTrail to create an audit report of all encryption and decryption operations.
