1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
1001
1002
1003
1004
1005
1006
1007
1008
1009
1010
1011
1012
1013
1014
1015
1016
1017
1018
1019
1020
1021
1022
1023
1024
1025
1026
1027
1028
1029
1030
1031
1032
1033
1034
1035
1036
1037
1038
1039
1040
1041
1042
1043
1044
1045
1046
1047
1048
1049
1050
1051
1052
1053
1054
1055
1056
1057
1058
1059
1060
1061
1062
1063
1064
1065
1066
1067
1068
1069
1070
1071
1072
1073
1074
1075
1076
1077
1078
1079
1080
1081
1082
1083
1084
1085
1086
1087
1088
1089
1090
1091
1092
1093
1094
1095
1096
1097
1098
1099
1100
1101
1102
1103
1104
1105
1106
1107
1108
1109
1110
1111
1112
1113
1114
1115
1116
1117
1118
1119
1120
1121
1122
1123
1124
1125
1126
1127
1128
1129
1130
1131
1132
1133
1134
1135
1136
1137
1138
1139
1140
1141
1142
1143
1144
1145
1146
1147
1148
1149
1150
1151
1152
1153
1154
1155
1156
1157
1158
1159
1160
1161
1162
1163
1164
1165
1166
1167
1168
1169
1170
1171
1172
1173
1174
1175
1176
1177
1178
1179
1180
1181
1182
1183
1184
1185
1186
1187
1188
1189
1190
1191
1192
1193
1194
1195
1196
1197
1198
1199
1200
1201
1202
1203
1204
1205
1206
1207
1208
1209
1210
1211
1212
1213
1214
1215
1216
1217
1218
1219
1220
1221
1222
1223
1224
1225
1226
1227
1228
1229
1230
1231
1232
1233
1234
1235
1236
1237
1238
1239
1240
1241
1242
1243
1244
1245
1246
1247
1248
1249
1250
1251
1252
1253
1254
1255
1256
1257
1258
1259
1260
1261
1262
1263
1264
1265
1266
1267
1268
1269
1270
1271
1272
1273
1274
1275
1276
1277
1278
1279
1280
1281
1282
1283
1284
1285
1286
1287
1288
1289
1290
1291
1292
1293
1294
1295
1296
1297
1298
1299
1300
1301
1302
1303
1304
1305
1306
1307
1308
1309
1310
1311
1312
1313
1314
1315
1316
1317
1318
1319
1320
1321
1322
1323
1324
1325
1326
1327
1328
1329
1330
1331
1332
1333
1334
1335
1336
1337
1338
1339
1340
1341
1342
1343
1344
1345
1346
1347
1348
1349
1350
1351
1352
1353
1354
1355
1356
1357
1358
1359
1360
1361
1362
1363
1364
1365
1366
1367
1368
1369
1370
1371
1372
1373
1374
1375
1376
1377
1378
1379
1380
1381
1382
1383
1384
1385
1386
1387
1388
1389
1390
1391
1392
1393
1394
1395
1396
1397
1398
1399
1400
1401
1402
1403
1404
1405
1406
1407
1408
1409
1410
1411
1412
1413
1414
1415
1416
1417
1418
1419
1420
1421
1422
1423
1424
1425
1426
1427
1428
1429
1430
1431
1432
1433
1434
1435
1436
1437
1438
1439
1440
1441
1442
1443
1444
1445
1446
1447
1448
1449
1450
1451
1452
1453
1454
1455
1456
1457
1458
1459
1460
1461
1462
1463
1464
1465
1466
1467
1468
1469
1470
1471
1472
1473
1474
1475
1476
1477
1478
1479
1480
1481
1482
1483
1484
1485
1486
1487
1488
1489
1490
1491
1492
1493
1494
1495
1496
1497
1498
1499
1500
1501
1502
1503
1504
1505
1506
1507
1508
1509
1510
1511
1512
1513
1514
1515
1516
1517
1518
1519
1520
1521
1522
1523
1524
1525
1526
1527
1528
1529
1530
1531
1532
1533
1534
1535
1536
1537
1538
1539
1540
1541
1542
1543
1544
1545
1546
1547
1548
1549
1550
1551
1552
1553
1554
1555
1556
1557
1558
1559
1560
1561
1562
1563
1564
1565
1566
1567
1568
1569
1570
1571
1572
1573
1574
1575
1576
1577
1578
1579
1580
1581
1582
1583
1584
1585
1586
1587
1588
1589
1590
1591
1592
1593
1594
1595
1596
1597
1598
1599
1600
1601
1602
1603
1604
1605
1606
1607
1608
1609
1610
1611
1612
1613
1614
1615
1616
1617
1618
1619
1620
1621
1622
1623
1624
1625
1626
1627
1628
1629
1630
1631
1632
1633
1634
1635
1636
1637
1638
1639
1640
1641
1642
1643
1644
1645
1646
1647
1648
1649
1650
1651
1652
1653
1654
1655
1656
1657
1658
1659
1660
1661
1662
1663
1664
1665
1666
1667
1668
1669
1670
1671
1672
1673
1674
1675
1676
1677
1678
1679
1680
1681
1682
1683
1684
1685
1686
1687
1688
1689
1690
1691
1692
1693
1694
1695
1696
1697
1698
1699
1700
1701
1702
1703
1704
1705
1706
1707
1708
1709
1710
1711
1712
1713
1714
1715
1716
1717
1718
1719
1720
1721
1722
1723
1724
1725
1726
1727
1728
1729
1730
1731
1732
1733
1734
1735
1736
1737
1738
1739
1740
1741
1742
1743
1744
1745
1746
1747
1748
1749
1750
1751
1752
1753
1754
1755
1756
1757
1758
1759
1760
1761
1762
1763
1764
1765
1766
1767
1768
1769
1770
1771
1772
1773
1774
1775
1776
1777
1778
1779
1780
1781
1782
1783
1784
1785
1786
1787
1788
1789
1790
1791
1792
1793
1794
1795
1796
1797
1798
1799
1800
1801
1802
1803
1804
1805
1806
1807
1808
1809
1810
1811
1812
1813
1814
1815
1816
1817
1818
1819
1820
1821
1822
1823
1824
1825
1826
1827
1828
1829
1830
1831
1832
1833
1834
1835
1836
1837
1838
1839
1840
1841
1842
1843
1844
1845
1846
1847
1848
1849
1850
1851
1852
1853
1854
1855
1856
1857
1858
1859
1860
1861
1862
1863
1864
1865
1866
1867
1868
1869
1870
1871
1872
1873
1874
1875
1876
1877
1878
1879
1880
1881
1882
1883
1884
1885
1886
1887
1888
1889
1890
1891
1892
1893
1894
1895
1896
1897
1898
1899
1900
1901
1902
1903
1904
1905
1906
1907
1908
1909
1910
1911
1912
1913
1914
1915
1916
1917
1918
1919
1920
1921
1922
1923
1924
1925
1926
1927
1928
1929
1930
1931
1932
1933
1934
1935
1936
1937
1938
1939
1940
1941
1942
1943
1944
1945
1946
1947
1948
1949
1950
1951
1952
1953
1954
1955
1956
1957
1958
1959
1960
1961
1962
1963
1964
1965
1966
1967
1968
1969
1970
1971
1972
1973
1974
1975
1976
1977
1978
1979
1980
1981
1982
1983
1984
1985
1986
1987
1988
1989
1990
1991
1992
1993
1994
1995
1996
1997
1998
1999
2000
2001
2002
2003
2004
2005
2006
2007
2008
2009
2010
2011
2012
2013
2014
2015
2016
2017
2018
2019
2020
2021
2022
2023
2024
2025
2026
2027
2028
2029
2030
2031
2032
2033
2034
2035
2036
2037
2038
2039
2040
2041
2042
2043
2044
2045
2046
2047
2048
2049
2050
2051
2052
2053
2054
2055
2056
2057
2058
2059
2060
2061
2062
2063
2064
2065
2066
2067
2068
2069
|
<pre>Internet Engineering Task Force (IETF) M. Westerlund
Request for Comments: 7201 Ericsson
Category: Informational C. Perkins
ISSN: 2070-1721 University of Glasgow
April 2014
<span class="h1">Options for Securing RTP Sessions</span>
Abstract
The Real-time Transport Protocol (RTP) is used in a large number of
different application domains and environments. This heterogeneity
implies that different security mechanisms are needed to provide
services such as confidentiality, integrity, and source
authentication of RTP and RTP Control Protocol (RTCP) packets
suitable for the various environments. The range of solutions makes
it difficult for RTP-based application developers to pick the most
suitable mechanism. This document provides an overview of a number
of security solutions for RTP and gives guidance for developers on
how to choose the appropriate security mechanism.
Status of This Memo
This document is not an Internet Standards Track specification; it is
published for informational purposes.
This document is a product of the Internet Engineering Task Force
(IETF). It represents the consensus of the IETF community. It has
received public review and has been approved for publication by the
Internet Engineering Steering Group (IESG). Not all documents
approved by the IESG are a candidate for any level of Internet
Standard; see <a href="./rfc5741#section-2">Section 2 of RFC 5741</a>.
Information about the current status of this document, any errata,
and how to provide feedback on it may be obtained at
<a href="http://www.rfc-editor.org/info/rfc7201">http://www.rfc-editor.org/info/rfc7201</a>.
<span class="grey">Westerlund & Perkins Informational [Page 1]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-2" ></span>
<span class="grey"><a href="./rfc7201">RFC 7201</a> Options for Securing RTP Sessions April 2014</span>
Copyright Notice
Copyright (c) 2014 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to <a href="https://www.rfc-editor.org/bcp/bcp78">BCP 78</a> and the IETF Trust's Legal
Provisions Relating to IETF Documents
(<a href="http://trustee.ietf.org/license-info">http://trustee.ietf.org/license-info</a>) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
<span class="grey">Westerlund & Perkins Informational [Page 2]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-3" ></span>
<span class="grey"><a href="./rfc7201">RFC 7201</a> Options for Securing RTP Sessions April 2014</span>
Table of Contents
<a href="#section-1">1</a>. Introduction . . . . . . . . . . . . . . . . . . . . . . . . <a href="#page-4">4</a>
<a href="#section-2">2</a>. Background . . . . . . . . . . . . . . . . . . . . . . . . . <a href="#page-5">5</a>
<a href="#section-2.1">2.1</a>. Point-to-Point Sessions . . . . . . . . . . . . . . . . . <a href="#page-5">5</a>
<a href="#section-2.2">2.2</a>. Sessions Using an RTP Mixer . . . . . . . . . . . . . . . <a href="#page-5">5</a>
<a href="#section-2.3">2.3</a>. Sessions Using an RTP Translator . . . . . . . . . . . . <a href="#page-6">6</a>
<a href="#section-2.3.1">2.3.1</a>. Transport Translator (Relay) . . . . . . . . . . . . <a href="#page-6">6</a>
<a href="#section-2.3.2">2.3.2</a>. Gateway . . . . . . . . . . . . . . . . . . . . . . . <a href="#page-7">7</a>
<a href="#section-2.3.3">2.3.3</a>. Media Transcoder . . . . . . . . . . . . . . . . . . <a href="#page-8">8</a>
<a href="#section-2.4">2.4</a>. Any Source Multicast . . . . . . . . . . . . . . . . . . <a href="#page-8">8</a>
<a href="#section-2.5">2.5</a>. Source-Specific Multicast . . . . . . . . . . . . . . . . <a href="#page-8">8</a>
<a href="#section-3">3</a>. Security Options . . . . . . . . . . . . . . . . . . . . . . <a href="#page-10">10</a>
<a href="#section-3.1">3.1</a>. Secure RTP . . . . . . . . . . . . . . . . . . . . . . . <a href="#page-10">10</a>
<a href="#section-3.1.1">3.1.1</a>. Key Management for SRTP: DTLS-SRTP . . . . . . . . . <a href="#page-12">12</a>
<a href="#section-3.1.2">3.1.2</a>. Key Management for SRTP: MIKEY . . . . . . . . . . . <a href="#page-14">14</a>
<a href="#section-3.1.3">3.1.3</a>. Key Management for SRTP: Security Descriptions . . . <a href="#page-15">15</a>
<a href="#section-3.1.4">3.1.4</a>. Key Management for SRTP: Encrypted Key Transport . . <a href="#page-16">16</a>
<a href="#section-3.1.5">3.1.5</a>. Key Management for SRTP: ZRTP and Other Solutions . . <a href="#page-17">17</a>
<a href="#section-3.2">3.2</a>. RTP Legacy Confidentiality . . . . . . . . . . . . . . . <a href="#page-17">17</a>
<a href="#section-3.3">3.3</a>. IPsec . . . . . . . . . . . . . . . . . . . . . . . . . . <a href="#page-17">17</a>
<a href="#section-3.4">3.4</a>. RTP over TLS over TCP . . . . . . . . . . . . . . . . . . <a href="#page-18">18</a>
<a href="#section-3.5">3.5</a>. RTP over Datagram TLS (DTLS) . . . . . . . . . . . . . . <a href="#page-18">18</a>
<a href="#section-3.6">3.6</a>. Media Content Security/Digital Rights Management . . . . <a href="#page-19">19</a>
<a href="#section-3.6.1">3.6.1</a>. ISMA Encryption and Authentication . . . . . . . . . <a href="#page-19">19</a>
<a href="#section-4">4</a>. Securing RTP Applications . . . . . . . . . . . . . . . . . . <a href="#page-20">20</a>
<a href="#section-4.1">4.1</a>. Application Requirements . . . . . . . . . . . . . . . . <a href="#page-20">20</a>
<a href="#section-4.1.1">4.1.1</a>. Confidentiality . . . . . . . . . . . . . . . . . . . <a href="#page-20">20</a>
<a href="#section-4.1.2">4.1.2</a>. Integrity . . . . . . . . . . . . . . . . . . . . . . <a href="#page-21">21</a>
<a href="#section-4.1.3">4.1.3</a>. Source Authentication . . . . . . . . . . . . . . . . <a href="#page-22">22</a>
<a href="#section-4.1.4">4.1.4</a>. Identifiers and Identity . . . . . . . . . . . . . . <a href="#page-23">23</a>
<a href="#section-4.1.5">4.1.5</a>. Privacy . . . . . . . . . . . . . . . . . . . . . . . <a href="#page-24">24</a>
<a href="#section-4.2">4.2</a>. Application Structure . . . . . . . . . . . . . . . . . . <a href="#page-25">25</a>
<a href="#section-4.3">4.3</a>. Automatic Key Management . . . . . . . . . . . . . . . . <a href="#page-25">25</a>
<a href="#section-4.4">4.4</a>. End-to-End Security vs. Tunnels . . . . . . . . . . . . . <a href="#page-25">25</a>
<a href="#section-4.5">4.5</a>. Plaintext Keys . . . . . . . . . . . . . . . . . . . . . <a href="#page-26">26</a>
<a href="#section-4.6">4.6</a>. Interoperability . . . . . . . . . . . . . . . . . . . . <a href="#page-26">26</a>
<a href="#section-5">5</a>. Examples . . . . . . . . . . . . . . . . . . . . . . . . . . <a href="#page-26">26</a>
5.1. Media Security for SIP-Established Sessions Using
DTLS-SRTP . . . . . . . . . . . . . . . . . . . . . . . . <a href="#page-27">27</a>
<a href="#section-5.2">5.2</a>. Media Security for WebRTC Sessions . . . . . . . . . . . <a href="#page-27">27</a>
<a href="#section-5.3">5.3</a>. IP Multimedia Subsystem (IMS) Media Security . . . . . . <a href="#page-28">28</a>
<a href="#section-5.4">5.4</a>. 3GPP Packet-Switched Streaming Service (PSS) . . . . . . <a href="#page-29">29</a>
<a href="#section-5.5">5.5</a>. RTSP 2.0 . . . . . . . . . . . . . . . . . . . . . . . . <a href="#page-30">30</a>
<a href="#section-6">6</a>. Security Considerations . . . . . . . . . . . . . . . . . . . <a href="#page-31">31</a>
<a href="#section-7">7</a>. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . <a href="#page-31">31</a>
<a href="#section-8">8</a>. Informative References . . . . . . . . . . . . . . . . . . . <a href="#page-31">31</a>
<span class="grey">Westerlund & Perkins Informational [Page 3]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-4" ></span>
<span class="grey"><a href="./rfc7201">RFC 7201</a> Options for Securing RTP Sessions April 2014</span>
<span class="h2"><a class="selflink" id="section-1" href="#section-1">1</a>. Introduction</span>
The Real-time Transport Protocol (RTP) [<a href="./rfc3550" title=""RTP: A Transport Protocol for Real-Time Applications"">RFC3550</a>] is widely used in a
large variety of multimedia applications, including Voice over IP
(VoIP), centralized multimedia conferencing, sensor data transport,
and Internet television (IPTV) services. These applications can
range from point-to-point phone calls, through centralized group
teleconferences, to large-scale television distribution services.
