Microsoft Azure Media Services and Content Protection
Mingfei Yan (@mingfeiy)
Senior Program Manager - Azure Media Services – [email protected]
Microsoft Azure
Agenda
•Overview of Microsoft Azure and Azure media services
• Typical media workflow• Encoding
• Dynamic packaging
• Indexer
• Content Protection• Hosted AES and PlayReady License delivery
• Dynamic encryption
• Live streaming
16 Regional Data Centers
29 CDN Super POPs
Azure is an open and flexible cloud platform that
enables you to quickly build, deploy and manage
applications across a global network of Microsoft-
managed datacenters. You can build applications
using any language, tool or framework. And you
can integrate your public cloud applications with
your existing IT environment.
Microsoft Azure
What is Azure?
Azure enables you to easily scale applications to
any size. It is a fully automated self-service
platform that allows you to provision resources
within minutes- Elastically grow or shrink your
resource usage based on your needs. You only pay
for the resources your application uses. Azure is a
available in multiple datacenters around the world,
enabling you to deploy your applications close to
your costumers.
Unlimited servers. Unlimited storage.
Azure delivers a 99.95% compute SLA and enables
you to build and run highly available applications
without focusing on the infrastructure. It provides
automatic OS and service patching, built in network
load balancing and resiliency to hardware failure. It
supports a deployment model that enables you to
upgrade your application without downtime.
Always up. Always on.
Digital media landscape is always changing:The Challenge & The Opportunity
Huge capital investment requiredVideo is the new currency
H.264
HLS
DASH
Azure Media Services
Microsoft’s cloud platform now enables on
demand and live streaming video solutions
for consumer and enterprise scenarios.
Introducing
Azure Media Services
Plus a growing
ecosystem of value-add
third party partner
components
Live &
On Demand
Streaming
Content Protection
Encoding, Packaging,
and Indexing
Cloud Upload & Storage
Scalable components for
building custom media
workflows in the cloud
What do we meanby Azure Media Services?
Player
Clients
Integrated
CDN
7
What you can do with Media Services
Enterprise video
management
Distribute and manage
corporate communications, IT,
HR content and training.
Web video for digital
marketing platforms
Services and tools for video
preparation, management and
publishing.
Live and Premium on-
demand streaming
Reach hundreds of millions of
device endpoints.
Wide Adoption
Premium video
on-demand
content,
broadcasts & live
event streaming,
online video
platforms for web
and mobile,
enterprise video
management….
And more!
Subscription Video Service
"With Microsoft
Azure, we instantly
have a scalable
video encoding
platform. We can
spin up hundreds
of encoding servers
when needed and
let them go when
the job is done."
-Jon Robinson
Group Head of IT,
blinkbox
Live to Video-on-Demand
“The functionality
and power behind
Microsoft Azure really
helped us develop,
implement, scale and
launch a video-
capable website in
near record time.”
-Chris Witmayer, Director
of Broadcast, Production
and New Media Tech,
NASCAR Production
Plus a growing
ecosystem of value-add
third party partner
components
Live &
On Demand
Streaming
Content Protection
Encoding, Packaging,
and Indexing
Cloud Upload & Storage
Scalable components for
building custom media
workflows in the cloud
What do we meanby Azure Media Services?
Player
Clients
Integrated
CDN
• Elastically scale to support lots of parallel jobs
• Pay only for what you use, charged per Output GB
• Manage via Azure Portal, API, or Azure Explorer Desktop Tool
Azure Media Encoding Features
• Broadcast/Studio quality video and audio formats • Video - H.264, MXF, DVCPro, MPEG2 TS, WMV, De-interlacing
• Audio - AC3/Dolby Digital+, AAC,-LC, Multi Language Tracks
• SD, HD, or 4K AVC content
• Closed Captioning Support
Access to the capacity and
performance that you need for
bursting to the cloud.Basic Standard Premium
ENCODER PERFORMANCE
Dynamic packagingAllows you to re-use your encoded content and bring it to various streaming formats without repackaging the content.
