Microsoft Azure Media Services and Content Protection

Mingfei Yan (@mingfeiy)

Senior Program Manager - Azure Media Services – yanmf@microsoft.com

Microsoft Azure

Agenda

•Overview of Microsoft Azure and Azure media services

• Typical media workflow• Encoding

• Dynamic packaging

• Indexer

• Content Protection• Hosted AES and PlayReady License delivery

• Dynamic encryption

• Live streaming

16 Regional Data Centers

29 CDN Super POPs

Azure is an open and flexible cloud platform that

enables you to quickly build, deploy and manage

applications across a global network of Microsoft-

managed datacenters. You can build applications

using any language, tool or framework. And you

can integrate your public cloud applications with

your existing IT environment.

Microsoft Azure

What is Azure?

Azure enables you to easily scale applications to

any size. It is a fully automated self-service

platform that allows you to provision resources

within minutes- Elastically grow or shrink your

resource usage based on your needs. You only pay

for the resources your application uses. Azure is a

available in multiple datacenters around the world,

enabling you to deploy your applications close to

your costumers.

Unlimited servers. Unlimited storage.

Azure delivers a 99.95% compute SLA and enables

you to build and run highly available applications

without focusing on the infrastructure. It provides

automatic OS and service patching, built in network

load balancing and resiliency to hardware failure. It

supports a deployment model that enables you to

upgrade your application without downtime.

Always up. Always on.

Digital media landscape is always changing:The Challenge & The Opportunity

Huge capital investment requiredVideo is the new currency

H.264

HLS

DASH

Azure Media Services

Microsoft’s cloud platform now enables on

demand and live streaming video solutions

for consumer and enterprise scenarios.

Introducing

Azure Media Services

Plus a growing

ecosystem of value-add

third party partner

components

Live &

On Demand

Streaming

Content Protection

Encoding, Packaging,

and Indexing

Cloud Upload & Storage

Scalable components for

building custom media

workflows in the cloud

What do we meanby Azure Media Services?

Player

Clients

Integrated

CDN

7

What you can do with Media Services

Enterprise video

management

Distribute and manage

corporate communications, IT,

HR content and training.

Web video for digital

marketing platforms

Services and tools for video

preparation, management and

publishing.

Live and Premium on-

demand streaming

Reach hundreds of millions of

device endpoints.

Wide Adoption

Premium video

on-demand

content,

broadcasts & live

event streaming,

online video

platforms for web

and mobile,

enterprise video

management….

And more!

Subscription Video Service

"With Microsoft

Azure, we instantly

have a scalable

video encoding

platform. We can

spin up hundreds

of encoding servers

when needed and

let them go when

the job is done."

-Jon Robinson

Group Head of IT,

blinkbox

Live to Video-on-Demand

“The functionality

and power behind

Microsoft Azure really

helped us develop,

implement, scale and

launch a video-

capable website in

near record time.”

-Chris Witmayer, Director

of Broadcast, Production

and New Media Tech,

NASCAR Production

NBC Sports streams Super Bowl XLIX live on Azure

Plus a growing

ecosystem of value-add

third party partner

components

Live &

On Demand

Streaming

Content Protection

Encoding, Packaging,

and Indexing

Cloud Upload & Storage

Scalable components for

building custom media

workflows in the cloud

What do we meanby Azure Media Services?

Player

Clients

Integrated

CDN

• Elastically scale to support lots of parallel jobs

• Pay only for what you use, charged per Output GB

• Manage via Azure Portal, API, or Azure Explorer Desktop Tool

Azure Media Encoding Features

• Broadcast/Studio quality video and audio formats • Video - H.264, MXF, DVCPro, MPEG2 TS, WMV, De-interlacing

• Audio - AC3/Dolby Digital+, AAC,-LC, Multi Language Tracks

• SD, HD, or 4K AVC content

• Closed Captioning Support

Access to the capacity and

performance that you need for

bursting to the cloud.Basic Standard Premium

ENCODER PERFORMANCE

Demo

Azure management portal

Dynamic packagingAllows you to re-use your encoded content and bring it to various streaming formats without repackaging the content.

