Stream Security: Signing URLs
Opencast Conference - 25 March 2015
Basil Brunner
Software Engineer
for the open minded
Adam McKenzie
Software Engineer
01 Principles of Stream Security (how the magic works)
Why Do I Need Stream Security?
Someone posts a link to the direct video on Facebook instead of to the video player / portal.
Someone figures out a way to get all of the video URLs from the streaming server and starts downloading from classes they aren't even in.
Someone is removed from a class and shouldn't have access to the video streams anymore but still has the links.
How Does it Work Now?
Flow (from the slide diagram): Video Player / Portal -> Opencast: Get Video Urls; Opencast -> Video Player / Portal: Video Urls; Video Player / Portal -> Streaming / Download Server: Get Video With Provided URL
How Would it Work?
Flow (from the slide diagram): Video Player / Portal -> Opencast: Get Video Urls (Stream or Download); Opencast -> Video Player / Portal: Signed Video Urls; Video Player / Portal -> Matterhorn Streaming / Download Server: Get Videos With Signed URL

02 Requests and Responses
Stream Security URLs
Policy: What stream? When? For who?
Signature: Encrypted version of the Policy (a keyed SHA-256 HMAC, see Creating Signature below)
Secret Encryption Key ID: Which key to use

Policy Components
Resource: the video stream being played
DateLessThan: when the video stream will expire (Unix time in milliseconds), e.g. Thu, 26 Mar 2015 14:00:00 GMT -> 1427378400000
DateGreaterThan: when the video will become available (Optional), e.g. Thu, 26 Mar 2015 12:00:00 GMT -> 1427371200000
IpAddress: the client's IP address (Optional)
Policy JSON
{
  "Statement": {
    "Condition": {
      "DateGreaterThan": 1427371200000,
      "DateLessThan": 1427378400000,
      "IpAddress": "10.0.0.1"
    },
    "Resource": "sample.mp4"
  }
}
Policy Query String Parameter
Minified policy JSON:
{"Statement":{"Condition":{"DateGreaterThan":1427371200000,"DateLessThan":1427378400000,"IpAddress":"10.0.0.1"},"Resource":"sample.mp4"}}
-> Signing Service -> Base 64 Encoded (URL Safe):
eyJTdGF0ZW1lbnQiOnsiQ29uZGl0aW9uIjp7IkRhdGVHcmVhdGVyVGhhbiI6MTQyNzM3MTIwMDAwMCwiRGF0ZUxlc3NUaGFuIjoxNDI3Mzc4NDAwMDAwLCJJcEFkZHJlc3MiOiIxMC4wLjAuMSJ9LCJSZXNvdXJjZSI6InNhbXBsZS5tcDQifX0
Creating Signature
Minified policy JSON:
{"Statement":{"Condition":{"DateGreaterThan":1427371200000,"DateLessThan":1427378400000,"IpAddress":"10.0.0.1"},"Resource":"sample.mp4"}}
-> One-way keyed hash: SHA-256 HMAC, then Base 64 Encoded (URL Safe):
RGVTN1daeXIvcEdZMkdqd08zWlZvN1I1VE01d2xtVGhSSEw4dDZ6TjhkWT0
Example Url Signing
Unsigned: rtmp://wowza.server.com/matterhorn-engage/sample.mp4
Signed: rtmp://wowza.server.com/matterhorn-engage/sample.mp4?policy=eyJTdGF0ZW1lbnQiOnsiQ29uZGl0aW9uIjp7IkRhdGVHcmVhdGVyVGhhbiI6MTQyNzM3MTIwMDAwMCwiRGF0ZUxlc3NUaGFuIjoxNDI3Mzc4NDAwMDAwLCJJcEFkZHJlc3MiOiIxMC4wLjAuMSJ9LCJSZXNvdXJjZSI6InNhbXBsZS5tcDQifX0&keyId=theId&signature=RGVTN1daeXIvcEdZMkdqd08zWlZvN1I1VE01d2xtVGhSSEw4dDZ6TjhkWT0

03 How to Configure Stream Security (Opencast integration)
Secret Key IDs
Administrator-configured key & ID on both Opencast and the streaming server:
key.1=0123456789abcdef
id.1=theId
url.1=http://mh-wowza
key.2=abcdef0123456789
id.2=theOtherId
url.2=rtmp://mh-wowza
Secret Key IDs
New service properties files in etc/services:
GenericUrlSigningProvider.properties: signs the full URL
WowzaUrlSigningProvider.properties: formats the resource for Wowza
Opencast Architecture
Flow (from the slide diagram, inside Opencast): Get Episode -> Search Service -> ChainingMediaPackageSerializer (Serialize MP) -> SigningMediaPackageSerializer -> UrlSigningProvider -> Signed Url
Plugins That Verify Signed Url
Flow (from the slide diagram): the plugin receives the Signed URL and checks:
All Params Are Okay
Policy Encrypted Matches Signature
IP, if in Policy, Matches
It is After Start and Before End
Failure responses: Bad Request, Forbidden, Gone. On success: Stream / Download Video.
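How the signing slides (policy JSON, URL-safe base64, SHA-256 HMAC, the three query parameters) and the verification slide fit together, as an added example that is not code from the Opencast project or the Wowza plugin. The key table, the comparison of Resource against the last path segment of the request, and the mapping of each failed check to Bad Request / Forbidden / Gone are assumptions; the signature here is a single URL-safe base64 of the raw HMAC, which may differ in encoding detail from the project's own output.

```python
import base64, hashlib, hmac, json
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed key table; ids and keys mirror the "Secret Key IDs" slide.
KEYS = {"theId": b"0123456789abcdef", "theOtherId": b"abcdef0123456789"}

def b64url(raw: bytes) -> str:
    """URL-safe base64 without '=' padding."""
    return base64.urlsafe_b64encode(raw).decode("ascii").rstrip("=")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def policy_json(resource, date_less_than, date_greater_than=None, ip=None) -> str:
    """Minified policy JSON, key order as on the slide; times are epoch milliseconds."""
    cond = {}
    if date_greater_than is not None:
        cond["DateGreaterThan"] = date_greater_than
    cond["DateLessThan"] = date_less_than
    if ip is not None:
        cond["IpAddress"] = ip
    return json.dumps({"Statement": {"Condition": cond, "Resource": resource}},
                      separators=(",", ":"))

def sign_url(url: str, key_id: str, policy: str) -> str:
    """Signing service: HMAC-SHA256 over the policy JSON, then the three query params."""
    mac = hmac.new(KEYS[key_id], policy.encode("utf-8"), hashlib.sha256).digest()
    params = {"policy": b64url(policy.encode("utf-8")), "keyId": key_id, "signature": b64url(mac)}
    return url + "?" + urlencode(params)

def verify_url(signed_url: str, client_ip: str, now_ms: int):
    """Plugin side: the four checks from the slide; returns (status, reason)."""
    parsed = urlparse(signed_url)
    qs = parse_qs(parsed.query)
    try:
        policy_b64, key_id, sig_b64 = (qs[k][0] for k in ("policy", "keyId", "signature"))
        policy, sig, key = b64url_decode(policy_b64), b64url_decode(sig_b64), KEYS[key_id]
        stmt = json.loads(policy)["Statement"]
        cond, resource, end = stmt["Condition"], stmt["Resource"], stmt["Condition"]["DateLessThan"]
    except (KeyError, ValueError, TypeError, AttributeError):
        return 400, "Bad Request"            # a parameter is missing, unknown or malformed
    expected = hmac.new(key, policy, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return 403, "Forbidden"              # policy altered, or signed with another key
    if resource != parsed.path.rsplit("/", 1)[-1]:
        return 403, "Forbidden"              # policy was issued for a different stream
    if cond.get("IpAddress") not in (None, client_ip):
        return 403, "Forbidden"              # IP pinned in the policy does not match
    if not cond.get("DateGreaterThan", 0) <= now_ms < end:
        return 410, "Gone"                   # outside the DateGreaterThan..DateLessThan window
    return 200, "Stream / Download Video"
```

Encoding the slide's policy with `policy_json` and `b64url` reproduces the base64 string shown on the Policy Query String Parameter slide exactly.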
02 Roadmap (sort of)
Current Status
Currently works with Flash RTMP streaming with Matterhorn 1.6.x and the Wowza plugin.
Future Work
Develop more plugins, including:
Apache HTTPd to secure downloads
HLS streaming in Wowza to support Safari / iOS
DASH streaming in Wowza to support Firefox / Chrome
Limitations
Authorized users can still download / stream video and store it locally for sharing (no DRM).
Every download / stream provider requires a plugin to verify signed URLs.
Third-party systems need to implement URL signing or use Opencast's RESTful signing service.
Getting Started
Documentation: https://opencast.jira.com/wiki/display/MH/URL+Signing+Stream+Security
Source Code: https://bitbucket.org/entwinemedia/matterhorn/branch/f/MH-10729-stream-security-1.6.x
Wowza Plugin: https://bitbucket.org/entwinemedia/wowza-stream-security-plugin/src

http://entwinemedia.com
@entwinemedia
Adam McKenzie, adam@entwinemedia.com
Basil Brunner, basil@entwinemedia.com, @myniva