Home | Blog | Software | Reviews and Features | Forum | Help | Donate | About us
topbanner_forum
  *

avatar image

Welcome, Guest. Please login or register.
Did you miss your activation email?

Login with username, password and session length
  • December 08, 2016, 10:06:39 AM
  • Proudly celebrating 10 years online.
  • Donate now to become a lifetime supporting member of the site and get a non-expiring license key for all of our programs.
  • donate

Author Topic: Decrypting a key on a time limit, but without knowing the time  (Read 3081 times)

mediaguycouk

  • Supporting Member
  • Joined in 2007
  • **
  • Posts: 245
    • View Profile
    • Mediaguy
    • Donate to Member
Hi there. I'm stumped on something and would like some ideas passed around even if you don't know how to technically achieve what I'm asking for.

Before I start with the problem I'm using
Wowza - Flash streaming server
Flash CS4
JW Media Player (Longtail media player) - Under licence editing the source code.

I have videos on a streaming server that require authentication. Users log in with their university username and password and a $_SESSION variable is logged to show the user is logged in.

In the past I have totally hacked at the source code of JW Media Player to ensure that the video doesn't play without checking the session is logged in. A written application in Flash Media Server 2 also checked this information.

For this new version I would like both Wowza and JW Media player to be as 'vanilla' as possible. The reason for this is Wowza and JW Media Player both have built in authentication.

Wowza uses a secure token before an application (a whole folder of videos) can be played. The trouble is the token doesn't change and if I hard code the token into the flash player someone would only have to download the movie player to be able to play all moves.

What I would prefer to do is to pass some code to the flash player that makes it create the key, however I want it to be useless after it is used.

Before I would use the (sudo) code of

Decrypt (jr;;p, 13/3/09)

Function decrypt(input, date) {
 if (date < today) {
  exit("password can only be decrypted on the date it is created");
 } else {
  return decryptcode(input); // return token to the flash code and not to the user
 }
}


However if I'm doing the decryption inside the flash player it is using the client for its information. The client clock might be incorrect or they might just change it.

What would be best is if the web server were to pass the token at the beginning, but that would just involve the user right clicking and viewing source, which is even worse.

Any ideas or was that a really bad explanation?
Learning C# - Graham Robinson
« Last Edit: March 13, 2009, 10:01:58 AM by mediaguycouk »

Deozaan

  • Charter Member
  • Joined in 2006
  • ***
  • Points: 1
  • Posts: 7,716
    • View Profile
    • The Blog of Deozaan
    • Read more about this member.
    • Donate to Member
Re: Decrypting a key on a time limit, but without knowing the time
« Reply #1 on: March 16, 2009, 06:28:57 PM »
Can't you just get the flash player to communicate with an online server and let the server handle all of that stuff?


Ehtyar

  • Supporting Member
  • Joined in 2007
  • **
  • Posts: 1,237
    • View Profile
    • Donate to Member
Re: Decrypting a key on a time limit, but without knowing the time
« Reply #2 on: March 16, 2009, 10:56:59 PM »
I'm afraid after reading it through a few times I still get lost in your explanation. My only recommendation is that all validation go server side, but I understand that that's not always an option.

Ehtyar.

f0dder

  • Charter Honorary Member
  • Joined in 2005
  • ***
  • Posts: 9,029
  • [Well, THAT escalated quickly!]
    • View Profile
    • f0dder's place
    • Read more about this member.
    • Donate to Member
Re: Decrypting a key on a time limit, but without knowing the time
« Reply #3 on: March 17, 2009, 12:03:12 PM »
As Ehtyar said, handle authentication stuff server-side. If a user's session/whatever has expired, simply deny access to the media files - presto, problem, solved.
- carpe noctem

mediaguycouk

  • Supporting Member
  • Joined in 2007
  • **
  • Posts: 245
    • View Profile
    • Mediaguy
    • Donate to Member
Re: Decrypting a key on a time limit, but without knowing the time
« Reply #4 on: March 17, 2009, 12:42:17 PM »
I was worried it might be that way.

