Lines Matching full:srtp
17 The Secure Real-time Transport Protocol (SRTP)
34 (SRTP), a profile of the Real-time Transport Protocol (RTP), which
45 3. SRTP Framework . . . . . . . . . . . . . . . . . . . . . . . . 5
47 3.2. SRTP Cryptographic Contexts. . . . . . . . . . . . . . . 7
50 3.2.3. Mapping SRTP Packets to Cryptographic Contexts . 10
51 3.3. SRTP Packet Processing . . . . . . . . . . . . . . . . . 11
61 RFC 3711 SRTP March 2004
79 6. Adding SRTP Transforms . . . . . . . . . . . . . . . . . . . . 29
118 RFC 3711 SRTP March 2004
129 (SRTP), a profile of the Real-time Transport Protocol (RTP), which
134 SRTP provides a framework for encryption and message authentication
135 of RTP and RTCP streams (Section 3). SRTP defines a set of default
138 appropriate key management (Sections 7 and 8), SRTP is secure
141 SRTP can achieve high throughput and low packet expansion. SRTP
147 RTP sequence number for SRTP and an index number for Secure RTCP
158 random bits may be difficult to obtain, and for the security of SRTP,
175 RFC 3711 SRTP March 2004
189 The security goals for SRTP are to ensure:
222 These properties ensure that SRTP is a suitable protection scheme for
232 RFC 3711 SRTP March 2004
237 Besides the above mentioned direct goals, SRTP provides for some
242 confidentiality and integrity protection, both for the SRTP stream
258 3. SRTP Framework
260 RTP is the Real-time Transport Protocol [RFC3550]. We define SRTP as
263 aspects of that profile apply, with the addition of the SRTP security
264 features. Conceptually, we consider SRTP to be a "bump in the stack"
266 transport layer. SRTP intercepts RTP packets and then forwards an
267 equivalent SRTP packet on the sending side, and intercepts SRTP
272 SRTP does to RTP. SRTCP message authentication is MANDATORY and
289 RFC 3711 SRTP March 2004
294 The format of an SRTP packet is illustrated in Figure 1.
314 | ~ SRTP MKI (OPTIONAL) ~ |
321 Figure 1. The format of an SRTP packet. *Encrypted Portion is the
324 The "Encrypted Portion" of an SRTP packet consists of the encryption
331 these, the RTP and SRTP payload sizes match exactly. New transforms
332 added to SRTP (following Section 6) may require padding, and may
346 RFC 3711 SRTP March 2004
357 fields defined by SRTP that are not in RTP. Only 8-bit alignment is
365 the SRTP cryptographic context, which is identified
373 data. The Authenticated Portion of an SRTP packet
375 Portion of the SRTP packet. Thus, if both encryption and
384 3.2. SRTP Cryptographic Contexts
386 Each SRTP stream requires the sender and receiver to maintain
390 SRTP uses two types of keys: session keys and master keys. By a
403 RFC 3711 SRTP March 2004
408 mechanisms external to SRTP, see Section 8.
415 the cryptographic context for SRTP consist of:
420 SRTP extracts from the RTP packet header, the ROC is maintained by
421 SRTP as described in Section 3.3.1.
423 We define the index of the SRTP packet corresponding to a given
440 indices of recently received and authenticated SRTP packets,
442 * an MKI indicator (0/1) as to whether an MKI is present in SRTP and
460 RFC 3711 SRTP March 2004
463 * for each master key, there is a counter of the number of SRTP
470 In addition, for each master key, an SRTP stream MAY use the
490 to-one correspondence with the SRTP session key on which the
493 SRTCP SHALL by default share the crypto context with SRTP, except:
502 master key is the same as that for SRTP, see below), as a means to
506 Note in particular that the master key(s) MAY be shared between SRTP
517 RFC 3711 SRTP March 2004
521 several SRTP streams within a given RTP session, identified by their
525 SRTP/SRTCP parameter sharing above, separate replay lists and packet
527 separate SRTP indices MUST then be maintained.
