Protected Streaming

Last updated

Protected Streaming [1] is a DRM technology by Adobe. The aim of the technology is to protect digital content (video or audio) from unauthorized use.

Contents

Protected Streaming consists of many different techniques; basically there are two main components: encryption and SWF verification.

This technique is used by the Hulu desktop player and the RTÉ Player. Fifa.com also uses this technique to serve the videos on the official site. Some videos on YouTube also use RTMPE, including those uploaded there by BBC Worldwide.

Encryption

Streamed content is encrypted by the Flash Media Server "on the fly", so that the source file itself does not need to be encrypted (a significant difference from Microsoft's DRM). For transmission ("streaming"), a special protocol is required, either RTMPE or RTMPS.[ citation needed ]

RTMPS uses SSL-encryption. In contrast, RTMPE is designed to be simpler than RTMPS, by removing the need to acquire a SSL Certificate. RTMPE makes use of well-known industry standard cryptographic primitives, consisting of Diffie–Hellman key exchange and HMACSHA256, generating a pair of RC4 keys, one of which is then used to encrypt the media data sent by the server (the audio or video stream), while the other key is used to encrypt any data sent to the server. RTMPE caused less CPU-load than RTMPS on the Flash Media Server.[ citation needed ]

Adobe fixed the security issue in January 2009, but did not fix the security holes in the design of the RTMPE algorithm itself. [2] Analysis of the algorithm shows that it relies on security through obscurity. For example, this renders RTMPE vulnerable to Man in the Middle attacks.[ citation needed ]

Tools which have a copy of the well-known constants extracted from the Adobe Flash Player are able to capture RTMPE streams, a form of the trusted client problem. Adobe issued DMCA takedowns on RTMPE recording tools, including rtmpdump, to try to limit their distribution. In the case of rtmpdump, however, this led to a Streisand effect. [3]

SWF verification

The Adobe Flash Player uses a well-known constant, appended to information derived from the SWF file (a hash of the file and its size), as input to HMACSHA256. The HMACSHA256 key is the last 32 bytes of the server's first handshake packet. The Flash Media Server uses this to limit access to those clients which have access to the SWF file (or have been given a copy of the hash and the size of the SWF file).

All officially allowed clients (which are in fact *.swf files) need to be placed on the Flash Media Server streaming the file. Any other client requesting a connection will receive a "connection reject".

The combination of both techniques is intended to ensure streams cannot be sniffed and stored into a local file, as SWF verification is intended to prevent third party clients from accessing the content. However, it does not achieve this goal. Third party clients are free to write the decrypted content to a local file simply by knowing the hash of the SWF file and its size. In practice, therefore, Adobe's own implementation of the Macromedia Flash Player is the only client which does not allow saving to a local file.

The only possible way to restrict connections to a Flash Media Server is to use a list of known hosts, to avoid the whole player (the Flash client) being placed on an unauthorised website. Even this has no real benefit for mass-distributed files, as any one of the known hosts could take a copy of the data and re-distribute it at will. Thus "known host" security is only useful when the known hosts can be trusted not to re-distribute the data.

Notes

  1. "Using the Adobe Access Server for Protected Streaming"
  2. "RTMPE Specification and Analysis". 2009-05-25.
  3. "Adobe has issued a DMCA removal request for rtmpdump". 2009-05-21.

Related Research Articles

<span class="mw-page-title-main">HTTPS</span> Extension of the HTTP communications protocol to support TLS encryption

Hypertext Transfer Protocol Secure (HTTPS) is an extension of the Hypertext Transfer Protocol (HTTP). It uses encryption for secure communication over a computer network, and is widely used on the Internet. In HTTPS, the communication protocol is encrypted using Transport Layer Security (TLS) or, formerly, Secure Sockets Layer (SSL). The protocol is therefore also referred to as HTTP over TLS, or HTTP over SSL.

<span class="mw-page-title-main">Email client</span> Computer program used to access and manage a users email

An email client, email reader or, more formally, message user agent (MUA) or mail user agent is a computer program used to access and manage a user's email.

In cryptography and computer security, a man-in-the-middleattack is a cyberattack where the attacker secretly relays and possibly alters the communications between two parties who believe that they are directly communicating with each other, as the attacker has inserted themselves between the two parties. One example of a MITM attack is active eavesdropping, in which the attacker makes independent connections with the victims and relays messages between them to make them believe they are talking directly to each other over a private connection, when in fact the entire conversation is controlled by the attacker. The attacker must be able to intercept all relevant messages passing between the two victims and inject new ones. This is straightforward in many circumstances; for example, an attacker within the reception range of an unencrypted Wi-Fi access point could insert themselves as a man-in-the-middle. As it aims to circumvent mutual authentication, a MITM attack can succeed only when the attacker impersonates each endpoint sufficiently well to satisfy their expectations. Most cryptographic protocols include some form of endpoint authentication specifically to prevent MITM attacks. For example, TLS can authenticate one or both parties using a mutually trusted certificate authority.

