HMAC Tokens For Video Streaming

HMAC Stream Security

ScaleEngine implements an HMAC (hash message authentication code) based security token system, based on a strong cryptographic hash function and a secret key.

This offers a simple method of securing your streams against unapproved viewers. It is highly scalable, simple to implement, and effective against stream rippers.

How it Works

HMAC security works by having your site generate a token, and adding the token to the viewer's stream URL. This token consists of the ACL (access control list) of the streams allowed, an expiry time, and optionally the client's IP address. These are then hashed together with a secret key to make it unforgeable.

Our CDN servers share your secret key, which they will use to verify if the hash is valid, then check the expiration time, whether the stream matches the ACL, and optionally the IP address of the user, if it was included in the token. If all these things match, the request is good, since it could only originate from your web application which knows the secret key, and we allow playback. If it does not match, if the hash has been tampered with, expired, or the token is absent, the viewer will be blocked.

This token is referred to as the "short token", since the expiry time can be quite short, such as 5 min. The short token is only used to establish a connection to a streaming server. Once the viewer has connected to the server, the server will issue a cookie that is valid for a much longer time, but is specific that the individual session, and will be used for all subsequent requests. That cookie is the "long token".

Implementing HMAC Security

See our Example PHP code for an example of implementing HMAC security.

There are 4 elements to set:

  • the secretkey
  • the acl ("/*" usually)
  • expiration time of the token
  • optionally, the ip address of the user

Once these are hashed together, you will get a piece of text. When you draw your embed code for the website, just append the signature to the url:{$signature}

You can also set a window, which is how long you want the ticket to be good for, and the expiration time will be automatically calculated for you. The amount of time between when you draw the page, and when the viewer clicks play is all that is important here. Once they use the ticket, they'll be given a cookie good for 24 hours to keep viewing the stream.

Optionally, you can require the client IP address to match, to keep the ticket from being reused with other addresses. This is less of requirement since the URL signature is usually so short lived. You can make it longer though if you are more concerned about successful plays than security.