TheRiver | blog

You have reached the world's edge, none but devils play past here


rtsp_digest encryption and decryption

Wikipedia

Digest access authentication is one of the agreed-upon methods a web server can use to negotiate credentials, such as username or password, with a user’s web browser. This can be used to confirm the identity of a user before sending sensitive information, such as online banking transaction history. It applies a hash function to the username and password before sending them over the network.


Encryption and decryption flow

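Digest access authentication was originally specified by RFC 2069 (An Extension to HTTP: Digest Access Authentication). RFC 2069 specifies roughly the traditional digest authentication scheme, whose security is maintained by a server-generated nonce value. The authentication response is formed as follows (where HA1 and HA2 are names of string variables).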

RTSP digest encryption

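ONVIF live view has to go over RTSP (I am not very familiar with this area yet, so I am not sure whether that is mandatory). The ODM tool's live view, however, does go over RTSP. I also captured the packets: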

Link: https://pan.baidu.com/s/1h1hUiPAQDKzugfRLNUmdPg

Extraction code: 0rp8

DESCRIBE rtsp://192.168.1.18/media/video1 RTSP/1.0
CSeq: 3
User-Agent: LIVE555 Streaming Media v2012.06.17
Accept: application/sdp

RTSP/1.0 401 ClientUnAuthorized
CSeq: 3
WWW-Authenticate: Digest realm="48ea630ea6b6",nonce="1560111814178281114221112111111170273871", stale="FALSE"

DESCRIBE rtsp://192.168.1.18/media/video1 RTSP/1.0
CSeq: 4
Authorization: Digest username="admin", realm="48ea630ea6b6", nonce="1560111814178281114221112111111170273871",
uri="rtsp://192.168.1.18/media/video1", response="100bcc84410727cf46a8b33db7258c01"
User-Agent: LIVE555 Streaming Media v2012.06.17
Accept: application/sdp

RTSP/1.0 200 OK
CSeq: 4
Content-Base: rtsp://192.168.1.18/media/video1
Content-Length: 508
Content-Type: application/sdp

v=0
o=- 1001 1 IN IP4 192.168.1.18
s=VCP IPC Realtime stream
m=video 0 RTP/AVP 105
c=IN IP4 192.168.1.18
a=control:rtsp://192.168.1.18/media/video1/video
a=rtpmap:105 H264/90000
a=fmtp:105 profile-level-id=64001f; packetization-mode=1; sprop-parameter-sets=Z2QAH6wrUCgC3QgAAB9AAAYahCAA,aO4xsg==
a=recvonly
m=application 0 RTP/AVP 107
c=IN IP4 192.168.1.18
a=control:rtsp://192.168.1.18/media/video1/metadata
a=rtpmap:107 vnd.onvif.metadata/90000
a=fmtp:107 DecoderTag=h3c-v3 RTCP=0
a=recvonly

Flow

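The first request (rtsp.method == DESCRIBE) is sent without a username or password. The server answers 401 (authentication failed) and carries the realm and the nonce in that 401 response.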

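The client computes the digest over a string assembled from the realm and nonce, then sends a second request (rtsp.method == DESCRIBE) that carries the authentication information. In it, response="100bcc84410727cf46a8b33db7258c01" is the final computed value; the server generates its own response as well and checks it against the client's.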

How the response is generated

HA1 = MD5(username:realm:password)
HA2 = MD5(method:digestURI)
response = MD5(HA1:nonce:HA2)

HA1 = MD5(admin:48ea630ea6b6:***) = a913b0ee8a4c9d05cf6d34b597b45e1f
HA2 = MD5(DESCRIBE:rtsp://192.168.1.18/media/video1)= 68010645697e5e209583dde1323ca453
response = MD5(a913b0ee8a4c9d05cf6d34b597b45e1f:1560111814178281114221112111111170273871:68010645697e5e209583dde1323ca453)
         = 100bcc84410727cf46a8b33db7258c01

MD5 encryption

Here I used the md5sum command on the server to do the encryption, which is fairly convenient.
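
The exchange above as an added Python example (not code from the original post): it parses the 401 challenge from the capture, builds the client's Authorization header with the HA1/HA2 formula, and checks it the way the server would. The password "example-pass" is a constructed placeholder because the page masks the real one, and the function names are hypothetical.

```python
import hashlib
import hmac
import re

# 401 challenge and URI copied from the capture above.
CHALLENGE = ('WWW-Authenticate: Digest realm="48ea630ea6b6",'
             'nonce="1560111814178281114221112111111170273871", stale="FALSE"')
URI = "rtsp://192.168.1.18/media/video1"
PASSWORD = "example-pass"  # constructed: the page masks the real password

PAIR = re.compile(r'(\w+)="([^"]*)"')

def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def parse_challenge(header):
    """Return the key="value" parameters of a WWW-Authenticate: Digest header."""
    scheme, _, params = header.partition(":")[2].strip().partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest challenge")
    return dict(PAIR.findall(params))

def digest_response(username, password, realm, nonce, method, uri):
    """RFC 2069 form seen in the capture (no qop): MD5(HA1:nonce:HA2)."""
    ha1 = md5_hex(f"{username}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")

def authorization_header(username, password, challenge, method, uri):
    """Client side: build the header sent with the second DESCRIBE."""
    realm, nonce = challenge["realm"], challenge["nonce"]
    resp = digest_response(username, password, realm, nonce, method, uri)
    return (f'Authorization: Digest username="{username}", realm="{realm}", '
            f'nonce="{nonce}", uri="{uri}", response="{resp}"')

def server_verify(auth_header, stored_password, method, issued_nonce):
    """Server side: recompute the response and compare in constant time."""
    p = dict(PAIR.findall(auth_header))
    if p.get("nonce") != issued_nonce:  # only accept a nonce this server issued
        return False
    expected = digest_response(p.get("username", ""), stored_password,
                               p.get("realm", ""), p["nonce"], method, p.get("uri", ""))
    return hmac.compare_digest(expected, p.get("response", ""))

if __name__ == "__main__":
    ch = parse_challenge(CHALLENGE)
    hdr = authorization_header("admin", PASSWORD, ch, "DESCRIBE", URI)
    print(hdr)
    print("server accepts:", server_verify(hdr, PASSWORD, "DESCRIBE", ch["nonce"]))
```

When reproducing these values with md5sum instead, feed the string with printf '%s' (or echo -n) so that no trailing newline is hashed.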
