This sharing will introduce the similarities and differences of webrtc based conference, SFU mode conference and webrtc SFU mode conference data encryption for various current terminal encryption scenarios.
Content from 263 audio and video Architects He Xiaomin’s sharing at the round table in the second half of the video conference.
Ppt material link:https://pan.baidu.com/s/19qf9…
With the wide application of remote collaboration tools in various industries, and many enterprises have announced that they will take remote office as a normal collaboration mode, which means that the popularity of remote collaborative office products such as video conference has been raised to the height of enterprise strategy. It also makes enterprises pay more and more attention to the security of video conference software or platform.
The popularity of video conferencing inevitably means that it needs to support higher concurrency, more convenient use and access to mobile and intelligent terminals. The video conferencing platform built by enterprises can no longer meet the needs of enterprises. Enterprises’ acceptance of public cloud products is gradually increasing, and enterprises’ torture of the security of video conferencing products also follows.
Throughout the world, on the one hand, cyber attacks are more extensive, targeted and destructive than before. On the other hand, due to the objective reasons of the international political environment, the anti globalization development has brought a trust crisis. Government enterprises, military and police and other fields have put forward higher information security requirements for video conference security.
It is a great honor to represent 263 in this event. Today, I will share several encryption methods that 263 is developing and practicing on the end-to-end encryption strategy of video conference.
First, let’s introduce 263. 263 has been deeply engaged in the field of enterprise Internet communication for more than 20 years, providing enterprise customers with products and services such as video conference, enterprise live broadcast, enterprise mailbox, cloud storage, teleconference and so on. In 2015, 263 acquired Zhanshi interactive, the largest interactive live broadcasting platform in China at that time, and comprehensively laid out the product line in the field of enterprise Internet communication.
In recent years, 263 has gradually changed from a traditional tool manufacturer to a one-stop digital marketing service provider. It empowers industry customers through the ability of cloud video technology, greatly improves the overall video service ability in the field of cloud video conference and cloud live broadcasting applications, and meets the needs of enterprise customers for video cooperation such as remote video conference, live marketing and remote training, Help enterprises create new value of digital marketing.
Video conference security background introduction
When it comes to video conference security, one factor that can not be bypassed is the epidemic last year. Since the epidemic in 2020, it has rapidly catalyzed the remote office and remote cooperation market, especially in the segmentation scenarios of various industries such as video conference, online education, online training and online summit, and the terminal is not limited to computer and video conference hardware. For example, in the field of Internet of things, various sensors, UAVs and other terminals also need video communication capability; In the medical field, the transmission of nuclear magnetic resonance images, infrared scanning, and remote tracking and monitoring in the field of government emergency command all need to realize video communication capability on various terminals. There are many kinds of terminals and different requirements for data security, which is a great challenge to the security strategy of video communication platform.
In addition, the overall development trend of video conference industry tends to the integration of protocol standardization, compatibility and capability. At present, the application scenarios of video conferencing are becoming more and more complex. Enterprises adopt self built solutions, and the cost of using private protocols is becoming higher and higher. Therefore, more and more enterprises adopt public cloud solutions, and the probability of network attack is relatively higher. With the upgrading of the intensity of network attack, it becomes more targeted, more destructive and wider in scope, More and more enterprises pay attention to the security and encryption strategy of video conference platform. Next, I will share some encryption methods of traditional video communication and several terminal to terminal encryption methods of video conference developed by 263.
End – to – end encryption
There are three traditional encryption technologies: symmetric encryption, asymmetric encryption and TLS encryption.
Symmetric encryption, that is, it is encrypted by the same method and decrypted by the other party by the same method. This encryption technology requires that the public passwords of both parties need to be allocated in advance through private channels, similar to the codebook in spy movies. Symmetric encryption has the advantages of fast speed and high efficiency, but the disadvantages are also obvious. Once the key is exposed, the data will be eavesdropped.
With the development of encryption technology, asymmetric encryption technology is extended from symmetric encryption technology. The encryption and decryption keys of this technology are different, generally public key encryption and private key decryption. Even if the public key is leaked, it will not lead to data leakage. Communication parties only need to send their public keys to each other in advance to realize public key encryption. After sending it out, the other party receives it and decrypts it again. This technology has a certain improvement in security than symmetric encryption.
