更改密码 WebRTC
[英]Change cipher in WebRTC
问题描述
I'm doing a research and pilot project on WebRTC (browser/JavaScript based) and I'm now looking into the security implementation of it.
我正在 WebRTC(基于浏览器/JavaScript)上做一个研究和试点项目,我现在正在研究它的安全实现。
I understand (please correct me otherwise) that the DTLS-SRTC implements an encryption mechanism and I can only find references to TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256.我了解(请纠正我)DTLS-SRTC 实现了一种加密机制,我只能找到对 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 的引用。
I also got to think that any STUN/TURN servers in between are not taking part to the encryption mechanism so that the payload will simply pass untouched via a TURN server.我还必须想到,介于两者之间的任何 STUN/TURN 服务器都没有参与加密机制,因此有效载荷将通过 TURN 服务器原封不动地传递。
This make me asking if it is possible to set and chose among a list of available cyphers and key length for WebRTC in a browser/JavaScript solution... or if TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 is the only one.这让我问是否可以在浏览器/JavaScript 解决方案中设置和选择 WebRTC 的可用密码和密钥长度列表......或者 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 是否是唯一的。
If the cypher/key length can be set, can you please advice on how to do it in JavaScript or point to some specific documentation for achieving that?如果可以设置密码/密钥长度,请问您能否在 JavaScript 中就如何操作提出建议,或者指向一些具体的文档来实现这一点?
1 个解决方案
解决方案1
4 已采纳 2022-05-01 19:28:38
First I want to answer your direct questions, the notes on things that weren't asked explicitly.首先,我想回答您的直接问题,即未明确提出的问题的注释。
You are correct that TURN doesn't provide security to the WebRTC session. When a TURN server is used the data is already encrypted when it passes through the TURN server.您是正确的,TURN 不为 WebRTC session 提供安全性。当使用 TURN 服务器时,数据在通过 TURN 服务器时已经加密。 The TURN server can't modify or inspect the data flowing through it. TURN 服务器无法修改或检查流经它的数据。
You can't control the CipherSuites via Javascript. No APIs exist for that today.您无法通过 Javascript 控制 CipherSuites。目前不存在用于此的 API。
Browser's offer multiple DTLS and SRTP CipherSuites.浏览器提供多个 DTLS 和 SRTP CipherSuites。 Here is the list that FireFox 98 uses.这是 FireFox 98 使用的列表。
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca9)
Cipher Suite: TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca8)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
and these are the SRTP CipherSuites这些是 SRTP CipherSuites
SRTP Protection Profile: SRTP_AEAD_AES_128_GCM (0x0007)
SRTP Protection Profile: SRTP_AEAD_AES_256_GCM (0x0008)
SRTP Protection Profile: SRTP_AES128_CM_HMAC_SHA1_80 (0x0001)
SRTP Protection Profile: SRTP_AES128_CM_HMAC_SHA1_32 (0x0002)
WebRTC uses two CipherSuites. WebRTC 使用两个 CipherSuite。 One is for DTLS and one for SRTP.一种用于 DTLS,另一种用于 SRTP。 DTLS is for DataChannel messages and SRTP is for Media. DTLS 用于数据通道消息,SRTP 用于媒体。
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 is a TLS CipherSuite (not a SRTP CipherSuite). TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256是 TLS CipherSuite(不是 SRTP CipherSuite)。
The only way you can have any control over the CipherSuite is by running a WebRTC implementation that isn't in the browser.您可以控制 CipherSuite 的唯一方法是运行不在浏览器中的 WebRTC 实现。 A WebRTC server/client of your choosing could provide APIs to change these.您选择的 WebRTC 服务器/客户端可以提供 API 来更改这些。
WebRTC for the Curious#Securing could also be helpful.好奇#Securing 的 WebRTC也可能有帮助。 It touches on the points in this answer a bit deeper.它更深入地触及了这个答案中的要点。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.