Posts Tagged ietf

How to Communicate Securely over the Internet

Today, I published a new Internet-Draft on how to communicate securely over the Internet using a new web technology known as WebRTC and the ZRTP protocol.  Using this technique, Internet users can determine if the National Security Agency, or anyone else, is listening in on their calls placed using a web browser.  There are already a number of commercial and open source products utilizing ZRTP, including Silent Circle, Jitsi, and others, but this new technique opens it up for all web users.

The WebRTC Book

For those of you not involved in the VoIP or video conferencing world, WebRTC, or Web Real-Time Communications, is a new standards effort to add real-time voice and video communications capabilities to web browsers.  This allows web developers to add voice and video communications with a few standard JavaScript calls.  All the pieces needed to communicate, including codecs and the ability to traverse NAT and firewalls, are built into the browser.  Today, WebRTC is available in the Chrome and Firefox browsers, and in Chrome for Android.  I’ve written a book on WebRTC if you want to learn more about it.

With WebRTC, all media flows are encrypted and authenticated using Secure RTP, or SRTP.  Unfortunately, the keying method chosen for WebRTC is DTLS-SRTP, or Datagram Transport Layer Security for Secure Real-time Transport Protocol.  DTLS-SRTP on its own does not provide protection against Man-in-the-Middle (MitM) attacks, the active attacks that let a third party eavesdrop on a session.  Today, the news is full of reasons why Internet users need such protection.  We now know the surveillance of Internet users is widespread.

The ZRTP security protocol, published as RFC 6189 back in 2011, was invented by Phil Zimmermann to allow Internet users to communicate securely and privately over the Internet.  ZRTP was not selected as the default keying method for WebRTC, despite it being the ideal candidate.

However, ZRTP can still be used to provide MitM protection for WebRTC sessions established using DTLS-SRTP.  As described in the new Internet-Draft written by myself, Phil Zimmermann, Jon Callas, Travis Cross, and John Yoakum, ZRTP can be implemented in JavaScript and run in both browsers over the WebRTC data channel.  The ZRTP exchange is used to compare the DTLS-SRTP fingerprints used to establish the media flows.  If the fingerprints match, and the ZRTP exchange is authenticated by the users comparing the Short Authentication Strings (SAS) displayed on each browser, the WebRTC media sessions are free of MitM attackers.

Jitsi Short Authentication String

How does this work?  You’ll have to read the ZRTP specification to find out exactly how, but in simple technical terms, it is because ZRTP uses a Diffie-Hellman key exchange augmented with a hash commitment: the initiator commits to a hash of its Diffie-Hellman value before seeing the other side’s value, so an attacker in the middle cannot pick values that would make the two sides’ short strings agree.  This allows the SAS, which can be two words or four hex digits, to prove that a media session has no eavesdroppers present.

We have documented this usage of ZRTP with WebRTC in the Internet-Draft document draft-johnston-webrtc-zrtp.  Hopefully soon there will be some open source ZRTP JavaScript libraries freely available for web developers.

Everyone needs privacy in their communication, and WebRTC with ZRTP finally provides a real solution to all Internet users.



Following WebRTC

WebRTC, Web Real-Time Communications, is a fast moving topic these days!  Here are a few of my suggestions for how to keep up.

First a note about terminology.  Although Google named their open source project webrtc, WebRTC is not just a Google project, it is a major industry initiative involving open Internet standards being developed by many participants.  Don’t confuse these two!

1. Follow Browser Announcements and Releases

Google and Mozilla are the browser makers most actively implementing WebRTC today.  WebRTC is available in the Google Chrome Beta browser. Download it and give it a try for the latest WebRTC extensions.  Some future WebRTC capabilities may be in Google’s Chrome Canary, which is the developer preview version of the browser.  To experiment with Mozilla Firefox, you will need to use their nightly build.  Microsoft Internet Explorer and Apple Safari don’t yet have anything available, but you can track their future announcements here and here.

2. Follow the Standards

WebRTC is not just about browser deployments; it is about standard APIs and standard protocols.  To really follow what is going on in WebRTC, you need to track the standards being developed in the W3C and IETF.  This can be a bit tricky, but the W3C WEBRTC Working Group and the IETF RTCWEB Working Group are a good place to start.

If you have an eReader, try this out.  Here is a link to download the entire set of RTCWEB IETF Internet-Drafts in EPUB format, and here is the set in MOBI format.  Various other sets of IETF documents and RFCs are also available.  The conversion is done using a script written by Tero Kivinen – nice job!  The formatting of the ASCII art is not 100%, but this is a difficult problem.  The MOBI format worked better for me than the EPUB version, but YMMV.  Perhaps one day the IETF will adopt a friendlier format for Internet-Drafts and RFCs, but I’m not holding my breath!

3. Try WebRTC sites and applications

There are a number of sites and applications already taking advantage of WebRTC features.  One of my favorites is FrisB, a cool new way to think about browser to PSTN communication.  You can find plenty of others by searching the web.  Also, many developers announce and discuss their WebRTC projects on Twitter, so searching with the #webrtc hashtag can find lots of cool things.

