Department of Computer Science & Engineering San Jose State University An Analysis of RTSP network security CMPE 209 Team Presentation Presented by: HACKERS Bhupinder Singh Narang Farhad Doneshwar Ishita James Jasleen Pandher Manjot Kaur Shubha Gururaja Rao Department of Computer Science & Engineering San Jose State University

Agenda Streaming RTSP Security Considerations

Streaming What is Streaming..?? Different Streaming protocols

Introduction to RTSP Session control protocol Supports VCR-like operations Supports Media Retrieval Adding media to an existing session Acts as a network remote control

Introduction to RTSP (cont.) Protocol Properties RTSP message format RTSP message types: Requests Response IETF Standard – RFC 2326

RTSP State Transitions Setup Start an RTSP session and resource allocation for a stream Play and Record Start data transmission of the stream Pause Temporarily halt a stream without freeing server resources Teardown Free resources associated with stream and end of a session

Working of RTSP

RTSP Message Exchange

RTSP Security Considerations Authentication Mechanism Choice of Authentication Schemes Basic Authentication Digest Authentication Abuse of Server Log Information Transfer of Sensitive Information Concentrated denial-of-service attack Session hijacking

RTSP Security Considerations (cont.) Authentication Mechanism Client MUST be able to do the following: recognize the 401 status code; parse and include the WWW-Authenticate header; implement Basic Authentication and Digest Authentication.

RTSP Security Considerations (cont.) Choice of Authentication Schemes Server may return multiple challenges with a 401 (Authenticate) response, and each challenge may use a scheme "most secure" authentication scheme choice first from server possible man-in-the-middle (MITM) attack would be to add a weak authentication scheme to the set of choices

RTSP Security Considerations (cont.) Basic Authentication User agent must authenticate itself with a user-ID and a password for each realm Unauthorized request for URI Server Server Server Server Server Server Server Server Server Server Server Server WWW-Authenticate: Basic realm=“ " WWW-Authenticate: Basic realm=“ " Client Client Client Client Client Client Client Client Client Client Client Client Client Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==

RTSP Security Considerations (cont.) Wireshark Capture OPTIONS rtsp://127.0.0.1/video/sample_100kbit.mp4 RTSP/1.0 CSeq: 3 Authorization: Basic YWRtaW46YWRtaW4= User-Agent: VLC media player (LIVE555 Streaming Media v2008.02.08) RTSP/1.0 200 OK Server: DSS/5.5.5 (Build/489.16; Platform/Linux; Release/Darwin; state/beta; ) Cseq: 3 Public: DESCRIBE, SETUP, TEARDOWN, PLAY, PAUSE, OPTIONS, ANNOUNCE, RECORD DESCRIBE rtsp://127.0.0.1/video/sample_100kbit.mp4 RTSP/1.0 CSeq: 4 Accept: application/sdp Authorization: Basic YWRtaW46YWRtaW4= User-Agent: VLC media player (LIVE555 Streaming Media v2008.02.08)

RTSP Security Considerations (cont.) Digest Authentication Challenge-Response paradigm Request for access-protected object (No Auth header) Server “401 Unauthorized” response (with www-Auth header) Client Retry request, passing an authentication header line

RTSP Security Considerations (cont.) Digest Authentication The Digest scheme challenges using a nonce value. A valid response contains a checksum (by default the MD5 checksum) of the username, the password, the given nonce value, the HTTP method, and the requested URI.

RTSP Security Considerations (cont.) DESCRIBE rtsp://192.168.102.58/streaming_media/sample_100kbit.mp4 RTSP/1.0 CSeq: 1 Accept: application/sdp Bandwidth: 384000 Accept-Language: en-US User-Agent: QuickTime/7.4.1 (qtver=7.4.1;os=Windows NT 5.1Service Pack 2) RTSP/1.0 401 Unauthorized Server: DSS/5.5.5 (Build/489.16; Platform/Linux; Release/Darwin; state/beta; ) Cseq: 1 WWW-Authenticate: Digest realm="Streaming Server", nonce="e539951941e259b7e69f7642cb5ea498" DESCRIBE rtsp://192.168.102.58/streaming_media/sample_100kbit.mp4 RTSP/1.0 CSeq: 2 Accept: application/sdp Bandwidth: 384000 Accept-Language: en-US User-Agent: QuickTime/7.4.1 (qtver=7.4.1;os=Windows NT 5.1Service Pack 2) Authorization: Digest username="admin", realm="Streaming Server", nonce="e539951941e259b7e69f7642cb5ea498", uri="/streaming_media/sample_100kbit.mp4", response="e68bd443e12e95e91f06225f3dfefe93"

RTSP Security Considerations (cont.) Denial Of Service Attack: An attacker can initiate traffic to one or more IP addresses, by specifying them as destination in the setup request. If such multiple request exceed a certain number then legitimate request will be denied, leading to an denial of service attack.

RTSP Security Considerations (cont.) Sessions Hijacking: RTSP unlike HTTP is a statefull server. It uses Session Ids to keep track of its Sessions. As Session Ids can be sniffed, an attacker can use a Session Id to steal a session.

RTSP Security Considerations (cont.) Abuse of Server Log Information: The Servers are capable of storing logs of user Information, like their subjects of interest. This information is clearly confidential. Hence care must be taken that this information is not available to the attacker.

RTSP Security Considerations (cont.) Transfer Of Sensitive Information: No method of determining the sensitivity of any particular piece of information within the context of any given request Applications SHOULD supply as much control over this information as possible to the provider of that information

References IETF Standard – RFC 2326 Real Time Streaming Protocol, April 1998 IETF Standard – RFC 2068 Hypertext Transfer Protocol - HTTP/1.1, January 1997 IETF Standard – RFC 2069 An Extension to HTTP : Digest Access Authentication, January 1997 The VideoLAN forums at http://forum.videolan.org/viewtopic.php?f=13&t=44780&start=0&st=0&sk=t &sd=a

Thank You !