feat(e2ee) update to SFrame draft -02

Drop end to end signature. The impersonation attack vector is deemed out of
scope since insiders are already part of the meeting.

modules/e2ee/Context.js

@@ -67,9 +67,6 @@ export class Context {
         this._sendCount = BigInt(0); // eslint-disable-line new-cap
 
         this._id = id;
-
-        this._signatureKey = null;
-        this._signatureOptions = null;
     }
 
     /**
@@ -108,34 +105,6 @@ export class Context {
         this._sendCount = BigInt(0); // eslint-disable-line new-cap
     }
 
-    /**
-     * Sets the public or private key used to sign or verify frames.
-     * @param {CryptoKey} public or private CryptoKey object.
-     * @param {Object} signature options. Will be passed to sign/verify and need to specify byteLength of the signature.
-     *  Defaults to ECDSA with SHA-256 and a byteLength of 132.
-     */
-    setSignatureKey(key, options = {
-        name: 'ECDSA',
-        hash: { name: 'SHA-256' },
-        byteLength: 132 // Length of the signature.
-    }) {
-        this._signatureKey = key;
-        this._signatureOptions = options;
-    }
-
-    /**
-     * Decide whether we should sign a frame.
-     * @returns {boolean}
-     * @private
-     */
-    _shouldSignFrame() {
-        if (!this._signatureKey) {
-            return false;
-        }
-
-        return true;
-    }
-
     /**
      * Function that will be injected in a stream and will encrypt the given encoded frames.
      *
@@ -186,12 +155,7 @@ export class Context {
                 }
             }
 
-
-            // If a signature is included, the S bit is set and a fixed number
-            // of bytes (depending on the signature algorithm) is inserted between
-            // CTR and the trailing byte.
-            const signatureLength = this._shouldSignFrame(encodedFrame) ? this._signatureOptions.byteLength : 0;
-            const frameTrailer = new Uint8Array(counterLength + signatureLength + 1);
+            const frameTrailer = new Uint8Array(counterLength + 1);
 
             frameTrailer.set(new Uint8Array(counter.buffer, counter.byteLength - counterLength));
 
@@ -199,9 +163,6 @@ export class Context {
             // This is different from the sframe draft, increases the key space and lets us
             // ignore the case of a zero-length counter at the receiver.
             frameTrailer[frameTrailer.byteLength - 1] = keyIndex | ((counterLength - 1) << 4);
-            if (signatureLength) {
-                frameTrailer[frameTrailer.byteLength - 1] |= 0x80; // set the signature bit.
-            }
 
             // XOR the counter with the saltKey to construct the AES CTR.
             const saltKey = new DataView(this._cryptoKeyRing[keyIndex].saltKey);
@@ -236,13 +197,6 @@ export class Context {
                     // Set the truncated authentication tag.
                     newUint8.set(truncatedAuthTag, UNENCRYPTED_BYTES[encodedFrame.type] + cipherText.byteLength);
 
-                    // Sign with the long-term signature key.
-                    if (signatureLength) {
-                        const signature = await crypto.subtle.sign(this._signatureOptions,
-                            this._signatureKey, truncatedAuthTag);
-
-                        newUint8.set(new Uint8Array(signature), newUint8.byteLength - signature.byteLength - 1);
-                    }
                     encodedFrame.data = newData;
 
                     return controller.enqueue(encodedFrame);
@@ -274,42 +228,17 @@ export class Context {
 
         if (this._cryptoKeyRing[this._currentKeyIndex] && this._cryptoKeyRing[keyIndex]) {
             const counterLength = 1 + ((data[encodedFrame.data.byteLength - 1] >> 4) & 0x7);
-            const signatureLength = data[encodedFrame.data.byteLength - 1] & 0x80
-                ? this._signatureOptions.byteLength : 0;
             const frameHeader = new Uint8Array(encodedFrame.data, 0, UNENCRYPTED_BYTES[encodedFrame.type]);
 
             // Extract the truncated authentication tag.
             const authTagOffset = encodedFrame.data.byteLength - (DIGEST_LENGTH[encodedFrame.type]
-                + counterLength + signatureLength + 1);
+                + counterLength + 1);
             const authTag = encodedFrame.data.slice(authTagOffset, authTagOffset
                 + DIGEST_LENGTH[encodedFrame.type]);
 
