Difference between revisions of "RidgeRun gst-crypto GStreamer Plugin"

Open-source project from Ridgerun. gst-crypto plugin makes it easy to encrypt or decrypt content passing through a GStreamer pipeline. Please go to RidegRun Sponsor Projects page for more info on sponsoring this project

gst-crypto Overview

RidgeRun's gst-crypto plugin is a GStreamer plugin that makes it easy to encrypt or decrypt content passing through a GStreamer pipeline. gst-crypto will take advantage of any available crypto hardware accelerators. gst-crypto is based on OpenSSL so any encryption technology supported by OpenSSL can be supported by gst-crypto. The plugin supports any encrypt/decrypt chiper that openssl support, only aes-128-cbc and aes-256-cbc ciphers have been validated. gst-crypto source code has not yet been reviewed by experts for security deficiencies.

Also, gst-crypto does not support seeking and some mux/demuxers, please inquire in case this is needed. RidgeRun has solutions that support seeking while doing decrypting.

gst-crypto GStreamer Plugin Features

• aes-128-cbc and aes-256-cbc cipher support verified
• Password or key/iv setup
• GStreamer 0.10.x support
• GStreamer 1.x support

Example Use Cases

• Capture audio/video from a camera directly into an encrypted media file.
• Decrypt streaming audio/video and render to local display/speakers.

GStreamer Plugin Support

Please Contact RidgeRun for any modifications or extensions needed and Integration into other Embedded Linux Systems (e.g. Ubuntu, Yocto, ...).

Build and run on a local Linux PC

Tested on Ubuntu-14.04 64 bit:

Source code fetch

git clone git@github.com:RidgeRun/gst-crypto
cd gst-crypto

GStreamer 1.x

git checkout release-1.0

Note: There are tagged releases also.

Compilation

./autogen.sh
./configure --libdir=/usr/lib/x86_64-linux-gnu/
make 
sudo make install

The location of the plug-in can vary according to the system. The following table summarizes some standard locations for different setups

If you don't want to install it into your system you can specify the directory path with:

GST_PLUGIN_PATH=src/.libs/ gst-launch ....

gst-crypto Source code

Location

• Our GitHub repository

Example pipelines

Test pipeline

On Ubuntu after default installation to /usr/local/lib/gstreamer.0.10

echo "This is a crypto test ... " > plain.txt && gst-launch --gst-plugin-path=/usr/local/lib/gstreamer-0.10 filesrc location=plain.txt ! crypto mode=enc ! gst-crypto mode=dec ! filesink location=dec.txt && cat dec.txt

Note: You could also test the plugin without make install. Just run the pipeline from the source tree like:

 GST_PLUGIN_PATH=src/.libs/ gst-launch <some other elements> ! crypto  ! <some other elements>

GStreamer 1.x

On Ubuntu after default installation to /usr/local/lib/gstreamer-1.0

echo "This is a crypto test ... " > plain.txt && gst-launch-1.0 --gst-plugin-path=/usr/local/lib/gstreamer-1.0 filesrc location=plain.txt ! crypto mode=enc ! crypto mode=dec ! filesink location=dec.txt && cat dec.txt

Note: You could also test the plugin without make install. Just run the pipeline from the source tree like:

GST_PLUGIN_PATH=src/.libs/ gst-launch-1.0 <some other elements> ! crypto  ! <some other elements>

Creating an encrypted video with the openssl tool and playback

Download demo video

wget http://blender-mirror.kino3d.org/peach/bigbuckbunny_movies/big_buck_bunny_720p_surround.avi

Encrypt

openssl enc -k RidgeRun -nosalt -aes-128-cbc -in big_buck_bunny_720p_surround.avi -out big_buck_bunny_720p_surround.avi.enc

Playback

Playback on a local display

On Ubuntu after default installation to /usr/local/lib/gstreamer-0.10

gst-launch --gst-plugin-path=/usr/local/lib/gstreamer-0.10 filesrc location=big_buck_bunny_720p_surround.avi.enc ! crypto mode=dec ! queue ! avidemux ! ffdec_mpeg4 ! queue ! xvimagesink

Note: The default password is RidgeRun. Change the password in the above openssl command and use the pass property of gst-crypto to use a different one.

