Opencast Matterhorn Stream Security

Page 1: Opencast Matterhorn Stream Security

Stream Security: Signing URLs

Opencast Conference - 25 March 2015

Basil Brunner Software Engineer

for the open minded

Adam McKenzie Software Engineer

Page 2: Opencast Matterhorn Stream Security

01 principles of stream security

how the magic works

Page 3: Opencast Matterhorn Stream Security

Why Do I Need Stream Security?

Someone posts a link to the direct video URL on Facebook instead of a link to the video player / portal

Someone figures out a way to get all of the video URLs from the streaming server and starts downloading from classes they aren’t even in

Someone is removed from a class and shouldn’t have access to the video streams anymore but still has links

Page 4: Opencast Matterhorn Stream Security

How Does it Work Now?

Video Player / Portal -> Opencast: Get Video Urls

Opencast -> Video Player / Portal: Video Urls

Video Player / Portal -> Streaming / Download Server: Get Video With Provided URL

Page 5: Opencast Matterhorn Stream Security

How Would it Work?

Video Player / Portal -> Matterhorn: Get Video Urls (Stream or Download)

Matterhorn -> Video Player / Portal: Signed Video Urls

Video Player / Portal -> Streaming / Download Server: Get Videos With Signed URL

Page 6: Opencast Matterhorn Stream Security

02 requests and responses

Page 7: Opencast Matterhorn Stream Security

Stream Security URLs

Policy: What stream? When? For whom?

Signature: Keyed hash (SHA-256 HMAC) of the Policy, computed with the secret key

Key ID: Which secret key to use

Page 8: Opencast Matterhorn Stream Security

Policy Components

Resource: the video stream being played

DateLessThan: when the video stream will expire, e.g. Thu, 26 Mar 2015 14:00:00 GMT -> 1427378400000 (epoch milliseconds)

DateGreaterThan: when the video will become available (optional), e.g. Thu, 26 Mar 2015 12:00:00 GMT -> 1427371200000

IpAddress: the client's IP address (optional)

Page 9: Opencast Matterhorn Stream Security

Policy JSON

{
  "Statement": {
    "Condition": {
      "DateGreaterThan": 1427371200000,
      "DateLessThan": 1427378400000,
      "IpAddress": "10.0.0.1"
    },
    "Resource": "sample.mp4"
  }
}

Page 10: Opencast Matterhorn Stream Security

Policy Query String Parameter

Compact policy JSON:

{"Statement":{"Condition":{"DateGreaterThan":1427371200000,"DateLessThan":1427378400000,"IpAddress":"10.0.0.1"},"Resource":"sample.mp4"}}

Signing service: Base64 encoded (URL safe, no padding):

eyJTdGF0ZW1lbnQiOnsiQ29uZGl0aW9uIjp7IkRhdGVHcmVhdGVyVGhhbiI6MTQyNzM3MTIwMDAwMCwiRGF0ZUxlc3NUaGFuIjoxNDI3Mzc4NDAwMDAwLCJJcEFkZHJlc3MiOiIxMC4wLjAuMSJ9LCJSZXNvdXJjZSI6InNhbXBsZS5tcDQifX0

Page 11: Opencast Matterhorn Stream Security

Creating Signature

Policy JSON:

{"Statement":{"Condition":{"DateGreaterThan":1427371200000,"DateLessThan":1427378400000,"IpAddress":"10.0.0.1"},"Resource":"sample.mp4"}}

One-way keyed hash (SHA-256 HMAC with the secret key), then Base64 encoded (URL safe):

RGVTN1daeXIvcEdZMkdqd08zWlZvN1I1VE01d2xtVGhSSEw4dDZ6TjhkWT0

Page 12: Opencast Matterhorn Stream Security

Example Url Signing

Unsigned URL:

rtmp://wowza.server.com/matterhorn-engage/sample.mp4

Signed URL (policy, keyId and signature as query parameters):

rtmp://wowza.server.com/matterhorn-engage/sample.mp4?policy=eyJTdGF0ZW1lbnQiOnsiQ29uZGl0aW9uIjp7IkRhdGVHcmVhdGVyVGhhbiI6MTQyNzM3MTIwMDAwMCwiRGF0ZUxlc3NUaGFuIjoxNDI3Mzc4NDAwMDAwLCJJcEFkZHJlc3MiOiIxMC4wLjAuMSJ9LCJSZXNvdXJjZSI6InNhbXBsZS5tcDQifX0&keyId=theId&signature=RGVTN1daeXIvcEdZMkdqd08zWlZvN1I1VE01d2xtVGhSSEw4dDZ6TjhkWT0

Page 13: Opencast Matterhorn Stream Security

03 how to configure stream security

opencast integration

Page 14: Opencast Matterhorn Stream Security

Secret Key IDs

The administrator configures each key and its ID on both Opencast and the streaming server:

key.1=0123456789abcdef
id.1=theId
url.1=http://mh-wowza

key.2=abcdef0123456789
id.2=theOtherId
url.2=rtmp://mh-wowza

Page 15: Opencast Matterhorn Stream Security

Secret Key IDs

New service properties files in etc/services:

GenericUrlSigningProvider.properties: signs the full URL

WowzaUrlSigningProvider.properties: formats the resource for Wowza

Page 16: Opencast Matterhorn Stream Security

Opencast Architecture

Inside Opencast:

Get Episode MP -> Search Service

Search Service -> ChainingMediaPackageSerializer: Serialize MP

ChainingMediaPackageSerializer -> SigningMediaPackageSerializer

SigningMediaPackageSerializer -> UrlSigningProvider: Signed Url

Page 17: Opencast Matterhorn Stream Security

Plugins That Verify Signed Url

Signed URL -> Plugin, which checks in order (the first failing check decides the response):

All Params Are Okay? no -> Bad Request

Policy HMAC Matches Signature? no -> Forbidden

IP, if in Policy, Matches? no -> Forbidden

It is After Start and Before End? no -> Gone

All checks pass -> Stream / Download Video
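The signing steps of pages 9 to 12 and the verification order of page 17, as an added Python example (not Opencast's or the Wowza plugin's code): it builds the page 9 policy, Base64-URL-encodes and signs it, appends the three query parameters, and verifies a signed URL, returning the outcome named on page 17. Assumptions: the signature is HMAC-SHA256 over the compact policy JSON with the raw digest Base64-URL-encoded, the policy's Resource is checked against the requested stream, and the key table is a constructed placeholder in the shape of page 14.

```python
import base64
import hashlib
import hmac
import json
from urllib.parse import parse_qs, urlencode, urlsplit
# Constructed key table in the shape of page 14 (key.N / id.N); placeholder key, not a real secret
KEYS = {"theId": b"0123456789abcdef"}

def b64url(data: bytes) -> str:
    # URL-safe Base64 without '=' padding, matching the policy string on page 10
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def build_policy(resource, date_less_than, date_greater_than=None, ip_address=None):
    # Policy JSON of page 9 in the compact form of page 10; times are epoch milliseconds
    condition = {"DateGreaterThan": date_greater_than, "DateLessThan": date_less_than, "IpAddress": ip_address}
    condition = {k: v for k, v in condition.items() if v is not None}  # optional fields are omitted
    return json.dumps({"Statement": {"Condition": condition, "Resource": resource}}, separators=(",", ":"))

def sign(policy_json: str, key_id: str) -> str:
    # Page 11: HMAC-SHA256 over the policy JSON, then URL-safe Base64 (assumption: raw digest is encoded)
    return b64url(hmac.new(KEYS[key_id], policy_json.encode(), hashlib.sha256).digest())

def sign_url(url: str, policy_json: str, key_id: str) -> str:
    # Page 12: policy, keyId and signature travel as query parameters
    query = {"policy": b64url(policy_json.encode()), "keyId": key_id, "signature": sign(policy_json, key_id)}
    return url + "?" + urlencode(query)

def verify_url(signed_url: str, client_ip: str, now_ms: int) -> str:
    # Page 17 checks in order; returns "OK" or the HTTP outcome named on the slide
    parts = urlsplit(signed_url)
    params = {k: v[0] for k, v in parse_qs(parts.query).items()}
    if not {"policy", "keyId", "signature"} <= set(params) or params["keyId"] not in KEYS:
        return "Bad Request"
    try:
        policy_json = base64.urlsafe_b64decode(params["policy"] + "=" * (-len(params["policy"]) % 4)).decode()
        statement = json.loads(policy_json)["Statement"]
        resource, cond, expires = statement["Resource"], statement["Condition"], statement["Condition"]["DateLessThan"]
    except (ValueError, KeyError, TypeError):
        return "Bad Request"
    # compare_digest runs in constant time, so a wrong signature reveals nothing about the right one
    if not hmac.compare_digest(sign(policy_json, params["keyId"]), params["signature"]):
        return "Forbidden"
    # Assumption: Resource must name the requested stream, as the full URL or as the stream file name
    if resource not in (parts._replace(query="").geturl(), parts.path.rsplit("/", 1)[-1]):
        return "Forbidden"
    if cond.get("IpAddress") is not None and cond["IpAddress"] != client_ip:
        return "Forbidden"
    if now_ms < cond.get("DateGreaterThan", 0) or now_ms >= expires:
        return "Gone"
    return "OK"
```

With the page 9 values, build_policy reproduces the page 10 policy string byte for byte; the signature differs from page 11 because that slide's key is not the placeholder used here.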

Page 18: Opencast Matterhorn Stream Security

02 roadmap (sort of)

Page 19: Opencast Matterhorn Stream Security

Current Status

Currently works with Flash RTMP streaming on Matterhorn 1.6.x together with the Wowza plugin

Page 20: Opencast Matterhorn Stream Security

Future Work

Develop more plugins, including one for Apache HTTPd, to secure downloads

HLS streaming in Wowza to support Safari / iOS

DASH streaming in Wowza to support Firefox / Chrome

Page 21: Opencast Matterhorn Stream Security

Limitations

Authorized users can still download / stream the video and store it locally for sharing (no DRM)

Every download / stream provider requires a plugin to verify signed URLs

Third-party systems need to implement URL signing themselves or use Opencast's RESTful signing service

Page 22: Opencast Matterhorn Stream Security

Getting Started

Documentation: https://opencast.jira.com/wiki/display/MH/URL+Signing+Stream+Security

Source Code: https://bitbucket.org/entwinemedia/matterhorn/branch/f/MH-10729-stream-security-1.6.x

Wowza Plugin: https://bitbucket.org/entwinemedia/wowza-stream-security-plugin/src

Page 23: Opencast Matterhorn Stream Security

http://entwinemedia.com @entwinemedia

Adam [email protected]

Basil [email protected] @myniva