There are some interesting blogs out there on WebRTC, including a blog by Tsahi Levent-Levi.

For background on WebRTC, there are some decent resources.  You might enjoy this video presentation by one of the editors of the W3C WebRTC specification, Cullen Jennings.  If you like books, you might like “WebRTC: APIs and RTCWEB Protocols of the HTML5 Real-Time Web”, written by myself and Dan Burnett, who is also a co-author of the main WebRTC spec and of the Media Capture and Streams specification.

Best of luck in following WebRTC!  Feel free to share your own favorite ways and links to follow this work.


My Year – 2011

As 2011 draws to a close, I wanted to take a moment to thank everyone who has helped me this year. It has been an amazing year! Here’s a short list of my highlights:

– In January I gave a SIP Tutorial for the FCC staff in DC. It was a great event, and hopefully I will get another chance to do it again in 2012. The FCC has lots of VoIP and SIP work to do with the transition of the PSTN and E911 to all VoIP. Hopefully we can soon end the ridiculous subsidies for rural telephone service and instead use them to subsidize high speed Internet service for rural areas.  My friend Henning Schulzrinne was just appointed Chief Technology Officer, so I know the FCC is in good hands technically.  I also enjoyed giving the SIP Tutorial in Miami, Sydney, and Austin.

– In February I published my first novel, a techno thriller about a massive attack on the Internet that gives this blog its name – Counting from Zero. Little did I know how many hacking and security stories there would be in 2011. Some have even called 2011 the Year of the Hacktivist, which is hard to argue with. Overall, I couldn’t be happier with the response to the book. Thank you so much to anyone who has read, reviewed, tweeted, or blogged about it – I am very grateful. Look for more book news in early 2012…

– In February I also started blogging and using Twitter. It has been a lot of fun! Thanks to everyone who has read my blog posts or followed me on Twitter.

– In March I participated in my first robotics competition. The experience was amazing, and I look forward to the start of another build season in just over a week!

– In April, the ZRTP VoIP media security protocol was published as an RFC by the IETF, after 6 years of hard work.  Editing this document is my small contribution to making the Internet more secure.  Here’s to more adoption and deployment in 2012.

– In May the RTCWEB Working Group was chartered by the IETF. The work is progressing slowly but steadily. I expect more progress in 2012, and hope for some strong security to be built into the protocols – let’s show that we have learned something over the years…

– In June, I participated in the first ever SIP Network Operators Conference, or SIPNOC for short. It was a great success and really shows how SIP has grown up. I am privileged to have another term on the Board of Directors of the SIP Forum. With the publication of SIPconnect, the SIP Trunking recommendation, the business use of SIP continues to grow and expand.

– In November, I had my first experience as a cricket coach. My son started the Priory Amateur Cricket Association, or PACA, as a club at his school. It has been a blast so far helping the boys learn the basics of cricket. They have done a great job, although we need to reduce the number of no balls! In 2012 we plan to play a one day match against a local cricket club.

So, here’s to 2011 – it was definitely an interesting year!  I hope it was a good one for you and yours.  Here’s to 2012!


Websockets and SIP

Yesterday, RFC 6455, The WebSocket Protocol, was published by the IETF. This is the latest standard in the efforts to enable more applications to run in the web browser. This protocol, when supported in a browser and web server, allows the two to open additional TCP connections between them, besides the one they are using for the web session to send HTML, JavaScript, etc. to the browser.

One area of application is WebRTC, the work to enable real-time communications services in web pages. One approach that has been discussed in both the IETF and W3C is to use Websockets to open a new connection between the browser and web server, and run a signaling, presence, or instant messaging protocol over it. For example, it had been proposed to run SIP, Session Initiation Protocol, this way.

A few months ago I blogged about WebRTC and SIP, and argued that SIP should not be standardized by WebRTC, as had been proposed back then. I still believe this is correct, and recent work in the IETF has centered around instead standardizing some kind of offer/answer media negotiation protocol, while leaving the choice of signaling protocol open.

Recently a new Internet-Draft was submitted on a WebSocket transport for Session Initiation Protocol. I think this is a potentially useful approach and could be a good way to utilize SIP in conjunction with WebRTC. The draft is still in its early days, and has not yet been adopted by the SIPCORE Working Group, but I think it is a great start. SIP developers who are interested in the WebRTC effort should read this draft and support this work.

In the meantime, it is great to see WebSocket finally published as an RFC, something I hope to see happen to a few of my Internet-Drafts in the new year!


If you are interested in WebRTC, you might like my new book “WebRTC: APIs and RTCWEB Protocols of the HTML5 Real-Time Web”.

WebRTC: APIs and RTCWEB Protocols of the HTML5 Real-Time Web Book Cover




ZRTP Published Today as RFC 6189

Today ZRTP was published by the IETF as RFC 6189. This is a big deal to me for a number of reasons. Let me explain.

