proposed webrtc security architecture
play

Proposed WebRTC Security Architecture IETF 82 Eric Rescorla - PowerPoint PPT Presentation

Jan 30, 2024 •199 likes •465 views

Proposed WebRTC Security Architecture IETF 82 Eric Rescorla ekr@rtfm.com IETF 82 WebRTC Security Architecture 1 Trust Model Browser acts as the Trusted Computing Base (TCB) Only piece of the system user can really trust Job is to

  1. Proposed WebRTC Security Architecture IETF 82 Eric Rescorla ekr@rtfm.com IETF 82 WebRTC Security Architecture 1

  2. Trust Model • Browser acts as the Trusted Computing Base (TCB) – Only piece of the system user can really trust – Job is to enforce user’s desired security policies • Authenticated entities – Identity is checked by the browser (sometimes transitively) • Unauthenticated entities – Random other network elements who send and receive traffic IETF 82 WebRTC Security Architecture 2

  3. Authenticated Entities • Examples: – Calling services (known origin) – Identity providers – Other users (when cryptographically verified) – Sometimes network elements with the right topology (e.g., behind our firewall) • Authenticated � = trusted: Dr. Evil is still evil even if I know it’s him – But authentication is the basis of trust decisions – And maybe I want to call Dr. Evil after all... IETF 82 WebRTC Security Architecture 3

  4. Unauthenticated Entities • Pretty much anyone else – Generally cannot be trusted • But can still be used when behavior can be verified – ICE reachability testing – Transit data which is cryptographically verified IETF 82 WebRTC Security Architecture 4

  5. Basic Design Principle: As good a job as we can • It’s always safe to browse the Web – Even to malicious sites • Calls are encrypted wherever possible – At minimum between WebRTC clients unless the site takes direct action [Open issue warning] • When available directly verify the far side – Minimizes required trust in calling site – Be compatible with as many identity providers as possible IETF 82 WebRTC Security Architecture 5

  6. Overall Topology Signaling Server S H P T T ) ( T ? R T P P H O S A A O P R ? ( ) JS API JS API Alice’s Media Bob’s Browser (DTLS-SRTP) Browser Verify Assertion Verify Assertion Get Assertion Get Assertion Identity Identity Provider Provider IETF 82 WebRTC Security Architecture 6

  7. � � � � � � � Call Flow (I) Alice’s Signaling Alice Bob IdP Server Calling App Calling App [Call Bob] Get Assertion Offer + Assertion � Offer + Assertion Check Assertion [Alice is Calling... Answer phone?] • Bob knows Alice is calling [verified with IdP] – Browser can display trusted UI for Alice’s identity – If in address book, maybe name, picture, etc. • If no IdP, Bob knows signaling service claims Alice is calling IETF 82 WebRTC Security Architecture 7

  8. � � � � � � � � � � Call Flow (II) Signaling Bob’s Alice Bob Server IdP [Bob Answers] Get Assertion Answer + Assertion Answer + Assertion Check Assertion ICE Checks Media (DTLS-SRTP) • Alice knows Bob has answered – Verified with Bob’s identity provider • Alice and Bob know media is not flowing to innocent third parties (media consent) • Alice and Bob know they have a secure call with each other – Security details displayed via trusted UI IETF 82 WebRTC Security Architecture 8

  9. Permissions Models • One-time camera/microphone access [MUST] • Permanent camera/microphone access (scoped to origin) [MUST] • User-based permissions [SHOULD] – Allow calls to this verified user – Allow calls to any verified user in my system address book (on some set of sites?) • Data channels MAY be created without user consent IETF 82 WebRTC Security Architecture 9

  10. Permissions API • MUST provide a mechanism to distinguish permissions type – E.g., new PeerConnection({permission:’PERMANENT’, ...}) – Allows the browser to display different UIs for each permissions level • MUST provide a mechanism to relinquish any media stream access – E.g., via MediaStream.record() – Allows a site to commit not to observing your data – Needs to be reflected in a trusted UI IETF 82 WebRTC Security Architecture 10

