The Session Description Protocol Security Description for Media Streams (SDES -RFC 4568) defines a mechanism to negotiate the cryptographic parameters necessary for the Secure Real-time Transport Protocol (SRTP). Specifically, a cryptographic attribute may be added to Session Description Protocol (SDP) unicast media streams. Using the standard SDP offer/answer model, the crypto-suite to be used can be negotiated, as well as other cryptographic parameters (i.e. keys, salts, etc) necessary for SRTP to secure the media stream.
The media attribute defined by SDES is “crypto”, such that a=crypto:<tag> <crypto-suite> inline:<key||salt> [session-parms]
Where:
- tag = unique numeric identifier used by answerer to indicate which crypto attribute is acceptable
- crypto-suite = the exact encryption and authentication transforms to be used for SRTP media stream
- key||salt = concatenated master key and salt, base64 encoded
- session-parms = optional session parameters (i.e. master key lifetime, master key identifier and length, FEC parameters, etc).
In the base specifications, there were only three different crypto-suites defined by SDES, using different variations of AES and SHA1 to provide encryption and authentication, respectively. These three crypto-suites are :
- AES_CM_128_HMAC_SHA1_80
- AES_CM_128_HMAC_SHA1_32
- F8_128_HMAC_SHA1_32
VOCAL’s SDES library also optionally supports
from RFC6188:
- AES_192_CM_HMAC_SHA1_80
- AES_192_CM_HMAC_SHA1_32
- AES_256_CM_HMAC_SHA1_80
- AES_256_CM_HMAC_SHA1_32
from RFC 8269:
- SRTP_ARIA_128_CTR_HMAC_80
- SRTP_ARIA_128_CTR_HMAC_32
- SRTP_ARIA_256_CTR_HMAC_80
- SRTP_ARIA_256_CTR_HMAC_32
from RFC 7714:
- RTP AEAD_AES_128_GCM
- RTP AEAD_AES_256_GCM
While the same crypto-suite is used by both the offerer and answerer, the same keys and salts are not to be used by each side. Therefore, each side will generate and pass these parameters using SDP. At this point to avoid exposing these parameters to unauthorized access, another data security protocol (i.e. SSLv3/TLSv1, etc.) should be used in order to provide security for the SDP messages.
VOCAL’s SDES implementation is optimized for execution on ANSI C and leading DSP architectures. Our embedded software libraries include a complete range of ETSI / ITU / IEEE compliant algorithms, in addition to many other standard and proprietary algorithms. VOCAL’s SDES library is available standalone or with a VoIP stack for convenient integration with developer applications.
Features
- compliant with the Session Description Protocol Security Description for Media Streams RFC 4568
- can be used with SRTP to provide secure voice/video media streams
- straightforward key exchange method
Platforms
- TI TMS320C62x, C64x, C67x, DaVinci
- TI TMS320C54x, TMS320C55x
- TI OMAP
- ADI Blackfin, ADSP-21xx
Please contact us for details regarding other supported platforms.