-            // Verify the long-term signature of the authentication tag.
-            if (signatureLength) {
-                if (this._signatureKey) {
-                    const signature = data.subarray(data.byteLength - signatureLength - 1, data.byteLength - 1);
-                    const validSignature = await crypto.subtle.verify(this._signatureOptions,
-                            this._signatureKey, signature, authTag);
-
-                    if (!validSignature) {
-                        // TODO: surface this to the app. We are encrypted but validation failed.
-                        console.error('Long-term signature mismatch (or no signature key)');
-
-                        return;
-                    }
-
-                    // TODO: surface this to the app. We are now encrypted and verified.
-                } else {
-                    // TODO: surface this to the app. We are now encrypted but can not verify.
-                }
-
-                // Then set signature bytes to 0.
-                data.set(new Uint8Array(signatureLength), encodedFrame.data.byteLength - (signatureLength + 1));
-            }
-
             // Set authentication tag bytes to 0.
             data.set(new Uint8Array(DIGEST_LENGTH[encodedFrame.type]), encodedFrame.data.byteLength
-                - (DIGEST_LENGTH[encodedFrame.type] + counterLength + signatureLength + 1));
+                - (DIGEST_LENGTH[encodedFrame.type] + counterLength + 1));
 
             // Do truncated hash comparison of the authentication tag.
             // If the hash does not match we might have to advance the ratchet a limited number
@@ -350,8 +279,8 @@ export class Context {
             // Extract the counter.
             const counter = new Uint8Array(16);
 
-            counter.set(data.slice(encodedFrame.data.byteLength - (counterLength + signatureLength + 1),
-                encodedFrame.data.byteLength - (signatureLength + 1)), 16 - counterLength);
+            counter.set(data.slice(encodedFrame.data.byteLength - (counterLength + 1),
+                encodedFrame.data.byteLength - 1), 16 - counterLength);
             const counterView = new DataView(counter.buffer);
 
             // XOR the counter with the saltKey to construct the AES CTR.
@@ -369,7 +298,7 @@ export class Context {
             }, this._cryptoKeyRing[keyIndex].encryptionKey, new Uint8Array(encodedFrame.data,
                     UNENCRYPTED_BYTES[encodedFrame.type],
                     encodedFrame.data.byteLength - (UNENCRYPTED_BYTES[encodedFrame.type]
-                    + DIGEST_LENGTH[encodedFrame.type] + counterLength + signatureLength + 1))
+                    + DIGEST_LENGTH[encodedFrame.type] + counterLength + 1))
             ).then(plainText => {
                 const newData = new ArrayBuffer(UNENCRYPTED_BYTES[encodedFrame.type] + plainText.byteLength);
                 const newUint8 = new Uint8Array(newData);

