How does RIST Ensure Cyber Security?

By Adi Rozenberg, Founder, Alvalinks, and Ciro Noronha, VP of Engineering, Cobalt Digital

In this constantly connected world, threats to cybersecurity have become ever more prevalent. With attacks occurring around the clock, staying secure means constantly evaluating security protocols and procedures. Organizations, equipment manufacturers and service providers must be attentive to the risks and consequences of poorly protecting their core business, and the video industry is no exception. At the same time, how do you balance cybersecurity needs with operational needs, so that staying secure does not impact the ability to keep content flowing?

In this blog post, we will look at how the RIST protocol addresses cybersecurity when sending and receiving content between sites. Cybersecurity was evaluated in great detail by the RIST Activity Group from the very start. Indeed, with each new RIST specification, cybersecurity concerns are evaluated by industry veterans, weighing the security needs against the operational needs of the user. Those evaluations form the guidelines that let the RIST Activity Group address cybersecurity considerations head on, and they are applied from day one of each draft recommendation.

A RIST Secure Connection

Unlike earlier protocols and many of those in use today, the RIST protocol opens a secure connection between two sites. The secure connection may take the form of a tunnel and, coming soon, a VPN. A secure connection allows the sending of streams, files and any kind of data (HTTP, SNMP, REST and more). So one needs to take a close look at the concerns relating to site-to-site transit:

  • Any external access must flow through a VPN or similar secure connection

  • Any access must be either from a trusted IP or trusted source/destination

  • Authorization and authentication, using certificates, are highly recommended

  • Rapid key rotation to harden security

  • Internal access control or firewall to restrict remote access

  • Strong connection encryption while in transit

RIST's provisions for cybersecurity include:

  • A tunnel or VPN between sites, which must include one or more of the following:

    • Built-in access list control

    • Built-in routing control

    • Reduced overhead mode, which removes addressing information

  • Cryptographic security options:

    • One-to-one: DTLS with certificates

    • One-to-many: pre-shared key (PSK) with passwords

    • Pre-shared key (PSK) with added authentication using either TLS-SRP or EAP

The main goal is to adopt well-vetted and tested technologies that have been thoroughly examined by experts.

RIST Main and Advanced Profile Approach to Protection

Now let's take a closer look at how the RIST Main and Advanced Profiles work to secure your connection and protect your data.

RIST Certificate Authentication with DTLS specifications

  • When a device connects, it presents a certificate.

  • If certificates are not signed by a trusted CA, the connection can be rejected.

  • Blacklists/whitelists can be implemented using the Common Name in the certificate.

  • Organizations can (and should) run their private CAs.

  • RIST includes optional support for Secure Remote Password (SRP). Using SRP, a node can securely authenticate against a server with a username/password combination.

RIST Authentication using PSK (Pre-Shared Key)

PSK uses a "secret" passphrase known to both peers; it is suitable for one-to-one and for one-to-many (multicast) scenarios. Devices that don't "know" the passphrase cannot decrypt the data. This is a basic and intrinsic form of authentication: if you don't have the password, you cannot receive or communicate. Recently the RIST specification was amended to include a connecting-client authentication method based on EAP, to further enhance security.

What happens if the passphrase “leaks”, or if you need to drop some receivers?

RIST has a mechanism to change the passphrase on the fly: a new passphrase is loaded into the authorized devices, which then seamlessly switch to the new passphrase.

RIST Content Security

When moving streams over the internet, you may want to make it harder for someone to grab or copy the content, so you should protect it using encryption.

The RIST specification provides two packet encryption methods (for both DTLS and PSK):

  • AES-128: "relatively" secure; usually no legal constraints on its use in different parts of the world.

  • AES-256: more secure than AES-128, but not allowed in some parts of the world.

Additional security measure: key rotation:

  • RIST supports key rotation at whatever frequency you want. The longer you use an encryption key, the less secure it becomes, as attackers have more time and more data with which to try to break it.

RIST is not only aimed at video streaming; it can also provide a traditional VPN tunnel using GRE over UDP or a WireGuard VPN. The tunnel can be used for in-band control and routing between networks.

Potential issue: a rogue or compromised node could, in theory, gain access to the network through the VPN connection.

RIST security features that protect against this situation:

  • Reduced overhead mode only allows streams to flow through the tunnel

  • Routing of VPN packets is disabled by default and must be agreed on by both sides through negotiation

  • IP access lists are available and must be agreed on through negotiation

In-band control is possible, but the safeguards are in place!
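The three safeguards above map naturally onto a policy check applied to every packet that comes out of the tunnel on the receiving side. The Python below is an added example, not code from any RIST implementation: the negotiated settings are modelled as plain attributes of a `TunnelPolicy` class rather than as RIST's real negotiation messages, `LOCAL_NETWORK` and all sample addresses are constructed, and only IPv4 is decoded. It shows the order in which a tunnel endpoint can apply the safeguards: reduced overhead mode means there is no inner IP header to route at all; otherwise the packet must match a negotiated access list, and forwarding beyond the local site is refused unless routing was negotiated.

```python
"""Policy applied to packets leaving a site-to-site tunnel: added example, not RIST code."""
import ipaddress
import struct

# Constructed: the address range of the site behind this tunnel endpoint.
LOCAL_NETWORK = ipaddress.ip_network("10.20.0.0/24")


class TunnelPolicy:
    """Settings that, per the text, are agreed by negotiation rather than set by one side alone."""

    def __init__(self, reduced_overhead=False, routing_negotiated=False, access_list=()):
        self.reduced_overhead = reduced_overhead        # stream-only tunnel, no inner IP header
        self.routing_negotiated = routing_negotiated    # forwarding beyond the local site
        # Each entry is (source network, destination network) permitted through the tunnel.
        self.access_list = [
            (ipaddress.ip_network(src, strict=False), ipaddress.ip_network(dst, strict=False))
            for src, dst in access_list
        ]


def parse_ipv4(packet: bytes):
    """Return (src, dst, protocol) from an IPv4 header, or None if the bytes are not one."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        return None
    return (ipaddress.ip_address(packet[12:16]), ipaddress.ip_address(packet[16:20]), packet[9])


def decide(policy: TunnelPolicy, inner: bytes):
    """Classify one decapsulated tunnel payload; returns (verdict, reason)."""
    if policy.reduced_overhead:
        # No addressing information travels in the tunnel, so there is nothing to route:
        # the payload goes to the media receiver, never to the IP stack.
        return "accept-stream", "reduced overhead mode: payload is media, not an IP packet"
    parsed = parse_ipv4(inner)
    if parsed is None:
        return "drop", "not a valid IPv4 packet"
    src, dst, proto = parsed
    if not policy.access_list:
        return "drop", "no access list negotiated"
    if not any(src in s and dst in d for s, d in policy.access_list):
        return "drop", f"{src}->{dst} not permitted by the negotiated access list"
    if dst not in LOCAL_NETWORK and not policy.routing_negotiated:
        return "drop", f"forwarding to {dst} needs negotiated routing (off by default)"
    return "accept", f"{src}->{dst} protocol {proto}"


def build_ipv4(src: str, dst: str, proto: int = 17, payload: bytes = b"") -> bytes:
    """Constructed minimal IPv4 header (checksum left zero, fine for an offline check)."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                         ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return header + payload


def run_scenarios() -> dict:
    """Constructed traffic through tunnels with different negotiated settings."""
    to_local = build_ipv4("192.0.2.10", "10.20.0.5")    # remote site -> this site's LAN
    to_other = build_ipv4("192.0.2.10", "10.30.0.5")    # remote site -> a network beyond us
    rogue = build_ipv4("203.0.113.7", "10.20.0.5")      # source address the peer never negotiated
    strict_acl = TunnelPolicy(access_list=[("192.0.2.10/32", "10.20.0.0/24")])
    wide_acl = TunnelPolicy(access_list=[("192.0.2.0/24", "0.0.0.0/0")])
    wide_acl_routed = TunnelPolicy(routing_negotiated=True,
                                   access_list=[("192.0.2.0/24", "0.0.0.0/0")])
    return {
        "reduced_overhead": decide(TunnelPolicy(reduced_overhead=True), b"\x47media")[0],
        "no_acl": decide(TunnelPolicy(), to_local)[0],
        "acl_permits_local": decide(strict_acl, to_local)[0],
        "acl_blocks_other": decide(strict_acl, to_other)[0],
        "acl_blocks_rogue": decide(strict_acl, rogue)[0],
        "routing_off_by_default": decide(wide_acl, to_other)[0],
        "routing_negotiated": decide(wide_acl_routed, to_other)[0],
    }
```

Note the default posture: a `TunnelPolicy()` with nothing negotiated drops every IP packet, and even a permissive access list does not turn the endpoint into a router unless routing was explicitly agreed. That is the property that limits what a compromised peer can reach through the tunnel.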

Keeping Content Secure

Because RIST has been built for the video industry by experts, it more closely reflects the unique challenges we face. This includes the way in which it handles cybersecurity, meaning that video providers can contribute great content as it happens while keeping it safe and protected at all times.

Helen Weedon