Search code examples
node.jsarchitecturestreamaudio-streamingdrm

How to make audio or video on-demand stream protected or encrypted?

I wanted to get some solutions for protecting on-demand media for copyrights and prevent users from downloading files directly like Spotify. What structure would you recommend? What are the requirements?

Solution

  • There is no reliable way to stop people copying streamed media - it has to be sent to the device to play so is possible to capture and copy. Even if it is obfuscated, there are tools available to capture the media streams.

    To counter this, the usual approach is to encrypt the media stream - this way the captured media cannot be played without the correct key. Most media encryption uses some form of AES.

    In the (hopefully) unlikely event that someone finds a way to crack AES in the near future, its likely that pirating media will be fairly low on their exploit list, given the wide use of AES across industries, government etc.

    You still need some secure way of getting the key from the server to the clients, only to those clients who are entitled to watch it, and if a manner that does not allow the client to view the decryption key itself (or else they could just copy it).

    This is one of the key functions that DRM solutions provide - the most common being Google's Widevine, Microsoft's PlayReady and Apple's FairPlay, although others do exist also.

    So, if you view the media security as hurdles, you might consider techniques like these, in touch order of effort/protection:

    • user authentication to access the page/server
    • obfuscate the media url to make it harder to copy
    • signed urls to limit access to certain users (with consideration of how this may impact any CDN or caching strategy)
    • encrypted files with keys hardcoded on client or passed out of band somehow
    • encrypted files using DRM and the devices secure media path, when this is available (you can usually skip most of the above other than authentication if using DRM, although some implementations will combine or use multiple hurdles together)

    It's worth bearing in mind what your end goal is - if the media is a high quality entertainment or sports, then these techniques are usually worth the investment to prevent/deter piracy.

    If your audio or video will contain 'secret' information you don't want shared then you also need to remember that someone can point a camera or a microphone at the player device and capture it that way. It may not be great quality, so less useful for piracy use cases. At this point the focus usually turns towards identifying the source of the leak, using techniques like forensic watermarking - i.e. embedded invisible/inaudible audio and video watermarks to allow a leak be traced.