simple secure federated identity for webrtc (your new phone number)
TRANSCRIPT
![Page 1: Simple secure federated identity for webRTC (your new phone number)](https://reader035.vdocuments.us/reader035/viewer/2022070520/58f197e21a28abab138b4571/html5/thumbnails/1.jpg)
SIMPLE SECURE FEDERATED IDENTITY FOR WEBRTC (YOUR NEW PHONE NUMBER)
Tim Panton – Westhawk Ltd @steely_glint
Westhawk ltd - @steely_glint
![Page 2: Simple secure federated identity for webRTC (your new phone number)](https://reader035.vdocuments.us/reader035/viewer/2022070520/58f197e21a28abab138b4571/html5/thumbnails/2.jpg)
Liars
Westhawk ltd - @steely_glint https://www.flickr.com/photos/barbiefantasies/14395143510/
![Page 3: Simple secure federated identity for webRTC (your new phone number)](https://reader035.vdocuments.us/reader035/viewer/2022070520/58f197e21a28abab138b4571/html5/thumbnails/3.jpg)
“Hello, I’m calling from Windows”CallerId has failed.
Caller id should alert us to this fraud
It does not
Originally geographically based No crypto strength Loosely federated Each hop can inject traffic It was good business
Westhawk ltd - @steely_glint
![Page 4: Simple secure federated identity for webRTC (your new phone number)](https://reader035.vdocuments.us/reader035/viewer/2022070520/58f197e21a28abab138b4571/html5/thumbnails/4.jpg)
Security
Westhawk ltd - @steely_glint https://www.flickr.com/photos/madaboutshanghai/184665954
![Page 5: Simple secure federated identity for webRTC (your new phone number)](https://reader035.vdocuments.us/reader035/viewer/2022070520/58f197e21a28abab138b4571/html5/thumbnails/5.jpg)
“Let me take you through security”CallerId has failed.
Needless if CallerId worked It does not
Already logged in on Web Used sensor to unlock phone Strong crypto in SIM Phone network strips other
auth It was good business
Westhawk ltd - @steely_glint
![Page 6: Simple secure federated identity for webRTC (your new phone number)](https://reader035.vdocuments.us/reader035/viewer/2022070520/58f197e21a28abab138b4571/html5/thumbnails/6.jpg)
Old Wisdom
Westhawk ltd - @steely_glint https://www.flickr.com/photos/3059349393/3320930905/
![Page 7: Simple secure federated identity for webRTC (your new phone number)](https://reader035.vdocuments.us/reader035/viewer/2022070520/58f197e21a28abab138b4571/html5/thumbnails/7.jpg)
“Hello this is Wormshill 280”CallerId has failed.
Confirm number on answer
Old wisdom?
Westhawk ltd - @steely_glint
![Page 8: Simple secure federated identity for webRTC (your new phone number)](https://reader035.vdocuments.us/reader035/viewer/2022070520/58f197e21a28abab138b4571/html5/thumbnails/8.jpg)
What do ?
Nothing Ignore the problem Most communication is in
context Assume the context will cover
gap
Except people hate robo-calls Landlines are for liars, cheats
and the elderlyWesthawk ltd - @steely_glint
![Page 9: Simple secure federated identity for webRTC (your new phone number)](https://reader035.vdocuments.us/reader035/viewer/2022070520/58f197e21a28abab138b4571/html5/thumbnails/9.jpg)
What do ?
Whatsapp Whatsapp style Siloed service No number portability No federation Bootstrap from phone number Tight control on 3rd party apps Messaging and voice in same
channelWesthawk ltd - @steely_glint
![Page 10: Simple secure federated identity for webRTC (your new phone number)](https://reader035.vdocuments.us/reader035/viewer/2022070520/58f197e21a28abab138b4571/html5/thumbnails/10.jpg)
Can WebRTC help?
WebRTC No signaling standard No identity standard Massive Silos (hangouts,
facebook etc) Niche apps (on-site apps)Probably not.
Westhawk ltd - @steely_glint
![Page 11: Simple secure federated identity for webRTC (your new phone number)](https://reader035.vdocuments.us/reader035/viewer/2022070520/58f197e21a28abab138b4571/html5/thumbnails/11.jpg)
Can WebRTC help?
WebRTC Strong E2E crypto Wide standardization Integrated into web Easy to app-ify Fingerprints
Perhaps….
Westhawk ltd - @steely_glint
![Page 12: Simple secure federated identity for webRTC (your new phone number)](https://reader035.vdocuments.us/reader035/viewer/2022070520/58f197e21a28abab138b4571/html5/thumbnails/12.jpg)
Webrtc crypto
Crypto Uses DTLS (with PFS) TLS’s datagram sibling Self signed certificates Contain no id Containing x509 public keys Exchanged securely at media
start NOT over the signaling channel Confirmation via fingerprint
Westhawk ltd - @steely_glint
![Page 13: Simple secure federated identity for webRTC (your new phone number)](https://reader035.vdocuments.us/reader035/viewer/2022070520/58f197e21a28abab138b4571/html5/thumbnails/13.jpg)
Webrtc fingerprint
fingerprint Hash over the cert containing public key
Maps uniquely to a public key Sent over signaling channel as
check 32 bytes rendered in hex Hard to read Requires you trust the signaling Not ideal for federation
Westhawk ltd - @steely_glint
![Page 14: Simple secure federated identity for webRTC (your new phone number)](https://reader035.vdocuments.us/reader035/viewer/2022070520/58f197e21a28abab138b4571/html5/thumbnails/14.jpg)
Fingerprints as phone numbers.fingerprint Such a good idea I filed a
patent on it
Replace e164 with fingerprints Calls are made between unique
32byte addresses Endpoints can verify each other
simply at media start
Westhawk ltd - @steely_glint
![Page 15: Simple secure federated identity for webRTC (your new phone number)](https://reader035.vdocuments.us/reader035/viewer/2022070520/58f197e21a28abab138b4571/html5/thumbnails/15.jpg)
‘Inbound’ example
fingerprint I receive call from a fingerprint Fingerprint is in my address
book I accept call Media start verifies fingerprint Drop call if they don’t match
Westhawk ltd - @steely_glint
![Page 16: Simple secure federated identity for webRTC (your new phone number)](https://reader035.vdocuments.us/reader035/viewer/2022070520/58f197e21a28abab138b4571/html5/thumbnails/16.jpg)
‘Outbound’ example
fingerprint I call your fingerprint Signaling claims you answered On media start calculate
fingerprint Drop call if they don’t match Continue call if they do
Westhawk ltd - @steely_glint
![Page 17: Simple secure federated identity for webRTC (your new phone number)](https://reader035.vdocuments.us/reader035/viewer/2022070520/58f197e21a28abab138b4571/html5/thumbnails/17.jpg)
What do I have to trust ?