530 for the above parameters (and other SRTP parameters) can be found in
539 Future SRTP transform specifications MUST include a section to list
543 3.2.3. Mapping SRTP Packets to Cryptographic Contexts
559 port are the ones in the SRTP packet. It is assumed that, when
563 As noted above, SRTP and SRTCP by default share the bulk of the
566 binding to the correspondent SRTP crypto context. It is up to the
574 RFC 3711 SRTP March 2004
578 management may choose to provide separate SRTP- and SRTCP- contexts,
580 latter approach then also enables SRTP and SRTCP to use, e.g.,
582 when multiple SRTP streams, forming part of one single RTP session,
588 3.3. SRTP Packet Processing
590 The following applies to SRTP. SRTCP is described in Section 3.4.
594 construct an SRTP packet:
599 2. Determine the index of the SRTP packet using the rollover counter,
631 RFC 3711 SRTP March 2004
641 To authenticate and decrypt an SRTP packet, the receiver SHALL do the
647 2. Run the algorithm in Section 3.3.1 to get the index of the SRTP
650 number in the SRTP packet, as described in Section 3.3.1.
653 the context is set to one, use the MKI in the SRTP packet,
688 RFC 3711 SRTP March 2004
701 SRTP implementations use an "implicit" packet index for sequencing,
702 i.e., not all of the index is explicitly carried in the SRTP packet.
718 packet in the sequence of all SRTP packets. A robust approach for
728 sequence number (SEQ) of the first observed SRTP packet (unless the
732 SRTP packets, the receiver SHOULD estimate the index
745 RFC 3711 SRTP March 2004
749 for SRTP packets for the session), the receiver MUST use v to
761 bits long, the maximum number of packets belonging to a given SRTP
763 defined transforms. After that number of SRTP packets have been sent
802 RFC 3711 SRTP March 2004
818 provided, SRTP protects against such attacks through a Replay List.
819 Each SRTP receiver maintains a Replay List, which conceptually
824 context by more than SRTP-WINDOW-SIZE can be assumed to have been
825 received, where SRTP-WINDOW-SIZE is a receiver-side, implementation-
859 RFC 3711 SRTP March 2004
869 mechanisms used in SRTP.
916 RFC 3711 SRTP March 2004
940 to the "implicit" index approach used for SRTP. The SRTCP
955 of SRTP by default, with the following changes:
964 selected for the protection of the associated SRTP stream(s),
973 RFC 3711 SRTP March 2004
976 than the one used by the corresponding SRTP. The expected use for
997 associated SRTP stream(s).
1030 RFC 3711 SRTP March 2004
1045 algorithms that can be used in SRTP, below we define default
1049 listed in Section 2. Recommendations on how to extend SRTP with new
1068 The distinct session keys and salts for SRTP/SRTCP are by default
1071 The encryption transforms defined in SRTP map the SRTP packet index
1077 Encrypted Portion of the SRTP packet. In case the payload size is
1087 RFC 3711 SRTP March 2004
1099 | Encrypted Portion of SRTP Packet|<--+
1102 Figure 3: Default SRTP Encryption Processing. Here KG denotes the
1110 The SRTP definition of the keystream is illustrated in Figure 3. The
1144 RFC 3711 SRTP March 2004
1163 SRTP packet index i, and the SRTP session salting key k_s, as below.
1172 distinct SRTP streams within the same RTP session, see the security
1194 implementation MUST ensure that the combination of the SRTP packet
1201 RFC 3711 SRTP March 2004
1211 an SRTP system needs to be protected as well as the key).
1258 RFC 3711 SRTP March 2004
1315 RFC 3711 SRTP March 2004
1333 4.1.2.2. f8 SRTP IV Formation
1338 The SRTP IV for 128-bit block AES-f8 SHALL be formed in the following
1372 RFC 3711 SRTP March 2004
1385 protected. In the case of SRTP, M SHALL consist of the Authenticated
1400 The distinct session authentication keys for SRTP/SRTCP are by
1408 SRTP receiver verifies a message/authentication tag pair by computing
1417 The pre-defined authentication transform for SRTP is HMAC-SHA1
1419 be 0. For SRTP (respectively SRTCP), the HMAC SHALL be applied to
1429 RFC 3711 SRTP March 2004
1437 is employed (it may be an SRTP pre-defined transform or newly
1438 introduced according to Section 6), interoperable SRTP
1439 implementations MUST use the SRTP key derivation to generate session
1442 parties that use SRTP key derivation.
1455 Figure 5: SRTP key derivation.
1457 At least one initial key derivation SHALL be performed by SRTP, i.e.,
1467 Interoperable SRTP implementations MAY also derive session salting
1475 [HAC]. For the purpose of key derivation in SRTP, a secure PRF with
1486 RFC 3711 SRTP March 2004
1497 (i.e., the 48-bit ROC || SEQ for SRTP):
1510 purposes. The n-bit SRTP key (or salt) for this packet SHALL then be
1520 - k_e (SRTP encryption): <label> = 0x00, n = n_e.
