Tech Paper "How Teleport Media secures video delivery for OTT services"
Five scenarios of protection against stream swapping andunauthorized use
It may sound unusual, but OTT service doesn’t just mean a quality video service. It also means taking care of the video content — its safety, reliability of storage, and the absence of leaks or, imagine that, the substitution of original content with something else while streaming.
Teleport Media decentralized CDN provides several levels of protection against unauthorized access to the service and to the content, against attempts to disrupt content distribution or substitute the content that users are watching on their devices. Let’s see closely how do they work.
There are five scenarios of video content protection we maintain:
Protection against unauthorized access to the Teleport Media service.
Protection of data channels (both service data and transmitted content) from eavesdropping, interception, and spoofing by third parties or applications.
On-device protection against unauthorized content copying by the viewer.
On-device protection against unauthorized access of a third-party device for copying the content.
On-device protection of viewers against the malicious substitution of original content with other content.
Protection against unauthorized access to Teleport Media service
Each of the viewer devices running teleport. js in a browser, let’s name it "viewer script", can access Teleport Media CDN, meaning the Teleport Media backend servers and other viewer devices are running viewer script only after a successful authorization on a Gateway. Each viewer script must provide a properly registered and valid digital key to be authorized.
Digital keys are created by the Teleport Media customers in the dashboard. Each of the digital keys is bonded to a certain domain. With the domain verification procedure, the customer creates a domain-key pair. An unlimited number of digital keys can be issued to a domain.
This digital key is used during the initialization of the viewer script on the web page where it is installed by the customer. At the time of the first call to the Gateway, the digital key is checked to see if it matches the domain from which this call was sent. The digital key is extracted from the viewer’s script authorization request, while the domain is extracted from the ORIGIN header, which is generated by the browser, thus neither the viewer nor the viewer script can forge it.
This is how Gateway certifies that the particular device requesting the access to Teleport Media service is running the viewer script in the browser on the particular domain owned by the customer and that the digital key to the service has not been revoked by the customer. If the viewer’s script is using its digital key on another domain, if any device tries to access without the ORIGIN header, or tries to access without a digital key, or using a revoked key, and in case of any other violation of the authorization protocol, the access to Teleport Media network will not be granted.
Upon successful authorization, the viewer’s script receives a JWT token signed by the ESDSA digital signature of the Gateway. This JWT is then used by the viewer script when accessing all other Teleport Media services.
Protection of data channels
Interaction of viewer scripts with Gateway and all other Teleport Media services is performed via encrypted SSL protocol. This prevents eavesdropping, interception, or substitution of the digital keys, ORIGIN headers, JWT tokens, and any other data by malicious actors.
Viewer scripts' interaction with each other, including exchanging service messages, receiving and transmitting video, is performed via WebRTC protocol with DTLS encryption, which is the standard method of encrypting communications via WebRTC. This prevents eavesdropping, interception, or substitution of service messages and transmitted video files by malicious actors.
Content protection from unauthorized copying
The viewer script serves as a proxy server for requests from the video player to the URLs of the video chunks given in the manifest file. Thus, the viewer script receives video chunks in the format in which they are stored on the default CDN. No processing of these files takes place in the viewer script itself. In particular, if the video chunks are DRM-protected, the viewer script does not retrieve and store the keys that would decrypt the chunks, thus it can not decrypt the chunks.
To store the downloaded video chunks, the viewer script reserves and uses areas of the viewer’s device memory that are inaccessible to any other application. In particular, these areas are inaccessible for viewing with in-browser developer tools. No video segments are ever saved to HDD. This protects video chunks received by the viewer script from being copied and saved to the viewer’s device.
Content protection from unauthorized download by another device
All devices running the viewer script must be authorized on the Gateway in order to be able to establish a connection with each other. To open a WebRTC connection the device must use a valid JWT signed by the Gateway. So no device that hasn’t been authorized by Teleport Media gateway has the chance of establishing a WebRTC connection to a device that has been properly authorized. If there is no chance to open the WebRTC session, there is no capability to receive video content by an unauthorized malicious actor.
Preventing content substitution
All authorized viewer scripts using the Teleport Media coordinating servers are grouped together to view the same video stream. Requests to download a particular video chunk are generated by hashing the URL of the chunk. When downloading a video chunk, the viewer script compares the checksum of the received file to a reference checksum that the viewer script receives from all other viewer scripts (not just the one from which the download is originating).
In this way, we achieve the following levels of security:
Viewer scripts cannot "accidentally" or "by mistake" connect to viewer scripts that are viewing another broadcast.
Viewer scripts cannot "accidentally" or by "mistake" receive a mismatched chunk of the same broadcast instead of the video chunk they are requesting.
If a viewer script "accidentally" or by "mistake" or as a result of malicious actions receives a file with a checksum that does not match the reference one, this file is discarded and the video chunk is downloaded from the default CDN.
The scenarios described here work for any type of video content — LIVE, Catch Up, VOD; and for any device and operating system in browser or mobile (under certain conditions for a desired level of effectiveness). They are achieved through a combination of DRM, encryption, watermarking and a unique proprietary cloud-based CAS. In addition, Teleport Media CDN is compatible with any latest generation web and mobile video player. All to make our customers maximize profits from the premium content while reaching global audiences and securing their streams.
If you have any questions or you’d like to discuss a customized solution for your video service, simplycontact us, we’ll be happy to help!
Select a convenient time slot if you’d like to arrange Teleport Media Product Demo withour CEO — Andy Klimenko, you’re very welcome!