Specifications of Jitsi Encryption

Hi! This is Markus from Rocket.Chat.

We are getting a lot of questions from our users about technical specifications on the encryption algorithms that we use. As Jitsi is often integrated by our users as the preferred conferencing solution, the questions also extend into Jitsi, especially when used in security-sensitive environments.
I was wondering if you could point me to this information or if there is something like a technical white paper including this information. Thanks!

Questions in particular:
how encryption is done,
which ciphers are used,
which hashes are used,
implementations against (e.g. man in the middle) attacks

Bringing you in, @saghul

Hey Markus,

Good to see you here, welcome to our community!

Being WebRTC compatible, and running in a browser-like environment, the encryption is provided by such environment. WebRTC mandates SRTP-DTLS to be used, so that’s what we use. You can find some more detail about the ciphers and hashes here: https://www.callstats.io/blog/2018/05/16/a-explaining-the-secure-real-time-transport-protocol-srtp IIRC GCM is not enabled by default yet, take a look here: https://bugs.chromium.org/p/chromium/issues/detail?id=713701

Now, with all of the above, in P2P calls end-to-end encryption is achieved. Jitsi Meet uses a P2P mode when there are just 2 participants in a call.

So what happens when there are more than 2 participants? Then the media gets routed through a server, our very own Jitsi Videobridge. Then encryption is done hop-by-hop. That is, media is decrypted by the bridge and encrypted again when sending it out. This is necessary to do advanced video routing because some of the video frame information (such as if a frame is a keyframe, temporal layer index, etc) is only available inside the payload.

There are ongoing efforts to provide a per-frame encryption hook so applications can encrypt media end-to-end, but those are not available yet.

Hope that helps, if you need further information, feel free to ask!

2 Likes
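To see which hash and ciphers a given session actually negotiated, as asked in the question above, the SDP and the connection statistics can be inspected. This is an added example, not code from the original posts or from the Jitsi project; the function names and the sample SDP and stats values are constructed for illustration.

```javascript
// Constructed sample inputs; not captured from a Jitsi deployment.
const SAMPLE_SDP = [
  'v=0',
  'm=audio 9 UDP/TLS/RTP/SAVPF 111',
  'a=fingerprint:sha-256 ' + 'AA:'.repeat(31) + 'AA',
  'a=setup:actpass',
  'm=application 9 UDP/DTLS/SCTP webrtc-datachannel',
].join('\r\n');
const SAMPLE_STATS = new Map([
  ['T01', { type: 'transport', dtlsState: 'connected', tlsVersion: 'FEFD',
    dtlsCipher: 'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256', srtpCipher: 'AES_CM_128_HMAC_SHA1_80' }],
  ['CP01', { type: 'candidate-pair', state: 'succeeded' }],
]);

// Parse an SDP blob for the facts relevant to DTLS-SRTP keying.
function auditSdp(sdp) {
  const r = { profiles: [], fingerprintHashes: [], usesSdes: false, issues: [] };
  for (const line of sdp.split(/\r?\n/)) {
    let m;
    if ((m = /^m=(\w+) \d+ (\S+)/.exec(line))) {
      r.profiles.push({ media: m[1], proto: m[2] });
      // Audio/video must use a DTLS-keyed SRTP profile; data channels use DTLS/SCTP.
      if (m[1] !== 'application' && !m[2].startsWith('UDP/TLS/RTP/SAVP')) {
        r.issues.push(`${m[1]}: profile ${m[2]} is not DTLS-SRTP`);
      }
    } else if ((m = /^a=fingerprint:(\S+) ([0-9A-Fa-f:]+)/.exec(line))) {
      // The fingerprint binds the DTLS certificate to the signalling channel.
      const hash = m[1].toLowerCase();
      if (!r.fingerprintHashes.includes(hash)) r.fingerprintHashes.push(hash);
      if (hash === 'sha-1' || hash === 'md5') r.issues.push(`weak fingerprint hash ${hash}`);
    } else if (line.startsWith('a=crypto:')) {
      // a=crypto would carry SDES keys in signalling, which WebRTC does not allow.
      r.usesSdes = true;
      r.issues.push('SDES key (a=crypto) present in SDP');
    }
  }
  if (r.fingerprintHashes.length === 0) r.issues.push('no a=fingerprint line');
  return r;
}

// Pull the negotiated DTLS and SRTP ciphers out of an RTCStatsReport
// (any object with forEach(value => ...), such as the result of pc.getStats()).
function negotiatedCiphers(report) {
  const out = [];
  report.forEach(({ type, dtlsState, tlsVersion, dtlsCipher, srtpCipher }) => {
    if (type === 'transport') out.push({ dtlsState, tlsVersion, dtlsCipher, srtpCipher });
  });
  return out;
}
```

In a browser, pass `pc.localDescription.sdp` and the result of `await pc.getStats()`. With more than two participants these values describe only the hop between the client and the Videobridge.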

Awesome, @saghul. Thanks, this answers my question.

Keep up the great work with Jitsi!

1 Like

Thanks for sharing this information. I’ve published it on the wiki; feel free to edit/update it there, or just suggest any improvements and I’ll edit it.

1 Like

Hi, a quick question related to this: Are the chats in the message window encrypted as well? (Either end-to-end or via the bridge?) - Christopher

All communication between the clients and the server is encrypted: signalling (messages and so on) goes over HTTPS, and the media is encrypted by WebRTC (google for webrtc encryption).

1 Like