The third type is TLS encryption. The advantage of TLS encryption is that it solves the problem of identity authentication on the basis of asymmetric encryption. The encrypted communication process is to first apply for a certificate from the certification authority, authenticate the certificate as a public key and send it to the other party. After the other party receives the certificate, it verifies whether its certificate is valid in the third party. After the verification of the two parties passes, it starts the process of public key encryption and private key decryption.
Conference data encryption based on webrtc
Next, I will focus on data encryption based on webrtc. In order to better protect customers’ information security, 263 cloud video service uses self-developed webrtc technology, and focuses on strengthening the security of video conference data.
Because the protocol setting of webrtc itself is end-to-end communication, most meetings based on webrtc are data between the client and the platform of webrtc server. The process is standard SDP session negotiation – ice drilling to solve data and network problems – key exchange between both parties based on UDP dtls – SRTP data transmission. The sender encrypts the data with public key and sends it through SRTP channel, and the other party decrypts it after receiving it.
SRTP is used for media data, and the datachannel can transmit signaling. It is rarely used by major platforms, and SCTP encryption is used. During the session establishment process of webrtc, the exchange of session signaling is not standardized. Generally speaking, it is implemented based on websocket to be compatible with browsers, but it can also be implemented by itself. As shown in the figure above, TLS encryption of TCP is used for signaling and SCTP / SRTP encryption of UDP is used for data (the new version of webrtc has been implemented based on UDP / http3 / quic).
The process of key exchange is the key of webrtc, which is illustrated here. For example, there are two terminals under the conference platform based on webrtc. To forward media data, the process is to first establish a session. During the establishment process, one or two pairs of keys will be generated. The upstream stream and downstream stream are two independent peer-to-peer streams, that is, sending and receiving are a pair of keys respectively. Suppose that terminal a generates (a, a), the server generates (S1, S1), and terminal B is the same process. After completion, they all establish their own media streams. The next step is the data forwarding process. Terminal a uses the public key encryption server to send it to the server. The server decrypts it with the key negotiated between them, and then processes it (including the processes of packet Grouping, sorting, packet loss resistance and NACK). In the distribution process, SFU diversion may also be done, that is, simulcast diversion, Then, when sending it to each terminal, it will be encrypted and sent with their negotiated key. After receiving it, the terminal will decrypt it, and vice versa.
This realizes that the channel between each terminal and the server in the whole conference is encrypted, and the server will decrypt, package, re encrypt and send the received data. The problem is that the memory and CPU consumption of the server is relatively high in a series of processing processes.
At present, this encryption technology has been applied on 263 platform. 263 based on the self-developed webrtc technology, it not only realizes the stable, smooth and ultra-low delay video communication of cloud video conference and cloud live broadcast products, but also uses this encryption technology to protect the data security of government, finance, medicine and other industries and enterprise customers with high data security requirements.
One – to – one private conversation in video conference
For 1-to-1 video conference, 263 designs a private conversation encryption method to ensure the security of video conference. Suppose this is a standard conference server. Terminals a and B normally enter the conference and want to have a private session between them. The session uses a third-party platform. The platform based SDK extension protocol makes its own encrypted signaling extension. Its process is: terminal a wants to initiate the session, its husband forms a key, sends the public key to the other party, and B accepts the session, After the response is generated, the public key is also sent back, and one-to-one encrypted data stream forwarding can be realized.
End to end encryption in SFU mode
In SFU mode, i.e. distribution mode, the conference server needs to distribute each terminal data to multiple people through the server. Therefore, the whole process encryption cannot be performed for each 1-to-1 data stream, but only the data transmission channel encryption of online stream or downstream stream can be realized. We now require that throughout the distribution process, the conference server cannot crack the signaling or data of each terminal to ensure that it will not be monitored. To achieve a trusted call on an untrusted platform, the following process is required: first, each terminal becomes a pair of “signaling keys”, and will broadcast its public key to the venue when joining the club. When sending the signaling to be encrypted later, you only need to use the other party’s public key for encryption. In this way, all terminals can send signaling to the server, but the server cannot crack the signaling.
