Secure Real-time Transport Protocol
The Secure Real-time Transport Protocol (SRTP) is a profile for Real-time Transport Protocol (RTP) intended to provide encryption, message authentication and integrity, and replay attack protection to the RTP data in both unicast and multicast applications. It was developed by a small team of Internet Protocol and cryptographic experts from Cisco and Ericsson. It was first published by the IETF in March 2004 as RFC 3711.
Since RTP is accompanied by the RTP Control Protocol (RTCP) which is used to control an RTP session, SRTP has a sister protocol, called Secure RTCP (SRTCP); it securely provides the same functions to SRTP as the ones provided by RTCP to RTP.
Utilization of SRTP or SRTCP is optional in RTP or RTCP applications; but even if SRTP or SRTCP are used, all provided features (such as encryption and authentication) are optional and can be separately enabled or disabled. The only exception is the message authentication feature which is indispensable and required when using SRTCP.
Authentication, integrity and replay protection[edit]
The above-listed encryption algorithms do not alone secure message integrity, an attacker will not be able to decrypt data but may be able to forge or replay previously transmitted data. Hence the SRTP standard also provides the means to secure the integrity of data and safety from replay.
To authenticate the message and protect its integrity, the HMAC-SHA1 algorithm[1] is used. This produces a 160-bit result, which is then truncated to 80 or 32 bits to become the authentication tag appended to each packet. The HMAC is calculated over the packet payload and material from the packet header, including the packet sequence number. To protect against replay attacks, the receiver maintains the sequence numbers of previously received messages, compares them with the sequence number in each new received message and admits the new message only if it has not been previously received. This approach relies on the integrity protection to make it impossible to modify the sequence number without detection.
Key derivation[edit]
A key derivation function is used to derive the different keys used in a crypto context (SRTP and SRTCP encryption keys and salts, SRTP and SRTCP authentication keys) from one single master key in a cryptographically secure way. Thus, the key management protocol needs to exchange only one master key, all the necessary session keys are generated by applying the key derivation function.
Periodic application of the key derivation function prevents an attacker from collecting large amounts of ciphertext encrypted with one single session key. This provides protection against certain attacks which are easier to carry out when a large amount of ciphertext is available. Furthermore, multiple applications of the key derivation function provides backwards and forward security in the sense that a compromised session key does not compromise other session keys derived from the same master key. This means that even if an attacker managed to recover a session key, he is not able to decrypt messages secured with previous and later session keys derived from the same master key. (Note that, of course, a leaked master key reveals all the session keys derived from it.)
SRTP relies on an external key management protocol to set up the initial master key. Two protocols specifically designed to be used with SRTP are ZRTP and MIKEY. There are also other methods to negotiate the SRTP keys. There are several vendors which offer products that use the SDES key exchange method.