Decrypting a key on a time limit, but without knowing the time

[mediaguycouk]

Hi there. I'm stumped on something and would like some ideas passed around even if you don't know how to technically achieve what I'm asking for.

Before I start with the problem I'm using
Wowza - Flash streaming server
Flash CS4
JW Media Player (Longtail media player) - Under licence editing the source code.

I have videos on a streaming server that require authentication. Users log in with their university username and password and a $_SESSION variable is logged to show the user is logged in.

In the past I have totally hacked at the source code of JW Media Player to ensure that the video doesn't play without checking the session is logged in. A written application in Flash Media Server 2 also checked this information.

For this new version I would like both Wowza and JW Media player to be as 'vanilla' as possible. The reason for this is Wowza and JW Media Player both have built in authentication.

Wowza uses a secure token before an application (a whole folder of videos) can be played. The trouble is the token doesn't change and if I hard code the token into the flash player someone would only have to download the movie player to be able to play all moves.

What I would prefer to do is to pass some code to the flash player that makes it create the key, however I want it to be useless after it is used.

Before I would use the (sudo) code of

Decrypt (jr;;p, 13/3/09)

Function decrypt(input, date) {
 if (date < today) {
  exit("password can only be decrypted on the date it is created");
 } else {
  return decryptcode(input); // return token to the flash code and not to the user
 }
}

However if I'm doing the decryption inside the flash player it is using the client for its information. The client clock might be incorrect or they might just change it.

What would be best is if the web server were to pass the token at the beginning, but that would just involve the user right clicking and viewing source, which is even worse.

Any ideas or was that a really bad explanation?

[Deozaan]

Can't you just get the flash player to communicate with an online server and let the server handle all of that stuff?

[Ehtyar]

I'm afraid after reading it through a few times I still get lost in your explanation. My only recommendation is that all validation go server side, but I understand that that's not always an option.

Ehtyar.

[f0dder]

As Ehtyar said, handle authentication stuff server-side. If a user's session/whatever has expired, simply deny access to the media files - presto, problem, solved.

[mediaguycouk]

I was worried it might be that way.

What I really wanted was to not have to re-write a whole application when a token based system was already built into the serverside code.

Basically I would have to re-write this actionscript into Java (which I don't know)

Spoiler

Code: ActionScript [Select]