Then there is the encrypted sending process of data. Data encryption and signaling are all different. If everyone’s data is required to be encrypted and sent out, the server can not decrypt, but also all terminals can receive it, which requires an authorization process.
For example, client a uses the “A1” data key. After joining the association, the data of client a can be encrypted with its own A1 public key, and then sent to the server; The server does not know the data private key of client a, so it cannot decrypt; When other clients need to receive a’s data, they will first send a request signaling, which is encrypted with the signaling public key “a” and forwarded to terminal a; A will carry out authentication after receiving it to ensure that the other party is a legitimate terminal (the application can establish its own authentication platform and include the certificate in the request). After the authentication is approved, the corresponding response can be sent. The response includes the data private key “A1”.
Note that here, the public key is used as the private key and the private key as the public key, which is a reverse process. In this way, terminal B can receive the data stream of the server. B has been authorized to decrypt a’s encrypted data using a’s private key. In this way, forwarding the encrypted data channel through the server has been completed.
This is the process of end-to-end encryption and its certificate in SFU mode. First, there are two client terminals a and B. The following is a third-party application based on the conference Platform SDK. A client first issues an encrypted video stream to the conference management server, and the server will broadcast it to the used terminal; Then, before viewing, terminal B needs to obtain the certificate from the certificate platform built by the customer, and then subscribe to the video stream and provide the certificate to the conference management server; After receiving the request, the server forwards the request containing certificate B to terminal a, terminal a authenticates the certificate on the certificate server, and then forwards its public key to B through the conference management server. B receives the request, and data flow can be exchanged between a and B.
End to end encryption in webrtc SFU mode
In the webrtc SFU mode, if you want to use the standard protocol of webrtc and encrypt between terminals on it, you need the following process.
The previous process is the same as just now, using encrypted signaling channels. After the standard webrtc session is established, for example, a B requests a’s data and B requests the private key of the data. Then, in the process of data stream distribution, before the SRTP encryption of webrtc, make an API layer callback and give it to the application side to make another layer of encryption, and then use the SRTP encryption.
In addition, on the webrtc server, you only need to decrypt the channel, do not need complete video frame data decryption, do not group frames and other processes, just do a sorting, and then distribute it to everyone or use the webrtc connection. In this way, after receiving the data, B not only needs to decrypt the SRTP, but also needs to decrypt the encryption processing of the API layer made by the customer. In this way, the end-to-end encryption process is embedded in webrtc.
The encrypted signaling channel of webrtc SFU is the same as that of standard conference. The private key request needs to establish such a process independently of webrtc. The distribution of data stream has three changes just introduced: one more layer of encryption, one less layer of framing, and one more layer of decryption. Based on the above method, a trusted encrypted data communication process can be realized through the design of the protocol.
There are two problems. One is identity authentication and the other is protocol compatibility.
Identity authentication. We have realized that the server is secure and the transmission channel is secure, but there is no clear definition of whether the terminal is secure or not. The certification process just mentioned is not standardized. We only provide open APIs or similar methods, and users can implement them flexibly. Generally speaking, one to many certificate authentication is difficult to achieve a standardized process. In addition to using the certificate platform, it can also be implemented at the hardware level, such as the way of dongle.
Protocol compatibility. On a set of encrypted webrtc system, if you want to be compatible with the standard webrtc browser client, you need other solutions. After the browser gets the data, it will not decrypt the API, and the transmitted data does not have the encryption process of public key “A1”. We have two solutions: first, the system supports both encrypted and unencrypted meetings, and the encrypted meeting does not support the browser temporarily. 2、 The SDK of the server layer is provided so that users can establish a management platform based on the SDK for authorization. In this way, when accessing the browser, it can be fully decrypted and re encrypted before distribution by the server. For such distribution, it is recommended that a third party build a server in its trusted computer room to realize transfer.
That’s all I share today. Thank you.
Please scan the drawing for details__ QR code__ Or click__ Read the original text__ Learn more about the conference.