Security mechanism of webrtc transmission: SRTP protocol

Time:2021-7-9

Introduction: SRTP (Secure Real-time Transport Protocol)

After DTLS negotiation, both sides of the RTC communication have completed the negotiation of the MasterKey and MasterSalt. Next, we continue by analyzing how WebRTC uses the exchanged key to encrypt RTP and RTCP so that data is transmitted securely. This article also answers questions that come up when using libsrtp. For example: what is the ROC, and why is it 32 bits? Why are error_code=9 and error_code=10 returned? Does the exchanged key have a life cycle, and if so, how long is it? We suggest reading the DTLS negotiation chapter before this article; the two work better in combination.

The author enters the school

Proofread Taiyi

Problems to be solved

The RTP/RTCP protocol does not provide any protection for its payload data. If an attacker captures the audio and video data with a packet capture tool such as Wireshark, the audio and video stream can be played back directly in that tool, which is a very terrible thing.

To prevent this, WebRTC does not use the RTP/RTCP protocol directly but uses the SRTP/SRTCP protocol, that is, the secure RTP/RTCP protocol. WebRTC uses the well-known libsrtp library to convert the original RTP/RTCP protocol data into SRTP/SRTCP protocol data.

Problems SRTP has to solve:

· Encrypt the RTP/RTCP payload to ensure the security of the data;

· Guarantee the integrity of RTP/RTCP packets and, at the same time, prevent replay attacks.

SRTP / SRTCP structure

SRTP structure

[Figure: SRTP structure diagram]

It can be seen from the SRTP structure diagram that:

1. The encrypted part, Encrypted Portion, consists of the payload, RTP padding and RTP pad count. That is, usually only the RTP payload data is encrypted.

2. The part to be authenticated, Authenticated Portion, consists of the RTP Header, RTP Header extension and Encrypted Portion.

Generally, only the RTP payload data needs to be encrypted. If the RTP header extension needs to be encrypted, RFC6904 gives a detailed scheme, which is implemented in libsrtp.

SRTCP structure

[Figure: SRTCP structure diagram]

As can be seen from the SRTCP structure diagram:

1. The encrypted part, Encrypted Portion, is everything after the RTCP Header; the same holds for Compound RTCP.

2. The E-flag explicitly indicates whether the RTCP packet is encrypted. (PS: how can you tell whether an RTP packet is encrypted?)

3. The SRTCP index explicitly gives the sequence number of the RTCP packet, to prevent replay attacks. (PS: can the 16-bit sequence number of an RTP packet prevent replay attacks?)

4. The part to be authenticated, Authenticated Portion, consists of the RTCP Header and Encrypted Portion.

Now that we have a first understanding of the SRTP and SRTCP structures, we next introduce how the Encrypted Portion and Authenticated Portion are obtained.

Key management

In the SRTP/SRTCP protocol, a two-tuple is used to identify a communication participant's SRTP/SRTCP session, called an SRTP/SRTCP Session.

In the SRTP protocol, a triple is used to identify a stream, and an SRTP/SRTCP Session is composed of multiple streams. The description of each stream's encryption and decryption parameters is called its Cryptographic Context.

Each stream's Cryptographic Context contains the following parameters:

· SSRC: the SSRC used by the stream.

· Cipher parameters: the key, salt and algorithm description (type, parameters, etc.) used for encryption and decryption.

· Authentication parameters: the key, salt and algorithm description (type, parameters, etc.) used for integrity.

· Anti-replay data: cached information used to prevent replay attacks, such as the ROC, the maximum sequence number, etc.

In an SRTP/SRTCP Session, each stream uses its own encryption/decryption key and authentication key. These keys are used within one session and are called Session Keys. The Session Keys are derived from the Master Key using a KDF (key derivation function).

The KDF is the function used to derive the Session Keys; by default the KDF uses the encryption function. For example, after DTLS completes, the negotiated SRTP encryption profile is as follows:

SRTP_AES128_CM_HMAC_SHA1_80
         cipher: AES_128_CM
         cipher_key_length: 128
         cipher_salt_length: 112
         maximum_lifetime: 2^31
         auth_function: HMAC-SHA1
         auth_key_length: 160
         auth_tag_length: 80

The corresponding KDF is AES128_CM. The Session Key derivation process is as follows:

[Figure: Session Key derivation process]

Session Key derivation depends on the following parameters:

· key_label: depending on the type of key being derived, key_label takes the following values:

[Figure: key_label values]

· master_key: the key obtained through negotiation after DTLS completes.

· master_salt: the salt obtained through negotiation after DTLS completes.

· packet_index: the packet sequence number of RTP/RTCP. SRTP uses a 48-bit implicit packet sequence number; SRTCP uses a 31-bit packet sequence number. See Serial number management.

· key_derivation_rate: the key derivation rate, denoted KDR. The default value is 0, in which case key derivation is performed once. Value range: {1,2,4,...,2^24}. When key_derivation_rate > 0, one key derivation is performed before encryption, and subsequently key derivation is performed when packet_index/key_derivation_rate > 0.

r = packet_index / kdr
key_id = label || r
x = key_id XOR master_salt
key = KDF(master_key, x)

'/': denotes integer division. When B = 0, C = A / B = 0.
||: denotes concatenation. A, B and C are in network byte order; if C = A || B, then the high-order bytes of C are A and the low-order bytes are B.
XOR: the exclusive-or operation, with the operands aligned on their low-order bytes.

Below, taking AES128_CM as an example, we walk through the derivation of the Session Keys. Assume that the DTLS negotiation yielded:

master_key:  E1F97A0D3E018BE0D64FA32C06DE4139   // 128-bits
master_salt: 0EC675AD498AFEEBB6960B3AABE6           // 112-bits

Derive the cipher key:

packet_index/kdr:              000000000000
label:                       00
master_salt:   0EC675AD498AFEEBB6960B3AABE6
-----------------------------------------------
xor:           0EC675AD498AFEEBB6960B3AABE6     (x, KDF input)
x*2^16:        0EC675AD498AFEEBB6960B3AABE60000 (AES-CM input)
cipher key:    C61E7A93744F39EE10734AFE3FF7A087 (AES-CM output)

Derive the salt key (cipher salt):

packet_index/kdr:              000000000000
label:                       02
master_salt:   0EC675AD498AFEEBB6960B3AABE6
----------------------------------------------
xor:           0EC675AD498AFEE9B6960B3AABE6     (x, KDF input)
x*2^16:        0EC675AD498AFEE9B6960B3AABE60000 (AES-CM input)
               30CBBC08863D8C85D49DB34A9AE17AC6 (AES-CM output)
cipher salt:   30CBBC08863D8C85D49DB34A9AE1

Derive the auth key; here the auth key needs to be 94 bytes long:

packet_index/kdr:                000000000000
label:                         01
master salt:     0EC675AD498AFEEBB6960B3AABE6
-----------------------------------------------
xor:             0EC675AD498AFEEAB6960B3AABE6     (x, KDF input)
x*2^16:          0EC675AD498AFEEAB6960B3AABE60000 (AES-CM input)
auth key                           AES input blocks
CEBE321F6FF7716B6FD4AB49AF256A15   0EC675AD498AFEEAB6960B3AABE60000
6D38BAA48F0A0ACF3C34E2359E6CDBCE   0EC675AD498AFEEAB6960B3AABE60001
E049646C43D9327AD175578EF7227098   0EC675AD498AFEEAB6960B3AABE60002
6371C10C9A369AC2F94A8C5FBCDDDC25   0EC675AD498AFEEAB6960B3AABE60003
6D6E919A48B610EF17C2041E47403576   0EC675AD498AFEEAB6960B3AABE60004
6B68642C59BBFC2F34DB60DBDFB2       0EC675AD498AFEEAB6960B3AABE60005

For an introduction to AES-CM, refer to AES-CM.

So far, we have obtained the Session Keys required for SRTP/SRTCP encryption and authentication: cipher key, auth key and salt key.
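The derivation above can be reproduced in a few lines of Go. This is an added example, not code from the original article or from libsrtp; the function and constant names are chosen here, and the label values are the ones the worked example uses (00, 01, 02).

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/hex"
	"fmt"
)

// key_label values used in the worked example (SRTP keys, RFC 3711).
const (
	labelCipherKey = 0x00
	labelAuthKey   = 0x01
	labelSalt      = 0x02
)

// Master key and salt from the worked example on this page.
const (
	masterKeyHex  = "E1F97A0D3E018BE0D64FA32C06DE4139"
	masterSaltHex = "0EC675AD498AFEEBB6960B3AABE6"
)

// deriveKey computes key = KDF(master_key, x) with AES-CM as the KDF.
// x = (label || r) XOR master_salt with r = packet_index / kdr (0 if kdr == 0);
// the AES-CM counter starts at x * 2^16 and n keystream bytes are returned.
func deriveKey(masterKey, masterSalt []byte, label byte, index, kdr uint64, n int) ([]byte, error) {
	if len(masterSalt) != 14 {
		return nil, fmt.Errorf("master salt must be 112 bits, got %d bytes", len(masterSalt))
	}
	var r uint64
	if kdr != 0 {
		r = index / kdr
	}
	iv := make([]byte, 16) // last two bytes stay zero: x * 2^16
	copy(iv, masterSalt)
	// key_id = label || r is 7 bytes, aligned with the low bytes of the salt.
	iv[7] ^= label
	for i := 0; i < 6; i++ {
		iv[13-i] ^= byte(r >> (8 * i))
	}
	block, err := aes.NewCipher(masterKey)
	if err != nil {
		return nil, err
	}
	out := make([]byte, n)
	cipher.NewCTR(block, iv).XORKeyStream(out, out) // XOR with zeros = raw keystream
	return out, nil
}

// deriveHex derives n bytes for a label at packet_index 0, kdr 0, as upper-case hex.
func deriveHex(label byte, n int) string {
	mk, _ := hex.DecodeString(masterKeyHex)
	ms, _ := hex.DecodeString(masterSaltHex)
	key, err := deriveKey(mk, ms, label, 0, 0, n)
	if err != nil {
		panic(err)
	}
	return fmt.Sprintf("%X", key)
}

func main() {
	fmt.Println("cipher key: ", deriveHex(labelCipherKey, 16))
	fmt.Println("cipher salt:", deriveHex(labelSalt, 14))
	fmt.Println("auth key:   ", deriveHex(labelAuthKey, 94))
}
```

The three printed values match the cipher key, cipher salt and auth key blocks listed above.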

Serial number management

SRTP serial number management

The RTP packet structure uses 16 bits to describe the sequence number. To support anti-replay protection, message integrity checking, data encryption and session key derivation, the SRTP protocol implicitly maintains the sequence number of an SRTP packet as packet_index, denoted i.

For the sender, i is calculated as follows:

i = 2^16 * ROC + SEQ

Here SEQ is the 16-bit sequence number carried in the RTP packet. The ROC (rollover counter) counts how many times the RTP sequence number (SEQ) has wrapped around, that is, the ROC is incremented by 1 whenever SEQ wraps (SEQ mod 2^16 = 0). The initial value of the ROC is 0.

For the receiver, because of packet loss and reordering, in addition to maintaining the ROC it also maintains s_l, the highest sequence number received so far. When a new packet arrives, the receiver has to estimate the actual SRTP packet index corresponding to the current packet. The initial value of the ROC is 0, and the initial value of s_l is the SEQ of the first SRTP packet received. Subsequently, the index i of a received SRTP packet is estimated by the following formula:

i = 2^16 * v + SEQ

Here v takes one of the values { ROC-1, ROC, ROC+1 }, where ROC is the ROC maintained locally at the receiver and SEQ is the sequence number of the received SRTP packet. Compute i for v = ROC-1, ROC and ROC+1 and compare each result with 2^16*ROC + s_l; v takes the value whose i is closest. After SRTP decryption and integrity verification, the ROC and s_l are updated. There are three cases:

1. v = ROC - 1: ROC and s_l are not updated.

2. v = ROC: if SEQ > s_l, update s_l = SEQ.

3. v = ROC + 1: ROC = v = ROC + 1, s_l = SEQ.

A more intuitive description in code:

if (s_l < 32768)
    if (SEQ - s_l > 32768)
        set v to (ROC-1) mod 2^32
    else
        set v to ROC
    endif
else
    if (s_l - 32768 > SEQ)
        set v to (ROC+1) mod 2^32
    else
        set v to ROC
    endif
endif
return SEQ + v*65536
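
The estimation and the three update rules, written out as an added Go example (not code from the original article or from libsrtp; the type and function names are made up here). The arrival order in main is constructed to cross a rollover with one late packet.

```go
package main

import "fmt"

// receiver is the per-stream state from the text: the 32-bit ROC and s_l,
// the highest sequence number accepted so far.
type receiver struct {
	roc     uint32
	sL      uint16
	started bool
}

// estimate returns v and i = 2^16 * v + SEQ for a received sequence number,
// following the pseudocode above. It does not change any state.
func (r *receiver) estimate(seq uint16) (v uint32, index uint64) {
	v = r.roc
	if r.sL < 32768 {
		if int(seq)-int(r.sL) > 32768 {
			v = r.roc - 1 // wraps mod 2^32
		}
	} else if int(r.sL)-32768 > int(seq) {
		v = r.roc + 1
	}
	return v, uint64(v)<<16 | uint64(seq)
}

// commit applies the three update rules. Call it only after the packet has
// passed integrity verification, so a forged SEQ cannot move the ROC.
func (r *receiver) commit(v uint32, seq uint16) {
	switch {
	case v == r.roc+1:
		r.roc, r.sL = v, seq
	case v == r.roc && seq > r.sL:
		r.sL = seq
	} // v == ROC-1: late packet from before the rollover, nothing changes
}

// indices feeds sequence numbers through estimate and commit, treating every
// packet as authentic, and returns the packet index assigned to each.
func indices(seqs []uint16) ([]uint64, uint32) {
	var r receiver
	out := make([]uint64, 0, len(seqs))
	for _, seq := range seqs {
		if !r.started {
			r.sL, r.started = seq, true // s_l starts at the first SEQ seen
		}
		v, i := r.estimate(seq)
		r.commit(v, seq)
		out = append(out, i)
	}
	return out, r.roc
}

func main() {
	// Constructed arrival order around a rollover; 65535 arrives late.
	idx, roc := indices([]uint16{65533, 65534, 1, 65535, 2})
	fmt.Println(idx, "final ROC:", roc)
}
```

The late packet 65535 is placed at index 65535 (v = ROC-1) even though the ROC has already advanced to 1, which is why a 16-bit SEQ alone is not enough for ordering.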

SRTCP serial number management

RTCP has no field that describes a sequence number. The sequence number of an SRTCP packet is given explicitly, using 31 bits, as shown in the SRTCP format; that is, the maximum SRTCP sequence number is 2^31.

Serial number and communication time

It can be seen that the maximum sequence number of SRTP is 2^48 and the maximum sequence number of SRTCP is 2^31. In most applications (assuming at least one RTCP packet per 128000 RTP packets), the SRTCP sequence number will reach its upper limit first. At a rate of 200 SRTCP packets per second, the 2^31 sequence number space of SRTCP is enough for about four months of communication.

Anti replay attack

The attacker saves intercepted SRTP/SRTCP packets and sends them back onto the network to replay them. SRTP receivers prevent this attack by maintaining a replay list. In theory, the replay list should store the sequence numbers of all packets that have been received and verified. In practice, the replay list uses a sliding window to prevent replay attacks. SRTP-WINDOW-SIZE describes the size of the sliding window.

SRTP anti replay attack

In the Serial number management part, we described in detail how the receiver estimates the packet_index of an SRTP packet from the received packet's SEQ, the ROC and s_l. At the same time, the highest SRTP packet index the receiver has received is recorded as local_packet_index. Calculate the difference delta:

delta =  packet_index - local_packet_index

There are three situations as follows:

1. delta > 0: a new packet has been received.

2. delta < -(SRTP-WINDOW-SIZE - 1) < 0: the sequence number of the received packet is smaller than the minimum sequence number covered by the replay window. When libsrtp receives such a packet, it returns srtp_err_status_replay_old=10, indicating that an old replayed packet has been received.

3. delta < 0 and delta >= -(SRTP-WINDOW-SIZE - 1): the received packet lies inside the replay window. If the corresponding packet is found in the replay list, it is a duplicate replayed packet, and libsrtp returns srtp_err_status_replay_fail=9. Otherwise, an out-of-order packet has been received.

The following figure shows the three regions of anti-replay protection more intuitively:

[Figure: the three regions of the anti-replay window]

The minimum value of SRTP-WINDOW-SIZE is 64. The application can set a larger value as needed, and libsrtp rounds it up to an integer multiple of 32. For example, in WebRTC SRTP-WINDOW-SIZE = 1024. Users can adjust it according to their needs, as long as replay attacks are still prevented.
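
The three regions can be checked with a small bitmap window. This is an added Go example, not libsrtp's implementation: the names are chosen here, the window is fixed at the minimum size of 64, and treating delta = 0 as a duplicate is an assumption the list above does not spell out.

```go
package main

import "fmt"

// Status codes as libsrtp reports them, per the text above.
const (
	statusOK         = 0
	statusReplayFail = 9  // srtp_err_status_replay_fail
	statusReplayOld  = 10 // srtp_err_status_replay_old
)

const windowSize = 64 // minimum SRTP-WINDOW-SIZE; fits in one uint64 bitmap

// replayWindow keeps local_packet_index (top) and a bitmap in which bit k
// is set when index top-k has been accepted.
type replayWindow struct {
	top    uint64
	bitmap uint64
	seen   bool
}

// check classifies packet_index without changing state.
func (w *replayWindow) check(index uint64) int {
	if !w.seen || index > w.top {
		return statusOK // delta > 0: new packet
	}
	back := w.top - index // equals -delta; 0 means the newest packet again
	if back > windowSize-1 {
		return statusReplayOld // left of the window
	}
	if w.bitmap&(1<<back) != 0 {
		return statusReplayFail // already in the replay list
	}
	return statusOK // inside the window and not seen: out of order
}

// accept records packet_index. Call it only after the packet authenticated.
func (w *replayWindow) accept(index uint64) {
	switch {
	case !w.seen:
		w.top, w.bitmap, w.seen = index, 1, true
	case index > w.top:
		w.bitmap = w.bitmap<<(index-w.top) | 1 // shifts >= 64 clear the bitmap
		w.top = index
	default:
		w.bitmap |= 1 << (w.top - index)
	}
}

// classify runs check on each index and accepts those that pass, treating
// every packet as authentic.
func classify(indices []uint64) []int {
	var w replayWindow
	out := make([]int, 0, len(indices))
	for _, i := range indices {
		s := w.check(i)
		if s == statusOK {
			w.accept(i)
		}
		out = append(out, s)
	}
	return out
}

func main() {
	// Constructed packet indices: reordering, a duplicate, a jump, an old packet.
	fmt.Println(classify([]uint64{100, 101, 103, 102, 103, 200, 136, 137, 137}))
}
```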

SRTCP anti replay attack

In SRTCP, the packet index is given explicitly. In libsrtp, the SRTCP anti-replay window size is 128. window_start records the starting sequence number of the anti-replay window. The SRTCP anti-replay check proceeds as follows:

1. index > window_start + 128: a new SRTCP packet has been received.

2. index < window_start: the sequence number of the received packet is to the left of the replay window, so it can be considered an older packet. When libsrtp receives such a packet, it returns srtp_err_status_replay_old=10.

3. replay_list_index = index - window_start: if the flag bit at replay_list_index in the replay list is 1, the packet has already been received and libsrtp returns srtp_err_status_replay_fail=9. If the flag bit is 0, an out-of-order packet has been received.

Encryption and verification algorithm

SRTP uses the AES encryption algorithm in CTR (counter) mode. CTR mode generates a continuous key stream by encrypting an incrementing counter. The counter can be any function that is guaranteed not to repeat its output for a long time. Depending on the counting method, there are the following two types:

AES-ICM: ICM mode (integer counter mode) counts using integer arithmetic.

AES-GCM: GCM mode (Galois counter mode); the counting operation is defined over a Galois field.

In SRTP, AES-ICM performs the encryption and HMAC-SHA1 performs the MAC calculation for data integrity checking, so encryption and MAC calculation are completed in two steps. AES-GCM is based on the idea of AEAD (authenticated encryption with associated data): it encrypts the data and computes the MAC at the same time, so encryption and authentication are completed in one step. The use of AES-ICM and AES-GCM is described below.

AES-ICM

[Figure: AES-ICM encryption and decryption]

The figure above depicts AES-ICM encryption and decryption; the K in the figure is the Session Key derived through the KDF. Both encryption and decryption are based on encrypting the counter: XORing the result with plaintext P gives ciphertext C, and conversely XORing it with ciphertext C gives plaintext P. For security, counter generation depends on the Session Salt, the packet index and the SSRC of the packet. The counter is a 128-bit value, generated as defined below:

one byte
<-->
0  1  2  3  4  5  6  7  8  9  10 11 12 13 14 15
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
|00|00|00|00|   SSRC    |   packet index  | b_c |---+
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+   |
                                                    |
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+   v
|                  salt (k_s)             |00|00|->(+)
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+   |
                                                    |
                                                    v
                                            +-------------+
                    encryption key (k_e) -> | AES encrypt |
                                            +-------------+
                                                    |
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+   |
|                keystream block                |<--+
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+

HMAC-SHA1

A hash-based message authentication code (HMAC) is a kind of message authentication code (MAC) produced by a specific construction that uses a cryptographic hash function together with a secret key. It can be used to ensure the integrity of data and to verify the origin of a message. HMAC follows a standard algorithm that mixes the key into the hash computation. HMAC is computed as follows:

HMAC(K,M) = H ( (K XOR opad ) + H( (K XOR ipad ) + M ) )

· H: hash algorithm, such as MD5, SHA-1, SHA-256.

· B: the block length in bytes. A block is the basic unit of the hash operation. Here B = 64.

· L: the byte length of the hash output (L=16 for MD5, L=20 for SHA-1).

· K: shared key. The length of K can be arbitrary, but for security reasons it is recommended that the length of K > B.

When the length of K is greater than B, the hash algorithm will be executed on K first, and the L length result will be used as the new shared key. If the length of K

· M: content to be certified.

· opad: the outer padding constant, which is 0x5C repeated B times.

· ipad: the inner padding constant, which is 0x36 repeated B times.

· XOR: XOR operation.

· +: stands for “join” operation.

The calculation steps are as follows:

1. Pad K with 0x00 until its length equals B.

2. XOR the result of step 1 with ipad.

3. Append the message M to be authenticated to the result of step 2.

4. Apply H to the result of step 3.

5. XOR the result of step 1 with opad.

6. Append the result of step 4 to the result of step 5.

7. Apply H to the result of step 6.

When SRTP and SRTCP compute the Authentication tag, the K used corresponds to the RTP auth key and RTCP auth key from the key management part, the hash algorithm used is SHA-1, and the Authentication tag is 80 bits long.

When computing the tag for SRTP, the content M to be authenticated is:

M = Authenticated Portion + ROC

Here + denotes concatenation, and the Authenticated Portion is given in the SRTP structure diagram.

When computing the tag for SRTCP, the content M to be authenticated is:

M=Authenticated Portion

Here the Authenticated Portion is given in the SRTCP structure diagram.

The algorithm above is applied to the Authenticated Portion, which includes the SRTP/SRTCP Encrypted Portion.
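
Putting the AES-ICM and HMAC-SHA1 passages together, the following added Go example (not from the original article or libsrtp) protects and unprotects one RTP packet. It assumes a fixed 12-byte RTP header, reuses the session keys derived earlier on this page (the first 160 bits of the auth key), and uses a constructed packet (V=2, PT=96, SEQ=0x1234, SSRC=0xCAFEBABE); all function names are chosen here.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"encoding/hex"
	"fmt"
)

const hdrLen, tagLen = 12, 10 // assumed fixed RTP header (no CSRC/extension); 80-bit tag

// Session keys from the derivation example on this page (auth key: first 160 bits).
var cipherKey, _ = hex.DecodeString("C61E7A93744F39EE10734AFE3FF7A087")
var cipherSalt, _ = hex.DecodeString("30CBBC08863D8C85D49DB34A9AE1")
var authKey, _ = hex.DecodeString("CEBE321F6FF7716B6FD4AB49AF256A156D38BAA4")

// counterBlock follows the diagram: SSRC in bytes 4..7, index in 8..13, b_c = 0, XOR salt.
func counterBlock(ssrc uint32, index uint64) []byte {
	x := make([]byte, 16)
	binary.BigEndian.PutUint32(x[4:8], ssrc)
	binary.BigEndian.PutUint64(x[8:16], index<<16)
	for i, b := range cipherSalt {
		x[i] ^= b
	}
	return x
}

// crypt XORs the payload with the keystream (same call both ways); returns header||result.
func crypt(hdr, payload []byte, roc uint32) []byte {
	seq, ssrc := binary.BigEndian.Uint16(hdr[2:4]), binary.BigEndian.Uint32(hdr[8:12])
	block, _ := aes.NewCipher(cipherKey) // cannot fail: the key is 16 bytes
	out := make([]byte, len(payload))
	cipher.NewCTR(block, counterBlock(ssrc, uint64(roc)<<16|uint64(seq))).XORKeyStream(out, payload)
	return append(append([]byte{}, hdr...), out...)
}

// authTag is HMAC-SHA1 over M = Authenticated Portion || ROC, cut to 80 bits.
func authTag(authPortion []byte, roc uint32) []byte {
	mac := hmac.New(sha1.New, authKey)
	mac.Write(authPortion)
	binary.Write(mac, binary.BigEndian, roc)
	return mac.Sum(nil)[:tagLen]
}

// protect turns header||payload into header||encrypted payload||tag.
func protect(rtp []byte, roc uint32) []byte {
	body := crypt(rtp[:hdrLen], rtp[hdrLen:], roc)
	return append(body, authTag(body, roc)...)
}

// unprotect verifies the tag in constant time and only then decrypts.
func unprotect(srtp []byte, roc uint32) ([]byte, error) {
	if len(srtp) < hdrLen+tagLen {
		return nil, fmt.Errorf("packet too short: %d bytes", len(srtp))
	}
	body, tag := srtp[:len(srtp)-tagLen], srtp[len(srtp)-tagLen:]
	if !hmac.Equal(tag, authTag(body, roc)) {
		return nil, fmt.Errorf("authentication failed")
	}
	return crypt(body[:hdrLen], body[hdrLen:], roc), nil
}

func main() {
	rtp := append([]byte{0x80, 0x60, 0x12, 0x34, 0, 0, 0, 0, 0xCA, 0xFE, 0xBA, 0xBE}, "hello"...) // constructed
	fmt.Println(unprotect(protect(rtp, 0), 1)) // receiver guessed the wrong ROC: authentication fails
}
```

Because the ROC is part of M but never travels in the packet, a receiver whose ROC estimate is off fails authentication instead of decrypting with the wrong counter.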

AES-GCM

AES-GCM uses counter mode to encrypt data, which can be pipelined efficiently. The operations used for GCM authentication are especially well suited to efficient hardware implementation. GCM-SPEC describes the theory of GCM in detail, and its Section 4.2 Hardware describes the hardware implementation in detail.

The application of AES-GCM to SRTP encryption is described in detail in RFC7714. Key management and sequence number management are the same as described in this article. The points to pay attention to are:

  1. As an AEAD (authenticated encryption with associated data) algorithm, what the inputs and outputs of AES-GCM are and how they correspond to the SRTP/SRTCP packet structure.
  2. The Counter calculation method differs from the one described for AES-ICM and needs attention.

libsrtp already implements AES-GCM; interested readers can study it together with the code.

The use of libsrtp

libsrtp is a widely used open-source SRTP/SRTCP encryption project. The commonly used APIs are as follows:

1. srtp_init: initializes the SRTP library and its internal encryption algorithms; it must be called before using SRTP.

2. srtp_create: creates an srtp_session, which can be understood in combination with the session and session key concepts introduced in this article.

3. srtp_unprotect/srtp_protect: the RTP packet encryption and decryption interface.

4. srtp_protect_rtcp/srtp_unprotect_rtcp: the RTCP packet encryption and decryption interface.

5. srtp_set_stream_roc/srtp_get_stream_roc: set and get the ROC of a stream. These two interfaces were added in the latest version, 2.3.

The important structure srtp_policy_t is used to initialize the encryption and decryption parameters and is passed to srtp_create. The following parameters need attention:

1. The MasterKey and MasterSalt obtained from DTLS negotiation are passed to libsrtp through this structure to generate the session keys.

2. window_size: corresponds to the SRTP anti-replay window size described earlier.

3. allow_repeat_tx: whether to allow retransmission of packets with the same sequence number.

SRS is a new-generation real-time communication server that uses libsrtp. Readers interested in libsrtp can quickly set up a debugging environment on their own machine, run tests, and gain a deeper understanding of the algorithms.

Summary

This article has interpreted the principles of SRTP/SRTCP in depth and in detail and answered the questions encountered when using libsrtp, in the hope of helping readers working in real-time audio and video communication.

References

RFC3711:  SRTP

RFC6904: Encrypted SRTP Header Extensions

Integer Counter Mode

RFC-6188: The Use of AES-192 and AES-256 in Secure RTP

RFC7714:  AES-GCM for SRTP

RFC2104:  HMAC

RFC2202: Test Cases for HMAC-MD5 and HMAC-SHA-1

GCM-SPEC:  GCM

