
Protecting content overview

Microsoft Azure Media Services enables you to secure your media from the time it leaves your computer through storage, processing, and delivery. Media Services allows you to deliver your live and on-demand content encrypted dynamically with Advanced Encryption Standard (AES-128) or any of the three major DRM systems: Microsoft PlayReady, Google Widevine, and Apple FairPlay. Media Services also provides a service for delivering AES keys and DRM (PlayReady, Widevine, and FairPlay) licenses to authorized clients.

The following image illustrates the Azure Media Services content protection workflow.

Figure: Protect with PlayReady (content protection workflow diagram)

This article explains concepts and terminology relevant to understanding content protection with AMS. The article also provides links to articles that discuss how to protect content.

Dynamic encryption

Azure Media Services enables you to deliver your content encrypted dynamically with AES clear key or DRM encryption: Microsoft PlayReady, Google Widevine, and Apple FairPlay. Currently, you can encrypt the following streaming formats: HLS, MPEG-DASH, and Smooth Streaming. Encryption on progressive downloads is not supported. Each encryption method supports the following streaming protocols:

  • AES: MPEG-DASH, Smooth Streaming, and HLS
  • PlayReady: MPEG-DASH, Smooth Streaming, and HLS
  • Widevine: MPEG-DASH
  • FairPlay: HLS

To encrypt an asset, you need to associate an encryption content key with your asset and also configure an authorization policy for the key. Content keys can be specified or automatically generated by Media Services.

You also need to configure the asset's delivery policy. If you want to stream a storage encrypted asset, make sure to specify how you want to deliver it by configuring the asset delivery policy.

When a stream is requested by a player, Media Services uses the specified key to dynamically encrypt your content using AES clear key or DRM encryption. To decrypt the stream, the player requests the key from the AMS key delivery service. To decide whether or not the user is authorized to get the key, the service evaluates the authorization policies that you specified for the key.

AES-128 Clear Key vs DRM

Customers often wonder whether they should use AES encryption or a DRM system. The primary difference between using AES encryption and the DRM systems is that with AES encryption the content key is transmitted to the client in an unencrypted format ("in the clear"). As a result, the key used to encrypt the content can be viewed in plaintext in a network trace on the client. AES-128 clear key is suitable for use cases where the viewer is a trusted party (for example, encrypting corporate videos distributed within a company to be viewed by employees).

PlayReady, Widevine, and FairPlay all provide a higher level of encryption compared to AES-128 clear key encryption. The content key is transmitted in an encrypted format. Additionally, decryption is handled in a secure environment at the operating system level, where it is significantly more difficult for a malicious user to attack. DRM is recommended for use cases where the viewer may not be a trusted party and you require the highest level of security.

Storage encryption

You can use storage encryption to encrypt your clear content locally using AES-256 bit encryption and then upload it to Azure Storage, where it is stored encrypted at rest. Assets protected with storage encryption are automatically decrypted and placed in an encrypted file system prior to encoding, and optionally re-encrypted prior to uploading back as a new output asset. The primary use case for storage encryption is when you want to secure your high-quality input media files with strong encryption at rest on disk.

In order to deliver a storage encrypted asset, you must configure the asset's delivery policy so Media Services knows how you want to deliver your content. Before your asset can be streamed, the streaming server decrypts it and then streams your content using the specified delivery policy (for example, AES, common encryption, or no encryption).

Types of encryption

PlayReady and Widevine utilize Common Encryption (AES CTR mode). FairPlay utilizes AES CBC mode encryption. AES-128 clear key encryption utilizes Envelope Encryption.

Licenses and keys delivery service

Media Services provides a key delivery service for delivering DRM (PlayReady, Widevine, FairPlay) licenses and AES keys to authorized clients. You can use the Azure portal, the REST API, or the Media Services SDK for .NET to configure authorization and authentication policies for your licenses and keys.

Control content access

You can control who has access to your content by configuring the content key authorization policy. The content key authorization policy supports either open or token restriction.

Open authorization

With an open authorization policy, the content key is sent to any client (no restriction).

Token authorization

With a token-restricted authorization policy, the content key will only be sent to a client that presents a valid JSON Web Token (JWT) or Simple Web Token (SWT) in the key/license request. This token must be issued by a Secure Token Service (STS). You can use Microsoft Active Directory as an STS or deploy a custom STS. The STS must be configured to create a token signed with the specified key and issue the claims that you specified in the token restriction configuration. The Media Services key delivery service will return the requested key/license to the client if the token is valid and the claims in the token match those configured for the key/license.

When configuring the token restricted policy, you must specify the primary verification key, issuer and audience parameters. The primary verification key is the key the token was signed with, and the issuer is the secure token service that issues the token. The audience, sometimes called scope, describes the intent of the token or the resource the token authorizes access to. The Media Services key delivery service validates that these values in the token match the values in the template.
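The issue-and-verify flow described above, as an added example that is not part of this article or of the Media Services SDK: a stand-in STS signs a JWT (HS256) carrying the issuer and audience claims, and a stand-in for the key delivery service checks the signature against the primary verification key, then compares issuer, audience and expiry with the restriction template before releasing the key. Python and every name here (issue_token, verify_token, rewrite_claims, the constructed key and URLs) are assumptions for illustration, not the service's API.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple


def _b64url(data: bytes) -> str:
    """Base64url without padding, as JWT requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    """Inverse of _b64url; restores the stripped padding first."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(signing_key: bytes, issuer: str, audience: str,
                lifetime_s: int = 300, now: Optional[int] = None) -> str:
    """Stand-in STS: build an HS256-signed JWT with iss/aud/iat/exp claims."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": issuer, "aud": audience, "iat": now, "exp": now + lifetime_s}
    compact = lambda obj: _b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = compact(header) + "." + compact(claims)
    sig = hmac.new(signing_key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_token(token: str, verification_key: bytes, expected_issuer: str,
                 expected_audience: str, now: Optional[int] = None) -> Tuple[bool, str]:
    """Stand-in key delivery check: (True, "ok") only if signature, issuer,
    audience and expiry all match the token restriction template."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return (False, "malformed")
    header_b64, claims_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(claims_b64))
        sig = _b64url_decode(sig_b64)
    except ValueError:  # covers bad base64 and bad JSON
        return (False, "undecodable")
    # Pin the algorithm: never let the token choose how it is verified.
    if header.get("alg") != "HS256":
        return (False, "unexpected alg")
    expected = hmac.new(verification_key, f"{header_b64}.{claims_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return (False, "bad signature")
    if claims.get("iss") != expected_issuer:
        return (False, "issuer mismatch")
    if claims.get("aud") != expected_audience:
        return (False, "audience mismatch")
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return (False, "expired")
    return (True, "ok")


def rewrite_claims(token: str, **changes) -> str:
    """Re-encode the claims segment with altered values but keep the old
    signature; used to show that a claim edit without the key is rejected."""
    header_b64, claims_b64, sig_b64 = token.split(".")
    claims = json.loads(_b64url_decode(claims_b64))
    claims.update(changes)
    return header_b64 + "." + _b64url(json.dumps(claims, separators=(",", ":")).encode()) + "." + sig_b64


if __name__ == "__main__":
    # Constructed template values; a real policy uses the STS's own key and URLs.
    key = b"constructed-demo-verification-key"
    issuer = "https://sts.contoso.example"
    audience = "urn:media:constructed-audience"
    tok = issue_token(key, issuer, audience)
    print("valid token:", verify_token(tok, key, issuer, audience))
    print("edited audience:", verify_token(rewrite_claims(tok, aud="urn:other"), key, issuer, audience))
```

The order of checks matters: the signature is verified before any claim is trusted, so an issuer or audience value is only compared after it is known to come from the STS that holds the key.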

Streaming URLs

If your asset was encrypted with more than one DRM, you should use an encryption tag in the streaming URL: (format='m3u8-aapl', encryption='xxx').

The following considerations apply:

  • No more than one encryption type can be specified.
  • The encryption type does not have to be specified in the URL if only one encryption was applied to the asset.
  • The encryption type is case insensitive.
  • The following encryption types can be specified:
    • cenc: for PlayReady or Widevine (Common Encryption)
    • cbcs-aapl: for FairPlay (AES CBC encryption)
    • cbc: for AES envelope encryption (Envelope Encryption)
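A parser and builder for the manifest options above, as an added example that is not part of this article or of Media Services: it reads the (key='value', ...) suffix, enforces the rules listed (at most one encryption option, case-insensitive value, only cenc, cbcs-aapl or cbc), and can append a well-formed tag to a bare manifest URL. Python, the function names and the constructed account and locator in the sample URL are assumptions; the ".ism/manifest" path shape is the one the article's tag is attached to.

```python
import re
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

# Encryption types the article allows in the streaming URL, with what each selects.
ENCRYPTION_TYPES = {
    "cenc": "PlayReady or Widevine (Common Encryption)",
    "cbcs-aapl": "FairPlay (AES CBC encryption)",
    "cbc": "AES envelope encryption",
}

_OPTION_RE = re.compile(r"^(\w+)='([^']*)'$")


def parse_manifest_options(url: str) -> Dict[str, str]:
    """Return the key/value options in a manifest(...) suffix, or {} if none.
    Raises ValueError for a non-manifest URL, a malformed option, or a
    repeated option name (which is how a second encryption type is caught)."""
    path = urlsplit(url).path
    match = re.search(r"/manifest(?:\((.*)\))?$", path)
    if not match:
        raise ValueError("not a manifest URL")
    raw = match.group(1)
    if raw is None:
        return {}
    options: Dict[str, str] = {}
    for item in raw.split(","):
        item = item.strip()
        om = _OPTION_RE.match(item)
        if not om:
            raise ValueError(f"malformed option: {item!r}")
        name, value = om.group(1).lower(), om.group(2)
        if name in options:
            raise ValueError(f"duplicate option: {name}")
        options[name] = value
    return options


def check_encryption_tag(url: str) -> Tuple[bool, Optional[str]]:
    """(True, normalized type) for a valid tag, (True, None) when no tag is
    present (allowed when only one encryption was applied), else (False, reason)."""
    try:
        options = parse_manifest_options(url)
    except ValueError as exc:
        return (False, str(exc))
    enc = options.get("encryption")
    if enc is None:
        return (True, None)
    normalized = enc.lower()  # the tag is case insensitive
    if normalized not in ENCRYPTION_TYPES:
        return (False, f"unknown encryption type: {enc!r}")
    return (True, normalized)


def add_encryption_tag(manifest_url: str, format_name: str, encryption: str) -> str:
    """Append (format='...',encryption='...') to a bare manifest URL."""
    normalized = encryption.lower()
    if normalized not in ENCRYPTION_TYPES:
        raise ValueError(f"unknown encryption type: {encryption!r}")
    if parse_manifest_options(manifest_url):
        raise ValueError("URL already carries manifest options")
    return f"{manifest_url}(format='{format_name}',encryption='{normalized}')"


if __name__ == "__main__":
    # Constructed sample URL; account name and locator id are placeholders.
    base = ("https://constructed-account.streaming.mediaservices.windows.net/"
            "00000000-0000-0000-0000-000000000000/video.ism/manifest")
    print(add_encryption_tag(base, "m3u8-aapl", "CBCS-AAPL"))
    print(check_encryption_tag(base + "(format='m3u8-aapl', encryption='cenc')"))
    print(check_encryption_tag(base + "(encryption='cenc',encryption='cbc')"))
```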

Next steps

The following articles describe next steps to get started with content protection:

Azure Media Services PlayReady license delivery pricing explained

How to debug an AES encrypted stream in Azure Media Services

JWT token authentication

Integrate an Azure Media Services OWIN MVC-based app with Azure Active Directory and restrict content key delivery based on JWT claims.