Protected Streaming
 | It has been suggested that this article be merged into Real Time Messaging Protocol. (Discuss) Proposed since May 2009. |
Protected Streaming[dubious – discuss] is a DRM technology by Adobe. It is used to give the impression that digital content (video or audio) is being protected from unauthorized use.
Protected Streaming consists of many different techniques; basically there are two main components: encryption and SWF verification.
This technique is used by the RTE Player.
Encryption
All content is encrypted by the Flash Media Server "on the fly". This means there is no encryption of the source file needed (which is different from Microsoft DRM, for instance). For data transmission, a special protocol is used: RTMPE or RTMPS.
RTMPS uses SSL-encryption, RTMPE makes use of well-known industry standard cryptographic primitives consisting of Diffie-Hellman key exchange and HMACSHA256, generating a pair of RC4 keys, one of which is then used to encrypt the data sent by the server (such as the audio or video stream), whilst the other key is used to encrypt any data sent to the server. RTMPE causes less CPU-load than RTMPS on the Flash Media Server. In the past, some tools were able to capture RTMPE streams by taking advantage of a security hole within the Flash player object. Adobe fixed this issue in January 2009.
Tools which have a copy of the well-known constants extracted from the Adobe Flash player are still able to capture RTMPE streams, which is a form of the trusted client problem. Adobe issued a DMCA takedown on one such tool named rtmpdump to try to limit its distribution.[1]
SWF verification
The Adobe Flash player uses a well-known constant, appended to information derived from the SWF file (a hash of the file and its size), as input to HMACSHA256. The HMACSHA256 key is the last 32 bytes of the server's first handshake packet. Flash Media Server uses this to limit access to those clients which have either had access to the SWF file (or have been given a copy of the hash and the size of the SWF file).
All officially allowed clients (which are in fact *.swf Files) need to be placed on the Flash Media Server. Any unknown client requesting a connection will receive a "connection reject".
The combination of both techniques ensures that streams cannot be sniffed and stored into a local file. SWF verification is intended to prevent manipulated clients from accessing the content, but does not achieve this goal. Third party clients are free to write the unencrypted content to a file simply by knowing the hash of the SWF file and its size. Adobe's own implementation of Flash Player is one client which does not allow saving into local files.
Additionally, it is possible to restrict connections to the Flash Media Server to a list of known hosts, to avoid that the whole player (the Flash client) is placed on a foreign site.
Notes
- ^ "Adobe has issued a DMCA removal request for rtmpdump". 2009-05-21.
References
- Whitepaper by Adobe
- RTMPE (Adobe LiveDocs)
- RTMPS (Adobe LiveDocs)
- Source code of rtmpdump v1.6 by Andrej Stepanchuk
- RTMPE specification, generated from the rtmpdump source code
- RTMPE specification, mirror of the above
- RTMFP encryption mechanism (DRAFT), reverse engineered from scratch
| File formats |
| ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Software (list) |
| ||||||||||||
| Obsolete software | |||||||||||||
| Related topics | |||||||||||||
| Developers | |||||||||||||
