Wowza Community

Secure streaming to the iPhone and iPod Touch (AES-128, internal method)

I really have not tried self-signed certificate on iOS. Can’t really help.

Charlie

  1. Encryption for live streaming is on the origin. There is no way to do per-session encryption with a live stream. It is per-stream. It is all done on the origin and forwarded to the edges.

  2. Yes, all communication between edge and origin is RTMP but there is a separate connection for RTMP and Cupertino for the same stream. We just stream Cupertino chunks over RTMP.

Charlie

Yes, I think that's the way it works: a new key is generated for each session.

Richard

To start, you need to compile this in the Wowza IDE; then there is additional code that needs to be written. Take a look at this other method for securing the iPhone, to see if it is a better method for you:

http://www.wowza.com/community/t/-/83

Richard

I’m not sure if this is going to work for that combo, but the ModuleOnConnectAuthenticate can be used for authentication from Flash apps that will publish:

http://www.wowza.com/forums/showthread.php?t=7812

Try placing this above ModuleRTMPAuthenticate. And if that doesn’t work, try putting it below, last in the Modules list. You have to modify the NetConnection.connect of the Flash app.

Richard

Try going back to SecureURLParams. That should work. I think you have to use the Wowza 1.7.2 MediaSecurity Addon:

http://www.wowza.com/community/t/-/45

Richard

Can you zip up and send the startup package to support@wowza.com? Please reference this thread.

Richard

Nish,

I think you just have to start over with this. You had it working and now it is not working, so you know that it does work; it's not a bug in Wowza or the package, so you have made a mistake somewhere.

Richard

Nish,

Can you paste in your Application.xml?

Richard

Sounds similar to this:

http://www.wowza.com/forums/showthread.php?t=10236&page=2#17

So check your Application.xml Properties list.

Richard

I think maybe there is some overlap and confusion regarding the encryption key, caused by your frequent replays in a short time.

Richard

Eric,

From your description, with encryption in place, it sounds like your stress test is breaking the system, but I don't think it is a valid load test. Wowza has a load test tool that simulates many connections for a live or vod application. It only does rtmp streams, but you can extrapolate. You can get the load test tool by sending a request to test@wowza.com.

Richard

Eric,

It’s just not a valid load test tool. You are only proving that you can confuse Wowza and the phone, which is streaming from a high-latency playlist of encrypted chunks grouped by sessionID.

You can get the load test tool by sending a request to test@wowza.com. The load test tool only does vod and live rtmp streaming, but it gives you an idea of what your server can handle, and you can extrapolate.

Richard

Eric,

The way to test encryption is download one of the .ts chunks from the playlist and try to play it in VLC. It should not be playable in VLC if encryption is working correctly.

The way to download one of the .ts chunks is:

  • Enter the playlist.m3u8 URL in a browser, for example:

    http://localhost:1935/vod/mp4:sample.mp4/playlist.m3u8

    A playlist.m3u8 file is downloaded to your computer.

  • Open the downloaded playlist.m3u8 file in a text editor, then copy the URL you see (including the wowzasessionid) to a browser. It will look something like this:

    http://localhost:1935/vod/mp4:sample.mp4/playlist.m3u8?wowzasessionid=1776170579

    Another playlist.m3u8 file is downloaded to your computer.

  • Open the new playlist.m3u8 file, then copy one of the .ts URLs with the wowzasessionid appended, something like this:

    http://localhost:1935/vod/mp4:sample.mp4/media_4.ts?wowzasessionid=1776170579

Richard
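The manual check above (playlist, session playlist, one .ts chunk, does VLC play it) can be scripted. The following is an added example, not Wowza's code and not from the thread's author: it parses the session playlist, confirms the #EXT-X-KEY tag and that key and chunks carry the same wowzasessionid, and then inspects the chunk bytes instead of opening them in VLC. A cleartext MPEG-TS file has the sync byte 0x47 at the start of every 188-byte packet; an AES-128-encrypted chunk does not, which is exactly why VLC refuses it. The playlist, the key path "crypt.key" and the chunk bytes are constructed sample data (Wowza's real key URL is not on this page); fetching from a live server is left to the caller.

```python
"""Verify that HLS chunks served by Wowza are actually encrypted (added example)."""
import re
from urllib.parse import parse_qs, urlparse

TS_PACKET = 188
SYNC_BYTE = 0x47
KEY_TAG = "#EXT-X-KEY:"


def parse_playlist(text):
    """Return (key_method, key_uri, media_urls) from an .m3u8 body.

    key_method is None when the playlist carries no #EXT-X-KEY tag,
    i.e. the chunks are not encrypted at all.
    """
    key_method, key_uri, media = None, None, []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(KEY_TAG):
            attrs = dict(re.findall(r'([A-Z-]+)=("[^"]*"|[^,]*)', line[len(KEY_TAG):]))
            key_method = attrs.get("METHOD")
            key_uri = attrs.get("URI", "").strip('"') or None
        elif line and not line.startswith("#"):
            media.append(line)
    return key_method, key_uri, media


def session_id(url):
    """The wowzasessionid query value Wowza appends to playlist, key and chunk URLs."""
    return parse_qs(urlparse(url).query).get("wowzasessionid", [None])[0]


def looks_like_cleartext_ts(data):
    """True when every 188-byte packet boundary holds the MPEG-TS sync byte."""
    if len(data) < TS_PACKET:
        return False
    usable = len(data) - len(data) % TS_PACKET
    return all(data[i] == SYNC_BYTE for i in range(0, usable, TS_PACKET))


def audit(session_playlist, chunk_bytes):
    """Summarise what a defender wants to know about one session's stream."""
    method, key_uri, media = parse_playlist(session_playlist)
    key_sid = session_id(key_uri) if key_uri else None
    chunk_sids = {session_id(m) for m in media}
    return {
        "declares_aes128": method == "AES-128",
        "chunk_count": len(media),
        # key and chunks should be tied to the same wowzasessionid
        "session_consistent": bool(media) and chunk_sids == {key_sid},
        "chunk_is_cleartext": looks_like_cleartext_ts(chunk_bytes),
    }


# --- constructed sample data (no server involved) ---------------------------
# Session-specific playlist in the shape the post describes; "crypt.key" is a
# placeholder path, not Wowza's real key URL.
SAMPLE_SESSION_PLAYLIST = """#EXTM3U
#EXT-X-VERSION:3
#EXT-X-TARGETDURATION:10
#EXT-X-MEDIA-SEQUENCE:0
#EXT-X-KEY:METHOD=AES-128,URI="http://localhost:1935/vod/mp4:sample.mp4/crypt.key?wowzasessionid=1776170579"
#EXTINF:10.0,
http://localhost:1935/vod/mp4:sample.mp4/media_0.ts?wowzasessionid=1776170579
#EXTINF:10.0,
http://localhost:1935/vod/mp4:sample.mp4/media_1.ts?wowzasessionid=1776170579
"""

# Three valid-looking cleartext TS packets: sync byte, null PID 0x1FFF, payload.
CLEARTEXT_CHUNK = (bytes([SYNC_BYTE, 0x1F, 0xFF, 0x10]) + b"\xff" * (TS_PACKET - 4)) * 3
# Same size, but a byte pattern with no sync bytes, as an encrypted chunk looks.
ENCRYPTED_CHUNK = bytes((i * 37 + 11) & 0xFF for i in range(TS_PACKET * 3))

if __name__ == "__main__":
    print(audit(SAMPLE_SESSION_PLAYLIST, ENCRYPTED_CHUNK))
    print(audit(SAMPLE_SESSION_PLAYLIST, CLEARTEXT_CHUNK))
```

Run it against a real download by reading the session playlist and one chunk from disk and passing them to audit(); "chunk_is_cleartext": True with "declares_aes128": True means the chunks are being served unencrypted despite the playlist claiming otherwise, which is the case to investigate.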

You have to build the module and add Module and Properties to Application.xml.

https://www.wowza.com/docs/how-to-use-the-internal-method-of-aes-128-encryption-to-secure-live-or-vod-streams-sent-to-apple-ios-devices-moduleencryptionhandlercupertinostreaming

Richard

Eric,

In origin/edge (liverepeater), this encryption module is set up on the origin, so the stream from the origin to the edge, and then from the edge to the client, is encrypted. Note the properties at the bottom of the post for configuring an edge application.

RTSP and RTMP are handled separately in the origin-to-edge connection; that is how it works.

Richard

Hi All,

I need to add secure live streaming to an iPhone app using the HTTP streaming protocol.

I have read this tutorial but I'm totally confused.

Tell me if I need to use this:

http://[localhost]:1935/[App_name]/[stream_name]/playlist.m3u8

How can I use the key here?

Also, how can these methods be called?

    public void onHTTPCupertinoEncryptionKeyRequest(HTTPStreamerSessionCupertino httpCupertinoStreamingSession, IHTTPRequest req, IHTTPResponse resp)
    {
        // Called when a player fetches the AES-128 key for an HLS session; decide whether to hand it out
        boolean isGood = true;

        // Session details available for making that decision
        String ipAddress = httpCupertinoStreamingSession.getIpAddress();
        String queryStr = req.getQueryString();
        String referrer = httpCupertinoStreamingSession.getReferrer();
        String cookieStr = httpCupertinoStreamingSession.getCookieStr();
        String userAgent = httpCupertinoStreamingSession.getUserAgent();
        String sessionId = httpCupertinoStreamingSession.getSessionId();
        IApplicationInstance appInstance = httpCupertinoStreamingSession.getAppInstance();
        String streamName = httpCupertinoStreamingSession.getStreamName();

        // reject encryption key requests that are not delivered over SSL
        //if (!req.isSecure())
        //    isGood = false;

        getLogger().info("ModuleEncryptionHandlerCupertinoStreaming.onHTTPCupertinoEncryptionKeyRequest[" + appInstance.getContextStr() + "/" + httpCupertinoStreamingSession.getStreamName() + "]: accept:" + isGood);

        if (!isGood)
            httpCupertinoStreamingSession.rejectSession();
    }

    public void onHTTPCupertinoEncryptionKeyCreateLive(IApplicationInstance appInstance, String streamName, byte[] encKey)
    {
        // Live: one key per stream, derived from the shared secret and the stream's identity
        String mySharedSecret = appInstance.getProperties().getPropertyStr("cupertinoEncryptionSharedSecret", "");
        String hashStr = mySharedSecret + ":" + appInstance.getApplication().getName() + ":" + appInstance.getName() + ":" + streamName;
        byte[] tmpBytes = MD5DigestUtils.generateHashBytes(hashStr);
        if (tmpBytes != null)
            System.arraycopy(tmpBytes, 0, encKey, 0, encKey.length);

        // Log only the tail of the key, never the whole value
        getLogger().info("ModuleEncryptionHandlerCupertinoStreaming.onHTTPCupertinoEncryptionKeyCreateLive[" + appInstance.getContextStr() + "/" + streamName + "]: *" + BufferUtils.encodeHexString(encKey).substring(28));
    }

    public void onHTTPCupertinoEncryptionKeyCreateVOD(HTTPStreamerSessionCupertino httpCupertinoStreamingSession, byte[] encKey)
    {
        // VOD: one key per session, because the session id is folded into the hash
        String ipAddress = httpCupertinoStreamingSession.getIpAddress();
        String queryStr = httpCupertinoStreamingSession.getQueryStr();
        String referrer = httpCupertinoStreamingSession.getReferrer();
        String cookieStr = httpCupertinoStreamingSession.getCookieStr();
        String userAgent = httpCupertinoStreamingSession.getUserAgent();
        IApplicationInstance appInstance = httpCupertinoStreamingSession.getAppInstance();
        String streamName = httpCupertinoStreamingSession.getStreamName();
        String sessionId = httpCupertinoStreamingSession.getSessionId();

        String mySharedSecret = appInstance.getProperties().getPropertyStr("cupertinoEncryptionSharedSecret", "");
        String hashStr = mySharedSecret + ":" + sessionId + ":" + appInstance.getApplication().getName() + ":" + appInstance.getName() + ":" + httpCupertinoStreamingSession.getStreamName();
        byte[] tmpBytes = MD5DigestUtils.generateHashBytes(hashStr);
        if (tmpBytes != null)
            System.arraycopy(tmpBytes, 0, encKey, 0, encKey.length);

        // Log only the tail of the key, never the whole value
        getLogger().info("ModuleEncryptionHandlerCupertinoStreaming.onHTTPCupertinoEncryptionKeyCreateVOD[" + appInstance.getContextStr() + "/" + httpCupertinoStreamingSession.getStreamName() + "]: *" + BufferUtils.encodeHexString(encKey).substring(28));
    }

Thanks

Please, it's urgent.
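The three handlers pasted above are callbacks: Wowza invokes them itself once the module is listed in Application.xml, and the player never sees a key in the playlist URL; it fetches it from the key URI in the session playlist. What the two CreateLive/CreateVOD handlers actually compute is easier to see in a small model. The following is an added example, not Wowza's code; it assumes MD5DigestUtils.generateHashBytes(s) returns the 16-byte MD5 of s (an assumption, consistent with the sample copying its output into the 16-byte AES-128 key). It shows that the live key is a function of the stream alone, so two viewers of one live stream share it, while the VOD key also folds in the wowzasessionid, so each VOD session gets its own. Note also that the property lookup defaults to an empty string: if cupertinoEncryptionSharedSecret is not set, the key is derived from nothing but public application and stream names.

```python
"""Model of the AES-128 key derivation in the pasted module code (added example)."""
import hashlib

AES128_KEY_LEN = 16


def _derive(hash_str):
    # Stand-in for MD5DigestUtils.generateHashBytes + System.arraycopy into encKey
    # (assumption: generateHashBytes is a plain 16-byte MD5 of the UTF-8 string)
    return hashlib.md5(hash_str.encode("utf-8")).digest()[:AES128_KEY_LEN]


def live_key(shared_secret, app_name, instance_name, stream_name):
    """onHTTPCupertinoEncryptionKeyCreateLive: secret:app:instance:stream."""
    return _derive(f"{shared_secret}:{app_name}:{instance_name}:{stream_name}")


def vod_key(shared_secret, session_id, app_name, instance_name, stream_name):
    """onHTTPCupertinoEncryptionKeyCreateVOD: secret:session:app:instance:stream."""
    return _derive(f"{shared_secret}:{session_id}:{app_name}:{instance_name}:{stream_name}")


def masked_key_for_log(key):
    """Mirror the module's log line: only the last 4 of 32 hex chars are written."""
    return "*" + key.hex()[28:]


def secret_is_configured(properties):
    """Mirror getPropertyStr(..., ""): an absent or empty property means a weak key."""
    return bool(properties.get("cupertinoEncryptionSharedSecret", ""))


def keys_differ_per_session(shared_secret, app_name, instance_name, stream_name, sid_a, sid_b):
    """True when two sessions of the same VOD asset receive different keys."""
    a = vod_key(shared_secret, sid_a, app_name, instance_name, stream_name)
    b = vod_key(shared_secret, sid_b, app_name, instance_name, stream_name)
    return a != b


if __name__ == "__main__":
    # constructed values; "mypassword" is the placeholder used elsewhere in this thread
    secret, app, inst, stream = "mypassword", "vod", "_definst_", "mp4:sample.mp4"
    print("live  ", masked_key_for_log(live_key(secret, app, inst, stream)))
    print("vod  a", masked_key_for_log(vod_key(secret, "1776170579", app, inst, stream)))
    print("vod  b", masked_key_for_log(vod_key(secret, "1776170580", app, inst, stream)))
    print("secret set:", secret_is_configured({"cupertinoEncryptionSharedSecret": secret}))
```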

Hi Richard,

I have used RTMPAuthentication for publishing from the FMLE encoder and SecureToken for playback by the Flash player.

Now I have the following setup in conf:

    <Module>
        <Name>ModuleRTMPAuthenticate</Name>
        <Description>ModuleRTMPAuthenticate</Description>
        <Class>com.wowza.wms.plugin.security.ModuleRTMPAuthenticate</Class>
    </Module>

    <Property>
        <Name>secureTokenSharedSecret</Name>
        <Value>mypassword</Value>
    </Property>

in Flash AS:

    if (infoObject.info.code == "NetConnection.Connect.Success")
    {
        // answer the server's SecureToken challenge with the shared secret
        if (infoObject.info.secureToken != null)
            nc.call("secureTokenResponse", null, TEA.decrypt(infoObject.info.secureToken, "mypassword"));
    }

Now, the problem is that publishing from FMLE and playback by the Flash player work fine,

BUT

if I need to publish from the Flash player, it rejects the stream, saying the stream is not authorized to publish.

I need to support FMLE (publish)/Flash player (play) and Flash player (publish)/Flash player (play) with the same Wowza application.

Also, if I add the SecureToken module to conf, it does not allow FMLE to publish.

Please help, it's really urgent.

Thanks a lot

Hi Richard,

I have tried both approaches but no result :(

Still:

NetStream.Publish.Failed (Not authorized to publish)

Isn't there any other way by which I can support both publish/play by the Flash player and publish (FMLE)/play (Flash player)?

Thanks

I am using this method, but I have a question about cupertinoEncryptionBaseURL that I can't seem to find the answer to.

I have 2 Wowza boxes running on EC2 and I am using a zip config package to start the boxes. How am I supposed to be setting this URL? I am trying the following, but it does not work:

    <Property>
        <Name>cupertinoEncryptionBaseURL</Name>
        <Value>http://${com.wowza.amazonaws.ec2.AWSEC2_METADATA_PUBLIC_HOSTNAME}:1935</Value>
    </Property>

It results in a URL that looks like http://${com.wowza.amazonaws.ec2.AWSEC2_METADATA_PUBLIC_HOSTNAME}:1935 and not the EC2 hostname. So I am doing something wrong here...

My other question is: if I make a DNS alias to something like wowza.myhost.com and then use that, does it matter which host gets the connection for cupertinoEncryptionBaseURL, or do I have to ensure that the Wowza box handling the request is the one to hand out the encryption key?

What is the correct way to do this when launching more than one box, or launching a Wowza box without knowing what its IP will be before it starts?