Skip to main content
C
CodeRoyal
Inspiring
August 4, 2008
Answered

RTMPE not Protecting Content?

  • August 4, 2008
  • 3 replies
  • 2479 views
Hi everyone,

I'm a bit confused but I believe I am missing a step. Before purchasing the Streaming Server, I need to be sure that the encryption technology works and prevents users from using stream recording technologies to save the clips. (Not referring to screen recorders as we all know they will always work though with loss of some quality.)

I published a flash SWF file using the FLVPlayback component, and pointed it to an RTMPE stream on my server at: rtmpe://66.186.176.18/vod/OSAAT.flv

The source path works as the video plays. To confirm that the stream is encrypted I tried a program called "Replay Media Catcher" that is designed to intercept an RTMP stream to save it. To my complete surprise, it was able to save an exact copy of my RTMP E stream as stored on my server!

I can't imagine that it could have decrypted a 128-bit key, so I think I'm missing something. It's clear that RTMPE is turned on on my server since the path works. Perhaps there's an additional step to have it actually send a stream in an encrypted form? Is there possibly a key that I need to place in the FLV file?

If so, can someone point me to documentation on how to set this up?

Any help would be appreciated!

Alan
    This topic has been closed for replies.
    Correct answer CodeRoyal
    Hi,

    Thanks for the documentation. No however, those steps don't work to protect the content. This is what confused me in my previous posts. That guide talks about the same technologies, using verification and RTMPE however the Replay software can bypass it. (At least with the new version now)

    John correctly answered that the only way to protect content is through Adobe's DRM product. Unfortunately Adobe wants $40,000 for it, meaning it's not targeted to the regular consumer/host.

    I've switched to Silverlight because their DRM is free (though there's an approval process by Microsoft that can take a few weeks), but I'll continue to use Adobe Flash Streaming Server for content that I'm not worried about being stolen.

    I'm open to outsourcing the flash video files to a third-party host that provides Adobe DRM protection with their streaming, but I've yet to find one that does.

    I do believe Adobe has a solution, but they presently feel that the solution to truly protecting their content is worth so much, that most of their customers wouldn't afford it, which is disappointing.

    Nonetheless, 99% of my content should still be OK in FMS so I'll continue to use it anyway.

    3 replies

    U
    uygf
    Participant
    August 21, 2008
    CodeRoyal:
    Did you see this:

    http://www.adobe.com/devnet/flashmediaserver/articles/protecting_video_fms.pdf

    Kevin Towes talks about ways to protect against stream ripping (Replay catcher etc) among other security issues.

    (sorry about the empty message)

    Ed
    C
    CodeRoyalAuthorCorrect answer
    Inspiring
    August 21, 2008
    Hi,

    Thanks for the documentation. No however, those steps don't work to protect the content. This is what confused me in my previous posts. That guide talks about the same technologies, using verification and RTMPE however the Replay software can bypass it. (At least with the new version now)

    John correctly answered that the only way to protect content is through Adobe's DRM product. Unfortunately Adobe wants $40,000 for it, meaning it's not targeted to the regular consumer/host.

    I've switched to Silverlight because their DRM is free (though there's an approval process by Microsoft that can take a few weeks), but I'll continue to use Adobe Flash Streaming Server for content that I'm not worried about being stolen.

    I'm open to outsourcing the flash video files to a third-party host that provides Adobe DRM protection with their streaming, but I've yet to find one that does.

    I do believe Adobe has a solution, but they presently feel that the solution to truly protecting their content is worth so much, that most of their customers wouldn't afford it, which is disappointing.

    Nonetheless, 99% of my content should still be OK in FMS so I'll continue to use it anyway.
    U
    uygf
    Participant
    August 23, 2008
    Uhm.... Did you actually read the paper?
    In a section, he acknowledges that rtmpe doesn't protect from R. media catcher, and then gives the solution! it is a simple server side AS code that does the job. Kevin Towes is an engineer @Adobe and knows what he is talking about.
    I guess you just gave up reading when you saw the usual swf verification/rtmpe in the beginning.

    So once again, you don't need to pay $40,000 for DRM or switch to Silverlight for this type of security.
    Cheers.
    A
    Anonymous
    August 11, 2008

    swf verification should help for now.

    C
    CodeRoyalAuthor
    Inspiring
    August 13, 2008
    I'm working on that now. I'm following the guide here http://fmsguru.com/showtutorial.cfm?tutorialID=13
    to try to turn on SWF verification. Unfortunately, all of the guides and tutorials are built on the presumption that the viewer will know how to implement the NetConnection components, and unfortunately I have yet to learn how to even import anything in a script, yet to write a script.

    The tuturial mentions adding an nc.connect line to the flash file. The swf files I use are basic video windows based on the FLVPlayback component with no custom changes and no script shows up when I press F9. I suspect there's no script available because the FLVPlayback components are already compiled.

    I need to figure out how to create a script that will import the NetConnect libraries and let me make a nc.connect call to the server. Of course, the demo shows that the SWF file actually executed even when failing the test, and I am unsure whether this would actually stop the video from playing in the SWF file anyway.
    C
    CodeRoyalAuthor
    Inspiring
    August 4, 2008
    Forgot to add that I am using Adobe Flash CS3 Professional 9.0 and the included FLVPlayback component with it. Windows Version.

    Further, when I say it stored the entire RTMPE stream, I mean it was able to save the full FLV clip on the computer in a playable form. In short, it downloaded the clip which was supposedly encrypted through RTMPE.

    The version of the Media Catcher application used to intercept the stream was the beta version 3.0, and not the 2.0 version.
    C
    Chris___W
    Participant
    August 4, 2008
    A follow-up question: To ensure that the video stream is always encrypted (and that the content is never sent unencrypted), is there a way to disable plain rtmp connections?
    C
    Chris___W
    Participant
    August 5, 2008
    CodeRoyal - I'm quite new to this also, but I was reading a document somewhere that discussed this issue at a high level. The document said that we are confusing two concepts - "encryption" and "access control". Both concept is necessary for a completely secure solution, but each concept protects against a different type of "attack".

    RTMPE prevents packets from being intercepted in the middle (for example, with a network packet sniffer). This is the encryption. To prevent someone from connecting to your stream, you need some form of access control. With flash media server, the access control can be provided by SWF verification. By using SWF verification, you can prevent third-party clients from connecting to your stream and ripping your content.

    I certainly could be wrong about this, but that's the way I understand it right now.

    If you discover anything else, I'd appreciate it if you could post it here so me (and other people in the future) could understand this issue better.
    Terms & ConditionsAccessibility statement
    Using the community Terms of use Privacy Cookie preferences Do not sell or share my personal information ad choicesAdChoices