This article covers Wowza RTMP authentication with a third-party token provider using the Tiny Encryption Algorithm (TEA). It continues the previous post on setting up a basic RTMP authentication module on Wowza Engine version 4 and above.
The task is divided into 3 parts:
- RTMP Encoder Application
- Wowza RTMP Auth module
- Third party Authentication Server
The component diagram is as follows:
The components are explained in detail below:
1. Wowza RTMP Auth module
The Wowza server receives an RTMP stream URL in the format:
rtmp://username:pass@wowzaip:1935/Application/streamname
It treats username and pass as the user credentials. The RTMP auth module invokes the getPassword() function of the deployed application class, passing the username as a parameter. The username is then encrypted using TEA (Tiny Encryption Algorithm).
TEA is a symmetric (private-key) block cipher. It takes a 64-bit block of plaintext or ciphertext together with a 128-bit key and produces the corresponding ciphertext or plaintext block.
The code for encryption is:
TEA.encrypt(username, sharedSecret);
The code to make a connection to the third-party auth server is:
url = new URL(serverTokenValidatorURL);
URLConnection connection = url.openConnection();
connection.setDoOutput(true);
OutputStreamWriter out = new OutputStreamWriter(connection.getOutputStream());
// the POST body carries the TEA-encrypted username as the clientid field
out.write("clientid=" + TEA.encrypt(username, sharedSecret));
out.close();
The sharedSecret is the common key held by both the auth server and the Wowza server. It must be at least a 16-character alphanumeric / special-character key; an example shared secret is abcdefghijklmnop. The value can be stored as a property in the Application.xml file:
<Property>
<Name>secureTokenSharedSecret</Name>
<Value><![CDATA[abcdefghijklmnop]]></Value>
</Property>
<Property>
<Name>serverTokenValidatorURL</Name>
<Value>http://127.0.0.1:8080/TokenProvider/authentication/token</Value>
</Property>
The value of serverTokenValidatorURL is the third-party auth server endpoint that listens for the REST POST request.
The code for receiving the resulting JSON data is:
ObjectMapper mapper = new ObjectMapper();
JsonNode node = mapper.readTree(connection.getInputStream());
JsonNode tokenNode = node.get("publisherToken");
if (tokenNode == null) {
    // the auth server answered {"error":"Invalid Client"}: no password for this user
    return null;
}
String token = tokenNode.asText();
String token2 = TEA.decrypt(token, sharedSecret);
2. Third-party Authentication Server
The third-party auth server stores the users' passwords or performs OAuth-based authentication. It uses the shared secret key to decrypt the token with TEA, as explained in the section above.
The code to decrypt the incoming clientId is:
TEA.decrypt(id, sharedSecret);
Add your own custom logic to check files, databases, etc. to obtain the password corresponding to the username decrypted above.
The code to encrypt the password for the user if one exists, or to send an invalid response if not, is:
try {
    String clientID = TEA.decrypt(id, sharedSecret);
    String token = findUserPassword(clientID);
    token = TEA.encrypt(token, sharedSecret);
    return "{\"publisherToken\":\"" + token + "\"}";
} catch (Exception ex) {
    return "{\"error\":\"Invalid Client\"}";
}
The final call flow thus becomes:
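The following is an added example, not code from the article or from Wowza: a Python model of the whole exchange described in both sections (Wowza side encrypting the username and decrypting the returned publisherToken, auth-server side decrypting the clientid and encrypting the stored password), with TEA implemented from scratch so it runs offline. The article's TEA.encrypt/TEA.decrypt helpers are not shown, so the block-level details here are assumptions: PKCS#7 padding to 8-byte blocks, ECB mode and hex encoding. USER_DB, in_process_post (a stand-in for the HTTP POST to serverTokenValidatorURL) and the stream URL are constructed for the example.

```python
"""Added example: Wowza <-> token-provider exchange modelled in Python.
Padding, block mode and hex encoding are assumptions (the article's TEA class
does not show them); USER_DB and in_process_post are constructed stand-ins."""
import hmac
import json
import struct
from urllib.parse import urlparse

DELTA = 0x9E3779B9      # TEA's key-schedule constant
MASK32 = 0xFFFFFFFF
ROUNDS = 32
SHARED_SECRET = "abcdefghijklmnop"   # the article's example secureTokenSharedSecret


def _key_words(key: str):
    raw = key.encode()
    if len(raw) != 16:               # TEA takes exactly a 128-bit key
        raise ValueError("shared secret must be 16 bytes")
    return struct.unpack(">4I", raw)


def _encrypt_block(v0, v1, k):
    s = 0
    for _ in range(ROUNDS):
        s = (s + DELTA) & MASK32
        v0 = (v0 + (((v1 << 4) + k[0]) ^ (v1 + s) ^ ((v1 >> 5) + k[1]))) & MASK32
        v1 = (v1 + (((v0 << 4) + k[2]) ^ (v0 + s) ^ ((v0 >> 5) + k[3]))) & MASK32
    return v0, v1


def _decrypt_block(v0, v1, k):
    s = (DELTA * ROUNDS) & MASK32
    for _ in range(ROUNDS):
        v1 = (v1 - (((v0 << 4) + k[2]) ^ (v0 + s) ^ ((v0 >> 5) + k[3]))) & MASK32
        v0 = (v0 - (((v1 << 4) + k[0]) ^ (v1 + s) ^ ((v1 >> 5) + k[1]))) & MASK32
        s = (s - DELTA) & MASK32
    return v0, v1


def tea_encrypt(text: str, key: str) -> str:
    """Pad to 8-byte blocks, encrypt each block (ECB, assumed), return hex."""
    k = _key_words(key)
    data = text.encode()
    pad = 8 - len(data) % 8
    data += bytes([pad]) * pad
    out = bytearray()
    for i in range(0, len(data), 8):
        v0, v1 = struct.unpack(">2I", data[i:i + 8])
        out += struct.pack(">2I", *_encrypt_block(v0, v1, k))
    return out.hex()


def tea_decrypt(token: str, key: str) -> str:
    """Inverse of tea_encrypt; raises ValueError on malformed input or bad padding."""
    k = _key_words(key)
    data = bytes.fromhex(token)
    if not data or len(data) % 8:
        raise ValueError("ciphertext is not a whole number of TEA blocks")
    out = bytearray()
    for i in range(0, len(data), 8):
        v0, v1 = struct.unpack(">2I", data[i:i + 8])
        out += struct.pack(">2I", *_decrypt_block(v0, v1, k))
    pad = out[-1]
    if not 1 <= pad <= 8 or out[-pad:] != bytes([pad]) * pad:
        raise ValueError("bad padding")
    return out[:-pad].decode()


# ---- third-party auth server side -------------------------------------------
USER_DB = {"alice": "s3cret-pw", "bob": "hunter2xyz"}   # constructed password store


def token_provider(clientid: str, shared_secret: str) -> str:
    """Handles the clientid field of the POST and returns the JSON the article shows."""
    try:
        username = tea_decrypt(clientid, shared_secret)
        token = tea_encrypt(USER_DB[username], shared_secret)
        return json.dumps({"publisherToken": token})
    except (KeyError, ValueError):
        return json.dumps({"error": "Invalid Client"})


def in_process_post(body: str) -> str:
    """Stand-in for the URLConnection POST to serverTokenValidatorURL (no network)."""
    fields = dict(f.split("=", 1) for f in body.split("&"))
    return token_provider(fields.get("clientid", ""), SHARED_SECRET)


# ---- Wowza RTMP auth module side -------------------------------------------
def parse_rtmp_url(url: str):
    """rtmp://username:pass@host:port/Application/streamname -> (user, pass, app, stream)"""
    p = urlparse(url)
    app, _, stream = p.path.lstrip("/").partition("/")
    return p.username, p.password, app, stream


def get_password(username: str, shared_secret: str, post):
    """Models getPassword(): encrypt the username, POST it, decrypt the returned token."""
    node = json.loads(post("clientid=" + tea_encrypt(username, shared_secret)))
    if "publisherToken" not in node:        # server answered {"error": ...}
        return None
    return tea_decrypt(node["publisherToken"], shared_secret)


def authenticate(rtmp_url: str, shared_secret: str, post) -> bool:
    username, supplied, _app, _stream = parse_rtmp_url(rtmp_url)
    if not username or supplied is None:
        return False
    expected = get_password(username, shared_secret, post)
    if expected is None:
        return False
    return hmac.compare_digest(expected.encode(), supplied.encode())


if __name__ == "__main__":
    url = "rtmp://alice:s3cret-pw@127.0.0.1:1935/live/stream1"   # constructed
    print(authenticate(url, SHARED_SECRET, in_process_post))
```

Two things worth noticing when running it: the Wowza side compares the decrypted token against the supplied password with a constant-time comparison, and the publisherToken is a deterministic function of the stored password and the shared secret, so the same user always receives the same token and the response itself carries no freshness.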
Screenshots:
Hi
If a person monitors the data from steps 1 & 4, can he reuse 1 & 4 and gain access to the server? Or is there an encrypted time-stamp bundled with step 4 to cross-check (inside the media server) and protect?
Regards
Gopi. J
Hi
Nice share.
In my opinion the most stable iptv boxes are those from Fishbone IPTV cloud
I would like to see more posts like this
Thanks