Fabio Pietrosanti (naif)
lists at infosecurity.ch
Thu Feb 9 02:33:37 PST 2012
On 2/8/12 8:24 PM, Marc wrote:
> Have you ever heard of SRTP http://srtp.sourceforge.net/srtp.html
> and are there any security auditions or reviews about it ?
SRTP is the way to symmetrically encipher an RTP flow (that can carry
audio or video inside).
SRTP needs to be fed with a key, and different key exchanges exist:
- SDES (end-to-site key exchange within SIP/TLS enciphered channel)
- ZRTP (end-to-end encryption with Short Authentication String human
- MIKEY (uses x509v3 digital certificates)
So, ZRTP uses SRTP in the AES-CTR 256-bit mode while SDES uses SRTP in
the AES-CTR 128-bit mode.
The way you do the SRTP key exchange directly influences the "security
model" and the "threat model" that you would like to manage.
Example graphics on how the different key exchanges work:
- SDES http://www.privatewave.com/media/0/72847454125568/schema_2.jpg
- ZRTP http://www.privatewave.com/media/0/64694073876826/schema_1.jpg
The SRTP implementation you cited is the universally used one in almost
any commercial and open-source tool that needs to do encryption of RTP
flows.
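
Added example (not part of the original message and not libsrtp code): a small Python parser for the SDES `a=crypto` attribute as defined in RFC 4568, showing that the SRTP master key and salt travel inline in the SDP, so every signaling hop that terminates the SIP/TLS channel can read them. The function names, the sample SDP and the key bytes are constructed for illustration.

```python
import base64

# SDES crypto suites from RFC 4568: name -> (master key bytes, master salt bytes)
SUITES = {
    "AES_CM_128_HMAC_SHA1_80": (16, 14),
    "AES_CM_128_HMAC_SHA1_32": (16, 14),
}

def parse_sdes_crypto(line):
    """Parse one SDP 'a=crypto:' line and return the SRTP keying material it carries."""
    if not line.startswith("a=crypto:"):
        raise ValueError("not an SDES crypto attribute")
    fields = line[len("a=crypto:"):].split()
    if len(fields) < 3:
        raise ValueError("expected tag, crypto-suite and key-params")
    tag, suite, key_params = fields[0], fields[1], fields[2]
    if suite not in SUITES:
        raise ValueError("unsupported crypto suite: " + suite)
    # Several keys may be listed separated by ';'; this example reads the first.
    method, _, key_info = key_params.split(";")[0].partition(":")
    if method != "inline":
        raise ValueError("unsupported key method: " + method)
    # key-info is "<base64 key||salt>[|lifetime][|MKI:length]"
    blob = base64.b64decode(key_info.split("|")[0], validate=True)
    key_len, salt_len = SUITES[suite]
    if len(blob) != key_len + salt_len:
        raise ValueError("keying material has wrong length for suite")
    return {"tag": int(tag), "suite": suite,
            "master_key": blob[:key_len], "master_salt": blob[key_len:]}

def keys_visible_to_signaling_hop(sdp_lines):
    """Everything a SIP proxy that sees the decrypted SDP learns about SRTP keys."""
    return [parse_sdes_crypto(l) for l in sdp_lines if l.startswith("a=crypto:")]

# Constructed sample: key material is bytes 0..29, not a real key.
SAMPLE_KEY = bytes(range(30))
SAMPLE_SDP = [
    "v=0",
    "m=audio 49170 RTP/SAVP 0",
    "a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:"
    + base64.b64encode(SAMPLE_KEY).decode() + "|2^20",
]

if __name__ == "__main__":
    for k in keys_visible_to_signaling_hop(SAMPLE_SDP):
        print(k["tag"], k["suite"], k["master_key"].hex(), k["master_salt"].hex())
```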