  11. Who “owns” the permissions” • Question: which operation triggers the permissions check? – mediaStream creation – peerConnection.addStream() – peerConnection.setLocalDescription() – peerConnection.setRemoteDescription() • This has UI and programmer implications • An even bigger issue if API doesn’t work in terms of SDP at all IETF 82 WebRTC Security Architecture 11

  12. Permissions UI • MUST clearly indicate when the camera/microphone are in use • SHOULD stop camera and microphone when UI indicator would be masked – E.g., window overlap • SHOULD provide a distinctive UI when user’s identities are directly verifiable IETF 82 WebRTC Security Architecture 12

  13. Why HTTP origins are a problem • Assumption: I’ve authorized http://www.example.com • I’m in an Internet Cafe and visit any URL – Attacker injects IFRAME pretending to be PokerWeb – But calls go to him www.slashdot.org pokerweb.example.org new PeerConnection() { ... }); • Result: attacker has bugged your computer • Violates the Web security model IETF 82 WebRTC Security Architecture 13

  14. Web Security Issues • MUST treat HTTP and HTTPS origins as different permissions domains – e.g., http://example.com/ and https://example.com/ are different • Active mixed content MUST NOT be treated as if it were the HTTPS origin – [OPEN ISSUE] : How do we do this exactly? IETF 82 WebRTC Security Architecture 14

  15. Web Security and State Machine in JS • Proposal is to split up state machine logic – ICE in browser – SDP/Media negotiation in JS – Develop a library to assist in SDP/Media negotiation • Where to JS libraries come from? – Standard procedure is to download from a CDN – E.g., <script src="http://ajax.googleapis.com/ajax/libs/jquery/1.7.0/jquery.min.js"> – At minimum you want HTTPS (not all CDNs do this) – CDN is now inside security boundary • Not clear how different this is – Lots of sites use JQuery, underscore, etc. anyway IETF 82 WebRTC Security Architecture 15

  16. Communications Consent • All direct communications MUST be verified via ICE • The ICE stack MUST be constructed so that the JS cannot obtain the transaction id – This means that at minimum STUN must in browser • Implementations MUST verify continuing consent at least every 30 (?) seconds • OPEN ISSUE : How to verify continuing consent? – ICE keepalives are STUN Binding Indications (one-way) – Proposal: use STUN Binding Requests instead IETF 82 WebRTC Security Architecture 16

  17. IP Location Privacy • Setting up a direct connection leaks an agent’s IP address – And hence information about its location • API MUST allow suppression of ICE negotiation until the user accepts session • API MUST provide a mechanism to do TURN-only candidates – SHOULD allow conversion to non-TURN once peer identity is verified [Jesup] • No need to have browser enforce user consent – A malicious site can get your IP address anyway – If you are running Tor, you want the browser to do media through Tor, though IETF 82 WebRTC Security Architecture 17

  18. Communications Security: Implementation Requirements (Proposed) • MUST implement DTLS-SRTP (for media) and DTLS (for data) • MAY implement RTP(?) and SDES(??) for backward compatibility purposes • Security MUST be default state – Implementations MUST offer DTLS and/or DTLS-SRTP for every channel – MUST accept DTLS and/or DTLS-SRTP whenever offered ∗ ∗ Somewhat harder with a low-level API, but still possible with the right design. IETF 82 WebRTC Security Architecture 18

  19. Communications Security: API Requirements • Implementations MUST support PFS modes • Implementations MUST allow JS to force new long-term key generation – E.g., new PeerConnection({new_authentication_key:true,...}) – This allows unlinkability • Implementations SHOULD allow JS to set authentication key lifetime – This allows key continuity • When DTLS is used, API MUST NOT provide access to the traffic keying material IETF 82 WebRTC Security Architecture 19

  20. Communications Security: UI [based on draft-kaufman-rtcweb-security-ui] • MUST provide a security inspector interface in browser chrome • Up-front items – Security characteristics of incoming stream – Security characteristics of outgoing A/V – Whether the transmission keys were pairwise derived or provided by a server – Verified far endpoint identity if available • With drill-down – Cipher suites – PFS yes or no – Out-of-band verification mechanism such as fingerprint or SAS IETF 82 WebRTC Security Architecture 20

