Secure Real-time Transport Protocol

Last updated

The Secure Real-time Transport Protocol (SRTP) is a profile for Real-time Transport Protocol (RTP) intended to provide encryption, message authentication and integrity, and replay attack protection to the RTP data in both unicast and multicast applications. It was developed by a small team of Internet Protocol and cryptographic experts from Cisco and Ericsson. It was first published by the IETF in March 2004 as RFC   3711.

Contents

Since RTP is accompanied by the RTP Control Protocol (RTCP) which is used to control an RTP session, SRTP has a sister protocol, called Secure RTCP (SRTCP); it securely provides the same functions to SRTP as the ones provided by RTCP to RTP.

Utilization of SRTP or SRTCP is optional in RTP or RTCP applications; but even if SRTP or SRTCP are used, all provided features (such as encryption and authentication) are optional and can be separately enabled or disabled. The only exception is the message authentication feature which is indispensable and required when using SRTCP.

Data flow encryption

SRTP and SRTCP use Advanced Encryption Standard (AES) as the default cipher. There are two cipher modes defined which allow the AES block cipher to be used as a stream cipher:

Segmented Integer Counter Mode
A typical counter mode, which allows random access to any blocks, which is essential for RTP traffic running over unreliable network with possible loss of packets. In the general case, almost any function can be used in the role of counter, assuming that this function does not repeat for a large number of iterations. But the standard for encryption of RTP data is just a usual integer incremental counter. AES running in this mode is the default encryption algorithm, with a default key size of 128 bits and a default session salt key length of 112 bits.
f8-mode
A variation of output feedback mode, enhanced to be seekable and with an altered initialization function. The default values of the encryption key and salt key are the same as for AES in counter mode. (AES running in this mode has been chosen to be used in 3G mobile networks.)

Besides the AES cipher, SRTP allows the ability to disable encryption outright, using the so-called null encryption cipher, which can be assumed as an alternate supported cipher. In fact, the null encryption cipher does not perform any encryption; the encryption algorithm functions as the identity function, and copies the input stream to the output stream without any changes. It is mandatory for this cipher mode to be implemented in any SRTP-compatible system. As such, it can be used when the confidentiality guarantees ensured by SRTP are not required, while other SRTP features, such as authentication and message integrity, may be used.

Though SRTP can easily accommodate new encryption algorithms, the SRTP standard states that new encryption algorithms may only be introduced through publication of a new companion standard track RFC which must clearly define the new algorithm.

Authentication, integrity and replay protection

The above-listed encryption algorithms do not alone secure message integrity, an attacker will not be able to decrypt data but may be able to forge or replay previously transmitted data. Hence the SRTP standard also provides the means to secure the integrity of data and safety from replay.

To authenticate the message and protect its integrity, the HMAC-SHA1 algorithm [1] is used. This produces a 160-bit result, which is then truncated to 80 or 32 bits to become the authentication tag appended to each packet. The HMAC is calculated over the packet payload and material from the packet header, including the packet sequence number. To protect against replay attacks, the receiver maintains the sequence numbers of previously received messages, compares them with the sequence number in each new received message and admits the new message only if it has not been previously received. This approach relies on the integrity protection to make it impossible to modify the sequence number without detection.

Key derivation

A key derivation function is used to derive the different keys used in a crypto context (SRTP and SRTCP encryption keys and salts, SRTP and SRTCP authentication keys) from one single master key in a cryptographically secure way. Thus, the key management protocol needs to exchange only one master key, all the necessary session keys are generated by applying the key derivation function.

Periodic application of the key derivation function prevents an attacker from collecting large amounts of ciphertext encrypted with one single session key. This provides protection against certain attacks which are easier to carry out when a large amount of ciphertext is available. Furthermore, multiple applications of the key derivation function provides backwards and forward security in the sense that a compromised session key does not compromise other session keys derived from the same master key. This means that even if an attacker managed to recover a session key, he is not able to decrypt messages secured with previous and later session keys derived from the same master key. (Note that, of course, a leaked master key reveals all the session keys derived from it.)

SRTP relies on an external key management protocol to set up the initial master key. Two protocols specifically designed to be used with SRTP are ZRTP and MIKEY. There are also other methods to negotiate the SRTP keys. There are several vendors which offer products that use the SDES key exchange method.

DTLS-SRTP

Interoperability and applications

See Comparison of VoIP software § Secure VoIP software for phones, servers and applications that support SRTP.

Telephony (VoIP)

Web browser support

Usage share of web browsers according to StatCounter Usage share of web browsers (Source StatCounter).svg
Usage share of web browsers according to StatCounter

Known browsers with SRTP support of some kind

Web browser families with some level of SRTP in the mainline updating branches from the core rendering system

So far no known SRTP support exists for text-based web browsers. Although SRTP could be used to operate in a VPN, in conjunction with web browsers, no VPN networks are known to be using it.

Standards documents

Related Research Articles

Kerberos is a computer-network authentication protocol that works on the basis of tickets to allow nodes communicating over a non-secure network to prove their identity to one another in a secure manner. Its designers aimed it primarily at a client–server model, and it provides mutual authentication—both the user and the server verify each other's identity. Kerberos protocol messages are protected against eavesdropping and replay attacks.

In computing, Internet Protocol Security (IPsec) is a secure network protocol suite that authenticates and encrypts packets of data to provide secure encrypted communication between two computers over an Internet Protocol network. It is used in virtual private networks (VPNs).

