The web has been changing rapidly, both in its infrastructure and in the information users create on it. WebRTC is a new set of technologies that enriches web infrastructure and leads to new ways to create and share information. This paper explores several domains that promise a better web ecosystem for both users and developers. The challenges of identity authentication and identity resolution are reviewed. Building on present technologies, the paper also mentions some future untapped applications of WebRTC in daily life. Finally, some theoretical prospects for technical improvement and their deployment are recommended.
Web Real-Time Communications (WebRTC) brings an extremely powerful technology close to users while opening up the path for innovative adoptions within the communications landscape. WebRTC is the first browser-based technology that breaks with the Web’s client-server architecture by enabling direct browser-to-browser communication. It is an ongoing joint effort from the W3C and IETF to develop standards that will enable real time communication (RTC) between Web browsers. Although Web browsers can communicate through voice and video using browser-dependent plugins and extensions, WebRTC is the first industrial effort to develop an open platform for RTC over the Web based on standard APIs and protocols.
More than 30 companies and organizations, including Google, Microsoft, Cisco, Mozilla, Huawei, and Ericsson, are investing in WebRTC; their hope is to change both the telecommunications industry and the Web ecosystem. It could change telecommunications by lowering the barrier for Internet companies, browser vendors, and device makers to provide RTC services over the Web. With proper standards, websites and Web browsers collectively can become a new open platform for delivering RTC and collaboration services to users. With this platform and the flexibility of HTML5, developers can rapidly create real-time Web applications that run on any operating system and any device. For users, WebRTC’s benefit isn’t just free phone calls; it’s the ability to interact in a global communication space in an unconstrained way.
WebRTC offers web application developers the ability to write rich, real-time multimedia applications (think video chat) on the web, without requiring plugins, downloads or installs. Its purpose is to help build a strong RTC platform that works across multiple web browsers and multiple platforms.
The overall architecture looks something like this:
Exploring WebRTC Identity
First we consider the usual way identity is managed for communication services. In the telephony world, identity is generally managed in a shared way between providers. An identity is tied to a publicly known address such as a phone number that enforces international standardized rules common for all communication providers (CPs).
These addresses play two roles: in the signaling role, they route the session initiation message to the callee; in the identity role, they let the callee identify the caller and vice versa.
Things are quite different on the Web. WebRTC lacks a built-in identity system, so it uses those developed for the Web in general. For this reason, the identity layer’s problems are new and unique.
The WebRTC security architecture consists of three distinct component layers:
- The media layer consists of Web browsers that exchange secure real-time media using the Secure Real-Time Transport Protocol (SRTP).
- The signaling layer consists of pages and websites that control the calls between browsers.
Creating a global RTC system over the Web entails some acute technical challenges:
- Identity authentication. How can we authenticate users on the Web? That is, how do we verify their identities to ensure that only the intended parties receive confidential or private information?
- Identity resolution. How can we locate users on the Web? That is, how do we use identity to find the pages users are visiting so we can deliver calls to them when they’re moving between different websites?
WebRTC uses two distinct paths for communication: the signaling path goes from the call initiator to the call receiver via the existing HTTP(S) connections to the calling sites; the media path is set up in a peer-to-peer fashion between the call initiator and the receiver using network protocols such as Session Traversal Utilities for NAT (Network Address Translation) and Datagram Transport Layer Security-Secure Real-Time Transport Protocol (DTLS-SRTP) for RTC.
For identity and authentication, both communicating parties employ an identity provider (IdP).
The considerable flexibility in deployment is simultaneously one of the most exciting and most challenging aspects of WebRTC technology. We can apply WebRTC in multiple deployment settings, ranging from a simple scenario with one user contacting the helpdesk from a single calling site to more complex scenarios with multiple calling sites, multiple identity providers, and media gateway services working together to set up video conferencing facilities.
Addressing User Identity in WebRTC
User identities in WebRTC services can be involved in two different activities:
- The authentication process by which the service (here, the Communication Provider) authorizes the user to log in; and
- The verification of the peer users’ identity within a call (or any data transfer).
Addressing Threats in Peer-to-Peer Web
The WebRTC threat model discussed above calls for a few security mechanisms:
- Signaling traffic protection (between each browser and the server) using HTTPS;
- Media traffic protection (between browsers) using DTLS-SRTP;
- End-to-end authentication of the communicating peers using Cryptographic Identity by verifying the given key pair and its holder; and
These mechanisms are being implemented in browsers right now. As they become available, we will see whether an ecosystem of end-to-end secure WebRTC applications develops.
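One way to carry out the end-to-end authentication step listed above, as an added example that is not from the original article: an identity provider signs the caller's identity together with the DTLS certificate fingerprint, and the callee rejects an offer whose fingerprint was changed on the signaling path. The envelope format, the key handling, the names `issueAssertion`, `verifyPeer`, `sdpAttr` and `buildOffer`, and all sample values are assumptions made for illustration.

```javascript
const crypto = require('node:crypto');

// Hypothetical IdP key pair (constructed); a real IdP keeps the private key server-side.
const idp = crypto.generateKeyPairSync('ed25519');

// IdP side: bind the user's identity to the DTLS certificate fingerprint.
// The {body, sig} envelope is an assumed format for illustration only.
function issueAssertion(identity, fingerprint) {
  const body = JSON.stringify({ identity, fingerprint });
  const sig = crypto.sign(null, Buffer.from(body), idp.privateKey).toString('base64');
  return Buffer.from(JSON.stringify({ body, sig })).toString('base64');
}

// Read one "a=<name>:<value>" attribute from an SDP blob (CRLF or LF line endings).
function sdpAttr(sdp, name) {
  const line = sdp.split(/\r?\n/).find((l) => l.startsWith(`a=${name}:`));
  return line ? line.slice(name.length + 3).trim() : null;
}

// Receiver side: the SDP arrived via the signaling server, so nothing in it is
// trusted until the IdP signature checks out and covers the offered fingerprint.
function verifyPeer(sdp, idpPublicKey) {
  const offered = sdpAttr(sdp, 'fingerprint');
  const assertion = sdpAttr(sdp, 'identity');
  if (!offered || !assertion) return { ok: false, reason: 'missing attribute' };
  try {
    const env = JSON.parse(Buffer.from(assertion, 'base64').toString('utf8'));
    const good = crypto.verify(null, Buffer.from(env.body),
      idpPublicKey, Buffer.from(env.sig, 'base64'));
    if (!good) return { ok: false, reason: 'bad signature' };
    const claims = JSON.parse(env.body);
    if (String(claims.fingerprint).toLowerCase() !== offered.toLowerCase()) {
      return { ok: false, reason: 'fingerprint mismatch' };
    }
    return { ok: true, identity: claims.identity };
  } catch {
    return { ok: false, reason: 'malformed assertion' };
  }
}

// Constructed sample offer (the fingerprint value is made up).
const FP = 'sha-256 4A:AD:B9:B1:3F:82:18:3B:54:02:12:DF:3E:5D:49:6B:' +
  '19:E5:7C:AB:4A:AD:B9:B1:3F:82:18:3B:54:02:12:DF';
function buildOffer(fingerprint, assertion) {
  return ['v=0', 'm=audio 9 UDP/TLS/RTP/SAVPF 111',
    `a=fingerprint:${fingerprint}`, `a=identity:${assertion}`, ''].join('\r\n');
}
```

The callee only starts the DTLS handshake when `verifyPeer` returns `ok: true`, and it must then also confirm that the certificate presented in that handshake hashes to the same fingerprint.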
If the web takes the form of a Global Communication Space, it will certainly revolutionize the internet industry as well as the telecommunication industry!
More about the author- Pankaj Kumar