WebRTC Security & Privacy
H. Hakan KILINÇ, Doğaç BAŞARAN
Introduction
WebRTC (Web Real-Time Communications) is an open source technology promoted by Google and standardized under the coordination of the W3C and IETF [1], [2], [3]. It was originally designed for browser-to-browser real-time communications; however, web-based communications can also be connected to other IP-based or legacy networks through gateways. By 2020, over 7 billion end points are expected to include WebRTC, which brings significant business opportunities as well as security issues. Robust, fast identity management systems have to be built. Scalability of such solutions will be of utmost importance.
With the proliferation of smart communication devices such as mobile phones and tablets, unified communications have reached a new level at which reliable, robust and secure systems are needed. One of the recent advances in unified communications is the WebRTC technology. WebRTC is a free, open project that provides browsers and mobile applications with Real-Time Communications (RTC) capabilities [1]. It works in HTML5, and its two main advantages over other UC systems are that no plug-in downloads are required in the supported browsers (Chrome, Firefox, Opera) [1] and that it is platform independent. Simple development work on current web applications adds RTC capability to those systems. This technology is an alternative to current popular OTT (Over The Top) services and can, at the same time, bring additional RTC capabilities to such services.
According to these features, the following authentication and key agreement mechanisms, based on different mathematical problems such as hash, DLP, ECDLP, BDH and RSA and intended for different user types, can be examined for WebRTC:
- Solutions of web-based identity providers such as OpenID, Facebook Connect and OAuth
- Password Authenticated Key Exchange (PAKE) based schemes
- Hash and symmetric encryption based schemes
- Public key cryptography (PKC) (certificate) based schemes
- Identity based cryptography based schemes
In addition, it is possible to connect to other IP-based or legacy networks such as PSTN, IMS and NGN through WebRTC gateways [SPiDR], as shown in Figure 2. This brings huge business opportunities for companies such as service providers, healthcare systems and banking systems. It may also enable efficient hybrids between peer-to-peer based and CDN (Content Delivery Network) based content delivery. WebRTC exposes a data channel that can help to create new applications based on data exchange from browsers. In the case of CDN, WebRTC may help to access content from any device, platform and browser, with no need to install anything.
Figure 1: WebRTC – Open Source API for Multimedia Communications
Figure 2: WebRTC with IMS network through Gateway.
As WebRTC becomes widely used, one of the main issues will be the security of the communication. For this reason, strong authenticated identity architectures have to be established. Identity is at the heart of any consent decision. The performance and security of the authentication and key agreement schemes are also two critical factors that affect applications with a large number of endpoints. In conventional Identity Management systems, third-party identity mechanisms such as PKI are used to authenticate endpoints. However, such mechanisms are too cumbersome for typical users. Therefore, new and improved lightweight authentication mechanisms are needed to eliminate the public key infrastructure in certificate-based authentication schemes. An ideal Identity Management System should have the following features:
- Easy to implement
- Able to handle a large number of endpoints (high performance)
- Highly secure (solves the security vs. performance trade-off)
Figure 3: WebRTC with addition of authentication services
Conclusion
WebRTC and related technologies are going to bring many new services (e.g. web phones, click-to-call buttons, etc.) for communication among residential users, customers and internal users of corporations. Real-time multimedia (voice, video or data) communications will become more important with 4G and 5G. A strong identity authentication architecture that can handle tens of millions of endpoints is needed.
References:
1. WebRTC, www.webrtc.org
2. WebRTC 1.0: Real-time Communication Between Browsers, W3C Working Draft 10 February 2015, http://www.w3.org/TR/webrtc/
3. Real-Time Communication in WEB-browsers (Active WG), http://tools.ietf.org/wg/rtcweb/
4. http://www.genband.com/products/experius/webrtc-gateway