  21. Example IdP Interaction: BrowserId Alice’s Brower Bob’s Brower Offer WebRTC JS Code WebRTC JS Code Peer Connection Peer Connection Signed Signed Fingerprint ’Alice’ Fingerprint Fingerprint BrowserID BrowserID Signer Verifier Check Certificate Get Certificate Identity Provider IETF 82 WebRTC Security Architecture 21

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Janus: back to the future of WebRTC History IETF WebRTC Janus Gateways Lorenzo Miniero

Janus: back to the future of WebRTC History IETF WebRTC Janus Gateways Lorenzo Miniero

TF-WebRTC L. Miniero Meetecho Janus: back to the future of WebRTC History IETF WebRTC Janus Gateways Lorenzo Miniero Requirements Architecture lorenzo@meetecho.com Next steps 1 st TF-WebRTC meeting 15 th December 2014, Paris Outline

653 views • 44 slides
WebRTC WebRTC: Real-Time Communica2ons on the Web Dan Burne9, PhD Alan Johnston, PhD Rowan

WebRTC WebRTC: Real-Time Communica2ons on the Web Dan Burne9, PhD Alan Johnston, PhD Rowan

WebRTC WebRTC: Real-Time Communica2ons on the Web Dan Burne9, PhD Alan Johnston, PhD Rowan University h9p://standardsplay.com h9p://allthingsrtc.org IETF 100 Singapore November 2017 0 WebRTC: A Joint Standards Effort Internet

778 views • 60 slides
WebRTC: Leveraging New Features October 15, 2019 Website: https://webrtc.internaut.com/iit-2019/

WebRTC: Leveraging New Features October 15, 2019 Website: https://webrtc.internaut.com/iit-2019/

WebRTC, Mobility, Cloud, IOT and More... IIT REAL-TIME COMMUNICATIONS Conference &amp; Expo Oct 14-16, 2019 Chicago WebRTC: Leveraging New Features October 15, 2019 Website: https://webrtc.internaut.com/iit-2019/ Bernard Aboba

481 views • 31 slides
WebRTC isn't just for (video) conference calls Tim Panton CTO |pipe| @steely_glint WebRTC

WebRTC isn't just for (video) conference calls Tim Panton CTO |pipe| @steely_glint WebRTC

WebRTC isn't just for (video) conference calls Tim Panton CTO |pipe| @steely_glint WebRTC Great for conf calls But also other things Meetecho Zero install ( for users) Semantics of IETF meeting Complex media priorities Miku Privacy Nat

343 views • 18 slides
Connecting people: WebRTC and the Pexip collaboration platform TF-WebRTC : May 19, 2015 Who are

Connecting people: WebRTC and the Pexip collaboration platform TF-WebRTC : May 19, 2015 Who are

Connecting people: WebRTC and the Pexip collaboration platform TF-WebRTC : May 19, 2015 Who are Pexip? Founded in April 2012 Strong video heritage Manufacture Infjnity a pure-software, virtualized, distributed, scalable

553 views • 38 slides
TF-WebRTC Mihly Mszros 12/15/14 Paris / France Aim of the TF-WebRTC Build community

TF-WebRTC Mihly Mszros 12/15/14 Paris / France Aim of the TF-WebRTC Build community

TF-WebRTC Mihly Mszros 12/15/14 Paris / France Aim of the TF-WebRTC Build community &amp; competence Gather Information and circulate it in our community. Collect usage scenarios, focus points Gravity: Connect people in the

266 views • 11 slides
WebRTC &amp; ORTC Tutorial October 14, 2019 Tutorial website:

WebRTC &amp; ORTC Tutorial October 14, 2019 Tutorial website:

