WebRTC connection authentication.
This module provides cryptographic authentication for WebRTC connections using SDP hashes and public key encryption to prevent man-in-the-middle attacks. The authentication mechanism ensures that WebRTC connections are established only between legitimate peers with verified identities.
§Security Model
The connection authentication process works by:
- SDP Hash Combination: Combining the SDP hashes from both the WebRTC offer and answer to create a unique authentication token
- Public Key Encryption: Encrypting the authentication data using the recipient’s public key to ensure only they can decrypt it
- Mutual Verification: Both parties verify each other’s ability to decrypt the authentication data, proving they possess the correct private keys
§Authentication Flow
Peer A                                   Peer B
  |                                        |
  |  1. Create Offer (with SDP)            |
  |--------------------------------------->|
  |                                        |
  |  2. Create Answer (with SDP)           |
  |<---------------------------------------|
  |                                        |
  |  3. Generate ConnectionAuth from       |
  |     both SDP hashes                    |
  |                                        |
  |  4. Encrypt with peer's public key     |
  |--------------------------------------->|
  |                                        |
  |  5. Decrypt and verify                 |
  |<---------------------------------------|
  |                                        |
  |  6. Connection authenticated ✓         |
§Security Properties
- Identity Verification: Ensures both parties possess the private keys corresponding to their advertised public keys
- Man-in-the-Middle Protection: Prevents attackers from intercepting and modifying the connection establishment process
- Replay Attack Prevention: Uses unique SDP hashes for each connection attempt, preventing replay attacks
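The verification step behind these properties, as an added sketch that is not this crate's code: each peer recomputes the token from the offer and answer it actually saw and compares it with the token its peer sent. All names are hypothetical; plain concatenation of the two hashes is an assumption (the page does not say how they are combined), the digests are constructed sample values, and the public-key encryption and decryption steps are assumed to happen outside this code.

```rust
// Added example; all names are hypothetical, not this crate's API.
type SdpHash = [u8; 32]; // digest of one SDP blob, computed elsewhere

/// Offer hash first, answer hash second. The fixed order means both peers
/// derive identical bytes and the two roles cannot be swapped.
fn combine(offer: &SdpHash, answer: &SdpHash) -> [u8; 64] {
    let mut token = [0u8; 64];
    token[..32].copy_from_slice(offer);
    token[32..].copy_from_slice(answer);
    token
}

/// Comparison without an early exit, so timing does not reveal the position
/// of the first differing byte. Production code should use a vetted
/// constant-time primitive instead of this loop.
fn ct_eq(a: &[u8; 64], b: &[u8; 64]) -> bool {
    let mut diff = 0u8;
    for i in 0..64 {
        diff |= a[i] ^ b[i];
    }
    diff == 0
}

#[derive(Debug, PartialEq)]
enum Verdict {
    Authenticated,
    SdpMismatch,
}

/// `received` is the peer's token after decryption with our private key.
/// It is checked against the SDP pair this side observed on the wire.
fn verify(received: &[u8; 64], seen_offer: &SdpHash, seen_answer: &SdpHash) -> Verdict {
    let local = combine(seen_offer, seen_answer);
    if ct_eq(received, &local) { Verdict::Authenticated } else { Verdict::SdpMismatch }
}

fn main() {
    // Constructed sample digests standing in for real SDP hashes.
    let (offer, answer) = ([0x11u8; 32], [0x22u8; 32]);
    let rewritten_answer = [0x33u8; 32]; // answer as altered by a relay in the signaling path
    let next_offer = [0x44u8; 32]; // offer of a later connection attempt
    let from_b = combine(&offer, &answer); // token Peer B derives from its own view

    println!("honest session:   {:?}", verify(&from_b, &offer, &answer));
    println!("rewritten answer: {:?}", verify(&from_b, &offer, &rewritten_answer));
    println!("replayed token:   {:?}", verify(&from_b, &next_offer, &answer));
}
```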
Structs§
- ConnectionAuth - Connection authentication data derived from WebRTC signaling.
- ConnectionAuthEncrypted - Encrypted connection authentication data.