The types of media can vary significantly, as can the signaling
methods used to establish the RTP sessions.
So far, this multidimensional heterogeneity has prevented development
of a single security solution that meets the needs of the different
applications. Instead, a significant number of different solutions
have been developed to meet different sets of security goals. This
makes it difficult for application developers to know what solutions
exist and whether their properties are appropriate. This memo gives
an overview of the available RTP solutions and provides guidance on
their applicability for different application domains. It also
attempts to provide an indication of actual and intended usage at the
time of writing as additional input to help with considerations such
as interoperability, availability of implementations, etc. The
guidance provided is not exhaustive, and this memo does not provide
normative recommendations.
It is important that application developers consider the security
goals and requirements for their application. The IETF considers it
important that protocols implement secure modes of operation and
makes them available to users [<a href="./rfc3365" title=""Strong Security Requirements for Internet Engineering Task Force Standard Protocols"">RFC3365</a>]. Because of the
heterogeneity of RTP applications and use cases, however, a single
security solution cannot be mandated [<a href="./rfc7202" title=""Securing the RTP Protocol Framework: Why RTP Does Not Mandate a Single Media Security Solution"">RFC7202</a>]. Instead, application
developers need to select mechanisms that provide appropriate
security for their environment. It is strongly encouraged that
common mechanisms be used by related applications in common
environments. The IETF publishes guidelines for specific classes of
applications, so it is worth searching for such guidelines.
The remainder of this document is structured as follows. <a href="#section-2">Section 2</a>
provides additional background. <a href="#section-3">Section 3</a> outlines the available
security mechanisms at the time of this writing and lists their key
security properties and constraints. <a href="#section-4">Section 4</a> provides guidelines
and important aspects to consider when securing an RTP application.
Finally, in <a href="#section-5">Section 5</a>, we give some examples of application domains
where guidelines for security exist.
<span class="grey">Westerlund & Perkins Informational [Page 4]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-5" ></span>
<span class="grey"><a href="./rfc7201">RFC 7201</a> Options for Securing RTP Sessions April 2014</span>
<span class="h2"><a class="selflink" id="section-2" href="#section-2">2</a>. Background</span>
RTP can be used in a wide variety of topologies due to its support
for point-to-point sessions, multicast groups, and other topologies
built around different types of RTP middleboxes. In the following,
we review the different topologies supported by RTP to understand
their implications for the security properties and trust relations
that can exist in RTP sessions.
<span class="h3"><a class="selflink" id="section-2.1" href="#section-2.1">2.1</a>. Point-to-Point Sessions</span>
The most basic use case is two directly connected endpoints, shown in
Figure 1, where A has established an RTP session with B. In this
case, the RTP security is primarily about ensuring that any third
party be unable to compromise the confidentiality and integrity of
the media communication. This requires confidentiality protection of
the RTP session, integrity protection of the RTP/RTCP packets, and
source authentication of all the packets to ensure no man-in-the-
middle (MITM) attack is taking place.
The source authentication can also be tied to a user or an endpoint's
verifiable identity to ensure that the peer knows with whom they are
communicating. Here, the combination of the security protocol
protecting the RTP session (and, hence, the RTP and RTCP traffic) and
the key management protocol becomes important to determine what
security claims can be made.
+---+ +---+
| A |<------->| B |
+---+ +---+
Figure 1: Point-to-Point Topology
<span class="h3"><a class="selflink" id="section-2.2" href="#section-2.2">2.2</a>. Sessions Using an RTP Mixer</span>
An RTP mixer is an RTP session-level middlebox around which one can
build a multiparty RTP-based conference. The RTP mixer might
actually perform media mixing, like mixing audio or compositing video
images into a new media stream being sent from the mixer to a given
participant, or it might provide a conceptual stream; for example,
the video of the current active speaker. From a security point of
view, the important features of an RTP mixer are that it generates a
new media stream, has its own source identifier, and does not simply
forward the original media.
<span class="grey">Westerlund & Perkins Informational [Page 5]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-6" ></span>
<span class="grey"><a href="./rfc7201">RFC 7201</a> Options for Securing RTP Sessions April 2014</span>
An RTP session using a mixer might have a topology like that in
Figure 2. In this example, participants A through D each send
unicast RTP traffic to the RTP mixer, and receive an RTP stream from
the mixer, comprising a mixture of the streams from the other
participants.
+---+ +------------+ +---+
| A |<---->| |<---->| B |
+---+ | | +---+
| Mixer |
+---+ | | +---+
| C |<---->| |<---->| D |
+---+ +------------+ +---+
Figure 2: Example RTP Mixer Topology
A consequence of an RTP mixer having its own source identifier and
acting as an active participant towards the other endpoints is that
the RTP mixer needs to be a trusted device that has access to the
security context(s) established. The RTP mixer can also become a
security-enforcing entity. For example, a common approach to secure
the topology in Figure 2 is to establish a security context between
the mixer and each participant independently and have the mixer
source authenticate each peer. The mixer then ensures that one
participant cannot impersonate another.
<span class="h3"><a class="selflink" id="section-2.3" href="#section-2.3">2.3</a>. Sessions Using an RTP Translator</span>
RTP translators are middleboxes that provide various levels of
in-network media translation and transcoding. Their security
properties vary widely, depending on which type of operations they
attempt to perform. We identify and discuss three different
categories of RTP translators: transport translators, gateways, and
media transcoders.
<span class="h4"><a class="selflink" id="section-2.3.1" href="#section-2.3.1">2.3.1</a>. Transport Translator (Relay)</span>
A transport translator [<a href="./rfc5117" title=""RTP Topologies"">RFC5117</a>] operates on a level below RTP and
RTCP. It relays the RTP/RTCP traffic from one endpoint to one or
more other addresses. This can be done based only on IP addresses
and transport protocol ports, and each receive port on the translator
can have a very basic list of where to forward traffic. Transport
translators also need to implement ingress filtering to prevent
random traffic from being forwarded that isn't coming from a
participant in the conference.
Figure 3 shows an example transport translator, where traffic from
any one of the four participants will be forwarded to the other three
<span class="grey">Westerlund & Perkins Informational [Page 6]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-7" ></span>
<span class="grey"><a href="./rfc7201">RFC 7201</a> Options for Securing RTP Sessions April 2014</span>
participants unchanged. The resulting topology is very similar to an
Any Source Multicast (ASM) session (as discussed in <a href="#section-2.4">Section 2.4</a>) but
is implemented at the application layer.
+---+ +------------+ +---+
| A |<---->| |<---->| B |
+---+ | Relay | +---+
| Translator |
+---+ | | +---+
| C |<---->| |<---->| D |
+---+ +------------+ +---+
Figure 3: RTP Relay Translator Topology
A transport translator can often operate without needing access to
the security context, as long as the security mechanism does not
provide protection over the transport-layer information. A transport
translator does, however, make the group communication visible and,
thus, can complicate keying and source authentication mechanisms.
This is further discussed in <a href="#section-2.4">Section 2.4</a>.
<span class="h4"><a class="selflink" id="section-2.3.2" href="#section-2.3.2">2.3.2</a>. Gateway</span>
Gateways are deployed when the endpoints are not fully compatible.
Figure 4 shows an example topology. The functions a gateway provides
can be diverse and range from transport-layer relaying between two
domains not allowing direct communication, via transport or media
protocol function initiation or termination, to protocol- or media-
encoding translation. The supported security protocol might even be
one of the reasons a gateway is needed.
+---+ +-----------+ +---+
| A |<---->| Gateway |<---->| B |
+---+ +-----------+ +---+
Figure 4: RTP Gateway Topology
The choice of security protocol, and the details of the gateway
function, will determine if the gateway needs to be trusted with
access to the application security context. Many gateways need to be
trusted by all peers to perform the translation; in other cases, some
or all peers might not be aware of the presence of the gateway. The
security protocols have different properties depending on the degree
of trust and visibility needed. Ensuring communication is possible
without trusting the gateway can be a strong incentive for accepting
different security properties. Some security solutions will be able
to detect the gateways as manipulating the media stream, unless the
gateway is a trusted device.
<span class="grey">Westerlund & Perkins Informational [Page 7]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-8" ></span>
<span class="grey"><a href="./rfc7201">RFC 7201</a> Options for Securing RTP Sessions April 2014</span>
<span class="h4"><a class="selflink" id="section-2.3.3" href="#section-2.3.3">2.3.3</a>. Media Transcoder</span>
A media transcoder is a special type of gateway device that changes
the encoding of the media being transported by RTP. The discussion
in <a href="#section-2.3.2">Section 2.3.2</a> applies. A media transcoder alters the media data
and, thus, needs to be trusted with access to the security context.
<span class="h3"><a class="selflink" id="section-2.4" href="#section-2.4">2.4</a>. Any Source Multicast</span>
Any Source Multicast [<a href="./rfc1112" title=""Host extensions for IP multicasting"">RFC1112</a>] is the original multicast model where
any multicast group participant can send to the multicast group and
get their packets delivered to all group members (see Figure 5).
This form of communication has interesting security properties due to
the many-to-many nature of the group. Source authentication is
important, but all participants with access to the group security
context will have the necessary secrets to decrypt and verify the
integrity of the traffic. Thus, use of any group security context
fails if the goal is to separate individual sources; alternate
solutions are needed.
+-----+
+---+ / \ +---+
| A |----/ \---| B |
+---+ / \ +---+
+ Multicast +
+---+ \ Network / +---+
| C |----\ /---| D |
+---+ \ / +---+
+-----+
Figure 5: Any Source Multicast (ASM) Group
In addition, the potential large size of multicast groups creates
some considerations for the scalability of the solution and how the
key management is handled.
<span class="h3"><a class="selflink" id="section-2.5" href="#section-2.5">2.5</a>. Source-Specific Multicast</span>
Source-Specific Multicast (SSM) [<a href="./rfc4607" title=""Source-Specific Multicast for IP"">RFC4607</a>] allows only a specific
endpoint to send traffic to the multicast group, irrespective of the
number of RTP media sources. The endpoint is known as the media
distribution source. For the RTP session to function correctly with
RTCP over an SSM session, extensions have been defined in [<a href="./rfc5760" title=""RTP Control Protocol (RTCP) Extensions for Single-Source Multicast Sessions with Unicast Feedback"">RFC5760</a>].
