User controlled trust and security level of Web real-time communications

Kevin Corre 1
1 DiverSe - Diversity-centric Software Engineering
Inria Rennes – Bretagne Atlantique , IRISA_D4 - LANGAGE ET GÉNIE LOGICIEL
Abstract : In this thesis, we propose three main contributions : In our first contribution we study the WebRTC identity architecture and more particularly its integration with existing authentication delegation protocols. This integration has not been studied yet. To fill this gap, we implement components of the WebRTC identity architecture and comment on the issues encountered in the process. In order to answer RQ1, we then study this specification from a privacy perspective an identify new privacy considerations related to the central position of identity provider. In the Web, the norm is the silo architecture of which users are captive. This is even more true of authentication delegation systems where most of the time it is not possible to freely choose an identity provider. In order to answer RQ3, we conduct a survey on the top 500 websites according to Alexa.com to identify the reasons why can't users choose their identity provider. Our results show that while the choice of an identity provider is possible in theory, the lack of implementation of existing standards by websites and identity providers prevent users to make this choice. In our second contribution, we aim at giving more control to users. To this end and in order to answer RQ2, we extend the WebRTC specification to allow identity parameters negotiation. We present a prototype implementation of our proposition to validate it. It reveals some limits due to the WebRTC API, in particular preventing to get feedback on the other peer's authentication strength. We then propose a web API allowing users to choose their identity provider in order to authenticate on a third-party website, answering RQ2. Our API reuse components of the WebRTC identity architecture in a client-server authentication scenario. Again, we validate our proposition by presenting a prototype implementation of our API based on a Firefox extension. Finally, in our third contribution, we look back on RQ1 and propose a trust and security model of a WebRTC session. Our proposed model integrates in a single metric the security parameters used in the session establishment, the encryption parameters for the media streams, and trust in actors of the communication setup as defined by the user. Our model objective is to help non-expert users to better understand the security of their WebRTC session. To validate our approach, we conduct a preliminary study on the comprehension of our model by non-expert users. This study is based on a web survey offering users to interact with a dynamic implementation of our model.
Liste complète des métadonnées

https://tel.archives-ouvertes.fr/tel-01943728
Contributor : Abes Star <>
Submitted on : Tuesday, December 4, 2018 - 10:22:29 AM
Last modification on : Thursday, December 20, 2018 - 1:30:45 AM
Document(s) archivé(s) le : Tuesday, March 5, 2019 - 1:24:40 PM

File

CORRE_Kevin.pdf
Version validated by the jury (STAR)

Identifiers

  • HAL Id : tel-01943728, version 1

Citation

Kevin Corre. User controlled trust and security level of Web real-time communications. Cryptography and Security [cs.CR]. Université Rennes 1, 2018. English. ⟨NNT : 2018REN1S029⟩. ⟨tel-01943728⟩

Share

Metrics

Record views

92

Files downloads

306