Contact support
    • Serverside.ai
    • Content source

    SSAI stream protection

    Table of Contents

    Overview Content protection API-key or token authentication DRM FairPlay for HLS Example media playlist with #EXT-X-KEY CENC for DASH Example UnifiedStreaming DASH CENC manifest

    Overview

    This document explains how to protect SSAI live and VoD content streams using token authentication and DRM. It also covers implementation details for FairPlay (HLS) and CENC (DASH) encryption.

    Content protection

    There are two main ways to protect the source stream:

    • Token authentication of the manifest URL.
    • Encryption (DRM) of the video and audio segments. DRM might be required by the content rights holder or owner.

    These methods can be applied independently or together for stronger protection. Token authentication must be enforced at the origin or CDN level, while DRM must be applied during encoding and packaging.

    API-key or token authentication

    Token authentication is the process of generating tokens on the CDN, associating them with an authenticated user session, and validating the stream with these tokens to prevent unauthorized link sharing. 

    Serverside.ai supports token authentication via a query string. Specify it in the channel configuration as follows:

    Channel URL https://your-domain.com/your-stream.m3u8?token=1234

    DRM

    Serverside.ai supports encrypted media content. Each audio and video segment is encrypted and cannot be played without a valid license. 

    The most common DRM systems are: 

    • CENC (Common Encryption) for DASH and HLS (fMP4)
    • FairPlay for HLS (.ts)

    Encryption must be applied during encoding or packaging, and license acquisition, decryption, and playback require additional player-side integration.

    FairPlay for HLS

    When encrypting HLS content, you must use AES-128 or SAMPLE-AES: 

    • AES-128 encrypts the entire TS file. 
    • SAMPLE-AES encrypts individual audio or video samples. 
    • Apple FairPlay streams use SAMPLE-AES. 

    Example media playlist with #EXT-X-KEY 

    #EXTM3U
#EXT-X-VERSION:3
#EXT-X-TARGETDURATION:10
#EXT-X-MEDIA-SEQUENCE:26 #EXT-X-KEY:METHOD=AES-128,URI="https://media.example.com/asset/key1.php?id=<s ignature>",IV=<initialization vector>
#EXTINF:9.901,
http://media.example.com/wifi/segment26.ts
#EXTINF:9.901,
http://media.example.com/wifi/segment27.ts #EXT-X-KEY:METHOD=AES-128,URI="https://media.example.com/asset/key2.php?id=<s ignature>"
#EXTINF:9.501,
http://media.example.com/wifi/segment28.ts
     
     

    CENC for DASH

    Common Encryption (CENC) defines standard encryption and key mapping methods that work across DRM systems. This allows the same file to be decrypted by multiple DRM systems, while each system manages rights, key acquisition, and compliance independently. 

    CENC requires encryption headers in both the client manifest (.mpd) and the initialization segment. 

    Example UnifiedStreaming DASH CENC manifest

    <ContentProtection
  schemeIdUri="urn:mpeg:dash:mp4protection:2011"
  value="cenc"
  cenc:default_KID="F859A410-3FB8060EE9D2"
  xmlns:cenc="urn:mpeg:cenc:2013"/>

<ContentProtection schemeIdUri="urn:uuid:edef8ba9-79d6-4ace-a3c8-27dcd51d21ed">
  <cenc:pssh xmlns:cenc="urn:mpeg:cenc:2013">
    AAAAaPSoCU0Q=
  </cenc:pssh>
</ContentProtection>

<ContentProtection
  schemeIdUri="urn:uuid:9a04f079-9840-4286-ab92-e65be0885f95"
  value="MSPR 2.0">
  <cenc:pssh xmlns:cenc="urn:mpeg:cenc:2013">
    AAA4A
  </cenc:pssh>
</ContentProtection>
     
     

    RELATED ARTICLES