Considering AES video encryption for your assets at rest and during delivery? Curious on the merits of AES-256 vs AES-128 for video?
A security audit, a systematic evaluation of the security of an organization’s information system, can measure many things to see how it conforms to established practices and criteria. In relation to video, this can include virtually every state of the content, from data at rest to in transit. This article covers what is video encryption, explains AES (Advanced Encryption Standard) and why it’s discussed about what bit key is ideal to use for video within enterprise video platforms and other use cases.
- What is video encryption?
- What is data at rest?
- What is data in transit?
- AES encryption for video data
- How does AES work?
- AES key sizes
- AES-256 vs AES-128
- AES video encryption at IBM Watson Media
- Encryption and video security
What is video encryption?
At its essence, video encryption is the process of hiding video from unintended audiences. When working appropriately, it protects data so that it’s watched and accessed just by intended parties. Usually this goes hand-in-hand with other methods to restrict access to content, be it password protection to just placing an embed restricted version of the asset to your site. This is done through encrypting the asset in some manner in order to prevent snooping attacks where access to video could be compromised through a network tap and sniffer technologies. It can also include encrypting stored content, going as far as to protect assets in the event of a physical hard drive or database being compromised on location.
There are a couple of different ways to encrypt content, and several different states that data can be in as well. For the topic of video storage, the common state for these assets is data at rest and also data in transit during delivery to an end viewer.
What is data at rest?
Very briefly, data at rest is essentially information or assets that aren’t moving through a network. This includes content stored locally, like a video saved on a laptop, and assets that might be saved on databases.
What is data in transit?
Data in transit is information flowing over a network. In the context of video, it’s the delivery of video to an endpoint for playback. It is different from data in use, which is data that might be in the process of being generated, updated or removed.
AES encryption for video data
When it comes to encrypting video data at rest or in transit, one solution is to do this through AES. Now AES is a symmetric block cipher that can be implemented in software, hardware and other processes to encrypt sensitive data. It’s the successor to DES (Data Encryption Standard), which was actually developed by researchers at IBM in the early 1970’s. The need for a new standard arose from DES’ susceptibility to brute force attacks, which is still noted in recent articles as a cautionary tale to those still using it.
How does AES work?
To safeguard assets, AES basically takes a key and some data (plaintext) as an input and then transforms that into something random, known as ciphertext. This can be anything from part of a document to part of a video asset. Now to get something meaningful out of that ciphertext, AES and the same key used to transform it are required to turn it back into plaintext.
In relation to video in transit specifically, the content is encrypted in a way so that access requires being decoded by authorized players in browsers where the stream is delivered using HTTPS (HTTP over SSL/TLS). This is done through symmetric-key algorithm, which again requires the same key to be used for both encrypting and decrypting the data to get something meaningful from it.
Now that key is actually a number, and functions as a security method because of the huge amount of different combinations that it could be. The number of combinations depends on what key length or size is used.
AES key sizes
AES comes in three different key sizes: 128, 192 and 256 bits. The naming conventions relate to the number of combinations that the key could be. So an AES-128 bit key has 2^128 different possibilities while an AES-256 bit key has 2^256 different number possibilities. To be blunt, that’s a huge pool of numbers that it could be. To better visualize it, 2^128 is actually the following number and the amount of different numbers that the key might be for AES-128:
As expected, the AES-192 and AES-256 bit keys have even more combinations they could be compared to AES-128.
AES-256 vs AES-128
Naturally, a question will arise of which type of AES key should be used to encrypt video assets. This often translates into the question of which one offers superior encryption. On that note, the more possibilities offered by the larger keys would translate into something that is harder to compromise with a brute force attack. However, a school of thought is that an AES-128 bit key is already “hard enough” to crack. That is to say there are already so many number possibilities that a brute force attack in virtually all scenarios wouldn’t work in a reasonable amount of time even with an AES-128 bit key. Although someone might wonder what is considered a reasonable amount of time in this context.
To that point, it has been, rather humorously, projected from a Seagate study on AES-128 bit key protection that to crack it through a brute force attack would take 77,000,000,000,000,000,000,000,000 years for half the possibilities to be tested. While that already might seem daunting, it gets even more ludicrous when one factors in that this estimate was under the assumption that it would also take 7 billion people with each using ten computers at a rate of testing 1 billion key combinations per second on each. Keep in mind, this projection is centered on the task of cracking a single AES-128 bit key. To crack a different AES-128 bit key would take the same amount of time.
Now this is for an AES-128 bit key. To crack an AES-256 bit key using the same method would take even longer. That said, the AES-128 bit key already takes far longer than a reasonable amount of time to crack. As a result, it’s been debated on the merits of using one versus another. While this article won’t weigh in on the “correct answer” to that question, it can be said that an argument for one over the other can also be made by external requirements. For example, in 2015, the NSA stopped recommending AES-128 bit keys for top secret documents, which placed a lot of attention on the AES-256 bit key. For what it’s worth, the actual page recommending AES-256 versus other AES bit keys was removed, which is why a Wayback Machine article is linked to above. Regardless of circumstances, though, the action has led to certain organizations demanding AES-256 bit keys, which for many can be a valid enough reason in itself to use it over smaller bit keys.
AES Video Encryption at IBM Watson Media
For those who want to start utilizing AES on their video content, a solution can be to go with a service that already uses this technology to safeguard video assets.
With IBM’s video streaming and enterprise video streaming offerings, both content at rest and in transit is encrypted using the AES-256 bit key. Video content is stored at rest through dm-crypt using the LUKS AES-256 bit key. For assets in transit, during delivery, they are encrypted through AES-256 via SSL (Secure Sockets Layer).
Encryption and video security
Encryption is one component of an overall video strategy: safeguarding assets for just those permitted for playback. However, it’s up to the content owner to control what this means, and who is allowed to actually watch the content under the concept that the encryption is protecting it. To that point, this can range from simple embed restrictions that state it has to be viewed from a specific URL to utilizing SSO (Single Sign On) based corporate directories.
For more details on this and other methods, like geo-blocking, check our Video Access: Password Protection & Restriction article.
AES offers a way to encrypt video content for both assets at rest and in transit, protecting those assets in the process. As noted, AES also requires a tremendous amount of time to compromise through brute force attacks. On the topic of the better bit key for AES, much of this discussion revolves around the NSA suggesting the use of AES-256 bit key. This has led some industries and organizations to mandate its use, negating the discussion in general for many. For those who have a luxury of choosing, AES-256 is harder to crack. While it does consume more resources, the trade off is often minimal and the increased security is often seen as more futureproof.
From more information on this topic, and on the greater concept of video security, also be sure to check out our What to Know About Encrypted Video Streaming white paper.