Tuesday, February 9, 2010

Secure Media Streaming using CloudFront & Progressive Download Method


One of the biggest challenges digital content providers face today is protecting media content while streaming it. Streaming media servers such as Adobe Flash Media Server, Wowza, etc. address this issue in a big way. But hosting these media servers ourselves is an expensive proposition, and it becomes more complex when serving a large customer base. Amazon CloudFront recently announced its media streaming support using Adobe Flash Media Servers. As I posted in my previous article, Amazon CloudFront media support is a good service for serving media publicly but lacks a mechanism to protect digital content and serve it privately. As a stopgap, until Amazon addresses this in the right way, let's take a look at the technique below for streaming media privately and protecting the content from bot downloads, etc.

Proposed Method for Serving Private Media Content
Some of you might be aware that Amazon CloudFront supports private objects. One of the oldest techniques for serving streaming media, and one still widely used, is the progressive download method. With the help of CloudFront private objects and progressive download, you will be able to serve private media content to a closed user base.

The major problem
There are two major drawbacks to using the progressive download method:
  1. Content being copied to the local system and played.
  2. Disallowing other media players (bots) to copy the content.
Of course, other advanced features like optimal bandwidth usage, customizing the stream at runtime, etc. are not considered here, because all of these are addressed by your streaming media server and you definitely need them for a comprehensive solution.

Disclaimer: This solution is still at the conceptualization layer; if you are interested, try this at your own risk.

Solution
1. Upload all your media files to a specific S3 bucket (http://m1.mycloudbuddy.com/usermanual.html#UploadFile%28s%29)

2. Enable CloudFront for that bucket (http://m1.mycloudbuddy.com/plugin/cloudfront.html)

3. Enable private content support for the bucket (refer to the section "Enabling Private Content" in this URL).

4. Develop or customize any available open source media player to play content from CloudFront. S3 supports partial content download, so you can also develop a sophisticated player that downloads content in a multi-threaded fashion.

5. You can implement a mechanism like SWF verification by Adobe (http://kb2.adobe.com/cps/405/kb405456.html) to protect your content from being copied by other players as well.

6. Upon verifying the SWF files, the SWF player can send a request to the server to generate a URL which is valid only for a short time (for example 10 or 15 seconds) and start the download. This method ensures that once the download begins, the next call to that resource is denied.
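The server side of steps 5 and 6, as an added example that is not part of the original post: a per-session code is issued with the player page, redeemed once, and only then is a CloudFront canned-policy URL with a 15-second expiry built. The HMAC code scheme, all function names, the in-memory `_redeemed` set and the `sign` callable are assumptions; `sign` must return the RSA-SHA1 signature of the policy bytes made with the private key of the CloudFront key pair named by `key_pair_id`.

```python
import base64, hashlib, hmac, json, secrets, time

SERVER_KEY = secrets.token_bytes(32)  # server-side secret, never shipped in the player
CODE_TTL = 60   # assumed lifetime of a session code, in seconds
URL_TTL = 15    # lifetime of the signed URL, per step 6
_redeemed = set()  # codes already used; needs a shared store with several servers

def _mac(session_id, nonce, exp):
    # JSON framing keeps the three fields unambiguous inside the MAC input
    msg = json.dumps([session_id, nonce, exp]).encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()

def issue_code(session_id, now=None):
    """Create the code that is embedded in the page serving the player."""
    exp = str(int(time.time() if now is None else now) + CODE_TTL)
    nonce = secrets.token_hex(8)
    return f"{nonce}.{exp}.{_mac(session_id, nonce, exp)}"

def redeem_code(session_id, code, now=None):
    """True only for an authentic, unexpired code that has not been used."""
    now = time.time() if now is None else now
    try:
        nonce, exp, mac = code.split(".")
        expired = now > int(exp)
    except ValueError:
        return False
    authentic = hmac.compare_digest(_mac(session_id, nonce, exp).encode(), mac.encode())
    if not authentic or expired or code in _redeemed:
        return False
    _redeemed.add(code)
    return True

def canned_policy(url, expires):
    """CloudFront canned policy: compact JSON with no whitespace."""
    stmt = {"Resource": url, "Condition": {"DateLessThan": {"AWS:EpochTime": expires}}}
    return json.dumps({"Statement": [stmt]}, separators=(",", ":"))

def cf_b64(raw):
    """Base64 with the character substitutions CloudFront expects in URLs."""
    return base64.b64encode(raw).decode().translate(str.maketrans("+=/", "-_~"))

def player_url(session_id, code, media_url, sign, key_pair_id, now=None):
    """Return a short-lived signed URL, or None if the code is rejected."""
    now = int(time.time() if now is None else now)
    if not redeem_code(session_id, code, now):
        return None
    expires = now + URL_TTL
    signature = cf_b64(sign(canned_policy(media_url, expires).encode()))
    return f"{media_url}?Expires={expires}&Signature={signature}&Key-Pair-Id={key_pair_id}"
```

Single use is enforced on the session code; the signed URL itself can be fetched by any client until `Expires` passes, which is why the window is kept to a few seconds.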

In a nutshell,
A customized media player, S3, CloudFront private object support and a web services application, preferably running in EC2, will help you protect and serve digital content in a cost-effective way. If you think running an application in EC2 is a little expensive, you can also choose alternative PaaS platforms like Google App or Azure to host your SWF verification/URL generation web services application.
In addition, you can use encoding services like Encoding.com to encode your content into various formats. Combining this with the above solution helps you support multimode access such as mobile (iPhone/Android), desktop, web, etc.

References
Protecting video content - http://kb2.adobe.com/cps/405/kb405456.html  

13 comments:

Eric said...

Hi, I am the Marketing Director at HeyWatch.
Thanks for this good article.
That is true, Encoding is one service.

But, you should also have a look at HeyWatch who has been the leader in Online Professional Video Encoding since 2006 - http://bit.ly/5BT30B

Affordable, with exclusive features such as Watermarking, 2-pass, trendiest video formats (h264, Theora for HTML5), HD Ready, and even more. You can use HeyWatch through a graphical smart and complete interface. But for professional use, you can integrate HeyWatch in white label to externalize your encoding tasks and focus on your core business via a REST API.

Matka/HTML said...

You can secure it to a level you want, but that's just making it difficult to copy. One could always create a player similar to yours and download your streaming content. How about that?

ezhil said...

The player's generated file signature is verified by the server side application to prevent someone developing a player like yours.

SAM said...

Hi, I am not sure how to set up SWF verification in your solution with Cloud Front. I have read through all the relevant docs, but I can't see any indication of how to enable SWF verification with Cloud Front. We have done all the steps you included except this. Can you pls. help on this?

Ezhil said...

SWF verification has to be implemented by you with your own logic. The Adobe link given in the article is a reference for you to come up with a solution. Just to kick-start your thoughts, your SWF player should be served by a dynamic web application which would generate a unique code for that session. When the SWF file gets loaded, it has to first initiate a call to your web application along with the unique code (possibly as an HTTP header variable) again to generate a URL for the CloudFront media file. During this call you will have to verify the code for authenticity. The concept here is that you are the owner who generates a private URL for your Cloud media resource, and you will provide access to the media resource upon verifying the player.

Hope this helps you.

Matka/HTML said...

Funny, I can still think of a way to capture this streaming media. How about recording it from the screen :D (shameless grin)

Ezhil said...

Instead you can also run Adobe Flash media server to do that.

To make it clear, you use the CloudFront feature which is more vital and build the missing pieces around.

Nothing in this world is free.

SAM said...

Hi, first of all many thanks to Ezhil and others for responding to my post almost 8 months after your article, which is very good.
Now coming to this SWF verification logic, we are using FLOW PLAYER with Cloud Front. We have already implemented URL signing using both CANNED and CUSTOM policy. I still feel this is not sufficient as we are going to launch an online video streaming solution. Hence the reason I want to implement this SWF verification.

So far we have not gone into the source code of the SWF file of Flow player, but from your above suggestion it looks like we need to develop our own SWF file to be able to serve a unique code for each session and to initiate a call to our web application to submit its unique code and authenticate before actually generating the private signed Cloud Front URL.
Is my understanding correct here?

If so, any tips or relevant links which can give us a head start as this would be the first time to play around with the SWF file of Cloud Front.
Thanks in advance.

Ezhil said...

I believe you can do this without modifying your SWF file too. In your flowplayer, instead of pointing directly to the CloudFront media URL, you can use your server URL pointing to a dynamic page along with a unique parameter that you generate. Upon successful validation you can redirect to the generated URL. My assumption here is that the player is embedded in a server-side page too.

SAM said...

Hi Ezhil, by any chance is there any possibility that I can have a quick call with you to discuss this, so that I can explain our current solution and get a bit of clarity on how to do this SWF verification? The difference here is that we have our main web site hosted differently from our Amazon S3 (where media files are stored) and Cloud Front. So I am afraid it is going to be a bit mix and match, but I don't want to defeat the purpose of Cloud Front's signed URL. So, I request a quick call with you, and your convenient timings will be much appreciated if you don't mind.

Ezhil said...

Please email me at ezhil[dot]sathya(at)gmail[dot]com

html5 music player said...

Interesting one. Keep posting such kind of information on your blog. I bookmarked it for continuous visit.

data recovery vancouver said...

Amazon also hosts static websites using a somewhat cloud technique; I have heard about it. Anyone can check for it through Google.