modules/e2ee/Context.spec.js

@@ -170,172 +170,4 @@ describe('E2EE Context', () => {
             await sender.encodeFunction(makeAudioFrame(), sendController);
         });
     });
-
-    describe('E2EE Signature', () => {
-        let privateKey;
-        let publicKey;
-
-        // Generated one-time using
-        // await crypto.subtle.generateKey({name: 'ECDSA', namedCurve: 'P-521'}, false, ['sign', 'verify']);
-        // then exported as JWK. Only use as test vectors.
-        const rawPublicKey = {
-            crv: 'P-521',
-            ext: true,
-            key_ops: [ 'verify' ], // eslint-disable-line camelcase
-            kty: 'EC',
-            x: 'AEs3y1FyefvjTC6JaJ1s00k5CFnESu5xIofPAmu286Y4UWyx8kB3jTHPKDO8bK81XT2_HbbN9ONm2D5TYCCxoR5r',
-            y: 'AZHlLHuSEWM401dy2lo-nu100Hp1ixcYePf9sNboaZruXctvoAt_sAX6MM0NccHx4587yhWfn9NG7fCX60P5KAvA'
-        };
-        const rawPrivateKey = {
-            crv: 'P-521',
-            ext: true,
-            key_ops: [ 'sign' ], // eslint-disable-line camelcase
-            kty: 'EC',
-            d: 'AV3aTIFuO9Zm0SXVlnujUvlvGvyPrY0pEOtX2pxD2JwPvWWoLXfTA052MHhqiii2RORe_7Ivm_PNeBwhYcO04i-K',
-            x: 'AEs3y1FyefvjTC6JaJ1s00k5CFnESu5xIofPAmu286Y4UWyx8kB3jTHPKDO8bK81XT2_HbbN9ONm2D5TYCCxoR5r',
-            y: 'AZHlLHuSEWM401dy2lo-nu100Hp1ixcYePf9sNboaZruXctvoAt_sAX6MM0NccHx4587yhWfn9NG7fCX60P5KAvA'
-        };
-
-        beforeEach(async () => {
-            privateKey = await crypto.subtle.importKey('jwk', rawPrivateKey, { name: 'ECDSA',
-                namedCurve: 'P-521' }, false, [ 'sign' ]);
-            publicKey = await crypto.subtle.importKey('jwk', rawPublicKey, { name: 'ECDSA',
-                namedCurve: 'P-521' }, false, [ 'verify' ]);
-
-            await sender.setKey(key, 0);
-            await receiver.setKey(key, 0);
-            sender.setSignatureKey(privateKey);
-            receiver.setSignatureKey(publicKey);
-        });
-
-        it('signs the first frame', async done => {
-            sendController = {
-                enqueue: encodedFrame => {
-                    const data = new Uint8Array(encodedFrame.data);
-
-                    // Check that the signature bit is set.
-                    expect(data[data.byteLength - 1] & 0x80).toEqual(0x80);
-
-                    // An audio frame will have an overhead of 6 bytes with this counter and key size:
-                    //   4 bytes truncated signature, counter (1 byte) and 1 byte trailer.
-                    // In addition to that we have the 132 bytes signature.
-                    expect(data.byteLength).toEqual(audioBytes.length + 6 + 132);
-
-                    // TODO: provide test vector for the signature.
-                    done();
-                }
-            };
-            await sender.encodeFunction(makeAudioFrame(), sendController);
-        });
-
-        it('signs subsequent frames from different sources', async done => {
-            let frameCount = 0;
-
-            sendController = {
-                enqueue: encodedFrame => {
-                    frameCount++;
-                    const data = new Uint8Array(encodedFrame.data);
-
-                    expect(data[data.byteLength - 1] & 0x80).toEqual(0x80);
-
-                    if (frameCount === 2) {
-                        done();
-                    }
-                }
-            };
-
-            await sender.encodeFunction(makeAudioFrame(), sendController);
-
-            const secondFrame = makeAudioFrame();
-
-            secondFrame.getMetadata = () => {
-                return { synchronizationSource: 456 };
-            };
-            await sender.encodeFunction(secondFrame, sendController);
-        });
-
-        it('signs subsequent key frames from the same source', async done => {
-            let frameCount = 0;
-
-            sendController = {
-                enqueue: encodedFrame => {
-                    frameCount++;
-                    const data = new Uint8Array(encodedFrame.data);
-
-                    expect(data[data.byteLength - 1] & 0x80).toEqual(0x80);
-
-                    if (frameCount === 2) {
-                        done();
-                    }
-                }
-            };
-
-            await sender.encodeFunction(makeVideoFrame(), sendController);
-            await sender.encodeFunction(makeVideoFrame(), sendController);
-        });
-
-
-        it('signs subsequent frames from the same source', async done => {
-            let frameCount = 0;
-
-            sendController = {
-                enqueue: encodedFrame => {
-                    frameCount++;
-                    const data = new Uint8Array(encodedFrame.data);
-
-                    expect(data[data.byteLength - 1] & 0x80).toEqual(0x80);
-
-                    if (frameCount === 2) {
-                        done();
-                    }
-                }
-            };
-
-            await sender.encodeFunction(makeAudioFrame(), sendController);
-            await sender.encodeFunction(makeAudioFrame(), sendController);
-        });
-
-        it('signs after ratcheting the sender key', async done => {
-            let frameCount = 0;
-
-            sendController = {
-                enqueue: encodedFrame => {
-                    frameCount++;
-                    const data = new Uint8Array(encodedFrame.data);
-
-                    expect(data[data.byteLength - 1] & 0x80).toEqual(0x80);
-
-                    if (frameCount === 2) {
-                        done();
-                    }
-                }
-            };
-
-            await sender.encodeFunction(makeAudioFrame(), sendController);
-
-            // Ratchet the key. We reimport from the raw bytes.
-            const material = await importKey(key);
-
-            await sender.setKey(await ratchet(material), 0);
-            await sender.encodeFunction(makeAudioFrame(), sendController);
-        });
-
-        it('verifies the frame', async done => {
-            sendController = {
-                enqueue: async encodedFrame => {
-                    await receiver.decodeFunction(encodedFrame, receiveController);
-                }
-            };
-            receiveController = {
-                enqueue: encodedFrame => {
-                    const data = new Uint8Array(encodedFrame.data);
-
-                    expect(data.byteLength).toEqual(audioBytes.length);
-                    expect(Array.from(data)).toEqual(audioBytes);
-                    done();
-                }
-            };
-            await sender.encodeFunction(makeAudioFrame(), sendController);
-        });
-    });
 });

