Streaming content securely

All editions of Adobe Media Server support features that protect your content from being stolen and misused. Some features, such as true streaming, are intrinsic to the server and don’t need to be configured. Other features, such as enhanced RTMP (RTMPE), can be configured or disabled using XML configuration files. Still other features, such as controlling read and write access to specific server folders, can be custom built using client-side ActionScript and Server-Side ActionScript.

For a definitive guide to Adobe Media Server security, see Hardening guide for Adobe Media Server in the Adobe Developer Center.

True streaming

If an application uses progressive download (often called progressive streaming), content is downloaded to the client’s hard drive where malicious agents can capture the video and redistribute it. Adobe Media Server uses true streaming, not progressive download. This means that media streamed from Adobe Media Server to Adobe Flash Player is not stored locally in the client’s cache or anywhere on the client’s hard drive. There is no configuration necessary—Adobe Media Server always uses true streaming technology to protect your content.

Secure network protocols

Adobe Media Server supports two network protocols that offer different levels of security. Select the network protocol that best meets your organization’s and your application’s needs:

RTMPE

Uses a 128-bit encrypted channel for data between the client and the server. It does not use certificate management. It is best for applications that don’t require endpoint authentication and that require more performance and speed than is possible with SSL. RTMPE requires 15% more processing power than RTMP. To specify an encrypted channel, use the RTMPE protocol in the connection URI, for example: nc.connect("rtmpe://www.example.com/mediaapplication")

Data passed over RTMPE is encrypted with a well-known stream cipher. The cipher is keyed using a well-known public-key-exchange algorithm, which prevents passive observation and provides perfect forward secrecy.

Note: Flash Player 9 Update 3 and later and AIR 1.0 and later support RTMPE.

RTMPS

A protocol for enabling secure communications over TCP/IP. Adobe Media Server provides native support for both incoming and outgoing SSL connections with the RTMPS protocol. SSL protects against domain impersonation. It allows you to choose the level of encryption you want. SSL potentially provides the highest level of security but requires extra processing power, almost 50% more than RTMP. To specify an RTMPS connection, use the RTMPS protocol in the connect URI, for example: nc.connect("rtmps://www.example.com/mediaapplication")

Data passed over RTMPS is protected by SSL guarantees. The server certificate check authenticates that the server is a valid server but not that the client is a valid Flash Player or AIR client. See Configure SSL.

RTMFP

Uses 128-bit encryption. Data passed over RTMFP is encrypted with a well-known block cipher. The cipher is keyed using a well-known public-key-exchange algorithm, which prevents passive observation and provides perfect forward secrecy. Session nonces are provided and are tied to the key exchange so that you can build client and server authentication on top of the exchanged values.

To establish a peer-to-peer connection, a subscribing peer must know the peer ID of a publishing peer. These peer IDs are guaranteed to be unique for each instance of Flash Player. Peer IDs are 256-bit values created from a cryptographically random source. When an RTMFP peer connects to another RTMFP peer using a peer ID, the public-key-exchange algorithm is tied to the peer ID so that it is not possible to conduct a man-in-the-middle attack. All other guarantees provided by RTMFP are also in place.

To specify an RTMFP connection, use the RTMFP protocol in the connect URI, for example: nc.connect("rtmfp://www.example.com/mediaapplication")

Session nonces

Flash Player 10 and Adobe Media Server 3.0.3 and 3.5.1 add support for session nonces for RTMFP and RTMPE. Nonces are tied to the key exchange so that you can build client and server authentication on top of the exchanged values.

On Flash Player, nonces are available as properties of the NetConnection object (nearNonce and farNonce). On Adobe Media Server, nonces are available on the Server-Side ActionScript Client object (nearNonce and farNonce), the Server-Side ActionScript NetConnection object (nearNonce and farNonce), the Access plug-in (nearNonce and farNonce fields on the CONNECT event), and on the Authorization plug-in (F_CLIENT_NEAR_NONCE and F_CLIENT_FAR_NONCE fields on any authorization event that has a Client object).
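
One way to build authentication on top of the session nonces, as an added example that is not Adobe's code: a Node.js model in which the client proves knowledge of a pre-shared secret with an HMAC bound to both nonces, so a proof made on one key exchange fails on any other. Assumptions: the secret, the HMAC-SHA256 proof layout and all function names are hypothetical, nonces are modelled as hex strings, and each end's nearNonce is the value the other end reads as farNonce.

```javascript
const crypto = require("node:crypto");

// Assumption: a secret provisioned to client and server out of band (constructed value).
const SHARED_SECRET = Buffer.from("constructed-demo-secret");

// HMAC over a role label and both nonces, always ordered (client, server)
// so the two ends feed identical bytes into the MAC.
function proof(role, clientNonce, serverNonce, secret = SHARED_SECRET) {
  return crypto.createHmac("sha256", secret)
    .update([role, clientNonce, serverNonce].join("\0"))
    .digest();
}

// Client: nearNonce is its own value, farNonce came from the server.
function clientProof(conn) {
  return proof("client", conn.nearNonce, conn.farNonce);
}

// Server: the view is mirrored, so the client's nonce is client.farNonce.
function serverAccepts(client, received) {
  const expected = proof("client", client.farNonce, client.nearNonce);
  return received.length === expected.length &&
    crypto.timingSafeEqual(received, expected);
}

// Constructed session: each end contributes one random nonce to the exchange.
function newSession() {
  const c = crypto.randomBytes(32).toString("hex");
  const s = crypto.randomBytes(32).toString("hex");
  return {
    clientView: { nearNonce: c, farNonce: s },
    serverView: { nearNonce: s, farNonce: c },
  };
}

function demo() {
  const direct = newSession();
  // A relayed connection is two separate key exchanges, so the nonces the
  // client sees are not the ones the server sees.
  const relayed = { clientView: newSession().clientView,
                    serverView: newSession().serverView };
  return {
    direct: serverAccepts(direct.serverView, clientProof(direct.clientView)),
    relayed: serverAccepts(relayed.serverView, clientProof(relayed.clientView)),
    // A proof captured from one session is presented on a later session.
    replayed: serverAccepts(newSession().serverView, clientProof(direct.clientView)),
  };
}
console.log(demo());
```

The same construction with the role label "server" gives the client a proof to check in return; how the proof travels between the two ends is outside this example.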