Closed vardanbalyan97 closed 1 year ago
Hi @vardanbalyan97, does FFmpeg support it? What is that decryption key, header/cookie? Possibly related to #261?
Hi @SuRGeoNix, through FFmpeg we encrypt the video using a key, and FFmpeg creates .ts segments of the video file by dividing it into small segments, with a master .m3u8 file to play those video segments. We pass the key to the player to decrypt the video and play it; that is the decryption key.
I have tried passing the key like this : Config.Demuxer.FormatOpt["headers"] = "my_key";
but it did not work
Are there more options available for FormatOpt, like we have for headers?
@vardanbalyan97 find how you would do that with ffmpeg/ffplay, and then if you still need help with how to do it with Flyleaf I can assist you.
So is this currently not supported in Flyleaf passing the decryption key for HLS video? Can you please confirm.
@vardanbalyan97 Didn't say that, I said I can't currently see how the decryption key works with ffmpeg. So if you tell me how it works with ffmpeg then I can tell you if Flyleaf supports it and how. From a quick look seems to pass in HLS headers? So ffmpeg should read it.
#EXT-X-KEY:METHOD=AES-128,URI="file://path/to/local/my.key"
HLS (HTTP Live Streaming) key encryption in FFmpeg refers to the process of encrypting the media files, such as video and audio, that are served through the HLS protocol.
To encrypt the media files, FFmpeg uses the AES (Advanced Encryption Standard) encryption algorithm, which is a widely used encryption algorithm that provides strong security. AES encryption works by generating a key, which is used to encrypt the media files, and a unique initialization vector (IV) for each segment. The key and IV are then passed to FFmpeg, which uses them to encrypt the media files.
FFmpeg supports several key encryption methods, including AES-128 encryption, SAMPLE-AES encryption, and AES-128 encryption with FairPlay DRM. Each method has its own encryption and decryption process.
Overall, the HLS key encryption in FFmpeg provides a secure way to protect your media files and prevent unauthorized access.
This is how hls encryption works with key.
My requirement is to pass the key at run time to the Flyleaf player for encryption; if I put the key file path in URI then anyone can access it.
@vardanbalyan97 Read what you have created and how to use it with FFmpeg. When you will be able to use it with FFmpeg or FFplay then you will know how to use it with Flyleaf. I will not do the research for you. Probably you need to use cookies.
@vardanbalyan97 it seems that you need to pass the key and iv options to the stream, not the format options, and this is how you use it with ffplay:
ffplay my_video.mkv.enc -decryption_key $AES_KEY -decryption_iv $AES_IV
I will review this in the next update, but please next time provide proper information so I can fix an issue or include an enhancement easier.
I'm actually confused with ffmpeg it has this in options_table.h
{"cryptokey", "decryption key", OFFSET(key), AV_OPT_TYPE_BINARY, {.dbl = 0}, 0, 0, D},
which means that probably it should work if you pass this (cryptokey) to Config.Demuxer.FormatOpt and ensure you white list the https/http/crypto protocols
Config.Demuxer.FormatOpt.Add("cryptokey","<hex_key_here>");
Config.Demuxer.FormatOpt.Add("protocol_whitelist", "file,tcp,tls,https,crypto,data");
Please give a try and let me know if that works otherwise I will try to investigate this further
@vardanbalyan97 Now this is supported on master, I've tested with an actual encrypted HLS Url and worked fine. Let me know if you need more help.
HLS example for decryption key:-
Config.Demuxer.FormatOptToUnderlying = true;
Config.Demuxer.FormatOpt["decryption_key"] = "6ae95abd60de318b3af92db24b082871";
consider also using the following:-
Config.Demuxer.FormatOpt["tls-verify"] = "0";
Config.Demuxer.FormatOpt["icy"] = "1";
Hi @SuRGeoNix, first of all thank you for the support and patience you have shown, and I'm sorry if I wasn't able to effectively explain the problem statement to you; you see, I'm also new to this FFmpeg thing.
When will the above changes be available on the FlyLeafLib NuGet package? I have to integrate these changes in my project.
Thanks
@vardanbalyan97 Just don't like when I ask something to give me a copy / paste from FFmpeg that you can't really understand from their poor documentation. That's why I was asking you how do you normally use the decryption_key. It's still not clear to me why they also use cryptokey. Anyways, that was another issue with FFmpeg and found a workaround to resolve it. Let me know if you have any issues with the updated NuGet.
Note: Set Config.Demuxer.FormatOptToUnderlying = true; (I renamed it as I misspelled it)
Hi @SuRGeoNix, I have updated the NuGet package and tested the decryption key with my code and have a few observations:
Below is the code I'm using:
Config = new Config();
Config.Demuxer.FormatOptToUnderlying = true;
Config.Demuxer.FormatOpt["decryption_key"] = "my_key";
Config.Demuxer.FormatOpt["tls-verify"] = "0";
Config.Demuxer.FormatOpt["icy"] = "1";
Player = new Player(Config);
Player.OpenAsync("my_video_url");
> Hi @SuRGeoNix, I have updated the NuGet package and tested the decryption key with my code and have a few observations:
> - Player.Open() -- doesn't work anymore, had to call the Player.OpenAsync() for non-encrypted video.

Not sure what I can do for that as I can't reproduce it. Provide more information.

> - I have done the code changes as you suggested earlier but still not able to play the encrypted video. Not getting any errors or warnings, the video just doesn't load.
> Below is the code I'm using:
> Config = new Config();
> Config.Demuxer.FormatOptToUnderlying = true;
> Config.Demuxer.FormatOpt["decryption_key"] = "my_key";
> Config.Demuxer.FormatOpt["tls-verify"] = "0";
> Config.Demuxer.FormatOpt["icy"] = "1";
> Player = new Player(Config);
> Player.OpenAsync("my_video_url");

Same here. Can't reproduce it and you didn't provide any information. Here an encrypted Url I've tested and it worked fine:-
https://d1wkjvw8nof1jc.cloudfront.net/c5146154-c4d7-4e2d-8e37-0ca8528a2278/master_Ott_Hls_Ts_Avc_Aac_16x9_640x360p_30Hz_600Kbps.m3u8 decryption key: 6ae95abd60de318b3af92db24b082871
Provide FFmpeg log trace for the hls (for the Open probably you are doing something wrong)
Hi @SuRGeoNix, for your reference i have attached the video zip file and key to please take a look and see if you can play this video.
With the link that you provided i'm able to play the video but same is not working for mine.
Sample encrypted video key - ABCDEFGHIJKLMNOP Sample.zip
check the error messages from ffmpeg can't check this now... first issue was this I think
Config.Demuxer.FormatOpt["allowed_extensions"] = "ALL";
@SuRGeoNix i have fetched the logs for encrypted video which is not playing below is the error logs for it and also attached the file with full log :
18.30.46.054 | FFmpeg | Warning | [https @ 000001e48441b940] HTTP error 404 Not Found
18.30.46.058 | FFmpeg | Error | [hls @ 000001e49a0ce000] Unable to open key file
18.30.46.060 | FFmpeg | Error | [crypto @ 000001e4843cf000] invalid decryption key size (8 bytes, block size is 16)
18.30.46.061 | FFmpeg | Warning | [hls @ 000001e49a0ce000] Failed to open segment 0 of playlist 0
18.30.46.062 | FFmpeg | Error | [crypto @ 000001e4843cf300] invalid decryption key size (8 bytes, block size is 16)
18.30.46.063 | FFmpeg | Warning | [hls @ 000001e49a0ce000] Failed to open segment 1 of playlist 0
18.30.46.065 | FFmpeg | Error | [hls @ 000001e49a0ce000] Error when loading first segment ''
can we explicitly specify the block size for the key to be 8 instead of 16?
@vardanbalyan97 just noticed that you provided me an encryption key instead of a decryption key, with non-hex ABCDEFGHIJKLMNOP? You need to pass a key like the one that I showed you: a 16 characters hex string.
Don't we use the encryption key for the decryption as well? I have tried the same video and same encryption key in a Unity plugin called Av Pro player, and in there the video decrypts fine with the key; that's why I thought the same should also work here. Or am I missing something in this?
Hi @SuRGeoNix, I think I have figured out the issue with the decryption key. I had to convert my key to a hexadecimal string and pass it to the demuxer, and now it's working fine. I'd really like to thank you for all the support you have given; I'm really thankful to you.
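Added example, not part of the original thread and not Flyleaf's or FFmpeg's code: a C# check for the key-format problem resolved above. It hex-encodes a raw 16-byte key and shows that a 16-character value read as hex yields only 8 bytes, the size reported in the log; `HlsKeyOption` and its methods are hypothetical names, and the sample values are constructed.

```csharp
using System;
using System.Text;

static class HlsKeyOption
{
    const int KeyBytes = 16; // AES-128 key size, equal to the block size named in the log

    // Hex-encode the raw key bytes (the content of the key file) for the option value.
    public static string FromRawKey(byte[] raw)
    {
        if (raw.Length != KeyBytes)
            throw new ArgumentException($"key is {raw.Length} bytes, AES-128 needs {KeyBytes}");
        return BitConverter.ToString(raw).Replace("-", "").ToLowerInvariant();
    }

    // Decode a hex string two digits per byte, rejecting anything that is not hex.
    public static byte[] Decode(string hex)
    {
        if (hex.Length % 2 != 0)
            throw new FormatException("odd number of hex digits");
        var bytes = new byte[hex.Length / 2];
        for (int i = 0; i < bytes.Length; i++)
        {
            if (!Uri.IsHexDigit(hex[2 * i]) || !Uri.IsHexDigit(hex[2 * i + 1]))
                throw new FormatException($"non-hex character at offset {2 * i}");
            bytes[i] = Convert.ToByte(hex.Substring(2 * i, 2), 16);
        }
        return bytes;
    }

    // Returns "ok" when the value decodes to exactly 16 bytes, otherwise the reason.
    public static string Check(string optionValue)
    {
        try
        {
            int n = Decode(optionValue).Length;
            return n == KeyBytes ? "ok" : $"decodes to {n} bytes, need {KeyBytes}";
        }
        catch (FormatException e) { return e.Message; }
    }
}

static class Program
{
    static void Main()
    {
        // Constructed samples: the raw key from this thread, a 16-digit hex string, the encoded key.
        string raw = "ABCDEFGHIJKLMNOP";
        string hex = HlsKeyOption.FromRawKey(Encoding.ASCII.GetBytes(raw));
        foreach (var v in new[] { raw, "0123456789abcdef", hex })
            Console.WriteLine($"{v}: {HlsKeyOption.Check(v)}");
        // The encoded value is what goes into FormatOpt["decryption_key"] as used in this thread.
    }
}
```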
Just randomly came back to this as I was messing with HLS and AES.. My testing Url had an invalid key Url which returns 404. The same problem you had also in your Sample.zip, actually two issues:-
1) By default HLS will not allow any extension (eg. enc.key) for security reasons, so you will have to manually allow them through format options by setting allowed_extensions = ALL
2) Having this line in your index.m3u8
#EXT-X-KEY:METHOD=AES-128,URI="enc.key",IV=0x00000000000000000000000000000000
but your enc.key did not exist in the same folder as the index.m3u8 (it was also empty; you should have the key ABCDEFGHIJKLMNOP - not in hex here)
So the current solution, to pass the hex of the decryption key directly to the crypto nested protocol through the IOOpen callback, is not actually right (even if it works). The key should be provided from the m3u8; however, FFmpeg / HLS format might consider passing the decryption key manually by an HLS option (which will pass down to crypto in case the key Url does not exist or fails).
If you follow the HLS standards from server side everything should work fine with the default/current FFmpeg/HLS implementation.
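Added example, not part of the original thread and not Flyleaf's or FFmpeg's code: a C# preflight for the packaging problems described above (key file missing next to the playlist, or empty), run against a local HLS folder. `HlsKeyPreflight` is a hypothetical helper; the playlist and key file are constructed samples that reuse the `#EXT-X-KEY` line quoted above.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Text.RegularExpressions;

static class HlsKeyPreflight
{
    const string Tag = "#EXT-X-KEY:";
    static readonly Regex Attr = new Regex("([A-Z0-9-]+)=(\"[^\"]*\"|[^,]*)");

    // One finding per problem in the AES-128 key tags of a local playlist.
    public static List<string> Check(string playlistPath)
    {
        var findings = new List<string>();
        string dir = Path.GetDirectoryName(Path.GetFullPath(playlistPath));
        foreach (string line in File.ReadLines(playlistPath))
        {
            if (!line.StartsWith(Tag, StringComparison.Ordinal)) continue;
            var a = new Dictionary<string, string>();
            foreach (Match m in Attr.Matches(line.Substring(Tag.Length)))
                a[m.Groups[1].Value] = m.Groups[2].Value.Trim('"');
            if (!a.TryGetValue("METHOD", out var method) || method != "AES-128") continue;
            if (!a.TryGetValue("URI", out var uri)) { findings.Add("key tag has no URI"); continue; }
            if (uri.Contains("://")) { findings.Add($"{uri}: not a relative path, check it separately"); continue; }
            var key = new FileInfo(Path.Combine(dir, uri));
            if (!key.Exists) findings.Add($"{uri}: not found next to the playlist");
            else if (key.Length != 16) findings.Add($"{uri}: {key.Length} bytes, expected 16 raw bytes");
            if (a.TryGetValue("IV", out var iv) && !Regex.IsMatch(iv, "^0[xX][0-9a-fA-F]{32}$"))
                findings.Add($"IV {iv}: expected 0x plus 32 hex digits");
        }
        return findings;
    }
}

static class Program
{
    static void Main()
    {
        // Constructed sample package: the key tag quoted in the thread plus an empty enc.key.
        string dir = Directory.CreateDirectory(Path.Combine(Path.GetTempPath(), "hls-preflight")).FullName;
        string playlist = Path.Combine(dir, "index.m3u8");
        File.WriteAllText(playlist, "#EXTM3U\n#EXT-X-KEY:METHOD=AES-128,URI=\"enc.key\",IV=0x00000000000000000000000000000000\n");
        File.WriteAllBytes(Path.Combine(dir, "enc.key"), new byte[0]);
        Console.WriteLine(string.Join("\n", HlsKeyPreflight.Check(playlist)));
        File.WriteAllText(Path.Combine(dir, "enc.key"), "ABCDEFGHIJKLMNOP"); // raw bytes, not hex
        Console.WriteLine($"findings after fixing enc.key: {HlsKeyPreflight.Check(playlist).Count}");
    }
}
```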
Hi, I want to play the HLS video using Flyleaf. How do I pass the decryption key to the player for video decryption?