Figure 6 shows a sample SSM-based RTP session where several media
sources, MS1...MSm, all send media to a distribution source, which
then forwards the media data to the SSM group for delivery to the
receivers, R1...Rn, and the feedback targets, FT1...FTn. RTCP
reception quality feedback is sent unicast from each receiver to one
<span class="grey">Westerlund & Perkins Informational [Page 8]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-9" ></span>
<span class="grey"><a href="./rfc7201">RFC 7201</a> Options for Securing RTP Sessions April 2014</span>
of the feedback targets. The feedback targets aggregate reception
quality feedback and forward it upstream towards the distribution
source. The distribution source forwards (possibly aggregated and
summarized) reception feedback to the SSM group and back to the
original media sources. The feedback targets are also members of the
SSM group and receive the media data, so they can send unicast repair
data to the receivers in response to feedback if appropriate.
+-----+ +-----+ +-----+
| MS1 | | MS2 | .... | MSm |
+-----+ +-----+ +-----+
^ ^ ^
| | |
V V V
+---------------------------------+
| Distribution Source |
+--------+ |
| FT Agg | |
+--------+------------------------+
^ ^ |
: . |
: +...................+
: | .
: / \ .
+------+ / \ +-----+
| FT1 |<----+ +----->| FT2 |
+------+ / \ +-----+
^ ^ / \ ^ ^
: : / \ : :
: : / \ : :
: : / \ : :
: ./\ /\. :
: /. \ / .\ :
: V . V V . V :
+----+ +----+ +----+ +----+
| R1 | | R2 | ... |Rn-1| | Rn |
+----+ +----+ +----+ +----+
Figure 6: Example SSM-Based RTP Session with Two Feedback Targets
The use of SSM makes it more difficult to inject traffic into the
multicast group, but not impossible. Source authentication
requirements apply for SSM sessions, too; an individual verification
of who sent the RTP and RTCP packets is needed. An RTP session using
SSM will have a group security context that includes the media
sources, distribution source, feedback targets, and the receivers.
Each has a different role and will be trusted to perform different
actions. For example, the distribution source will need to
<span class="grey">Westerlund & Perkins Informational [Page 9]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-10" ></span>
<span class="grey"><a href="./rfc7201">RFC 7201</a> Options for Securing RTP Sessions April 2014</span>
authenticate the media sources to prevent unwanted traffic from being
distributed via the SSM group. Similarly, the receivers need to
authenticate both the distribution source and their feedback target
to prevent injection attacks from malicious devices claiming to be
feedback targets. An understanding of the trust relationships and
group security context is needed between all components of the
system.
<span class="h2"><a class="selflink" id="section-3" href="#section-3">3</a>. Security Options</span>
This section provides an overview of security requirements and the
current RTP security mechanisms that implement those requirements.
This cannot be a complete survey, since new security mechanisms are
defined regularly. The goal is to help applications designers by
reviewing the types of solutions that are available. This section
will use a number of different security-related terms, as described
in the Internet Security Glossary, Version 2 [<a href="./rfc4949" title=""Internet Security Glossary, Version 2"">RFC4949</a>].
<span class="h3"><a class="selflink" id="section-3.1" href="#section-3.1">3.1</a>. Secure RTP</span>
The Secure Real-time Transport Protocol (SRTP) [<a href="./rfc3711" title=""The Secure Real-time Transport Protocol (SRTP)"">RFC3711</a>] is one of
the most commonly used mechanisms to provide confidentiality,
integrity protection, source authentication, and replay protection
for RTP. SRTP was developed with RTP header compression and third-
party monitors in mind. Thus, the RTP header is not encrypted in RTP
data packets, and the first 8 bytes of the first RTCP packet header
in each compound RTCP packet are not encrypted. The entirety of RTP
packets and compound RTCP packets are integrity protected. This
allows RTP header compression to work and lets third-party monitors
determine what RTP traffic flows exist based on the synchronization
source (SSRC) fields, but it protects the sensitive content.
SRTP works with transforms where different combinations of encryption
algorithm, authentication algorithm, and pseudorandom function can be
used, and the authentication tag length can be set to any value.
SRTP can also be easily extended with additional cryptographic
transforms. This gives flexibility but requires more security
knowledge by the application developer. To simplify things, Session
Description Protocol (SDP) security descriptions (see <a href="#section-3.1.3">Section 3.1.3</a>)
and Datagram Transport Layer Security Extension for SRTP (DTLS-SRTP)
(see <a href="#section-3.1.1">Section 3.1.1</a>) use predefined combinations of transforms, known
as SRTP crypto suites and SRTP protection profiles, that bundle
together transforms and other parameters, making them easier to use
but reducing flexibility. The Multimedia Internet Keying (MIKEY)
protocol (see <a href="#section-3.1.2">Section 3.1.2</a>) provides flexibility to negotiate the
full selection of transforms. At the time of this writing, the
following transforms, SRTP crypto suites, and SRTP protection
profiles are defined or under definition:
<span class="grey">Westerlund & Perkins Informational [Page 10]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-11" ></span>
<span class="grey"><a href="./rfc7201">RFC 7201</a> Options for Securing RTP Sessions April 2014</span>
AES-CM and HMAC-SHA-1: AES Counter Mode encryption with 128-bit keys
combined with 160-bit keyed HMAC-SHA-1 with an 80-bit
authentication tag. This is the default cryptographic transform
that needs to be supported. The transforms are defined in SRTP
[<a href="./rfc3711" title=""The Secure Real-time Transport Protocol (SRTP)"">RFC3711</a>], with the corresponding SRTP crypto suite defined in
[<a href="./rfc4568" title=""Session Description Protocol (SDP) Security Descriptions for Media Streams"">RFC4568</a>] and SRTP protection profile defined in [<a href="./rfc5764" title=""Datagram Transport Layer Security (DTLS) Extension to Establish Keys for the Secure Real-time Transport Protocol (SRTP)"">RFC5764</a>].
AES-f8 and HMAC-SHA-1: AES f8-mode encryption using 128-bit keys
combined with keyed HMAC-SHA-1 using 80-bit authentication. The
transforms are defined in [<a href="./rfc3711" title=""The Secure Real-time Transport Protocol (SRTP)"">RFC3711</a>], with the corresponding SRTP
crypto suite defined in [<a href="./rfc4568" title=""Session Description Protocol (SDP) Security Descriptions for Media Streams"">RFC4568</a>]. The corresponding SRTP
protection profile is not defined.
SEED: A Korean national standard cryptographic transform that is
defined to be used with SRTP in [<a href="./rfc5669" title=""The SEED Cipher Algorithm and Its Use with the Secure Real- Time Transport Protocol (SRTP)"">RFC5669</a>]. Three options are
defined: one using SHA-1 authentication, one using Counter Mode
with Cipher Block Chaining Message Authentication Code (CBC-MAC),
and one using Galois Counter Mode.
ARIA: A Korean block cipher [<a href="#ref-ARIA-SRTP" title=""The ARIA Algorithm and Its Use with the Secure Real-time Transport Protocol(SRTP)"">ARIA-SRTP</a>] that supports 128-, 192-,
and 256-bit keys. It also defines three options: Counter Mode
where combined with HMAC-SHA-1 with 80- or 32-bit authentication
tags, Counter Mode with CBC-MAC, and Galois Counter Mode. It also
defines a different key derivation function than the AES-based
systems.
AES-192-CM and AES-256-CM: Cryptographic transforms for SRTP based
on AES-192 and AES-256 Counter Mode encryption and 160-bit keyed
HMAC-SHA-1 with 80- and 32-bit authentication tags. These provide
192- and 256-bit encryption keys, but otherwise match the default
128-bit AES-CM transform. The transforms are defined in [<a href="./rfc3711" title=""The Secure Real-time Transport Protocol (SRTP)"">RFC3711</a>]
and [<a href="./rfc6188" title=""The Use of AES-192 and AES-256 in Secure RTP"">RFC6188</a>], and the SRTP crypto suites are defined in
[<a href="./rfc6188" title=""The Use of AES-192 and AES-256 in Secure RTP"">RFC6188</a>].
AES-GCM and AES-CCM: AES Galois Counter Mode and AES Counter Mode
with CBC-MAC for AES-128 and AES-256. This authentication is
included in the cipher text, which becomes expanded with the
length of the authentication tag instead of using the SRTP
authentication tag. This is defined in [<a href="#ref-AES-GCM" title=""AES-GCM and AES-CCM Authenticated Encryption in Secure RTP (SRTP)"">AES-GCM</a>].
NULL: SRTP [<a href="./rfc3711" title=""The Secure Real-time Transport Protocol (SRTP)"">RFC3711</a>] also provides a NULL cipher that can be used
when no confidentiality for RTP/RTCP is requested. The
corresponding SRTP protection profile is defined in [<a href="./rfc5764" title=""Datagram Transport Layer Security (DTLS) Extension to Establish Keys for the Secure Real-time Transport Protocol (SRTP)"">RFC5764</a>].
The source authentication guarantees provided by SRTP depend on the
cryptographic transform and key management used. Some transforms
give strong source authentication even in multiparty sessions; others
give weaker guarantees and can authenticate group membership but not
<span class="grey">Westerlund & Perkins Informational [Page 11]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-12" ></span>
<span class="grey"><a href="./rfc7201">RFC 7201</a> Options for Securing RTP Sessions April 2014</span>
sources. Timed Efficient Stream Loss-Tolerant Authentication (TESLA)
[<a href="./rfc4383" title=""The Use of Timed Efficient Stream Loss-Tolerant Authentication (TESLA) in the Secure Real-time Transport Protocol (SRTP)"">RFC4383</a>] offers a complement to the regular symmetric keyed
authentication transforms, like HMAC-SHA-1, and can provide
per-source authentication in some group communication scenarios. The
downside is the need for buffering the packets for a while before
authenticity can be verified.
[<a id="ref-RFC4771">RFC4771</a>] defines a variant of the authentication tag that enables a
receiver to obtain the Roll over Counter for the RTP sequence number
that is part of the Initialization Vector (IV) for many cryptographic
transforms. This enables quicker and easier options for joining a
long-lived RTP group; for example, a broadcast session.
RTP header extensions are normally carried in the clear and are only
integrity protected in SRTP. This can be problematic in some cases,
so [<a href="./rfc6904" title=""Encryption of Header Extensions in the Secure Real-time Transport Protocol (SRTP)"">RFC6904</a>] defines an extension to also encrypt selected header
extensions.
SRTP is specified and deployed in a number of RTP usage contexts;
significant support is provided in SIP-established VoIP clients,
including IP Multimedia Subsystems (IMS), and in the Real Time
Streaming Protocol (RTSP) [<a href="#ref-RTSP" title=""Real Time Streaming Protocol 2.0 (RTSP)"">RTSP</a>] and RTP-based media streaming.
Thus, SRTP in general is widely deployed. When it comes to
cryptographic transforms, the default (AES-CM and HMAC-SHA-1) is the
most commonly used, but it might be expected that AES-GCM,
AES-192-CM, and AES-256-CM will gain usage in future, especially due
to the AES- and GCM-specific instructions in new CPUs.
SRTP does not contain an integrated key management solution; instead,
it relies on an external key management protocol. There are several
protocols that can be used. The following sections outline some
popular schemes.
<span class="h4"><a class="selflink" id="section-3.1.1" href="#section-3.1.1">3.1.1</a>. Key Management for SRTP: DTLS-SRTP</span>
A Datagram Transport Layer Security (DTLS) extension exists for
establishing SRTP keys [<a href="./rfc5763" title=""Framework for Establishing a Secure Real-time Transport Protocol (SRTP) Security Context Using Datagram Transport Layer Security (DTLS)"">RFC5763</a>][RFC5764]. This extension provides
secure key exchange between two peers, enabling Perfect Forward
Secrecy (PFS) and binding strong identity verification to an
endpoint. PFS is a property of the key agreement protocol that
ensures that a session key derived from a set of long-term keys will
not be compromised if one of the long-term keys is compromised in the
future. The default key generation will generate a key that contains
material contributed by both peers. The key exchange happens in the
media plane directly between the peers. The common key exchange
procedures will take two round trips assuming no losses. Transport
Layer Security (TLS) resumption can be used when establishing
additional media streams with the same peer, and it reduces the setup
<span class="grey">Westerlund & Perkins Informational [Page 12]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-13" ></span>
<span class="grey"><a href="./rfc7201">RFC 7201</a> Options for Securing RTP Sessions April 2014</span>
time to one RTT for these streams (see [<a href="./rfc5764" title=""Datagram Transport Layer Security (DTLS) Extension to Establish Keys for the Secure Real-time Transport Protocol (SRTP)"">RFC5764</a>] for a discussion of
TLS resumption in this context).
The actual security properties of an established SRTP session using
DTLS will depend on the cipher suites offered and used, as well as
the mechanism for identifying the endpoints of the handshake. For
example, some cipher suites provide PFS, while others do not. When
using DTLS, the application designer needs to select which cipher
suites DTLS-SRTP can offer and accept so that the desired security
properties are achieved. The next choice is how to verify the
identity of the peer endpoint. One choice can be to rely on the
certificates and use a PKI to verify them to make an identity
assertion. However, this is not the most common way; instead, self-
signed certificates are common to use to establish trust through
signaling or other third-party solutions.
