Content protection overview

Note

Google Widevine is currently not available in China regions.

Note

No new features or functionality are being added to Media Services v2.
Check out the latest version, Media Services v3. Also, see the migration guidance from v2 to v3.

You can use Azure Media Services to secure your media from the time it leaves your computer through storage, processing, and delivery. With Media Services, you can deliver your live and on-demand content encrypted dynamically with Advanced Encryption Standard (AES-128) or either of the two major digital rights management (DRM) systems: Microsoft PlayReady and Apple FairPlay. Media Services also provides a service for delivering AES keys and DRM (PlayReady and FairPlay) licenses to authorized clients.

The following image illustrates the Media Services content protection workflow:

(Figure: Protect with PlayReady)

This article explains the concepts and terminology needed to understand content protection with Media Services. It also provides links to articles that discuss how to protect content.

Dynamic encryption

You can use Media Services to deliver your content encrypted dynamically with AES clear key or with DRM encryption using PlayReady or FairPlay. Currently, you can encrypt the HTTP Live Streaming (HLS), MPEG-DASH, and Smooth Streaming formats. Encryption of progressive downloads is not supported. Each encryption method supports the following streaming protocols:

  • AES: MPEG-DASH, Smooth Streaming, and HLS
  • PlayReady: MPEG-DASH, Smooth Streaming, and HLS
  • FairPlay: HLS

To encrypt an asset, you need to associate an encryption content key with the asset and configure an authorization policy for that key. Content keys can be specified by you or generated automatically by Media Services.

You also need to configure the asset's delivery policy. If you want to stream a storage-encrypted asset, make sure to specify how you want it delivered by configuring the asset delivery policy.

When a player requests a stream, Media Services uses the specified key to dynamically encrypt the content with AES clear key or DRM encryption. To decrypt the stream, the player requests the key from the Media Services key delivery service. To decide whether the user is authorized to receive the key, the service evaluates the authorization policies you specified for that key.

AES-128 clear key vs. DRM

Customers often wonder whether they should use AES encryption or a DRM system. The primary difference between the two is that with AES encryption the content key is transmitted to the client in an unencrypted format ("in the clear"). As a result, the key used to encrypt the content can be read in plain text from a network trace on the client. AES-128 clear key encryption is suitable for use cases where the viewer is a trusted party (for example, encrypting corporate videos distributed within a company to be viewed by employees).

PlayReady and FairPlay both provide a higher level of protection than AES-128 clear key encryption. The content key is transmitted in an encrypted format. Additionally, decryption is handled in a secure environment at the operating system level, where it is more difficult for a malicious user to attack. DRM is recommended for use cases where the viewer might not be a trusted party and you require the highest level of security.

Storage encryption

You can use storage encryption to encrypt your clear content locally with AES 256-bit encryption. You can then upload it to Azure Storage, where it is stored encrypted at rest. Assets protected with storage encryption are automatically decrypted and placed in an encrypted file system prior to encoding. The assets are optionally re-encrypted before being uploaded back as a new output asset. The primary use case for storage encryption is securing your high-quality input media files with strong encryption at rest on disk.

To deliver a storage-encrypted asset, you must configure the asset's delivery policy so that Media Services knows how you want the content delivered. Before the asset can be streamed, the streaming server decrypts it and streams the content using the specified delivery policy (for example, AES, common encryption, or no encryption).

Types of encryption

PlayReady uses common encryption (AES CTR mode). FairPlay uses AES CBC-mode encryption. AES-128 clear key encryption uses envelope encryption.

License and key delivery service

Media Services provides a key delivery service for delivering DRM (PlayReady and FairPlay) licenses and AES keys to authorized clients. You can use the Azure portal, the REST API, or the Media Services SDK for .NET to configure authorization and authentication policies for your licenses and keys.

Control content access

You can control who has access to your content by configuring the content key authorization policy. The content key authorization policy supports either open or token restriction.

Open authorization

With an open authorization policy, the content key is sent to any client (no restriction).

Token authorization

With a token-restricted authorization policy, the content key is sent only to a client that presents a valid JSON Web Token (JWT) or Simple Web Token (SWT) in the key/license request. This token must be issued by a security token service (STS). You can use Azure Active Directory as the STS or deploy a custom STS. The STS must be configured to create a token signed with the specified key and carrying the claims you specified in the token restriction configuration. The Media Services key delivery service returns the requested key/license to the client if the token is valid and the claims in the token match those configured for the key/license.

When you configure the token-restricted policy, you must specify the primary verification key, issuer, and audience parameters. The primary verification key is the key the token was signed with. The issuer is the security token service that issues the token. The audience, sometimes called scope, describes the intent of the token or the resource the token authorizes access to. The Media Services key delivery service validates that these values in the token match the values in the template.
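The following Python example, added here and not part of the original page or of Media Services itself, models the checks a token-restricted key delivery would apply to an HS256-signed JWT: signature against the primary verification key, issuer, audience, expiry, and the required claims. The STS URL, audience string, claim name and shared secret are constructed placeholders, and the verifier is a standalone illustration rather than the service's actual implementation.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed sample values for this example (not real Media Services settings).
PRIMARY_VERIFICATION_KEY = b"constructed-shared-secret-at-least-32-bytes!!"
ISSUER = "https://sts.example.invalid"                 # hypothetical STS
AUDIENCE = "urn:example:media-key-delivery"           # hypothetical audience/scope
REQUIRED_CLAIMS = {"urn:example:entitlement": "premium"}  # hypothetical token restriction claims


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(key, claims):
    """Stand-in for the STS: build a compact JWT signed with HMAC-SHA256."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    signature = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(signature)}"


def key_delivery_allows(token, key, issuer, audience, required, now=None):
    """Return (allowed, reason): the checks a token-restricted policy implies."""
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed token"
    head, body, sig = parts
    if json.loads(_b64url_decode(head)).get("alg") != "HS256":
        return False, "unexpected alg"  # pin the algorithm; never trust the header's choice
    expected = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        return False, "bad signature"   # verify before reading any claim
    claims = json.loads(_b64url_decode(body))
    if claims.get("iss") != issuer:
        return False, "issuer mismatch"
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        return False, "audience mismatch"
    if claims.get("exp", 0) <= (now if now is not None else time.time()):
        return False, "token expired"
    for name, value in required.items():
        if claims.get(name) != value:
            return False, f"claim {name} mismatch"
    return True, "ok"
```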

Streaming URLs

If your asset was encrypted with more than one DRM, use an encryption tag in the streaming URL: (format='m3u8-aapl', encryption='xxx').

The following considerations apply:

  • No more than one encryption type can be specified.
  • The encryption type does not have to be specified in the URL if only one encryption was applied to the asset.
  • The encryption type is case insensitive.
  • The following encryption types can be specified:
    • cenc: for PlayReady (common encryption)
    • cbcs-aapl: for FairPlay (AES CBC encryption)
    • cbc: for AES envelope encryption

Next steps

The following articles describe next steps to help you get started with content protection: