An experiment in securing WebRTC

Last updated: 27 October 2014

WebRTC is a new web technology, enabling easy real-time communications between web browsers via the use of simple Javascript APIs. Designed over the last few years by collaborators working in the IETF and W3C, it is an emerging technology in web industry. The main Internet browsers all support it, and it has clear potential which will be realized in powerful communication applications very soon.

However, as you’d expect, we’ve been working to secure WebRTC communications, ensuring the channel remains safe in a global context of concern about cyber hacks and breaches: in particular, user authentication must be fast, reliable and safe.

Today, a secure element like the SIM card is an ideal place to store credentials and process authentication operations. We’ve previously talked about our support for the addition of a secure element API to the open web platform. This API, based on SIM Alliance Open Mobile API specification, enables access to security functions from web applications.

Recently, our R&D team developed a proof of concept demo which secures WebRTC-based audio and video calls between two mobile devices, supported by the phones’ SIM cards. Each SIM card used on a cellular network contains the profile of a user, described as an IMS (IP Multimedia System) profile. It contains the user’s public identity, his private identity, the server address… as well as an authentication key. So, on IMS compliant networks, the SIM card is used by the IMS client to automatically register and authenticate the user on the IMS network at a high security level.

Our demo, developed by our R&D teams in France & China, merges Web RTC technology and IMS technology. It uses two Sony Xperia Z1s registered to a web server alongside an IMS infrastructure.

Schematic of how the Secure WebRTC demo functions

How it works:

  • The HTML IMS client running on the mobile is downloaded and executed by the browser (Chrome, in our case, but also works with Firefox OS) on each mobile device.
  • The IMS profile of the user is provisioned in the SIM card.
  • When the user clicks on the « login » button of the web IMS client to trigger a WebRTC call, the SIP registration is transparently processed without user interaction.
  • The SIM card executes the authentication by checking the network cryptogram and computes the authentication result according to the IETF’s Authentication and Key Agreement v2 spec.
  • Once the IMS web application is authenticated, a SRTP session can be set up to transport the media streams, the Web RTC session is secure and active.

The benefit for the user is two-fold: no interminable forms to fill in, and no passwords to remember. For the service providers, high security access will reduce the impact of cyber attacks and fraud attempts. Moreover, the IMS profile can easily be managed over the air, enabling the deployment and administration of new services.

The promise of WebRTC is becoming a reality, but the security of these services must be monitored carefully: new channels mean the potential of new exploits and vulnerabilities, so we need to give people the freedom to use these channels by securing them. SIM cards, and secure elements in general, can play a central role in improving the security of web apps and simplify the user experience. It is also a perfect showcase of the potential of standardization.

2 thoughts on “An experiment in securing WebRTC

  1. This sounds interesting, but the focus on IMS-integrated applications will limit this to a very small slice of the emerging WebRTC marketplace. Most telco/carrier-driven WebRTC services are completely orthogonal to their IMS strategy (if they have one).

    Are there any ways to access the SIM either from browser or (more importantly) WebRTC-enriched native applications, to enable improved security?


    Dean Bubley
    Disruptive Analysis

    1. This IMS-based WebRTC application is a demo showing how web applications can get access to and benefit from secure elements, and SIM/UICC in particular. There is an ongoing industry effort, in which Gemalto is actively participating, to standardize such interfaces, so that any domain specific application may use secure hardware to protect their assets and credentials. This has led to SIM Alliance’s Open Mobile API [1] for the native mobile environments, which is already implemented and available on many smartphones. The standardization of similar interface for web application is currently discussed both in W3C and GlobalPatform. These specifications do not restrict usage to a single authentication scheme, such as IMS, but offer applications to use the secure elements the way that most suits their needs. It is up to each application domain to define what security scheme they want to implement.


Leave a Reply

Your email address will not be published. Required fields are marked *