
06-18-2009, 10:20 PM
any user of the forum who preferred to post anonymously
Join Date: Aug 2011
Location: Server of stream-recorder.com
Posts: 211
 Re: secure RTMPE protocol. Is it really secure???
There are several problems with adobe's approach:
- there is no "encryption key" in RTMPE.
there is, however, a magic constant (actually, three). the first is "Genuine Adobe Flash Player 001"; the second is "Genuine Adobe Flash Media Server 001" and the third is some unpronounceable random crud which you can get by looking at the first post
- there is no "protection" in RTMPE.
RTMPE is an algorithm that uses industry-standard crypto primitives, magic constants and publicly-available information (the SWF file) to do two things:
a) provide end-to-end secrecy, just like SSL
b) link knowledge of the size and a hash of the SWF file to the connection.
adobe claim [translation: lie to their customers, thus exposing themselves to lawsuits] that this "validation" process _guarantees_ that only someone with the SWF file (that was publicly accessible and publicly downloadable from a web site) can download the content. what they imply from that is that only someone who _executes_ the SWF file can download the content, which is blatantly false.
from the algorithm: if anyone knows the SWF file's hash and its size, they can use the algorithm to access the content. executing the SWF file or even having it _at all_ is irrelevant.
- if you want to get arsey about it, and say that the words "Genuine Adobe Flash Player 001" are an "encryption key", then you have a problem, because there is further input into the "validation" algorithm: the SWF file itself.
that makes the SWF file also an "encryption key".
... whoops.
you can immediately work out the implications, here, for yourself, but here's some of the more hilarious ones:
* how can you claim that a key is secret, yet make it publicly available on the internet?
* if you want to keep this "key" secret, surely you should go after all web browser distributors, and everyone who has HTTP caching technology, DEMANDING that they "protect" - remove - SWF files from caches.
this latter is quite easily achieved. you just block *.swf files.
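
Added example (not part of the post above, and not RTMPE's wire algorithm): a simplified Python model of the post's argument that a check built only from public values (a constant, the SWF hash, the SWF size) cannot tell a client that holds the file from one that only knows the two numbers, next to a check keyed by a per-user secret. The function names, the SHA-256/HMAC construction, the nonce and the sample bytes are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import struct

# Public constant quoted in the post; anyone can read it.
PUBLIC_CONSTANT = b"Genuine Adobe Flash Player 001"


def swf_facts(swf_bytes):
    """The two public facts the post names: a hash of the file and its size."""
    return hashlib.sha256(swf_bytes).digest(), len(swf_bytes)


def public_proof(swf_hash, swf_size, nonce):
    """Toy 'validation' value built only from public inputs (assumed layout)."""
    msg = swf_hash + struct.pack(">I", swf_size) + nonce
    return hmac.new(PUBLIC_CONSTANT, msg, hashlib.sha256).digest()


def server_accepts_public(expected_hash, expected_size, nonce, proof):
    """Server side of the toy check: recompute and compare in constant time."""
    expected = public_proof(expected_hash, expected_size, nonce)
    return hmac.compare_digest(expected, proof)


def secret_proof(user_secret, nonce):
    """Contrast: proof keyed by a secret issued to one authenticated user."""
    return hmac.new(user_secret, nonce, hashlib.sha256).digest()


def demo():
    swf = b"CWS" + bytes(range(256)) * 4       # constructed stand-in for a SWF
    swf_hash, swf_size = swf_facts(swf)         # what the server has on record
    nonce = os.urandom(16)

    # Client A holds (and could execute) the file.
    a = public_proof(*swf_facts(swf), nonce)
    # Client B never had the file, only the two published values.
    b = public_proof(swf_hash, swf_size, nonce)

    user_secret = os.urandom(32)                # known to server and one user
    guess = secret_proof(b"\x00" * 32, nonce)   # B does not know the secret
    return {
        "holder_accepted": server_accepts_public(swf_hash, swf_size, nonce, a),
        "non_holder_accepted": server_accepts_public(swf_hash, swf_size, nonce, b),
        "indistinguishable": a == b,
        "secret_scheme_rejects_non_holder": not hmac.compare_digest(
            secret_proof(user_secret, nonce), guess),
    }
```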