DTLS-SRTP key management can use the signaling protocol in four ways:
First, to agree on using DTLS-SRTP for media security. Second, to
determine the network location (address and port) where each side is
running a DTLS listener to let the parts perform the key management
handshakes that generate the keys used by SRTP. Third, to exchange
hashes of each side's certificates to bind these to the signaling and
ensure there is no MITM attack. This assumes that one can trust the
signaling solution to be resistant to modification and not be in
collaboration with an attacker. Finally, to provide an asserted
identity, e.g., [<a href="./rfc4474" title=""Enhancements for Authenticated Identity Management in the Session Initiation Protocol (SIP)"">RFC4474</a>], that can be used to prevent modification
of the signaling and the exchange of certificate hashes. That way,
it enables binding between the key exchange and the signaling.
This usage is well defined for SIP/SDP in [<a href="./rfc5763" title=""Framework for Establishing a Secure Real-time Transport Protocol (SRTP) Security Context Using Datagram Transport Layer Security (DTLS)"">RFC5763</a>] and, in most
cases, can be adopted for use with other bidirectional signaling
solutions. It is to be noted that there is work underway to revisit
the SIP Identity mechanism [<a href="./rfc4474" title=""Enhancements for Authenticated Identity Management in the Session Initiation Protocol (SIP)"">RFC4474</a>] in the IETF STIR working group.
The main question regarding DTLS-SRTP's security properties is how
one verifies any peer identity or at least prevents MITM attacks.
This does require trust in some DTLS-SRTP external parties: either a
PKI, a signaling system, or some identity provider.
DTLS-SRTP usage is clearly on the rise. It is mandatory to support
in Web Real-Time Communication (WebRTC). It has growing support
among SIP endpoints. DTLS-SRTP was developed in IETF primarily to
meet security requirements for RTP-based media established using SIP.
The requirements considered can be reviewed in "Requirements and
Analysis of Media Security Management Protocols" [<a href="./rfc5479" title=""Requirements and Analysis of Media Security Management Protocols"">RFC5479</a>].
<span class="grey">Westerlund & Perkins Informational [Page 13]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-14" ></span>
<span class="grey"><a href="./rfc7201">RFC 7201</a> Options for Securing RTP Sessions April 2014</span>
<span class="h4"><a class="selflink" id="section-3.1.2" href="#section-3.1.2">3.1.2</a>. Key Management for SRTP: MIKEY</span>
Multimedia Internet Keying (MIKEY) [<a href="./rfc3830" title=""MIKEY: Multimedia Internet KEYing"">RFC3830</a>] is a keying protocol
that has several modes with different properties. MIKEY can be used
in point-to-point applications using SIP and RTSP (e.g., VoIP calls)
but is also suitable for use in broadcast and multicast applications
and centralized group communications.
MIKEY can establish multiple security contexts or cryptographic
sessions with a single message. It is usable in scenarios where one
entity generates the key and needs to distribute the key to a number
of participants. The different modes and the resulting properties
are highly dependent on the cryptographic method used to establish
the session keys actually used by the security protocol, like SRTP.
MIKEY has the following modes of operation:
Pre-Shared Key: Uses a pre-shared secret for symmetric key crypto
used to secure a keying message carrying the already-generated
session key. This system is the most efficient from the
perspective of having small messages and processing demands. The
downside is scalability, where usually the effort for the
provisioning of pre-shared keys is only manageable if the number
of endpoints is small.
Public Key Encryption: Uses a public key crypto to secure a keying
message carrying the already-generated session key. This is more
resource intensive but enables scalable systems. It does require
a public key infrastructure to enable verification.
Diffie-Hellman: Uses Diffie-Hellman key agreement to generate the
session key, thus providing perfect forward secrecy. The downside
is high resource consumption in bandwidth and processing during
the MIKEY exchange. This method can't be used to establish group
keys as each pair of peers performing the MIKEY exchange will
establish different keys.
HMAC-Authenticated Diffie-Hellman: [<a href="./rfc4650" title=""HMAC-Authenticated Diffie-Hellman for Multimedia Internet KEYing (MIKEY)"">RFC4650</a>] defines a variant of
the Diffie-Hellman exchange that uses a pre-shared key in a keyed
Hashed Message Authentication Code (HMAC) to verify authenticity
of the keying material instead of a digital signature as in the
previous method. This method is still restricted to
point-to-point usage.
RSA-R: MIKEY-RSA in Reverse mode [<a href="./rfc4738" title=""MIKEY- RSA-R: An Additional Mode of Key Distribution in Multimedia Internet KEYing (MIKEY)"">RFC4738</a>] is a variant of the
public key method, which doesn't rely on the initiator of the key
exchange knowing the responder's certificate. This method lets
both the initiator and the responder specify the session keying
<span class="grey">Westerlund & Perkins Informational [Page 14]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-15" ></span>
<span class="grey"><a href="./rfc7201">RFC 7201</a> Options for Securing RTP Sessions April 2014</span>
material depending on the use case. Usage of this mode requires
one round-trip time.
TICKET: Ticket Payload (TICKET) [<a href="./rfc6043" title=""MIKEY-TICKET: Ticket-Based Modes of Key Distribution in Multimedia Internet KEYing (MIKEY)"">RFC6043</a>] is a MIKEY extension using
a trusted centralized key management service (KMS). The initiator
and responder do not share any credentials; instead, they trust a
third party, the KMS, with which they both have or can establish
shared credentials.
IBAKE: Identity-Based Authenticated Key Exchange (IBAKE) [<a href="./rfc6267" title=""MIKEY-IBAKE: Identity-Based Authenticated Key Exchange (IBAKE) Mode of Key Distribution in Multimedia Internet KEYing (MIKEY)"">RFC6267</a>]
uses a KMS infrastructure but with lower demand on the KMS. It
claims to provide both perfect forward and backwards secrecy.
SAKKE: [<a href="./rfc6509" title=""MIKEY-SAKKE: Sakai-Kasahara Key Encryption in Multimedia Internet KEYing (MIKEY)"">RFC6509</a>] provides Sakai-Kasahara Key Encryption (SAKKE) in
MIKEY. It is based on Identity-based Public Key Cryptography and
a KMS infrastructure to establish a shared secret value and
certificateless signatures to provide source authentication. Its
features include simplex transmission, scalability, low-latency
call setup, and support for secure deferred delivery.
MIKEY messages have several different transports. [<a href="./rfc4567" title=""Key Management Extensions for Session Description Protocol (SDP) and Real Time Streaming Protocol (RTSP)"">RFC4567</a>] defines
how MIKEY messages can be embedded in general SDP for usage with the
signaling protocols SIP, Session Announcement Protocol (SAP), and
RTSP. There also exists a usage of MIKEY defined by the Third
Generation Partnership Project (3GPP) that sends MIKEY messages
directly over UDP [<a href="#ref-T3GPP.33.246">T3GPP.33.246</a>] to key the receivers of Multimedia
Broadcast and Multicast Service (MBMS) [<a href="#ref-T3GPP.26.346">T3GPP.26.346</a>]. [<a href="./rfc3830" title=""MIKEY: Multimedia Internet KEYing"">RFC3830</a>]
defines the application/mikey media type, allowing MIKEY to be used
in, e.g., email and HTTP.
Based on the many choices, it is important to consider the properties
needed in one's solution and based on that evaluate which modes are
candidates for use. More information on the applicability of the
different MIKEY modes can be found in [<a href="./rfc5197" title=""On the Applicability of Various Multimedia Internet KEYing (MIKEY) Modes and Extensions"">RFC5197</a>].
MIKEY with pre-shared keys is used by 3GPP MBMS [<a href="#ref-T3GPP.33.246">T3GPP.33.246</a>], and
IMS media security [<a href="#ref-T3GPP.33.328">T3GPP.33.328</a>] specifies the use of the TICKET
mode transported over SIP and HTTP. RTSP 2.0 [<a href="#ref-RTSP" title=""Real Time Streaming Protocol 2.0 (RTSP)"">RTSP</a>] specifies use of
the RSA-R mode. There are some SIP endpoints that support MIKEY.
The modes they use are unknown to the authors.
<span class="h4"><a class="selflink" id="section-3.1.3" href="#section-3.1.3">3.1.3</a>. Key Management for SRTP: Security Descriptions</span>
[<a id="ref-RFC4568">RFC4568</a>] provides a keying solution based on sending plaintext keys
in SDP [<a href="./rfc4566" title=""SDP: Session Description Protocol"">RFC4566</a>]. It is primarily used with SIP and the SDP Offer/
Answer model and is well defined in point-to-point sessions where
each side declares its own unique key. Using security descriptions
to establish group keys is less well defined and can have security
<span class="grey">Westerlund & Perkins Informational [Page 15]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-16" ></span>
<span class="grey"><a href="./rfc7201">RFC 7201</a> Options for Securing RTP Sessions April 2014</span>
issues since it's difficult to guarantee unique SSRCs (as needed to
avoid a "two-time pad" attack -- see <a href="./rfc3711#section-9">Section 9 of [RFC3711]</a>).
Since keys are transported in plaintext in SDP, they can easily be
intercepted unless the SDP carrying protocol provides strong
end-to-end confidentiality and authentication guarantees. This is
not normally the case; instead, hop-by-hop security is provided
between signaling nodes using TLS. This leaves the keying material
sensitive to capture by the traversed signaling nodes. Thus, in most
cases, the security properties of security descriptions are weak.
The usage of security descriptions usually requires additional
security measures; for example, the signaling nodes are trusted and
protected by strict access control. Usage of security descriptions
requires careful design in order to ensure that the security goals
can be met.
Security descriptions are the most commonly deployed keying solution
for SIP-based endpoints, where almost all endpoints that support SRTP
also support security descriptions. It is also used for access
protection in IMS Media Security [<a href="#ref-T3GPP.33.328">T3GPP.33.328</a>].
<span class="h4"><a class="selflink" id="section-3.1.4" href="#section-3.1.4">3.1.4</a>. Key Management for SRTP: Encrypted Key Transport</span>
Encrypted Key Transport (EKT) [<a href="#ref-EKT" title=""Encrypted Key Transport for Secure RTP"">EKT</a>] is an SRTP extension that enables
group keying despite using a keying mechanism like DTLS-SRTP that
doesn't support group keys. It is designed for centralized
conferencing, but it can also be used in sessions where endpoints
connect to a conference bridge or a gateway and need to be
provisioned with the keys each participant on the bridge or gateway
uses to avoid decryption and encryption cycles. This can enable
interworking between DTLS-SRTP and other keying systems where either
party can set the key (e.g., interworking with security
descriptions).
The mechanism is based on establishing an additional EKT key, which
everyone uses to protect their actual session key. The actual
session key is sent in an expanded authentication tag to the other
session participants. This key is only sent occasionally or
periodically depending on use cases and depending on what
requirements exist for timely delivery or notification.
The only known deployment of EKT so far is in some Cisco video
conferencing products.
<span class="grey">Westerlund & Perkins Informational [Page 16]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-17" ></span>
<span class="grey"><a href="./rfc7201">RFC 7201</a> Options for Securing RTP Sessions April 2014</span>
<span class="h4"><a class="selflink" id="section-3.1.5" href="#section-3.1.5">3.1.5</a>. Key Management for SRTP: ZRTP and Other Solutions</span>
The ZRTP [<a href="./rfc6189" title=""ZRTP: Media Path Key Agreement for Unicast Secure RTP"">RFC6189</a>] key management system for SRTP was proposed as an
alternative to DTLS-SRTP. ZRTP provides best effort encryption
independent of the signaling protocol and utilizes key continuity,
Short Authentication Strings, or a PKI for authentication. ZRTP
wasn't adopted as an IETF Standards Track protocol, but was instead
published as an Informational RFC in the IETF stream. Commercial
implementations exist.
Additional proprietary solutions are also known to exist.
<span class="h3"><a class="selflink" id="section-3.2" href="#section-3.2">3.2</a>. RTP Legacy Confidentiality</span>
<a href="#section-9">Section 9</a> of the RTP standard [<a href="./rfc3550" title=""RTP: A Transport Protocol for Real-Time Applications"">RFC3550</a>] defines a Data Encryption
Standard (DES) or 3DES-based encryption of RTP and RTCP packets.
This mechanism is keyed using plaintext keys in SDP [<a href="./rfc4566" title=""SDP: Session Description Protocol"">RFC4566</a>] using
the "k=" SDP field. This method can provide confidentiality but, as
discussed in <a href="./rfc3550#section-9">Section 9 of [RFC3550]</a>, it has extremely weak security
properties and is not to be used.
<span class="h3"><a class="selflink" id="section-3.3" href="#section-3.3">3.3</a>. IPsec</span>
IPsec [<a href="./rfc4301" title=""Security Architecture for the Internet Protocol"">RFC4301</a>] can be used in either tunnel or transport mode to
protect RTP and RTCP packets in transit from one network interface to
another. This can be sufficient when the network interfaces have a
direct relation or in a secured environment where it can be
controlled who can read the packets from those interfaces.
The main concern with using IPsec to protect RTP traffic is that in
most cases, using a VPN approach that terminates the security
association at some node prior to the RTP endpoint leaves the traffic
vulnerable to attack between the VPN termination node and the
endpoint. Thus, usage of IPsec requires careful thought and design
of its usage so that it meets the security goals. An important
question is how one ensures the IPsec terminating peer and the
ultimate destination are the same. Applications can have issues
using existing APIs when determining if IPsec is being used or not
and when determining who the authenticated peer entity is when IPsec
is used.
IPsec with RTP is more commonly used as a security solution between
infrastructure nodes that exchange many RTP sessions and media
streams. The establishment of a secure tunnel between such nodes
minimizes the key management overhead.
