Secure Real-time Transport Protocol

SRTP and SRTCP use Advanced Encryption Standard (AES) as the default cipher. There are two cipher modes defined which allow the AES block cipher to be used as a stream cipher: ; Segmented Integer Counter Mode: A typical counter mode, which allows random access to any blocks, which is essential for RTP traffic running over unreliable network with possible loss of packets. In the general case, almost any function can be used in the role of counter, assuming that this function does not repeat for a large number of iterations. But the standard for encryption of RTP data is just a usual integer incremental counter. AES running in this mode is the default encryption algorithm, with a default key size of 128 bits and a default session salt key length of 112 bits. ; f8-mode: A variation of output feedback mode, enhanced to be seekable and with an altered initialization function. The default values of the encryption key and salt key are the same as for AES in counter mode. (AES running in this mode has been chosen to be used in 3G mobile networks.) Besides the AES cipher, SRTP allows the ability to disable encryption outright, using the so-called null encryption cipher, which can be assumed as an alternate supported cipher. In fact, the null encryption cipher does not perform any encryption; the encryption algorithm functions as the identity function, and copies the input stream to the output stream without any changes. It is mandatory for this cipher mode to be implemented in any SRTP-compatible system. As such, it can be used when the confidentiality guarantees ensured by SRTP are not required, while other SRTP features, such as authentication and message integrity, may be used. Though SRTP can easily accommodate new encryption algorithms, the SRTP standard states that new encryption algorithms may only be introduced through publication of a new companion standard track RFC which must clearly define the new algorithm. == Authentication, integrity and replay protection ==

The above-listed encryption algorithms do not alone secure message integrity, an attacker will not be able to decrypt data but may be able to forge or replay previously transmitted data. Hence the SRTP standard also provides the means to secure the integrity of data and safety from replay. To authenticate the message and protect its integrity, the HMAC-SHA1 algorithm is used. This produces a 160-bit result, which is then truncated to 80 or 32 bits to become the authentication tag appended to each packet. The HMAC is calculated over the packet payload and material from the packet header, including the packet sequence number. To protect against replay attacks, the receiver maintains the sequence numbers of previously received messages, compares them with the sequence number in each new received message and admits the new message only if it has not been previously received. This approach relies on the integrity protection to make it impossible to modify the sequence number without detection. == Key derivation ==

A key derivation function is used to derive the different keys used in a crypto context (SRTP and SRTCP encryption keys and salts, SRTP and SRTCP authentication keys) from one single master key in a cryptographically secure way. Thus, the key management protocol needs to exchange only one master key, all the necessary session keys are generated by applying the key derivation function. Periodic application of the key derivation function prevents an attacker from collecting large amounts of ciphertext encrypted with one single session key. This provides protection against certain attacks which are easier to carry out when a large amount of ciphertext is available. Furthermore, multiple applications of the key derivation function provides backwards and forward security in the sense that a compromised session key does not compromise other session keys derived from the same master key. This means that even if an attacker managed to recover a session key, he is not able to decrypt messages secured with previous and later session keys derived from the same master key. (Note that, of course, a leaked master key reveals all the session keys derived from it.) SRTP relies on an external key management protocol to set up the initial master key. Two protocols specifically designed to be used with SRTP are ZRTP and MIKEY. There are also other methods to negotiate the SRTP keys. There are several vendors which offer products that use the SDES key exchange method. == DTLS-SRTP ==

• has defined DTLS-SRTP. DTLS-SRTP uses the DTLS protocol to deliver master key, and allows public key authentication. == Interoperability and applications ==

See '''' for phones, servers and applications that support SRTP. Telephony (VoIP) • Asterisk (PBX) Web browser support Known web browsers with SRTP support of some kind • Blink (browser engine) family • Chromium (web browser) supporting (but not universally) SRTP experimentally since 2016 • Opera (web browser) • Vivaldi (web browser) Web browser families with some level of SRTP in the mainline updating branches from the core rendering system • Gecko (software) • MSHTML (superseded, but minimal support existed at time of expiration) • WebKit So far no known SRTP support exists for text-based web browsers. == Standards documents ==

• , Proposed Standard, The Secure Real-time Transport Protocol (SRTP) • , Proposed Standard, Integrity Transform Carrying Roll-Over Counter for the Secure Real-time Transport Protocol (SRTP) • , Standard 65, RTP Profile for Audio and Video Conferences with Minimal Control • , Standard 64, RTP: A Transport Protocol for Real-Time Applications • , Informational, HMAC: Keyed-Hashing for Message Authentication • , Proposed Standard, AES-GCM authenticated encryption in the Secure Real-time Transport Protocol (SRTP) == References ==