Why and How to Encrypt Video Streams for Browser Playback

Preface

This article only discusses encryption for streaming protocols used in browsers.

1 Why Encrypt Video

Paid video model : Platforms rely on paid viewing; illegal copying threatens revenue, so encryption is crucial.

What video encryption means : Prevent easy download of protected videos; even if downloaded, the content remains encrypted and costly to decrypt.

Complete prevention of screen recording is impossible because decryption occurs on the client, but the goal is to raise the cost of obtaining the original content.

2 Common Video Encryption Techniques

Anti‑hotlinking : Only verified users can access the video; easy to download, not true encryption.

Encrypting the video itself : Use symmetric encryption; users obtain a decryption key after authentication, then decrypt and play on the client.

Usually both are combined; this article focuses on the second method.

3 Principles of Stream‑Media Encryption

Streaming can be on‑demand (VOD) or live. VOD can be downloaded fully or streamed; live must be streamed.

Encrypting whole files is straightforward; encrypting streaming media is less common and more complex.

Common browser streaming protocols:

HLS – Apple’s HTTP‑based MP4 fragment protocol (not strictly a streaming protocol).

HTTP‑FLV – HTTP long‑connection FLV fragment protocol.

RTMP – TCP‑based FLV fragment protocol for Flash.

Stream‑Media Encryption Core

Each small video fragment is encrypted with a symmetric algorithm; the server provides the key, and only authorized clients can decrypt each fragment.

Why Not Use HTTPS

HTTPS provides transport‑level asymmetric encryption to prevent eavesdropping, but video encryption aims to protect the video content itself, not just the transmission.

Why Choose Symmetric Encryption

Symmetric algorithms are fast and suitable for large, real‑time media streams, whereas asymmetric algorithms are slower and suited for small data.

4 HLS Encryption

HLS is the most mature protocol that supports encryption in browsers.

Built on HTTP, easy to adopt.

Chunking benefits CDN acceleration.

Native support in some browsers for VOD and live.

Drawbacks:

High latency for live streams.

Limited desktop support (only Safari natively); mobile support varies.

HLS Encryption Mechanism

HLS consists of an .m3u8 index file and .ts video segments. The client fetches the .m3u8, parses it, and downloads encrypted .ts files.

Example of an encrypted .m3u8 file:

<code>#EXTM3U
#EXT-X-VERSION:6
#EXT-X-TARGETDURATION:10
#EXT-X-MEDIA-SEQUENCE:26
#EXT-X-KEY:METHOD=AES-128,URI="https://priv.example.com/key.do?k=1"
#EXTINF:9.901,
http://media.example.com/segment26.ts
#EXT-X-KEY:METHOD=AES-128,URI="https://priv.example.com/key.do?k=2"
#EXTINF:9.501,
http://media.example.com/segment28.ts</code>

The KEY tag provides the URL to obtain the decryption key (e.g.,

https://priv.example.com/key.do

) and the algorithm (AES‑128). For each TS segment the client must request the key, perform decryption, and handle additional network and compute overhead.

HLS Encryption Practical Steps

Modify the HLS server to encrypt TS segments and add the EXT‑X‑KEY tag to the .m3u8.

Provide an authentication service that returns the decryption key at the URL referenced by EXT‑X‑KEY.

Many cloud services support HLS encryption; you can also use

nginx‑rtmp‑module

to build your own.

Compatibility Solutions

Desktop browsers without native HLS (e.g., IE) can use Flash via the open‑source

flashls

project.

Modern browsers without native HLS (e.g., Chrome) can use the Media Source Extensions API via

hls.js

.

Older mobile browsers lacking both options have no reliable solution.

Cracking HLS Encryption

To obtain the original video you could:

Purchase a legitimate account.

Capture all network requests (filter for HLS and key requests).

Save encrypted TS segments and their keys.

Write a script that uses the .m3u8 index to decrypt each TS segment and concatenate them.

The difficulty is moderate.

5 Summary

Stream‑media encryption is still immature; HLS offers the most mature solution, while other protocols lack robust encryption support. RTMP’s variant RTMPE provides similar encryption, but server‑side implementations are scarce.