Secure CMAF HLS streams using Common Encryption (CBCS) in Wowza Streaming Engine

With Wowza Streaming Engine 4.8.28 and later, you can protect live CMAF-packetized HLS streams using the CBCS scheme of Common Encryption.

In this context, Wowza Streaming Engine doesn't function as a CBCS key server. It encrypts and delivers live content on the fly via the SAMPLE-AES encryption method, where individual audio and video samples in an HLS chunk are encrypted using AES-128 encryption. Currently, this feature doesn't support integrations with third-party DRM systems.

This page explains how to secure your CMAF HLS streams using CBCS and assumes familiarity with CBCS encryption.

Note: The protocol and security specifics for Apple devices are covered in detail in the Internet Engineering Task Force draft-pantos-hls-rfc8216bis-15 specification.

Before you start


Before you start with this workflow, make sure to consider the following:

  • Configure a live application to deliver CMAF HLS streams and select the CMAF Packetizer and Apple HLS playback type. 
  • We recommend getting unencrypted CMAF HLS live streaming working before adding the encryption layer.
  • CBCS encryption for CMAF HLS streams supports only H.264 and HEVC/H.265 encoded streams.

Create your key file


Follow the steps in this section to create a key file and enable on-the-fly CBCS encryption for your CMAF HLS live streams. Key files are text files located in the [install-dir]/keys directory.

  1. For each stream you would like to encrypt, create a key file in the [install-dir]/keys folder.
  • The key file name must match the name of the stream you want to protect and should include a .key extension. For example, to encrypt a live stream named myStream, create a key file with the path [install-dir]/keys/myStream.key.
  • With CMAF HLS adaptive bitrate streams referenced in SMIL files, you must create a key file specific to each stream. For example, if a sample.smil references myStream_360p and myStream_720p, create key files at the [install-dir]/keys/myStream_360p.key and [install-dir]/keys/myStream_720p.key paths.
  • Similarly, this naming convention applies when you want to transcode and encrypt a stream. You need to create a separate key file and name it to match the outgoing stream name for the transcoded stream. For example, myStream_360p.key should be added to encrypt a transcoded myStream_360p stream.
  2. For CBCS encryption, add the following properties to the key file. Values are placeholders and must be replaced with your own.

    cmafstreaming-cenc-scheme: cbcs
    cmafstreaming-cenc-iv: ecd0d06eaf884d8226c33928e87efa33
    cmafstreaming-cenc-iv-include-in-chunklist: t
    cmafstreaming-cenc-key-id: 12345DCF-7F93-4B8E-85C7-F908840DA059
    cmafstreaming-cenc-url: www.myexampledomain/myStream/key
    cmafstreaming-cenc-content-key: Hh8gISIjJCUmJx4fICEiIw==

Each item in the key file is defined as follows:

  • cmafstreaming-cenc-scheme – Required. For CBCS encryption, set this value to cbcs. Possible values include cenc (AES-CTR) for use with MPEG-DASH and CMAF MPEG-DASH encryption and cbcs (AES-CBC) for use with HLS and CMAF HLS encryption.
  • cmafstreaming-cenc-iv – Required. Determines the Initialization Vector (IV) to use for encryption. The value is read in hexadecimal format and can be prefixed with 0x. It must be 32 characters in length, excluding the leading 0x.
  • cmafstreaming-cenc-iv-include-in-chunklist – Optional. Determines if the IV is included in the HLS #EXT-X-KEY tag. Accepted values are true or t (default for CBCS) and false or f (default for CENC).
  • cmafstreaming-cenc-key-id – Required. Specifies the key ID for this asset.
  • cmafstreaming-cenc-url – Required. Identifies the URL to be added to the #EXT-X-KEY tag in the HLS playlist. The player uses this URL to fetch the key and decrypt the stream content.
  • cmafstreaming-cenc-content-key – Required. Identifies the actual 128-bit encryption key, encoded using Base64. Used for the encryption of each segment.

Note: You can use the genkey utility to generate key files. A key file with a different key is generated each time you run this utility. You can integrate this utility into an automated workflow to create many .key files for a video library. For information, see Using genkey.
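
A pre-flight check for the key file properties defined above, as an added example that is not part of Wowza Streaming Engine or its genkey utility. The function names parse_key_file and check_key_file are hypothetical, and the only rules enforced are the ones stated on this page.

```python
import base64
import re

REQUIRED = ("scheme", "iv", "key-id", "url", "content-key")
PREFIX = "cmafstreaming-cenc-"

def parse_key_file(text):
    """Parse 'name: value' lines; split on the first colon so URLs survive."""
    props = {}
    for line in text.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip().startswith(PREFIX):
            props[name.strip()[len(PREFIX):]] = value.strip()
    return props

def check_key_file(text):
    """Return a list of problems; empty means the CBCS rules listed above are met."""
    props = parse_key_file(text)
    problems = [f"missing {PREFIX}{n}" for n in REQUIRED if not props.get(n)]
    if props.get("scheme") not in (None, "", "cbcs"):
        problems.append("scheme must be cbcs for CMAF HLS")
    iv = props.get("iv", "")
    hexpart = iv[2:] if iv.lower().startswith("0x") else iv
    if iv and not re.fullmatch(r"[0-9a-fA-F]{32}", hexpart):
        problems.append("iv must be 32 hex characters, optionally prefixed with 0x")
    key = props.get("content-key", "")
    if key:
        try:
            raw = base64.b64decode(key, validate=True)
        except ValueError:  # binascii.Error is a subclass of ValueError
            raw = b""
        if len(raw) != 16:
            problems.append("content-key must be Base64 of exactly 16 bytes")
    if props.get("iv-include-in-chunklist", "t") not in ("true", "t", "false", "f"):
        problems.append("iv-include-in-chunklist must be true, t, false or f")
    return problems

# The page's placeholder key file, then a constructed broken variant of it.
GOOD = """cmafstreaming-cenc-scheme: cbcs
cmafstreaming-cenc-iv: ecd0d06eaf884d8226c33928e87efa33
cmafstreaming-cenc-iv-include-in-chunklist: t
cmafstreaming-cenc-key-id: 12345DCF-7F93-4B8E-85C7-F908840DA059
cmafstreaming-cenc-url: www.myexampledomain/myStream/key
cmafstreaming-cenc-content-key: Hh8gISIjJCUmJx4fICEiIw==
"""
BAD = GOOD.replace("cbcs", "cenc").replace("e87efa33", "e87e").replace("ICEiIw==", "")

if __name__ == "__main__":
    print(check_key_file(GOOD), check_key_file(BAD), sep="\n")
```

Base64 is an encoding, not protection, so the .key file holds the content key in the clear and its read permissions matter.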

Send your stream to Wowza Streaming Engine


With a key file in place, the associated CMAF HLS stream is encrypted using CBCS encryption before it's delivered. You can continue your setup by sending your stream to Wowza Streaming Engine.

  1. Start a stream and send it to your Wowza Streaming Engine server. For more about publishing live streams, see Connect a live source to Wowza Streaming Engine.
  2. To verify your incoming stream, check your application's Incoming Streams page. Incoming adaptive bitrate streams include the transcoded versions of your stream.
  3. When CMAF packetization begins for live streaming, you'll see a message similar to the following in the log files:

LiveStreamPacketizerCmaf.init[myApplication/_definst_/myStream]: Encrypt CMAF: key-id:F6005DCF-7F93-4B8E-85C7-F977740DA059

Verify CMAF HLS CBCS encryption


After you send your CMAF-packetized HLS stream to Wowza Streaming Engine and the stream is active, you can query information about the content of the stream. Use the following steps to verify that your CMAF HLS stream is CBCS-encrypted.

  1. Open a Command Prompt or Terminal on the server running Wowza Streaming Engine while the stream is active.
  2. Run the following cURL command to return the stream details:

    curl http://localhost:1935/my-cmaf-hls-live-application/_definst_/myStream/playlist.m3u8

  3. The command returns the stream details, including the active media playlist (chunklist):

    #EXTM3U
    #EXT-X-VERSION:3
    #EXT-X-MEDIA:TYPE=AUDIO,NAME="myStream",DEFAULT=YES,GROUP-ID="audioGroup",URI="chunklist_w274565415_ao.m3u8"
    #EXT-X-STREAM-INF:BANDWIDTH=2920892,CODECS="avc1.64001f,mp4a.40.2",RESOLUTION=1232x704,AUDIO="audioGroup"
    chunklist_w274565415_vo.m3u8

  4. Run another cURL command to view the segments in the CMAF HLS media playlist:

    curl http://localhost:1935/my-cmaf-hls-live-application/_definst_/myStream/chunklist_w274565415_vo.m3u8

  5. The result shows the video segments in the playlist, as well as the EXT-X-KEY tag with information for decrypting media segments. With this information, you can confirm the encryption method, the location of the decryption key, and the IV:

    #EXTM3U
    #EXT-X-VERSION:6
    #EXT-X-SERVER-CONTROL:CAN-SKIP-UNTIL=54.0
    #EXT-X-INDEPENDENT-SEGMENTS
    #EXT-X-TARGETDURATION:9
    #EXT-X-MEDIA-SEQUENCE:1794
    #EXT-X-MAP:URI="header_w274565415_vo_m3u8.cmfv"
    #EXT-X-KEY:METHOD=SAMPLE-AES,URI="https://www.myexampledomain/myStream/key",IV=0x12345631313131313131313131313131
    #EXTINF:8.133,
    media_w274565415_vo_1794_m3u8.cmfv
    #EXTINF:6.7,
    media_w274565415_vo_1795_m3u8.cmfv
    #EXTINF:6.733,
    media_w274565415_vo_1796_m3u8.cmfv
    #EXTINF:8.767,
    media_w274565415_vo_1797_m3u8.cmfv
    #EXTINF:6.667,
    media_w274565415_vo_1798_m3u8.cmfv
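
The check in the last step can be scripted. This added example (not Wowza code; ext_x_key_tags and check_chunklist are hypothetical names) parses the #EXT-X-KEY tag of a chunklist and checks the method, key URI and IV. The https:// requirement is an assumption of this example, and the chunklists are constructed from the page's placeholder values.

```python
import re

ATTR = re.compile(r'([A-Z0-9-]+)=("[^"]*"|[^,]*)')

def ext_x_key_tags(playlist):
    """Return the attributes of every #EXT-X-KEY tag as dicts, quotes removed."""
    prefix = "#EXT-X-KEY:"
    return [{k: v.strip('"') for k, v in ATTR.findall(line.strip()[len(prefix):])}
            for line in playlist.splitlines() if line.strip().startswith(prefix)]

def check_chunklist(playlist, expected_iv=None):
    """Return a list of problems in the chunklist's encryption signalling."""
    tags = ext_x_key_tags(playlist)
    if not tags:
        return ["no #EXT-X-KEY tag: the chunklist does not signal encryption"]
    want = (expected_iv or "").lower()
    want = want[2:] if want.startswith("0x") else want
    problems = []
    for attrs in tags:
        if attrs.get("METHOD") != "SAMPLE-AES":
            problems.append(f"METHOD is {attrs.get('METHOD')}, expected SAMPLE-AES")
        # Added check, not a Wowza rule: the player fetches the content key from this URI.
        if not attrs.get("URI", "").lower().startswith("https://"):
            problems.append("key URI is not https://")
        iv = attrs.get("IV", "")
        if iv and not re.fullmatch(r"0[xX][0-9a-fA-F]{32}", iv):
            problems.append("IV is not 0x plus 32 hex characters")
        elif iv and want and iv[2:].lower() != want:
            problems.append("IV differs from the key file")
    return problems

# Constructed chunklists built from the placeholder values shown on this page.
ENCRYPTED = """#EXTM3U
#EXT-X-VERSION:6
#EXT-X-MAP:URI="header_w274565415_vo_m3u8.cmfv"
#EXT-X-KEY:METHOD=SAMPLE-AES,URI="https://www.myexampledomain/myStream/key",IV=0xecd0d06eaf884d8226c33928e87efa33
#EXTINF:8.133,
media_w274565415_vo_1794_m3u8.cmfv
"""
CLEAR = ENCRYPTED.replace(ENCRYPTED.splitlines()[3] + "\n", "")
WEAK = ENCRYPTED.replace("SAMPLE-AES", "AES-128").replace("https://", "http://")

if __name__ == "__main__":
    for name, text in (("ENCRYPTED", ENCRYPTED), ("CLEAR", CLEAR), ("WEAK", WEAK)):
        print(name, check_chunklist(text, "ecd0d06eaf884d8226c33928e87efa33"))
```

Passing the IV from the key file as expected_iv confirms that the chunklist was produced from the key file you intended. When cmafstreaming-cenc-iv-include-in-chunklist is false, the tag carries no IV and that comparison is skipped.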

Test CMAF HLS CBCS-encrypted playback


After confirming your CMAF HLS stream is encrypted, you can test playback using these instructions. Only Safari and Apple native players on macOS, iPhone, and iPad devices support playback of CMAF HLS CBCS-encrypted streams. When the key URL is included in the EXT-X-KEY tag, the player downloads the key from the URI and decrypts the content before playing it back.
