Call E2EE¶

Goal¶

Provide end-to-end encryption for call media such that:

The backend cannot decrypt media.
Key agreement prefers P-256 (Secure Enclave) but supports RSA-2048 fallback for legacy.
Media is encrypted using AES-256-GCM.

Canonical Code¶

Core crypto orchestration: ecall/Modules/Call/Managers/CallEncryptionManager.swift
P-256 Secure Enclave: ecall/Core/Security/P256SecureEnclaveService.swift
Signaling: ecall/Modules/Call/Managers/CallSignalingHandler.swift

Key Agreement / Key Exchange¶

Phase 0: Key Transparency Identity Verification¶

Before any End-to-End Encryption session can be established, the public keys MUST be mathematically verified against the backend Key Transparency framework to thwart Man-in-the-Middle attacks. - Endpoint: TKSAPIService - Cryptographic Proof: Checkpoint signature, VRF hash, and Merkle path evaluated by KTVerifier. - Trust Cache: Keys are validated against PeerTrustStore. If they mismatch, the user is warned and must explicitly override the mismatch.

Phase 1: Preferred P-256 (secp256r1) ECDH via Secure Enclave¶

For 1-1 calls:

Caller derives shared secret using ECDH (Secure Enclave private key + Verified peer public key).
The derived shared secret is used as the AES session key (sessionAESKey).

Entry points:

prepareCallInvitationP256(calleePublicKeyBase64:) -> String? (returns caller public key)
processCallInvitationP256(callerPublicKeyBase64:) -> Bool

Fallback/Legacy: RSA-2048 (RSA-OAEP-SHA256)¶

For legacy participants:

AES session key is generated randomly.
AES session key is encrypted with RSA public key using OAEP-SHA256.