The Secure Real-Time Transport Protocol (SRTP) is a profile of RTP (Real-Time Transport Protocol) that adds security services to the media stream: confidentiality through encryption, message authentication and integrity protection, and replay protection.

The negotiation of SRTP and its security parameters is normally carried out through the Session Description Protocol (SDP), extended with attributes that either convey keying material directly or reference a key exchange performed elsewhere. SRTP itself defines no key management, so it relies on a key management protocol (e.g. SDES, MIKEY, ZRTP or DTLS-SRTP) to agree the master keys and cryptographic parameters for the media session.

SDES – security parameters and master keys for the SRTP session are exchanged in clear text as SDP attributes (a=crypto, RFC 4568). SDES therefore relies entirely on the signaling plane to protect the SDP message, for instance by carrying SIP over TLS; since TLS is hop-by-hop, any proxy or SBC that can read the signaling can also read the media keys.

MIKEY – performs the key exchange and negotiates the cryptographic parameters on behalf of the multimedia application. Its messages are carried in the SDP payload as base64-encoded a=key-mgmt attributes (RFC 4567), so the keying material is protected by MIKEY itself (pre-shared key, public-key or Diffie-Hellman modes) rather than by the signaling transport.

ZRTP – a shared secret and the other security parameters are established with a Diffie-Hellman exchange. Mutual authentication can use a Short Authentication String (SAS) that both users compare verbally, so it does not require support from a PKI; without an SAS comparison (or a cached shared secret from a previous session) a man-in-the-middle on the media path is not detected. The ZRTP exchange takes place over the same port numbers used by the multimedia session for the RTP traffic (as opposed to the signaling path).

DTLS – DTLS-SRTP uses a DTLS handshake to exchange the cryptographic parameters and derive the SRTP keying material. The key exchange takes place in the media plane and is multiplexed on the same ports as the media itself; the SDP only carries a fingerprint of each endpoint's certificate (a=fingerprint) and the handshake role (a=setup), which binds the handshake to the signaling. We will elaborate on this in a future post but, in short, once some of the ICE connectivity checks have completed, DTLS-SRTP allows the SRTP media channel to be established without revealing keys in the SDP exchange as SDES does. The signaling path still needs integrity protection, because an attacker who can rewrite the fingerprint can substitute their own certificate in the handshake.
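The signaling-side differences between these mechanisms are visible directly in the SDP: SDES puts the master key in an a=crypto line, MIKEY wraps its message in an a=key-mgmt line, and DTLS-SRTP carries only a certificate fingerprint and a setup role. The parser below is an added example written for this page (it is not code from the original page or from the Peeredge Switch) that classifies each media section of an offer accordingly, decodes the SDES inline key and checks its length against the crypto-suite, extracts the DTLS fingerprint and role, and flags offers that ship keys in clear or carry no keying at all. It assumes only the standard attribute formats of RFC 4568, RFC 4567 and RFC 5763; the three offers embedded in it are constructed for illustration, not captured traffic.

```python
# Added example (not from the original page or the Peeredge Switch): recognise how an SDP offer
# proposes to key SRTP. Assumes the standard attribute formats a=crypto (RFC 4568, SDES),
# a=key-mgmt:mikey (RFC 4567) and a=fingerprint / a=setup (RFC 5763, DTLS-SRTP).
import base64
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Bytes of master key + master salt carried by "inline:" per crypto-suite (RFC 4568, RFC 6188).
SUITE_KEY_LEN = {"AES_CM_128_HMAC_SHA1_80": 30, "AES_CM_128_HMAC_SHA1_32": 30,
                 "F8_128_HMAC_SHA1_80": 30, "AES_256_CM_HMAC_SHA1_80": 46, "AES_256_CM_HMAC_SHA1_32": 46}

@dataclass
class SdesKey:
    tag: int
    suite: str
    master_key_salt: bytes          # decoded inline key: readable by anyone who sees the SDP
    lifetime: Optional[str] = None  # e.g. "2^20" packets
    mki: Optional[str] = None       # "<mki value>:<mki length>"

@dataclass
class MediaKeying:
    media: str
    profile: str                    # transport profile from the m= line
    mechanism: str                  # "SDES", "MIKEY", "DTLS-SRTP" or "none"
    sdes_keys: List[SdesKey] = field(default_factory=list)
    fingerprint: Optional[Tuple[str, bytes]] = None   # (hash function, raw certificate digest)
    setup: Optional[str] = None     # DTLS role offered: active, passive or actpass
    findings: List[str] = field(default_factory=list)

def parse_crypto(value: str) -> SdesKey:
    """Parse an a=crypto value: <tag> <suite> inline:<b64>[|lifetime][|mki:len] [session-params]."""
    tag, suite, rest = value.split(" ", 2)
    key_params = rest.split(" ")[0].split(";")[0]      # first key-params only; session params dropped
    if not key_params.startswith("inline:"):
        raise ValueError("unsupported key method: " + key_params)
    parts = key_params[len("inline:"):].split("|")
    key = base64.b64decode(parts[0] + "=" * (-len(parts[0]) % 4))   # RFC 4568 allows unpadded base64
    lifetime = next((p for p in parts[1:] if ":" not in p), None)
    mki = next((p for p in parts[1:] if ":" in p), None)
    return SdesKey(int(tag), suite, key, lifetime, mki)

def classify_sdp(sdp: str) -> List[MediaKeying]:
    """Split the SDP into media sections and decide, per section, how SRTP would be keyed."""
    sections: List[List[str]] = [[]]                   # sections[0] holds the session-level lines
    for line in sdp.splitlines():
        if line.strip().startswith("m="):
            sections.append([])
        sections[-1].append(line.strip())
    session_attrs = [ln for ln in sections[0] if ln.startswith("a=")]
    results: List[MediaKeying] = []
    for sec in sections[1:]:
        m_fields = sec[0][2:].split()
        mk = MediaKeying(media=m_fields[0], profile=m_fields[2], mechanism="none")
        # Session-level a=fingerprint / a=setup apply to every m= line that lacks its own.
        for attr in session_attrs + [ln for ln in sec if ln.startswith("a=")]:
            name, _, value = attr[2:].partition(":")
            if name == "crypto":
                k = parse_crypto(value)
                mk.sdes_keys.append(k)
                expected = SUITE_KEY_LEN.get(k.suite)
                if expected is None:
                    mk.findings.append(f"tag {k.tag}: unknown crypto-suite {k.suite}")
                elif len(k.master_key_salt) != expected:
                    mk.findings.append(f"tag {k.tag}: {k.suite} expects {expected} key bytes, got {len(k.master_key_salt)}")
            elif name == "key-mgmt" and value.startswith("mikey "):
                mk.mechanism = "MIKEY"                 # base64 MIKEY message; MIKEY protects the keys itself
            elif name == "fingerprint":
                hash_func, hexdigest = value.split(" ", 1)
                mk.fingerprint = (hash_func.lower(), bytes.fromhex(hexdigest.replace(":", "")))
            elif name == "setup":
                mk.setup = value
        if mk.sdes_keys:
            mk.mechanism = "SDES"
            mk.findings.append("SRTP master keys are in the SDP in clear: the signaling path must be protected (e.g. SIP over TLS)")
        elif mk.fingerprint:
            mk.mechanism = "DTLS-SRTP"
            if mk.setup is None:
                mk.findings.append("a=fingerprint without a=setup: DTLS client/server role not negotiated")
        if mk.profile in ("RTP/AVP", "RTP/AVPF"):
            mk.findings.append(f"profile {mk.profile} is plain RTP: media would be sent unencrypted")
        elif mk.profile.endswith(("SAVP", "SAVPF")) and mk.mechanism == "none":
            mk.findings.append(f"{mk.profile} requires SRTP but no keying attribute is present")
        results.append(mk)
    return results

# Constructed offers for illustration (not captured traffic). Crypto tag 3 deliberately carries a
# 30-byte key for a suite that needs 46 bytes, to show the length check.
SDES_OFFER = "\n".join(["v=0", "o=alice 1 1 IN IP4 192.0.2.10", "s=-", "t=0 0", "m=audio 49170 RTP/SAVP 0",
    "a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:WVNfX19zZW1jdGwgKCkgewkyMjA7fQp9CnVubGVz|2^20|1:4",
    "a=crypto:2 AES_CM_128_HMAC_SHA1_32 inline:WVNfX19zZW1jdGwgKCkgewkyMjA7fQp9CnVubGVz",
    "a=crypto:3 AES_256_CM_HMAC_SHA1_80 inline:WVNfX19zZW1jdGwgKCkgewkyMjA7fQp9CnVubGVz", ""])
DTLS_OFFER = "\n".join(["v=0", "o=bob 1 1 IN IP4 192.0.2.20", "s=-", "t=0 0",
    "a=fingerprint:sha-256 A1:B2:C3:D4:E5:F6:07:18:29:3A:4B:5C:6D:7E:8F:90:01:12:23:34:45:56:67:78:89:9A:AB:BC:CD:DE:EF:F0",
    "m=audio 54400 UDP/TLS/RTP/SAVPF 111", "a=setup:actpass", "a=rtcp-mux", ""])
PLAIN_OFFER = "v=0\no=eve 1 1 IN IP4 192.0.2.30\ns=-\nt=0 0\nm=audio 49170 RTP/AVP 0\n"

if __name__ == "__main__":
    for label, offer in (("SDES", SDES_OFFER), ("DTLS", DTLS_OFFER), ("PLAIN", PLAIN_OFFER)):
        for mk in classify_sdp(offer):
            print(f"{label}: m={mk.media} {mk.profile} -> {mk.mechanism}", [k.tag for k in mk.sdes_keys])
            for finding in mk.findings:
                print("  !", finding)
```

Running the module prints one line per media section followed by its findings: the SDES offer is reported with its three tags and the short key on tag 3, the DTLS-SRTP offer passes cleanly, and the RTP/AVP offer is flagged as unencrypted. Session-level attributes are merged into every media section because a=fingerprint and a=setup may legitimately be placed at either level.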

The Peeredge Switch supports SDES and DTLS for negotiating SRTP parameters.