Note: You could also test the plugin without make install. Just run the pipeline from the source tree like:

GST_PLUGIN_PATH=src/.libs/ gst-launch <some other elements> ! crypto  ! <some other elements>

GStreamer 1.x

On Ubuntu after default installation to /usr/local/lib/gstreamer-1.0

gst-launch-1.0 --gst-plugin-path=/usr/local/lib/gstreamer-1.0 filesrc location=big_buck_bunny_720p_surround.avi.enc ! crypto mode=dec ! queue ! avidemux ! decodebin ! queue ! xvimagesink

Note: The default password is RidgeRun. Change the password in the above openssl command and use the pass property of gst-crypto to use a different one.

Note: You could also test the plugin without make install. Just run the pipeline from the source tree like:

GST_PLUGIN_PATH=src/.libs/ gst-launch-1.0 <some other elements> ! crypto  ! <some other elements>

Streaming to a host

On the target board

On Ubuntu after default installation to /usr/local/lib/gstreamer-0.10

gst-launch --gst-plugin-path=/usr/local/lib/gstreamer-0.10 filesrc location=big_buck_bunny_720p_surround.avi.enc ! crypto mode=dec ! queue ! avidemux ! mpegtsmux ! queue ! udpsink port=3000 host=10.251.101.40 sync=true enable-last-buffer=false

Note: Replace the IP address according to your host system.

Note: The default password is RidgeRun. Change the password in the above openssl command and use the pass property of gst-crypto to use a different one.

Note: You could also test the plugin without make install. Just run the pipeline from the source tree like:

GST_PLUGIN_PATH=src/.libs/ gst-launch <some other elements> ! crypto  ! <some other elements>

GStreamer 1.x

On Ubuntu after default installation to /usr/local/lib/gstreamer-1.0

gst-launch-1.0 --gst-plugin-path=/usr/local/lib/gstreamer-1.0 filesrc location=big_buck_bunny_720p_surround.avi.enc ! crypto mode=dec ! queue ! avidemux ! mpegtsmux ! queue ! udpsink port=3000 host=10.251.101.40 sync=true enable-last-buffer=false

Note: Replace the IP address according to your host system.

Note: The default password is RidgeRun. Change the password in the above openssl command and use the pass property of gst-crypto to use a different one.

Note: You could also test the plugin without make install. Just run the pipeline from the source tree like:

GST_PLUGIN_PATH=src/.libs/ gst-launch <some other elements> ! crypto  ! <some other elements>

On the host

gst-launch udpsrc port=3000 ! mpegtsdemux ! queue ! decodebin ! fpsdisplaysink sync=true async=false

Encoding/Decoding Playback Pipelines

GStreamer 1.0

• TS - encrypting with gstcrypto

gst-launch-1.0 -e videotestsrc is-live=true !  x264enc  ! queue ! h264parse ! mpegtsmux !  filesink location=test.ts sync=true

gst-launch-1.0 filesrc location=test.ts ! crypto mode=enc ! filesink location=test.ts.enc

gst-launch-1.0 filesrc location=test.ts.enc ! crypto mode=dec ! queue ! tsdemux ! h264parse ! avdec_h264 ! queue ! xvimagesink

• AVI - encrypting with gstcrypto

gst-launch-1.0 videotestsrc is-live=true num-buffers=300 ! "video/x-raw,width=(int)1280,height=(int)720,framerate=(fraction)30/1" ! x264enc ! avimux ! filesink location=test.avi

gst-launch-1.0 filesrc location=test.avi ! crypto mode=enc ! filesink location=test.avi.enc

gst-launch-1.0 filesrc location=test.avi.enc ! crypto mode=dec ! queue ! avidemux ! h264parse ! avdec_h264 ! queue ! xvimagesink