In cryptography, a block cipher mode of operation is an algorithm that uses a block cipher to provide information security such as confidentiality or authenticity. A block cipher by itself is only suitable for the secure cryptographic transformation of one fixed-length group of bits called a block. A mode of operation describes how to repeatedly apply a cipher's single-block operation to securely transform amounts of data larger than a block.

Transport Layer Security (TLS) is a cryptographic protocol designed to provide communications security over a computer network. The protocol is widely used in applications such as email, instant messaging, and voice over IP, but its use in securing HTTPS remains the most publicly visible.

Wi-Fi Protected Access (WPA), Wi-Fi Protected Access 2 (WPA2), and Wi-Fi Protected Access 3 (WPA3) are the three security certification programs developed after 2000 by the Wi-Fi Alliance to secure wireless computer networks. The Alliance defined these in response to serious weaknesses researchers had found in the previous system, Wired Equivalent Privacy (WEP).

In cryptography, Camellia is a symmetric key block cipher with a block size of 128 bits and key sizes of 128, 192 and 256 bits. It was jointly developed by Mitsubishi Electric and NTT of Japan. The cipher has been approved for use by the ISO/IEC, the European Union's NESSIE project and the Japanese CRYPTREC project. The cipher has security levels and processing abilities comparable to the Advanced Encryption Standard.

Counter Mode Cipher Block Chaining Message Authentication Code Protocol or CCM mode Protocol (CCMP) is an encryption protocol designed for Wireless LAN products that implements the standards of the IEEE 802.11i amendment to the original IEEE 802.11 standard. CCMP is an enhanced data cryptographic encapsulation mechanism designed for data confidentiality and based upon the Counter Mode with CBC-MAC of the Advanced Encryption Standard (AES) standard. It was created to address the vulnerabilities presented by Wired Equivalent Privacy (WEP), a dated, insecure protocol.

The RTP Control Protocol (RTCP) is a binary-encoded out-of-band signaling protocol that functions alongside the Real-time Transport Protocol (RTP). Its basic functionality and packet structure is defined in RFC 3550. RTCP provides statistics and control information for an RTP session. It partners with RTP in the delivery and packaging of multimedia data but does not transport any media data itself.

CCM mode is a mode of operation for cryptographic block ciphers. It is an authenticated encryption algorithm designed to provide both authentication and confidentiality. CCM mode is only defined for block ciphers with a block length of 128 bits.

Authenticated Encryption (AE) is an encryption scheme which simultaneously assures the data confidentiality and authenticity. Examples of encryption modes that provide AE are GCM, CCM.

Multimedia Internet KEYing (MIKEY) is a key management protocol that is intended for use with real-time applications. It can specifically be used to set up encryption keys for multimedia sessions that are secured using SRTP, the security protocol commonly used for securing real-time communications such as VoIP.

SDES for Media Streams is a way to negotiate the key for Secure Real-time Transport Protocol. It has been proposed for standardization to the IETF in July 2006

In cryptography, Galois/Counter Mode (GCM) is a mode of operation for symmetric-key cryptographic block ciphers which is widely adopted for its performance. GCM throughput rates for state-of-the-art, high-speed communication channels can be achieved with inexpensive hardware resources.

Institute of Electrical and Electronics Engineers (IEEE) standardization project for encryption of stored data, but more generically refers to the Security in Storage Working Group (SISWG), which includes a family of standards for protection of stored data and for the corresponding cryptographic key management.

In cryptography, key wrap constructions are a class of symmetric encryption algorithms designed to encapsulate (encrypt) cryptographic key material. The Key Wrap algorithms are intended for applications such as protecting keys while in untrusted storage or transmitting keys over untrusted communications networks. The constructions are typically built from standard primitives such as block ciphers and cryptographic hash functions.

A cipher suite is a set of algorithms that help secure a network connection. Suites typically use Transport Layer Security (TLS) or its deprecated predecessor Secure Socket Layer (SSL). The set of algorithms that cipher suites usually contain include: a key exchange algorithm, a bulk encryption algorithm, and a message authentication code (MAC) algorithm.

Acrobits is a privately owned software development company creating VoIP Clients for mobile platforms, based in Prague, Czech Republic.

In cryptography, the Double Ratchet Algorithm is a key management algorithm that was developed by Trevor Perrin and Moxie Marlinspike in 2013. It can be used as part of a cryptographic protocol to provide end-to-end encryption for instant messaging. After an initial key exchange it manages the ongoing renewal and maintenance of short-lived session keys. It combines a cryptographic so-called "ratchet" based on the Diffie–Hellman key exchange (DH) and a ratchet based on a key derivation function (KDF), such as a hash function, and is therefore called a double ratchet.

Application Layer Transport Security (ALTS) is a Google-developed authentication and transport encryption system used for securing Remote Procedure Call (RPC) within Google machines. Google started its development in 2007, as a tailored modification of TLS.

ChaCha20-Poly1305 is an authenticated encryption with additional data (AEAD) algorithm, that combines the ChaCha20 stream cipher with the Poly1305 message authentication code. Its usage in IETF protocols is standardized in RFC 8439. It has fast software performance, and without hardware acceleration, is usually faster than AES-GCM.

References

  1. RFC   2104
  2. "Secure Calling Tutorial - Asterisk Project - Asterisk Project Wiki". wiki.asterisk.org. Retrieved 2019-12-22.
  3. "Asterisk SRTP". VoIP-Info. 2007-02-13. Retrieved 2019-12-22.
This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.