Trust My OS My browser Javascript I’m running The site that provided the
javascript How I got your fingerprintI have (or can have) a legal contract with each of these
Westhawk ltd - @steely_glint
![Page 18: Simple secure federated identity for webRTC (your new phone number)](https://reader035.vdocuments.us/reader035/viewer/2022070520/58f197e21a28abab138b4571/html5/thumbnails/18.jpg)
What do I NOT have to trust ?Trust My signaling service
Your signaling service Any federated hops along the way
The verification is end-to-end over the
media
All are parties I have no relation toWesthawk ltd - @steely_glint
![Page 19: Simple secure federated identity for webRTC (your new phone number)](https://reader035.vdocuments.us/reader035/viewer/2022070520/58f197e21a28abab138b4571/html5/thumbnails/19.jpg)
Other Trust issues
Trust Uses well established crypto Uses stock browsers Simple(ish) inspectable
javascript Uses public webRTC apis –
nothing else
Westhawk ltd - @steely_glint
![Page 20: Simple secure federated identity for webRTC (your new phone number)](https://reader035.vdocuments.us/reader035/viewer/2022070520/58f197e21a28abab138b4571/html5/thumbnails/20.jpg)
Certificate lifecycle API
Lifecycle New Cert per site (per peerConnection)
So my poker club and church see different numbers
All stored in my device Can be stored – or one-time
depending on the site Not exportable or transferable
Westhawk ltd - @steely_glint
![Page 21: Simple secure federated identity for webRTC (your new phone number)](https://reader035.vdocuments.us/reader035/viewer/2022070520/58f197e21a28abab138b4571/html5/thumbnails/21.jpg)
I’m not learning a 32byte number!
Numbers You don’t have to I hardly recall any 10 digit
numbers! All stored in my device Protected by my (physical)
fingerprint
Westhawk ltd - @steely_glint
![Page 22: Simple secure federated identity for webRTC (your new phone number)](https://reader035.vdocuments.us/reader035/viewer/2022070520/58f197e21a28abab138b4571/html5/thumbnails/22.jpg)
How to transfer fingerprints
transfer Visually with QR codes Show and tell demo Use phone/web cams Requires proximity Intentional gesture Trusted introductions (other out of band ways)
Westhawk ltd - @steely_glint
![Page 23: Simple secure federated identity for webRTC (your new phone number)](https://reader035.vdocuments.us/reader035/viewer/2022070520/58f197e21a28abab138b4571/html5/thumbnails/23.jpg)
An implementation
fingersmith Proof of concept https://steely-glint.github.io/
fingersmith/phonefromhere/ Public code from Github
can be trusted/inspected Signaling service untrusted
just passes messages All state at endpoints
Westhawk ltd - @steely_glint
![Page 24: Simple secure federated identity for webRTC (your new phone number)](https://reader035.vdocuments.us/reader035/viewer/2022070520/58f197e21a28abab138b4571/html5/thumbnails/24.jpg)
Untrusted federation.
federation This replaces the web of (misplaced) trust in the current SS7 and IPnetworks.
We can have trusted callerID without trusting all the networks on the path If we use webRTC fingerprints instead of e164s
Westhawk ltd - @steely_glint
![Page 25: Simple secure federated identity for webRTC (your new phone number)](https://reader035.vdocuments.us/reader035/viewer/2022070520/58f197e21a28abab138b4571/html5/thumbnails/25.jpg)
Sigh, I know it won’t happen
Stuck Even with the OTT threats Telco business model is entrenched Depends on bulk calling More calls mean more leverage End users aren’t important enough
Unfortunately the necessary changes won’t happen in telco-land.
Westhawk ltd - @steely_glint
![Page 26: Simple secure federated identity for webRTC (your new phone number)](https://reader035.vdocuments.us/reader035/viewer/2022070520/58f197e21a28abab138b4571/html5/thumbnails/26.jpg)
Fortunately, across the hall in IoT
Iot Very similar problems Consequences even worse Nuisance calls to your Heating?!? No established standards (yet) Still fast moving space Same solution applies But use WebRTC DataChannel
I have hopes….Westhawk ltd - @steely_glint
![Page 27: Simple secure federated identity for webRTC (your new phone number)](https://reader035.vdocuments.us/reader035/viewer/2022070520/58f197e21a28abab138b4571/html5/thumbnails/27.jpg)
Fortunately, IoT
Iot
I have a Lego dog to prove it can be done.
EV3 300Mhz Arm9 Linux 64Mb
Westhawk ltd - @steely_glint