Transport Layer Security (TLS) is a cryptographic protocol designed to provide communications security over a computer network. The protocol is widely used in applications such as email, instant messaging, and voice over IP, but its use in securing HTTPS remains the most publicly visible.

The Encrypting File System (EFS) on Microsoft Windows is a feature introduced in version 3.0 of NTFS that provides filesystem-level encryption. The technology enables files to be transparently encrypted to protect confidential data from attackers with physical access to the computer.

SWF is an Adobe Flash file format used for multimedia, vector graphics and ActionScript. Originating with FutureWave Software, then transferred to Macromedia, and then coming under the control of Adobe, SWF files can contain animations or applets of varying degrees of interactivity and function. They may also occur in programs, commonly browser games, using ActionScript.

Multiple encryption is the process of encrypting an already encrypted message one or more times, either using the same or a different algorithm. It is also known as cascade encryption, cascade ciphering, multiple encryption, and superencipherment. Superencryption refers to the outer-level encryption of a multiple encryption.

FTPS is an extension to the commonly used File Transfer Protocol (FTP) that adds support for the Transport Layer Security (TLS) and, formerly, the Secure Sockets Layer cryptographic protocols.

Adobe Flash Player is computer software for viewing multimedia contents, executing rich Internet applications, and streaming audio and video content created on the Adobe Flash platform. It can run from a web browser as a browser plug-in or independently on supported devices. Originally created by FutureWave under the name FutureSplash Player, it was renamed to Macromedia Flash Player after Macromedia acquired FutureWave in 1996. It was then developed and distributed by Adobe Systems as Flash Player after Adobe acquired Macromedia in 2005. It is currently developed and distributed by Zhongcheng for users in China, and by Harman International for enterprise users outside of China, in collaboration with Adobe.

Windows Media DRM or WMDRM, is a Digital Rights Management service for the Windows Media platform. It is designed to provide delivery of audio or video content over an IP network to a PC or other playback device in such a way that the distributor can control how that content is used.

Flash Video is a container file format used to deliver digital video content over the Internet using Adobe Flash Player version 6 and newer. Flash Video content may also be embedded within SWF files. There are two different Flash Video file formats: FLV and F4V. The audio and video data within FLV files are encoded in the same way as SWF files. The F4V file format is based on the ISO base media file format, starting with Flash Player 9 update 3. Both formats are supported in Adobe Flash Player and developed by Adobe Systems. FLV was originally developed by Macromedia. In the early 2000s, Flash Video was the de facto standard for web-based streaming video. Users include Hulu, VEVO, Yahoo! Video, metacafe, Reuters.com, and many other news providers.

Real-Time Messaging Protocol (RTMP) is a communication protocol for streaming audio, video, and data over the Internet. Originally developed as a proprietary protocol by Macromedia for streaming between Flash Player and the Flash Communication Server, Adobe has released an incomplete version of the specification of the protocol for public use.

Email encryption is encryption of email messages to protect the content from being read by entities other than the intended recipients. Email encryption may also include authentication.

Skype is a Voice over Internet Protocol (VoIP) system developed by Skype Technologies S.A. It is a peer-to-peer network where voice calls pass over the Internet rather than through a special-purpose network. Skype users can search for other users and send them messages.

A cipher suite is a set of algorithms that help secure a network connection. Suites typically use Transport Layer Security (TLS) or its now-deprecated predecessor Secure Socket Layer (SSL). The set of algorithms that cipher suites usually contain include: a key exchange algorithm, a bulk encryption algorithm, and a message authentication code (MAC) algorithm.

<span class="mw-page-title-main">Adobe Flash Media Live Encoder</span>

Flash Media Live Encoder (FMLE) was a free live encoding software product from Adobe Systems. It was available for Microsoft Windows and Mac OS.

RTMPDump is a free software project dedicated to develop a toolkit for RTMP streams. The package includes three programs, rtmpdump, rtmpsrv and rtmpsuck.

Database encryption can generally be defined as a process that uses an algorithm to transform data stored in a database into "cipher text" that is incomprehensible without first being decrypted. It can therefore be said that the purpose of database encryption is to protect the data stored in a database from being accessed by individuals with potentially "malicious" intentions. The act of encrypting a database also reduces the incentive for individuals to hack the aforementioned database as "meaningless" encrypted data is of little to no use for hackers. There are multiple techniques and technologies available for database encryption, the most important of which will be detailed in this article.

Encrypted Media Extensions (EME) is a W3C specification for providing a communication channel between web browsers and the Content Decryption Module (CDM) software which implements digital rights management (DRM). This allows the use of HTML5 video to play back DRM-wrapped content such as streaming video services without the use of heavy third-party media plugins like Adobe Flash or Microsoft Silverlight. The use of a third-party key management system may be required, depending on whether the publisher chooses to scramble the keys.

Widevine is a proprietary digital rights management (DRM) system developed by Google. It provides content protection for media. Widevine is divided into three security levels with differing levels of protection depending on the hardware present on the device. Widevine is included in most major web browsers and in Android and iOS.

References