Presented by:
HACKERS
Bhupinder Singh Narang
Farhad Doneshwar
Ishita James
Jasleen Pandher
Manjot Kaur
Shubha Gururaja Rao
Department of Computer Science & Engineering
San Jose State University
An Analysis of RTSP network security
CMPE 209 Team Presentation
Introduction to RTSP
• Session control protocol
• Supports VCR-like operations
• Supports:
  - Media retrieval
  - Adding media to an existing session
• Acts as a network remote control
Introduction to RTSP (cont.)
• Protocol Properties
• RTSP message format
• RTSP message types:
  - Requests
  - Response
• IETF Standard – RFC 2326
RTSP State Transitions
• Setup: Start an RTSP session and resource allocation for a stream
• Play and Record: Start data transmission of the stream
• Pause: Temporarily halt a stream without freeing server resources
• Teardown: Free resources associated with stream and end of a session
RTSP Security Considerations
• Authentication Mechanism
• Choice of Authentication Schemes
• Basic Authentication
• Digest Authentication
• Abuse of Server Log Information
• Transfer of Sensitive Information
• Concentrated denial-of-service attack
• Session hijacking
Authentication Mechanism
Client MUST be able to do the following:
• recognize the 401 status code;
• parse and include the WWW-Authenticate header;
• implement Basic Authentication and Digest Authentication.
Choice of Authentication Schemes
• Server may return multiple challenges with a 401 (Authenticate) response, and each challenge may use a scheme
• The "most secure" authentication scheme choice comes first from the server
• A possible man-in-the-middle (MITM) attack would be to add a weak authentication scheme to the set of choices
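A client-side guard against the weak-scheme injection described above, as an added example that is not part of the original presentation: the client ranks the offered schemes itself instead of trusting their order, and refuses a best offer weaker than what it used before. The function names and the per-server `last_used` pin are hypothetical.

```python
# Added example: rank-based choice among several 401 challenges.
STRENGTH = {"basic": 1, "digest": 2}  # assumption: only these two are implemented


class DowngradeError(Exception):
    """The server (or someone in the path) offered less than it did before."""


def offered_schemes(www_authenticate_values):
    """Scheme names from WWW-Authenticate values, one challenge per header line."""
    schemes = []
    for value in www_authenticate_values:
        scheme = value.strip().partition(" ")[0].lower()
        if scheme in STRENGTH:          # ignore schemes the client cannot do
            schemes.append(scheme)
    return schemes


def choose_scheme(www_authenticate_values, last_used=None):
    """Pick the strongest offered scheme, whatever order the challenges arrive in.

    last_used is the scheme this client used with this server before (a
    hypothetical per-server pin); a weaker best offer is refused.
    """
    schemes = offered_schemes(www_authenticate_values)
    if not schemes:
        raise ValueError("no supported authentication scheme offered")
    best = max(schemes, key=STRENGTH.get)
    if last_used is not None and STRENGTH[best] < STRENGTH[last_used]:
        raise DowngradeError(f"server offered {best}, previously used {last_used}")
    return best


# Constructed challenge sets; realm and nonce are the ones in the page's capture.
DIGEST = 'Digest realm="Streaming Server", nonce="e539951941e259b7e69f7642cb5ea498"'
BASIC = 'Basic realm="Streaming Server"'

if __name__ == "__main__":
    print(choose_scheme([BASIC, DIGEST]))             # weak scheme injected first
    try:
        choose_scheme([BASIC], last_used="digest")    # Digest challenge stripped
    except DowngradeError as exc:
        print("refused:", exc)
```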
Basic Authentication
• User agent must authenticate itself with a user-ID and a password for each realm
[Figure: Basic Authentication exchange between Client and Server]
Client → Server: Unauthorized request for URI
Server → Client: WWW-Authenticate: Basic realm=" "
Client → Server: Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==
Wireshark Capture

OPTIONS rtsp://127.0.0.1/video/sample_100kbit.mp4 RTSP/1.0
CSeq: 3
Authorization: Basic YWRtaW46YWRtaW4=
User-Agent: VLC media player (LIVE555 Streaming Media v2008.02.08)

RTSP/1.0 200 OK
Server: DSS/5.5.5 (Build/489.16; Platform/Linux; Release/Darwin; state/beta; )
Cseq: 3
Public: DESCRIBE, SETUP, TEARDOWN, PLAY, PAUSE, OPTIONS, ANNOUNCE, RECORD

DESCRIBE rtsp://127.0.0.1/video/sample_100kbit.mp4 RTSP/1.0
CSeq: 4
Accept: application/sdp
Authorization: Basic YWRtaW46YWRtaW4=
User-Agent: VLC media player (LIVE555 Streaming Media v2008.02.08)
Digest Authentication
• Challenge-Response paradigm
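[Figure: Digest Authentication exchange between Client and Server]
Client → Server: Request for access-protected object (No Auth header)
Server → Client: "401 Unauthorized" response (with www-Auth header)
Client → Server: Retry request, passing an authentication header line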
Digest Authentication
• The Digest scheme challenges using a nonce value.
• A valid response contains a checksum (by default the MD5 checksum) of the username, the password, the given nonce value, the HTTP method, and the requested URI.
DESCRIBE rtsp://192.168.102.58/streaming_media/sample_100kbit.mp4 RTSP/1.0
CSeq: 1
Accept: application/sdp
Bandwidth: 384000
Accept-Language: en-US
User-Agent: QuickTime/7.4.1 (qtver=7.4.1;os=Windows NT 5.1Service Pack 2)

RTSP/1.0 401 Unauthorized
Server: DSS/5.5.5 (Build/489.16; Platform/Linux; Release/Darwin; state/beta; )
Cseq: 1
WWW-Authenticate: Digest realm="Streaming Server", nonce="e539951941e259b7e69f7642cb5ea498"

DESCRIBE rtsp://192.168.102.58/streaming_media/sample_100kbit.mp4 RTSP/1.0
CSeq: 2
Accept: application/sdp
Bandwidth: 384000
Accept-Language: en-US
User-Agent: QuickTime/7.4.1 (qtver=7.4.1;os=Windows NT 5.1Service Pack 2)
Authorization: Digest username="admin", realm="Streaming Server", nonce="e539951941e259b7e69f7642cb5ea498", uri="/streaming_media/sample_100kbit.mp4", response="e68bd443e12e95e91f06225f3dfefe93"
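How a server can check the `response` field in an exchange like the one captured above, as an added example that is not part of the original presentation or of any server's code. It assumes the RFC 2069 form without `qop` (the capture carries none) and uses the RTSP method in place of the HTTP method; the password and the `lookup_password` callback are constructed for the example, so the capture's own `response` value is not reproduced.

```python
import hashlib
import hmac
import re


def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def digest_response(username, realm, password, nonce, method, uri):
    """RFC 2069 form (no qop), as in the capture: MD5(HA1:nonce:HA2)."""
    ha1 = md5_hex(f"{username}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")


def parse_digest(header_value):
    """Split 'Digest k="v", ...' into a dict; raises on any other scheme."""
    scheme, _, params = header_value.strip().partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest Authorization header")
    return dict(re.findall(r'(\w+)="([^"]*)"', params))


def verify(header_value, method, issued_nonce, lookup_password):
    """Server-side check of one request; lookup_password is a hypothetical
    callback returning the stored password for a user, or None."""
    f = parse_digest(header_value)
    if not all(k in f for k in ("username", "realm", "nonce", "uri", "response")):
        return False
    if f["nonce"] != issued_nonce:        # stale or foreign nonce: replayed header
        return False
    password = lookup_password(f["username"])
    if password is None:
        return False
    expected = digest_response(f["username"], f["realm"], password,
                               f["nonce"], method, f["uri"])
    return hmac.compare_digest(expected.encode(), f["response"].lower().encode())


# Fields from the capture above; the password is constructed for this example.
NONCE = "e539951941e259b7e69f7642cb5ea498"
URI = "/streaming_media/sample_100kbit.mp4"
USERS = {"admin": "constructed-password"}
SAMPLE = ('Digest username="admin", realm="Streaming Server", '
          f'nonce="{NONCE}", uri="{URI}", response="' +
          digest_response("admin", "Streaming Server", USERS["admin"],
                          NONCE, "DESCRIBE", URI) + '"')
```

Because the method and URI are hashed into the response, a header captured for one DESCRIBE does not verify for a different method or resource, and the nonce comparison rejects it once the server has moved on to a new nonce.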
Denial Of Service Attack:
• An attacker can initiate traffic to one or more IP addresses by specifying them as the destination in the SETUP request.
• If such requests exceed a certain number, legitimate requests will be denied, leading to a denial-of-service attack.
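A server-side admission check for the SETUP abuse described above, as an added example that is not part of the original presentation: it refuses any `destination=` in the Transport header that is not the requester's own address and caps streams per peer. The class name, return strings and cap value are assumptions; the addresses in the test data are constructed documentation addresses.

```python
import ipaddress
from collections import Counter


def destinations(transport_header):
    """Every destination= value across the comma-separated transport specs."""
    found = []
    for spec in transport_header.split(","):
        for param in spec.split(";"):
            name, _, value = param.strip().partition("=")
            if name.lower() == "destination" and value:
                found.append(value)
    return found


def destination_is_requester(transport_header, peer_ip):
    """True when the stream can only be sent back to the address that asked."""
    peer = ipaddress.ip_address(peer_ip)
    for dest in destinations(transport_header):
        try:
            if ipaddress.ip_address(dest) != peer:
                return False
        except ValueError:        # host name or malformed value: cannot be checked
            return False
    return True


class SetupGuard:
    """Admit SETUP only for the requester's own address, with a per-peer cap."""

    def __init__(self, max_streams_per_peer=4):   # cap value is an assumption
        self.max_streams = max_streams_per_peer
        self.streams = Counter()

    def admit(self, transport_header, peer_ip):
        if not destination_is_requester(transport_header, peer_ip):
            return "reject-destination"
        if self.streams[peer_ip] >= self.max_streams:
            return "reject-quota"
        self.streams[peer_ip] += 1
        return "ok"

    def teardown(self, peer_ip):
        if self.streams[peer_ip] > 0:
            self.streams[peer_ip] -= 1
```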
Session Hijacking:
• An RTSP server, unlike an HTTP server, is stateful.
• It uses session IDs to keep track of its sessions.
• As session IDs can be sniffed, an attacker can use a session ID to steal a session.
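One mitigation for the reuse of a sniffed session ID, as an added example that is not part of the original presentation: the server binds each session ID to the address that created it and records any request that presents the ID from elsewhere. The class and method names are hypothetical.

```python
import secrets


class SessionTable:
    """Session IDs bound to the peer address that created them."""

    def __init__(self):
        self.owner = {}       # session id -> peer address seen at SETUP
        self.alerts = []      # (session id, owner, offending peer)

    def create(self, peer_ip):
        # 16 random bytes (32 hex characters), far beyond guessing range
        session_id = secrets.token_hex(16)
        self.owner[session_id] = peer_ip
        return session_id

    def authorize(self, session_id, peer_ip):
        """Allow PLAY/PAUSE/TEARDOWN only from the address that ran SETUP."""
        owner = self.owner.get(session_id)
        if owner is None:
            return False
        if owner != peer_ip:
            self.alerts.append((session_id, owner, peer_ip))
            return False
        return True

    def teardown(self, session_id, peer_ip):
        if self.authorize(session_id, peer_ip):
            del self.owner[session_id]
            return True
        return False
```

Address binding limits reuse of a sniffed ID from another host; it does not stop the ID being read on the wire.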
Abuse of Server Log Information:
• Servers are capable of storing logs of user information, such as users' subjects of interest.
• This information is clearly confidential.
• Hence care must be taken that this information is not available to an attacker.
Transfer Of Sensitive Information:
• No method of determining the sensitivity of any particular piece of information within the context of any given request
• Applications SHOULD supply as much control over this information as possible to the provider of that information
References
• IETF Standard – RFC 2326, Real Time Streaming Protocol, April 1998
• IETF Standard – RFC 2068, Hypertext Transfer Protocol - HTTP/1.1, January 1997
• IETF Standard – RFC 2069, An Extension to HTTP: Digest Access Authentication, January 1997
• The VideoLAN forums at http://forum.videolan.org/viewtopic.php?f=13&t=44780&start=0&st=0&sk=t&sd=a