SWF Verification
The Adobe Flash player uses a well-known constant, appended to information derived from the SWF file (a hash of the file and its size), as input to HMACSHA256. The HMACSHA256 key is the last 32 bytes of the server's first handshake packet. The Flash Media Server uses this to limit access to those clients which have access to the SWF file (or have been given a copy of the hash and the size of the SWF file).
All officially allowed clients (which are in fact *.swf files) need to be placed on the Flash Media Server streaming the file. Any other client requesting a connection will receive a "connection reject".
The combination of both techniques is intended to ensure streams cannot be sniffed and stored into a local file, as SWF verification is intended to prevent third party clients from accessing the content. However, it does not achieve this goal. Third party clients are free to write the decrypted content to a local file simply by knowing the hash of the SWF file and its size. In practice, therefore, Adobe's own implementation of the Macromedia Flash Player is the only client which does not allow saving to a local file.
The only possible way to restrict connections to a Flash Media Server is to use a list of known hosts, to avoid the whole player (the Flash client) being placed on an unauthorised website. Even this has no real benefit for mass-distributed files, as any one of the known hosts could take a copy of the data and re-distribute it at will. Thus "known host" security is only useful when the known hosts can be trusted not to re-distribute the data.
Read more about this topic: Protected Streaming
Famous quotes containing the word verification:
“A fact is a proposition of which the verification by an appeal to the primary sources of our knowledge or to experience is direct and simple. A theory, on the other hand, if true, has all the characteristics of a fact except that its verification is possible only by indirect, remote, and difficult means.”
—Chauncey Wright (1830–1875)