This document discusses stream security for online video content through signed URLs. It describes how signed URLs work by encrypting a policy about access restrictions and explains how Opencast implements URL signing to secure video streams. Finally, it covers the current status, future work to extend URL signing to other streaming technologies, and limitations.
2. 01 principles of stream security: how the magic works
3. – for the open minded
Why Do I Need Stream Security?
Someone posts a direct link to the video on Facebook instead of to the video player / portal
Someone figures out a way to get all of the video URLs from the streaming server and starts downloading from classes they aren't even in
Someone is removed from a class and shouldn't have access to the video streams anymore but still has links
4. How Does it Work Now?
[Diagram: Video Player / Portal, Opencast, Streaming / Download Server. Arrows: "Get Video Urls" and "Video Urls" (player and Opencast); "Get Video With Provided URL" (player and streaming / download server).]
5. How Would it Work?
[Diagram: Video Player / Portal, Matterhorn, Streaming / Download Server. Arrows: "Get Video Urls (Stream or Download)" and "Signed Video Urls" (player and Matterhorn); "Get Videos With Signed URL" (player and streaming / download server).]
6. 02 requests and responses
7. Stream Security URLs
Policy: What stream? When? For who?
Signature: Encrypted version of Policy
Secret Encryption Key ID: Which key to use
8. Policy Components
Resource: the video stream being played
DateLessThan: when the video stream will expire, e.g. Thu, 26 Mar 2015 14:00:00 GMT -> 1427378400000
DateGreaterThan: when the video will become available (optional), e.g. Thu, 26 Mar 2015 12:00:00 GMT -> 1427371200000
IpAddress: the client's IP address (optional)
9. Policy JSON
{
  "Statement": {
    "Condition": {
      "DateGreaterThan": 1427371200000,
      "DateLessThan": 1427378400000,
      "IpAddress": "10.0.0.1"
    },
    "Resource": "sample.mp4"
  }
}
10. Policy Query String Parameter
{"Statement":{"Condition":{"DateGreaterThan":1427371200000,"DateLessThan":1427378400000,"IpAddress":"10.0.0.1"},"Resource":"sample.mp4"}}
Signing Service: Base 64 Encoded (URL Safe)
eyJTdGF0ZW1lbnQiOnsiQ29uZGl0aW9uIjp7IkRhdGVHcmVhdGVyVGhhbiI6MTQyNzM3MTIwMDAwMCwiRGF0ZUxlc3NUaGFuIjoxNDI3Mzc4NDAwMDAwLCJJcEFkZHJlc3MiOiIxMC4wLjAuMSJ9LCJSZXNvdXJjZSI6InNhbXBsZS5tcDQifX0
11. Creating Signature
{"Statement":{"Condition":{"DateGreaterThan":1427371200000,"DateLessThan":1427378400000,"IpAddress":"10.0.0.1"},"Resource":"sample.mp4"}}
1 Way Encryption Hash: SHA-256 HMAC & Base 64 Encoded (URL Safe)
RGVTN1daeXIvcEdZMkdqd08zWlZvN1I1VE01d2xtVGhSSEw4dDZ6TjhkWT0
12. Example URL Signing
rtmp://wowza.server.com/matterhorn-engage/sample.mp4
rtmp://wowza.server.com/matterhorn-engage/sample.mp4?policy=eyJTdGF0ZW1lbnQiOnsiQ29uZGl0aW9uIjp7IkRhdGVHcmVhdGVyVGhhbiI6MTQyNzM3MTIwMDAwMCwiRGF0ZUxlc3NUaGFuIjoxNDI3Mzc4NDAwMDAwLCJJcEFkZHJlc3MiOiIxMC4wLjAuMSJ9LCJSZXNvdXJjZSI6InNhbXBsZS5tcDQifX0&keyId=theId&signature=RGVTN1daeXIvcEdZMkdqd08zWlZvN1I1VE01d2xtVGhSSEw4dDZ6TjhkWT0
13. 03 opencast integration: how to configure stream security
14. Secret Key IDs
Administrator-configured Key & ID on both Opencast and Streaming
key.1=0123456789abcdef
id.1=theId
url.1=http://mh-wowza
key.2=abcdef0123456789
id.2=theOtherId
url.2=rtmp://mh-wowza
15. Secret Key IDs
New Service Properties Files in etc/services:
GenericUrlSigningProvider.properties: signs the full URL
WowzaUrlSigningProvider.properties: formats the resource for Wowza
16. Opencast Architecture
[Diagram labels: Opencast; Get Episode; MP; Search Service; ChainingMediaPackageSerializer; Serialize MP; SigningMediaPackageSerializer; UrlSigningProvider; Signed Url]
17. Plugins That Verify Signed Url
[Flowchart: a Plugin receives the Signed URL. Checks: All Params Are Okay; Policy Encrypted Matches Signature; IP, if in Policy, Matches; It is After Start and Before End. Outcomes: Bad Request; Forbidden; Gone; Stream / Download Video.]
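The signing and verification flow described on the slides, as an added Python example (not Opencast or Wowza plugin code). Assumptions: the function names, unpadded URL-safe Base64 of the raw HMAC bytes, signing the full URL as the resource, the extra resource check, and the mapping of each check to a status code; the key and ID are the sample values from the key configuration slide.

```python
import base64, hashlib, hmac, json
from urllib.parse import parse_qs, urlsplit

KEYS = {"theId": b"0123456789abcdef"}  # id.1 / key.1 from the configuration slide

def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def unb64url(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_url(url, key_id, not_after_ms, not_before_ms=None, ip=None):
    cond = {"DateLessThan": not_after_ms}
    if not_before_ms is not None:
        cond["DateGreaterThan"] = not_before_ms
    if ip is not None:
        cond["IpAddress"] = ip
    # Compact JSON, as on the "Policy Query String Parameter" slide.
    policy = json.dumps({"Statement": {"Condition": cond, "Resource": url}},
                        separators=(",", ":"), sort_keys=True).encode()
    sig = hmac.new(KEYS[key_id], policy, hashlib.sha256).digest()
    return f"{url}?policy={b64url(policy)}&keyId={key_id}&signature={b64url(sig)}"

def verify_url(signed_url, client_ip, now_ms):
    """Return the HTTP status a verifying plugin would answer with (assumed mapping)."""
    parts = urlsplit(signed_url)
    query = parse_qs(parts.query)
    try:
        policy = unb64url(query["policy"][0])
        signature = unb64url(query["signature"][0])
        key = KEYS[query["keyId"][0]]
    except (KeyError, ValueError):
        return 400  # Bad Request: parameter missing, undecodable, or unknown key id
    expected = hmac.new(key, policy, hashlib.sha256).digest()
    if not hmac.compare_digest(signature, expected):  # constant-time comparison
        return 403  # Forbidden: policy was altered or signed with another key
    # Parse the policy only after it has been authenticated.
    statement = json.loads(policy)["Statement"]
    cond = statement["Condition"]
    requested = f"{parts.scheme}://{parts.netloc}{parts.path}"
    if statement["Resource"] != requested:  # added check, not listed on the slide
        return 403  # Forbidden: signature was issued for a different stream
    if cond.get("IpAddress", client_ip) != client_ip:
        return 403  # Forbidden: policy is bound to another client address
    if now_ms < cond.get("DateGreaterThan", 0) or now_ms >= cond["DateLessThan"]:
        return 410  # Gone: not yet valid, or expired
    return 200  # OK: serve the stream / download
```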
18. 02 roadmap (sort of)
19. Current Status
Currently works with Flash RTMP Streaming with Matterhorn 1.6.x and Wowza Plugin
20. Future Work
Develop more plugins, including:
  Apache HTTPd to secure downloads
  HLS streaming in Wowza to support Safari / iOS
  DASH streaming in Wowza to support Firefox / Chrome
21. Limitations
Authorized users can still download / stream video and store it locally for sharing (no DRM)
Every download / stream provider requires a plugin to verify signed URLs
Third party systems need to implement URL signing or use Opencast's RESTful signing service
22. Getting Started
Documentation: https://opencast.jira.com/wiki/display/MH/URL+Signing+Stream+Security
Source Code: https://bitbucket.org/entwinemedia/matterhorn/branch/f/MH-10729-stream-security-1.6.x
Wowza Plugin: https://bitbucket.org/entwinemedia/wowza-stream-security-plugin/src