AES-128 Encryption – extra followup

[dougw]

I get S3Bubble is making AES-128 Encrypted segments.

However, after pouring over the AWS Elastic documentation, its my understanding (although very poor hence my question) that S3Bubble and Streamium website, are currently giving away the private keys, right?

What I take away from the AWS Elastic documentation, it seems like S3Bubble is storing the private key in the *.key file in each stream folder. So for example, the private key is stored in the 240P.key, 360p.key, 480p.key, 720p.key 1080p.key files. However, this *.key file is in a public bucket, no? At a minimum, whichever method I then implemented to restrict access to a user (paywall or the like), if a user was granted access to the media in this bucket, wouldn’t they then have access to the private key as well?

Thanks
Doug

[s3bubble]

Hi Doug,

Nothing is set to public within the process everything is secured via a bucket policy (without Cloudfront) or a WAF firewall in front on the Cloudfront distirbution.

Everything is set to a private Canonical user id on encryption.

Best Regards

Sam

[dougw]

First thanks for everything you are doing. If you want to add a good looking paywall, then I am good to go and will only use S3Bubble. However, right now, that’s not the case, so I am trying to make S3Bubble work with other products, so please forgive my under the hood questions. I am happy to take this to e-mail offline if I am pushing too hard for the ‘secret sauce”

I am clearly missing something about AES encryption / decryption.

I have set up a Streamium website, and put a few encrypted videos up. If I go to the website from a new computer (so not Canonical AWS user), I can easily view the encrypted content. So that leaves a few questions:

1) Does AES work on as two key system? A public and Private?
2) What is the *.key file (360p, 480p, 720p.key) Is that a public or private key?
3) Where is the other key stored… based on answer 2.
4) I am not clear how bucket policies effect users abilities to access the keys. Are you able with bucket polices to prevent the *.key from being download while allowing access to other files?

Doug

PS. I am turning over a life’s amount of work, so I want to make sure its secure before committing to one vendor. As you have pointed out in your videos, a lot of vendors toss around the words security, but the videos are not. I get there is AES128 encryption going on here, but if I don’t have my developers implement it properly, all this effort is a waste.

[s3bubble]

Hi Doug,

There is no “secret sauce” so feel free to keep pushing, but you are searching for an answer from us saying yes you could download it this way, which we can’t answer because we ourselves cannot achieve this but feel free to try.

Can you explain this in more detail.

I have set up a Streamium website, and put a few encrypted videos up. If I go to the website from a new computer (so not Canonical AWS user), I can easily view the encrypted content. So that leaves a few questions:

You should be able to view the encrypted content from any computer can you download it? playback from anything? take this video.

http://streamiumtheme.com/comedy/encrypted-video/

You can inspect element and take a look at the segments.

So the process if you want to try.

1. First, you will need to download all the thousands of .ts files.
2. You will then need to decrypt each individual segment.
3. Then you will need to bind all the .ts segments
4. Output as a video formatted file.

(You need to think who would go through all this trouble when people could effectively use screengrab software which there is no solution to, Netflix, Amazon Prime Video etc cannot solve this)

As always with the web and emerging tech people could find ways around setups there are people that dedicate their whole life’s to this just to say they can, but there is also people that prevent this when they happen (s3bubble) so for now I would be content with the level of security.

Please don’t take this as me being blunt I understand you need validation 😉

For paywall we suggest these plugins.

https://codecanyon.net/item/woocommerce-membership/8746370
https://codecanyon.net/item/subscriptio-woocommerce-subscriptions/8754068
https://woocommerce.com

Security is a huge aspect of online video streaming but getting users to pay for your content and happily get other users to pay because the content is something they want is much more important.

• User experience
• Quality content
• Regularly updated content
• Cross platform support
• Mobile apps
• Smart tv

like every aspect of life you always get the handful of people determined to be a pain and want everything in life for free.

Best Regards

Sam

• This reply was modified 7 years, 2 months ago by s3bubble.
• This reply was modified 7 years, 2 months ago by s3bubble.
• This reply was modified 7 years, 2 months ago by s3bubble.
• This reply was modified 7 years, 2 months ago by s3bubble.
• This reply was modified 7 years, 2 months ago by s3bubble.
• This reply was modified 7 years, 2 months ago by s3bubble.

[brazilianaire]

I am curious as well.

James

[Author]

Posts