How video
encryption/decryption works

Private files, that can be accessed only by particular NFT owners

How does it work?

When a user uploads a video via the Freeport Creator Suite UI and Freeport Creator Suite API, it is encoded using HLS into streamable chunks. Each chunk is then encrypted and stored in the DDC. This process is supported out of the box by the Media SDK

Key Derivation

Each video file gets an individual DEK (Encryption/Decryption Key) derived from a Master DEK which is used to encrypt and decrypt the video. Each chunk also gets it’s own individual DEK which is derived from the Video DEK using a nonce.

• Master DEK: Stored in the secure vault and injected into the Freeport API. This is used to derive each Video DEK
• Video DEK: Each individual video gets its own DEK that is derived from the Master DEK. The nonce used to derive this DEK (instead of the DEK itself) is stored in the DB so that the Video DEK can be recreated.
• Chunk x DEK: Each individual chunk in a video file gets its own DEK which is derived from the Video DEK using a nonce. The nonce for each chunk is encoded in the playlist file.
  

Client Side Video Decryption

To decrypt a video on the client-side, the user must first request the DEK for the video that they wish to decrypt. The decryption process is supported out of the box via the EncryptedVideoPlayer component

1. Fetch the Video DEK associated with the content being retrieved
2. Fetch the root playlist file from the DDC (not encrypted)
3. Fetch the playlist file for the associated quality that is desired (not encrypted)
4. For each chunk, the nonce for the DEK is encoded in the chunk name as chunk/enc_<nonce>_<cid> , for example:
   1. chunk/enc_0x01decbcb3f8908d885b5a5663c8786f73c240dc4ed94df55_baebb4iddto7txzjtxwsmriyghknrrzhcnjroevdlngcmdllb7orluhl4wy
5. The DEK for the chunk can be calculated using a Blake2 Hash

6. The DEK for the chunk can be calculated using a Blake2 Hash

Server Side Encryption

If client side encryption cannot be done, the same process as above is executed on the server side, and the decrypted content is streamed directly to the user. To enable server-side streaming on most devices, a streamKey solution is used.

This is supported using the EncryptedVideoPlayer with the serverside property enabled

How to show case it?

This is more advanced option that can be also used on top of the Cere stack. High-level steps should be taken to achieve the goal:

• Mint the NFT using Freeport Creator Suite and upload the content
• Integrate the Media SDK to the application, using the guide.
• Distribute your NFT to any of your application users, so they will be able to watch the Video Stream.