Re: [Linphone-developers] Set Master Key for SRTP in linphone
From: Greg Troxel
Subject: Re: [Linphone-developers] Set Master Key for SRTP in linphone
Date: Thu, 04 Jun 2020 06:51:51 -0400
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/26.3 (berkeley-unix)
Mark Murawski <markm-lists@intellasoft.net> writes:
> Here is specific information about how SRTP operates:
> https://tools.ietf.org/html/rfc3711
>
> See this section on Key Derivation:
> https://tools.ietf.org/html/rfc3711#section-4.3.1
[It is still on my TODO list to really understand the entire SRTP ecosystem.]
That explains how to go from a provided master key to individual
algorithm keys, and section 8 talks about external key management.
I realize it's conventional to label this "SRTP" in a UI, but it seems
that these UIs are mislabeled, in that SRTP itself, without an associated
key management scheme, requires providing a key to both endpoints.
When people and programs simply say "SRTP", I think they could mean
either of these:
Session Description Protocol (SDP) Security Descriptions for Media Streams
https://tools.ietf.org/html/rfc4568
SRTP Extension for DTLS
https://tools.ietf.org/html/rfc5764
The first is about SIP providing keys over the TLS-protected signaling
channel.
The second is within the data channel, but has a scheme to bootstrap
authentication from the signaling channel:
    A DTLS-SRTP session may be indicated by an external signaling
    protocol like SIP. When the signaling exchange is integrity-
    protected (e.g., when SIP Identity protection via digital signatures
    is used), DTLS-SRTP can leverage this integrity guarantee to provide
    complete security of the media stream. A description of how to
    indicate DTLS-SRTP sessions in SIP and SDP [RFC4566], and how to
    authenticate the endpoints using fingerprints can be found in
    [RFC5763].
So:
What is linphone doing when configured for "SRTP"?
What is linphone doing when configured for "DTLS"?
Do people think it is a bug that the UI does not make this clear?
Or is it obvious that SRTP is short for "SDES-SRTP (RFC4568)"?
And that DTLS is short for RFC5764?
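Added example, not part of the thread and not linphone's code: a small Python checker for the question the message raises. Given an SDP offer, it reports per media section whether keying is SDES (an a=crypto line carrying the master key in the signaling, RFC 4568), DTLS-SRTP (a certificate fingerprint plus an a=setup role, keys coming from the DTLS handshake, RFC 5763/5764), both at once, a secure profile with no keying material, or plain RTP. It also flags an SDES offer that arrived over unprotected signaling, because the master key is exactly as secret as that channel. The two offers below are constructed for the example, not captured from linphone; the SDES inline value is the base64 of the RFC 3711 Appendix B.3 master key and salt, and the fingerprint is a made-up value.

```python
import base64

# Master key and master salt lengths, in bytes, of the RFC 4568 crypto-suites built on AES-CM-128.
SDES_KEY_SALT_LEN = {
    "AES_CM_128_HMAC_SHA1_80": (16, 14),
    "AES_CM_128_HMAC_SHA1_32": (16, 14),
    "F8_128_HMAC_SHA1_80": (16, 14),
}


def parse_crypto(line):
    """Split one 'a=crypto:' attribute (RFC 4568 section 9.1) into tag, suite and key material."""
    tag, suite, key_params, *session_params = line[len("a=crypto:"):].split()
    # key-params = "inline:" base64(master key || master salt) ["|" lifetime] ["|" MKI ":" length]
    parts = key_params.split("|")
    if not parts[0].startswith("inline:"):
        raise ValueError("SDES only defines the 'inline:' key method")
    raw = base64.b64decode(parts[0][len("inline:"):])
    key_len, salt_len = SDES_KEY_SALT_LEN[suite]
    if len(raw) != key_len + salt_len:
        raise ValueError("%s carries %d key bytes, expected %d" % (suite, len(raw), key_len + salt_len))
    return {
        "tag": int(tag),
        "suite": suite,
        "master_key": raw[:key_len],
        "master_salt": raw[key_len:],
        "lifetime": parts[1] if len(parts) > 1 else None,
        "mki": parts[2] if len(parts) > 2 else None,
        "session_params": session_params,
    }


def classify_sdp(sdp, signaling_over_tls=True):
    """Report, for every m= section of an SDP offer, which SRTP keying scheme it relies on."""
    lines = [l.strip() for l in sdp.splitlines() if l.strip()]
    sections, current = [], []
    for l in lines:
        if l.startswith("m="):
            sections.append(current)
            current = []
        current.append(l)
    sections.append(current)
    session, media = sections[0], sections[1:]
    # A session-level fingerprint applies to every media section.
    session_fp = any(l.startswith("a=fingerprint:") for l in session)
    report = []
    for sec in media:
        mline = sec[0].split()
        proto = mline[2]
        secure = proto.endswith(("SAVP", "SAVPF"))   # RTP/SAVP, UDP/TLS/RTP/SAVP, ...
        crypto = [parse_crypto(l) for l in sec if l.startswith("a=crypto:")]
        fingerprint = session_fp or any(l.startswith("a=fingerprint:") for l in sec)
        has_setup = any(l.startswith("a=setup:") for l in sec)
        if crypto and fingerprint:
            keying = "both"               # answerer picks; worth a closer look
        elif crypto:
            keying = "SDES"               # RFC 4568: master key is inside the SDP
        elif fingerprint and secure:
            keying = "DTLS-SRTP"          # RFC 5764: keys come from the DTLS handshake
        elif secure:
            keying = "SAVP-without-keys"  # secure profile offered, nothing to key it with
        else:
            keying = "plain-RTP"
        warnings = []
        if crypto and not signaling_over_tls:
            warnings.append("SDES master key sent over unprotected signaling")
        if keying == "DTLS-SRTP" and not has_setup:
            warnings.append("DTLS-SRTP offer carries no a=setup role")
        report.append({"media": mline[0][2:], "proto": proto, "keying": keying,
                       "crypto": crypto, "warnings": warnings})
    return report


# Constructed sample offers, not captures from linphone.
SDES_OFFER = "\r\n".join([
    "v=0", "o=- 1 1 IN IP4 192.0.2.10", "s=-", "c=IN IP4 192.0.2.10", "t=0 0",
    "m=audio 7078 RTP/SAVP 0 8 101",
    # inline value: base64 of the RFC 3711 Appendix B.3 master key || master salt
    "a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:4fl6DT4Bi+DWT6MsBt5BOQ7Gda1Jiv7rtpYLOqvm|2^20|1:4",
    "m=video 9078 RTP/AVP 96",
])
DTLS_OFFER = "\r\n".join([
    "v=0", "o=- 1 1 IN IP4 192.0.2.10", "s=-", "c=IN IP4 192.0.2.10", "t=0 0",
    "m=audio 7078 UDP/TLS/RTP/SAVP 0 8 101",
    "a=setup:actpass",
    # made-up fingerprint; a real one is the hash of the endpoint's DTLS certificate
    "a=fingerprint:sha-256 " + ":".join("%02X" % b for b in range(32)),
])

if __name__ == "__main__":
    for name, offer, tls in (("SDES over plain TCP", SDES_OFFER, False), ("DTLS-SRTP", DTLS_OFFER, True)):
        for m in classify_sdp(offer, signaling_over_tls=tls):
            print(name, m["media"], m["proto"], m["keying"], m["warnings"])
```

Running the SDP that linphone actually emits in each of its modes (from a SIP trace, for instance) through classify_sdp answers the question empirically rather than from the label: an a=crypto line means SDES, a fingerprint with a UDP/TLS/RTP/SAVP m-line means DTLS-SRTP.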
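Added example of the derivation in RFC 3711 section 4.3.1 that the message points to (example code written for this page, not linphone's or any library's implementation): from a master key and master salt, the PRF forms x = (label || r) XOR master_salt and runs AES in counter mode under the master key starting at counter x * 2^16, taking 128 bits for the cipher key (label 0x00), 160 bits for the HMAC-SHA1 auth key (label 0x01) and 112 bits for the session salt (label 0x02). The AES-128 block function is a minimal pure-Python one included only so the example runs without dependencies; the inputs are the RFC's own Appendix B.3 test vector, so the printed outputs can be checked against the RFC.

```python
# Minimal AES-128 block encryption in pure Python, present only so the KDF below runs
# with no dependencies. Not constant-time and not for production use.
def _xtime(a):
    a <<= 1
    return (a ^ 0x11B) & 0xFF if a & 0x100 else a

def _gmul(a, b):
    p = 0
    while b:
        if b & 1:
            p ^= a
        a, b = _xtime(a), b >> 1
    return p

def _make_sbox():
    exp, log = [0] * 256, [0] * 256
    x = 1
    for i in range(255):            # exp/log tables over GF(2^8) with generator 0x03
        exp[i], log[x] = x, i
        x = _gmul(x, 3)
    sbox = []
    for i in range(256):
        inv = exp[(255 - log[i]) % 255] if i else 0
        v, r = inv, inv
        for _ in range(4):          # affine map: inv xor its four left rotations, xor 0x63
            v = ((v << 1) | (v >> 7)) & 0xFF
            r ^= v
        sbox.append(r ^ 0x63)
    return sbox

SBOX = _make_sbox()

def _expand_key(key):
    w = [list(key[i:i + 4]) for i in range(0, 16, 4)]
    rcon = 1
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]
            t[0] ^= rcon
            rcon = _xtime(rcon)
        w.append([w[i - 4][j] ^ t[j] for j in range(4)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(11)]   # 11 round keys, column-major

def aes128_encrypt_block(key, block):
    rk = _expand_key(key)
    s = [b ^ k for b, k in zip(block, rk[0])]
    for rnd in range(1, 11):
        s = [SBOX[b] for b in s]                              # SubBytes
        s = [s[(i + 4 * (i % 4)) % 16] for i in range(16)]    # ShiftRows on column-major state
        if rnd < 10:                                          # MixColumns
            mixed = []
            for j in range(0, 16, 4):
                a0, a1, a2, a3 = s[j:j + 4]
                mixed += [_gmul(a0, 2) ^ _gmul(a1, 3) ^ a2 ^ a3,
                          a0 ^ _gmul(a1, 2) ^ _gmul(a2, 3) ^ a3,
                          a0 ^ a1 ^ _gmul(a2, 2) ^ _gmul(a3, 3),
                          _gmul(a0, 3) ^ a1 ^ a2 ^ _gmul(a3, 2)]
            s = mixed
        s = [b ^ k for b, k in zip(s, rk[rnd])]               # AddRoundKey
    return bytes(s)

def srtp_prf(master_key, master_salt, label, r, n_bytes):
    """RFC 3711 section 4.3.1 PRF: x = key_id XOR master_salt, keystream = AES-CM(master_key, x * 2^16)."""
    key_id = bytes([label]) + r.to_bytes(6, "big")                        # label || r, 56 bits
    x = bytes(a ^ b for a, b in zip(master_salt, b"\x00" * 7 + key_id))  # right-aligned into the 112-bit salt
    ctr = int.from_bytes(x + b"\x00\x00", "big")                         # x * 2^16: the 128-bit AES-CM counter
    out = b""
    while len(out) < n_bytes:
        out += aes128_encrypt_block(master_key, ctr.to_bytes(16, "big"))
        ctr = (ctr + 1) & ((1 << 128) - 1)
    return out[:n_bytes]

def derive_session_keys(master_key, master_salt, index=0, kdr=0):
    """SRTP session keys. r = index DIV kdr, with the RFC's convention that a DIV 0 = 0."""
    r = 0 if kdr == 0 else index // kdr
    return {
        "cipher_key": srtp_prf(master_key, master_salt, 0x00, r, 16),   # 128-bit AES-CM key
        "auth_key":   srtp_prf(master_key, master_salt, 0x01, r, 20),   # 160-bit HMAC-SHA1 key
        "salt":       srtp_prf(master_key, master_salt, 0x02, r, 14),   # 112-bit session salt
    }

if __name__ == "__main__":
    # RFC 3711 Appendix B.3 inputs; the RFC lists the expected outputs for these.
    keys = derive_session_keys(bytes.fromhex("E1F97A0D3E018BE0D64FA32C06DE4139"),
                               bytes.fromhex("0EC675AD498AFEEBB6960B3AABE6"))
    for name, value in keys.items():
        print(name, value.hex().upper())
```

The point the derivation makes for the UI question: everything here starts from a master key and salt that both endpoints must already share. RFC 3711 says nothing about how they got it, which is exactly the job SDES or DTLS-SRTP does.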