Secure Customers.
No matter the industry, we’ve got security down. You’re covered.
Own All Your Data.
Do you know where your data is going? Govern your data with geofencing using LiveSwitch Security.
Built On the Inherent Security of WebRTC.
WebRTC in general is very secure and LiveSwitch follows the WebRTC spec. We take extra precautions over and above the industry standard to ensure that your private communications are kept safe with LiveSwitch Security.
We Got You.
Always encrypt data across your systems. LiveSwitch is compliant with the most current security regulations across the board.
SOC2 Compliance
LiveSwitch received a compliance certification under the American Institute of Certified Public Accountants' (AICPA) System and Organization Controls (SOC) 2. LiveSwitch's SOC 2 Type II standard for information security was certified by an independent, trusted third-party CPA firm on October 13, 2023.
The SOC 2 compliance certification is an industry-recognized designation that further reinforces LiveSwitch’s ongoing commitment to customers, vendors, partners, and personnel connected to the LiveSwitch systems. LiveSwitch met the rigorous and high industry standards set by the AICPA for information security to receive the SOC 2 Type II designation.
GDPR Compliance
LiveSwitch is committed to ensuring the security and protection of the personal information that we process, and to providing a compliant and consistent approach to data protection. We are aligned with GDPR and committed to providing GDPR-compliant products and services to our customers in the EU region and to our customers who conduct business within the EU. If you have any questions related to our GDPR compliance, please contact us at help@liveswitch.com.
CPRA Compliance
The California Consumer Privacy Act is the first comprehensive privacy law in the United States that aims to provide a variety of privacy rights to California consumers. LiveSwitch is aligned with CCPA through the implementation of Information Security and Privacy programs. We only collect personal information that is reasonably necessary for the purpose it is collected and cannot retain personal information for longer than what is necessary for the purpose it was collected.
PIPEDA Compliance
LiveSwitch takes all customers’ data privacy and security requirements seriously. This includes formal compliance with all respective local and regional regulations. We are dedicated to meeting the compliance obligations under the Personal Information Protection and Electronic Documents Act (PIPEDA).
PIPEDA is a Canadian federal privacy law that applies to many organizations that conduct business in Canada. Specifically, PIPEDA regulates the collection, use, and disclosure of individuals’ personal information. PIPEDA’s ten fair information principles form the ground rules for the collection, use, and disclosure of personal information, as well as for providing access to personal information. They give individuals control over how their personal information is handled by private sector organizations.
All LiveSwitch connections are secured using DTLS. Encryption is mandatory for all WebRTC Data Channel components. With RTCDataChannels, all data is secured with Datagram Transport Layer Security (DTLS). DTLS supports the majority of TLS cipher suites, meaning your data will be as secure as using any standard SSL based connection. DTLS is standardized and built into all browsers that support WebRTC.
LiveSwitch uses DTLS 1.2, with support for cipher suites that provide Perfect Forward Secrecy (PFS).
Cipher Suites Used for DTLS
- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
- TLS_RSA_WITH_AES_128_CBC_SHA
- TLS_RSA_WITH_AES_128_GCM_SHA256
- TLS_RSA_WITH_AES_128_CBC_SHA256
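In the list above, only the ECDHE suites use an ephemeral key exchange and so provide forward secrecy; the three TLS_RSA_ suites use static RSA key transport. The following is an added example, not LiveSwitch code: it parses the suite names published on this page and orders them for a deployment that prefers forward-secret AEAD suites (function names are hypothetical).

```python
# Added example: parse TLS 1.2-style suite names and rank them.
# The list is copied from this page; function names are hypothetical.
PAGE_SUITES = [
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA256",
]


def parse_suite(name):
    """Split an IANA suite name into key exchange, auth, cipher and MAC/PRF."""
    if not name.startswith("TLS_") or "_WITH_" not in name:
        raise ValueError("not a TLS 1.2-style suite name: " + name)
    kx_part, cipher_part = name[len("TLS_"):].split("_WITH_", 1)
    kx_fields = kx_part.split("_")
    key_exchange = kx_fields[0]
    # Static RSA suites use the certificate key for key transport and auth.
    auth = kx_fields[1] if len(kx_fields) > 1 else key_exchange
    cipher, _, mac = cipher_part.rpartition("_")
    return {
        "name": name,
        "key_exchange": key_exchange,
        "auth": auth,
        "cipher": cipher,
        "mac_or_prf": mac,
        # Only ephemeral (EC)DHE key exchange gives forward secrecy.
        "forward_secret": key_exchange in ("ECDHE", "DHE"),
        # GCM is an AEAD mode; CBC suites rely on a separate HMAC.
        "aead": any(t in cipher_part for t in ("GCM", "CCM", "POLY1305")),
    }


def static_key_exchange(names):
    """Suites whose session keys depend on the long-term private key."""
    return [n for n in names if not parse_suite(n)["forward_secret"]]


def preference_order(names):
    """Forward-secret AEAD first, static-RSA CBC last (stable sort)."""
    parsed = [parse_suite(n) for n in names]
    parsed.sort(key=lambda s: (not s["forward_secret"], not s["aead"]))
    return [s["name"] for s in parsed]
```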
X.509 Certificates
Secure X.509 certificates are automatically generated for each connection using Elliptic Curve Digital Signature Algorithm (ECDSA) (default, P-256 curve) or RSA (2048-bit) signing, but custom certificates and key-pairs can be provided. Certificate fingerprints, used to verify the peer during key exchange, are exchanged through signaling in the SDP blobs, so it's imperative to ensure security at the signaling layer.
Perfect Forward Secrecy (PFS)
Although WebRTC is very secure, LiveSwitch takes extra precautions to ensure that your communications are kept safe.
Perfect Forward Secrecy (PFS), also known as Forward Secrecy, is an encryption approach that uses temporary (ephemeral) private keys in the key exchange between clients and servers. For every individual session initiated by a user, a unique session key is generated. Both of our products, LiveSwitch Cloud and LiveSwitch Server, include Perfect Forward Secrecy (PFS): the highest level of security possible for real-time communication. This ensures that your session keys will not be compromised even if the private key of the server is compromised. LiveSwitch uses PFS as the default for every single session.
FIPS
²Federal Information Processing Standards (FIPS) is a standard for adoption and use by United States Federal departments and agencies that has been developed within the Information Technology Laboratory and published by the National Institute of Standards and Technology (NIST), a part of the U.S. Department of Commerce. FIPS describe document processing, encryption algorithms and other information technology standards for use within non-military government agencies and by government contractors and vendors who work with the agencies.
LiveSwitch SDK supports partial FIPS compatibility:
Partial FIPS compatibility is implemented for Windows in .NET by switching hashing contexts when FIPS compatibility mode is set to true. In particular, SHA1Managed is switched to SHA1CryptoServiceProvider, SHA256Managed to SHA256CryptoServiceProvider and RijndaelManaged to AesCryptoServiceProvider. In addition, internal property generation uses GUIDs instead of MD5, and a section of calls using the MD5 hashing context is replaced with SHA-256 (IL-2465).
Note that not all platforms or third-party libraries are FIPS-compliant, so this should not be used as a guarantee of FIPS compliance.
TLS (Transport Layer Security)
Transport Layer Security (TLS) is an Internet Engineering Task Force (IETF) standard protocol that provides authentication, privacy and data integrity between two communicating computer applications.
LiveSwitch connections are extremely secure once established, provided the signaling layer is also secure. Since the certificate fingerprints must be signaled in the SDP offer/answer blobs, a weakness in the signaling layer allows the possibility of a man-in-the-middle attack. For LiveSwitch, the Gateway provides the signaling layer; and when installed on a server with a trusted SSL certificate, LiveSwitch's Gateway uses TLS encryption (HTTPS/WSS).
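The fingerprint check described here and under X.509 Certificates, as an added example that is not LiveSwitch code: it parses the RFC 8122 a=fingerprint attribute from an SDP blob and compares it with the hash of the certificate the peer presented in the DTLS handshake. The certificate bytes and SDP are constructed stand-ins and the function names are hypothetical.

```python
import hashlib
import hmac

# RFC 8122 hash-function tokens mapped to hashlib names.
HASHES = {"sha-1": "sha1", "sha-256": "sha256",
          "sha-384": "sha384", "sha-512": "sha512"}
PREFIX = "a=fingerprint:"


def format_fingerprint(cert_der, algo="sha-256"):
    """Render the attribute value: '<hash-func> AB:CD:...' over the DER bytes."""
    digest = hashlib.new(HASHES[algo], cert_der).digest()
    return algo + " " + ":".join("%02X" % b for b in digest)


def parse_fingerprints(sdp):
    """Return [(hash_func, digest_bytes)] for every a=fingerprint line."""
    found = []
    for line in sdp.splitlines():
        line = line.strip()
        if not line.startswith(PREFIX):
            continue
        algo, _, hexpart = line[len(PREFIX):].strip().partition(" ")
        algo = algo.lower()
        if algo not in HASHES:
            raise ValueError("unsupported hash function: " + algo)
        digest = bytes.fromhex(hexpart.strip().replace(":", ""))
        if len(digest) != hashlib.new(HASHES[algo]).digest_size:
            raise ValueError("fingerprint length does not match " + algo)
        found.append((algo, digest))
    return found


def cert_matches_sdp(cert_der, sdp, allow_sha1=False):
    """True only if the presented certificate matches a signaled fingerprint."""
    for algo, signaled in parse_fingerprints(sdp):
        if algo == "sha-1" and not allow_sha1:
            continue  # do not accept a SHA-1-only binding
        actual = hashlib.new(HASHES[algo], cert_der).digest()
        if hmac.compare_digest(actual, signaled):
            return True
    return False  # no fingerprint, or none matched: abort the connection


# Constructed sample: placeholder bytes standing in for a DER certificate.
SAMPLE_CERT_DER = b"constructed stand-in for DER-encoded certificate bytes"
SAMPLE_SDP = ("v=0\r\nm=application 9 UDP/DTLS/SCTP webrtc-datachannel\r\n"
              "a=setup:actpass\r\n"
              "a=fingerprint:" + format_fingerprint(SAMPLE_CERT_DER) + "\r\n")
```

The check binds the DTLS certificate only to whatever fingerprint arrived over signaling, which is why the signaling channel itself has to be authenticated and encrypted (HTTPS/WSS).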
TURNS servers extend TURN by using TLS (SSL) to secure the underlying TCP connection. Since app data is already encrypted, this simply adds a layer of security on the TURN headers, but is useful to traverse firewall rules that only allow TLS/SSL traffic. TURNS servers listen on port 5349 by default, but any port can be used. Port 443 is recommended since it's generally allowed by client networks. Firewall rules must be added to allow inbound TCP traffic on the configured port.
HMAC
LiveSwitch Server signaling tokens, which are used to authenticate gateway requests, use HMAC-SHA-2.
³In cryptography, an HMAC (sometimes expanded as either keyed-hash message authentication code or hash-based message authentication code) is a specific type of message authentication code (MAC) involving a cryptographic hash function and a secret cryptographic key. As with any MAC, it may be used to simultaneously verify both the data integrity and authenticity of a message.
HMAC can provide authentication using a shared secret instead of using digital signatures with asymmetric cryptography. It trades off the need for a complex public key infrastructure by delegating the key exchange to the communicating parties, who are responsible for establishing and using a trusted channel to agree on the key prior to communication.
LiveSwitch Application and Channel webhooks now include the header X-ApplicationSignature. The contents of X-ApplicationSignature are a Base64-encoded HMAC-SHA256 hash of the webhook JSON body using the Application's shared secret as the hash secret.
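One way a webhook receiver can check X-ApplicationSignature, as an added example that is not LiveSwitch code. It assumes the HMAC is computed over the raw request body bytes exactly as received and that the shared secret is used as UTF-8 bytes; the function names and sample values are constructed.

```python
import base64
import binascii
import hashlib
import hmac


def sign_body(raw_body, shared_secret):
    """Base64(HMAC-SHA256(secret, body)), the header format the page describes."""
    mac = hmac.new(shared_secret, raw_body, hashlib.sha256).digest()
    return base64.b64encode(mac).decode("ascii")


def verify_webhook(raw_body, header_value, shared_secret):
    """Return True only if the header carries a valid MAC for these bytes."""
    if not header_value:
        return False  # a missing header is a failed check, not a pass
    try:
        received = base64.b64decode(header_value.strip(), validate=True)
    except (binascii.Error, ValueError):
        return False
    expected = hmac.new(shared_secret, raw_body, hashlib.sha256).digest()
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(received, expected)


# Constructed sample values (assumptions, not real LiveSwitch data).
SAMPLE_SECRET = "constructed-shared-secret".encode("utf-8")
SAMPLE_BODY = b'{"type":"channel.example","channelId":"demo"}'
SAMPLE_HEADER = sign_body(SAMPLE_BODY, SAMPLE_SECRET)
```

Verify against the bytes read from the request before any JSON parsing: re-serializing the parsed object can change whitespace or key order and will no longer match the signature.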
SSL (Secure Sockets Layer)
⁴SSL stands for Secure Sockets Layer and, in short, it's the standard technology for keeping an internet connection secure and safeguarding any sensitive data that is being sent between two systems, preventing criminals from reading and modifying any information transferred, including potential personal details. The two systems can be a server and a client (for example, a shopping website and browser) or server to server (for example, an application with personal identifiable information or with payroll information).
LiveSwitch uses OpenSSL 1.1.1 TLS on the server for cryptographic key exchange, which negotiates Encrypt-then-MAC by default.
Where Does LiveSwitch Store Your Data?
LiveSwitch Cloud does not store any text or media content sent by your app. This includes channel-level messages and connection-level audio streams, video streams, and data stream (data channel) messages. *Event metadata is retained as necessary to support session views, statistics, usage and other LiveSwitch Cloud Console and LiveSwitch Cloud API features.
Event Metadata
Event metadata includes application-level identifiers (channel ID, user alias, connection tag, etc.) as well as connection-level statistics (packet loss, bytes sent, jitter, etc.)
References
1. A Study of WebRTC Security
Mark Otto / Released under MIT License
© Copyright 2014 - 2022, Mark Otto
2. Federal Information Processing Standards (FIPS)
TechTarget / WhatIs.com
© Copyright 1999 - 2022, TechTarget, All Rights Reserved
3. HMAC
Wikipedia
Text is available under the Creative Commons Attribution-ShareAlike License 3.0; additional terms may apply. By using this site, you agree to the Terms of Use and Privacy Policy. Wikipedia® is a registered trademark of the Wikimedia Foundation, Inc., a non-profit organization.
4. What is SSL, TLS and HTTPS?
Websecurity.DigiCert.com
© Copyright 2022 DigiCert, Inc. All rights reserved