<span class="grey">Westerlund & Perkins Informational [Page 17]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-18" ></span>
<span class="grey"><a href="./rfc7201">RFC 7201</a> Options for Securing RTP Sessions April 2014</span>
<span class="h3"><a class="selflink" id="section-3.4" href="#section-3.4">3.4</a>. RTP over TLS over TCP</span>
Just as RTP can be sent over TCP [<a href="./rfc4571" title=""Framing Real-time Transport Protocol (RTP) and RTP Control Protocol (RTCP) Packets over Connection- Oriented Transport"">RFC4571</a>], it can also be sent over
TLS over TCP [<a href="./rfc4572" title=""Connection-Oriented Media Transport over the Transport Layer Security (TLS) Protocol in the Session Description Protocol (SDP)"">RFC4572</a>], using TLS to provide point-to-point security
services. The security properties TLS provides are confidentiality,
integrity protection, and possible source authentication if the
client or server certificates are verified and provide a usable
identity. When used in multiparty scenarios using a central node for
media distribution, the security provided is only between the central
node and the peers, so the security properties for the whole session
are dependent on what trust one can place in the central node.
RTSP 1.0 [<a href="./rfc2326" title=""Real Time Streaming Protocol (RTSP)"">RFC2326</a>] and 2.0 [<a href="#ref-RTSP" title=""Real Time Streaming Protocol 2.0 (RTSP)"">RTSP</a>] specify the usage of RTP over the
same TLS/TCP connection that the RTSP messages are sent over. It
appears that RTP over TLS/TCP is also used in some proprietary
solutions that use TLS to bypass firewalls.
<span class="h3"><a class="selflink" id="section-3.5" href="#section-3.5">3.5</a>. RTP over Datagram TLS (DTLS)</span>
DTLS [<a href="./rfc6347" title=""Datagram Transport Layer Security Version 1.2"">RFC6347</a>] is based on TLS [<a href="./rfc5246" title=""The Transport Layer Security (TLS) Protocol Version 1.2"">RFC5246</a>] but designed to work over an
unreliable datagram-oriented transport rather than requiring reliable
byte stream semantics from the transport protocol. Accordingly, DTLS
can provide point-to-point security for RTP flows analogous to that
provided by TLS but over a datagram transport such as UDP. The two
peers establish a DTLS association between each other, including the
possibility to do certificate-based source authentication when
establishing the association. All RTP and RTCP packets flowing will
be protected by this DTLS association.
Note that using DTLS for RTP flows is different from using DTLS-SRTP
key management. DTLS-SRTP uses the same key management steps as
DTLS, but uses SRTP for the per-packet security operations. Using
DTLS for RTP flows uses the normal datagram TLS data protection,
wrapping complete RTP packets. When using DTLS for RTP flows, the
RTP and RTCP packets are completely encrypted with no headers in the
clear; when using DTLS-SRTP, the RTP headers are in the clear and
only the payload data is encrypted.
DTLS can use similar techniques to those available for DTLS-SRTP to
bind a signaling-side agreement to communicate to the certificates
used by the endpoint when doing the DTLS handshake. This enables use
without having a certificate-based trust chain to a trusted
certificate root.
There does not appear to be significant usage of DTLS for RTP.
<span class="grey">Westerlund & Perkins Informational [Page 18]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-19" ></span>
<span class="grey"><a href="./rfc7201">RFC 7201</a> Options for Securing RTP Sessions April 2014</span>
<span class="h3"><a class="selflink" id="section-3.6" href="#section-3.6">3.6</a>. Media Content Security/Digital Rights Management</span>
Mechanisms have been defined that encrypt only the media content
operating within the RTP payload data and leaving the RTP headers and
RTCP unaffected. There are several reasons why this might be
appropriate, but a common rationale is to ensure that the content
stored by RTSP streaming servers has the media content in a protected
format that cannot be read by the streaming server (this is mostly
done in the context of Digital Rights Management). These approaches
then use a key management solution between the rights provider and
the consuming client to deliver the key used to protect the content
and do not give the media server access to the security context.
Such methods have several security weaknesses such as the fact that
the same key is handed out to a potentially large group of receiving
clients, increasing the risk of a leak.
Use of this type of solution can be of interest in environments that
allow middleboxes to rewrite the RTP headers and select which streams
are delivered to an endpoint (e.g., some types of centralized video
conference systems). The advantage of encrypting and possibly
integrity protecting the payload but not the headers is that the
middlebox can't eavesdrop on the media content, but it can still
provide stream switching functionality. The downside of such a
system is that it likely needs two levels of security: the payload-
level solution, to provide confidentiality and source authentication,
and a second layer with additional transport security ensuring source
authentication and integrity of the RTP headers associated with the
encrypted payloads. This can also result in the need to have two
different key management systems as the entity protecting the packets
and payloads are different with a different set of keys.
The aspect of two tiers of security are present in ISMACryp (see
<a href="#section-3.6.1">Section 3.6.1</a>) and the deprecated 3GPP Packet-switched Streaming
Service solution; see Annex K of [<a href="#ref-T3GPP.26.234R8">T3GPP.26.234R8</a>].
<span class="h4"><a class="selflink" id="section-3.6.1" href="#section-3.6.1">3.6.1</a>. ISMA Encryption and Authentication</span>
The Internet Streaming Media Alliance (ISMA) has defined ISMA
Encryption and Authentication 2.0 [<a href="#ref-ISMACryp2" title=""ISMA Encryption and Authentication Version 2.0"">ISMACryp2</a>]. This specification
defines how one encrypts and packetizes the encrypted application
data units (ADUs) in an RTP payload using the MPEG-4 generic payload
format [<a href="./rfc3640" title=""RTP Payload Format for Transport of MPEG-4 Elementary Streams"">RFC3640</a>]. The ADU types that are allowed are those that can
be stored as elementary streams in an ISO Media File format-based
file. ISMACryp uses SRTP for packet-level integrity and source
authentication from a streaming server to the receiver.
<span class="grey">Westerlund & Perkins Informational [Page 19]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-20" ></span>
<span class="grey"><a href="./rfc7201">RFC 7201</a> Options for Securing RTP Sessions April 2014</span>
Key management for an ISMACryp-based system can be achieved through
Open Mobile Alliance (OMA) Digital Rights Management 2.0 [<a href="#ref-OMADRMv2" title=""OMA Digital Rights Management V2.0"">OMADRMv2</a>],
for example.
<span class="h2"><a class="selflink" id="section-4" href="#section-4">4</a>. Securing RTP Applications</span>
In the following, we provide guidelines for how to choose appropriate
security mechanisms for RTP applications.
<span class="h3"><a class="selflink" id="section-4.1" href="#section-4.1">4.1</a>. Application Requirements</span>
This section discusses a number of application requirements that need
to be considered. An application designer choosing security
solutions requires a good understanding of what level of security is
needed and what behavior they strive to achieve.
<span class="h4"><a class="selflink" id="section-4.1.1" href="#section-4.1.1">4.1.1</a>. Confidentiality</span>
When it comes to confidentiality of an RTP session, there are several
aspects to consider:
Probability of compromise: When using encryption to provide media
confidentiality, it is necessary to have some rough understanding
of the security goal and how long one can expect the protected
content to remain confidential. National or other regulations
might provide additional requirements on a particular usage of an
RTP. From that, one can determine which encryption algorithms are
to be used from the set of available transforms.
Potential for other leakage: RTP-based security in most of its forms
simply wraps RTP and RTCP packets into cryptographic containers.
This commonly means that the size of the original RTP payload is
visible to observers of the protected packet flow. This can
provide information to those observers. A well-documented case is
the risk with variable bitrate speech codecs that produce
different sized packets based on the speech input [<a href="./rfc6562" title=""Guidelines for the Use of Variable Bit Rate Audio with Secure RTP"">RFC6562</a>].
Potential threats such as these need to be considered and, if they
are significant, then restrictions will be needed on mode choices
in the codec, or additional padding will need to be added to make
all packets equal size and remove the informational leakage.
Another case is RTP header extensions. If SRTP is used, header
extensions are normally not protected by the security mechanism
protecting the RTP payload. If the header extension carries
information that is considered sensitive, then the application
needs to be modified to ensure that mechanisms used to protect
against such information leakage are employed.
<span class="grey">Westerlund & Perkins Informational [Page 20]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-21" ></span>
<span class="grey"><a href="./rfc7201">RFC 7201</a> Options for Securing RTP Sessions April 2014</span>
Who has access: When considering the confidentiality properties of a
system, it is important to consider where the media handled in the
clear. For example, if the system is based on an RTP mixer that
needs the keys to decrypt the media, process it, and repacketize
it, then is the mixer providing the security guarantees expected
by the other parts of the system? Furthermore, it is important to
consider who has access to the keys. The policies for the
handling of the keys, and who can access the keys, need to be
considered along with the confidentiality goals.
As can be seen, the actual confidentiality level has likely more to
do with the application's usage of centralized nodes, and the details
of the key management solution chosen, than with the actual choice of
encryption algorithm (although, of course, the encryption algorithm
needs to be chosen appropriately for the desired security level).
<span class="h4"><a class="selflink" id="section-4.1.2" href="#section-4.1.2">4.1.2</a>. Integrity</span>
Protection against modification of content by a third party, or due
to errors in the network, is another factor to consider. The first
aspect that one assesses is what resilience one has against
modifications to the content. Some media types are extremely
sensitive to network bit errors, whereas others might be able to
tolerate some degree of data corruption. Equally important is to
consider the sensitivity of the content, who is providing the
integrity assertion, what is the source of the integrity tag, and
what are the risks of modifications happening prior to that point
where protection is applied. These issues affect what cryptographic
algorithm is used, the length of the integrity tags, and whether the
entire payload is protected.
RTP applications that rely on central nodes need to consider if
hop-by-hop integrity is acceptable or if true end-to-end integrity
protection is needed. Is it important to be able to tell if a
middlebox has modified the data? There are some uses of RTP that
require trusted middleboxes that can modify the data in a way that
doesn't break integrity protection as seen by the receiver, for
example, local advertisement insertion in IPTV systems. There are
also uses where it is essential that such in-network modification be
detectable. RTP can support both with appropriate choices of
security mechanisms.
Integrity of the data is commonly closely tied to the question of
source authentication. That is, it becomes important to know who
makes an integrity assertion for the data.
<span class="grey">Westerlund & Perkins Informational [Page 21]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-22" ></span>
<span class="grey"><a href="./rfc7201">RFC 7201</a> Options for Securing RTP Sessions April 2014</span>
<span class="h4"><a class="selflink" id="section-4.1.3" href="#section-4.1.3">4.1.3</a>. Source Authentication</span>
Source authentication is about determining who sent a particular RTP
or RTCP packet. It is normally closely tied with integrity, since a
receiver generally also wants to ensure that the data received is
what the source really sent, so source authentication without
integrity is not particularly useful. Similarly, integrity
protection without source authentication is also not particularly
useful; a claim that a packet is unchanged that cannot itself be
validated as from the source (or some from other known and trusted
party) is meaningless.
Source authentication can be asserted in several different ways:
Base level: Using cryptographic mechanisms that give authentication
with some type of key management provide an implicit method for
source authentication. Assuming that the mechanism has sufficient
strength not to be circumvented in the time frame when you would
accept the packet as valid, it is possible to assert a source-
authenticated statement; this message is likely from a source that
has the cryptographic key(s) to this communication.
What that assertion actually means is highly dependent on the
application and how it handles the keys. If only the two peers
have access to the keys, this can form a basis for a strong trust
relationship that traffic is authenticated coming from one of the
peers. However, in a multiparty scenario where security contexts
are shared among participants, most base-level authentication
solutions can't even assert that this packet is from the same
source as the previous packet.
Binding the source and the signaling: A step up in the assertion
that can be done in base-level systems is to tie the signaling to
the key exchange. Here, the goal is to at least be able to assert
that the source of the packets is the same entity with which the
receiver established the session. How feasible this is depends on
the properties of the key management system, the ability to tie
the signaling to a particular source, and the degree of trust the
receiver places on the different nodes involved.
For example, systems where the key exchange is done using the
signaling systems, such as security descriptions [<a href="./rfc4568" title=""Session Description Protocol (SDP) Security Descriptions for Media Streams"">RFC4568</a>] enable
a direct binding between signaling and key exchange. In such
systems, the actual security depends on the trust one can place in
the signaling system to correctly associate the peer's identifier
with the key exchange.
<span class="grey">Westerlund & Perkins Informational [Page 22]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-23" ></span>
<span class="grey"><a href="./rfc7201">RFC 7201</a> Options for Securing RTP Sessions April 2014</span>
Using identifiers: If the applications have access to a system that
can provide verifiable identifiers, then the source authentication
can be bound to that identifier. For example, in a point-to-point
communication, even symmetric key crypto, where the key management
can assert that the key has only been exchanged with a particular
identifier, can provide a strong assertion about the source of the
traffic. SIP Identity [<a href="./rfc4474" title=""Enhancements for Authenticated Identity Management in the Session Initiation Protocol (SIP)"">RFC4474</a>] provides one example of how this
can be done and could be used to bind DTLS-SRTP certificates used
by an endpoint to the identity provider's public key to
authenticate the source of a DTLS-SRTP flow.
Note that all levels of the system need to have matching
capability to assert identifiers. If the signaling can assert
that only a given entity in a multiparty session has a key, then
the media layer might be able to provide guarantees about the
identifier used by the media sender. However, using a signaling
authentication mechanism built on a group key can limit the media
layer to asserting only group membership.
