Question

What are the security features of the Vonage Video API (formerly TokBox OpenTok).

Applies To

• Video API
• Security
• Encryption

Answer

Multi-Layered Security

The Video API platform implements security at multiple levels. Vonage Video API’s security measures include restricting endpoint access to sessions, providing a role-based security model, and securing the basic voice and video traffic that moves through the Video API cloud and between endpoints.

Vonage Video API is fully based on proven, open standards, written by industry experts, and used for years in commercial products. The core protocols providing WebRTC Video API security are SRTP for media traffic encryption, and DTLS-SRTP for key negotiation, which are defined by the IETF.

Encryption

Vonage Video API WebRTC-compatible endpoints use the AES cipher with 128-bit keys to encrypt audio and video, and HMAC-SHA1 to verify data integrity.

During peer-to-peer connections (including connections relayed through cloud-based TURN servers), the Vonage Video API endpoints generate random keys at the beginning of the session and in addition they change periodically during the conversation to make it even safer. For connections leveraging the Video API’s cloud-based scaling capabilities, the Video API cloud acts as an endpoint and participates in the key generation activity. In both cases, in order to increase security, keys are ephemeral, with their validity lasting only for a short period of time. They are neither stored nor persisted anywhere.