What I really wanted was to not have to re-write a whole application when a token based system was already built into the serverside code.

Basically I would have to re-write this actionscript into Java (which I don't know)

Spoiler
Code: ActionScript [Select]
  1. // Written by Graham Robinson - gra@xxx.ac.uk
  2. trace("build 0169");
  3.  
  4. // To make life easier all applications of main.asc are the same. The secuirty checks that happen between
  5. // Internal, ISS authenticated, etc happen by what is defined on the next line
  6.  
  7. load("appsettings.asc");
  8.  
  9. // IP CHECK (our website here. No http:// or trailing /)
  10. var VALID_REFERRER = "xxx.xxx.xxx.ac.uk";
  11.  
  12. // Bypass referral
  13. // If you are testing on your local computer you can bypass the reffer check
  14. // You will still need to pass security to the host unless you use the public profile
  15.  
  16. //var BYPASS_REFERRER = "yes"; // Comment out as necessary
  17. var BYPASS_REFERRER = "no"; // << ALWAYS USE THIS FOR A LIVE SYSTEM
  18.  
  19. // IP CHECK (power referrer to allow server to connect to itself and for streaming)
  20. var POWER_REFERRER = "rtmp://xxx.xxx.ac.uk/"+application.name ;
  21.  
  22. // Note to self. When you get hold of flash media encoder 2, you need to see how it connects
  23. // to the server as the unique key and referrer checks will fail when using the laptop.
  24. // The laptop itself may need a static address just to allow entry via IP.
  25.  
  26. function checkInternal(internalTime, internalTimeHash, pClient) {
  27.         var internal_lv = new LoadVars();
  28.         internal_lv.load("http://127.0.0.1/flashserver_secure/serversecuritycheck_internal.php?time="+internalTime+"&hash="+internalTimeHash+"&nothingelse");
  29.         internal_lv.onLoad = function( success )
  30.         {
  31.                 //trace("Internal check: "+internal_lv.passed);
  32.                 if (internal_lv.passed == "yes") {
  33.                         //trace("Accepting connection from internal function")
  34.                         application.acceptConnection(pClient);
  35.                 } else {
  36.                         //trace("Rejecting connection from internal function")
  37.                         application.rejectConnection(pClient);
  38.                 }
  39.         }      
  40. }
  41. function checkISS(issTime, issTimeHash, pClient) {
  42.         var iss_lv = new LoadVars();
  43.         iss_lv.load("http://127.0.0.1/flashserver_secure/serversecuritycheck_iss.php?time="+issTime+"&hash="+issTimeHash+"&nothingelse");
  44.         iss_lv.onLoad = function( success )
  45.         {
  46.                 //trace("ISS Check: "+iss_lv.passed);
  47.                 if (iss_lv.passed == "yes") {
  48.                         //trace("Accepting connection from iss function")
  49.                         application.acceptConnection(pClient);
  50.                 } else {
  51.                         //trace("Rejecting connection from iss function")
  52.                         application.rejectConnection(pClient);
  53.                 }
  54.         }
  55. }
  56.  
  57. // Some code to work with published live servers
  58.  
  59. // Define the variable we will share to tell when the stream has started
  60. isStreaming = new Object();
  61.  
  62. isStreaming.connected = "no";
  63. isStreaming.streaming = "no";
  64. isStreaming.clientID = "";
  65.  
  66. Client.prototype.FCPublish = function(streamname) {
  67.         //this.call("onFCPublish", null, {code:"NetStream.Publish.Start", description:"name"});
  68.         //trace("I'm funning in a FCPublish function");
  69.         isStreaming.streaming = "yes";
  70. }
  71.  
  72. Client.prototype.FCUnpublish = function(streamname) {
  73. // perform your clean up
  74.         //this.call("onFCUnpublish", null, {code:"NetStream.Unpublish.Success", description:"name"});
  75.         //trace("I'm funning in a FCUnpublish function");
  76.         isStreaming.streaming = "no";
  77. }
  78.  
  79. Client.prototype.releaseStream = function(streamname) {
  80.         // Nothing really needs to go here as FCPublish does all the work
  81.         // However the function needs to be defined to remove the 'unknown method' error
  82.         //trace("I'm funning in a releaseStream function");
  83. }
  84.  
  85. // Ripping check
  86. // this will store references of all clients, and ensure there are no replays
  87. clientKeyList = new Object();
  88.  
  89. application.onConnect = function(pClient, uniqueKey, applicationName, internalTime, internalTimeHash, issTime, issTimeHash) {