WebRTC, Mobility, Cloud, IOT and More... IIT REAL-TIME COMMUNICATIONS Conference &amp; Expo Oct 14-16, 2019 Chicago WebRTC &amp; ORTC Tutorial October 14, 2019 Tutorial website: https://webrtc.internaut.com/iit-2019/ Bernard Aboba

1.73k views • 128 slides
Ostro OS security architecture An IoT OS security architecture that is so boring that you can

Ostro OS security architecture An IoT OS security architecture that is so boring that you can

Ostro OS security architecture An IoT OS security architecture that is so boring that you can sleep soundly at night Ismo Puustinen, Intel Finland What is Ostro OS? https://ostroproject.org IoT operating system, based on Yocto project

261 views • 9 slides
WEBRTC, MOBILE CONSIDERATIONS AND VOICE OVER IP IETF e W3C 0 c . 1 r u Google C o T

WEBRTC, MOBILE CONSIDERATIONS AND VOICE OVER IP IETF e W3C 0 c . 1 r u Google C o T

WEBRTC, MOBILE CONSIDERATIONS AND VOICE OVER IP IETF e W3C 0 c . 1 r u Google C o T s R - Microsoft n b e e p Apple W o ... 2011 2017 WebRTC (Real-Time Communications) Acquiring audio and video

577 views • 45 slides
Proposed SACM Architecture Dra=-camwinget-sacm-architecture-00

Proposed SACM Architecture Dra=-camwinget-sacm-architecture-00

Proposed SACM Architecture Ad-hoc SACM Arch team July 2014 Proposed SACM Architecture Dra=-camwinget-sacm-architecture-00 posted in June 2014

294 views • 8 slides
WebRTC multipoint conferencing with recording using a Media Server 2 Goal: WebRTC conferencing

WebRTC multipoint conferencing with recording using a Media Server 2 Goal: WebRTC conferencing

WebRTC multipoint conferencing with recording using a Media Server 2 Goal: WebRTC conferencing prototype that allows more than four participants to communicate simultaneously 1. supports recording of conversations 2. allows participants in

639 views • 32 slides
The Intersection of Application and Security Architecture Through the lens of distributed

The Intersection of Application and Security Architecture Through the lens of distributed

The Intersection of Application and Security Architecture Through the lens of distributed systems Walt Williams Who is this bloke? Author of Security for Service Oriented Architecture, CRC press 2014 Director of Information Security,

1.12k views • 55 slides
Limited Address Range The proposed architecture: LAR Architecture for Reducing Code

Limited Address Range The proposed architecture: LAR Architecture for Reducing Code

ICS/Eindhoven University of Technology Introduction Limited Address Range The proposed architecture: LAR Architecture for Reducing Code Sequential code generation for LAR Annotated Conflict Graph(ACG) Size in Embedded

292 views • 4 slides
WEBRTC API in Chrome Implementation experience Harald Alvestrand Our goal Make the web

WEBRTC API in Chrome Implementation experience Harald Alvestrand Our goal Make the web

WEBRTC API in Chrome Implementation experience Harald Alvestrand Our goal Make the web browser the best RTC platform To achieve this: Provide a fully functional, production quality implementation of the WEBRTC API and RTCWEB protocol

387 views • 7 slides
Spec status W3C IETF WebRTC 1.0 CR JSEP RFC Media Capture and Streams CR Data Channel

Spec status W3C IETF WebRTC 1.0 CR JSEP RFC Media Capture and Streams CR Data Channel

Spec status W3C IETF WebRTC 1.0 CR JSEP RFC Media Capture and Streams CR Data Channel ~RFC Identifiers for WebRTC's Statistics WD RTP Usage ~RFC Transports ~RFC Audio/Video codecs RFC Requirements RFC JavaScript APIs - 2

280 views • 11 slides
The BaBL project Real-Time Closed-Captioning for WebRTC Luis Villaseor Muoz

The BaBL project Real-Time Closed-Captioning for WebRTC Luis Villaseor Muoz

The BaBL project Real-Time Closed-Captioning for WebRTC Luis Villaseor Muoz lvillase@hawk.iit.edu 30 th April 2014 1 BaBL, version 1.0: Project Goal To develop a proof of concept WebRTC conference application that is able to use the