• QuickTime - encrypting with gstcrypto

wget https://download.blender.org/peach/bigbuckbunny_movies/big_buck_bunny_480p_h264.mov

gst-launch-1.0 filesrc location=big_buck_bunny_480p_h264.mov ! crypto mode=enc ! filesink location=big_buck_bunny_480p_h264.mov.enc

gst-launch-1.0 filesrc location=big_buck_bunny_480p_h264.mov.enc ! crypto mode=dec ! filesink location=big_buck_bunny_480p_h264.mov.dec

gst-launch-1.0 filesrc location=big_buck_bunny_480p_h264.mov.dec ! qtdemux ! h264parse ! avdec_h264 ! queue ! xvimagesink

• TS - encrypting with openssl

gst-launch-1.0 -e videotestsrc is-live=true !  x264enc  ! queue ! h264parse ! mpegtsmux !  filesink location=test.ts sync=true

openssl enc -k RidgeRun -nosalt -aes-128-cbc -in test.ts -out test.ts.enc

gst-launch-1.0 filesrc location=test.ts.enc ! crypto mode=dec ! queue ! tsdemux ! h264parse ! avdec_h264 ! queue ! xvimagesink

• AVI - encrypting with openssl

gst-launch-1.0 videotestsrc is-live=true num-buffers=300 ! "video/x-raw,width=(int)1280,height=(int)720,framerate=(fraction)30/1" ! x264enc ! avimux ! filesink location=test.avi

openssl enc -k RidgeRun -nosalt -aes-128-cbc -in test.avi -out test.avi.enc

gst-launch-1.0 filesrc location=test.avi.enc ! crypto mode=dec ! queue ! avidemux ! h264parse ! avdec_h264 ! queue ! xvimagesink

Encoding/Decoding Livestream Pipelines

GStreamer 1.0

• TS - Encrypting Camera livestream with GstCrypto to a file

gst-launch-1.0 -e v4l2src device=/dev/video0 ! queue !  x264enc  ! queue ! h264parse ! mpegtsmux ! queue ! rndbuffersize min=4096 max=4096 !  crypto mode=enc ! filesink location=live.ts.enc

• TS - Decrypt encoded file from the camera livestream

gst-launch-1.0 filesrc location=live.ts.enc blocksize=4096 ! crypto mode=dec ! queue ! tsdemux ! h264parse ! avdec_h264 ! queue ! xvimagesink

• TS - Decrypt encoded file to a video file

gst-launch-1.0 filesrc location=live.ts.enc blocksize=4096 ! crypto mode=dec ! queue ! tsparse ! queue ! filesink location=live.ts sync=false

Encoding/Decoding Udpstream

GStreamer 1.0

H264 + Transport Stream

• Server

gst-launch-1.0 videotestsrc is-live=true pattern=ball ! x264enc ! h264parse ! mpegtsmux ! tsparse ! rndbuffersize min=4096 max=4096  ! queue  ! crypto mode=enc ! queue ! udpsink port=5000 

• Receiver: Decrypt to a file

gst-launch-1.0 udpsrc port=5000 buffer-size=4096 ! queue ! crypto mode=dec  ! queue  ! tsparse ! queue  ! filesink location=udpstream.ts

• Receiver: Save encrypted udpstream

gst-launch-1.0 udpsrc port=5000 buffer-size=4096 ! queue ! filesink location=udpstream.ts.enc

Jpeg

• Server

gst-launch-1.0 videotestsrc is-live=true pattern=ball ! jpegenc ! queue ! rndbuffersize min=4096 max=4096  ! queue  ! crypto mode=enc  ! queue ! udpsink port=5000

• Receiver: Decrypt to a display

gst-launch-1.0 udpsrc port=5000 buffer-size=4096 ! queue ! crypto mode=dec  ! queue  ! jpegparse ! jpegdec  ! queue  ! xvimagesink sync=false

Encoding/Decoding on the Fly

GStreamer 1.0

• Encoding, decoding and sending output to display in one pipeline

gst-launch-1.0 videotestsrc is-live=true num-buffers=300 ! "video/x-raw,width=(int)1280,height=(int)720,framerate=(fraction)30/1" ! jpegenc ! queue ! rndbuffersize min=4096 max=4096 ! crypto mode=enc ! queue  ! crypto mode=dec !  jpegparse  ! jpegdec  ! xvimagesink

Using Crypto Hardware Acceleration

Crypto Hardware Acceleration can be used transparently with the plugin and can be configured independently.

