Streaming media service user authentication method based on the RTMP protocol
Technical field
The invention belongs to the technical field of streaming media services, and in particular relates to a user authentication method for streaming media services based on the RTMP protocol, covering both live streaming and video on demand.
Background art
In recent years, with the rapid development of Internet technology, more and more services have moved online, and online video services are one of them. The RTMP protocol is a transport protocol designed for online video; it has very good real-time performance and is widely used for video on demand and live streaming. Because the RTMP protocol itself has no step that authenticates the user's identity, by default a video server accepts connection requests from any party indiscriminately and provides the video service. In fields where media must be kept confidential or is sold commercially, a service relying only on the standard RTMP protocol has significant practical limitations, shown in the following deficiencies:
1. Commercial video resources are intended to be viewed only by registered users. If a registered user discloses the URL used to request a video resource, then any unregistered user can view the corresponding video resource normally, which is detrimental to copyright protection.
2. Because the RTMP protocol is public, a competitor can build a customized video request client and, impersonating a legitimate user, request video resources from the server in bulk to steal or back them up, causing commercially valuable video resources or important data to be leaked or spread, so that the copyright of the streaming media content is infringed.
3. A competitor can send a large number of connection requests to the video server by programmatic means. Because the RTMP protocol treats all requests alike, the server cannot distinguish valid from invalid connection requests, which easily leads to excessive server load and downtime, ultimately affecting the availability of the whole system.
Summary of the invention
Using the standard RTMP protocol, the copyright interests of resource holders cannot be protected; in practice, access control according to user identity and the corresponding access level is generally required, refusing unauthorized access so that commercial resources are used in a regulated way. In view of the deficiencies of the prior art, the object of the present invention is to add a customizable access control mechanism on top of standard RTMP, so that the video server provides the video service only to legitimate users, while the video data is transmitted encrypted, fundamentally ensuring that streaming media content is not spread further.
The invention provides a streaming media service user authentication method based on the RTMP protocol. Before providing the video service, the video server first verifies the legitimacy of the user's identity through an authentication server, and secondly verifies the user's access rights; the video service is provided only to users with sufficient access rights, and requests from illegitimate users or users with insufficient permission are refused. Finally, the video stream data is transmitted encrypted, preventing users from obtaining the video content by downloading it and spreading it further. Through the above means, the copyright of the streaming media is protected from infringement. The method of the invention specifically includes the following steps:
(1) The video server receives a resource request from the client.
(2) The video server extracts the user session information from the request. The user session information includes the user session ID, the user ID, the TOKEN and the resource ID; this information is handed to the authentication server for authentication.
(3) The authentication server delegates the verification of the user session's validity to the single sign-on system. If the user ID or TOKEN is found to be invalid, it responds directly with "not logged in"; when the user session has expired, it responds with "invalid session"; when the user session is valid, the single sign-on system reads the current user's permission level from the database server and returns it to the authentication server as the response result.
(4) After obtaining the current user's permission level, the authentication server obtains the permission level of the requested resource from the resource management server according to the resource ID; when the user's permission level is insufficient to access the corresponding resource, it responds with "insufficient permission".
(5) The authentication server checks whether the current user ID is in the playing state; if the current user ID already has a session that is playing, the authentication server notifies the video server providing that service to interrupt the video transmission.
(6) The video server establishes the RTMP connection channel with the client, randomly generates a 16-byte dynamic key and sends it to the client as the session key, then notifies the authentication server that the RTMP connection of the current session succeeded, and the authentication server updates the playing state of the current session.
(7) The client receives the session key, stores it locally, and sends a key response message to the video server.
(8) After the video server receives the client's key response, it begins video data transmission, encrypting the video stream data in real time with the current session key before sending it.
(9) The client receives the streaming media data, decrypts it into plaintext and plays it normally.
(10) When the video data transmission of this session is complete, the video server notifies the authentication server to update the user's playing state.
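The decision logic of steps (2) to (5) and the playing-state bookkeeping of steps (6) and (10), written as an added example that is not part of the patent text. It assumes that the single sign-on system's session table, the database server's user permission levels and the resource management server's resource levels are all reachable as in-memory dictionaries (a simplification for a stand-alone example); the response names, the class and the sample sessions and levels are constructed here.

```python
import hmac
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Response results named in steps (3) and (4) of the method.
NOT_LOGGED_IN = "not_logged_in"
INVALID_SESSION = "invalid_session"
INSUFFICIENT_PERMISSION = "insufficient_permission"
OK = "ok"


@dataclass
class Session:
    """One entry of the single sign-on system's session table (constructed stand-in)."""
    user_id: str
    token: str
    expires_at: float  # seconds since the epoch


@dataclass
class AuthServer:
    """Authentication server with the SSO lookup, the resource lookup and the playing
    state folded into one object (an assumption made for this stand-alone example)."""
    sessions: Dict[str, Session]            # session_id -> Session (single sign-on system)
    user_levels: Dict[str, int]             # user_id -> permission level (database server)
    resource_levels: Dict[str, int]         # resource_id -> required level (resource management server)
    playing: Dict[str, str] = field(default_factory=dict)  # user_id -> session_id now playing

    def verify(self, session_id: str, user_id: str, token: str, resource_id: str,
               now: float) -> Tuple[str, Optional[str]]:
        """Steps (3)-(5): returns (result, session_to_interrupt).

        session_to_interrupt is the earlier session of the same user ID that the
        video server must break off (step 5), or None when nothing is playing.
        """
        sess = self.sessions.get(session_id)
        # Step (3): unknown session, user ID mismatch or wrong TOKEN -> "not logged in".
        # compare_digest keeps the token comparison constant-time.
        if sess is None or sess.user_id != user_id or not hmac.compare_digest(sess.token, token):
            return NOT_LOGGED_IN, None
        # Step (3): session expired -> "invalid session".
        if now >= sess.expires_at:
            return INVALID_SESSION, None
        # Steps (3)/(4): compare the user's permission level with the resource's level.
        # A resource the resource management server does not know is treated as
        # not accessible (closed by default).
        user_level = self.user_levels.get(user_id, 0)
        required = self.resource_levels.get(resource_id)
        if required is None or user_level < required:
            return INSUFFICIENT_PERMISSION, None
        # Step (5): an earlier session of the same user ID that is still playing is interrupted.
        return OK, self.playing.get(user_id)

    def on_connected(self, user_id: str, session_id: str) -> None:
        """Step (6): the video server reports a successful RTMP connection."""
        self.playing[user_id] = session_id

    def on_finished(self, user_id: str, session_id: str) -> None:
        """Step (10): transmission complete; clear the playing state if this session owned it."""
        if self.playing.get(user_id) == session_id:
            del self.playing[user_id]


def demo_server() -> AuthServer:
    """Constructed sample data: two live sessions for 'alice', one expired session for 'bob'."""
    return AuthServer(
        sessions={
            "sess-1": Session("alice", "tok-alice-1", expires_at=2_000.0),
            "sess-2": Session("alice", "tok-alice-2", expires_at=2_000.0),
            "sess-old": Session("bob", "tok-bob", expires_at=500.0),
        },
        user_levels={"alice": 2, "bob": 3},
        resource_levels={"vid-free": 1, "vid-premium": 3},
    )


if __name__ == "__main__":
    srv = demo_server()
    print(srv.verify("sess-1", "alice", "tok-alice-1", "vid-free", now=1_000.0))
    srv.on_connected("alice", "sess-1")
    # A second login of the same account is valid, but sess-1 is reported for interruption.
    print(srv.verify("sess-2", "alice", "tok-alice-2", "vid-free", now=1_000.0))
```

The order of the checks matters for the server's load: the cheap session and token checks run first, so a flood of unauthenticated requests is refused before any resource lookup or playing-state change is made.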
Further, the resource management server is used to manage and maintain all streaming media resources and externally provides an interface for querying resource information. Administrators can upload and delete video resources and change their permissions in the back end. The resource management server periodically checks its local resource library for changes; once it detects that local resources have been added or removed, it immediately notifies each video server to update its resource library, thereby ensuring resource consistency across the video servers.
The beneficial effects of the invention are as follows:
1. Comprehensive access control: streaming media resources can be used only by the legitimate user group and illegitimate video requests are refused, ensuring that video resources are used properly while reducing the processing load on the video server.
2. Data security: a dynamic key is used to encrypt the video data in transit, so that the video can be viewed only by legitimate users; a downloaded video file is in ciphertext form and cannot be played normally, ensuring that the commercial value of the video is not infringed.
3. Prevention of one account being used in multiple places: in combination with the single sign-on system and using the user session as the reference, the situation where one account requests video resources from several places at the same time is avoided. It can also prevent one account from playing several videos on the same device at the same time, which is conducive to the rational use of bandwidth.
4. Real-time update of resource status: all media resources are managed centrally by the resource management server; when the resource library changes, an instruction message is broadcast to each video server, ensuring that the local video resources of each video server are in the latest state.
5. Effective access control mechanism: administrators can update the permission level of a video resource or the access level of a user in real time, achieving real-time changes to the user's access authorization.
6. The invention can achieve reliable and confidential authentication for streaming media on demand and live streaming, can significantly improve the security of network streaming media management, and has very important practical significance for the development of network streaming media security technology.
Brief description of the drawings
Fig. 1 is a relationship diagram of the key components of the invention;
Fig. 2 is a flow chart of the access control function of the video server after it receives a user's video request;
Fig. 3 is a flow chart of resource management and synchronization by the resource management server.
Detailed description of the invention
As shown in Fig. 1, the invention mainly comprises four parts: the video server, the authentication server, the resource management server and the single sign-on system; the user terminal is a browser.
As shown in Fig. 2, the streaming media service user authentication method based on the RTMP protocol provided by the invention comprises the following steps:
(1) The video server receives a client request from the HTTP server.
(2) The video server extracts the user session information from the request. The user session information includes the user session ID, the user ID, the TOKEN and the resource ID; this information is handed to the authentication server for authentication.
(3) The authentication server delegates the verification of the user session's validity to the single sign-on system. If the user ID or TOKEN is found to be invalid, it responds directly with "not logged in"; when the user session has expired, it responds with "invalid session"; when the user session is valid, the single sign-on system reads the current user's permission level from the database server and returns it to the authentication server as the response result.
(4) After obtaining the current user's permission level, the authentication server obtains the permission level of the requested resource from the resource management server according to the resource ID; when the user's permission level is insufficient to access the corresponding resource, it responds with "insufficient permission".
(5) The authentication server checks whether the current user ID is in the playing state; if the current user ID already has a session that is playing, the authentication server notifies the video server providing that service to interrupt the video transmission.
(6) The video server establishes the RTMP connection channel with the client, randomly generates a 16-byte dynamic key and sends it to the client as the session key, then notifies the authentication server that the RTMP connection of the current session succeeded, and the authentication server updates the playing state of the current session.
(7) The client receives the session key, stores it locally, and sends a key response message to the video server.
(8) After the video server receives the client's key response, it begins video data transmission, encrypting the video stream data in real time with the current session key before sending it.
(9) The client receives the streaming media data, decrypts it into plaintext and plays it normally.
(10) When the video data transmission of this session is complete, the video server notifies the authentication server to update the user's playing state.
The invention makes the following extensions on the basis of a standard RTMP protocol implementation:
(1) The client's RTMP connection request is extended: the client must provide the user ID, user session ID, TOKEN and resource ID in the request data, and processing logic for receiving the key response and for real-time decryption of the video data is added.
(2) The processing logic of the video server is changed: after receiving a video request sent by the client, the video server does not provide the video service directly, but first extracts the user ID, user session ID, TOKEN and resource ID from the request and hands them to the authentication server to verify whether the current user has sufficient access rights. Only after the verification passes can the RTMP connection with the client be established and the subsequent video service provided; otherwise the request is treated as an invalid connection request and the connection is refused.
(3) The video server gains the new functions of generating the dynamic key and of encrypting the video data in real time for transmission.
(4) A new authentication server provides the video server with service interfaces for user identity and permission verification; according to the user ID and resource ID, the authentication server determines whether the current user's request is legitimate and returns the permission verification result to the video server.
(5) A new resource management server is used to manage and maintain all streaming media resources and externally provides an interface for querying resource information. As shown in Fig. 3, administrators can upload and delete video resources and change their permissions in the back end. The resource management server periodically checks its local resource library for changes; once it detects that local resources have been added or removed, it immediately notifies each video server to update its resource library, thereby ensuring resource consistency across the video servers.
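The detect-and-broadcast cycle of the resource management server described in extension (5) and in the "Further" paragraph of the summary, as an added example that is not part of the patent text. It assumes the local resource library is presented to the manager as a snapshot (resource ID to size and permission level) on every timer tick, and that a notification to a video server is a plain message record; the snapshot format, the class and the sample resources are constructed here. It goes slightly beyond the text by also reporting a changed permission level as an update, since the text says administrators change permissions in the back end.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed snapshot format: one entry per resource in the local library.
@dataclass(frozen=True)
class ResourceEntry:
    size: int
    level: int  # permission level required to access the resource


Snapshot = Dict[str, ResourceEntry]


def diff_snapshots(previous: Snapshot, current: Snapshot) -> List[Tuple[str, str]]:
    """Return sorted (action, resource_id) pairs for added, removed and changed resources."""
    changes: List[Tuple[str, str]] = []
    for rid in current.keys() - previous.keys():
        changes.append(("add", rid))
    for rid in previous.keys() - current.keys():
        changes.append(("remove", rid))
    for rid in previous.keys() & current.keys():
        if previous[rid] != current[rid]:      # size or permission level changed
            changes.append(("update", rid))
    return sorted(changes)


class ResourceManager:
    """Resource management server: keeps the last snapshot, answers queries and
    broadcasts one instruction message per change to every registered video server."""

    def __init__(self, video_servers: Iterable[str]) -> None:
        self.video_servers = list(video_servers)
        self.snapshot: Snapshot = {}

    def query(self, resource_id: str) -> Optional[ResourceEntry]:
        """The externally provided resource information query interface."""
        return self.snapshot.get(resource_id)

    def poll(self, current: Snapshot) -> List[dict]:
        """One timer tick: diff the library against the last snapshot and build the
        notifications. A tick with no change produces no messages."""
        changes = diff_snapshots(self.snapshot, current)
        messages = [
            {"to": server, "action": action, "resource_id": rid, "entry": current.get(rid)}
            for action, rid in changes
            for server in self.video_servers
        ]
        self.snapshot = dict(current)
        return messages


if __name__ == "__main__":
    mgr = ResourceManager(["video-server-1", "video-server-2"])
    mgr.poll({"vid-1": ResourceEntry(100, 1), "vid-2": ResourceEntry(200, 2)})
    # An administrator raises vid-1 to level 3, deletes vid-2 and uploads vid-3.
    for msg in mgr.poll({"vid-1": ResourceEntry(100, 3), "vid-3": ResourceEntry(300, 1)}):
        print(msg)
```

Because the snapshot is replaced only after the messages are built, a change that appears between two ticks is always reported exactly once; messages the video servers fail to receive would need a retry path on top of this, which the text does not describe.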
The invention has the following features:
1. Dynamic-key encryption of the video stream. The video server generates a different dynamic key for each session connection and encrypts the data for transmission; the client decrypts and plays it in real time, which does not affect the real-time performance of video playback and increases the difficulty of guessing the algorithm and cracking the ciphertext.
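Steps (6), (8) and (9) of the method, per-session 16-byte key generation and real-time encryption and decryption of stream chunks, as an added example that is not part of the patent text. The patent does not name a cipher, so this example uses a constructed stream cipher built only from the standard library (HMAC-SHA256 run in counter mode under a per-session key, with a truncated HMAC tag on every chunk so the client rejects frames that were altered or encrypted under another key); the frame layout, the function names and the sample chunks are assumptions of this example.

```python
import hashlib
import hmac
import secrets
import struct
from typing import List, Optional, Tuple

KEY_LEN = 16                   # the method's 16-byte dynamic session key
TAG_LEN = 16                   # truncated HMAC-SHA256 tag per chunk (this example's choice)
HEADER = struct.Struct(">Q")   # 8-byte big-endian chunk counter at the front of each frame


def generate_session_key() -> bytes:
    """Step (6): a fresh random 16-byte key for every RTMP session."""
    return secrets.token_bytes(KEY_LEN)


def _subkeys(session_key: bytes) -> Tuple[bytes, bytes]:
    # Separate keystream and tag keys, both derived from the session key.
    enc = hmac.new(session_key, b"stream-encryption", hashlib.sha256).digest()
    mac = hmac.new(session_key, b"stream-integrity", hashlib.sha256).digest()
    return enc, mac


def _keystream(enc_key: bytes, chunk_index: int, length: int) -> bytes:
    # Counter mode: block i of chunk n is HMAC(enc_key, n || i). The (key, n, i)
    # triple is never reused because the key is fresh per session and n only grows.
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hmac.new(enc_key, struct.pack(">QQ", chunk_index, block), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def encrypt_chunk(session_key: bytes, chunk_index: int, plaintext: bytes) -> bytes:
    """Step (8), video server side. Frame = counter || tag || ciphertext."""
    enc_key, mac_key = _subkeys(session_key)
    ks = _keystream(enc_key, chunk_index, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, ks))
    header = HEADER.pack(chunk_index)
    tag = hmac.new(mac_key, header + ciphertext, hashlib.sha256).digest()[:TAG_LEN]
    return header + tag + ciphertext


def decrypt_chunk(session_key: bytes, frame: bytes) -> Tuple[int, bytes]:
    """Step (9), client side. Verifies the tag before decrypting; raises ValueError otherwise."""
    if len(frame) < HEADER.size + TAG_LEN:
        raise ValueError("frame too short")
    header = frame[:HEADER.size]
    tag = frame[HEADER.size:HEADER.size + TAG_LEN]
    ciphertext = frame[HEADER.size + TAG_LEN:]
    enc_key, mac_key = _subkeys(session_key)
    expected = hmac.new(mac_key, header + ciphertext, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        raise ValueError("chunk failed integrity check (wrong session key or altered frame)")
    (chunk_index,) = HEADER.unpack(header)
    ks = _keystream(enc_key, chunk_index, len(ciphertext))
    return chunk_index, bytes(c ^ k for c, k in zip(ciphertext, ks))


def stream_round_trip(chunks: List[bytes], key: Optional[bytes] = None):
    """Encrypt a chunk sequence as the server would and decrypt it as the client would.
    Returns (session_key, frames_on_the_wire, recovered_plaintext_chunks)."""
    if key is None:
        key = generate_session_key()
    frames = [encrypt_chunk(key, i, chunk) for i, chunk in enumerate(chunks)]
    recovered = [decrypt_chunk(key, frame)[1] for frame in frames]
    return key, frames, recovered


if __name__ == "__main__":
    # Constructed sample chunks standing in for RTMP video tags.
    sample = [b"video-tag-0 " * 4, b"video-tag-1", b""]
    key, frames, recovered = stream_round_trip(sample)
    print(key.hex(), recovered == sample)
```

Two consequences follow from the per-session key: a file saved from the wire stays ciphertext, and the same video sent in two sessions yields unrelated ciphertext, so one recovered key does not open another session's recording.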
2. Prevention of video download and illegal spreading. The invention prevents video resources from being illegally downloaded and spread by encrypting the video data; the encrypted video content cannot be played, and without the decryption algorithm and the decryption key an attacker finds it difficult to obtain the video content, fundamentally preventing the video content from being leaked.
3. Prevention of one account being used in multiple places. Through the connection feedback from the video server, the authentication server records the playing state of each user ID in real time; when the same account logs in repeatedly and requests the video service, only the most recent video request is considered valid, and the video playback already in progress for that account is forcibly interrupted. This prevents one account from logging in from several places and requesting the video service at the same time, and can limit the number of pages in which one account plays video on the same device at the same time.