1522 - k_a (SRTP message authentication): <label> = 0x01, n = n_a.
1524 - k_s (SRTP salting key): <label> = 0x02, n = n_s.
1543 RFC 3711 SRTP March 2004
1557 SRTP. To do this securely, the following changes SHALL be done to
1561 Replace the SRTP index by the 32-bit quantity: 0 || SRTCP index
1579 SRTP. Of course, "mandatory-to-implement" does not imply
1590 SRTP and SRTCP.
1600 RFC 3711 SRTP March 2004
1620 than these defaults. For SRTP, smaller values are NOT RECOMMENDED,
1631 6. Adding SRTP Transforms
1635 SRTP, a companion standard track RFC MUST be written to exactly
1636 define how the new transform can be used with SRTP (and SRTCP). Such
1637 a companion RFC SHOULD avoid overlap with the SRTP protocol document.
1638 Note however, that it MAY be necessary to extend the SRTP or SRTCP
1641 fields to the SRTP/SRTCP packets. The companion RFC SHALL explain
1643 other aspects of SRTP.
1649 derivation, whether sharing of keys between SRTP and SRTCP is allowed
1657 RFC 3711 SRTP March 2004
1667 of SRTP.
1672 as six different keys are needed per crypto context (SRTP and SRTCP
1673 encryption keys and salts, SRTP and SRTCP authentication keys), but
1676 one master key (plus master salt when required), and then SRTP itself
1714 RFC 3711 SRTP March 2004
1731 No authentication transforms are currently provided in SRTP other
1746 specify these technologies. Thus SRTP data origin authentication in
1771 RFC 3711 SRTP March 2004
1776 As shown in Figure 1, the authentication tag is RECOMMENDED in SRTP.
1828 RFC 3711 SRTP March 2004
1831 Certainly not all SRTP or telephony applications meet the criteria
1840 for establishing an SRTP cryptographic context (e.g., an SRTP master
1844 key management systems that service SRTP session.
1846 For initialization, an interoperable SRTP implementation SHOULD be
1855 If the pre-defined transforms are used, SRTP allows sharing of the
1856 same master key between SRTP/SRTCP streams belonging to the same RTP
1859 First, sharing between SRTP streams belonging to the same RTP session
1866 Second, sharing between SRTP and the corresponding SRTCP is secure.
1867 The fact that an SRTP stream and its associated SRTCP stream both
1869 pad due to the key derivation. Thus, SRTP and SRTCP corresponding to
1873 uniqueness that is unrelated to the problem of keystream reuse: SRTP
1885 RFC 3711 SRTP March 2004
1888 used to distinguish between different SRTP streams. Were two streams
1892 SRTP/SRTCP MUST NOT share master keys under any other circumstances
1893 than the ones given above, i.e., between SRTP and its corresponding
1899 re-key within SRTP is by associating a master key in a crypto context
1905 bits, therefore SRTP also defines a more economic way of triggering
1909 SRTP senders SHALL count the amount of SRTP and SRTCP traffic being
1912 interface to SRTP and are not defined by this protocol specification.
1916 In addition to the use of the MKI, SRTP defines another optional
1918 specifies the range of SRTP indices (a pair of sequence number and
1920 part of the crypto context. By looking at the 48-bit SRTP index of
1921 the current SRTP packet, the corresponding master key can be found by
1923 most recently observed/used SRTP index (which can be obtained from
1942 RFC 3711 SRTP March 2004
1951 the correspondent SRTP stream, i.e., when the SRTP stream changes the
1957 SRTP/SRTCP packets that are sent under each given master/session key
1969 The table below lists all SRTP parameters that key management can
1971 mandatory-to-support values for an SRTP implementation as described
1999 RFC 3711 SRTP March 2004
2005 SRTP and SRTCP encr transf. AES_CM, NULL AES_CM
2008 SRTP and SRTCP auth transf. HMAC-SHA1 HMAC-SHA1
2010 SRTP and SRTCP auth params:
2012 SRTP prefix_length 0 0
2027 SRTP-packets-max-lifetime 2^48 2^48
2043 sender's order between FEC and SRTP FEC-SRTP FEC-SRTP
2056 RFC 3711 SRTP March 2004
2069 SRTP and SRTCP keying material; this requirement is to avoid
2071 management. Furthermore, in SRTP, a "two-time pad" is avoided by
2074 defined SRTP transforms accomplish packet-uniqueness by including the
2105 participant to leave the SRTP session as it is a sign of malfunction.