1. // Written by Graham Robinson - [email protected]
2. trace("build 0169");
3.  
4. // To make life easier all applications of main.asc are the same. The secuirty checks that happen between
5. // Internal, ISS authenticated, etc happen by what is defined on the next line
6.  
7. load("appsettings.asc");
8.  
9. // IP CHECK (our website here. No http:// or trailing /)
10. var VALID_REFERRER = "xxx.xxx.xxx.ac.uk";
11.  
12. // Bypass referral
13. // If you are testing on your local computer you can bypass the reffer check
14. // You will still need to pass security to the host unless you use the public profile
15.  
16. //var BYPASS_REFERRER = "yes"; // Comment out as necessary
17. var BYPASS_REFERRER = "no"; // << ALWAYS USE THIS FOR A LIVE SYSTEM
18.  
19. // IP CHECK (power referrer to allow server to connect to itself and for streaming)
20. var POWER_REFERRER = "rtmp://xxx.xxx.ac.uk/"+application.name ;
21.  
22. // Note to self. When you get hold of flash media encoder 2, you need to see how it connects
23. // to the server as the unique key and referrer checks will fail when using the laptop.
24. // The laptop itself may need a static address just to allow entry via IP.
25.  
26. function checkInternal(internalTime, internalTimeHash, pClient) {
27.         var internal_lv = new LoadVars();
28.         internal_lv.load("http://127.0.0.1/flashserver_secure/serversecuritycheck_internal.php?time="+internalTime+"&hash="+internalTimeHash+"&nothingelse");
29.         internal_lv.onLoad = function( success )
30.         {
31.                 //trace("Internal check: "+internal_lv.passed);
32.                 if (internal_lv.passed == "yes") {
33.                         //trace("Accepting connection from internal function")
34.                         application.acceptConnection(pClient);
35.                 } else {
36.                         //trace("Rejecting connection from internal function")
37.                         application.rejectConnection(pClient);
38.                 }
39.         }      
40. }
41. function checkISS(issTime, issTimeHash, pClient) {
42.         var iss_lv = new LoadVars();
43.         iss_lv.load("http://127.0.0.1/flashserver_secure/serversecuritycheck_iss.php?time="+issTime+"&hash="+issTimeHash+"&nothingelse");
44.         iss_lv.onLoad = function( success )
45.         {
46.                 //trace("ISS Check: "+iss_lv.passed);
47.                 if (iss_lv.passed == "yes") {
48.                         //trace("Accepting connection from iss function")
49.                         application.acceptConnection(pClient);
50.                 } else {
51.                         //trace("Rejecting connection from iss function")
52.                         application.rejectConnection(pClient);
53.                 }
54.         }
55. }
56.  
57. // Some code to work with published live servers
58.  
59. // Define the variable we will share to tell when the stream has started
60. isStreaming = new Object();
61.  
62. isStreaming.connected = "no";
63. isStreaming.streaming = "no";
64. isStreaming.clientID = "";
65.  
66. Client.prototype.FCPublish = function(streamname) {
67.         //this.call("onFCPublish", null, {code:"NetStream.Publish.Start", description:"name"});
68.         //trace("I'm funning in a FCPublish function");
69.         isStreaming.streaming = "yes";
70. }
71.  
72. Client.prototype.FCUnpublish = function(streamname) {
73. // perform your clean up
74.         //this.call("onFCUnpublish", null, {code:"NetStream.Unpublish.Success", description:"name"});
75.         //trace("I'm funning in a FCUnpublish function");
76.         isStreaming.streaming = "no";
77. }
78.  
79. Client.prototype.releaseStream = function(streamname) {
80.         // Nothing really needs to go here as FCPublish does all the work
81.         // However the function needs to be defined to remove the 'unknown method' error
82.         //trace("I'm funning in a releaseStream function");
83. }
84.  
85. // Ripping check
86. // this will store references of all clients, and ensure there are no replays
87. clientKeyList = new Object();
88.  
89. application.onConnect = function(pClient, uniqueKey, applicationName, internalTime, internalTimeHash, issTime, issTimeHash) {
90.         //trace("SECURITY_METHOD = "+SECURITY_METHOD);
91.         if (pClient.referrer == POWER_REFERRER && LIVE == "yes") {
92.                 this.acceptConnection(pClient);
93.                 trace("Power referrer conneted: " + pClient.ip);
94.                 isStreaming.connected = "yes";
95.                 isStreaming.clientID = pClient;
96.         } else {
97.                 //pClient.writeAccess = ""; // prevents creating shared object or live streams.
98.  
99.                 // Only allow flash movies to play when they are on our streaming server
100.                 // Note, this does not stop people from putting our .swf file onto their servers
101.                 if (pClient.referrer.split("/")[2] == VALID_REFERRER || BYPASS_REFERRER == "yes") {
102.                         //trace("Accepted IP: "+pClient.referrer);
103.                         if (uniqueKey != undefined) { // make sure there is always a uniqueKey
104.                                 if ( clientKeyList[uniqueKey] == undefined ) {
105.                                         // This client has never connected -- allow the connection
106.                                         pClient.uniqueKey   = uniqueKey;
107.                                         clientKeyList[uniqueKey]  = pClient;
108.  
109.                                         if (isStreaming.connected == "yes" || LIVE == "no") {
110.                                                 if (isStreaming.streaming == "yes" || LIVE == "no") {
111.                                                         // Run the correct security check based on the security type
112.                                                         if (SECURITY_METHOD == "internal") {
113.                                                                 //trace("running checkInternal");
114.                                                                 checkInternal(internalTime, internalTimeHash, pClient);
115.                                                         } else if (SECURITY_METHOD == "iss") {
116.                                                                 //trace("running checkISS");
117.                                                                 checkISS(issTime, issTimeHash, pClient);
118.                                                         } else {
119.                                                                 //trace("Accepted due to security being none");
120.                                                                 this.acceptConnection(pClient);
121.                                                         }
122.                                                 } else {
123.                                                         //trace("Rejected: Broadcast is connected but not streaming");
124.                                                         this.rejectConnection(pClient, {msg:"notStreaming"});
125.                                                 }
126.                                         } else {
127.                                                 //trace("Rejected: Broadcast is not connected");
128.                                                 this.rejectConnection(pClient, {msg:"notConnected"});
129.                                         }
130.                                 } else {
131.                                         trace("Rejected UniqueID");
132.                                         this.rejectConnection(pClient);
133.                            }
134.                         } else {
135.                                   trace("Rejected No UniqueID");
136.                                   this.rejectConnection(pClient);
137.                         }
138.                 } else {
139.                         // If the .swf wasn't on our server, reject and trace the referrer
140.                         this.rejectConnection(pClient, {msg:"Bad referrer"}) ;
141.                         //this.acceptConnection(pClient); // ONLY FOR TESTING PURPOSES
142.                         trace("Rejected IP: "+pClient.referrer);
143.                 }
144.         }
145. }
146.  
147. application.onDisconnect = function(pClient){
148.         if (pClient == isStreaming.clientID) {
149.                 isStreaming.connected = "no";
150.                 isStreaming.clientID = "";
151.                 trace("Power referrer disconnected");
152.         }
153.         //clean up the keys
154.         delete clientKeyList[pClient.uniqueKey];
155.         //trace("Client disconnected");
156. }