Support "envelope encryption" AKA HLS-AES-128 in DASH #5622
Comments
|
I'm not familiar with envelope encryption in Azure. Can you provide a link to documentation? I may be able to help you figure out how to configure the player for it. My guess is that your app may need to configure network response filters in the player to unwrap or decrypt something. |
avelad
added
the
status: waiting on response
|
Hi @joeyparrish , I think this may be help you. |
shaka-bot
removed
the
status: waiting on response
|
We were using Dot net SDK for Azure Media Services for Livestream and VOD. There is a content key named Envelope Encryption available in Azure media Services along with other Content protection ways such as Clear Key, Play ready, etc. When we are using the HLS format, the request for Key will be triggered from shaka and we were modifying and sending the Bearer token with request via our App. ContentKey Enum Response from Manifest Request has this. |
|
If I'm understanding this correctly, it seems that envelope encryption is Microsoft's name for what Apple (frustratingly) calls simply "AES-128". I'm going to start using Microsoft's term for it for clarity, since all modern DRM uses the AES-128 block cipher, and envelope encryption is distinct from those DRM schemes. Envelope encryption is AES-128 in CBC mode applied to the entire stream, with keys delivered in the clear. Common encryption DRM is typically done in one of two modes: AES-128 in CTR mode (CENC), or AES-128 in CBC mode with a pattern of skipped blocks (CBCS). In either case, there are clear bytes and encrypted bytes in each encrypted segment, and we don't encrypt the entire stream. These three modes (CENC, CBCS, and Envelope encryption) are all mutually incompatible. CENC and CBCS both get fed to the browser encrypted, where the CDM uses a DRM license to decrypt. CENC and CBCS have to be decrypted differently, but by the same basic infrastructure. Envelope encryption gets a clear key and gets decrypted by the player with WebCrypto APIs before feeding it to the browser. The browser only ever sees clear content. This envelope encryption is supported by Shaka Player in HLS, but this is the first I've heard of it being used for DASH. The same decryption code could be triggered to support it. We just need to modify the DASH parser to get the necessary information and signal it to the rest of the player. I'm going to convert this into a feature request. My team doesn't have time to work on this right now, but we are always accepting PRs and happy to provide guidance. |
joeyparrish
added
type: enhancement
joeyparrish
changed the title
|
Thanks for the help @joeyparrish . |
|
@Ravi-79 can you provide a stream to implement this? Thanks! |
This change is required in preparation for #5622
This change is required in preparation for #5622
This change is required in preparation for #5622
|
Related to Dash-Industry-Forum/dash.js#1993 |
|
Hi @avelad , Can I have a documentation or steps to implement the AES-128 decryption in our custom application. |
|
Decryption of segments is handled internally. If you need to add a token to the key request, you can do that for DASH exactly as you would for HLS, by registering a request filter. |
|
Thank you @joeyparrish |
Have you read the Tutorials?
Yes
Have you read the FAQ and checked for duplicate open issues?
Yes
What version of Shaka Player are you using?
4.3.9
Please ask your question
Does shaka player support the AES Envelope encryption done in Azure Media Service (AMS) V2?
I am using Dash manifest with Envelope Encryption for Live stream. It's working in AMS player but in Shaka.
The text was updated successfully, but these errors were encountered: