The Session Description Protocol Security Description for Media Streams (SDES) defines a mechanism to negotiate the cryptographic parameters necessary for the Secure Real-time Transport Protocol (SRTP). Specifically, a cryptographic attribute may be added to Session Description Protocol (SDP) unicast media streams. Using the standard SDP offer/answer model, the crypto-suite to be used can be negotiated, as well as other cryptographic parameters (i.e. keys, salts, etc) necessary for SRTP to secure the media stream.
The media attribute defined by SDES is "crypto", such that
a=crypto:<tag> <crypto-suite> inline:<key||salt> [session-parms] and
At present, there are only three different crypto-suites defined by SDES, using different variations of AES and SHA1 to provide encryption and authentication, respectively. These three crypto-suites are AES_CM_128_HMAC_SHA1_80, AES_CM_128_HMAC_SHA1_32, F8_128_HMAC_SHA1_32. While the same crypto-suite is used by both the offerer and answerer, the same keys and salts are not to be used by each side. Therefore, each side will generate and pass these parameters using SDP. At this point it should be noted that another data security protocol (i.e. SSLv3/TLSv1, etc.) should be used in order to provide security for the SDP messages.
SRTP is the security layer which resides between the RTP/RTCP application layer and the transport layer, generating SRTP packets from the RTP/RTCP stream and forwarding these to the receiver. Similarly, it also transforms incoming SRTP packets to RTP/RTCP packets and passes these up the stack. The cryptographic state information associated with each SRTP stream is termed the cryptographic context. It must be maintained by both the sender and receiver of SRTP streams. If there are several SRTP streams present within a given RTP session, separate cryptographic contexts must be maintained for each. A cryptographic context includes any session key (a key directly in encryption/message authentication) and the master key (a securely exchanged random bit string used to derive session keys), as well as other working session parameters.
VOCAL's embedded software libraries include a complete range of ETSI / ITU / IEEE compliant algorithms, in addition to many other standard and proprietary algorithms. Our software is optimized for execution on ANSI C and leading DSP architectures (TI, ADI, AMD, ARM, MIPS, CEVA, LSI Logic ZSP, etc.). These include a suite of encryption libraries (AES, 3-DES, etc.), which have a small footprint and are optimized for high performance.