Sdp PARser (SPAR)

Figure 1 - SPAR applet v1.1

Background

New multicast-capable multimedia applications, such as RealPlayer and Marratech Pro, can accept files containing session descriptions (in SDP format) to join a multicast conference. This allows SDP files to be served from a web page and a conference joined, using a registered SDP MIME type associated with the application.

Alternatively, popular MBone applications, such as VIC, RAT, WB and NTE, rely on the Session Directory Tool (SDR) to convert the SDP into command line parameters and thus cannot take advantage of joining conferences via a web page. The solution offered here is to accept the SDP from the web browser, convert it to command line parameters at the client side and then start up the tools with the relevant parameters. This could be implemented in several possible ways:

  • a platform dependent binary running on the client machine with a MIME type for the SDP
  • a plug-in installed in the browser
  • a Java applet with execution privileges

The Java applet was implemented because it requires no installation or configuration by the user and is platform independent.

Java Applet

Simplistically, the Java applet (Figure 1) parses the SDP, maps the session attributes against a tool definition (an SDR plugin) and then starts the tools with the correct parameters on the client machine. The SDP content and tool plugins are embedded within the HTML as parameters to the applet. The field terminator used in the SDP is replaced with a 'browser friendly' alternative, as SDP's CR/LF field terminator is removed by the browser. An added advantage of using HTTP to communicate the SDP content between client and server is that by using a secure web server, the SDP content (possibly with encryption keys) will also be secure.
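The conversion described above, sketched as an added example in Python (not SPAR's own Java code). Because the SDP arrives from a web page and ends up as process arguments, each value is validated and the result is an argument list rather than a shell string. The `|` terminator, the `TOOLS` table (a stand-in for SDR plugins, not their real syntax), the `-t ttl addr/port` argument layout and the sample session are assumptions made for illustration.

```python
import ipaddress

TERMINATOR = "|"                          # assumed stand-in for SDP's CR/LF
TOOLS = {"audio": "rat", "video": "vic"}  # hypothetical table, not SDR plugin syntax

def parse_connection(value):
    """Validate 'IN IP4 <multicast-addr>/<ttl>' and return (address, ttl)."""
    fields = value.split()
    if len(fields) != 3 or fields[:2] != ["IN", "IP4"]:
        raise ValueError(f"unsupported c= field: {value!r}")
    host, _, ttl = fields[2].partition("/")
    ip = ipaddress.IPv4Address(host)      # raises ValueError on anything but a dotted quad
    if not ip.is_multicast:
        raise ValueError(f"not a multicast address: {host!r}")
    if not (ttl.isascii() and ttl.isdigit() and int(ttl) <= 255):
        raise ValueError(f"bad TTL: {ttl!r}")
    return str(ip), int(ttl)

def parse_sdp(text, terminator=TERMINATOR):
    """Return (session-level connection or None, list of media dicts)."""
    session_conn, media = None, []
    for line in filter(None, (f.strip() for f in text.split(terminator))):
        if len(line) < 2 or line[1] != "=":
            raise ValueError(f"malformed SDP field: {line!r}")
        key, value = line[0], line[2:]
        if key == "c":                    # applies to the preceding m=, else to the session
            conn = parse_connection(value)
            if media:
                media[-1]["conn"] = conn
            else:
                session_conn = conn
        elif key == "m":
            parts = value.split()
            if len(parts) < 4:
                raise ValueError(f"malformed m= field: {value!r}")
            media.append({"type": parts[0], "port": parts[1], "conn": None})
    return session_conn, media

def build_commands(text):
    """Map each media stream with a known tool to an argv list (never a shell string)."""
    session_conn, media = parse_sdp(text)
    commands = []
    for m in media:
        tool, conn = TOOLS.get(m["type"]), m["conn"] or session_conn
        if tool is None:
            continue                      # no tool definition for this media type
        port = m["port"]
        if conn is None or not (port.isascii() and port.isdigit() and 0 < int(port) < 65536):
            raise ValueError(f"bad connection or port for {m['type']!r}")
        commands.append([tool, "-t", str(conn[1]), f"{conn[0]}/{port}"])
    return commands

# Constructed sample session, already using the assumed terminator.
SAMPLE = ("v=0|o=alice 2890844526 2890842807 IN IP4 192.0.2.10|s=Constructed seminar|"
          "c=IN IP4 224.2.17.12/127|t=0 0|m=audio 49170 RTP/AVP 0|m=video 51372 RTP/AVP 31|")
```

Each list returned by `build_commands` can be handed directly to a process launcher that takes an argument vector, so no field from the page is ever interpreted by a shell.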

For obvious security reasons, standard Java applets do not have permission to access local resources and thus cannot execute software on the client machine. To overcome this, both Netscape’s Communicator and Microsoft’s Internet Explorer 4 allow applets to be digitally signed with a private key associated with an RSA object-signing certificate. If the user accepts the certificate, thereby trusting the applet, the browser grants the applet access permissions outside the Java security sandbox. Communicator and Internet Explorer implement different methods and technologies for digitally signing and distributing objects:

Communicator requires Java applets to be signed using the Netscape Object Signing software. The certificate and Java code are then packaged using the JAR file structure. Signed Java applets need to explicitly request permission to access local resources, such as executing software, using Netscape’s Capabilities API extensions. The request causes Communicator to prompt the user, asking them to either accept or deny the relevant permission (see Figure 2). The dialog box also contains the certificate as verification of the source and authenticity of the code.

Figure 2 - Netscape Certificate Dialog Box

Internet Explorer requires Java applets to be signed using Microsoft's Authenticode software and packaged using a CAB file structure. A signed Java applet also has to request permission to access local resources by using Microsoft's Com API extensions. However, unlike Communicator, the specific request doesn't prompt any user action. Instead, the user is asked to accept the applet's certificate when the applet is encountered by the browser (see Figure 3), and by doing so grants universal access to local system resources.

Figure 3 - Internet Explorer Certificate Dialog Box

Alternatively, browsers that do not support signed applets but do have a 'plug-in' architecture can use Sun's Java Plugin to view the applet. The Plugin requires the applet to be signed and packaged using the Netscape Object Signing software, but it doesn't implement Netscape's Capabilities API. Since the API is not supported by the Plugin, any certificate accepted by the user grants universal access to local system resources.

Future Work

The following features of SDP and tool plugins have yet to be implemented:

  • session timing
  • session attributes
  • macros in plugins

Download

An implementation of SPAR is described in the UCL Secure Conference Store documentation. Click here to access the Conference Store.

Source code and documentation for SPAR can be downloaded from here.

The latest source code and documentation can be obtained via anonymous CVS. Details on how to get access to the multimedia group anonymous CVS can be found here.

Contact

Kristian Hasler is responsible for the development of SPAR.

Links

  • UCL Secure Conference Store
  • UCL Secure Conference Store software (Meccano Deliverable 4.3)
  • UCL Secure Conference Store documentation
  • SDP Internet Draft
  • SDR Plugin Manual
  • Java(TM) Plug-in Product 1.2.2
  • Deploying RSA Signed Applets in Java(TM) Plug-in
  • Object-Signing Tools
  • Java Security Introduction
  • Security - Frequently Asked Questions
  • Code Signing for Java Applets