RFCs, or Requests For Comments, are the publications that describe the technical details of how the Internet works. They go all the way back to the earliest days of the ARPANET, when they were used to share information among a small group of researchers. RFCs are published by the RFC Editor and cover Internet fundamentals such as TCP, IP, and SMTP. My first RFC was one for Session Initiation Protocol, or SIP, which was published as RFC 3261. Since then, I have published 14 others, but I’m most proud of this one.

ZRTP is a security protocol for providing privacy for VoIP calls over the Internet. It was invented by Phil Zimmermann, who invented PGP (Pretty Good Privacy) for email encryption in the 90’s. When I met him in 2005, he had an idea of how to encrypt voice calls and some very rough prototype code. I helped him turn it into a protocol, and wrote the outline of the document that was published today.  I’ve been the editor of this document for the past 5 years.

I think ZRTP is the best way to secure voice and video over the Internet. The reasons are a bit technical, but perhaps I’ll attempt to explain why in another post. In the meantime, Phil Zimmermann’s Zfone Project web page has some good points in it.

Oh, and there is one other reason why I’m proud of this document – I came up with the name ZRTP. RTP stands for Real-time Transport Protocol. And of course, Z stands for Phil!  It was a joke at first, but it kind of stuck.

ZRTP even makes an appearance in my techno thriller novel, Counting from Zero. The protagonist, Mick O’Malley, uses ZRTP to ensure that all his voice and video communication is private, thwarting those who would like to wiretap his communications.

It has been a lot of work getting this RFC published, and I’m quite proud of the work. And over the years, I’ve become good friends with Phil, which is a real bonus.

Today I’m going to have a mini celebration – happy first birthday ZRTP, RFC 6189!



The Path to Publication


Counting from Zero Book by Alan B. Johnston

In my first blog posting, I covered writing the first draft of Counting from Zero.  I thought that was the hard part, until I realized the path in front of me to get to publication!

First, I needed feedback from readers, so I enlisted various friends and family, some in the publishing industry, some not.  My brother Chris was an early reviewer and gave me good feedback on the part on the water. (I’m being deliberately vague for future readers who haven’t yet read the book!)  I made quite a few tweaks and changes, and fixed seemingly a million typos and nits.  I probably went through four major drafts over a period of about eight months.  Fortunately, I had my IETF (Internet Engineering Task Force) standards writing experience behind me, which had taught me how many revisions are sometimes needed before something is ready for publication.  I often describe IETF standards as the ultimate peer reviewed documents.  For example, one of the documents I co-authored underwent 21 revisions over 9 years before it was finalized and published as an RFC document! (Here is only the latter part of the journey!)

Once I felt I had the manuscript ready, I had it copyedited and proofread.  I then wrote a one page ‘query letter’ to literary agents and began sending it all over.  I was shocked at how many agents will not accept a query by email!  They actually require you to kill a tree, pay money to the postal service, and have it delivered as snail mail – just so they can read it on a piece of paper!  I didn’t query any of those agents – if they are so last century in their business methods, would they even appreciate my high tech thriller?  Not likely!  I probably sent out about 120 queries in total.  I ended up getting about a dozen requests for a partial or full manuscript.  Then I waited… and waited… and waited.

Then the whole Wikileaks Internet wars started.  I knew something amazing was happening when I saw a USA Today headline that mentioned botnets!  The timing was right, and I could not wait forever (or more than 8 weeks) for someone to skim a manuscript.  I did eventually talk to one helpful agent who was interested, but she warned me that it would be about 6 months before she could get to work on it, and then it would likely take 12 months to land a publisher, and then it would likely be 12-18 months of publisher rewrites, edits, and process delays before it would be published!  And I thought the 6-8 month timelines I have had with my technical book publishers, Artech House and Wiley, were a long time!  For technology topics, these timelines are outrageously long!

So, I decided to take the plunge and self-publish.  It was not as difficult as it might seem, although writing the promotional material was really, really hard.  I had some help from friends in the industry, but that was definitely the hardest part.  I used an app from Amazon called ‘kindlegen’ which worked pretty well to produce a .mobi file from a .html source file.  I was also pleased to be given the opportunity to sell my work in the Amazon Kindle store without any DRM (Digital Rights Management), but that is a topic for another day…

I used the excellent online tools at Smashwords (great name!) to generate the other eBook formats, and I was quite happy with the results there, although there are a few font issues that I wasn’t able to fully resolve in all formats.  The community at Smashwords seems really great as well, and I look forward to getting involved there.

For me, the two best things about self publishing are that I kept creative control of the book (there isn’t anything in there I didn’t want) and that I published on my timeline, not anyone else’s.

So right now I am quite happy with the experience, and getting feedback from friends, family, and people I don’t know about my book is just the best!   Next time I’ll share some thoughts about my experiences using social media to promote self-published eBooks.
