TechNote (Archived)

How to protect video content (Flash Media Server)

Solution

Stream capture software providers are trying many ways to capture and archive video delivered to Adobe® Flash® Today, few of these "rippers" support RTMP (Real-Time Messaging Protocol)--the protocol used by Adobe® Flash® Media Server. To help prevent the ripping of video streamed through Flash, Adobe created the RTMPE protocol -- a real-time encryption solution -- and SWF Verification. These new technologies were introduced in Flash Media Server 3.0 and Adobe Flash® Player 9.0.115. Today, over 86% of internet-connected computers have adopted this Flash Player version, and all Content Delivery Networks (CDN) support Flash Media Server 3.

RTMPE and RTMPTE (the tunneled version) can be combined with SWF Verification to help provide additional content protection. This document will discuss those methods in more detail.

There are two ways to help prevent this activity:

Enable SWF Verification and use RTMPE-only connections.
Encrypt video assets with Adobe® Flash® Media Rights Management Server (limited to Adobe® AIR® solutions).

Enabling SWF Verification

Flash Media Server can verify SWF files running in Flash Player or AIR files running in Adobe AIR after the client connects to an application. Flash Media Server disconnects any Flash player or AIR application sending invalid bytes. This verification ensures that only your SWF or AIR files can connect to your application or content on Flash Media Server. SWF verification requires at minimum Flash Media Server 3.0 and Flash Player 9.0.115 or AIR 1.0. See the LiveDocs for more specific information on SWF verification.

For optimal security, enable the SWF Verification functionality and ensure the <FinalHashTimeout> tag is configured. The <FinalHashTimeout> specifies the maximum time (in seconds) the server is willing to wait to receive the last SWF Verification byte. Flash Media Server disconnects the client if it does not receive all the SWF Verification bytes within this timeout.

Configure SWF Verification for applications:

Create a backup of the %FMS_Install%/conf/_defaultRoot_/_defaultVHost_/Application.xml file.
Open the Application.xml and locate the <SWFVerification> tag.
Set the "enabled" attribute on the <SWFVerification> tag to "true".
Specify the location of the folder containing the verification SWFs in the <SWFFolder>.

Note: If <SWFFolder> is empty or missing, FMS will look for the SWFs in application_directory\SWFs.
Add the <FinalHashTimeout> tag within <SWFVerification> tags.

Note: This will force the replay software to become disconnected after this amount of time.
Set a default value of 20 seconds.

Note: You have to consider your target audience when setting the appropriate timeout value. Setting the value too low can adversely affect low bandwidth connections (e.g. modem users) because the longer it takes to download the swf, the greater the possibility of FMS reaching the timeout and prematurely disconnecting the client. However, setting a longer timeout means potentially allowing rippers to rip more content.
```
 <Application>
  <SWFVerification enabled="true">
   <SWFFolder></SWFFolder>
    <FinalHashTimeout>20</FinalHashTimeout>
   </SWFVerification>
 </Application>
```

Adobe released a Flash Media Server Developer Center article that contains several alternate solutions for protecting content against replay attacks and other forms of theft.

Use RTMPE-only connections

You can use one of the following methods to disable any non-RTMPE connections.

Use DisallowedProtocols tag
Use customized Server-Side ActionScript (SSAS).*
Use Access and/or Authorization Plug-ins.*

*These solutions are only applicable for Flash Media Interactive Server (FMIS) edition.

DisallowedProtocols tag

Flash Media Server 3.0.3 and 3.5.1 introduced the Application.xml <DisallowedProtocols> tag to allow administrators to restrict application access by connection protocols. This tag accepts a comma delimited list of protocols to reject connection attempts. Any protocols not listed are allowed. Adobe recommends specifying rtmp and rtmps to allow only client connections over rtmpe:

<DisallowedProtocols>rtmp, rtmps</DisallowedProtocols>

Note: The comma delimited list is not case sensitive. Specifying rtmp prevents connections over rtmp and rtmpt. Specifying rtmpe prevents connections over rtmpe and rtmpte. You can specify rtmpt and rtmpte separately.

Custom Server-Side ActionScript

To deploy this solution on Flash Media Interactive Server, your application requires custom Server-Side ActionScript (for example, main.asc). It's recommended that only experienced developers deploy and test this solution.

Add the following within the application.onConnect handler
```
 application.onConnect = function(clientObj) {
 //only allow rtmpe and rtmpte connections
   if(clientObj.protocol == "rtmpe" || clientObj.protocol == "rtmpte"){
     return true;
   }
  return false
 } 
```
Note: Adobe does not recommend using the URI to perform protocol checking because it can be spoofed. The best practice is to use the Server-Side ActionScript properties provided by Flash Media Server.
Save the Server-Side ActionScript and restart Flash Media Server.

Sample Access and Authorization Plug-ins

The adaptors.zip file contains sample C code for Access and Authorization adaptor. Adobe recommends experienced developers integrate this code with existing plug-in code for their Flash Media Interactive Servers. Consult the LiveDocs for more information on using plug-ins with Flash Media Server.

Encrypting video assets with Flash Media Rights Management Server

Flash Media Rights Management Server is a stand-alone server which allows content owners to protect media content delivered to Adobe Media Player and Adobe AIR applications. Consult the LiveDocs for more information on encrypting video assets and the DRM (digital rights management) capabilities of Flash Media Rights Management Server.