<span class="h4"><a class="selflink" id="section-4.1.4" href="#section-4.1.4">4.1.4</a>. Identifiers and Identity</span>
There exist many different types of systems providing identifiers
with different properties (e.g., SIP Identity [<a href="./rfc4474" title=""Enhancements for Authenticated Identity Management in the Session Initiation Protocol (SIP)"">RFC4474</a>]). In the
context of RTP applications, the most important property is the
possibility to perform source authentication and verify such
assertions in relation to any claimed identifiers. What an
identifier really represents can also vary but, in the context of
communication, one of the most obvious is the identifiers
representing the identity of the human user with which one
communicates. However, the human user can also have additional
identifiers in a particular role. For example, the human (Alice) can
also be a police officer, and in some cases, an identifier for her
role as police officer will be more relevant than one that asserts
that she is Alice. This is common in contact with organizations,
where it is important to prove the person's right to represent the
organization. Some examples of identifier/identity mechanisms that
can be used:
Certificate based: A certificate is used to assert the identifiers
used to claim an identity; by having access to the private part of
the certificate, one can perform signing to assert one's identity.
Any entity interested in verifying the assertion then needs the
public part of the certificate. By having the certificate, one
can verify the signature against the certificate. The next step
is to determine if one trusts the certificate's trust chain.
Commonly, by provisioning the verifier with the public part of a
root certificate, this enables the verifier to verify a trust
chain from the root certificate down to the identifier in the
<span class="grey">Westerlund & Perkins Informational [Page 23]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-24" ></span>
<span class="grey"><a href="./rfc7201">RFC 7201</a> Options for Securing RTP Sessions April 2014</span>
certificate. However, the trust is based on all steps in the
certificate chain being verifiable and trusted. Thus, the
provisioning of root certificates and the ability to revoke
compromised certificates are aspects that will require
infrastructure.
Online identity providers: An online identity provider (IdP) can
authenticate a user's right to use an identifier and then perform
assertions on their behalf or provision the requester with short-
term credentials to assert the identifiers. The verifier can then
contact the IdP to request verification of a particular
identifier. Here, the trust is highly dependent on how much one
trusts the IdP. The system also becomes dependent on having
access to the relevant IdP.
In all of the above examples, an important part of the security
properties is related to the method for authenticating the access to
the identity.
<span class="h4"><a class="selflink" id="section-4.1.5" href="#section-4.1.5">4.1.5</a>. Privacy</span>
RTP applications need to consider what privacy goals they have. As
RTP applications communicate directly between peers in many cases,
the IP addresses of any communication peer will be available. The
main privacy concern with IP addresses is related to geographical
location and the possibility to track a user of an endpoint. The
main way to avoid such concerns is the introduction of relay (e.g., a
Traversal Using Relay NAT (TURN) server [<a href="./rfc5766" title=""Traversal Using Relays around NAT (TURN): Relay Extensions to Session Traversal Utilities for NAT (STUN)"">RFC5766</a>]) or centralized
media mixers or forwarders that hide the address of a peer from any
other peer. The security and trust placed in these relays obviously
needs to be carefully considered.
RTP itself can contribute to enabling a particular user to be tracked
between communication sessions if the Canonical Name (CNAME) is
generated according to the RTP specification in the form of
user@host. Such RTCP CNAMEs are likely long-term stable over
multiple sessions, allowing tracking of users. This can be desirable
for long-term fault tracking and diagnosis, but it clearly has
privacy implications. Instead, cryptographically random ones could
be used as defined by "Guidelines for Choosing RTP Control Protocol
(RTCP) CNAMEs" [<a href="./rfc7022" title=""Guidelines for Choosing RTP Control Protocol (RTCP) Canonical Names (CNAMEs)"">RFC7022</a>].
If privacy goals exist, they need to be considered and the system
designed with them in mind. In addition, certain RTP features might
have to be configured to safeguard privacy or have requirements on
how the implementation is done.
<span class="grey">Westerlund & Perkins Informational [Page 24]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-25" ></span>
<span class="grey"><a href="./rfc7201">RFC 7201</a> Options for Securing RTP Sessions April 2014</span>
<span class="h3"><a class="selflink" id="section-4.2" href="#section-4.2">4.2</a>. Application Structure</span>
When it comes to RTP security, the most appropriate solution is often
highly dependent on the topology of the communication session. The
signaling also impacts what information can be provided and if this
can be instance specific or common for a group. In the end, the key
management system will highly affect the security properties achieved
by the application. At the same time, the communication structure of
the application limits what key management methods are applicable.
As different key management methods have different requirements on
underlying infrastructure, it is important to take that aspect into
consideration early in the design.
<span class="h3"><a class="selflink" id="section-4.3" href="#section-4.3">4.3</a>. Automatic Key Management</span>
The guidelines for Cryptographic Key Management [<a href="./rfc4107" title=""Guidelines for Cryptographic Key Management"">RFC4107</a>] provide an
overview of why automatic key management is important. They also
provide a strong recommendation on using automatic key management.
Most of the security solutions reviewed in this document provide or
support automatic key management, at least to establish session keys.
In some more long-term use cases, credentials might need to be
manually deployed in certain cases.
For SRTP, an important aspect of automatic key management is to
ensure that two-time pads do not occur, in particular by preventing
multiple endpoints using the same session key and SSRC. In these
cases, automatic key management methods can have strong dependencies
on signaling features to function correctly. If those dependencies
can't be fulfilled, additional constrains on usage, e.g., per-
endpoint session keys, might be needed to avoid the issue.
When selecting security mechanisms for an RTP application, it is
important to consider the properties of the key management. Using
key management that is both automatic and integrated will provide
minimal interruption for the user and is important to ensure that
security can, and will remain, to be on by default.
<span class="h3"><a class="selflink" id="section-4.4" href="#section-4.4">4.4</a>. End-to-End Security vs. Tunnels</span>
If the security mechanism only provides a secured tunnel, for
example, like some common uses of IPsec (<a href="#section-3.3">Section 3.3</a>), it is
important to consider the full end-to-end properties of the system.
How does one ensure that the path from the endpoint to the local
tunnel ingress/egress is secure and can be trusted (and similarly for
the other end of the tunnel)? How does one handle the source
authentication of the peer, as the security protocol identifies the
other end of the tunnel? These are some of the issues that arise
when one considers a tunnel-based security protocol rather than an
<span class="grey">Westerlund & Perkins Informational [Page 25]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-26" ></span>
<span class="grey"><a href="./rfc7201">RFC 7201</a> Options for Securing RTP Sessions April 2014</span>
end-to-end one. Even with clear requirements and knowledge that one
still can achieve the security properties using a tunnel-based
solution, one ought to prefer to use end-to-end mechanisms, as they
are much less likely to violate any assumptions made about
deployment. These assumptions can also be difficult to automatically
verify.
<span class="h3"><a class="selflink" id="section-4.5" href="#section-4.5">4.5</a>. Plaintext Keys</span>
Key management solutions that use plaintext keys, like SDP security
descriptions (<a href="#section-3.1.3">Section 3.1.3</a>), require care to ensure a secure
transport of the signaling messages that contain the plaintext keys.
For plaintext keys, the security properties of the system depend on
how securely the plaintext keys are protected end-to-end between the
sender and receiver(s). Not only does one need to consider what
transport protection is provided for the signaling message, including
the keys, but also the degree to which any intermediaries in the
signaling are trusted. Untrusted intermediaries can perform MITM
attacks on the communication or can log the keys, resulting in the
encryption being compromised significantly after the actual
communication occurred.
<span class="h3"><a class="selflink" id="section-4.6" href="#section-4.6">4.6</a>. Interoperability</span>
Few RTP applications exist as independent applications that never
interoperate with anything else. Rather, they enable communication
with a potentially large number of other systems. To minimize the
number of security mechanisms that need to be implemented, it is
important to consider if one can use the same security mechanisms as
other applications. This can also reduce problems with determining
what security level is actually negotiated in a particular session.
The desire to be interoperable can, in some cases, be in conflict
with the security requirements of an application. To meet the
security goals, it might be necessary to sacrifice interoperability.
Alternatively, one can implement multiple security mechanisms; this,
however, introduces the complication of ensuring that the user
understands what it means to use a particular security system. In
addition, the application can then become vulnerable to bid-down
attacks.
<span class="h2"><a class="selflink" id="section-5" href="#section-5">5</a>. Examples</span>
In the following, we describe a number of example security solutions
for applications using RTP services or frameworks. These examples
are provided to illustrate the choices available. They are not
normative recommendations for security.
<span class="grey">Westerlund & Perkins Informational [Page 26]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-27" ></span>
<span class="grey"><a href="./rfc7201">RFC 7201</a> Options for Securing RTP Sessions April 2014</span>
<span class="h3"><a class="selflink" id="section-5.1" href="#section-5.1">5.1</a>. Media Security for SIP-Established Sessions Using DTLS-SRTP</span>
In 2009, the IETF evaluated media security for RTP sessions
established using point-to-point SIP sessions. A number of
requirements were determined, and based on those, the existing
solutions for media security and especially the keying methods were
analyzed. The resulting requirements and analysis were published in
[<a href="./rfc5479" title=""Requirements and Analysis of Media Security Management Protocols"">RFC5479</a>]. Based on this analysis and working group discussion,
DTLS-SRTP was determined to be the best solution.
The security solution for SIP using DTLS-SRTP is defined in
"Framework for Establishing a Secure Real-time Transport Protocol
(SRTP) Security Context Using Datagram Transport Layer Security
(DTLS)" [<a href="./rfc5763" title=""Framework for Establishing a Secure Real-time Transport Protocol (SRTP) Security Context Using Datagram Transport Layer Security (DTLS)"">RFC5763</a>]. On a high level, the framework uses SIP with SDP
offer/answer procedures to exchange the network addresses where the
server endpoint will have a DTLS-SRTP-enabled server running. The
SIP signaling is also used to exchange the fingerprints of the
certificate each endpoint will use in the DTLS establishment process.
When the signaling is sufficiently completed, the DTLS-SRTP client
performs DTLS handshakes and establishes SRTP session keys. The
clients also verify the fingerprints of the certificates to verify
that no man in the middle has inserted themselves into the exchange.
DTLS has a number of good security properties. For example, to
enable a MITM, someone in the signaling path needs to perform an
active action and modify both the signaling message and the DTLS
handshake. Solutions also exist that enable the fingerprints to be
bound to identities. SIP Identity provides an identity established
by the first proxy for each user [<a href="./rfc4474" title=""Enhancements for Authenticated Identity Management in the Session Initiation Protocol (SIP)"">RFC4474</a>]. This reduces the number
of nodes the connecting User Agent has to trust to include just the
first-hop proxy rather than the full signaling path. The biggest
security weakness of this system is its dependency on the signaling.
SIP signaling passes multiple nodes and there is usually no message
security deployed, only hop-by-hop transport security, if any,
between the nodes.
<span class="h3"><a class="selflink" id="section-5.2" href="#section-5.2">5.2</a>. Media Security for WebRTC Sessions</span>
Web Real-Time Communication (WebRTC) [<a href="#ref-WebRTC" title=""Overview: Real Time Protocols for Browser-based Applications"">WebRTC</a>] is a solution providing
JavaScript web applications with real-time media directly between
browsers. Media is transported using RTP and protected using a
mandatory application of SRTP [<a href="./rfc3711" title=""The Secure Real-time Transport Protocol (SRTP)"">RFC3711</a>], with keying done using DTLS-
SRTP [<a href="./rfc5764" title=""Datagram Transport Layer Security (DTLS) Extension to Establish Keys for the Secure Real-time Transport Protocol (SRTP)"">RFC5764</a>]. The security configuration is further defined in
"WebRTC Security Architecture" [<a href="#ref-WebRTC-SEC">WebRTC-SEC</a>].
A hash of the peer's certificate is provided to the JavaScript web
application, allowing that web application to verify identity of the
peer. There are several ways in which the certificate hashes can be
<span class="grey">Westerlund & Perkins Informational [Page 27]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-28" ></span>
<span class="grey"><a href="./rfc7201">RFC 7201</a> Options for Securing RTP Sessions April 2014</span>
verified. An approach identified in the WebRTC security architecture
[<a href="#ref-WebRTC-SEC">WebRTC-SEC</a>] is to use an identity provider. In this solution, the
identity provider, which is a third party to the web application,
signs the DTLS-SRTP hash combined with a statement on the validity of
the user identity that has been used to sign the hash. The receiver
of such an identity assertion can then independently verify the user
identity to ensure that it is the identity that the receiver intended
to communicate with, and that the cryptographic assertion holds; this
way, a user can be certain that the application also can't perform a
MITM and acquire the keys to the media communication. Other ways of
verifying the certificate hashes exist; for example, they could be
verified against a hash carried in some out-of-band channel (e.g.,
compare with a hash printed on a business card) or using a verbal
short authentication string (e.g., as in ZRTP [<a href="./rfc6189" title=""ZRTP: Media Path Key Agreement for Unicast Secure RTP"">RFC6189</a>]) or using
hash continuity.
In the development of WebRTC, there has also been attention given to
privacy considerations. The main RTP-related concerns that have been
raised are:
Location disclosure: As Interactive Connectivity Establishment (ICE)
negotiation [<a href="./rfc5245" title=""Interactive Connectivity Establishment (ICE): A Protocol for Network Address Translator (NAT) Traversal for Offer/Answer Protocols"">RFC5245</a>] provides IP addresses and ports for the
browser, this leaks location information in the signaling to the
peer. To prevent this, one can block the usage of any ICE
candidate that isn't a relay candidate, i.e., where the IP and
port provided belong to the service providers media traffic relay.
