You have a streaming project for a limited audience, or you just want to secure your own streams, and you have some concerns about who can reach them. As an alternative to the one-time tokens already available in Ant Media Server, version 1.6.2 adds a hash-based token security control option.

Secure Streaming with Hash Based Tokens

In this post, we explain step by step how to enable and use hash-based tokens.

Enable Hash Settings and Define Secret Key

First, enable hash-based secure streaming in the settings file of the application (webapps/{APP_DIRECTORY}/WEB-INF/red5.properties).

settings.hashControlPublishEnabled=false
settings.hashControlPlayEnabled=false
tokenHashSecret=

Set settings.hashControlPublishEnabled to true to enable secret-based hash control for publishing operations, and settings.hashControlPlayEnabled to true for playing operations.

Also, do not forget to define a secret key for generating the hash value. As a result, the settings file of the application includes the settings below.

settings.hashControlPublishEnabled=true
settings.hashControlPlayEnabled=true
# Any secret value; you may use https://randomkeygen.com/ (a comment must be on its own line in a .properties file)
tokenHashSecret=I7KGMudkyV

Publishing with Secret Based Tokens

1. Generate a Hash

First, generate a hash value using the formula sha256(STREAM_ID + ROLE + SECRET) for your application and send it to your clients. You can generate a SHA-256 hash programmatically in any programming language. The values used for hash generation are:

STREAM_ID: The ID of the stream, generated in Ant Media Server.
ROLE: For this case it should be “publish”
SECRET: Shared secret key (should be defined in the setting file)

2. Publishing with Hash

The client sends the generated hash value to Ant Media Server. The server then checks the validity of the hash during publishing.

  • RTMP Publishing: Add the hash as a token parameter to the RTMP URL before publishing. For example:
rtmp://[IP_Address]/<Application_Name>/<Stream_Id>?token=hash
  • WebRTC Publishing: Insert the hash parameter into the publish WebSocket message. For example:
{
"command" : "publish",
"streamId" : "{STREAM ID}",
"token" : "{hash output of SHA256 as described above}"
}

For details about WebRTC WebSocket messaging, please visit the wiki page.

Playing with Secret Based Tokens

1. Generate a Hash

Again, generate a hash value using the formula sha256(STREAM_ID + ROLE + SECRET) for your application and send it to your clients. As before, you can generate a SHA-256 hash programmatically in any programming language. The values used for hash generation are:

STREAM_ID: The ID of the stream, generated in Ant Media Server.

ROLE: For this case it should be “play”

SECRET: Shared secret key (should be defined in the setting file)

2. Playing with Hash
  • Live Stream/VoD Playing: As with publishing, the URL should include the hash parameter. For example:
http://[IP_Address_or_FQDN]/<Application_Name>/streams/<Stream_Id>?token=hash
  • WebRTC Playing: Again, insert the hash parameter into the play WebSocket message. For example:
{
"command" : "play",
"streamId" : "{STREAM ID}",
"token" : "{hash output of SHA256 as described above}"
}

Please have a look at the principles described in the wiki page.

How Ant Media Server validates the Hash-based Token 

If hash control is enabled as described above, Ant Media Server first generates a hash value with the formula sha256(STREAM_ID + ROLE + SECRET), using the streamId and role parameters and the hash secret string defined in the settings file. It then compares this generated hash value with the client's hash value during authorization.

Once the hash is successfully validated by Ant Media Server, the client is granted permission to either publish or play, according to the application settings.
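
The hash generation steps and the validation described above can be exercised end to end with the following added example, which is not Ant Media Server's own code. It assumes UTF-8 input and lowercase hex output for the hash; the function names, host, application name and secret are hypothetical, constructed values.

```python
import hashlib
import hmac
import json

ROLES = ("publish", "play")  # the two ROLE values the post defines


def make_token(stream_id: str, role: str, secret: str) -> str:
    """sha256(STREAM_ID + ROLE + SECRET); UTF-8 input and hex output are assumptions."""
    if role not in ROLES:
        raise ValueError(f"unknown role: {role!r}")
    if not secret:
        raise ValueError("tokenHashSecret must not be empty")
    return hashlib.sha256((stream_id + role + secret).encode("utf-8")).hexdigest()


def validate_token(stream_id: str, role: str, secret: str, presented) -> bool:
    """Recompute the hash for the requested stream and role, then compare."""
    try:
        expected = make_token(stream_id, role, secret)
    except ValueError:
        return False
    # Constant-time comparison is this example's choice, not a documented server detail.
    return hmac.compare_digest(expected.encode(), str(presented).encode())


def rtmp_publish_url(host: str, app: str, stream_id: str, secret: str) -> str:
    token = make_token(stream_id, "publish", secret)
    return f"rtmp://{host}/{app}/{stream_id}?token={token}"


def webrtc_message(command: str, stream_id: str, secret: str) -> str:
    """JSON text for the publish/play WebSocket message shown in the post."""
    token = make_token(stream_id, command, secret)
    return json.dumps({"command": command, "streamId": stream_id, "token": token})


if __name__ == "__main__":
    secret = "constructed-demo-secret"  # constructed value; keep the real one on your backend
    publish = make_token("stream1", "publish", secret)
    print(rtmp_publish_url("203.0.113.10", "LiveApp", "stream1", secret))
    print(webrtc_message("play", "stream1", secret))
    # A publish token is only accepted for the same stream and the publish role.
    print(validate_token("stream1", "publish", secret, publish))  # True
    print(validate_token("stream1", "play", secret, publish))     # False
    print(validate_token("stream2", "publish", secret, publish))  # False
```

By the formula, a token is the same every time for a given stream, role and secret, so it stays valid until tokenHashSecret is changed.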

You can use one-time tokens or hash-based tokens for secure streaming.

Contact us if you have any questions or suggestions with the contact form or email contact [at] antmedia.io
