Opencast Matterhorn Stream Security

Post on 07-Aug-2015


Stream Security: Signing URLs

Opencast Conference - 25 March 2015

Basil Brunner, Software Engineer

Adam McKenzie, Software Engineer

for the open minded


01 Principles of Stream Security: How the Magic Works

Why Do I Need Stream Security?

Someone posts a link to the video file directly on Facebook instead of to the video player / portal

Someone figures out a way to get all of the video URLs from the streaming server and starts downloading videos from classes they aren’t even in

Someone is removed from a class and shouldn’t have access to the video streams anymore, but still has the links

How Does it Work Now?

Video Player / Portal -> Opencast: Get Video URLs
Opencast -> Video Player / Portal: Video URLs
Video Player / Portal -> Streaming / Download Server: Get Video With Provided URL

How Would it Work?

Video Player / Portal -> Matterhorn: Get Video URLs (Stream or Download)
Matterhorn -> Video Player / Portal: Signed Video URLs
Video Player / Portal -> Streaming / Download Server: Get Videos With Signed URL

02 Requests and Responses

Stream Security URLs

A signed URL carries three query parameters:

Policy: what stream? when? for whom?

Signature: SHA-256 HMAC of the Policy, computed with the secret key

Secret Key ID: which key was used

Policy Components

Resource: the video stream being played

DateLessThan: when the video stream will expire, e.g. Thu, 26 Mar 2015 14:00:00 GMT -> 1427378400000 (Unix epoch milliseconds)

DateGreaterThan: when the video will become available (optional), e.g. Thu, 26 Mar 2015 12:00:00 GMT -> 1427371200000

IpAddress: the client’s IP address (optional)

Policy JSON

{
  "Statement": {
    "Condition": {
      "DateGreaterThan": 1427371200000,
      "DateLessThan": 1427378400000,
      "IpAddress": "10.0.0.1"
    },
    "Resource": "sample.mp4"
  }
}

Policy Query String Parameter

The policy JSON is serialized compactly:

{"Statement":{"Condition":{"DateGreaterThan":1427371200000,"DateLessThan":1427378400000,"IpAddress":"10.0.0.1"},"Resource":"sample.mp4"}}

The signing service Base64 encodes it (URL safe, no padding):

eyJTdGF0ZW1lbnQiOnsiQ29uZGl0aW9uIjp7IkRhdGVHcmVhdGVyVGhhbiI6MTQyNzM3MTIwMDAwMCwiRGF0ZUxlc3NUaGFuIjoxNDI3Mzc4NDAwMDAwLCJJcEFkZHJlc3MiOiIxMC4wLjAuMSJ9LCJSZXNvdXJjZSI6InNhbXBsZS5tcDQifX0

Creating Signature

{"Statement":{"Condition":{"DateGreaterThan":1427371200000,"DateLessThan":1427378400000,"IpAddress":"10.0.0.1"},"Resource":"sample.mp4"}}

One-way keyed hash: SHA-256 HMAC over the policy with the secret key, then Base64 encoded (URL safe)

RGVTN1daeXIvcEdZMkdqd08zWlZvN1I1VE01d2xtVGhSSEw4dDZ6TjhkWT0

Example URL Signing

Unsigned:

rtmp://wowza.server.com/matterhorn-engage/sample.mp4

Signed:

rtmp://wowza.server.com/matterhorn-engage/sample.mp4?policy=eyJTdGF0ZW1lbnQiOnsiQ29uZGl0aW9uIjp7IkRhdGVHcmVhdGVyVGhhbiI6MTQyNzM3MTIwMDAwMCwiRGF0ZUxlc3NUaGFuIjoxNDI3Mzc4NDAwMDAwLCJJcEFkZHJlc3MiOiIxMC4wLjAuMSJ9LCJSZXNvdXJjZSI6InNhbXBsZS5tcDQifX0&keyId=theId&signature=RGVTN1daeXIvcEdZMkdqd08zWlZvN1I1VE01d2xtVGhSSEw4dDZ6TjhkWT0

03 How to Configure Stream Security: Opencast Integration

Secret Key IDs

The administrator configures the same key and ID on both Opencast and the streaming server:

key.1=0123456789abcdef
id.1=theId
url.1=http://mh-wowza

key.2=abcdef0123456789
id.2=theOtherId
url.2=rtmp://mh-wowza

Secret Key IDs

New service properties files in etc/services:

GenericUrlSigningProvider.properties: signs the full URL

WowzaUrlSigningProvider.properties: formats the resource for Wowza

Opencast Architecture

Within Opencast, a request for an episode flows through:

Search Service: get episode media package (MP)
ChainingMediaPackageSerializer: serialize MP
SigningMediaPackageSerializer
UrlSigningProvider: produces the signed URL

Plugins That Verify Signed URLs

The plugin on the streaming / download server checks the signed URL in this order:

All params are okay, otherwise Bad Request

Policy, signed with the key, matches the signature, otherwise Forbidden

IP, if in the policy, matches the client, otherwise Forbidden

It is after start and before end, otherwise Gone

All checks pass: Stream / Download Video
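The signing steps from the "Requests and Responses" slides (compact policy JSON, URL-safe Base64, SHA-256 HMAC, the three query parameters) and the verification order of the plugin slide, worked through as an added Python example. This is not code from Opencast, Matterhorn or the Wowza plugin. Assumptions: the Resource is the file name (the Wowza-style formatting); the signature is a single URL-safe Base64 encoding of the raw HMAC bytes without padding (the deck's example signature string decodes to a standard-Base64 string, i.e. it was encoded twice, so a verifier must use exactly the encoding its signer uses); the two demo keys are the ones from the configuration slide; an unknown keyId counts as a bad parameter. The function names (sign_url, verify_url, forge_policy_keep_signature) are mine. The policy encoding reproduces the deck's policy query string byte for byte.

```python
import base64
import hashlib
import hmac
import json
from urllib.parse import parse_qs, urlencode, urlparse

# Secret keys shared by Opencast and the streaming server, keyed by key ID.
# The values are the two demo keys from the configuration slide; a real
# deployment uses long random secrets.
KEYS = {"theId": b"0123456789abcdef", "theOtherId": b"abcdef0123456789"}


def b64url(data: bytes) -> str:
    """Base64 URL-safe without padding, the form the deck's policy string uses."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url: restore the stripped padding, then decode."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_policy(resource, date_less_than, date_greater_than=None, ip_address=None):
    """Compact policy JSON in the deck's field order, no whitespace."""
    condition = {}
    if date_greater_than is not None:
        condition["DateGreaterThan"] = date_greater_than
    condition["DateLessThan"] = date_less_than
    if ip_address is not None:
        condition["IpAddress"] = ip_address
    statement = {"Condition": condition, "Resource": resource}
    return json.dumps({"Statement": statement}, separators=(",", ":"))


def sign_policy(policy_json: str, key_id: str) -> str:
    """SHA-256 HMAC over the policy text with the chosen key, Base64 URL-safe.
    Assumption: encoded once (the deck's sample value was encoded twice)."""
    mac = hmac.new(KEYS[key_id], policy_json.encode("utf-8"), hashlib.sha256).digest()
    return b64url(mac)


def sign_url(url, key_id, resource, date_less_than, date_greater_than=None, ip_address=None):
    """Append the policy, keyId and signature query parameters to a stream URL."""
    policy_json = build_policy(resource, date_less_than, date_greater_than, ip_address)
    params = {"policy": b64url(policy_json.encode("utf-8")),
              "keyId": key_id,
              "signature": sign_policy(policy_json, key_id)}
    return url + ("&" if "?" in url else "?") + urlencode(params)


def verify_url(signed_url: str, client_ip: str, now_ms: int):
    """Plugin-side checks in the slide's order. Returns (HTTP status, reason)."""
    parsed = urlparse(signed_url)
    qs = parse_qs(parsed.query)
    # 1. All params are okay, otherwise Bad Request.
    try:
        policy_b64, key_id, signature = qs["policy"][0], qs["keyId"][0], qs["signature"][0]
        policy_json = b64url_decode(policy_b64).decode("utf-8")
        statement = json.loads(policy_json)["Statement"]
        condition, resource = statement["Condition"], statement["Resource"]
        not_after = int(condition["DateLessThan"])
        not_before = int(condition.get("DateGreaterThan", 0))
    except (KeyError, IndexError, TypeError, ValueError):
        return 400, "Bad Request"
    if key_id not in KEYS:  # unknown key ID treated as a bad parameter (assumption)
        return 400, "Bad Request"
    # 2. The policy re-signed with the key must match the signature, otherwise Forbidden.
    expected = sign_policy(policy_json, key_id)
    if not hmac.compare_digest(expected.encode("ascii"), signature.encode("utf-8")):
        return 403, "Forbidden"
    # The signed resource must be the file actually requested (assumption: file name).
    if parsed.path.rsplit("/", 1)[-1] != resource:
        return 403, "Forbidden"
    # 3. IP, if in the policy, must match the client, otherwise Forbidden.
    if "IpAddress" in condition and condition["IpAddress"] != client_ip:
        return 403, "Forbidden"
    # 4. Must be after start and before end, otherwise Gone.
    if not (not_before <= now_ms < not_after):
        return 410, "Gone"
    return 200, "OK"


def forge_policy_keep_signature(signed_url: str, new_date_less_than: int) -> str:
    """Test input for the verifier: a policy rewritten with a later expiry but the
    old signature, which a party without the key could produce. verify_url must reject it."""
    base, query = signed_url.split("?", 1)
    qs = parse_qs(query)
    policy = json.loads(b64url_decode(qs["policy"][0]))
    policy["Statement"]["Condition"]["DateLessThan"] = new_date_less_than
    qs["policy"] = [b64url(json.dumps(policy, separators=(",", ":")).encode("utf-8"))]
    return base + "?" + urlencode(qs, doseq=True)


if __name__ == "__main__":
    url = sign_url("rtmp://wowza.server.com/matterhorn-engage/sample.mp4", "theId",
                   "sample.mp4", 1427378400000, 1427371200000, "10.0.0.1")
    print(url)
    print(verify_url(url, "10.0.0.1", 1427375000000))  # within the window, right IP
    print(verify_url(url, "10.0.0.1", 1427378400000))  # expired
    print(verify_url(forge_policy_keep_signature(url, 1427478400000), "10.0.0.1", 1427400000000))
```

The verifier recomputes the HMAC from the decoded policy text rather than trusting anything in the URL, compares it in constant time, and only then looks at the IP and time conditions; extending the expiry or changing the resource without the key therefore fails at the signature step. Because the signature covers the exact policy bytes, signer and verifier must agree on the compact serialization and the Base64 variant, which is why the deck ships a provider per streaming server.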

02 Roadmap (sort of)

Current Status

Currently works with Flash RTMP Streaming with Matterhorn 1.6.x and Wowza Plugin


Future Work

Develop more plugins including Apache HTTPd to secure downloads

HLS streaming in Wowza to support Safari / iOS

DASH streaming in Wowza to support Firefox / Chrome


Limitations

Authorized users can still download / stream video and store it locally for sharing (no DRM)

Every download / stream provider requires a plugin to verify signed URLs

Third party systems need to implement URL signing or use Opencast’s RESTful signing service


Getting Started

Documentation: https://opencast.jira.com/wiki/display/MH/URL+Signing+Stream+Security

Source Code: https://bitbucket.org/entwinemedia/matterhorn/branch/f/MH-10729-stream-security-1.6.x

Wowza Plugin: https://bitbucket.org/entwinemedia/wowza-stream-security-plugin/src

http://entwinemedia.com @entwinemedia

Adam McKenzie: adam@entwinemedia.com

Basil Brunner: basil@entwinemedia.com @myniva