Prevent tracking between sessions: Static RTP CNAMEs and DTLS-SRTP
certificates provide information that is reused between session
instances. Thus, to prevent tracking, such information ought not
be reused between sessions, or the information ought not be sent
in the clear. Note that generating new certificates each time
prevents continuity in authentication, however, as WebRTC users
are expected to use multiple devices to access the same
communication service, such continuity can't be expected anyway;
instead, the above-described identity mechanism has to be relied
on.
Note: The above cases are focused on providing privacy from other
parties, not on providing privacy from the web server that provides
the WebRTC JavaScript application.
<span class="h3"><a class="selflink" id="section-5.3" href="#section-5.3">5.3</a>. IP Multimedia Subsystem (IMS) Media Security</span>
In IMS, the core network is controlled by a single operator or by
several operators with high trust in each other. Except for some
types of accesses, the operator is in full control, and no packages
are routed over the Internet. Nodes in the core network offer
<span class="grey">Westerlund & Perkins Informational [Page 28]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-29" ></span>
<span class="grey"><a href="./rfc7201">RFC 7201</a> Options for Securing RTP Sessions April 2014</span>
services such as voice mail, interworking with legacy systems (Public
Switched Telephone Network (PSTN), Global System for Mobile
Communications (GSM), and 3G), and transcoding. Endpoints are
authenticated during the SIP registration using either IMS and
Authentication and Key Agreement (AKA) (using Subscriber Identity
Module (SIM) credentials) or SIP Digest (using a password).
In IMS media security [<a href="#ref-T3GPP.33.328">T3GPP.33.328</a>], end-to-end encryption is,
therefore, not seen as needed or desired as it would hinder, for
example, interworking and transcoding, making calls between
incompatible terminals impossible. Because of this, IMS media
security mostly uses end-to-access-edge security where SRTP is
terminated in the first node in the core network. As the SIP
signaling is trusted and encrypted (with TLS or IPsec), security
descriptions [<a href="./rfc4568" title=""Session Description Protocol (SDP) Security Descriptions for Media Streams"">RFC4568</a>] is considered to give good protection against
eavesdropping over the accesses that are not already encrypted (GSM,
3G, and Long Term Evolution (LTE)). Media source authentication is
based on knowledge of the SRTP session key and trust in that the IMS
network will only forward media from the correct endpoint.
For enterprises and government agencies, which might have weaker
trust in the IMS core network and can be assumed to have compatible
terminals, end-to-end security can be achieved by deploying their own
key management server.
Work on interworking with WebRTC is currently ongoing; the security
will still be end-to-access-edge but using DTLS-SRTP [<a href="./rfc5763" title=""Framework for Establishing a Secure Real-time Transport Protocol (SRTP) Security Context Using Datagram Transport Layer Security (DTLS)"">RFC5763</a>]
instead of security descriptions.
<span class="h3"><a class="selflink" id="section-5.4" href="#section-5.4">5.4</a>. 3GPP Packet-Switched Streaming Service (PSS)</span>
The 3GPP Release 11 PSS specification of the Packet-switched
Streaming Service (PSS) [<a href="#ref-T3GPP.26.234R11">T3GPP.26.234R11</a>] defines, in Annex R, a set
of security mechanisms. These security mechanisms are concerned with
protecting the content from being copied, i.e., Digital Rights
Management (DRM). To meet these goals with the specified solution,
the client implementation and the application platform are trusted to
protect against access and modification by an attacker.
PSS is media controlled by RTSP 1.0 [<a href="./rfc2326" title=""Real Time Streaming Protocol (RTSP)"">RFC2326</a>] streaming over RTP.
Thus, an RTSP client whose user wants to access a protected content
will request a session description (SDP [<a href="./rfc4566" title=""SDP: Session Description Protocol"">RFC4566</a>]) for the protected
content. This SDP will indicate that the media is protected by
ISMACryp 2.0 [<a href="#ref-ISMACryp2" title=""ISMA Encryption and Authentication Version 2.0"">ISMACryp2</a>] encoding application units (AUs). The
key(s) used to protect the media is provided in one of two ways. If
a single key is used, then the client uses some DRM system to
retrieve the key as indicated in the SDP. Commonly, OMA DRM v2
[<a href="#ref-OMADRMv2" title=""OMA Digital Rights Management V2.0"">OMADRMv2</a>] will be used to retrieve the key. If multiple keys are to
<span class="grey">Westerlund & Perkins Informational [Page 29]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-30" ></span>
<span class="grey"><a href="./rfc7201">RFC 7201</a> Options for Securing RTP Sessions April 2014</span>
be used, then an additional RTSP stream for key updates in parallel
with the media streams is established, where key updates are sent to
the client using Short Term Key Messages defined in the "Service and
Content Protection for Mobile Broadcast Services" part [<a href="#ref-OMASCP" title=""Service and Content Protection for Mobile Broadcast Services"">OMASCP</a>] of
the OMA Mobile Broadcast Services [<a href="#ref-OMABCAST" title=""Mobile Broadcast Services Version 1.0"">OMABCAST</a>].
Worth noting is that this solution doesn't provide any integrity
verification method for the RTP header and payload header
information; only the encoded media AU is protected. 3GPP has not
defined any requirement for supporting any solution that could
provide that service. Thus, replay or insertion attacks are
possible. Another property is that the media content can be
protected by the ones providing the media, so that the operators of
the RTSP server have no access to unprotected content. Instead, all
that want to access the media are supposed to contact the DRM keying
server, and if the device is acceptable, they will be given the key
to decrypt the media.
To protect the signaling, RTSP 1.0 supports the usage of TLS. This
is, however, not explicitly discussed in the PSS specification.
Usage of TLS can prevent both modification of the session description
information and help maintain some privacy of what content the user
is watching as all URLs would then be confidentiality protected.
<span class="h3"><a class="selflink" id="section-5.5" href="#section-5.5">5.5</a>. RTSP 2.0</span>
The Real-time Streaming Protocol 2.0 [<a href="#ref-RTSP" title=""Real Time Streaming Protocol 2.0 (RTSP)"">RTSP</a>] offers an interesting
comparison to the PSS service (<a href="#section-5.4">Section 5.4</a>) that is based on RTSP 1.0
and service requirements perceived by mobile operators. A major
difference between RTSP 1.0 and RTSP 2.0 is that 2.0 is fully defined
under the requirement to have a mandatory-to-implement security
mechanism. As it specifies one transport media over RTP, it is also
defining security mechanisms for the RTP-transported media streams.
The security goal for RTP in RTSP 2.0 is to ensure that there is
confidentiality, integrity, and source authentication between the
RTSP server and the client. This to prevent eavesdropping on what
the user is watching for privacy reasons and to prevent replay or
injection attacks on the media stream. To reach these goals, the
signaling also has to be protected, requiring the use of TLS between
the client and server.
Using TLS-protected signaling, the client and server agree on the
media transport method when doing the SETUP request and response.
The secured media transport is SRTP (SAVP/RTP) normally over UDP.
The key management for SRTP is MIKEY using RSA-R mode. The RSA-R
mode is selected as it allows the RTSP server to select the key
despite having the RTSP client initiate the MIKEY exchange. It also
<span class="grey">Westerlund & Perkins Informational [Page 30]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-31" ></span>
<span class="grey"><a href="./rfc7201">RFC 7201</a> Options for Securing RTP Sessions April 2014</span>
enables the reuse of the RTSP server's TLS certificate when creating
the MIKEY messages, thus ensuring a binding between the RTSP server
and the key exchange. Assuming the SETUP process works, this will
establish a SRTP crypto context to be used between the RTSP server
and the client for the RTP-transported media streams.
<span class="h2"><a class="selflink" id="section-6" href="#section-6">6</a>. Security Considerations</span>
This entire document is about security. Please read it.
<span class="h2"><a class="selflink" id="section-7" href="#section-7">7</a>. Acknowledgements</span>
We thank the IESG for their careful review of [<a href="./rfc7202" title=""Securing the RTP Protocol Framework: Why RTP Does Not Mandate a Single Media Security Solution"">RFC7202</a>], which led to
the writing of this memo. John Mattsson has contributed the IMS
Media Security example (<a href="#section-5.3">Section 5.3</a>).
The authors wish to thank Christian Correll, Dan Wing, Kevin Gross,
Alan Johnston, Michael Peck, Ole Jacobsen, Spencer Dawkins, Stephen
Farrell, John Mattsson, and Suresh Krishnan for their reviews and
proposals for improvements to the text.
<span class="h2"><a class="selflink" id="section-8" href="#section-8">8</a>. Informative References</span>
[<a id="ref-AES-GCM">AES-GCM</a>] McGrew, D. and K. Igoe, "AES-GCM and AES-CCM
Authenticated Encryption in Secure RTP (SRTP)", Work in
Progress, September 2013.
[<a id="ref-ARIA-SRTP">ARIA-SRTP</a>] Kim, W., Lee, J., Kim, D., Park, J., and D. Kwon, "The
ARIA Algorithm and Its Use with the Secure Real-time
Transport Protocol(SRTP)", Work in Progress, November
2013.
[<a id="ref-EKT">EKT</a>] McGrew, D. and D. Wing, "Encrypted Key Transport for
Secure RTP", Work in Progress, February 2014.
[<a id="ref-ISMACryp2">ISMACryp2</a>] Internet Streaming Media Alliance (ISMA), "ISMA
Encryption and Authentication Version 2.0", November
2007, <<a href="http://www.oipf.tv/images/site/DOCS/mpegif/ISMA/isma_easpec2.0.pdf">http://www.oipf.tv/images/site/DOCS/mpegif/ISMA/</a>
<a href="http://www.oipf.tv/images/site/DOCS/mpegif/ISMA/isma_easpec2.0.pdf">isma_easpec2.0.pdf</a>>.
[<a id="ref-OMABCAST">OMABCAST</a>] Open Mobile Alliance, "Mobile Broadcast Services Version
1.0", February 2009,
<<a href="http://technical.openmobilealliance.org/Technical/release_program/bcast_v1_0.aspx">http://technical.openmobilealliance.org/Technical/</a>
<a href="http://technical.openmobilealliance.org/Technical/release_program/bcast_v1_0.aspx">release_program/bcast_v1_0.aspx</a>>.
<span class="grey">Westerlund & Perkins Informational [Page 31]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-32" ></span>
<span class="grey"><a href="./rfc7201">RFC 7201</a> Options for Securing RTP Sessions April 2014</span>
[<a id="ref-OMADRMv2">OMADRMv2</a>] Open Mobile Alliance, "OMA Digital Rights Management
V2.0", July 2008,
<<a href="http://technical.openmobilealliance.org/Technical/release_program/drm_v2_0.aspx">http://technical.openmobilealliance.org/</a>
<a href="http://technical.openmobilealliance.org/Technical/release_program/drm_v2_0.aspx">Technical/release_program/drm_v2_0.aspx</a>>.
[<a id="ref-OMASCP">OMASCP</a>] Open Mobile Alliance, "Service and Content Protection for
Mobile Broadcast Services", January 2013,
<<a href="http://technical.openmobilealliance.org/Technical/release_program/docs/BCAST/V1_0_1-20130109-A/OMA-TS-BCAST_SvcCntProtection-V1_0_1-20130109-A.pdf">http://technical.openmobilealliance.org/Technical/</a>
<a href="http://technical.openmobilealliance.org/Technical/release_program/docs/BCAST/V1_0_1-20130109-A/OMA-TS-BCAST_SvcCntProtection-V1_0_1-20130109-A.pdf">release_program/docs/BCAST/V1_0_1-20130109-A/</a>
<a href="http://technical.openmobilealliance.org/Technical/release_program/docs/BCAST/V1_0_1-20130109-A/OMA-TS-BCAST_SvcCntProtection-V1_0_1-20130109-A.pdf">OMA-TS-BCAST_SvcCntProtection-V1_0_1-20130109-A.pdf</a>>.
[<a id="ref-RFC1112">RFC1112</a>] Deering, S., "Host extensions for IP multicasting", STD
5, <a href="./rfc1112">RFC 1112</a>, August 1989.
[<a id="ref-RFC2326">RFC2326</a>] Schulzrinne, H., Rao, A., and R. Lanphier, "Real Time
Streaming Protocol (RTSP)", <a href="./rfc2326">RFC 2326</a>, April 1998.
[<a id="ref-RFC3365">RFC3365</a>] Schiller, J., "Strong Security Requirements for Internet
Engineering Task Force Standard Protocols", <a href="https://www.rfc-editor.org/bcp/bcp61">BCP 61</a>, <a href="./rfc3365">RFC</a>
<a href="./rfc3365">3365</a>, August 2002.
[<a id="ref-RFC3550">RFC3550</a>] Schulzrinne, H., Casner, S., Frederick, R., and V.
Jacobson, "RTP: A Transport Protocol for Real-Time
Applications", STD 64, <a href="./rfc3550">RFC 3550</a>, July 2003.
[<a id="ref-RFC3640">RFC3640</a>] van der Meer, J., Mackie, D., Swaminathan, V., Singer,
D., and P. Gentric, "RTP Payload Format for Transport of
MPEG-4 Elementary Streams", <a href="./rfc3640">RFC 3640</a>, November 2003.
[<a id="ref-RFC3711">RFC3711</a>] Baugher, M., McGrew, D., Naslund, M., Carrara, E., and K.
Norrman, "The Secure Real-time Transport Protocol
(SRTP)", <a href="./rfc3711">RFC 3711</a>, March 2004.