359 views • 35 slides
Pro rojects cts Introductory Lectures / Quizzes: 2 HP Python Programming Project : 5 HP

Pro rojects cts Introductory Lectures / Quizzes: 2 HP Python Programming Project : 5 HP

9/6/2016 TD TDDD63 63: Pro rojects cts Introductory Lectures / Quizzes: 2 HP Python Programming Project : 5 HP jonas.kvarnstrom@liu.se 2016 jonkv@ida jonkv@ida Proje oject ct: : Why? 2 2 Why a programming project? Direct

314 views • 29 slides
Good M orning! M CS1250 Introduction to Journalism October 2016, Ulrich Werner, Adj. Prof.

Good M orning! M CS1250 Introduction to Journalism October 2016, Ulrich Werner, Adj. Prof.

Good M orning! M CS1250 Introduction to Journalism October 2016, Ulrich Werner, Adj. Prof. (IIS-RU) Whats on the Plan for today Earning and keeping Trust Journalist Ethics Fairness and Balance Plagiarism and Fabrication

463 views • 19 slides
Models of concurrency, categories, and games Lectures 3 - 6 Pierre Clairambault and Glynn Winskel

Models of concurrency, categories, and games Lectures 3 - 6 Pierre Clairambault and Glynn Winskel

Models of concurrency, categories, and games Lectures 3 - 6 Pierre Clairambault and Glynn Winskel Models of concurrency, categories, and games ENS Lyon, September 2017 EVENT STRUCTURES Event structures are the concurrent analogue of trees in

1.24k views • 55 slides
An algebraic presentation of innocence Paul-Andr Mellis CNRS, Universit Paris Denis Diderot

An algebraic presentation of innocence Paul-Andr Mellis CNRS, Universit Paris Denis Diderot

An algebraic presentation of innocence Paul-Andr Mellis CNRS, Universit Paris Denis Diderot Peripatetic Seminar on Sheaves and Logic in honor of Martin Hyland and Peter Johnstone Cambridge Sunday 4 April 2009 1 Le poisson soluble Is

800 views • 42 slides
Slides on the Slides on the CERN-Solid CERN-Solid collaboration collaboration 1 The

Slides on the Slides on the CERN-Solid CERN-Solid collaboration collaboration 1 The

Slides on the Slides on the CERN-Solid CERN-Solid collaboration collaboration 1 The CERN-Solid collaboration The CERN-Solid collaboration Presentation at the Open Search SYMposium (OSSYM) 2020/10/12 Event details Maria Dimou

1.09k views • 14 slides
YALLA Yet Another Logic Language for Argumentation Pierre Bisquert, Claudette Cayrol, Florence

YALLA Yet Another Logic Language for Argumentation Pierre Bisquert, Claudette Cayrol, Florence

YALLA Yet Another Logic Language for Argumentation Pierre Bisquert, Claudette Cayrol, Florence Dupin de Saint-Cyr, Marie-Christine Lagasquie-Schiex INRA &amp; IRIT, France 2nd Madeira Workshop on Belief Revision and Argumentation February

779 views • 53 slides
Artificial Intelligence. Decision Tasks. Petr Po s k Czech Technical University in Prague

Artificial Intelligence. Decision Tasks. Petr Po s k Czech Technical University in Prague

CZECH TECHNICAL UNIVERSITY IN PRAGUE Faculty of Electrical Engineering Department of Cybernetics Artificial Intelligence. Decision Tasks. Petr Po s k Czech Technical University in Prague Faculty of Electrical Engineering Dept. of

885 views • 66 slides
Kantian Ethics Key Concepts (from last time) Acts and omissions Kant: The good

Kantian Ethics Key Concepts (from last time) Acts and omissions Kant: The good

Philosophy 240: Ethics January 25 Kantian Ethics Key Concepts (from last time) Acts and omissions Kant: The good will Kant: The categorical imperative Questions You Should Be Able to Answer How does the criticism

298 views • 3 slides

More recommend