Video sources Multi-bitrates Mp4Origin Server
HLS
Smooth
Streaming
Encode
Video sources Multi-bitrates Mp4
Or Smooth AssetOrigin Server
HLS
v3, v4
Smooth
Streaming
Encode
Dynamic
Packaging
Traditional Encode and Package
Dynamic Packaging
MPEG
DASH
HDS
Formats
http{media services account name}.origin.mediaservices.net/{locator ID}/{filename}.ism/Manifest(format=mpd-time-csf)
Streaming Locator
Format Syntax
Smooth Streaming
MPEG DASH (format=mpd-time-csf)
Apple HTTP Live Streaming (HLS) V4 (format=m3u8-aapl)
Apple HTTP Live Streaming (HLS) V3 (format=m3u8-aapl-v3)
HDS (for Adobe PrimeTime/Access licensees only) (format=f4m-f4f)
bit.ly/playerdemo
Azure Media Player
Cross platform
JavaScript based player, detecting platform, provides best experience
Defaults to open standards where possible
Will switch to different packaging depending on platform
Knows how to request streams from Azure Media Services
“just works” experience
Aka.ms/azuremediaplayer
Media Services APIs and SDKs REST API for all platformsReference: http://msdn.microsoft.com/en-us/library/windowsazure/hh973617.aspx
.NET library Nuget package: https://nuget.org/packages/windowsazure.mediaservices
GitHub: https://github.com/Azure/azure-sdk-for-media-services
Extensions for .NET SDK: https://github.com/sazure/azure-sdk-for-media-services-extensions
PHP Library GitHub: https://github.com/windowsazure/azure-sdk-for-php
Open Tech blog with demo: http://msopentech.com/blog/2014/01/23/ms-open-technologies-enhances-open-source-php-sdk-windows-azure/
JAVA library http://www.windowsazure.com/en-us/develop/java/java-home Windows / Mac / Linux
GitHub: https://github.com/windowsazure/azure-sdk-for-java/
PowerShell cmdletsHow to use: http://www.gtrifonov.com/2013/08/24/how-to-use-windows-azure-powershell-for-media-services/
Node.js libraryGitHub: https://github.com/fritzy/node-azure-media
Introducing Azure Media Indexer
Natural Language Processing technology
Catalogue vast content libraries
Generate transcripts from multimedia
Will support OCR, multiple languages, Search, Deep linking
Used by The Washington Post, NASA/JPL, and many others
Media Intelligence and Content Enhancements
Encrypt Smooth Streaming content with PlayReady protection via common encryption scheme (CENC), and the option of packaging it into HLS or DASH. PlayReady technology allows you to define restrictive licensing agreement to manage user access rights to your media.
Source: IDC Successful Cloud Partners 2013
Microsoft PlayReady®
Who should use this feature:
Premium studio content or high business impact content: Key is encrypted and decryption happens in a secure DRM decoder environment
How to choose the best content protection method
Encrypt on-the-wire communication using the widely-known symmetric AES encryption algorithm. An authentication service for key is provided.
Source: IDC Successful Cloud Partners 2013
AES Clear Key encryption
Who should use this feature:
Trusted audience or time-valued content: Key is stored in clear format so it can only be used with trusted users or content that has time value associated with it. Used to prevent “man-in-the-middle” attacks
Dynamic Packaging and Dynamic Encryption
Video sourcesSmooth Streaming
Origin Server
Smooth
Streaming
+ PlayReady
Encode
Dynamic
Packaging
Static encryption
DASH
+ CENC
PlayReady
Smooth Streaming
+ PlayReady
Encryption
Video sources Multi-bitrates Mp4
Or Smooth Asset
Origin Server
HLS
+ AES or PlayReady
Smooth
Streaming
+ AES or PlayReady
Encode
Dynamic
Packaging and
Encryption
Dynamic Encryption
DASH
+ CENC
Storage
• MP4
Define:
Streaming
Endpoint
PlayReady/ AES Key Services
Token
verificationPlayReady License/
AES Key
Customer’s
Auth system
Content KeyAuthorization policy(Token/IP/Open, license template)
assetAsset Delivery policy (HLS with AES) or
(Smooth Streaming with PlayReady)
Client SDK
Customers
Architecture – Dynamic Encryption with AES/PlayReady
JWT Token Acquisition
When and for how long is it valid?
