Encryption algorithms and the patents around them are complex
As part of Chrome 52 release there were some performance and security enhancements, one of them was the decision to switch over to using Elliptic Curve Cryptography for generating the self-sign certificate used in the DTLS handshake.
Since the Elliptic Curve Digital Signature Algorithm (ECDSA) is mandatory in WebRTC, applications must support it in order to interoperate with WebRTC.
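To make the change concrete, the following added example (my own illustration, not code from Chrome, WebRTC or any project mentioned in this post) uses the OpenSSL command line to generate the kind of ECDSA (P-256) self-signed certificate a WebRTC endpoint presents in the DTLS handshake, confirms the certificate is signed with ecdsa-with-SHA256, and derives the SHA-256 fingerprint that the endpoint would advertise in the SDP a=fingerprint line so the remote peer can bind the DTLS handshake to the signalled identity. It assumes the openssl CLI is installed; the file names, subject and validity period are arbitrary choices.

```shell
#!/bin/sh
# Added example (not part of the original post): generate an ECDSA P-256
# self-signed certificate of the kind used for WebRTC DTLS, inspect its
# signature algorithm, and compute the SDP fingerprint for it.
# Assumes the openssl CLI is on PATH; paths and subject are arbitrary.
set -eu

WORKDIR="$(mktemp -d)"
KEY="$WORKDIR/ecdsa-key.pem"
CERT="$WORKDIR/ecdsa-cert.pem"
trap 'rm -rf "$WORKDIR"' EXIT

# Generate a P-256 (prime256v1) private key and a self-signed certificate.
# The subject is irrelevant for WebRTC: peers trust the fingerprint, not the name.
gen_ecdsa_cert() {
  openssl ecparam -name prime256v1 -genkey -noout -out "$KEY"
  openssl req -x509 -new -key "$KEY" -subj "/CN=WebRTC" -days 30 -sha256 \
    -out "$CERT" 2>/dev/null
}

# Print the signature algorithm of the certificate; an interoperating DTLS
# stack must be able to verify this algorithm (expected: ecdsa-with-SHA256).
cert_sig_alg() {
  openssl x509 -in "$CERT" -noout -text | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

# Build the SDP attribute: "a=fingerprint:sha-256 " followed by the SHA-256
# digest of the DER-encoded certificate as colon-separated uppercase hex bytes.
sdp_fingerprint() {
  fp="$(openssl x509 -in "$CERT" -noout -fingerprint -sha256 | cut -d= -f2)"
  printf 'a=fingerprint:sha-256 %s\n' "$fp"
}

# Stand-alone run: create the certificate and show what a peer would check.
gen_ecdsa_cert
cert_sig_alg
sdp_fingerprint
```

A server that terminates DTLS for WebRTC clients only needs to verify that the certificate it receives in the handshake hashes to the fingerprint signalled in the SDP; the output of sdp_fingerprint is exactly that value, and cert_sig_alg shows the algorithm the server's TLS library must support to complete the handshake with a Chrome 52 client.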
In my previous post about this, I mentioned the possible interoperability gap for applications that connect WebRTC with other worlds or any other application that provides services to WebRTC clients.
Avoiding the interoperability gap
When we started SwitchRTC we decided to base our media server on the WebRTC open source instead of developing this part from scratch.
SwitchRTC is a cloud native, decomposed SFU for large scale multiparty video and broadcasting (WebRTC CDN) that provides flexible media handling APIs for implementing complex media and stream management scenarios.
This wasn’t easy because it required us to make changes in the WebRTC code in order to turn it into a media server that handles a large number of peers.
When presenting SwitchRTC I always mention this fact and the 2 main advantages:
- We are interoperable by design as we regularly update the WebRTC version we use and therefore it is essentially the same WebRTC on client and server ends
- We immediately benefit from the new features and quality enhancements of WebRTC as they are released
This decision proved to be right also in the case of ECDSA as we didn’t suffer from any interoperability issues following this change.
The patents issue
Lately I was pinged with questions from people concerned about the patents related to ECDSA, mainly regarding the impact of these patents on applications using it to connect to or serve WebRTC clients.
Now let’s get this clear. I’m not a legal counsel or patents expert so my conclusion and analysis below should be taken with a grain of salt and shouldn’t replace legal advice if you believe there should be concerns for your specific application (and that’s the end of my legal disclaimer).
First and foremost, Chromium is using BoringSSL which is a fork of OpenSSL. Google doesn’t recommend using BoringSSL for 3rd party applications as they change the APIs regularly but OpenSSL is clearly an option.
In this IP Rights Grant on WebRTC.org, Google provides a license to use WebRTC and patents they own or licensed. Meaning they stand behind their usage of BoringSSL forked from OpenSSL.
Additional IP Rights Grant (Patents)
“This implementation” means the copyrightable works distributed by Google as part of the WebRTC code package.
Google hereby grants to you a perpetual, worldwide, non-exclusive, no-charge, irrevocable (except as stated in this section) patent license to make, have made, use, offer to sell, sell, import, transfer, and otherwise run, modify and propagate the contents of this implementation of the WebRTC code package, where such license applies only to those patent claims, both currently owned by Google and acquired in the future, licensable by Google that are necessarily infringed by this implementation of the WebRTC code package. This grant does not include claims that would be infringed only as a consequence of further modification of this implementation. If you or your agent or exclusive licensee institute or order or agree to the institution of patent litigation against any entity (including a cross-claim or counterclaim in a lawsuit) alleging that this implementation of the WebRTC code package or any code incorporated within this implementation of the WebRTC code package constitutes direct or contributory patent infringement, or inducement of patent infringement, then any patent rights granted to you under this License for this implementation of the WebRTC code package shall terminate as of the date such litigation is filed.
Another interesting usage of OpenSSL is by Cisco on the Cisco Meeting App which specifically uses Elliptic Curve (see page 38).
Although I’m not a patent expert, the backing of Google and the usage of ECDSA by large companies such as Cisco (although they may have their own related patents to defend themselves) should probably be an all-clear signal to those concerned with this.
I’m not saying there aren’t claims around Elliptic Curve but that doesn’t mean they are specifically related to the implementation of ECDSA in WebRTC.