Secure Real-time Transport Protocol
The Secure Real-time Transport Protocol (or SRTP) defines a profile of RTP (Real-time Transport Protocol), intended to provide encryption, message authentication and integrity, and replay protection to the RTP data in both unicast and multicast applications. It was developed by a small team of IP protocol and cryptographic experts from Cisco and Ericsson including David Oran, David McGrew, Mark Baugher, Mats Naslund, Elisabetta Carrara, James Black, Karl Norman, and Rolf Blom. It was first published by the IETF in March 2004 as RFC 3711.

Since RTP is closely related to RTCP (Real Time Control Protocol), which can be used to control the RTP session, SRTP also has a sister protocol, called Secure RTCP (or SRTCP); SRTCP provides the same security-related features to RTCP as the ones provided by SRTP to RTP.

Use of SRTP or SRTCP is optional when using RTP or RTCP; and even when SRTP/SRTCP are used, all provided features (such as encryption and authentication) are optional and can be separately enabled or disabled. The only exception is the message authentication feature, which is mandatory when using SRTCP.

Data flow encryption

For encryption and decryption of the data flow (and hence for providing confidentiality of the data flow), SRTP (together with SRTCP) utilizes AES as the default cipher. There are two cipher modes defined which allow the original block cipher AES to be used as a stream cipher:

  • Segmented Integer Counter Mode: A typical counter mode, which allows random access to any block. This is essential for RTP traffic running over an unreliable network with possible loss of packets. In the general case, almost any function can be used in the role of "counter", assuming that this function does not repeat for a large number of iterations. But the standard for encryption of RTP data is just a usual integer incremental counter. AES running in this mode is the default encryption algorithm, with a default encryption key length of 128 bits and a default session salt key length of 112 bits.
  • f8-mode: A variation of output feedback mode, enhanced to be seekable and with an altered initialization function. The default values of the encryption key and salt key are the same as for AES in Counter Mode. (AES running in this mode has been chosen to be used in UMTS 3G mobile networks.)

Besides the AES cipher, SRTP allows encryption to be disabled outright, using the so-called "NULL cipher", which can be regarded as the second supported cipher (or the third supported cipher mode in total). The NULL cipher does not perform any encryption (i.e. the encryption algorithm functions as though the key stream contains only zeroes, and copies the input stream to the output stream without any changes). It is mandatory for this cipher mode to be implemented in any SRTP-compatible system. As such, it can be used when the confidentiality guarantees ensured by SRTP are not required, while other SRTP features (such as authentication and message integrity) may be used.

Though technically SRTP can easily accommodate new encryption algorithms, the SRTP standard states that new encryption algorithms besides those described cannot simply be added in some implementation of the SRTP protocol. The only legal way to add a new encryption algorithm, while still claiming compatibility with the SRTP standard, is to publish a new companion standard track RFC which must clearly define the new algorithm.

Authentication, integrity and replay protection

The above-listed encryption algorithms do not secure message integrity themselves, allowing the attacker to either forge the data or at least to replay previously transmitted data. Hence the SRTP standard also provides the means to secure the integrity of data and to protect against replay.

To authenticate the message and protect its integrity, the HMAC-SHA1 algorithm (defined in RFC 2104) is used, which produces a 160-bit result, which is then truncated to 80 or 32 bits to become the authentication tag appended to the packet. The HMAC is calculated over the packet payload and material from the packet header, including the packet sequence number. To protect against replay attacks, the receiver maintains the indices of previously received messages, compares them with the index of each new received message and admits the new message only if it has not been played (i.e. sent) before. Such an approach heavily relies on the integrity protection being enabled (to make it impossible to spoof message indices).
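
An added example (not part of the original article) of the tag check and replay window described above. Appending the 32-bit rollover counter to the HMAC input follows RFC 3711; the `Receiver` type, the 64-packet window, passing the rollover counter in as a parameter (a real receiver estimates it), and the sample key and packet are assumptions made for illustration.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"fmt"
)

const tagLen, window = 10, 64 // 80-bit tag (4 gives the 32-bit one); window size is an assumption

// authTag is HMAC-SHA1 over header+payload followed by the 32-bit rollover counter, truncated.
func authTag(key, pkt []byte, roc uint32) []byte {
	m := hmac.New(sha1.New, key)
	m.Write(pkt)
	m.Write([]byte{byte(roc >> 24), byte(roc >> 16), byte(roc >> 8), byte(roc)})
	return m.Sum(nil)[:tagLen]
}

// Receiver remembers which packet indices it has already accepted.
type Receiver struct {
	key           []byte
	highest, seen uint64 // highest accepted index; bit n of seen set = index highest-n accepted
}

// Accept verifies the tag before touching replay state, so a spoofed index cannot move the window.
func (r *Receiver) Accept(p []byte, roc uint32) error {
	if len(p) < 12+tagLen {
		return fmt.Errorf("packet too short")
	}
	pkt, tag := p[:len(p)-tagLen], p[len(p)-tagLen:]
	if !hmac.Equal(tag, authTag(r.key, pkt, roc)) {
		return fmt.Errorf("authentication failed")
	}
	idx := uint64(roc)<<16 | uint64(pkt[2])<<8 | uint64(pkt[3]) // index = ROC || sequence number
	switch {
	case idx > r.highest: // newest so far: slide the window forward
		r.seen, r.highest = r.seen<<(idx-r.highest)|1, idx
	case r.highest-idx >= window || r.seen&(1<<(r.highest-idx)) != 0:
		return fmt.Errorf("replayed or outside the window")
	default: // late but not seen before
		r.seen |= 1 << (r.highest - idx)
	}
	return nil
}

func main() { // constructed sample: 12-byte RTP header, sequence number 7, no payload
	key, pkt := []byte("constructed key"), []byte{0x80, 0, 0, 7, 0, 0, 0, 0, 0, 0, 0, 1}
	r, p := &Receiver{key: key}, append(pkt, authTag(key, pkt, 0)...)
	fmt.Println(r.Accept(p, 0), r.Accept(p, 0)) // accepted, then rejected as a replay
}
```

Because the index is only read after the tag verifies, a packet with an altered sequence number fails authentication and leaves the window untouched.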

Key Derivation

A key derivation function is used to derive the different keys used in a crypto context (SRTP and SRTCP encryption keys and salts, SRTP and SRTCP authentication keys) from one single master key in a cryptographically secure way. Thus, the key management protocol needs to exchange only one master key; all the necessary session keys are generated by applying the key derivation function.

Periodic application of the key derivation function results in security benefits. It prevents an attacker from collecting large amounts of ciphertext encrypted with one single session key. Certain attacks are easier to carry out when a large amount of ciphertext is available. Furthermore, multiple applications of the key derivation function provide backwards and forward security in the sense that a compromised session key does not compromise other session keys derived from the same master key. This means that even if an attacker managed to recover a certain session key, he is not able to decrypt messages secured with previous and later session keys derived from the same master key. (Note that, of course, a leaked master key reveals all the session keys derived from it.)
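
An added example (not part of the original article) of deriving several session keys from one master key, using the AES counter-mode derivation and the labels defined in RFC 3711. The function names are illustrative; the master key and salt are the test vector from RFC 3711 appendix B.3, and `r` is the packet index divided by the key derivation rate, so a new `r` yields a fresh set of session keys.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/hex"
	"fmt"
)

// Key derivation labels from RFC 3711: encryption key, authentication key, salt.
const labelEnc, labelAuth, labelSalt byte = 0x00, 0x01, 0x02

// deriveKey returns n bytes of session key material for one label.
// r is the packet index divided by the key derivation rate (0 when the rate is 0).
func deriveKey(masterKey, masterSalt []byte, label byte, r uint64, n int) ([]byte, error) {
	if len(masterSalt) != 14 || r >= 1<<48 {
		return nil, fmt.Errorf("need a 112-bit master salt and a 48-bit r")
	}
	block, err := aes.NewCipher(masterKey)
	if err != nil {
		return nil, err
	}
	// x = (label || r) XOR master_salt, right-aligned; the counter block is x * 2^16.
	iv := make([]byte, aes.BlockSize)
	copy(iv, masterSalt)
	iv[7] ^= label
	for i := 0; i < 6; i++ {
		iv[13-i] ^= byte(r >> (8 * i))
	}
	out := make([]byte, n) // encrypting zeros exposes the raw AES-CTR keystream
	cipher.NewCTR(block, iv).XORKeyStream(out, out)
	return out, nil
}

// mustHex decodes a hex literal and panics on a malformed one.
func mustHex(s string) []byte {
	b, err := hex.DecodeString(s)
	if err != nil {
		panic(err)
	}
	return b
}

func main() { // master key and salt: test vector from RFC 3711, appendix B.3
	k, s := mustHex("E1F97A0D3E018BE0D64FA32C06DE4139"), mustHex("0EC675AD498AFEEBB6960B3AABE6")
	enc, _ := deriveKey(k, s, labelEnc, 0, 16)   // 128-bit session encryption key
	salt, _ := deriveKey(k, s, labelSalt, 0, 14) // 112-bit session salt
	fmt.Printf("enc=%x salt=%x\n", enc, salt)
}
```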

SRTP relies on an external key management protocol to set up the initial master key. Two protocols specifically designed to be used with SRTP are ZRTP and MIKEY.

There are also other methods to negotiate the SRTP keys. There are several vendors which offer products that use the SDES key exchange method.

SRTP Interoperability

See Comparison of VoIP software for phones, servers and applications supporting SRTP.

External links

  • RFCs
    • RFC 3711, Proposed Standard, The Secure Real-time Transport Protocol (SRTP)
    • RFC 4771, Proposed Standard, Integrity Transform Carrying Roll-Over Counter for the Secure Real-time Transport Protocol (SRTP)
    • RFC 3551, Standard 65, RTP Profile for Audio and Video Conferences with Minimal Control
    • RFC 3550, Standard 64, RTP: A Transport Protocol for Real-Time Applications
    • RFC 2104, Informational, HMAC: Keyed-Hashing for Message Authentication
  • Entry for SRTP in the voip-info.org-Wiki
The source of this article is Wikipedia, the free encyclopedia. The text of this article is licensed under the GFDL.