Multimedia content protection is at the heart of the multimedia business. It avoids unauthorized access to content and hence it guarantees the revenues for the whole multimedia value chain at large but specialy for Content Owners and Service Providers. Velocix is fully committed to ensure that content value and integrity is preserved. On top of classical DRM approaches, Velocix provides additional capabilities for protecting access to content.
Per-session content encryption
Beyond the Velocix platform is DRM-agnostic and can also interoperate with any third-party key management server to retrieve and release keys, Velocix offers its unique per-session level encryption protection scheme, which provides an extra security level on top of any DRM system. The content is encrypted on a per-session basis with a different key each time it is requested, preventing so the interception of the content stream. Keys are held for a limited time, are consumed quickly after being created and are not reused again, making publication of potential hacked keys completely irrelevant. It can be used both with live streams and also video-on-demand streaming.
Velocix supports both the pantos draft for HTTP Live Streaming using the AES-128 CBC encryption method for iOS devices and the AES-128 CTR encryption method (not supported by the pantos draft) for use with Silver Light devices.
The Velocix Delivery Appliance is in charge to apply this per-session protection schema as depicted in Figure 1, so that multiple encryption formats can be applied in the edge out of a single input from Veloix CDN.
An additional key benefit of this CDN session awareness is the option of enabling personalized watermarking. An invisible mark, different per user, can be inserted in the audio/video level by the delivery appliance. Then if content is published in the clear the source of the leak can be identified.
Another side-effect of per-session encryption is the fact that the encryption brings session awareness to the CDN, which dovetails nicely with the existing on-demand infrastructure of the operator, for example, the session and resource management of the video back office.
Velocix is a leader in the commercial development and deployment of per-session AES encryption to both iOS and Silver Light devices, which is already in commercial deployment into major operators multi-screen delivery architecture.
Velocix is the first on-CDN provider to enable HTTPS functionality on the CDN infrastructure. HTTPS is increasingly used by websites to secure end users web sessions even for basic web services such as search. Velocix's implementation allows secure HTTPS streaming for all Velocix functions including web acceleration, and HTTP streaming services.
Velocix´s solution supports also token authentication as a mechanism to ensure that only valid requests for content are delivered by the CDN. When an end-user device is connected to a Delivery Appliance, the system decodes the token and checks that the token has not expired yet -a timestamp is applied to invalidate the address after a defined session timeout-, it is for the object specified in the request and it is 'valid'. For example, an unauthenticated user is not allowed access to content from a particular region, whereas an authenticated user is redirected to the CDN with an authorization token. If the token is valid, the CDN delivers the content.
For maximum security, in a token-based authorization scheme, it is esential to keep duration and reuse of tokens to a minimum, any concessions we make to usability could reduce security, For example, we could set a reuse property on the token, and set the duration to exceed the expected length of the content. This would make it likely that a disconnected consumer would be able to restart their content but it would also make the tokenised link vulnerable to malicious redistribution. This risk increases the more reuse we allow and the longer we make the duration of tokens. For the greatest security, Velocix provides some recommended deployment methods to get the expected customer quality of service.
The Velocix solution supports secure tokens, Hash-based Message Authentication Code (HMAC) tokens, as well as, Shock Wave Format (SWF) verification. With secure tokens a token generation library is used to add a secure token to any request, which is then validated against a shared secret or key.
Velocix has actively supported the move to HMAC tokens based on industry standard token-generating utilities that generate standard libraries of tokens in languages such as Java and C#. The Velocix solution also supports SWF verification to ensure the Flash application requesting content matches a copy of the application registered with the CDN.
Velocix´s solution supports also integrated geo-configuration which applies policy to content delivery using an associated set of rights to determine how and where content can be served and delivered.
The Velocix solution allows blocking certain subscribers or suspicious IP addresses within a generally allowed IP address block. Customer IP blocks are easily imported and updated to the Velocix Digital Media Delivery Platform to ensure accurate checking of the requester to grant access if the user is in the white list or deny access if it is in the blacklist.