W3C home > Mailing lists > Public > whatwg@whatwg.org > March 2011

[whatwg] PeerConnection: encryption feedback

From: Matthew Kaufman <matthew@matthew.at>
Date: Wed, 23 Mar 2011 17:13:01 -0700
Message-ID: <4D8A8C8D.9090706@matthew.at>
On 3/23/2011 3:17 PM, Harald Alvestrand wrote:
> Is there really an advantage to not using SRTP and reusing the RTP 
> format for the data messages?

I'd go one further... why not DTLS-SRTP for the media and DTLS with some 
other header shim for the data messages?

In particular, there are significant security advantages to end-to-end 
keying rather than transmitting keys over the signaling channel.

> This is a well-known and well-analyzed encryption format, with 
> reasonably known security properties and library support (from 
> libraries that already have to be included in order to support 
> audio/video).

Also agree here. Lets not re-invent something that's been invented *and* 
analyzed.

>
> I also fail to see the requirement for the masking, given that the 
> requirement for ICE (at least once the bug of not using passwords in 
> ICE is fixed) protects against cross-socket attacks.
>

Also agree. The STUN connectivity check message in ICE is sufficient to 
prove that the far end wants the data... masking to avoid proxies is a 
non-issue for this channel.

Matthew Kaufman
Received on Wednesday, 23 March 2011 17:13:01 UTC

This archive was generated by hypermail 2.4.0 : Wednesday, 22 January 2020 16:59:31 UTC