Asset protection through Tokenisation

Owned by Olivier Grenet
Last updated: Aug 01, 2022
4 min read

In some cases, system integrators need to protect a video asset from being publicly accessible : the asset is played from an intranet, or a form needs to be filled to get access to the video.

To cover this use case, the Wedia DAM offers player protection through tokens.

Token-based authentication mechanisms are commonly used across the Internet as security to validate user rights. Token Authentication security prevents a Media Services stream from link sharing and/or player hijacking attacks by ensuring that the stream is only delivered to the authenticated user.

This feature is based on hybrid tokens that are generated using a “trusted shared secret” between the content owner and our network—a primary token is short-lived and is used to secure a playlist; while an available secondary cookie token is long-lived and valid for the play time of the media content in order to protect subsequent segments that are delivered after the manifest file.

 

The embedded player from Wedia is called from the originating website (intranet, public website) using a token. Before allowing the player to start, the Wedia DAM checks for the token validity. If the token is valid, the video starts, if it is not, an error message is displayed.

 

In order to ensure Video broadcasting through tokenisation, 3 conditions must be met :

  1. Tokenisation is activated by Wedia on your DAM instance : please contact your account manager to enable this feature.
    Wedia Account Managers have access to this restricted page describing the setup : https://crossmedia.atlassian.net/wiki/spaces/WD/pages/2055798785

  2. Wedia DAM Security rules calculate the conditions to secure an asset : security rules can test a property values, or multiple properties and return a true / false to the DAM, to know if the asset should be secured by a token or not.

  3. In the external website, a special process must be included by web developers / system integrators to generate valid tokens that are appended to the player embed code.

Wedia rely upon Akamai EdgeAuth technology for token generation.

 

Choosing which videos will be secured by Tokenization

Not all videos may be secured through tokenisation : Wedia system integrators can create dedicated rules to calculate if a given video should be secured or not.

The security rule is called : mediacloud/tokenize and will return “true” if the video should be accessed through tokenization :

This rule must be calculated using only properties of the asset : you cannot use any “surfer” properties in this rule, as the surfer is unknown.

Generating valid tokens in the external website

 

To generate valid calls to a tokenized player embed code, a web developer will require :

  1. A secret key, provided by Wedia

  2. A library in your programming language of choice to generate valid tokens based on this secret key.

Secret Key

The secret key is provided by your account manager at Wedia.

This key should be never be exposed to public consumption, it is used on a server environment only.

We recommend using environnement variables to store it.

Token Generation Library

Wedia offers librairies for generating tokens for the following programming languages :

  • PHP

  • C#

  • Go

  • Perl

  • Erlang

  • C

They are available through a private GIT repository. Please contact your Account Manager to get access.

wediaproduct / media-cloud-tokenisation / misc / AkamaiToken — Bitbucket

Due to the sensible nature of the token generation process, we have no current plan to publish this information publicly.

Time window token validity

Token generated are time-bombed, meaning that they are only valid a certain amount of time.

The duration of the validity is set up during the token generation by the token generation method.

The validity is equal to : start_time + window.

The unit of the timeframe is the second.

The default “window” timespan defaults to 300 seconds, but can be set-up during token generation by setting the window parameter, or using the set_window method.

The default “start time” defaults to the timestamp of the token generation, by can be set up using the set_start_time method.

 

PHP Sample code

Here is a typical PHP code that will append a valid token to the query string of the player, valid for a time window of 7200 seconds.

Signing function such as “generate_token" are included by the Wedia provided library available in the aforementioned Git repository

function wediaTokenGeneratorTokenize($url, $tokenSecretKey) { $timestamp = time(); $window = 7200; $tokenParameterName = 'RequestToken'; $path = parse_url($url, PHP_URL_PATH); $acl = $path.'*'; $c = new Akamai_EdgeAuth_Config(); $g = new Akamai_EdgeAuth_Generate(); $c->set_window($window); $c->set_start_time($timestamp); $c->set_acl($acl); $c->set_algo("sha256"); $c->set_key($tokenSecretKey); $token = $g->generate_token($c); $url = trim($url, '?'); if(strpos($url, "?") === false) { $returnUrl = sprintf("%s?%s=%s", $url, $tokenParameterName, ($token)); }else{ $returnUrl = sprintf("%s&%s=%s", $url, $tokenParameterName, ($token)); } return $returnUrl; }