An Analysis of RTSP network security
CMPE 209 Team Presentation

Presented by: HACKERS
Bhupinder Singh Narang, Farhad Doneshwar, Ishita James, Jasleen Pandher, Manjot Kaur, Shubha Gururaja Rao

Department of Computer Science & Engineering
San Jose State University


Page 2

Agenda

• Streaming
• RTSP
• Security Considerations

Page 3

Streaming

• What is Streaming?
• Different Streaming protocols

Page 4

Introduction to RTSP

• Session control protocol
• Supports VCR-like operations
• Supports:
    • Media Retrieval
    • Adding media to an existing session
• Acts as a network remote control

Page 5

Introduction to RTSP (cont.)

• Protocol Properties
• RTSP message format
• RTSP message types:
    • Requests
    • Response
• IETF Standard – RFC 2326

Page 6

RTSP State Transitions

• Setup: Start an RTSP session and resource allocation for a stream
• Play and Record: Start data transmission of the stream
• Pause: Temporarily halt a stream without freeing server resources
• Teardown: Free resources associated with stream and end of a session

Page 7

Working of RTSP

Page 8

RTSP Message Exchange

Page 9

RTSP Security Considerations

• Authentication Mechanism
• Choice of Authentication Schemes
• Basic Authentication
• Digest Authentication
• Abuse of Server Log Information
• Transfer of Sensitive Information
• Concentrated denial-of-service attack
• Session hijacking

Page 10

RTSP Security Considerations (cont.)

Authentication Mechanism

Client MUST be able to do the following:
• recognize the 401 status code;
• parse and include the WWW-Authenticate header;
• implement Basic Authentication and Digest Authentication.

Page 11

RTSP Security Considerations (cont.)

Choice of Authentication Schemes

• Server may return multiple challenges with a 401 (Authenticate) response, and each challenge may use a different scheme
• The "most secure" authentication scheme choice comes first from the server
• A possible man-in-the-middle (MITM) attack would be to add a weak authentication scheme to the set of choices
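A client-side way to handle the set of challenges described on this slide, shown as an added example that is not part of the original presentation. The `SchemePolicy` class, the strength ranking and the one-challenge-per-header-line parsing are assumptions of the example: the client always takes the strongest scheme it understands, so an added weak challenge is never selected, and it refuses an offer weaker than one the same server made before.

```python
import re

# Assumption of this example: Digest ranks above Basic; unknown schemes are ignored.
STRENGTH = {"basic": 1, "digest": 2}
_PARAM = re.compile(r'(\w+)="([^"]*)"')


def parse_challenges(header_values):
    """Turn WWW-Authenticate values (one challenge per header line) into (scheme, params)."""
    challenges = []
    for value in header_values:
        scheme, _, rest = value.strip().partition(" ")
        if scheme:
            challenges.append((scheme.lower(), dict(_PARAM.findall(rest))))
    return challenges


class SchemePolicy:
    """Hypothetical client policy: strongest offered scheme, never below a remembered floor."""

    def __init__(self, allow_basic=False):
        self.allow_basic = allow_basic   # Basic sends the password in recoverable form
        self.floor = {}                  # server name -> strongest rank it has offered

    def choose(self, server, header_values):
        known = [c for c in parse_challenges(header_values) if c[0] in STRENGTH]
        if not known:
            raise ValueError("401 carried no supported authentication scheme")
        # The order of the challenges is ignored; only the ranking decides.
        scheme, params = max(known, key=lambda c: STRENGTH[c[0]])
        rank = STRENGTH[scheme]
        if rank < self.floor.get(server, 0):
            raise PermissionError("offer is weaker than this server's earlier challenge")
        if scheme == "basic" and not self.allow_basic:
            raise PermissionError("only Basic offered and Basic is disabled")
        self.floor[server] = rank
        return scheme, params
```
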

Page 12

RTSP Security Considerations (cont.)

Basic Authentication

User agent must authenticate itself with a user-ID and a password for each realm

Client → Server: Unauthorized request for URI
Server → Client: WWW-Authenticate: Basic realm=" "
Client → Server: Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==

Page 13

RTSP Security Considerations (cont.)

Wireshark Capture

    OPTIONS rtsp://127.0.0.1/video/sample_100kbit.mp4 RTSP/1.0
    CSeq: 3
    Authorization: Basic YWRtaW46YWRtaW4=
    User-Agent: VLC media player (LIVE555 Streaming Media v2008.02.08)

    RTSP/1.0 200 OK
    Server: DSS/5.5.5 (Build/489.16; Platform/Linux; Release/Darwin; state/beta; )
    Cseq: 3
    Public: DESCRIBE, SETUP, TEARDOWN, PLAY, PAUSE, OPTIONS, ANNOUNCE, RECORD

    DESCRIBE rtsp://127.0.0.1/video/sample_100kbit.mp4 RTSP/1.0
    CSeq: 4
    Accept: application/sdp
    Authorization: Basic YWRtaW46YWRtaW4=
    User-Agent: VLC media player (LIVE555 Streaming Media v2008.02.08)
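What the capture above means for anyone who can see the traffic, as an added audit example that is not part of the original presentation: a Basic `Authorization` header is only base64, so a monitoring script can flag every RTSP request that exposes credentials. The function names and the finding format are assumptions of the example; the sample request is constructed from the headers shown in the capture, and the password itself is never returned, only its length.

```python
import base64

# Constructed sample, modelled on the DESCRIBE request in the capture above.
SAMPLE = (
    "DESCRIBE rtsp://127.0.0.1/video/sample_100kbit.mp4 RTSP/1.0\r\n"
    "CSeq: 4\r\n"
    "Accept: application/sdp\r\n"
    "Authorization: Basic YWRtaW46YWRtaW4=\r\n"
    "\r\n"
)


def parse_request(raw):
    """Split one RTSP request into method, URI and a lower-cased header dict."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    method, uri, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, uri, headers


def audit_authorization(raw):
    """Return a finding for the request's Authorization header, or None if it has none."""
    method, uri, headers = parse_request(raw)
    auth = headers.get("authorization")
    if auth is None:
        return None
    scheme, _, token = auth.partition(" ")
    finding = {"method": method, "uri": uri, "scheme": scheme.lower(), "exposed": False}
    if finding["scheme"] == "basic":
        try:
            decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            finding["malformed"] = True
            return finding
        user, _, password = decoded.partition(":")
        # Report that credentials are recoverable without logging the password.
        finding.update(exposed=True, username=user, password_length=len(password))
    return finding
```
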

Page 14

RTSP Security Considerations (cont.)

Digest Authentication

Challenge-Response paradigm

Client → Server: Request for access-protected object (No Auth header)
Server → Client: “401 Unauthorized” response (with www-Auth header)
Client → Server: Retry request, passing an authentication header line

Page 15

RTSP Security Considerations (cont.)

Digest Authentication

• The Digest scheme challenges using a nonce value.
• A valid response contains a checksum (by default the MD5 checksum) of the username, the password, the given nonce value, the HTTP method, and the requested URI.

Page 16

RTSP Security Considerations (cont.)

    DESCRIBE rtsp://192.168.102.58/streaming_media/sample_100kbit.mp4 RTSP/1.0
    CSeq: 1
    Accept: application/sdp
    Bandwidth: 384000
    Accept-Language: en-US
    User-Agent: QuickTime/7.4.1 (qtver=7.4.1;os=Windows NT 5.1Service Pack 2)

    RTSP/1.0 401 Unauthorized
    Server: DSS/5.5.5 (Build/489.16; Platform/Linux; Release/Darwin; state/beta; )
    Cseq: 1
    WWW-Authenticate: Digest realm="Streaming Server", nonce="e539951941e259b7e69f7642cb5ea498"

    DESCRIBE rtsp://192.168.102.58/streaming_media/sample_100kbit.mp4 RTSP/1.0
    CSeq: 2
    Accept: application/sdp
    Bandwidth: 384000
    Accept-Language: en-US
    User-Agent: QuickTime/7.4.1 (qtver=7.4.1;os=Windows NT 5.1Service Pack 2)
    Authorization: Digest username="admin", realm="Streaming Server", nonce="e539951941e259b7e69f7642cb5ea498", uri="/streaming_media/sample_100kbit.mp4", response="e68bd443e12e95e91f06225f3dfefe93"
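The server side of the exchange above, as an added example that is not part of the original presentation and not the streaming server's own code. It computes the RFC 2069 response, MD5(MD5(user:realm:password):nonce:MD5(method:uri)), and checks it against the fields of an `Authorization: Digest` header. The `DigestVerifier` class, its in-memory password table and the single-use nonce policy are assumptions of the example.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit


def _md5(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def digest_response(username, realm, password, nonce, method, uri):
    """RFC 2069 response value: MD5(HA1:nonce:HA2)."""
    ha1 = _md5(f"{username}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{ha2}")


class DigestVerifier:
    """Hypothetical verifier: issues nonces and accepts each one exactly once."""

    def __init__(self, realm, passwords):
        self.realm = realm
        self.passwords = passwords      # username -> password (constructed test data)
        self.live_nonces = set()

    def challenge(self):
        nonce = secrets.token_hex(16)   # unpredictable, server-chosen
        self.live_nonces.add(nonce)
        return f'Digest realm="{self.realm}", nonce="{nonce}"'

    def verify(self, method, request_uri, fields):
        nonce = fields.get("nonce", "")
        password = self.passwords.get(fields.get("username", ""))
        if nonce not in self.live_nonces or password is None:
            return False
        if fields.get("realm") != self.realm:
            return False
        # The capture sends an absolute request URI but uri="/path"; compare paths.
        if urlsplit(fields.get("uri", "")).path != urlsplit(request_uri).path:
            return False
        expected = digest_response(fields["username"], self.realm, password,
                                   nonce, method, fields["uri"])
        ok = hmac.compare_digest(expected.encode(), fields.get("response", "").encode())
        if ok:
            self.live_nonces.discard(nonce)   # a sniffed header cannot be replayed
        return ok
```

Because the method and URI are part of the checksum, a response computed for `DESCRIBE` does not validate for another method, and discarding the nonce after one use means a captured `Authorization` line is rejected if it is sent again.
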

Page 17

RTSP Security Considerations (cont.)

Denial Of Service Attack:

• An attacker can initiate traffic to one or more IP addresses by specifying them as the destination in the setup request.
• If such multiple requests exceed a certain number, then legitimate requests will be denied, leading to a denial of service attack.
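A server-side check for the two points on this slide, as an added example that is not part of the original presentation: the `Transport` header of a SETUP request is parsed, a `destination` parameter that differs from the address the request came from is refused, and the number of pending sessions per client is capped. The `SetupGuard` class, the limit of pending sessions and the single-transport-spec parsing are assumptions of the example; the addresses are documentation ranges.

```python
import ipaddress


def parse_transport(value):
    """Split one Transport header value (a single transport spec) into protocol and params."""
    parts = [p.strip() for p in value.split(";") if p.strip()]
    params = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        params[key.lower()] = val
    return parts[0], params


class SetupGuard:
    """Hypothetical policy: media goes only to the requesting peer, with a session cap."""

    def __init__(self, max_pending_per_client=4):
        self.max_pending = max_pending_per_client
        self.pending = {}               # peer IP -> sessions set up but not torn down

    def check(self, peer_ip, transport_value):
        """Return an (RTSP status code, reason) pair for a SETUP request."""
        _proto, params = parse_transport(transport_value)
        destination = params.get("destination")
        if destination:
            try:
                same = ipaddress.ip_address(destination) == ipaddress.ip_address(peer_ip)
            except ValueError:
                return 400, "destination is not an IP address"
            if not same:
                return 403, "destination differs from the requesting peer"
        count = self.pending.get(peer_ip, 0)
        if count >= self.max_pending:
            return 503, "too many pending sessions for this client"
        self.pending[peer_ip] = count + 1
        return 200, "OK"

    def release(self, peer_ip):
        """Call on TEARDOWN or session timeout so the slot is freed."""
        if self.pending.get(peer_ip, 0) > 0:
            self.pending[peer_ip] -= 1
```
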

Page 18

RTSP Security Considerations (cont.)

Session Hijacking:

• RTSP, unlike HTTP, is a stateful server.
• It uses Session IDs to keep track of its sessions.
• As Session IDs can be sniffed, an attacker can use a Session ID to steal a session.

Page 19

RTSP Security Considerations (cont.)

Abuse of Server Log Information:

• Servers are capable of storing logs of user information, such as their subjects of interest.
• This information is clearly confidential.
• Hence care must be taken that this information is not available to the attacker.

Page 20

RTSP Security Considerations (cont.)

Transfer Of Sensitive Information:

• No method of determining the sensitivity of any particular piece of information within the context of any given request
• Applications SHOULD supply as much control over this information as possible to the provider of that information

Page 21

References

• IETF Standard – RFC 2326, Real Time Streaming Protocol, April 1998
• IETF Standard – RFC 2068, Hypertext Transfer Protocol - HTTP/1.1, January 1997
• IETF Standard – RFC 2069, An Extension to HTTP: Digest Access Authentication, January 1997
• The VideoLAN forums at http://forum.videolan.org/viewtopic.php?f=13&t=44780&start=0&st=0&sk=t&sd=a

Page 22

Thank You!!