E2EE in lib-jitsi-meet

JuniNewbie · September 16, 2021, 8:02am

Hello, I want to ask is there a way at the moment to use our own key for e2ee ?
We have an application which uses lib-jitsi-meet, but the application itself have rooms, chat etc., and some of these rooms are encrypted with a key.
We can make a jitsi call (with lib-jitsi-meet) within any of these rooms and our task is if the room is encrypted, to get its key and when we make a jitsi call to use that key for the jitsi E2EE.

At the moment I see jitsi automatically make keys and provide them between the participants.

damencho · September 16, 2021, 11:59am

@saghul ?

ilDuna · November 23, 2021, 4:25pm

Do we have any news on this?
I see two interesting commits:
https://github.com/jitsi/lib-jitsi-meet/commit/afc006e99a42439c305c20faab50a1f786254676
https://github.com/jitsi/jitsi-meet/commit/2e69ec71c563e479ef25aa56635eecaa6f7e7356

Any idea / doc on how externally managed key mode will be implemented?
Example: the key will be injected like a jwt token with a query string parameter

pdarcos · November 23, 2021, 4:59pm

I asked the same question here

saghul · November 24, 2021, 1:35pm

Hey folks, sorry I missed this thread.

We are waiting on some validation checks, but externally managed E2EE mode has landed indeed.

This mode is for those who are integrating Jitsi Meet into other applications which already have some kind of E2EE channel where they can derive a shared secret from. This API allows for setting the (shared) key material externally. Jitsi Meet will use it without further deriving it.

pdarcos · November 24, 2021, 4:25pm

Thanks @saghul

Can you explain in a little more detail how jitsi expects to get the secret from an external service?

ilDuna · November 25, 2021, 9:41am

I think we need to fork jitsi-meet.
Add a custom layer to share the secret / key, and finally dispatch a SET_MEDIA_ENCRYPTION_KEY action.
Maybe enabling the externallyManagedKey flag in the settings, just disables all the key rotation stuff…

saghul · November 25, 2021, 11:26am

With this API from the iframe: jitsi-meet/external_api.js at 7bbc3bcf9e2d9dfd9b5ff5cc89c1d32f4701b548 · jitsi/jitsi-meet · GitHub

You pass an object with 2 properties, the CryptoKey itself and an index (to support key rotation). Then you can turn e2ee on and that key will be used: jitsi-meet/external_api.js at 7bbc3bcf9e2d9dfd9b5ff5cc89c1d32f4701b548 · jitsi/jitsi-meet · GitHub

You don’t need to do that, there is an API for it in the iframe.

a30 · July 24, 2022, 2:08pm

Greetings,

Regarding the provided steps to manage the keys externally. I tried to implement the steps as mentioned and seems it does not work in my setup so please correct me if I made any mistakes.

my implementation is as follows:

1-[jitsi-meet] in the config.js file, I added the following piece of code:

   e2ee: {
    labels: {
        labelTooltip: 'Tooltip',
        description: 'Description',
        label: 'E2EE',
        warning: 'Warning'
    },
    externallyManagedKey: true
},

2-[IFrame] client 1 I added the following piece of code:

 participantRoleChanged = async (event) => {

if (event.role === "moderator" && this.props.isModerator) {
    this.api.executeCommand(
    "setMediaEncryptionKey",
     '{ "key" : " [224,43,219,155,8,41,213,245,130,222,60,164,59,155,60,228,8,161,44,93,247,160,192,58,134,9,194,26,117,47,21,56]", "index":  0}'
   );
  this.api.executeCommand('toggleE2EE', true);
}

what is happening exactly is that when client 2 joins the conference, end-to-end encryption is turned off.
Thank you in advance.

saghul · July 25, 2022, 7:07am

Does the other participant have the key too?

a30 · July 26, 2022, 12:45pm

yes,

The other participant code is as follows:

handleVideoConferenceJoined = async (participant) => {
this.api.executeCommand(
“setMediaEncryptionKey”,
‘{ “key” : [100, 175, 30, 245, 105, 114, 96, 219, 125, 87, 54, 124, 41, 165, 61, 22, 179, 127, 177, 253,
189, 25, 157, 26, 75, 16, 238, 20, 180, 221, 17, 190],“index”: 0}’
);
};

what I am getting is the below error message in the first participant console:

Failed to execute ‘encrypt’ on ‘SubtleCrypto’: parameter 2 is not of type ‘CryptoKey’.
at Context.encodeFunction

Moreover, when I try to debug the keyInfo in the setKey function of the class ExternallyManagedKeyHandler [lib-jitsi-meet] I got the following key info:

{“encryptionKey”:false,“index”:0}

saghul · July 26, 2022, 2:46pm

The setMediaEncryptionKey takes an object with a encryptionKey property of type CryptoKey and an index property of type number.

a30 · July 26, 2022, 3:42pm

my understanding of the Olm is that it takes four Curve25519 inputs: Identity keys(public keys)for participant1 and participant2, and one-time keys for paricipint1 and participant2… and what we try to set through the setMediaEncryptionKey command is the one-time keys for both participants.

silvestrpredko · July 26, 2022, 6:52pm

I am also curious on how to set properly own keys for e2ee. What I found is that
setMediaEncryptionKey goes there. And it uses AES symmetric encryption. Could you please take a look? Maybe I am wrong in my suspicions.

P.S If it’s possible could you please share your code as an example?

saghul · July 27, 2022, 7:34am

When using the self-managed mode Olm is not involved. The user supplies the encryption key which will be used for media encryption using AES-GCM (256). So it has to be a key long enough to be usable for that encryption type: jitsi-meet/middleware.js at 346aadc23d6f20b5f8815a682147a45090194acb · jitsi/jitsi-meet · GitHub

saghul · July 27, 2022, 7:35am

You are right. In the Olm case we use to Olm to establish an E2EE channel throough which randomly generated keys are exchanged to perform the symmetric encryption over the media.

In the self-managed mode the use does the key exchange and provides the symmetric key.

pdarcos · July 27, 2022, 2:47pm

Hey Saghul,

You said “In the Olm case we use to Olm to establish an E2EE channel throough which randomly generated keys are exchanged to perform the symmetric encryption over the media.”
Can you point to where in the source code this key establishment happens exactly? I wanted to basically substitute your current version (using unauthenticated megolm) with a new version using megolm too but with some sort of authentication.

Thanks!

saghul · July 28, 2022, 7:26am

We don’t use megolm at all. That’s the single ratchet used for groupchat messages in Matrix. Instead, we send the keys individually to each participant over the Olm channel, which is using the double-ratchet.

This is where the source is: lib-jitsi-meet/OlmAdapter.js at master · jitsi/lib-jitsi-meet · GitHub

Ideally we’d have the ability to do SAS validation (maybe this is what you mean?) but that doesn’t imply replacing the existing channel, it’s something “added on top”. I got started 2 years ago but never managed to finish it: GitHub - saghul/lib-jitsi-meet at e2ee-sas you’re welcome to take it over and send a PR if you finalize it

silvestrpredko · July 28, 2022, 12:37pm

I got the point, you are using OLM only for secure sharing of a symmetric encryption key?

saghul · July 28, 2022, 12:43pm

Keys, multiple, one per participant, but yeah.