Department of Computer Science & Engineering San Jose State University


1 Department of Computer Science & Engineering, San Jose State University
An Analysis of RTSP Network Security
CMPE 209 Team Presentation
Presented by team HACKERS: Bhupinder Singh Narang, Farhad Doneshwar, Ishita James, Jasleen Pandher, Manjot Kaur, Shubha Gururaja Rao

2 Agenda
- Streaming
- RTSP
- Security considerations

3 Streaming
- What is streaming?
- Different streaming protocols

4 Introduction to RTSP
- Session control protocol for streaming media
- Supports VCR-like operations (play, pause)
- Supports media retrieval
- Supports adding media to an existing session
- Acts as a "network remote control" for the media server

5 Introduction to RTSP (cont.)
- Protocol properties
- RTSP message format
- RTSP message types: requests and responses
- IETF standard: RFC 2326

6 RTSP State Transitions
- SETUP: starts an RTSP session and allocates server resources for a stream
- PLAY and RECORD: start data transmission of the stream
- PAUSE: temporarily halts a stream without freeing server resources
- TEARDOWN: frees the resources associated with the stream and ends the session

7 Working of RTSP

8 RTSP Message Exchange

9 RTSP Security Considerations
- Authentication mechanism
- Choice of authentication schemes
  - Basic authentication
  - Digest authentication
- Abuse of server log information
- Transfer of sensitive information
- Concentrated denial-of-service attack
- Session hijacking

10 RTSP Security Considerations (cont.)
Authentication mechanism. RTSP reuses the HTTP authentication framework; a client MUST be able to:
- recognize the 401 (Unauthorized) status code;
- parse the WWW-Authenticate challenge and send the matching Authorization header;
- implement both Basic authentication and Digest authentication.

11 RTSP Security Considerations (cont.)
Choice of authentication schemes
- A server may return several challenges in one 401 response, each using a different scheme.
- The client should choose the most secure scheme it understands; the server should list the strongest first.
- Downgrade risk: an active man-in-the-middle can add a weak scheme (such as Basic) to the set of choices, or strip the strong one, so that a client willing to accept any offered scheme sends its password in a recoverable form. A client that always selects the strongest scheme it supports, and refuses to fall back to Basic over an unprotected transport, limits this attack.

12 RTSP Security Considerations (cont.)
Basic authentication. The user agent must authenticate itself with a user-ID and a password for each realm.
Client -> Server: unauthorized request for the URI
Server -> Client: 401 Unauthorized with WWW-Authenticate: Basic realm="…"
Client -> Server: Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==
The credential is just base64("user-ID:password"); the value above decodes to Aladdin:open sesame (the RFC's own example), so Basic gives no secrecy on an unencrypted link.

13 RTSP Security Considerations (cont.)
Wireshark capture (VLC client talking to a Darwin Streaming Server):

OPTIONS rtsp:// /video/sample_100kbit.mp4 RTSP/1.0
CSeq: 3
Authorization: Basic YWRtaW46YWRtaW4=
User-Agent: VLC media player (LIVE555 Streaming Media v )

RTSP/1.0 200 OK
Server: DSS/5.5.5 (Build/489.16; Platform/Linux; Release/Darwin; state/beta; )
Cseq: 3
Public: DESCRIBE, SETUP, TEARDOWN, PLAY, PAUSE, OPTIONS, ANNOUNCE, RECORD

DESCRIBE rtsp:// /video/sample_100kbit.mp4 RTSP/1.0
CSeq: 4
Accept: application/sdp
Authorization: Basic YWRtaW46YWRtaW4=
User-Agent: VLC media player (LIVE555 Streaming Media v )

Note that VLC sends the Basic credential unprompted on every request, and YWRtaW46YWRtaW4= is simply base64 for admin:admin, readable by anyone on the network path.

14 RTSP Security Considerations (cont.)
Digest authentication follows a challenge-response paradigm:
1. Client -> Server: request for an access-protected object (no Authorization header)
2. Server -> Client: 401 Unauthorized response carrying a WWW-Authenticate: Digest challenge
3. Client -> Server: the request retried with an Authorization header computed from the challenge

15 RTSP Security Considerations (cont.)
Digest authentication. The Digest scheme challenges the client with a nonce value. A valid response contains a checksum (by default MD5) over the username, the password, the server's nonce, the request method and the requested URI, so the password itself never crosses the wire and each response is bound to one method and URI.

16 RTSP Security Considerations (cont.)
Wireshark capture (QuickTime client talking to a Darwin Streaming Server):

DESCRIBE rtsp:// /streaming_media/sample_100kbit.mp4 RTSP/1.0
CSeq: 1
Accept: application/sdp
Bandwidth:
Accept-Language: en-US
User-Agent: QuickTime/7.4.1 (qtver=7.4.1;os=Windows NT 5.1Service Pack 2)

RTSP/1.0 401 Unauthorized
Server: DSS/5.5.5 (Build/489.16; Platform/Linux; Release/Darwin; state/beta; )
Cseq: 1
WWW-Authenticate: Digest realm="Streaming Server", nonce="e e259b7e69f7642cb5ea498"

DESCRIBE rtsp:// /streaming_media/sample_100kbit.mp4 RTSP/1.0
CSeq: 2
Accept: application/sdp
Bandwidth:
Accept-Language: en-US
User-Agent: QuickTime/7.4.1 (qtver=7.4.1;os=Windows NT 5.1Service Pack 2)
Authorization: Digest username="admin", realm="Streaming Server", nonce="e e259b7e69f7642cb5ea498", uri="/streaming_media/sample_100kbit.mp4", response="e68bd443e12e95e91f06225f3dfefe93"
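The following Python is an added worked example, not code from the presentation or from the servers and clients in the captures. It shows the mechanics behind slides 11 to 16: decoding a Basic credential, picking the strongest offered scheme so an injected weak challenge is ignored, computing and verifying an RFC 2069-style Digest response (the no-qop form seen in the capture above) with one-time nonces, and the offline dictionary attack that a sniffed Digest exchange permits. The nonce, the password store and the wordlist are constructed for the example; the nonce in the slide's capture lost characters in transcription, so a made-up one is used instead.

```python
import base64
import hashlib
import hmac

SCHEME_STRENGTH = {"digest": 2, "basic": 1}   # higher is stronger; unknown schemes are skipped


def encode_basic(username, password):
    """Value of an 'Authorization: Basic ...' header."""
    return "Basic " + base64.b64encode(f"{username}:{password}".encode()).decode()


def decode_basic(header_value):
    """Recover (user-ID, password): base64 is encoding, not encryption."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    user, _, password = base64.b64decode(token).decode().partition(":")
    return user, password


def choose_scheme(challenges, allow_basic=False):
    """Pick the strongest WWW-Authenticate challenge we understand (slide 11).
    Basic is refused unless the caller has a protected transport, so a man-in-the-middle
    who adds a 'Basic' challenge cannot downgrade us."""
    best = None
    for challenge in challenges:
        scheme = challenge.split(" ", 1)[0].lower()
        if scheme not in SCHEME_STRENGTH or (scheme == "basic" and not allow_basic):
            continue
        if best is None or SCHEME_STRENGTH[scheme] > SCHEME_STRENGTH[best[0]]:
            best = (scheme, challenge)
    return best[1] if best else None


def _md5(text):
    return hashlib.md5(text.encode()).hexdigest()


def digest_response(username, realm, password, nonce, method, uri):
    """RFC 2069 Digest response (no qop), as in the slide 16 capture:
    MD5( MD5(username:realm:password) ":" nonce ":" MD5(method:uri) )"""
    ha1 = _md5(f"{username}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{ha2}")


def build_digest_header(username, realm, nonce, uri, response):
    return (f'Digest username="{username}", realm="{realm}", nonce="{nonce}", '
            f'uri="{uri}", response="{response}"')


def parse_digest(header_value):
    """Parse 'Digest k="v", k2="v2", ...' into a dict."""
    scheme, _, params = header_value.strip().partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest credential")
    out = {}
    for part in params.split(","):
        key, _, value = part.strip().partition("=")
        out[key.strip()] = value.strip().strip('"')
    return out


def verify_digest(header_value, method, credentials, issued_nonces):
    """Server side. credentials: username -> password (constructed store).
    issued_nonces: set of nonces we handed out and have not yet seen used.
    The nonce must be ours, the user known, and the response must match what we
    compute for this method and URI; a nonce is consumed on success so the same
    captured request cannot simply be replayed."""
    params = parse_digest(header_value)
    nonce = params.get("nonce")
    if nonce not in issued_nonces:
        return False
    password = credentials.get(params.get("username"))
    if password is None:
        return False
    expected = digest_response(params["username"], params["realm"], password,
                               nonce, method, params["uri"])
    if not hmac.compare_digest(expected, params.get("response", "")):
        return False
    issued_nonces.discard(nonce)
    return True


def guess_digest_password(header_value, method, wordlist):
    """Offline dictionary attack on a sniffed exchange: everything except the password
    (username, realm, nonce, method, URI, response) is in the capture, so candidates can
    be tested at MD5 speed without touching the server. Digest hides the password; it
    does not make a weak password safe."""
    params = parse_digest(header_value)
    for candidate in wordlist:
        if digest_response(params["username"], params["realm"], candidate,
                           params["nonce"], method, params["uri"]) == params["response"]:
            return candidate
    return None


if __name__ == "__main__":
    nonce = "5e259b7e69f7642cb5ea498a"              # constructed, not the captured value
    uri = "/streaming_media/sample_100kbit.mp4"
    print(decode_basic("Basic YWRtaW46YWRtaW4="))   # ('admin', 'admin')
    response = digest_response("admin", "Streaming Server", "admin", nonce, "DESCRIBE", uri)
    header = build_digest_header("admin", "Streaming Server", nonce, uri, response)
    print(verify_digest(header, "DESCRIBE", {"admin": "admin"}, {nonce}))           # True
    print(guess_digest_password(header, "DESCRIBE", ["password", "123456", "admin"]))  # admin
```

The verifier rejects a reused nonce and a response computed for a different method, which is what binds a Digest credential to one request; the dictionary function is the reason Digest alone is not enough for accounts like admin:admin.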

17 RTSP Security Considerations (cont.)
Concentrated denial-of-service attack. RTSP lets the client say where the media should be delivered (the destination parameter of the Transport header in a SETUP request), so an attacker can point media flows from one or more servers at a third party's IP address and use the servers as amplifiers; the attacker's own address may be visible, but that does not stop the flood. Separately, every SETUP allocates server state, so a burst of such requests exhausts the server and legitimate requests are refused. RFC 2326 therefore says a server SHOULD only honour a client-specified destination once it has verified the client's identity (preferably with Digest authentication or stronger), and in practice a server should also bound the number of sessions one client may hold.
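An added example (not from the presentation) of the SETUP check a server needs against the attack described above: the Transport header is parsed, a destination that differs from the request's source address is only accepted from an authenticated client, and a per-client session cap (an assumed policy value, not something RFC 2326 specifies) limits resource exhaustion. The addresses and transport strings are constructed.

```python
import ipaddress
from collections import defaultdict

# Assumed policy value for this example; RFC 2326 gives no number.
MAX_SESSIONS_PER_CLIENT = 4


def parse_transport(header_value):
    """Split 'RTP/AVP;unicast;client_port=4588-4589;destination=192.0.2.7' into
    (transport spec, {param: value}); parameters without '=' map to True."""
    fields = [f.strip() for f in header_value.split(";") if f.strip()]
    spec, params = fields[0], {}
    for field in fields[1:]:
        key, sep, value = field.partition("=")
        params[key] = value if sep else True
    return spec, params


class SetupGuard:
    """Decides whether a SETUP may be honoured: a client-specified destination needs a
    verified identity (RFC 2326 security considerations), and each source address may
    hold at most max_sessions live sessions (an added safeguard)."""

    def __init__(self, max_sessions=MAX_SESSIONS_PER_CLIENT):
        self.max_sessions = max_sessions
        self.live = defaultdict(int)   # source IP -> sessions currently allocated

    def allow_setup(self, transport_header, source_ip, authenticated):
        """Return (allowed, reason). source_ip is where the RTSP request came from;
        authenticated is whether Digest (or stronger) authentication succeeded."""
        _, params = parse_transport(transport_header)
        dest = params.get("destination")
        if dest is not None:
            if dest is True:
                return False, "destination parameter has no value"
            try:
                dest_addr = ipaddress.ip_address(dest)
            except ValueError:
                return False, "destination is not an IP address"
            # Media would be sent somewhere other than the requester: that is the
            # reflection primitive, so require a verified identity first.
            if dest_addr != ipaddress.ip_address(source_ip) and not authenticated:
                return False, "destination differs from request source; authenticate first"
        if self.live[source_ip] >= self.max_sessions:
            return False, "too many sessions for this client"
        self.live[source_ip] += 1
        return True, "ok"

    def release(self, source_ip):
        """Call on TEARDOWN (or session timeout) to give the slot back."""
        if self.live[source_ip] > 0:
            self.live[source_ip] -= 1


if __name__ == "__main__":
    guard = SetupGuard()
    print(guard.allow_setup("RTP/AVP;unicast;client_port=4588-4589", "192.0.2.10", False))
    print(guard.allow_setup("RTP/AVP;unicast;destination=198.51.100.7;client_port=4588-4589",
                            "192.0.2.10", False))
```

Multicast destinations are covered by the same rule, since any destination other than the requester is a client-chosen target; a deployment that intentionally serves multicast groups would whitelist them here rather than relax the check.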

18 RTSP Security Considerations (cont.)
Session hijacking. Unlike HTTP, RTSP is stateful: the server identifies each session by the Session ID it returns in the SETUP response, and the client echoes that ID on every later PLAY, PAUSE and TEARDOWN. Because the ID is carried in cleartext, anyone who can sniff the exchange can reuse it to control or tear down the victim's session. RFC 2326 requires session identifiers to be chosen randomly and to be at least eight octets long so they cannot be guessed, but randomness does not help against an eavesdropper; only a confidential transport does.
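An added example, not from the presentation, tying together the state transitions of slide 6, the message exchange of slide 8 and the hijacking point above: a minimal RTSP server state machine that parses raw requests, issues random 8-octet session IDs as RFC 2326 requires, and refuses methods that are invalid in the current state. The URL and request texts are constructed. Deliberately, the handler never looks at who sent a request; that is the protocol as specified, and it is exactly why a sniffed Session ID can be replayed from any host.

```python
import secrets

REASONS = {200: "OK", 454: "Session Not Found", 455: "Method Not Valid in This State"}


class RtspSessionServer:
    """Init --SETUP--> Ready --PLAY--> Playing --PAUSE--> Ready; TEARDOWN returns to Init.
    Sessions are keyed by the ID returned in the SETUP response."""

    def __init__(self):
        self.sessions = {}   # session id -> {"state": "ready" | "playing", "uri": ...}

    @staticmethod
    def new_session_id():
        # RFC 2326 3.4: session identifiers MUST be chosen randomly and be at least
        # eight octets long. Eight random bytes, hex encoded.
        return secrets.token_hex(8)

    @staticmethod
    def parse_request(raw):
        request_line, _, rest = raw.partition("\r\n")
        method, uri, _version = request_line.split(" ", 2)
        headers = {}
        for line in rest.split("\r\n"):
            if not line:
                break                      # blank line ends the header block
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        return method, uri, headers

    @staticmethod
    def reply(status, cseq, session_id=None, extra=None):
        lines = [f"RTSP/1.0 {status} {REASONS[status]}", f"CSeq: {cseq}"]
        if session_id:
            lines.append(f"Session: {session_id}")
        if extra:
            lines.append(extra)
        return "\r\n".join(lines) + "\r\n\r\n"

    def handle(self, raw):
        """Process one request and return the response text. No source address is
        consulted and no session is bound to the client that created it."""
        method, uri, headers = self.parse_request(raw)
        cseq = headers.get("cseq", "0")
        if method == "SETUP":
            sid = self.new_session_id()
            self.sessions[sid] = {"state": "ready", "uri": uri}
            return self.reply(200, cseq, sid, "Transport: " + headers.get("transport", ""))
        # Clients echo the bare ID; drop any ';timeout=...' a sloppy client copies back.
        sid = headers.get("session", "").split(";")[0].strip()
        sess = self.sessions.get(sid)
        if sess is None:
            return self.reply(454, cseq)
        if method == "PLAY" and sess["state"] in ("ready", "playing"):
            sess["state"] = "playing"
        elif method == "PAUSE" and sess["state"] == "playing":
            sess["state"] = "ready"
        elif method == "TEARDOWN":
            del self.sessions[sid]         # frees the server-side resources
            return self.reply(200, cseq)
        else:
            return self.reply(455, cseq, sid)
        return self.reply(200, cseq, sid)

    def state_of(self, session_id):
        sess = self.sessions.get(session_id)
        return sess["state"] if sess else None


def session_id_from(response):
    """Pull the Session ID out of a response, as a client (or a sniffer) would."""
    for line in response.split("\r\n"):
        if line.lower().startswith("session:"):
            return line.split(":", 1)[1].split(";")[0].strip()
    return None


if __name__ == "__main__":
    server = RtspSessionServer()
    url = "rtsp://media.example/video/sample_100kbit.mp4"      # constructed URL
    setup = server.handle(f"SETUP {url} RTSP/1.0\r\nCSeq: 1\r\n"
                          "Transport: RTP/AVP;unicast;client_port=4588-4589\r\n\r\n")
    sid = session_id_from(setup)
    print(setup)
    print(server.handle(f"PLAY {url} RTSP/1.0\r\nCSeq: 2\r\nSession: {sid}\r\n\r\n"))
    # Anyone who captured sid on the wire can send this from any host:
    print(server.handle(f"TEARDOWN {url} RTSP/1.0\r\nCSeq: 3\r\nSession: {sid}\r\n\r\n"))
```

The 454 and 455 status codes are RTSP's own (Session Not Found, Method Not Valid in This State); a guessed ID fails with 454 because the identifier space is 64 random bits, but a sniffed one succeeds on the first try.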

19 RTSP Security Considerations (cont.)
Abuse of server log information. A streaming server can log which users requested which media, which reveals their subjects of interest. This information is confidential, so the logs must be protected like any other sensitive data: restrict who can read them, limit how long they are kept, and make sure an attacker who reaches the server cannot simply collect them.

20 RTSP Security Considerations (cont.)
Transfer of sensitive information. The protocol has no method of determining the sensitivity of any particular piece of information within the context of a given request, so applications SHOULD give the provider of that information as much control as possible over whether it is sent. The captures above show what leaks by default: the Server header reveals the exact server software and build (DSS/5.5.5, Build/489.16) and the User-Agent header reveals the client and its operating system version, both of which help an attacker choose known weaknesses to try.

21 References
- RFC 2326, Real Time Streaming Protocol (RTSP), IETF, April 1998
- RFC 2068, Hypertext Transfer Protocol - HTTP/1.1, IETF, January 1997
- RFC 2069, An Extension to HTTP: Digest Access Authentication, IETF, January 1997
- The VideoLAN forums

22 Thank You !

