Verifying privacy of web real-time communications (WebRTC) media channels via corresponding WebRTC data channels, and related methods, systems, and computer-readable media

US 9,112,840 B2
Filed: 07/17/2013
Issued: 08/18/2015
Est. Priority Date: 07/17/2013
Status: Active Grant

First Claim

Patent Images

1. A method for verifying privacy of a Web Real-Time Communications (WebRTC) media channel, comprising:

establishing, by a first WebRTC client executing on a first computing device and a second WebRTC client executing on a second computing device, a WebRTC media channel between the first WebRTC client and the second WebRTC client using a keying material;

establishing, using the same keying material, a WebRTC data channel between the first WebRTC client and the second WebRTC client corresponding to the WebRTC media channel;

negotiating, in the WebRTC data channel, a cryptographic key exchange between the first WebRTC client and the second WebRTC client;

generating a first Short Authentication String (SAS) and a second SAS based on the cryptographic key exchange in the WebRTC data channel; and

displaying the first SAS via the first WebRTC client and the second SAS via the second WebRTC client, such that a mismatch between the first SAS and the second SAS indicates an existence of a man-in-the-middle (MitM) attacker.

View all claims

14 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Verification of privacy of Web Real-Time Communications (WebRTC) media channels via corresponding WebRTC data channels, and related methods, systems, and computer-readable media are disclosed. In this regard, in one embodiment, a method for verifying privacy of a WebRTC media channel comprises establishing the WebRTC media channel between first and second WebRTC clients using a keying material. The method further comprises establishing a corresponding WebRTC data channel between the first and second WebRTC clients using the keying material, and negotiating, in the WebRTC data channel, a cryptographic key exchange. The method also comprises generating a first and a second Short Authentication String (SAS) based on the cryptographic key exchange in the WebRTC data channel. The method further comprises displaying the first SAS and the second SAS, such that a mismatch between the first SAS and the second SAS indicates an existence of a man-in-the-middle (MitM) attacker.

66 Citations

20 Claims

1. A method for verifying privacy of a Web Real-Time Communications (WebRTC) media channel, comprising:
- establishing, by a first WebRTC client executing on a first computing device and a second WebRTC client executing on a second computing device, a WebRTC media channel between the first WebRTC client and the second WebRTC client using a keying material;
  
  establishing, using the same keying material, a WebRTC data channel between the first WebRTC client and the second WebRTC client corresponding to the WebRTC media channel;
  
  negotiating, in the WebRTC data channel, a cryptographic key exchange between the first WebRTC client and the second WebRTC client;
  
  generating a first Short Authentication String (SAS) and a second SAS based on the cryptographic key exchange in the WebRTC data channel; and
  
  displaying the first SAS via the first WebRTC client and the second SAS via the second WebRTC client, such that a mismatch between the first SAS and the second SAS indicates an existence of a man-in-the-middle (MitM) attacker.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, wherein the WebRTC data channel is established prior to establishing the WebRTC media channel.
  - 3. The method of claim 1, further comprising comparing a first fingerprint corresponding to a keying material for establishing the WebRTC media channel with a second fingerprint corresponding to a keying material for establishing the WebRTC data channel, such that a mismatch between the first fingerprint and the second fingerprint indicates the existence of the MitM attacker.
  - 4. The method of claim 1, further comprising, responsive to a match between the first SAS and the second SAS, re-keying the WebRTC media channel based on the cryptographic key exchange in the WebRTC data channel.
  - 5. The method of claim 1, further comprising:
    - caching cryptographic key material created by the first WebRTC client and the second WebRTC client during the cryptographic key exchange;
      
      signing a third SAS and a fourth SAS generated in a subsequent cryptographic key exchange between the first WebRTC client and the second WebRTC client using the cached cryptographic key material; and
      
      automatically comparing the third SAS and the fourth SAS based on the cached cryptographic key material, such that a mismatch between the third SAS and the fourth SAS indicates the existence of the MitM attacker.
  - 6. The method of claim 5, wherein caching the cryptographic key material comprises:
    - storing a first derivation of the cryptographic key material in a first persistent data store by the first WebRTC client; and
      
      storing a second derivation of the cryptographic key material in a second persistent data store by the second WebRTC client.
  - 7. The method of claim 1, wherein negotiating the cryptographic key exchange between the first WebRTC client and the second WebRTC client comprises negotiating a key exchange based on a digital signature provided by an Identity Provider.
  - 8. The method of claim 1, wherein the cryptographic key exchange comprises a key exchange based on a public key cryptographic algorithm.
  - 9. The method of claim 8, wherein the public key cryptographic algorithm comprises a Diffie-Hellman key exchange.

10. A system for verifying privacy of a Web Real-Time Communications (WebRTC) media channel, comprising:
- at least one communications interface;
  
  a first computing device associated with the at least one communications interface and comprising a first WebRTC client, the first WebRTC client comprising a first WebRTC privacy verification agent; and
  
  a second computing device associated with the at least one communications interface and comprising a second WebRTC client, the second WebRTC client comprising a second WebRTC privacy verification agent;
  
  the first WebRTC client and the second WebRTC client configured to establish a WebRTC media channel between the first WebRTC client and the second WebRTC client using a keying material; and
  
  the first WebRTC privacy verification agent and the second WebRTC privacy verification agent configured to;
  
  establish, using the same keying material, a WebRTC data channel between the first WebRTC client and the second WebRTC client corresponding to the WebRTC media channel;
  
  negotiate, in the WebRTC data channel, a cryptographic key exchange between the first WebRTC client and the second WebRTC client;
  
  generate a first Short Authentication String (SAS) and a second SAS based on the cryptographic key exchange in the WebRTC data channel; and
  
