[Live-devel] RTSPServer authentication is secure?

Ross Finlayson finlayson at live555.com
Thu Jun 16 12:59:06 PDT 2016


Yes, the RTSP digest authentication protocol is secure; passwords do not get sent over the net.

Instead, the way it works is that the server sends, to the client, a randomly generated string (i.e., different each time) - called a “nonce”; see
	https://en.wikipedia.org/wiki/Cryptographic_nonce
- as a challenge.  The client then responds by computing a cryptographic hash of the “nonce” and the password, and sending this hash back to the server.  (The cryptographic hash cannot practically be reversed, so an eavesdropper cannot deduce the password from the hash.)  The server then compares this hash with what it knows that the hash should be (from its known password), to check whether the client knew the correct password.


Ross Finlayson
Live Networks, Inc.
http://www.live555.com/
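
The challenge-response exchange described in the message above, as an added example that is not part of the original post and is not LIVE555 code. It assumes the RFC 2617 digest computation without `qop` (MD5 over username, realm, password, nonce, method and URI); the `DigestServer` class, the single-use nonce policy, and all sample values are constructed for illustration.

```python
import hashlib
import hmac
import secrets

def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def digest_response(username, realm, password, nonce, method, uri):
    """Client-side hash (RFC 2617, no qop). Only this value goes on the wire."""
    ha1 = md5_hex(f"{username}:{realm}:{password}")   # secret-dependent part
    ha2 = md5_hex(f"{method}:{uri}")                  # binds the request line
    return md5_hex(f"{ha1}:{nonce}:{ha2}")

class DigestServer:
    """Hypothetical server side: issues nonces and checks responses."""

    def __init__(self, realm, users):
        self.realm = realm
        self.users = users            # username -> password (constructed data)
        self.outstanding = set()      # nonces issued and not yet answered

    def challenge(self):
        nonce = secrets.token_hex(16)  # 128 random bits, different each time
        self.outstanding.add(nonce)
        return nonce

    def verify(self, username, nonce, method, uri, response):
        if nonce not in self.outstanding or username not in self.users:
            return False
        # Assumption of this sketch: a nonce is accepted once, so a response
        # captured by an eavesdropper cannot be replayed later.
        self.outstanding.discard(nonce)
        expected = digest_response(username, self.realm, self.users[username],
                                   nonce, method, uri)
        # Constant-time comparison avoids leaking how many characters matched.
        return hmac.compare_digest(expected, response)

if __name__ == "__main__":
    server = DigestServer("constructed-realm", {"alice": "s3cret"})
    uri = "rtsp://example.invalid/stream"
    nonce = server.challenge()
    resp = digest_response("alice", server.realm, "s3cret", nonce, "DESCRIBE", uri)
    print("challenge nonce:", nonce)
    print("client response:", resp)
    print("accepted:", server.verify("alice", nonce, "DESCRIBE", uri, resp))
    print("replay accepted:", server.verify("alice", nonce, "DESCRIBE", uri, resp))
```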