(Unix time, secs since 1st Jan 1970)Who is it intended for?Who issued the token?
JWT Tokens can be generated by anyone and require at minimum:
Issuer Audience Expiration
HMAC SHA-256 (symmetric key) or RSA SHA-256 (asymmetric key, x509 certificate)
{ "aud":"https://contoso.com/relyingparty",
"iss":"https://contoso.accesscontrol.windows.net/",
"nbf":1336067338,"exp":1336070938,"nameid":"frankm",
"identityprovider":"contoso.com",“role”: [ “admin”, “user” ]}
• Header.Claim[.Claim].Signature
• Signed with symmetric or assymetric
key
Not Before
{"typ":"JWT","alg":"HS256"}
_3dZQ6cmmFgrZ_-VmOLrr7CHne3Xdko_WtE6-Je5Ihw
Player Your Backend
Authenticate UserGive back signed JWT token
Symmetric/Asymetric key, used to configure
key auth policy with
JWT Token
Configure Player to use Token
AMS Key Service
Check token from Authheader/parameters
Player plays media &
decrypts with key
Token Workflow
A No-Code Easy UI way
to use Media Services
Releasehttp://aka.ms/amse
Source codehttps://github.com/Azure/Azure-Media-Services-Explorer
Blog posthttp://azure.microsoft.com/blog/2014/10/08/managing-media-workflows-with-the-new-azure-media-services-explorer-tool
Features
Assets
Upload from local, watch folder, batch, drag & drop
Import from Azure, http (S3)
Download and export to Azure
Information & report, asset files management
Processing
Encode with AME, AME Advanced, Zenium
Call Content Indexer, or any processor
Job template, priority, information & report
Publish
Dynamic encryption
License & key delivery setup
SAS and Origin locators
Playback the content
Live
Create/Manage/Delete live channels and programs
Channel
Azure Load Balancer
Blob Storage
Preview URL
Program URL
Ingest:Ingest endpoint to accept Live streams with
different bitrates (RTMP/smooth streaming)
through load balancer
Convert ingest data to fMP4
(e.g. RTMP fMP4)
Forwards the stream to all preview end-points
Preview:Receives stream from Ingest
Forwards to Program
Exposes Preview URL (for monitoring)
Program:Writes it to Blob Storage for Archive/DVR
Dynamic package into HLS, Smooth and DASH
Dynamic Encryption with AES or Playready
StorageFMP4
Streaming Endpoint
Client SDK
Players
Architecture: Live Streaming with dynamic encryption
ChannelProgram
Multi-bitrate RTMP/Smooth
Preview- monitoring
PlayReady license/ AES Key Services
Token Authentication
PlayReady License/ AES Key
Customer’s Auth system
Azure
Azure Storage Streaming EndpointChannel
IngestURL
PreviewURL
Wirecast
RTMP
Smooth,DASH or
HLS
Live Streaming Demo
Playback
AMS Explorer
Content Protection – Hybrid modes
35
Dynamic Encryption PlayReady license delivery
Cloud with Azure Media Services
Hybrid with your own server with Azure Media Services
Hybrid with Azure Media Services with your own server
Key Takeaways
• Media Services are easy, flexible, and powerful
• Customers can reach any device using any protocol
• Partner ecosystem: easily build-in or build-on
• Content protection across all clients
• Pay for what you use, easy to understand billing
• Any media, on any device, delivered from the cloud
Resourceswww.azure.com/mediaReceive $200 Azure Credit when you sign up
Content Protection documentation
http://msdn.microsoft.com/en-us/library/azure/dn282272.aspx
Sample code
https://github.com/AzureMediaServicesSamples
Mingfei’s blog
http://mingfeiy.com/
Email me at [email protected]