Video sources Multi-bitrates Mp4Origin Server

HLS

Smooth

Streaming

Encode

Video sources Multi-bitrates Mp4

Or Smooth AssetOrigin Server

HLS

v3, v4

Smooth

Streaming

Encode

Dynamic

Packaging

Traditional Encode and Package

Dynamic Packaging

MPEG

DASH

HDS

Formats

http{media services account name}.origin.mediaservices.net/{locator ID}/{filename}.ism/Manifest(format=mpd-time-csf)

Streaming Locator

Format Syntax

Smooth Streaming

MPEG DASH (format=mpd-time-csf)

Apple HTTP Live Streaming (HLS) V4 (format=m3u8-aapl)

Apple HTTP Live Streaming (HLS) V3 (format=m3u8-aapl-v3)

HDS (for Adobe PrimeTime/Access licensees only) (format=f4m-f4f)

bit.ly/playerdemo

Azure Media Player

Cross platform

JavaScript based player, detecting platform, provides best experience

Defaults to open standards where possible

Will switch to different packaging depending on platform

Knows how to request streams from Azure Media Services

“just works” experience

Aka.ms/azuremediaplayer

Media Services APIs and SDKs REST API for all platformsReference: http://msdn.microsoft.com/en-us/library/windowsazure/hh973617.aspx

.NET library Nuget package: https://nuget.org/packages/windowsazure.mediaservices

GitHub: https://github.com/Azure/azure-sdk-for-media-services

Extensions for .NET SDK: https://github.com/sazure/azure-sdk-for-media-services-extensions

PHP Library GitHub: https://github.com/windowsazure/azure-sdk-for-php

Open Tech blog with demo: http://msopentech.com/blog/2014/01/23/ms-open-technologies-enhances-open-source-php-sdk-windows-azure/

JAVA library http://www.windowsazure.com/en-us/develop/java/java-home Windows / Mac / Linux

GitHub: https://github.com/windowsazure/azure-sdk-for-java/

PowerShell cmdletsHow to use: http://www.gtrifonov.com/2013/08/24/how-to-use-windows-azure-powershell-for-media-services/

Node.js libraryGitHub: https://github.com/fritzy/node-azure-media

Introducing Azure Media Indexer

Natural Language Processing technology

Catalogue vast content libraries

Generate transcripts from multimedia

Will support OCR, multiple languages, Search, Deep linking

Used by The Washington Post, NASA/JPL, and many others

Media Intelligence and Content Enhancements

Demo

Azure Media Services Indexer (link)

Azure Media Content Protection

Encrypt Smooth Streaming content with PlayReady protection via common encryption scheme (CENC), and the option of packaging it into HLS or DASH. PlayReady technology allows you to define restrictive licensing agreement to manage user access rights to your media.

Source: IDC Successful Cloud Partners 2013

Microsoft PlayReady®

Who should use this feature:

Premium studio content or high business impact content: Key is encrypted and decryption happens in a secure DRM decoder environment

How to choose the best content protection method

Encrypt on-the-wire communication using the widely-known symmetric AES encryption algorithm. An authentication service for key is provided.

Source: IDC Successful Cloud Partners 2013

AES Clear Key encryption

Who should use this feature:

Trusted audience or time-valued content: Key is stored in clear format so it can only be used with trusted users or content that has time value associated with it. Used to prevent “man-in-the-middle” attacks

Dynamic Packaging and Dynamic Encryption

Video sourcesSmooth Streaming

Origin Server

Smooth

Streaming

+ PlayReady

Encode

Dynamic

Packaging

Static encryption

DASH

+ CENC

PlayReady

Smooth Streaming

+ PlayReady

Encryption

Video sources Multi-bitrates Mp4

Or Smooth Asset

Origin Server

HLS

+ AES or PlayReady

Smooth

Streaming

+ AES or PlayReady

Encode

Dynamic

Packaging and

Encryption

Dynamic Encryption

DASH

+ CENC

Storage

• MP4

Define:

Streaming

Endpoint

PlayReady/ AES Key Services

Token

verificationPlayReady License/

AES Key

Customer’s

Auth system

Content KeyAuthorization policy(Token/IP/Open, license template)

assetAsset Delivery policy (HLS with AES) or

(Smooth Streaming with PlayReady)

Client SDK

Customers

Architecture – Dynamic Encryption with AES/PlayReady

JWT Token Acquisition

When and for how long is it valid?

