This repository contains a end-to-end solution to show how dynamic AES 126 encryption works within a single Visual Studio Solution. You can find my blogpost here.
You will find 3 projects in the project:
-
ADFS-Mockup
This is a very easy ADFS mockup using IdentityServer4. I used IdentityServer to simply show how authentication works, such that you don't have to set up your own ADFS to just try out this demo.
-
CMS
This is a very simple CMS Mockup. User can sign in to the CMS as one of two pre-configured users and see different videos regarding the position of the user in the company. Here you can also see how a man-in-the-middle attack is prohibited. If the client opens a video URL of a video without the rights to view it, you will get an error.
-
AMS-Setup
This project is to setup your Azure Media Services Account: upload your videos as assets, encode them and specify the encryption details for the assets.
-
Download two videos: Navigate to the folder Solution Items and just run "Download_Videos.cmd". This will download two different Azure Media Services videos that will be uploaded to your AMS account.
-
In the folder Solution Items, set your own Azure Media Services account details in the "Setup_Environment.cmd" and run it.
-
Specify AMSsetup as startup project and run it.
-
Specify CMS and ADFS-Mockup as Startup Projects and run the solution.
-
Take a look at how authentication goes :)
Imagine a company. The CMS is an intranet application to show training videos to the employees. There are two types of employees in the company: "normal" employees and employees who work in the management. The training content for the management is different, focusing on videos about compliance, company goals and reporting. The "normal" staff should not be able to see the videos dedicated to the management.
To realize this, I created two clients in IdentityServer:
- A "normal" employee, called staff. This employee can view all videos in the scope "Staff". * Username: StaffName * Password: pdw1
- An employee working in the management. This employee can only view videos in the scope "Management".
* Username: ManagementName * Password: pwd2
You should recognize:
- You should see different videos when you perform the login to the CMS with the two different users. (The videos of Azure Media Services are very similar, but in fact different.)
- If you copy the video URL while logged in as a Management employee and try to view it as Staff employee, you will get an error.
What is happening inside?
1. AMSSetup
- Uploading of the video files to AMS as assets. Videos are also saved in the database mockup VideoDatabase.json.
- Encoding of the assets.
- Setup of the AES Encryption. Here you can find a detailed explanation.
2. Client performs Log-in to the CMS (Browser):
- Client wants to access the CMS with username and password.
- CMS redirects the client to ADFS-Mockup (IdentitiyServer).
- ADFS-Mockup verfies username and client secret. If successful, IdentityServer returns a bearer token.
- Client uses Bearer Token to get access to the CMS.
- Client get's access to the video page. The videos are encrypted.
3. Decryption of the videos: Videos must be decrypted before the client can see them.
- Determine the role (staff|management) of the client via the session.
- Query the video database to get all videos for the client's role (staff|management).
- Create JWT Token. It is used to get the decryption key of the video from Azure Media Key Services.
- Client can see videos regarding his role (staff|management).