Stream Security:
Signing URLs
Opencast Conference - 25 March 2015
Basil Brunner
Software Engineer
for the open minded
Adam McKenzie
Software Engineer
01 principles of stream security
how the magic works
Why Do I Need Stream Security?
Someone posts a direct link to a video on Facebook instead of a link to the video player / portal
Someone figures out a way to get all of the video URLs from the streaming server and starts downloading from classes they aren’t even in
Someone is removed from a class and shouldn’t have access to the video streams anymore but still has links
How Does it Work Now?
[Diagram. Components: Video Player / Portal; Opencast; Streaming / Download Server. Arrow labels: Get Video Urls; Video Urls; Get Video With Provided URL]
How Would it Work?
[Diagram. Components: Video Player / Portal; Matterhorn; Streaming / Download Server. Arrow labels: Get Video Urls (Stream or Download); Signed Video Urls; Get Videos With Signed URL]
02 requests and responses
Stream Security URLs
Policy: What stream? When? For whom?
Signature: Encrypted version of Policy (a one-way SHA-256 HMAC, not reversible encryption)
Secret Encryption Key ID: Which key to use
Policy Components
Resource: the video stream being played
DateLessThan: when the video stream will expire, e.g. Thu, 26 Mar 2015 14:00:00 GMT -> 1427378400000 (milliseconds since the Unix epoch)
DateGreaterThan: when the video will become available (Optional), e.g. Thu, 26 Mar 2015 12:00:00 GMT -> 1427371200000
IpAddress: the client’s IP address (Optional)
Policy JSON
{
  "Statement": {
    "Condition": {
      "DateGreaterThan": 1427371200000,
      "DateLessThan": 1427378400000,
      "IpAddress": "10.0.0.1"
    },
    "Resource": "sample.mp4"
  }
}
Policy Query String Parameter
{"Statement":{"Condition":{"DateGreaterThan":1427371200000,"DateLessThan":1427378400000,"IpAddress":"10.0.0.1"},"Resource":"sample.mp4"}}
Signing Service: Base 64 Encoded (URL Safe)
eyJTdGF0ZW1lbnQiOnsiQ29uZGl0aW9uIjp7IkRhdGVHcmVhdGVyVGhhbiI6MTQyNzM3MTIwMDAwMCwiRGF0ZUxlc3NUaGFuIjoxNDI3Mzc4NDAwMDAwLCJJcEFkZHJlc3MiOiIxMC4wLjAuMSJ9LCJSZXNvdXJjZSI6InNhbXBsZS5tcDQifX0
Creating Signature
{"Statement":{"Condition":{"DateGreaterThan":1427371200000,"DateLessThan":1427378400000,"IpAddress":"10.0.0.1"},"Resource":"sample.mp4"}}
1 Way Encryption Hash: SHA-256 HMAC & Base 64 Encoded (URL Safe)
RGVTN1daeXIvcEdZMkdqd08zWlZvN1I1VE01d2xtVGhSSEw4dDZ6TjhkWT0
Example Url Signing
rtmp://wowza.server.com/matterhorn-engage/sample.mp4
rtmp://wowza.server.com/matterhorn-engage/sample.mp4?policy=eyJTdGF0ZW1lbnQiOnsiQ29uZGl0aW9uIjp7IkRhdGVHcmVhdGVyVGhhbiI6MTQyNzM3MTIwMDAwMCwiRGF0ZUxlc3NUaGFuIjoxNDI3Mzc4NDAwMDAwLCJJcEFkZHJlc3MiOiIxMC4wLjAuMSJ9LCJSZXNvdXJjZSI6InNhbXBsZS5tcDQifX0&keyId=theId&signature=RGVTN1daeXIvcEdZMkdqd08zWlZvN1I1VE01d2xtVGhSSEw4dDZ6TjhkWT0
03 opencast integration
how to configure stream security
Secret Key IDs
Administrator configured Key & ID on both Opencast and Streaming
key.1=0123456789abcdef
id.1=theId
url.1=http://mh-wowza
key.2=abcdef0123456789
id.2=theOtherId
url.2=rtmp://mh-wowza
Secret Key IDs
New Service Properties Files in etc/services:
GenericUrlSigningProvider.properties: Signs the full url
WowzaUrlSigningProvider.properties: Formats the resource for Wowza
Opencast Architecture
[Diagram labels, inside Opencast: Get Episode; MP; Search Service; ChainingMediaPackageSerializer; Serialize MP; SigningMediaPackageSerializer; UrlSigningProvider; Signed Url]
Plugins That Verify Signed Url
[Flowchart: Signed URL -> Plugin. Checks, in order: All Params Are Okay; Policy Encrypted Matches Signature; IP, if in Policy, Matches; It is After Start and Before End. Failure outcomes: Bad Request; Forbidden; Gone. Success: Stream / Download Video]
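The signing steps from the "Policy Query String Parameter", "Creating Signature" and "Example Url Signing" slides, together with the plugin checks listed above, as an added Python example; it is not the Opencast or Wowza plugin code. Assumptions: the HMAC covers the compact JSON policy and is sent as URL-safe base64 of the raw digest, the key is the ASCII string from the "Secret Key IDs" slide, the mapping of checks to 400 / 403 / 410 follows the order of the slide's labels, the Resource check is an addition, and `sign_url` / `verify_url` are hypothetical names.

```python
import base64, hashlib, hmac, json, time
from urllib.parse import parse_qs, urlencode, urlsplit

# Key table as on the "Secret Key IDs" slide; treating the value as ASCII bytes is an assumption.
KEYS = {"theId": b"0123456789abcdef"}

def b64url(data: bytes) -> str:
    """URL-safe base64 without '=' padding, as in the slide's policy parameter."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_url(url, resource, key_id, expires_ms, starts_ms=None, ip=None):
    """Portal / Opencast side: append policy, keyId and signature to url."""
    condition = {}
    if starts_ms is not None:
        condition["DateGreaterThan"] = starts_ms
    condition["DateLessThan"] = expires_ms
    if ip is not None:
        condition["IpAddress"] = ip
    policy = json.dumps({"Statement": {"Condition": condition, "Resource": resource}},
                        separators=(",", ":")).encode()
    # Assumption: HMAC-SHA256 over the compact JSON bytes, raw digest base64url-encoded.
    signature = hmac.new(KEYS[key_id], policy, hashlib.sha256).digest()
    query = urlencode({"policy": b64url(policy), "keyId": key_id,
                       "signature": b64url(signature)})
    return f"{url}?{query}"

def verify_url(url, resource, client_ip, now_ms=None):
    """Streaming-server side: 200, 400 (Bad Request), 403 (Forbidden) or 410 (Gone)."""
    now_ms = int(time.time() * 1000) if now_ms is None else now_ms
    params = parse_qs(urlsplit(url).query)
    try:  # 1. all parameters present and decodable, key id known
        policy = b64url_decode(params["policy"][0])
        signature = b64url_decode(params["signature"][0])
        key = KEYS[params["keyId"][0]]
    except (KeyError, ValueError):
        return 400
    # 2. recompute the HMAC over the received policy bytes, compare in constant time
    expected = hmac.new(key, policy, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return 403
    try:  # the policy is parsed only after its signature has been checked
        statement = json.loads(policy)["Statement"]
        condition = statement["Condition"]
        not_after = int(condition["DateLessThan"])
        not_before = int(condition.get("DateGreaterThan", 0))
    except (KeyError, TypeError, ValueError):
        return 400
    # Not listed on the slide, added here: the policy must name the stream being served,
    # otherwise a URL signed for one stream would unlock every stream under the same key.
    if statement.get("Resource") != resource:
        return 403
    # 3. client IP, only if the policy carries one
    if "IpAddress" in condition and condition["IpAddress"] != client_ip:
        return 403
    # 4. after start and before end
    if not (not_before < now_ms < not_after):
        return 410
    return 200

if __name__ == "__main__":
    # Values taken from the slides; the clock is pinned to 13:00 GMT on 26 Mar 2015.
    signed = sign_url("rtmp://wowza.server.com/matterhorn-engage/sample.mp4", "sample.mp4",
                      "theId", 1427378400000, 1427371200000, "10.0.0.1")
    print(signed)
    print(verify_url(signed, "sample.mp4", "10.0.0.1", now_ms=1427374800000))
```

The `policy` parameter this produces is byte-for-byte the one on the slide; the `signature` value depends on the assumed key and encoding and is not expected to equal the slide's.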
roadmap (sort of)
02
Current Status
Currently works with Flash RTMP Streaming with Matterhorn 1.6.x and Wowza Plugin
Future Work
Develop more plugins including:
Apache HTTPd to secure downloads
HLS streaming in Wowza to support Safari / iOS
Dash streaming in Wowza to support Firefox / Chrome
Limitations
Authorized users can still download / stream video and store it locally for sharing (no DRM)
Every download / stream provider requires a plugin to verify signed urls
Third party systems need to implement URL signing or use Opencast’s RESTful signing service
Getting Started
Documentation: https://opencast.jira.com/wiki/display/MH/URL+Signing+Stream+Security
Source Code: https://bitbucket.org/entwinemedia/matterhorn/branch/f/MH-10729-stream-security-1.6.x
Wowza Plugin: https://bitbucket.org/entwinemedia/wowza-stream-security-plugin/src
http://entwinemedia.com
@entwinemedia
Adam McKenzie

adam@entwinemedia.com
Basil Brunner

basil@entwinemedia.com
@myniva