(Unix time, secs since 1st Jan 1970)Who is it intended for?Who issued the token?

JWT Tokens can be generated by anyone and require at minimum:

Issuer Audience Expiration

HMAC SHA-256 (symmetric key) or RSA SHA-256 (asymmetric key, x509 certificate)

{ "aud":"https://contoso.com/relyingparty",

"iss":"https://contoso.accesscontrol.windows.net/",

"nbf":1336067338,"exp":1336070938,"nameid":"frankm",

"identityprovider":"contoso.com",“role”: [ “admin”, “user” ]}

• Header.Claim[.Claim].Signature

• Signed with symmetric or assymetric

key

Not Before

{"typ":"JWT","alg":"HS256"}

_3dZQ6cmmFgrZ_-VmOLrr7CHne3Xdko_WtE6-Je5Ihw

Player Your Backend

Authenticate UserGive back signed JWT token

Symmetric/Asymetric key, used to configure

key auth policy with

JWT Token

Configure Player to use Token

AMS Key Service

Check token from Authheader/parameters

Player plays media &

decrypts with key

Token Workflow

Demo

Dynamic encryption for on-demand

Playback with Smooth and DASH

A No-Code Easy UI way

to use Media Services

Releasehttp://aka.ms/amse

Source codehttps://github.com/Azure/Azure-Media-Services-Explorer

Blog posthttp://azure.microsoft.com/blog/2014/10/08/managing-media-workflows-with-the-new-azure-media-services-explorer-tool

Features

Assets

Upload from local, watch folder, batch, drag & drop

Import from Azure, http (S3)

Download and export to Azure

Information & report, asset files management

Processing

Encode with AME, AME Advanced, Zenium

Call Content Indexer, or any processor

Job template, priority, information & report

Publish

Dynamic encryption

License & key delivery setup

SAS and Origin locators

Playback the content

Live

Create/Manage/Delete live channels and programs

Channel

Azure Load Balancer

Blob Storage

Preview URL

Program URL

Ingest:Ingest endpoint to accept Live streams with

different bitrates (RTMP/smooth streaming)

through load balancer

Convert ingest data to fMP4

(e.g. RTMP fMP4)

Forwards the stream to all preview end-points

Preview:Receives stream from Ingest

Forwards to Program

Exposes Preview URL (for monitoring)

Program:Writes it to Blob Storage for Archive/DVR

Dynamic package into HLS, Smooth and DASH

Dynamic Encryption with AES or Playready

StorageFMP4

Streaming Endpoint

Client SDK

Players

Architecture: Live Streaming with dynamic encryption

ChannelProgram

Multi-bitrate RTMP/Smooth

Preview- monitoring

PlayReady license/ AES Key Services

Token Authentication

PlayReady License/ AES Key

Customer’s Auth system

Azure

Azure Storage Streaming EndpointChannel

IngestURL

PreviewURL

Wirecast

RTMP

Smooth,DASH or

HLS

Live Streaming Demo

Playback

AMS Explorer

Demo

Live streaming with content protection

Content Protection – Hybrid modes

35

Dynamic Encryption PlayReady license delivery

Cloud with Azure Media Services

Hybrid with your own server with Azure Media Services

Hybrid with Azure Media Services with your own server

Key Takeaways

• Media Services are easy, flexible, and powerful

• Customers can reach any device using any protocol

• Partner ecosystem: easily build-in or build-on

• Content protection across all clients

• Pay for what you use, easy to understand billing

• Any media, on any device, delivered from the cloud

Resourceswww.azure.com/mediaReceive $200 Azure Credit when you sign up

Content Protection documentation

http://msdn.microsoft.com/en-us/library/azure/dn282272.aspx

Sample code

https://github.com/AzureMediaServicesSamples

Mingfei’s blog

http://mingfeiy.com/

Email me at yanmf@Microsoft.com