Hash generation using SecureToken version 2

Hi to all,

I just want to ask how to generate the securetoken hash on the https://www.wowza.com/docs/how-to-protect-streaming-using-securetoken-in-wowza-streaming-engine documentation (How to protect streaming using SecureToken in Wowza Streaming Engine) specifically the following:

“Important: The client web server should generate the hash when it generates the client webpage. You shouldn’t use JavaScript code in the client webpage to generate the hash as the code is visible in the webpage source and would pose a potential security risk.”

Can anyone provide a sample code on how to do this?

I would also like to ask how you arrived at the wowzatokenhash=m20I4XSU1Emt zHmz8PbbRsX5OcVi7Km-qI1J3acEV-c= in the RTSP example below.

From the string “vod/myInstance/sample.mp4?wowzatokenCustomParameter=abcdef&wowzatokenendtime=1500000000&xyzSharedSecret” , what operations are done to arrive at the wowzatokenhash=m20I4XSU1Emt zHmz8PbbRsX5OcVi7Km-qI1J3acEV-c= ?

RTSP example

This example is based on an RTSP VOD request where the application instance is specified in the URL. The default query parameter prefix (wowzatoken) is used, a custom public query parameter is included in the hash generation, and the SecureToken end time is specified. The client IP address isn’t included in the hash generation and the SecureToken start time isn’t specified (SecureToken playback security is enabled immediately).

Content URL: rtsp://192.168.1.1:1935/vod/sample.mp4

Content path: vod/myInstance/sample.mp4

Custom SecureToken public query parameter: wowzatokenCustomParameter=myValue

Token end time: wowzatokenendtime=1500000000

The parameters used to create the string used for hashing (not in alphabetical order):

wowzatokenendtime=1500000000

wowzatokenCustomParameter=abcdef

xyzSharedSecret

String used for hashing (in required alphabetical order):

vod/myInstance/sample.mp4?wowzatokenCustomParameter=abcdef&wowzatokenendtime=1500000000&xyzSharedSecret

RTSP URL sent to server:

rtsp://10.0.2.31:1935/vod/myInstance/sample.mp4?wowzatokenendtime=1500000000&wowzatokenCustomParameter=abcdef&wowzatokenhash=m20I4XSU1Emt zHmz8PbbRsX5OcVi7Km-qI1J3acEV-c=

Thanks a lot for the help.

Regulus

Hi,

You will also need to use the wowzatokenstarttime parameter when generating the hash string. This parameter is mandatory.

In your particular case, you should use the following string for generating the hash key:

vod/myInstance/sample.mp4?wowzatokenCustomParameter=abcdef&wowzatokenendtime=1500000000&wowzatokenstarttime=1412108004&xyzSharedSecret

Regards,

Zoran

The starttime and endtime parameters are optional.

Note that if no starttime is specified, the Streaming Engine will start as soon as the request is received. If no endtime is specified, then the token does not expire. For the majority of workflows, you will want to specify an endtime, otherwise your content is not protected by the SecureToken as you’d expect. However, there are customers who have a use case where they want a non-expiring endtime and so it is not a required field.

I will request an update to the Support article How to protect streaming using SecureToken in Wowza Streaming Engine. Thank you for the feedback.

-Lisa

Hey!

We got success HASH

Do not believe support. :'-((((((((

All parameters are mandatory

So we have Shared Secret:c7800e7e5afc8c0b

I take Zoran code and put there my string like this

{code}

$hashstr = hash('sha256', 'live/definst/test.stream?c7800e7e5afc8c0b&wowzatokenendtime=0&wowzatokenstarttime=0', true); # IMPORTANT to set third parameter equals to TRUE

$usableHash = strtr(base64_encode($hashstr), '+/', '-_');

echo $usableHash;

{code}

result was: cfGUWrQ-PONy6fhWSR9cyEtnXYpAQeJqrBsES_jzqJw=

You have to get result and put it to rtmp URL like this one:

rtmp://{skipped_IP}:1935/live/definst/test.stream?wowzatokenendtime=0&wowzatokenstarttime=0&wowzatokenhash=cfGUWrQ-PONy6fhWSR9cyEtnXYpAQeJqrBsES_jzqJw=

ATTENTION!!!

wowzatokenendtime=0&wowzatokenstarttime=0 They are not OPTIONAL

Since yesterday I was sticking to the support note instructions and couldn’t figure why the SecureToken wasn’t working properly.

I followed your instructions and managed to hash!

The support note How to protect streaming using SecureToken in Wowza Streaming Engine should be updated by the Wowza team…

Akavjik, thanks for your advice.

Dave,

You are correct. I take that back :slight_smile:

The starttime and endtime parameters are optional.

The input parameters for the hash calculation are not dependent on the type of streaming protocol you are using. Whether the protocol is RTMP, RTSP or HTTP based, the stream name, secret key and/or endtime, starttime are not changed.

Also, to generate the correct hash key to be used in the playback URL, don’t forget to Base64 encode the hash key resulting from the PHP code Dave mentioned:

$hashstr = hash('sha256', 'vod/_myInstance_/sample.mp4?wowzatokenCustomParameter=abcdef&wowzatokenendtime=1500000000&xyzSharedSecret', true);
$usableHash= strtr(base64_encode($hashstr), '+/', '-_');

Zoran
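The server-side generation asked about in this thread, as an added example; it is not Wowza's code or any poster's. It assumes the shared secret is sorted together with the prefixed parameters in plain byte order, as both hash strings quoted in the thread show; the function names and the 192.0.2.10 host are made up for illustration.

```php
<?php
// Added example (assumption: secret and parameters are sorted together, byte order).
// Build the string to hash: content path, '?', then the sorted items joined with '&'.
function securetoken_string(string $path, array $params, string $secret): string
{
    $items = [$secret];
    foreach ($params as $name => $value) {
        $items[] = $name . '=' . $value;
    }
    sort($items, SORT_STRING);
    return $path . '?' . implode('&', $items);
}

// Raw SHA-256 digest -> Base64 -> '+/' swapped for the URL-safe '-_'.
function securetoken_hash(string $toHash): string
{
    return strtr(base64_encode(hash('sha256', $toHash, true)), '+/', '-_');
}

// Playback URL: public parameters plus the hash. The secret is never emitted.
function securetoken_url(string $base, string $path, array $params,
                         string $secret, string $prefix = 'wowzatoken'): string
{
    $hash  = securetoken_hash(securetoken_string($path, $params, $secret));
    $query = [];
    foreach ($params as $name => $value) {
        $query[] = $name . '=' . $value;
    }
    $query[] = $prefix . 'hash=' . $hash;
    return $base . '/' . $path . '?' . implode('&', $query);
}

$secret = 'xyzSharedSecret';   // sample secret; keep it in server config, not page source
$path   = 'vod/myInstance/sample.mp4';
$params = [                    // deliberately not in alphabetical order
    'wowzatokenendtime'         => time() + 300,   // UNIX time, link valid 5 minutes
    'wowzatokenCustomParameter' => 'abcdef',
];

echo securetoken_string($path, $params, $secret), "\n";
echo securetoken_url('rtsp://192.0.2.10:1935', $path, $params, $secret), "\n";

// Editing a signed parameter in the URL changes the hash the server expects.
$edited = array_merge($params, ['wowzatokenendtime' => time() + 86400 * 365]);
var_dump(hash_equals(
    securetoken_hash(securetoken_string($path, $params, $secret)),
    securetoken_hash(securetoken_string($path, $edited, $secret))
));
```

Only the finished URL is written into the page the web server returns, so the shared secret and the hashing code never reach the browser.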

Regulus,

In php, you should be able to create the hash using:

$hashstr = hash('sha256','vod/_myInstance_/sample.mp4?wowzatokenCustomParameter=abcdef&wowzatokenendtime=1500000000&xyzSharedSecret');

Zoran,

You will also need to use the wowzatokenstarttime parameter when generating the hash string. This parameter is mandatory.

This is contradictory to the information on https://www.wowza.com/docs/how-to-protect-streaming-using-securetoken-in-wowza-streaming-engine#parameters where it says that the starttime is optional.

Also, do the shown examples use real hash values? I suspect not as the calculated Hash values are the same for both RTSP and Smooth examples, even though the input hash parameters are different.

Zoran, yes, the [+/] to [-_] swap is important!! I had missed that bit.

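Just for the next person looking for this, in ActionScript (AS3)

import com.adobe.crypto.SHA256;

// hashstring holds the content path, parameters and shared secret string
var hash:String = SHA256.hashToBase64(hashstring);
var regExp1:RegExp = /\+/g;
var regExp2:RegExp = /\//g;

// Swap '+' and '/' for the URL-safe '-' and '_'
hash = hash.replace(regExp1, '-');
var usablehash:String = hash.replace(regExp2, '_');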

Is there a code for c#?

If I could add, it's generally very handy to have code examples along with these types of guides.

e.g.

php

asp (classic)

that way you will get a lot less support/tutorial requests about how to do this.

Hey!

We got success HASH

Do not believe support. :'-((((((((

All parameters are mandatory

So we have Shared Secret:c7800e7e5afc8c0b ← If you see the Shared Secret code on a web page

There are security issues. How to import a query?

I take Zoran code and put there my string like this

{code}

$hashstr = hash('sha256', 'live/definst/test.stream?c7800e7e5afc8c0b&wowzatokenendtime=0&wowzatokenstarttime=0', true); # IMPORTANT to set third parameter equals to TRUE

$usableHash = strtr(base64_encode($hashstr), '+/', '-_');

echo $usableHash;

{code}

result was: cfGUWrQ-PONy6fhWSR9cyEtnXYpAQeJqrBsES_jzqJw=

You have to get result and put it to rtmp URL like this one:

rtmp://{skipped_IP}:1935/live/definst/test.stream?wowzatokenendtime=0&wowzatokenstarttime=0&wowzatokenhash=cfGUWrQ-PONy6fhWSR9cyEtnXYpAQeJqrBsES_jzqJw=

ATTENTION!!!

wowzatokenendtime=0&wowzatokenstarttime=0 They are not OPTIONAL

—> As above may not apply to run properly. Wowza party was set base64 (sha256).

Why not?

rtmp vod example?

“rtmp://x.x.x.x:1935/VOD/mp4:2014/sample.mp4?wowzatokenendtime=xxxxxxxxxxx&wowzatokenhash=xxxxxxxxxxx=&wowzatokenstarttime=0&wowzaplaystart=100000&wowzaplayduration=181000”

  • VOD/definst/mp4:/2014/sample.mp4? : hash value not matched…

  • VOD/mp4:/2014/sample.mp4? : hash value not matched…

  • VOD/mp4:2014/sample.mp4? : hash value not matched…

how to regular expression?

When you create a hash on the web page source is shown security is vulnerable

The other way is to make sure what hash?

Can not created on the server-side to create a web page url again?

Or Is there any way to get the wowza directly query the shared secret?

Please help me…

Can someone that understands how this should be configured (either on Wowza Streaming Engine and on client) do a demonstration and share the link to the video (YouTube?). Unfortunately I don't get how to generate the sha256 hash from the client.

maybe… search… and ‘everything has already been done’
http://community.wowza.com/t/securetoken-between-client-server/46955/2