[<a id="ref-RFC3830">RFC3830</a>] Arkko, J., Carrara, E., Lindholm, F., Naslund, M., and K.
Norrman, "MIKEY: Multimedia Internet KEYing", <a href="./rfc3830">RFC 3830</a>,
August 2004.
[<a id="ref-RFC4107">RFC4107</a>] Bellovin, S. and R. Housley, "Guidelines for
Cryptographic Key Management", <a href="https://www.rfc-editor.org/bcp/bcp107">BCP 107</a>, <a href="./rfc4107">RFC 4107</a>, June
2005.
[<a id="ref-RFC4301">RFC4301</a>] Kent, S. and K. Seo, "Security Architecture for the
Internet Protocol", <a href="./rfc4301">RFC 4301</a>, December 2005.
[<a id="ref-RFC4383">RFC4383</a>] Baugher, M. and E. Carrara, "The Use of Timed Efficient
Stream Loss-Tolerant Authentication (TESLA) in the Secure
Real-time Transport Protocol (SRTP)", <a href="./rfc4383">RFC 4383</a>, February
2006.
<span class="grey">Westerlund & Perkins Informational [Page 32]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-33" ></span>
<span class="grey"><a href="./rfc7201">RFC 7201</a> Options for Securing RTP Sessions April 2014</span>
[<a id="ref-RFC4474">RFC4474</a>] Peterson, J. and C. Jennings, "Enhancements for
Authenticated Identity Management in the Session
Initiation Protocol (SIP)", <a href="./rfc4474">RFC 4474</a>, August 2006.
[<a id="ref-RFC4566">RFC4566</a>] Handley, M., Jacobson, V., and C. Perkins, "SDP: Session
Description Protocol", <a href="./rfc4566">RFC 4566</a>, July 2006.
[<a id="ref-RFC4567">RFC4567</a>] Arkko, J., Lindholm, F., Naslund, M., Norrman, K., and E.
Carrara, "Key Management Extensions for Session
Description Protocol (SDP) and Real Time Streaming
Protocol (RTSP)", <a href="./rfc4567">RFC 4567</a>, July 2006.
[<a id="ref-RFC4568">RFC4568</a>] Andreasen, F., Baugher, M., and D. Wing, "Session
Description Protocol (SDP) Security Descriptions for
Media Streams", <a href="./rfc4568">RFC 4568</a>, July 2006.
[<a id="ref-RFC4571">RFC4571</a>] Lazzaro, J., "Framing Real-time Transport Protocol (RTP)
and RTP Control Protocol (RTCP) Packets over Connection-
Oriented Transport", <a href="./rfc4571">RFC 4571</a>, July 2006.
[<a id="ref-RFC4572">RFC4572</a>] Lennox, J., "Connection-Oriented Media Transport over the
Transport Layer Security (TLS) Protocol in the Session
Description Protocol (SDP)", <a href="./rfc4572">RFC 4572</a>, July 2006.
[<a id="ref-RFC4607">RFC4607</a>] Holbrook, H. and B. Cain, "Source-Specific Multicast for
IP", <a href="./rfc4607">RFC 4607</a>, August 2006.
[<a id="ref-RFC4650">RFC4650</a>] Euchner, M., "HMAC-Authenticated Diffie-Hellman for
Multimedia Internet KEYing (MIKEY)", <a href="./rfc4650">RFC 4650</a>, September
2006.
[<a id="ref-RFC4738">RFC4738</a>] Ignjatic, D., Dondeti, L., Audet, F., and P. Lin, "MIKEY-
RSA-R: An Additional Mode of Key Distribution in
Multimedia Internet KEYing (MIKEY)", <a href="./rfc4738">RFC 4738</a>, November
2006.
[<a id="ref-RFC4771">RFC4771</a>] Lehtovirta, V., Naslund, M., and K. Norrman, "Integrity
Transform Carrying Roll-Over Counter for the Secure Real-
time Transport Protocol (SRTP)", <a href="./rfc4771">RFC 4771</a>, January 2007.
[<a id="ref-RFC4949">RFC4949</a>] Shirey, R., "Internet Security Glossary, Version 2", <a href="./rfc4949">RFC</a>
<a href="./rfc4949">4949</a>, August 2007.
[<a id="ref-RFC5117">RFC5117</a>] Westerlund, M. and S. Wenger, "RTP Topologies", <a href="./rfc5117">RFC 5117</a>,
January 2008.
<span class="grey">Westerlund & Perkins Informational [Page 33]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-34" ></span>
<span class="grey"><a href="./rfc7201">RFC 7201</a> Options for Securing RTP Sessions April 2014</span>
[<a id="ref-RFC5197">RFC5197</a>] Fries, S. and D. Ignjatic, "On the Applicability of
Various Multimedia Internet KEYing (MIKEY) Modes and
Extensions", <a href="./rfc5197">RFC 5197</a>, June 2008.
[<a id="ref-RFC5245">RFC5245</a>] Rosenberg, J., "Interactive Connectivity Establishment
(ICE): A Protocol for Network Address Translator (NAT)
Traversal for Offer/Answer Protocols", <a href="./rfc5245">RFC 5245</a>, April
2010.
[<a id="ref-RFC5246">RFC5246</a>] Dierks, T. and E. Rescorla, "The Transport Layer Security
(TLS) Protocol Version 1.2", <a href="./rfc5246">RFC 5246</a>, August 2008.
[<a id="ref-RFC5479">RFC5479</a>] Wing, D., Fries, S., Tschofenig, H., and F. Audet,
"Requirements and Analysis of Media Security Management
Protocols", <a href="./rfc5479">RFC 5479</a>, April 2009.
[<a id="ref-RFC5669">RFC5669</a>] Yoon, S., Kim, J., Park, H., Jeong, H., and Y. Won, "The
SEED Cipher Algorithm and Its Use with the Secure Real-
Time Transport Protocol (SRTP)", <a href="./rfc5669">RFC 5669</a>, August 2010.
[<a id="ref-RFC5760">RFC5760</a>] Ott, J., Chesterfield, J., and E. Schooler, "RTP Control
Protocol (RTCP) Extensions for Single-Source Multicast
Sessions with Unicast Feedback", <a href="./rfc5760">RFC 5760</a>, February 2010.
[<a id="ref-RFC5763">RFC5763</a>] Fischl, J., Tschofenig, H., and E. Rescorla, "Framework
for Establishing a Secure Real-time Transport Protocol
(SRTP) Security Context Using Datagram Transport Layer
Security (DTLS)", <a href="./rfc5763">RFC 5763</a>, May 2010.
[<a id="ref-RFC5764">RFC5764</a>] McGrew, D. and E. Rescorla, "Datagram Transport Layer
Security (DTLS) Extension to Establish Keys for the
Secure Real-time Transport Protocol (SRTP)", <a href="./rfc5764">RFC 5764</a>,
May 2010.
[<a id="ref-RFC5766">RFC5766</a>] Mahy, R., Matthews, P., and J. Rosenberg, "Traversal
Using Relays around NAT (TURN): Relay Extensions to
Session Traversal Utilities for NAT (STUN)", <a href="./rfc5766">RFC 5766</a>,
April 2010.
[<a id="ref-RFC6043">RFC6043</a>] Mattsson, J. and T. Tian, "MIKEY-TICKET: Ticket-Based
Modes of Key Distribution in Multimedia Internet KEYing
(MIKEY)", <a href="./rfc6043">RFC 6043</a>, March 2011.
[<a id="ref-RFC6188">RFC6188</a>] McGrew, D., "The Use of AES-192 and AES-256 in Secure
RTP", <a href="./rfc6188">RFC 6188</a>, March 2011.
<span class="grey">Westerlund & Perkins Informational [Page 34]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-35" ></span>
<span class="grey"><a href="./rfc7201">RFC 7201</a> Options for Securing RTP Sessions April 2014</span>
[<a id="ref-RFC6189">RFC6189</a>] Zimmermann, P., Johnston, A., and J. Callas, "ZRTP: Media
Path Key Agreement for Unicast Secure RTP", <a href="./rfc6189">RFC 6189</a>,
April 2011.
[<a id="ref-RFC6267">RFC6267</a>] Cakulev, V. and G. Sundaram, "MIKEY-IBAKE: Identity-Based
Authenticated Key Exchange (IBAKE) Mode of Key
Distribution in Multimedia Internet KEYing (MIKEY)", <a href="./rfc6267">RFC</a>
<a href="./rfc6267">6267</a>, June 2011.
[<a id="ref-RFC6347">RFC6347</a>] Rescorla, E. and N. Modadugu, "Datagram Transport Layer
Security Version 1.2", <a href="./rfc6347">RFC 6347</a>, January 2012.
[<a id="ref-RFC6509">RFC6509</a>] Groves, M., "MIKEY-SAKKE: Sakai-Kasahara Key Encryption
in Multimedia Internet KEYing (MIKEY)", <a href="./rfc6509">RFC 6509</a>,
February 2012.
[<a id="ref-RFC6562">RFC6562</a>] Perkins, C. and JM. Valin, "Guidelines for the Use of
Variable Bit Rate Audio with Secure RTP", <a href="./rfc6562">RFC 6562</a>, March
2012.
[<a id="ref-RFC6904">RFC6904</a>] Lennox, J., "Encryption of Header Extensions in the
Secure Real-time Transport Protocol (SRTP)", <a href="./rfc6904">RFC 6904</a>,
April 2013.
[<a id="ref-RFC7022">RFC7022</a>] Begen, A., Perkins, C., Wing, D., and E. Rescorla,
"Guidelines for Choosing RTP Control Protocol (RTCP)
Canonical Names (CNAMEs)", <a href="./rfc7022">RFC 7022</a>, September 2013.
[<a id="ref-RFC7202">RFC7202</a>] Perkins, C. and M. Westerlund, "Securing the RTP Protocol
Framework: Why RTP Does Not Mandate a Single Media
Security Solution", <a href="./rfc7202">RFC 7202</a>, April 2014.
[<a id="ref-RTSP">RTSP</a>] Schulzrinne, H., Rao, A., Lanphier, R., Westerlund, M.,
and M. Stiemerling, "Real Time Streaming Protocol 2.0
(RTSP)", Work in Progress, February 2014.
[<a id="ref-T3GPP.26.234R11">T3GPP.26.234R11</a>]
3GPP, "Technical Specification Group Services and System
Aspects; Transparent end-to-end Packet-switched Streaming
Service (PSS); Protocols and codecs", 3GPP TS 26.234
11.1.0, September 2012,
<<a href="http://www.3gpp.org/DynaReport/26234.htm">http://www.3gpp.org/DynaReport/26234.htm</a>>.
<span class="grey">Westerlund & Perkins Informational [Page 35]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-36" ></span>
<span class="grey"><a href="./rfc7201">RFC 7201</a> Options for Securing RTP Sessions April 2014</span>
[<a id="ref-T3GPP.26.234R8">T3GPP.26.234R8</a>]
3GPP, "Technical Specification Group Services and System
Aspects; Transparent end-to-end Packet-switched Streaming
Service (PSS); Protocols and codecs", 3GPP TS 26.234
8.4.0, September 2009,
<<a href="http://www.3gpp.org/DynaReport/26234.htm">http://www.3gpp.org/DynaReport/26234.htm</a>>.
[<a id="ref-T3GPP.26.346">T3GPP.26.346</a>]
3GPP, "Multimedia Broadcast/Multicast Service (MBMS);
Protocols and codecs", 3GPP TS 26.346 10.7.0, March 2013,
<<a href="http://www.3gpp.org/DynaReport/26346.htm">http://www.3gpp.org/DynaReport/26346.htm</a>>.
[<a id="ref-T3GPP.33.246">T3GPP.33.246</a>]
3GPP, "3G Security; Security of Multimedia Broadcast/
Multicast Service (MBMS)", 3GPP TS 33.246 11.1.0,
December 2012,
<<a href="http://www.3gpp.org/DynaReport/33246.htm">http://www.3gpp.org/DynaReport/33246.htm</a>>.
[<a id="ref-T3GPP.33.328">T3GPP.33.328</a>]
3GPP, "IP Multimedia Subsystem (IMS) media plane
security", 3GPP TS 33.328 12.1.0, December 2012,
<<a href="http://www.3gpp.org/DynaReport/33328.htm">http://www.3gpp.org/DynaReport/33328.htm</a>>.
[<a id="ref-WebRTC-SEC">WebRTC-SEC</a>]
Rescorla, E., <a style="text-decoration: none" href='https://www.google.com/search?sitesearch=datatracker.ietf.org%2Fdoc%2Fhtml%2F&q=inurl:draft-+%22WebRTC+Security+Architecture%22'>"WebRTC Security Architecture"</a>, Work in
Progress, February 2014.
[<a id="ref-WebRTC">WebRTC</a>] Alvestrand, H., "Overview: Real Time Protocols for
Browser-based Applications", Work in Progress, February
2014.
<span class="grey">Westerlund & Perkins Informational [Page 36]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-37" ></span>
<span class="grey"><a href="./rfc7201">RFC 7201</a> Options for Securing RTP Sessions April 2014</span>
Authors' Addresses
Magnus Westerlund
Ericsson
Farogatan 6
SE-164 80 Kista
Sweden
Phone: +46 10 714 82 87
EMail: magnus.westerlund@ericsson.com
Colin Perkins
University of Glasgow
School of Computing Science
Glasgow G12 8QQ
United Kingdom
EMail: csp@csperkins.org
URI: <a href="http://csperkins.org/">http://csperkins.org/</a>
Westerlund & Perkins Informational [Page 37]
</pre>
|