  90.         //trace("SECURITY_METHOD = "+SECURITY_METHOD);
  91.         if (pClient.referrer == POWER_REFERRER && LIVE == "yes") {
  92.                 this.acceptConnection(pClient);
  93.                 trace("Power referrer conneted: " + pClient.ip);
  94.                 isStreaming.connected = "yes";
  95.                 isStreaming.clientID = pClient;
  96.         } else {
  97.                 //pClient.writeAccess = ""; // prevents creating shared object or live streams.
  98.  
  99.                 // Only allow flash movies to play when they are on our streaming server
  100.                 // Note, this does not stop people from putting our .swf file onto their servers
  101.                 if (pClient.referrer.split("/")[2] == VALID_REFERRER || BYPASS_REFERRER == "yes") {
  102.                         //trace("Accepted IP: "+pClient.referrer);
  103.                         if (uniqueKey != undefined) { // make sure there is always a uniqueKey
  104.                                 if ( clientKeyList[uniqueKey] == undefined ) {
  105.                                         // This client has never connected -- allow the connection
  106.                                         pClient.uniqueKey   = uniqueKey;
  107.                                         clientKeyList[uniqueKey]  = pClient;
  108.  
  109.                                         if (isStreaming.connected == "yes" || LIVE == "no") {
  110.                                                 if (isStreaming.streaming == "yes" || LIVE == "no") {
  111.                                                         // Run the correct security check based on the security type
  112.                                                         if (SECURITY_METHOD == "internal") {
  113.                                                                 //trace("running checkInternal");
  114.                                                                 checkInternal(internalTime, internalTimeHash, pClient);
  115.                                                         } else if (SECURITY_METHOD == "iss") {
  116.                                                                 //trace("running checkISS");
  117.                                                                 checkISS(issTime, issTimeHash, pClient);
  118.                                                         } else {
  119.                                                                 //trace("Accepted due to security being none");
  120.                                                                 this.acceptConnection(pClient);
  121.                                                         }
  122.                                                 } else {
  123.                                                         //trace("Rejected: Broadcast is connected but not streaming");
  124.                                                         this.rejectConnection(pClient, {msg:"notStreaming"});
  125.                                                 }
  126.                                         } else {
  127.                                                 //trace("Rejected: Broadcast is not connected");
  128.                                                 this.rejectConnection(pClient, {msg:"notConnected"});
  129.                                         }
  130.                                 } else {
  131.                                         trace("Rejected UniqueID");
  132.                                         this.rejectConnection(pClient);
  133.                            }
  134.                         } else {
  135.                                   trace("Rejected No UniqueID");
  136.                                   this.rejectConnection(pClient);
  137.                         }
  138.                 } else {
  139.                         // If the .swf wasn't on our server, reject and trace the referrer
  140.                         this.rejectConnection(pClient, {msg:"Bad referrer"}) ;
  141.                         //this.acceptConnection(pClient); // ONLY FOR TESTING PURPOSES
  142.                         trace("Rejected IP: "+pClient.referrer);
  143.                 }
  144.         }
  145. }
  146.  
  147. application.onDisconnect = function(pClient){
  148.         if (pClient == isStreaming.clientID) {
  149.                 isStreaming.connected = "no";
  150.                 isStreaming.clientID = "";
  151.                 trace("Power referrer disconnected");
  152.         }
  153.         //clean up the keys
  154.         delete clientKeyList[pClient.uniqueKey];
  155.         //trace("Client disconnected");
  156. }

Learning C# - Graham Robinson