How do peers in WebRTC authenticate each other?
- The question is too unclear and too broad for me. In the title you ask about DTLS in general, which is a protocol not only used for WebRTC. In the question body you are more focused on WebRTC but not exclusively. Note that these details are relevant, since DTLS can handle a variety of authentications similar to TLS. And TLS does not require a CA either but can deal with self-signed certificates or even completely omit certificates in favor of PSK or other authentication methods. – Steffen Ullrich Sep 26 '20 at 20:49
2 Answers
DTLS in WebRTC uses self-signed certificates. RFC 5763 has the details; in a nutshell, the certificate fingerprint is matched against the one provided in the a=fingerprint line of the SDP.
- That RFC is only about a single specific use of DTLS. The latest DTLS specification by itself is RFC 6347, and it obviously does not say anything about forcing self-signed certificates. Like TLS it can work with "any" certificate. – Patrick Mevzek Sep 25 '20 at 15:00
- @PatrickMevzek: Yes and no. The question title is about DTLS in general but the body specifically mentions WebRTC. Within this narrowed context the answer here is correct. – Steffen Ullrich Sep 26 '20 at 20:46
As the comment from Patrick Mevzek already mentioned:
Whether a self-signed certificate is trusted/accepted doesn't depend on DTLS or TLS.
This depends only on the peer's trusted certificates. If the client's or server's certificate path/chain contains a certificate whose signature can be verified by a trusted certificate, then it's assumed to be trusted. There may be some additional checks, such as validity time, key usage or the hostname. The trusted certificates are usually stored in a "trust store". So, if your server should use such a self-signed certificate, add that self-signed certificate to your client's trust store. If the client then receives just that self-signed certificate as the path, it checks whether the signer (in that case the certificate itself) is in the trust store.
What doesn't work with such self-signed certificates is that other clients, which haven't added that certificate to their trust store, will trust that server.
> How do peers in p2p systems like Webrtc authenticate each other?
If these peers add the certificate of the other into their trust store ahead of time, then they will trust each other.
> Do they require a certificate from a CA?
If you can't add the other's certificate ahead of time, then you need certificates that are signed by a CA (certificate) which is already in the peer's trust store.
- From my understanding, within the WebRTC p2p scenario the certificates are not added to the trust store. Instead the fingerprint of the peer's (self-signed) certificate is announced in the SDP and can thus be used for certificate validation within the context of the specific call. – Steffen Ullrich Sep 26 '20 at 20:44
- "like Webrtc" made me believe it's a general question about x509 for DTLS as opposed to TLS. In my opinion, there is no difference, and x509 needs trust ahead of time. But sure, only the one who asked knows what was asked :-). – Achim Kraus Sep 27 '20 at 06:24
- I fully agree that the question is too unspecific. Still, in case of WebRTC the certificates are not added to the trust store, contrary to what you describe in your answer. The trust is simply checked by comparing the certificate's fingerprint to the one specified inside the SDP. – Steffen Ullrich Sep 27 '20 at 06:36
- Yes, if you focus on the "trust store". If you focus on "establish trust ahead of time", either by a complete certificate to trust or by the fingerprint of such a trusted certificate, then the difference is not that large. My point in my answer was more that you need to trust, either by common CAs or by exchanging trusted certificates ahead of time, maybe even just the fingerprints. – Achim Kraus Sep 27 '20 at 09:53
- I don't really understand your argument on what I should focus on and on what not. I've tried to point out a factual error (about how authentication works in WebRTC) in your answer in the hope that it gets fixed. Wouldn't it be better if you would edit the answer to fix this part instead of arguing that one should not focus on this but on another part of your answer? – Steffen Ullrich Sep 27 '20 at 10:03
- We will see if the question gets clarified. Sure, if it's about webrtc, my answer about how certificates are used in other scenarios is a "factual error". – Achim Kraus Sep 27 '20 at 12:42
- Let us [continue this discussion in chat](https://chat.stackoverflow.com/rooms/222146/discussion-between-steffen-ullrich-and-achim-kraus). – Steffen Ullrich Sep 27 '20 at 12:43