SRTP
The Secure Real-Time Transport Protocol (SRTP) is a profile of the Real-Time Transport Protocol (RTP) that adds security services to RTP and its control protocol RTCP: confidentiality through encryption of the payload, message authentication and integrity, and replay protection.
The initial negotiation of SRTP and its security parameters is done through the Session Description Protocol (SDP), with extensions that either carry the keying material itself or point to a key exchange that happens elsewhere. SRTP therefore has to interact with a key management protocol (e.g. SDES, MIKEY, ZRTP, DTLS-SRTP) to agree the master keys and cryptographic parameters for the media session.
SDES Security parameters and master keys for the SRTP session are exchanged in clear text as SDP attributes (a=crypto lines). The confidentiality of the keys therefore rests entirely on the signaling plane protecting the SDP, for instance by carrying the signaling over TLS; any intermediary that can read the signaling (a proxy, an SBC, a lawful-intercept point) can also decrypt the media.
MIKEY Performs the key exchange and negotiates the cryptographic parameters on behalf of the multimedia application. Its messages are carried in the SDP payload (the a=key-mgmt attribute), encoded in base64, and are protected by MIKEY itself rather than by the signaling transport.
ZRTP A shared secret and the other security parameters are agreed with a Diffie-Hellman exchange. Mutual authentication can use a Short Authentication String (SAS) that both parties compare, so it does not require support from a PKI. The ZRTP exchange takes place over the same port numbers used by the multimedia session for the RTP traffic, that is, in the media path rather than on the signaling path.
DTLS Enables the exchange of the cryptographic parameters and derives the SRTP keying material from a DTLS handshake. The key exchange takes place in the media plane and is multiplexed on the same ports as the media itself; the SDP carries only a fingerprint of each endpoint's certificate (a=fingerprint) so that the handshake can be bound to the signaled session. We will elaborate on this in a future post, but, in short, once some of the ICE connectivity checks have completed, DTLS-SRTP allows the SRTP media channel to be established with no need to reveal keys in the SDP message exchange as is done with SDES.
The Peeredge SBC supports SDES and DTLS to negotiate SRTP parameters.
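The practical difference between the SDES and DTLS-SRTP items above is what an observer of the signaling can learn. The following is an added example, not Peeredge SBC code: a small Python audit that walks the media sections of an SDP offer, decodes any SDES a=crypto line into its master key and salt (validating the key||salt length for the crypto-suite, the lifetime and MKI fields, and the RFC 4568 session parameters that switch SRTP protection off), and records whether each stream is keyed via SDES, MIKEY, ZRTP or DTLS-SRTP. The sample offer, the key bytes and the certificate fingerprint are constructed for the example; the function and class names are the author's own.

```python
"""Audit how an SDP offer keys SRTP: SDES (a=crypto), MIKEY (a=key-mgmt), ZRTP (a=zrtp-hash) or DTLS-SRTP (a=fingerprint)."""
import base64
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Master key and master salt lengths in bytes (RFC 4568 section 6.2, RFC 6188).
SRTP_SUITES = {"AES_CM_128_HMAC_SHA1_80": (16, 14), "AES_CM_128_HMAC_SHA1_32": (16, 14),
               "F8_128_HMAC_SHA1_80": (16, 14), "AES_256_CM_HMAC_SHA1_80": (32, 14)}
# Session parameters that switch off part of the SRTP protection (RFC 4568 section 6.3).
DANGEROUS_PARAMS = {"UNENCRYPTED_SRTP", "UNENCRYPTED_SRTCP", "UNAUTHENTICATED_SRTP"}
# a=crypto:<tag> <suite> inline:<base64 key||salt>[|lifetime][|MKI:len] [session-params]
CRYPTO_RE = re.compile(r"^a=crypto:(?P<tag>\d+) (?P<suite>\S+) inline:(?P<key>[A-Za-z0-9+/]+=*)"
                       r"(?P<extra>(?:\|[^ |]+)*)(?: (?P<params>.+))?$")

@dataclass
class SdesKey:
    tag: int
    suite: str
    master_key: bytes
    master_salt: bytes
    lifetime: Optional[str] = None
    mki: Optional[str] = None
    warnings: List[str] = field(default_factory=list)

def parse_crypto_line(line: str) -> SdesKey:
    """Decode one a=crypto line into master key and salt, checking the suite's lengths."""
    m = CRYPTO_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a valid a=crypto line: {line!r}")
    suite = m["suite"]
    if suite not in SRTP_SUITES:
        raise ValueError(f"unknown crypto-suite {suite}")
    key_len, salt_len = SRTP_SUITES[suite]
    raw = base64.b64decode(m["key"], validate=True)
    if len(raw) != key_len + salt_len:
        raise ValueError(f"{suite}: expected {key_len + salt_len} key||salt bytes, got {len(raw)}")
    info = SdesKey(int(m["tag"]), suite, raw[:key_len], raw[key_len:])
    for part in filter(None, m["extra"].split("|")):
        setattr(info, "mki" if ":" in part else "lifetime", part)   # MKI:length or lifetime (2^20)
    if suite.endswith("_32"):
        info.warnings.append(f"{suite}: 32-bit authentication tag, prefer an _80 suite")
    for p in (m["params"] or "").split():
        if p in DANGEROUS_PARAMS:
            info.warnings.append(f"session parameter {p} disables part of the SRTP protection")
    return info

@dataclass
class MediaKeying:
    media: str       # audio, video, ...
    profile: str     # transport profile from the m= line, e.g. RTP/SAVP
    mechanisms: List[str] = field(default_factory=list)
    sdes_keys: List[SdesKey] = field(default_factory=list)
    fingerprint: Optional[str] = None
    warnings: List[str] = field(default_factory=list)

def audit_sdp(sdp: str) -> List[MediaKeying]:
    """Walk each m= section and report how (and whether) its SRTP keys are negotiated."""
    sections: List[MediaKeying] = []
    for line in (raw.strip() for raw in sdp.splitlines()):
        if line.startswith("m="):
            fields = line[2:].split()
            sections.append(MediaKeying(fields[0], fields[2]))
        elif not sections:
            continue                                   # session-level lines carry no keys
        elif line.startswith("a=crypto:"):
            sections[-1].sdes_keys.append(parse_crypto_line(line))
            sections[-1].mechanisms.append("sdes")
        elif line.startswith("a=key-mgmt:mikey"):
            sections[-1].mechanisms.append("mikey")
        elif line.startswith("a=zrtp-hash:"):
            sections[-1].mechanisms.append("zrtp")
        elif line.startswith("a=fingerprint:"):
            sections[-1].fingerprint = line[len("a=fingerprint:"):]
            sections[-1].mechanisms.append("dtls-srtp")
    for s in sections:
        s.mechanisms = sorted(set(s.mechanisms))
        if not s.mechanisms:
            s.warnings.append("secure profile offered without keying material or fingerprint"
                              if "SAVP" in s.profile else f"{s.profile}: media will be sent as plain RTP")
        if "sdes" in s.mechanisms:
            s.warnings.append("master key is readable in the signaling; SDP must travel over TLS")
        for k in s.sdes_keys:
            s.warnings.extend(k.warnings)
    return sections

# Constructed sample offer (not captured traffic): an SDES audio stream with two crypto
# offers and a DTLS-SRTP video stream. Key bytes and fingerprint are dummy values.
_KEY_B64 = base64.b64encode(bytes(range(30))).decode()   # 16-byte key || 14-byte salt
SAMPLE_SDP = f"""v=0
o=- 1 1 IN IP4 192.0.2.10
s=-
t=0 0
m=audio 49170 RTP/SAVP 0
a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:{_KEY_B64}|2^20|1:4
a=crypto:2 AES_CM_128_HMAC_SHA1_32 inline:{_KEY_B64}|2^20 UNENCRYPTED_SRTCP
m=video 51372 UDP/TLS/RTP/SAVPF 96
a=setup:actpass
a=fingerprint:sha-256 {'AB:' * 31}AB
"""

if __name__ == "__main__":   # print the audit of the constructed offer
    for s in audit_sdp(SAMPLE_SDP):
        print(f"m={s.media} {s.profile}: {s.mechanisms}", *[f"\n  WARNING: {w}" for w in s.warnings])
```

Run as a script it prints one line per media section followed by its warnings. The audio section shows what an SDES offer exposes: the decoded master key and salt are available to anyone who can read the SDP, and the second crypto offer is flagged both for its 32-bit authentication tag and for UNENCRYPTED_SRTCP. The video section carries only a certificate fingerprint, so nothing in the signaling reveals the SRTP keys. The same audit is a useful sanity check on what an SBC actually sends on the trunk side after it has mapped DTLS-SRTP on one leg to SDES on the other.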