There are some considerations to take into account:

• Does the MCU include a hardware crypto unit (e.g. CAAM on i.MX6)?
• Which setup would result in a performance gain (e.g data block size on i.MX6)?
• Is the cipher to be used supported by the hardware crypto unit and the kernel driver?
• Is the kernel driver implemented efficiently?

Please check RidgeRun's GstCrypto Git Repository

Test pipelines for release2.0

Raw data file

Encode

gst-launch-1.0 filesrc location=small-file.file  ! crypto mode=enc ! filesink location=small-file.file.enc

Decode

gst-launch-1.0 filesrc location=small-file.file.enc  ! crypto mode=dec ! filesink location=output.dec

Notes: 1 byte file, content was verified before/after crypto encode/decode, data was not affected by encode/decode process

Big Buck Bunny avi file

Encode file with gst-crypto

gst-launch-1.0 filesrc location=big_buck_bunny_1080p_surround.avi ! crypto mode=enc ! filesink location=big_buck_bunny_1080p_surround.avi.enc

Decode and display

gst-launch-1.0 filesrc location=big_buck_bunny_1080p_surround.avi.enc blocksize=4096 ! crypto mode=dec ! queue !  avidemux  ! avdec_mpeg4 ! xvimagesink

Encoding with openssl Decoding also work when using openssl for encoding

Encode with openssl

openssl enc -k RidgeRun -nosalt -aes-128-cbc -in big_buck_bunny_1080p_surround.avi -out openssl-enc-big_buck_bunny_1080p_surround.avi.enc

Decode and display

gst-launch-1.0 filesrc location=openssl-enc-big_buck_bunny_1080p_surround.avi.enc blocksize=4096 ! crypto mode=dec ! queue !  avidemux  ! avdec_mpeg4 ! xvimagesink

Audio/video decode file Note: this pipeline can be optimized, just for testing.

GST_DEBUG=3 gst-launch-1.0 filesrc location=big_buck_bunny_1080p_surround.avi.enc ! crypto mode=dec ! queue ! avidemux name=demux  demux.video_0 ! 'video/mpeg, mpegversion=(int)4' ! queue ! avdec_mpeg4 ! xvimagesink async=false demux.audio_0 ! queue ! decodebin ! audioconvert ! alsasink async=false

iMX6 example pipelines

Tested on iMX6 Nitrogen6x board with RidgeRun SDK:

Avi decrypt and playback

gst-launch-1.0 filesrc location=/mnt/big_buck_bunny_1080p_surround.avi.enc ! crypto mode=dec ! queue ! avidemux name=demux demux.video_0 ! 'video/mpeg, mpegversion=(int)4' ! queue ! vpudec ! imxv4l2sink name=videosink device=/dev/video17 async=false

iMX6 transport stream

gst-launch-1.0 filesrc location=/mnt/test.ts.enc ! crypto mode=dec ! queue ! tsdemux  ! vpudec ! imxv4l2sink name=videosink device=/dev/video17 async=false

RidgeRun Resources

Quick Start Client Engagement Process RidgeRun Blog Homepage Technical and Sales Support RidgeRun Online Store RidgeRun Videos Contact Us

Contact Us Visit our Main Website for the RidgeRun Products and Online Store. RidgeRun Engineering informations are available in RidgeRun Professional Services, RidgeRun Subscription Model and Client Engagement Process wiki pages. Please email to support@ridgerun.com for technical questions and contactus@ridgerun.com for other queries. Contact details for sponsoring the RidgeRun GStreamer projects are available in Sponsor Projects page.