<?% config.freshness.reviewed = '2021-05-13' %?>
<?% config.freshness.owner = 'hta' %?>

# SRTP in WebRTC

WebRTC mandates encryption of media by means of the Secure Real-time Transport
Protocol, or SRTP, which is described in
[RFC 3711](https://datatracker.ietf.org/doc/html/rfc3711).

The key negotiation in WebRTC happens using DTLS-SRTP, which is described in
[RFC 5764](https://datatracker.ietf.org/doc/html/rfc5764). The older
[SDES protocol](https://datatracker.ietf.org/doc/html/rfc4568) is implemented
but not enabled by default.

Unencrypted RTP can be enabled for debugging purposes by setting the
PeerConnection's [`disable_encryption`][1] option to true.

## Supported cipher suites

The implementation supports the following cipher suites:

* SRTP_AES128_CM_HMAC_SHA1_80
* SRTP_AEAD_AES_128_GCM
* SRTP_AEAD_AES_256_GCM

The SRTP_AES128_CM_HMAC_SHA1_32 cipher suite is accepted for audio-only
connections if offered by the other side. It is not actively supported; see
[SelectCrypto][2] for details.

The cipher suite ordering allows a non-WebRTC peer to prefer GCM cipher suites;
however, they are not selected by default by two instances of the WebRTC library.

## cricket::SrtpSession

The [`cricket::SrtpSession`][3] provides encryption and decryption of SRTP
packets using [`libsrtp`](https://github.com/cisco/libsrtp). Keys are
provided by `SrtpTransport` or `DtlsSrtpTransport` in the [`SetSend`][4] and
[`SetRecv`][5] methods.

Encryption and decryption happen in-place in the [`ProtectRtp`][6],
[`ProtectRtcp`][7], [`UnprotectRtp`][8] and [`UnprotectRtcp`][9] methods. The
`SrtpSession` class also takes care of initializing and deinitializing `libsrtp`
by keeping track of how many instances are being used.

## webrtc::SrtpTransport and webrtc::DtlsSrtpTransport

The [`webrtc::SrtpTransport`][10] class controls the `SrtpSession`
instances for RTP and RTCP. When
[rtcp-mux](https://datatracker.ietf.org/doc/html/rfc5761) is used, the
`SrtpSession` for RTCP is not needed.

[`webrtc::DtlsSrtpTransport`][11] is a subclass of the `SrtpTransport` that
extracts the keying material when the DTLS handshake is done and configures it
in its base class. It will also become writable only once the DTLS handshake is
done.

## cricket::SrtpFilter

The [`cricket::SrtpFilter`][12] class is used to negotiate SDES.
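
The keying-material step that `DtlsSrtpTransport` performs after the DTLS handshake, sketched per RFC 5764 section 4.2 for the three supported cipher suites. This is an added illustration, not WebRTC's own code: `SplitKeyingMaterial`, `ParamsFor` and `ConstructedEkm` are hypothetical names, and the input bytes are constructed.

```cpp
#include <cstddef>
#include <cstdint>
#include <string>
#include <vector>

// Master key/salt lengths in bytes (RFC 3711 and RFC 7714). Only the three
// suites the page lists as supported; anything else gets key_len == 0.
struct SuiteParams { size_t key_len; size_t salt_len; };

SuiteParams ParamsFor(const std::string& suite) {
  if (suite == "SRTP_AES128_CM_HMAC_SHA1_80") return {16, 14};
  if (suite == "SRTP_AEAD_AES_128_GCM") return {16, 12};
  if (suite == "SRTP_AEAD_AES_256_GCM") return {32, 12};
  return {0, 0};
}

struct SrtpKeys {
  bool ok;                    // false when the suite or length is rejected
  std::vector<uint8_t> send;  // master key || master salt, outgoing
  std::vector<uint8_t> recv;  // master key || master salt, incoming
};

// Splits DTLS exporter output (label "EXTRACTOR-dtls_srtp"), laid out as
// client_key | server_key | client_salt | server_salt (RFC 5764, 4.2).
SrtpKeys SplitKeyingMaterial(const std::vector<uint8_t>& ekm,
                             const std::string& suite, bool is_dtls_client) {
  const SuiteParams p = ParamsFor(suite);
  SrtpKeys keys{false, {}, {}};
  if (p.key_len == 0 || ekm.size() != 2 * (p.key_len + p.salt_len)) return keys;
  const size_t salt_base = 2 * p.key_len;
  // index 0 selects the client's key and salt, index 1 the server's.
  auto join = [&](size_t index) -> std::vector<uint8_t> {
    auto key = ekm.begin() + index * p.key_len;
    auto salt = ekm.begin() + salt_base + index * p.salt_len;
    std::vector<uint8_t> out(key, key + p.key_len);
    out.insert(out.end(), salt, salt + p.salt_len);
    return out;
  };
  // Each side sends with its own write key and receives with the peer's.
  keys.send = join(is_dtls_client ? 0 : 1);
  keys.recv = join(is_dtls_client ? 1 : 0);
  keys.ok = true;
  return keys;
}

// Constructed sample: n bytes 0, 1, 2, ... standing in for exporter output.
std::vector<uint8_t> ConstructedEkm(size_t n) {
  std::vector<uint8_t> v(n);
  for (size_t i = 0; i < n; ++i) v[i] = static_cast<uint8_t>(i);
  return v;
}
```

Rejecting a length mismatch instead of truncating or padding keeps a suite disagreement between the DTLS layer and the SRTP layer from silently producing keys of the wrong size.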

[1]: https://source.chromium.org/chromium/chromium/src/+/main:third_party/webrtc/api/peer_connection_interface.h;l=1413;drc=f467b445631189557d44de86a77ca6a0c3e2108d
[2]: https://source.chromium.org/chromium/chromium/src/+/main:third_party/webrtc/pc/media_session.cc;l=297;drc=3ac73bd0aa5322abee98f1ff8705af64a184bf61
[3]: https://source.chromium.org/chromium/chromium/src/+/main:third_party/webrtc/pc/srtp_session.h;l=33;drc=be66d95ab7f9428028806bbf66cb83800bda9241
[4]: https://source.chromium.org/chromium/chromium/src/+/main:third_party/webrtc/pc/srtp_session.h;l=40;drc=be66d95ab7f9428028806bbf66cb83800bda9241
[5]: https://source.chromium.org/chromium/chromium/src/+/main:third_party/webrtc/pc/srtp_session.h;l=51;drc=be66d95ab7f9428028806bbf66cb83800bda9241
[6]: https://source.chromium.org/chromium/chromium/src/+/main:third_party/webrtc/pc/srtp_session.h;l=62;drc=be66d95ab7f9428028806bbf66cb83800bda9241
[7]: https://source.chromium.org/chromium/chromium/src/+/main:third_party/webrtc/pc/srtp_session.h;l=69;drc=be66d95ab7f9428028806bbf66cb83800bda9241
[8]: https://source.chromium.org/chromium/chromium/src/+/main:third_party/webrtc/pc/srtp_session.h;l=72;drc=be66d95ab7f9428028806bbf66cb83800bda9241
[9]: https://source.chromium.org/chromium/chromium/src/+/main:third_party/webrtc/pc/srtp_session.h;l=73;drc=be66d95ab7f9428028806bbf66cb83800bda9241
[10]: https://source.chromium.org/chromium/chromium/src/+/main:third_party/webrtc/pc/srtp_transport.h;l=37;drc=a4d873786f10eedd72de25ad0d94ad7c53c1f68a
[11]: https://source.chromium.org/chromium/chromium/src/+/main:third_party/webrtc/pc/dtls_srtp_transport.h;l=31;drc=2f8e0536eb97ce2131e7a74e3ca06077aa0b64b3
[12]: https://source.chromium.org/chromium/chromium/src/+/main:third_party/webrtc/pc/srtp_filter.h;drc=d15a575ec3528c252419149d35977e55269d8a41