How to protect video content (Flash Media Server)

Stream capture software providers are trying many ways to capture and archive video delivered to Adobe Flash. Today, very few of these “rippers” support RTMP (Real-Time Messaging Protocol) ? the protocol used by Flash Media Server (FMS).

Adobe Flash Media Server 3.0 and Adobe Flash Player 9,0,115 introduced the new RTMPE protocol – a real-time encryption solution to help prevent stream ripping from Flash. Today this version of Adobe Flash player has been adopted by over 86% of internet-connected computers and Adobe Flash Media Server 3 is supported by all Content Delivery Networks (CDN).

RTMPE and RTMPTE (the tunneled version) should be combined with SWF Verification to provide the maximum content protection. Some stream capture software providers appear to circumvent RTMPE by using an RTMP connection and spoofing the URI used to connect to FMS, to appear as if it has made an RTMPE connection. This solution does not break RTMPE, and there are ways to prevent such software from accessing your content. This document will discuss those methods in more detail.

There are 3 ways to help prevent this activity:
Enable SWF Verification.
Use RTMPE and deny non-RTMPE connections.
Encrypt video assets with Adobe Flash Media Rights Management Server (FMRMS) (limited to Adobe AIR solutions)
Enabling SWF Verification
You can configure FMS to verify swf files after clients connect to an application. FMS will disconnect any swfs sending invalid bytes. This ensures that only your swfs can connect to your application. SWF verification requires FMS 3.0 or later and Flash Player 9.0.115 or later. See the LiveDocs for more specific information on SWF verification.
For optimal security, enable the SWF verification functionality and ensure the <FinalHashTimeout> tag is configured when enabled. The <FinalHashTimeout> specifies the maximum time (in seconds) FMS is willing to wait to receive the last SWF verification byte. FMS will disconnect the client if it does not receive all the SWF verification bytes within this timeout.
Configure SWF verification for applications:
Create a backup of the %FMS_Install%/conf/_defaultRoot_/_defaultVHost_/Application.xml file.
Open the Application.xml and locate the <SWFVerification> tag.
Set the “enabled” attribute on the <SWFVerification> tag to “true”.
Specify the location of the folder containing the verification SWFs in the <SWFFolder>
Note: If <SWFFolder> is empty or missing, FMS will look for the SWFs in application_directory\SWFs
Add the <FinalHashTimeout> tag within <SWFVerification> tags.
Note: This will force the replay software to become disconnected after this amount of time.
Set a default value of 20 seconds.
Note: You have to consider your target audience when setting the appropriate timeout value. Setting the value too low can adversely affect low bandwidth connections (e.g. modem users) because the longer it takes to download the swf, the greater the possibility of FMS reaching the timeout and prematurely disconnecting the client. However, setting a longer timeout means potentially allowing rippers to rip more content.
<Application>
   <SWFVerification enabled="true">
      <SWFFolder></SWFFolder>
      <FinalHashTimeout>20</FinalHashTimeout>
   </SWFVerification>
</Application>Adobe has released an article on the Flash Media Server Developer Center that contains a number of alternate solutions for protecting your content against replay attacks as well as other forms of content theft. You can download it here: http://www.adobe.com/devnet/flashmediaserver/articles/protecting_video_fms.html.
Use RTMPE and deny non-RTMPE connections
Stream capture software can use an RTMP connection to rip streams. Adobe recommends using RTMPE in your application and disallowing all other protocols. You can use one of the following methods to disable any non-RTMPE connections.
Note: These solutions are only applicable for Flash Media Interactive Server (FMIS) edition. For Flash Media Streaming Server (FMSS) edition, you should use SWF verification to protect against stream capture software.
Use customized Server-Side ActionScript (SSAS).
Use Access and/or Authorization Plug-ins.
Creating a custom server side script
To deploy this solution on FMIS, your application requires custom SSAS (e.g. main.asc). It?s recommended that only experienced developers deploy and test this solution.
Add the following within the application.onConnect handler
application.onConnect = function(clientObj) {
//only allow rtmpe and rtmpte connections
if(clientObj.protocol == "rtmpe") || (clientObj.protocol == "rtmpte"){
     return true;
}
return false
}Note: Adobe does not recommend using the URI to perform protocol checking because it can be spoofed. The best practice is to use the SSAS properties provided by FMS.
Save the SSAS and restart FMS.
Sample Access and Authorization Plug-ins
The adaptors.zip file contains sample C code for Access and Authorization adaptor. Adobe recommends experienced developers integrate this code with existing plug-in code for their FMIS servers. Consult the LiveDocs for more information on using plug-ins with FMS.
Encrypting video assets with FMRMS
FMRMS is a stand-alone server which allows content owners to protect media content delivered to Adobe Media Player and AIR applications. Consult the LiveDocs for more information on encrypting video assets and the DRM (digital rights management) capabilities of FMRMS.
Additional Information
White Paper: Video content protection measures enabled by FMS 3
http://xinsync.xju.edu.cn/index.php/archives/3004