  display the first SAS via the first WebRTC client and the second SAS via the second WebRTC client, such that a mismatch between the first SAS and the second SAS indicates an existence of a man-in-the-middle (MitM) attacker.
- View Dependent Claims (11, 12, 13, 14, 15)
- - 11. The system of claim 10, wherein the first WebRTC privacy verification agent and the second WebRTC privacy verification agent are configured to establish the WebRTC data channel prior to the first WebRTC client and the second WebRTC client establishing the WebRTC media channel.
  - 12. The system of claim 10, wherein the first WebRTC privacy verification agent and the second WebRTC privacy verification agent are further configured to compare a first fingerprint corresponding to a keying material for establishing the WebRTC media channel with a second fingerprint corresponding to a keying material for establishing the WebRTC data channel, such that a mismatch between the first fingerprint and the second fingerprint indicates the existence of the MitM attacker.
  - 13. The system of claim 10, wherein the first WebRTC client and the second WebRTC client are further configured to, responsive to a match between the first SAS and the second SAS, re-key the WebRTC media channel based on the cryptographic key exchange in the WebRTC data channel.
  - 14. The system of claim 10, wherein the first WebRTC privacy verification agent and the second WebRTC privacy verification agent are further configured to:
    - cache cryptographic key material created by the first WebRTC privacy verification agent and the second WebRTC privacy verification agent during the cryptographic key exchange;
      
      sign a third SAS and a fourth SAS generated in a subsequent cryptographic key exchange between the first WebRTC client and the second WebRTC client using the cached cryptographic key material; and
      
      automatically compare the third SAS and the fourth SAS based on the cached cryptographic key material, such that a mismatch between the third SAS and the fourth SAS indicates the existence of the MitM attacker.
  - 15. The system of claim 14, wherein the first WebRTC privacy verification agent and the second WebRTC privacy verification agent are configured to cache the cryptographic key material by:
    - storing a first derivation of the cryptographic key material in a first persistent data store by the first WebRTC privacy verification agent; and
      
      storing a second derivation of the cryptographic key material in a second persistent data store by the second WebRTC privacy verification agent.

16. A non-transitory computer-readable medium having stored thereon computer-executable instructions to cause a processor to implement a method, comprising:
- establishing a Web Real-Time Communications (WebRTC) media channel between a first WebRTC client and a second WebRTC client using a keying material;
  
  establishing, using the same keying material, a WebRTC data channel between the first WebRTC client and the second WebRTC client corresponding to the WebRTC media channel;
  
  negotiating, in the WebRTC data channel, a cryptographic key exchange between the first WebRTC client and the second WebRTC client;
  
  generating a first Short Authentication String (SAS) and a second SAS based on the cryptographic key exchange in the WebRTC data channel; and
  
  displaying the first SAS via the first WebRTC client and the second SAS via the second WebRTC client, such that a mismatch between the first SAS and the second SAS indicates an existence of a man-in-the-middle (MitM) attacker.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The non-transitory computer-readable medium of claim 16 having stored thereon the computer-executable instructions to cause the processor to implement the method, wherein the WebRTC data channel is established prior to establishing the WebRTC media channel.
  - 18. The non-transitory computer-readable medium of claim 16 having stored thereon the computer-executable instructions to cause the processor to implement the method, further comprising comparing a first fingerprint corresponding to a keying material for establishing the WebRTC media channel with a second fingerprint corresponding to a keying material for establishing the WebRTC data channel, such that a mismatch between the first fingerprint and the second fingerprint indicates the existence of the MitM attacker.
  - 19. The non-transitory computer-readable medium of claim 16 having stored thereon the computer-executable instructions to cause the processor to implement the method, further comprising re-keying the WebRTC media channel based on the cryptographic key exchange in the WebRTC data channel, responsive to a match between the first SAS and the second SAS.
  - 20. The non-transitory computer-readable medium of claim 16 having stored thereon the computer-executable instructions to cause the processor to implement the method, further comprising:
    - caching cryptographic key material created by the first WebRTC client and the second WebRTC client during the cryptographic key exchange;
      
      signing a third SAS and a fourth SAS generated in a subsequent cryptographic key exchange between the first WebRTC client and the second WebRTC client using the cached cryptographic key material; and
      
      automatically comparing the third SAS and the fourth SAS based on the cached cryptographic key material, such that a mismatch between the third SAS and the fourth SAS indicates the existence of the MitM attacker.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Avaya Incorporated
Original Assignee
Avaya Incorporated
Inventors
Johnston, Alan B., Yoakum, John H.
Primary Examiner(s)
Shiferaw, Eleni
Assistant Examiner(s)
CALLAHAN, PAUL E

Application Number

US13/944,368
Publication Number

US 20150026473A1
Time in Patent Office

762 Days
Field of Search
US Class Current

1/1
CPC Class Codes

H04L 63/061   for key exchange, e.g. in p...

H04L 63/0869   for achieving mutual authen...

H04L 63/126   the source of the received ...

H04L 63/1466   Active attacks involving in...

H04L 63/166   at the transport layer

H04L 63/205   involving negotiation or de...

H04L 9/3215   using a plurality of channe...

Verifying privacy of web real-time communications (WebRTC) media channels via corresponding WebRTC data channels, and related methods, systems, and computer-readable media

First Claim

14 Assignments

0 Petitions

Accused Products

Abstract

66 Citations

20 Claims

Specification

Use Cases

Quick Links

Others

Verifying privacy of web real-time communications (WebRTC) media channels via corresponding WebRTC data channels, and related methods, systems, and computer-readable media

First Claim

14 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

66 Citations

20 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others