2113 RFC 3711 SRTP March 2004
2128 in [MF00]. In summary, the effective key size of SRTP when used in a
2142 The use of the SRTP and SRTCP indices in the pre-defined transforms
2144 key. This limit is fixed to 2^48 SRTP packets for an SRTP stream,
2145 and 2^31 SRTCP packets, when SRTP and SRTCP are considered
2149 SRTP and SRTCP streams are derived from the same master key (the
2152 is, when 2^48 SRTP packets or 2^31 SRTCP packets have been secured
2156 a sender of RTCP discovers that the sender of SRTP (or SRTCP) has not
2157 updated the master or session key prior to sending 2^48 SRTP (or 2^31
2158 SRTCP) packets belonging to the same SRTP (SRTCP) stream, it is up to
2170 RFC 3711 SRTP March 2004
2179 Note that if the master key is to be shared between SRTP streams
2200 implementation can be plugged into SRTP without problems. Since the
2213 SRTP's pre-defined ciphers are "seekable" stream ciphers, i.e.,
2217 SRTP avoids the denial of service attacks that are possible on stream
2227 RFC 3711 SRTP March 2004
2245 In SRTP, RTP headers are sent in the clear to allow for header
2252 SRTP is a low-cost method, which allows header compression to reduce
2260 SRTP messages are subject to attacks on their integrity and source
2262 SRTP stream SHOULD be protected
2271 SRTP MAY be used with weak authentication (e.g., a 32-bit
2273 authentication algorithm). These options allow SRTP to be used to
2284 RFC 3711 SRTP March 2004
2300 packets passed to the RTP application by the SRTP receiver can be
2341 RFC 3711 SRTP March 2004
2398 RFC 3711 SRTP March 2004
2410 used together with CBC mode. Later transform additions to SRTP MUST
2426 2733) processing with SRTP SHALL be to perform FEC processing prior
2427 to SRTP processing on the sender side and to perform SRTP processing
2429 ordering (reversing it, or, placing FEC between SRTP encryption and
2430 SRTP authentication) SHALL be signaled out of band.
2434 SRTP can be used as security protocol for the RTP/RTCP traffic in
2435 many different scenarios. SRTP has a number of configuration
2438 used. Hence, the use of SRTP is dependent on the kind of scenario
2440 illustrate some use cases for SRTP, and give some guidelines for
2455 RFC 3711 SRTP March 2004
2486 Reports that the sender might need to process. In SRTP, the sender
2497 same one used by the sender to protect its outbound SRTP traffic.
2512 RFC 3711 SRTP March 2004
2516 case key derivation is wanted for SRTP, the cryptographic context for
2517 SRTP can be kept separate from the SRTCP crypto context, so that it
2519 zero value for SRTP.
2524 If there are more than one SRTP/SRTCP stream (within the same RTP
2525 session) that share the master key, the upper limit of 2^48 SRTP
2547 SRTP default transforms, the master key MUST be replaced before any
2551 How key management re-keys SRTP implementations is out of scope, but
2569 RFC 3711 SRTP March 2004
2580 As mentioned, there are potential problems in using the SRTP index,
2584 of the correspondent SRTP. Therefore, using the MKI for re-keying in
2590 the use of SRTP, mainly related to re-keying and large scale
2598 - If multiple SRTP streams in the same RTP session share the same
2613 SRTP uses cryptographic transforms which a key management protocol
2617 not SRTP, and each key management protocol chooses the numbering
2626 RFC 3711 SRTP March 2004
2629 Specification of a key management protocol for SRTP is out of scope
2683 RFC 3711 SRTP March 2004
2740 RFC 3711 SRTP March 2004
2797 RFC 3711 SRTP March 2004
2854 RFC 3711 SRTP March 2004
2860 determine the index i of an SRTP packet with sequence number SEQ. In
2884 SRTP PREFIX LENGTH : 0
2911 RFC 3711 SRTP March 2004
2968 RFC 3711 SRTP March 2004
3025 RFC 3711 SRTP March 2004
3082 RFC 3711 SRTP March 2004
3139 RFC 3711 SRTP March 2004
