Time-based One-Time Password (TOTP) Makes Streams Secure

Published by Burak Kekeç on

Try Live Demo

The Time-based One-time Password algorithm (TOTP) is the recently implemented stream security mechanism in Ant Media Server. This can provide tokens that are valid for a time period. Publishers or players should use these tokens in time to be able to publish or play.

What is a Time-based One-Time Password (TOTP)?

Time-based One-Time Password (TOTP)

The Time-based One-time Password algorithm (TOTP) is an extension of the HMAC-based One-time Password algorithm (HOTP) that generates a one-time password (OTP) by instead taking uniqueness from the current time. You can find more on TOTP here.

How to use TOTP in Ant Media Server

We define a publisher or player as a subscriber. If time-based token enabled, a subscriber should be created for the stream to able to publish or play. Each subscriber has an ID and a code. When a subscriber requests to publish or play a stream, he should provide his ID and time-based token generated for his code. Otherwise, the server doesn’t accept the publish or play request.

Enabling TOTP and Related Settings

You can enable Time-based One-Time Password (TOTP) using Management Panel or in the configuration file as settings.timeTokenSubscriberOnly=true You can also set the TOTP period in seconds in the configuration file as settings.timeTokenPeriod=60

Subscriber REST Operations

You should create subscribers and assign them a base 32 secret to each subscriber. A secret should be in the length of multiple of 8 characters. You can create, delete, and list subscribers using REST API as in the following curl samples:

Create Subscriber

curl -X POST -H "Accept: Application/json" -H "Content-Type: application/json" http://localhost:5080/WebRTCAppEE/rest/v2/broadcasts/stream1/subscribers -d '{"subscriberId":"publisherA", "b32Secret":"mysecret", "type":"publish"}'

or

curl -X POST -H "Accept: Application/json" -H "Content-Type: application/json" http://localhost:5080/WebRTCAppEE/rest/v2/broadcasts/stream1/subscribers -d '{"subscriberId":"playerB", "b32Secret":"mysecret", "type":"play"}'

Delete subscriber

curl -X DELETE -H "Accept: Application/json" -H "Content-Type: application/json" http://localhost:5080/WebRTCAppEE/rest/v2/broadcasts/stream1/subscribers/publisherA

Delete all subscribers

curl -X DELETE -H "Accept: Application/json" -H "Content-Type: application/json" http://localhost:5080/WebRTCAppEE/rest/v2/broadcasts/stream1/subscribers

List All Subscribers

curl -i -H "Accept: Application/json" -X GET "http://localhost:5080/WebRTCAppEE/rest/v2/broadcasts/stream1/subscribers/list/0/5"

What is Time-based one-time password (TOTP) Usage

Time-based one-time password (TOTP) Usage

Publish/Play Stream

A subscriber (publisher or player) should pass subscriber id and generated TOTP to publish or play.

Publish URL

http://localhost:5080/WebRTCAppEE/?subscriberId=publisherA&subscriberCode=​ 440456

Player URL

http://localhost:5080/WebRTCAppEE/?subscriberId=playerB&subscriberCode=​ 438610

Subscriber Statistics

You can get the stats for each subscriber with the following REST method.

curl -i -H "Accept: Application/json" -X GET "http://localhost:5080/WebRTCAppEE/rest/v2/broadcasts/stream1/subscriber-stats/list/0/5"

The response contains the following stats for the subscribers:

  • Connection/Disconnection events with timestamp
  • Average Video Bitrate
  • Average Audio Bitrate

When to use TOTP?

If you want to let only authenticated users publish to or play from your Ant Media Server, you may consider using TOTP. You can provide tokens to users for a restricted period. Also if you need the statistics for the user you can also use TOTP token.

In this post, we introduced the Time-based One-Time Password (TOTP) and usage in Ant Media Server for stream security. You can find about the other mechanisms for stream security from this post.

Useful Links

You can try Ant Media Server for free with all features!

You can download native Android and iOS WebRTC SDKs and integrate them into your applications for free!

Ant Media Server Github Wiki

You would want to check WebRTC Network Measurement Test Tool introduction, Setting up an Ant Media Server Scaling Solution with CloudFormation in 5 Minutes.

We are always with you for all your questions. You can reach us via contact@antmedia.io.

Categories: Tutorial

Burak Kekeç

Burak has been a Software Developer at Ant Media since its beginning in 2017. Overall he has 16 years of expertise in software development experience with C, C++, Java EE, and Android.

Related Posts

restream circle with media push plugin
Tutorial

Re-streaming Conference with Media Push Plugin

In today’s interconnected digital landscape, extending your conference’s reach to a global audience is more important than ever. Re-streaming your conference across several social media channels can greatly increase your message’s reach, engagement, and impact. Read more…

Web Player
Tutorial

How to Easily Integrate Ant Media Web Player into Your Project for Excellent Playback

The Web Player, developed by Ant Media, is a powerful live stream player specially designed to simplify the playback of server-hosted live streams. It supports various streaming protocols such as WebRTC, HLS, CMAF Dash, and Read more…

Ant Media Server Cluster using GCP Deployment Manager
Tutorial

Ant Media Server Cluster Deployment Simplified with Jinja Templates on GCP

In this guide, we’ll explore how to leverage Jinja Templates and GCP Deployment Manager to simplify the deployment of Ant Media Server clusters on GCP. We’ll delve into the fundamentals of Jinja Templates and GCP Read more…

chatsimple
Warning: Undefined array key "promocode" in /home/mirror.antmedia.io/public_html/wp-content/themes/hestia-child/footer.php on line 70