Can't Explain RTSP Authentication (Basic and Digest)

Question

I apologize up front for the long post. Looking for any insight and help...

So I was trying to write a simple rtsp authentication grinder in python. I ran across a rtsp port on a (camera) in a test and when I accessed it I got back:

Received, 'RTSP/1.0 401 Unauthorized\r\n
CSeq: 1\r\n
Session:        645252166;timeout=60\r\n
WWW-Authenticate: Digest realm="4419b63f5e51", nonce="8b84a3b789283a8bea8da7fa7d41f08b", stale="FALSE"\r\n
WWW-Authenticate: Basic realm="4419b63f5e51"\r\nDate:  Sat, Aug 16 2014 02:22:28 GMT\r\n\r\n',

As you can see the response seems to indicate that the connection supports both a Basic and Digest authentication. So I tried basic first. I built the following message and sent it:

SETUP rtsp://192.168.201.113 RTSP/1.0
CSeq: 1
Transport: RTP/AVP;unicast;client_port 4588-4589
Authorization: Basic YWRtaW46NDQxOWI2M2Y1ZTUxOjEyMzQ=
User-Agent: VLC media player (LIVE555 Streaming Media v2010.02.10)

Where I base64 encoded the "user:password" and came up with "YWRtaW46NDQxOWI2M2Y1ZTUxOjEyMzQ=".

Again this kicks back the 401 Unauthorized error.

So I whip out VLC and attempt to connect, just to make sure that the creds actually work, and in the VLC connection string I enter:

rtsp://user:pass@:554

Works like a charm!

So I fire up wireshark to see what it is doing and watch the traffic. Under the hood instead of basic authentication, vlc is using digest authentication.

So first question is, does basic authentication work with RTSP or is it lying to me? If it is suppose to, what am I missing to get it working?

To what I know works. So I try to build something with Digest based authentication. First thing I need to figure out, after reading several sites on digest authentication are the parameters it is using. From the 401 response all I have is:

realm
nonce

I don't have any qop, nor do I see in the outbound VLC message a cnonce. I assume we are using the basic form of Digest authentication where:

H(A1) = MD5(user:realm:pass)
H(A2) = MD5(method:digestURI)
response = MD5(H(A1):nonce:H(A2)

my specific values are:

H(A1) = MD5(admin:4419b63f5e51:1234) = d43b7f7d7f627da1aded72517f2a3c6c
H(A2) = MD5(DESCRIBE:rtsp://192.168.201.113) = a7c212739387f1550970752dc7a17fa2
response = MD5(d43b7f7d7f627da1aded72517f2a3c6c:57fa10a142d6c1f9e3dfabccc3ba045d:a7c212739387f1550970752dc7a17fa2) = 33477d22629eb37a6fc2d3435f03eb81

The specific response that VLC is sending is:

0bde767876cbe8e6a6dfbba3c62c6db1

!= 33477d22629eb37a6fc2d3435f03eb81

They don't match!! ??

There is not the proper information present to do the other form of Digest Auth, so what is going on here?

score 3 · Answer 1 · answered May 08 '15 at 15:34

3

Certain camera manufacturers do not support Basic auth. Axis, for example, has eliminated support for it in recent releases.

answered May 08 '15 at 15:34

Gary Stone

31
2

do you know what type of Authorization does axis use? – waqaslam Aug 25 '16 at 08:46
1

They use HTTP digest auth – ThiefMaster Jun 17 '18 at 22:26
While this is a valid remark, it's not an answer. Axis camera's do not reply with "WWW-Authenticate: Basic realm=...`. – MSalters Sep 02 '19 at 12:07

score 0 · Answer 2 · edited Oct 07 '21 at 06:11

0

Basic authentication should work. I was just doing the reverse engineering from your post, if we decode "YWRtaW46NDQxOWI2M2Y1ZTUxOjEyMzQ=" the decoded string is "admin:4419b63f5e51:1234" so what is the password and username here? Is this ok?

In digest authentication you pass NULL string in place of the fields like qop, nor etc. C implementation for the digest authentication response generator is present in following RFC,

https://www.rfc-editor.org/rfc/rfc2617#section-5

edited Oct 07 '21 at 06:11

Community

1
1

answered Aug 19 '14 at 12:23

pragnesh

1,240
7
18

that is the correct user/pass combo, if you look down in where I state the specific values I state it is admin/1234. – Tek Tengu Aug 19 '14 at 15:37
Basic auth does not work. I tried several variations online and none of them worked. Nor did VLC use basic auth. That 4419b63f5e51 string is the realm value provided by the device I am connecting to. – Tek Tengu Aug 20 '14 at 10:11
In case of basic authentication realm string is not required at all. You just need to use username and password. So your correct SETUP request should contain following Authentication header "Authorization: Basic YWRtaW46MTIzNA==" – pragnesh Aug 20 '14 at 10:41
I did not use the realm for basic auth. I know how to do it, it didn't work. I have read that document and dozens of others. Trust me. – Tek Tengu Aug 20 '14 at 13:45
SETUP rtsp://192.168.201.113 RTSP/1.0 CSeq: 1 Transport: RTP/AVP;unicast;client_port 4588-4589 Authorization: Basic **YWRtaW46NDQxOWI2M2Y1ZTUxOjEyMzQ=** User-Agent: VLC media player (LIVE555 Streaming Media v2010.02.10) The Base64 string in your request is wrong if the user name and password is admin and 1234 respectively. – pragnesh Aug 20 '14 at 13:53

Can't Explain RTSP Authentication (Basic and Digest)

2 Answers2