modules/e2ee/E2EEContext.js

@@ -139,17 +139,4 @@ export default class E2EEcontext {
             keyIndex
         });
     }
-
-    /**
-     * Set the E2EE signature key for the specified participant.
-     * @param {string} participantId - the ID of the participant who's key we are setting.
-     * @param {CryptoKey} key - the webcrypto key to set.
-     */
-    setSignatureKey(participantId, key) {
-        this._worker.postMessage({
-            operation: 'setSignatureKey',
-            participantId,
-            key
-        });
-    }
 }

modules/e2ee/E2EEncryption.js

@@ -17,13 +17,6 @@ const logger = getLogger(__filename);
 // joins or leaves.
 const DEBOUNCE_PERIOD = 5000;
 
-// We use ECDSA with Curve P-521 for the long-term signing keys. See
-//   https://developer.mozilla.org/en-US/docs/Web/API/EcKeyGenParams
-const SIGNATURE_OPTIONS = {
-    name: 'ECDSA',
-    namedCurve: 'P-521'
-};
-
 /**
  * This module integrates {@link E2EEContext} with {@link JitsiConference} in order to enable E2E encryption.
  */
@@ -39,7 +32,6 @@ export class E2EEncryption {
         this._enabled = false;
         this._initialized = false;
         this._key = undefined;
-        this._signatureKeyPair = undefined;
 
         this._e2eeCtx = new E2EEContext();
         this._olmAdapter = new OlmAdapter(conference);
@@ -131,17 +123,6 @@ export class E2EEncryption {
         this._enabled = enabled;
 
         if (!this._initialized && enabled) {
-            // Generate a frame signing key pair. Per session currently.
-            this._signatureKeyPair = await crypto.subtle.generateKey(SIGNATURE_OPTIONS,
-                true, [ 'sign', 'verify' ]);
-            this._e2eeCtx.setSignatureKey(this.conference.myUserId(), this._signatureKeyPair.privateKey);
-
-            // Serialize the JWK of the signing key. Using JSON, might be easy to xml-ify.
-            const serializedSigningKey = await crypto.subtle.exportKey('jwk', this._signatureKeyPair.publicKey);
-
-            // TODO: sign this with the OLM account key.
-            this.conference.setLocalParticipantProperty('e2ee.signatureKey', JSON.stringify(serializedSigningKey));
-
             // Need to re-create the peerconnections in order to apply the insertable streams constraint.
             // TODO: this was necessary due to some audio issues when indertable streams are used
             // even though encryption is not performed. This should be fixed in the browser eventually.
@@ -268,19 +249,6 @@ export class E2EEncryption {
         case 'e2ee.idKey':
             logger.debug(`Participant ${participant.getId()} updated their id key: ${newValue}`);
             break;
-        case 'e2ee.signatureKey':
-            logger.debug(`Participant ${participant.getId()} updated their signature key: ${newValue}`);
-            if (newValue) {
-                const parsed = JSON.parse(newValue);
-
-                const importedKey = await crypto.subtle.importKey('jwk', parsed, { name: 'ECDSA',
-                    namedCurve: parsed.crv }, true, parsed.key_ops);
-
-                this._e2eeCtx.setSignatureKey(participant.getId(), importedKey);
-            } else {
-                logger.warn(`e2ee signatureKey for ${participant.getId()} could not be updated with empty value.`);
-            }
-            break;
         }
     }
 

modules/e2ee/Worker.js

@@ -58,16 +58,6 @@ onmessage = async event => {
         } else {
             context.setKey(false, keyIndex);
         }
-    } else if (operation === 'setSignatureKey') {
-        const { participantId, key, signatureOptions } = event.data;
-
-        if (!contexts.has(participantId)) {
-            contexts.set(participantId, new Context(participantId));
-        }
-        const context = contexts.get(participantId);
-
-        context.setSignatureKey(key, signatureOptions);
-
     } else if (operation === 'cleanup') {
         const { participantId } = event.data;