Last updated: 27 October 2014
However, as you’d expect, we’ve been working to secure WebRTC communications, ensuring the channel remains safe in a global context of concern about cyber hacks and breaches: in particular, user authentication must be fast, reliable and safe.
Today, a secure element like the SIM card is an ideal place to store credentials and process authentication operations. We’ve previously talked about our support for the addition of a secure element API to the open web platform. This API, based on the SIM Alliance Open Mobile API specification, enables access to security functions from web applications.
Recently, our R&D team developed a proof-of-concept demo that secures WebRTC-based audio and video calls between two mobile devices, supported by the phones’ SIM cards. Each SIM card used on a cellular network contains the profile of a user, described as an IMS (IP Multimedia System) profile. It contains the user’s public identity, his private identity, the server address… as well as an authentication key. So, on IMS compliant networks, the SIM card is used by the IMS client to automatically register and authenticate the user on the IMS network at a high security level.
Our demo, developed by our R&D teams in France & China, merges WebRTC technology and IMS technology. It uses two Sony Xperia Z1s registered to a web server alongside an IMS infrastructure.
How it works:
- The HTML IMS client running on the mobile is downloaded and executed by the browser (Chrome, in our case, but also works with Firefox OS) on each mobile device.
- The IMS profile of the user is provisioned in the SIM card.
- When the user clicks on the “login” button of the web IMS client to trigger a WebRTC call, the SIP registration is transparently processed without user interaction.
- The SIM card executes the authentication: it checks the network cryptogram and computes the authentication result according to the IETF’s Authentication and Key Agreement v2 spec.
- Once the IMS web application is authenticated, an SRTP session can be set up to transport the media streams; the WebRTC session is then secure and active.
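The SIM-side step in the list above (check the network cryptogram, then compute the authentication result), sketched as an added example that is not the demo's own code. The nonce layout follows Digest AKA (base64 of RAND || AUTN); the `f` helper (an HMAC-SHA256 stand-in for the card's f1/f2/f5 functions), the simplified sequence-number rule and all key values are assumptions made for illustration.

```javascript
// Added example: the AKA check a SIM performs during SIP registration.
// f() is an HMAC-SHA256 stand-in (assumption) for the card's f1/f2/f5 functions;
// keys, RAND and sequence numbers below are constructed sample values.
const { createHmac, timingSafeEqual } = require("node:crypto");

const f = (label, k, data, len) =>
  createHmac("sha256", k).update(label).update(data).digest().subarray(0, len);
const xor = (a, b) => Buffer.from(Array.from(a, (x, i) => x ^ b[i]));
const sqnBytes = (n) => { const b = Buffer.alloc(6); b.writeUIntBE(n, 0, 6); return b; };

// Network side: nonce for the SIP 401 challenge = base64(RAND || AUTN),
// where AUTN = (SQN xor AK) || AMF || MAC.
function networkChallenge(k, rand, sqn, amf = Buffer.from([0x80, 0x00])) {
  const s = sqnBytes(sqn);
  const mac = f("f1", k, Buffer.concat([s, rand, amf]), 8);
  const autn = Buffer.concat([xor(s, f("f5", k, rand, 6)), amf, mac]);
  return Buffer.concat([rand, autn]).toString("base64");
}

// SIM side: verify the network cryptogram, then compute the result RES.
function simAuthenticate(sim, nonceB64) {
  const raw = Buffer.from(nonceB64, "base64");
  if (raw.length < 32) return { ok: false, reason: "short-nonce" };
  const rand = raw.subarray(0, 16);
  const autn = raw.subarray(16, 32);
  const sqn = xor(autn.subarray(0, 6), f("f5", sim.k, rand, 6));
  const xmac = f("f1", sim.k, Buffer.concat([sqn, rand, autn.subarray(6, 8)]), 8);
  // MAC mismatch: the challenge was not built with the key shared with the card.
  if (!timingSafeEqual(xmac, autn.subarray(8, 16))) return { ok: false, reason: "mac-failure" };
  // Simplified freshness rule: reject any sequence number not above the last one seen.
  const n = sqn.readUIntBE(0, 6);
  if (n <= sim.sqn) return { ok: false, reason: "sync-failure" };
  sim.sqn = n;
  return { ok: true, res: f("f2", sim.k, rand, 8).toString("hex") };
}

// Constructed walk-through: genuine challenge, replay, and a challenge from a wrong key.
function demo() {
  const k = Buffer.alloc(16, 0x2b), rand = Buffer.alloc(16, 0x5a);
  const sim = { k, sqn: 41 };
  const nonce = networkChallenge(k, rand, 42);
  return {
    genuine: simAuthenticate(sim, nonce),
    replay: simAuthenticate(sim, nonce),
    forged: simAuthenticate(sim, networkChallenge(Buffer.alloc(16, 0x11), rand, 43)),
  };
}
console.log(demo());
```

On a real card a failed sequence check returns a resynchronization token to the network rather than a bare error; that path is left out here.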
The benefit for the user is two-fold: no interminable forms to fill in, and no passwords to remember. For the service providers, high security access will reduce the impact of cyber attacks and fraud attempts. Moreover, the IMS profile can easily be managed over the air, enabling the deployment and administration of new services.
The promise of WebRTC is becoming a reality, but the security of these services must be monitored carefully: new channels mean the potential for new exploits and vulnerabilities, so we need to give people the freedom to use these channels by securing them. SIM cards, and secure elements in general, can play a central role in improving the security of web apps and simplifying the user experience. It is also a perfect showcase of the potential of standardization.