WebRTC transmission security mechanism: the SRTP protocol

Time:2021-8-7

Introduction: SRTP, the Secure Real-time Transport Protocol

Once DTLS negotiation completes, both parties of an RTC session have negotiated the MasterKey and MasterSalt. This article continues from there and analyzes how WebRTC uses the exchanged key to encrypt RTP and RTCP for secure data transmission. It also answers questions that come up when using libsrtp: What is ROC, and why is it 32 bits? Why are error_code=9 and error_code=10 returned? Does the exchanged key have a lifetime, and if so, how long? Reading the DTLS negotiation article first is recommended; the two work better together.

Author | Jin Xue

Reviser | Taiyi

Problems to be solved

The RTP/RTCP protocol does not protect its payload. If an attacker captures the audio and video data with a packet capture tool such as Wireshark, the audio and video stream can be played back directly in the tool, which is a very serious problem.

To prevent this, WebRTC does not use RTP/RTCP directly but uses SRTP/SRTCP, the secure RTP/RTCP protocols. WebRTC uses the well-known libsrtp library to convert the original RTP/RTCP data into SRTP/SRTCP data.

SRTP solves the following problems:

・ Encrypt the RTP/RTCP payload to ensure data security;

・ Guarantee RTP/RTCP packet integrity and prevent replay attacks.

SRTP/SRTCP structure

SRTP structure

[Figure: SRTP packet structure]

The SRTP structure diagram shows:

1. The Encrypted Portion consists of the payload, RTP padding and RTP pad count. This is why we usually say that only the RTP payload is encrypted.

2. The Authenticated Portion, the part that must be integrity-checked, consists of the RTP Header, the RTP Header extension and the Encrypted Portion.

Generally, only the RTP payload needs to be encrypted. If the RTP header extension also needs to be encrypted, RFC6904 gives a detailed scheme, which libsrtp implements.

SRTCP structure

[Figure: SRTCP packet structure]

The SRTCP structure diagram shows:

1. The Encrypted Portion is everything after the RTCP Header; the same holds for Compound RTCP.

2. The E-flag explicitly indicates whether the RTCP packet is encrypted. (PS: how can one tell whether an RTP packet is encrypted?)

3. The SRTCP index explicitly carries the sequence number of the RTCP packet and is used to prevent replay attacks. (PS: can the 16-bit sequence number of an RTP packet prevent replay attacks?)

4. The Authenticated Portion, the part to be verified, consists of the RTCP Header and the Encrypted Portion.

With this preliminary understanding of the SRTP and SRTCP structures, the following sections explain how the Encrypted Portion and the Authenticated Portion are obtained.

Key management

In SRTP/SRTCP, a two-tuple is used to identify a participant's SRTP/SRTCP session, called an SRTP/SRTCP Session.

In SRTP, a triple is used to identify a stream, and an SRTP/SRTCP Session consists of multiple streams. The description of the encryption and decryption parameters of each stream is called its Cryptographic Context.

The Cryptographic Context of each stream contains the following parameters:

・ SSRC: the SSRC used by the stream.

・ cipher parameter: key, salt and algorithm description (type, parameters, etc.) used for encryption and decryption.

・ authentication parameter: key, salt and algorithm description (type, parameters, etc.) used for integrity.

・ anti-replay data: cached state used to prevent replay attacks, such as the ROC and the maximum sequence number.

Within an SRTP/SRTCP Session, each stream uses its own encryption/decryption key and authentication key. These keys are used within one session and are called Session Keys. Session Keys are derived from the Master Key using a KDF (key derivation function).

The KDF is the function used to derive Session Keys. By default the KDF uses the encryption function. For example, after DTLS completes, the negotiated SRTP protection profile is:

SRTP_AES128_CM_HMAC_SHA1_80
         cipher: AES_128_CM
         cipher_key_length: 128
         cipher_salt_length: 112
         maximum_lifetime: 2^31
         auth_function: HMAC-SHA1
         auth_key_length: 160
         auth_tag_length: 80

The corresponding KDF is AES128_CM. The Session Key derivation process is shown in the following figure:

[Figure: Session Key derivation with AES128_CM]

Session Key derivation depends on the following parameters:

・ key_label: its value depends on the type of key being derived. The values are as follows:

[Figure: key_label values]

・ master_key: the key obtained through negotiation after DTLS completes.

・ master_salt: the salt obtained through negotiation after DTLS completes.

・ packet_index: the packet sequence number of RTP/RTCP. SRTP uses a 48-bit implicit packet index and SRTCP uses a 31-bit packet sequence number. See the section on serial number management.

・ key_derivation_rate: the key derivation rate, written KDR. The default value is 0, in which case key derivation is performed once. The value range is {1, 2, 4, ..., 2^24}. When key_derivation_rate > 0, key derivation is performed once before encryption, and then again when packet_index / key_derivation_rate > 0.

r = packet_index / kdr
key_id = label || r
x = key_id XOR master_salt
key = KDF(master_key, x)

/: denotes division. When B = 0, C = A / B = 0.
||: denotes concatenation. A, B and C are in network byte order; if C = A || B, then the high-order bytes of C are A and the low-order bytes are B.
XOR: the exclusive-or operation; the operands are aligned on their low-order bytes.

Taking AES128_CM as an example, the Session Key derivation proceeds as follows. Assume DTLS negotiated:

master_key:  E1F97A0D3E018BE0D64FA32C06DE4139   // 128-bits
master_salt: 0EC675AD498AFEEBB6960B3AABE6           // 112-bits

Derive the cipher key:

packet_index/kdr:              000000000000
label:                       00
master_salt:   0EC675AD498AFEEBB6960B3AABE6
-----------------------------------------------
xor:           0EC675AD498AFEEBB6960B3AABE6     (x, KDF input)
x*2^16:        0EC675AD498AFEEBB6960B3AABE60000 (AES-CM input)
cipher key:    C61E7A93744F39EE10734AFE3FF7A087 (AES-CM output)

Derive the salt key (cipher salt):

packet_index/kdr:              000000000000
label:                       02
master_salt:   0EC675AD498AFEEBB6960B3AABE6
----------------------------------------------
xor:           0EC675AD498AFEE9B6960B3AABE6     (x, KDF input)
x*2^16:        0EC675AD498AFEE9B6960B3AABE60000 (AES-CM input)
               30CBBC08863D8C85D49DB34A9AE17AC6 (AES-CM output)
cipher salt:   30CBBC08863D8C85D49DB34A9AE1

Derive the auth key. The auth key needs to be 94 bytes long:

packet_index/kdr:                000000000000
label:                         01
master salt:     0EC675AD498AFEEBB6960B3AABE6
-----------------------------------------------
xor:             0EC675AD498AFEEAB6960B3AABE6     (x, KDF input)
x*2^16:          0EC675AD498AFEEAB6960B3AABE60000 (AES-CM input)
auth key                           AES input blocks
CEBE321F6FF7716B6FD4AB49AF256A15   0EC675AD498AFEEAB6960B3AABE60000
6D38BAA48F0A0ACF3C34E2359E6CDBCE   0EC675AD498AFEEAB6960B3AABE60001
E049646C43D9327AD175578EF7227098   0EC675AD498AFEEAB6960B3AABE60002
6371C10C9A369AC2F94A8C5FBCDDDC25   0EC675AD498AFEEAB6960B3AABE60003
6D6E919A48B610EF17C2041E47403576   0EC675AD498AFEEAB6960B3AABE60004
6B68642C59BBFC2F34DB60DBDFB2       0EC675AD498AFEEAB6960B3AABE60005

For an introduction to AES-CM, see AES-CM.

At this point we have the Session Keys required for SRTP/SRTCP encryption and authentication: cipher key, auth key and salt key.
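
The AES-CM input blocks in the three derivations above can be reproduced in C. This is an added example, not code from the original article or from libsrtp; `kdf_input_block` and `block_hex` are hypothetical names, and the AES encryption of each block is left to a crypto library.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* master_salt from the article's worked example (112 bits). */
static const uint8_t MASTER_SALT[14] = {
    0x0E, 0xC6, 0x75, 0xAD, 0x49, 0x8A, 0xFE,
    0xEB, 0xB6, 0x96, 0x0B, 0x3A, 0xAB, 0xE6
};

/*
 * Hypothetical helper (not libsrtp API): build the n-th 16-byte AES-CM
 * input block for session key derivation.
 *   r      = packet_index / kdr      (defined as 0 when kdr == 0)
 *   key_id = label || r              (1 byte + 48 bits = 7 bytes)
 *   x      = key_id XOR master_salt  (aligned on the low-order bytes)
 *   block  = x * 2^16 + n            (n = 0, 1, 2, ... block counter)
 */
void kdf_input_block(const uint8_t salt[14], uint8_t label,
                     uint64_t packet_index, uint32_t kdr,
                     uint16_t n, uint8_t out[16])
{
    uint64_t r = (kdr == 0) ? 0 : packet_index / kdr;
    uint8_t key_id[7];
    int i;

    key_id[0] = label;
    for (i = 0; i < 6; i++)           /* r as 48 bits, network byte order */
        key_id[1 + i] = (uint8_t)(r >> (8 * (5 - i)));

    memcpy(out, salt, 14);
    for (i = 0; i < 7; i++)           /* key_id lines up with salt[7..13] */
        out[7 + i] ^= key_id[i];

    out[14] = (uint8_t)(n >> 8);      /* low 16 bits hold the counter */
    out[15] = (uint8_t)(n & 0xFF);
}

/* Hex-encode a block so it can be compared with the article's tables. */
const char *block_hex(const uint8_t b[16], char hex[33])
{
    int i;
    for (i = 0; i < 16; i++)
        sprintf(hex + 2 * i, "%02X", b[i]);
    return hex;
}

int main(void)
{
    /* Labels used in the article: cipher key, auth key, salt key. */
    static const uint8_t labels[3] = { 0x00, 0x01, 0x02 };
    uint8_t block[16];
    char hex[33];
    int i;

    for (i = 0; i < 3; i++) {
        kdf_input_block(MASTER_SALT, labels[i], 0, 0, 0, block);
        printf("label %02X: %s\n", labels[i], block_hex(block, hex));
    }
    return 0;
}
```

Encrypting successive blocks (n = 0, 1, 2, ...) with AES under the master key and concatenating the outputs yields the key material, truncated to the required length.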

Serial number management

SRTP serial number management

The RTP packet structure uses 16 bits to describe the sequence number. To support replay protection, message integrity verification, data encryption and session key derivation, the SRTP protocol implicitly maintains a packet index for each SRTP packet, packet_index, denoted i.

For the sender, I is calculated as follows:

i = 2^16 * ROC + SEQ

Here SEQ is the 16-bit sequence number carried in the RTP packet. ROC (rollover counter) counts how many times the RTP sequence number (SEQ) has wrapped around, that is, ROC is incremented by 1 each time SEQ wraps modulo 2^16. The initial value of ROC is 0.

For the receiver, because of packet loss and reordering, in addition to maintaining ROC it must also maintain s_l, the highest sequence number received so far. When a new packet arrives, the receiver must estimate the actual SRTP packet index of that packet. The initial value of ROC is 0, and the initial value of s_l is the SEQ of the first SRTP packet received. Subsequently, the index i of a received SRTP packet is estimated by the following formula:

i = 2^16 * v + SEQ

Here v is one of { ROC-1, ROC, ROC+1 }, where ROC is the ROC maintained locally at the receiver and SEQ is the sequence number of the received SRTP packet. Compute i with v set to ROC-1, ROC and ROC+1 in turn and compare each with 2^16*ROC + s_l; v takes the value that gives the closest i. After SRTP decryption and integrity verification, update ROC and s_l. There are three cases:

1. v = ROC - 1: ROC and s_l are not updated.

2. v = ROC: if SEQ > s_l, update s_l = SEQ.

3. v = ROC + 1: ROC = v = ROC + 1, s_l = SEQ.

The same logic as pseudocode:

if (s_l < 32768)
    if (SEQ - s_l > 32768)
        set v to (ROC-1) mod 2^32
    else
        set v to ROC
    endif
else
    if (s_l - 32768 > SEQ)
        set v to (ROC+1) mod 2^32
    else
        set v to ROC
    endif
endif
return SEQ + v*65536
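
The pseudocode and the three update cases above, as a runnable C example on a constructed arrival order that crosses a sequence number wrap. This is an added example, not code from the original article or from libsrtp; `rx_state` and the function names are hypothetical, and integrity verification is assumed to succeed for every packet.

```c
#include <stdint.h>
#include <stdio.h>

/* Receiver state for one SRTP stream. Hypothetical names, not libsrtp API. */
typedef struct {
    uint32_t roc;   /* rollover counter, starts at 0           */
    uint16_t s_l;   /* highest sequence number received so far */
} rx_state;

/* Estimate v for a received SEQ, following the pseudocode above. */
uint32_t estimate_v(const rx_state *st, uint16_t seq)
{
    if (st->s_l < 32768) {
        if ((int32_t)seq - (int32_t)st->s_l > 32768)
            return st->roc - 1;          /* wraps mod 2^32 */
        return st->roc;
    }
    if ((int32_t)st->s_l - 32768 > (int32_t)seq)
        return st->roc + 1;              /* wraps mod 2^32 */
    return st->roc;
}

/* 48-bit packet index i = 2^16 * v + SEQ. */
uint64_t packet_index(uint32_t v, uint16_t seq)
{
    return ((uint64_t)v << 16) | seq;
}

/* Update ROC and s_l; call only after integrity verification succeeded. */
void update_state(rx_state *st, uint32_t v, uint16_t seq)
{
    if (v == st->roc) {
        if (seq > st->s_l)
            st->s_l = seq;
    } else if (v == st->roc + 1) {
        st->roc = v;
        st->s_l = seq;
    }
    /* v == ROC - 1: late packet from before the wrap, nothing changes */
}

/* Estimate, then update (verification is assumed to pass in this example). */
uint64_t receive_seq(rx_state *st, uint16_t seq)
{
    uint32_t v = estimate_v(st, seq);
    update_state(st, v, seq);
    return packet_index(v, seq);
}

int main(void)
{
    /* Constructed arrival order around a sequence number wrap. */
    static const uint16_t seqs[] = { 65533, 65535, 1, 65534, 2 };
    rx_state st = { 0, 65533 };          /* s_l = SEQ of the first packet */
    size_t k;

    for (k = 0; k < sizeof seqs / sizeof seqs[0]; k++) {
        unsigned long long i = receive_seq(&st, seqs[k]);
        printf("SEQ=%5u -> i=%llu (ROC=%u, s_l=%u)\n",
               (unsigned)seqs[k], i, (unsigned)st.roc, (unsigned)st.s_l);
    }
    return 0;
}
```

The late packet with SEQ 65534 arrives after the wrap and is still mapped to index 65534, because v is estimated as ROC - 1 and the state is left unchanged.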

SRTCP serial number management

RTCP has no field describing a sequence number. SRTCP carries the sequence number explicitly in the packet, using 31 bits (see the SRTCP format), so the maximum sequence number in SRTCP is 2^31.

Serial number and communication duration

The maximum sequence number of SRTP is 2^48 and the maximum sequence number of SRTCP is 2^31. In most applications (assuming at least one RTCP packet per 128000 RTP packets), the SRTCP sequence number reaches its upper limit first. At a rate of 200 SRTCP packets per second, the 2^31 sequence number space of SRTCP is enough for about 4 months of communication.

Anti replay attack

The attacker saves intercepted SRTP/SRTCP packets and sends them back into the network, replaying them. SRTP receivers prevent this attack by maintaining a replay list. In theory, the replay list should hold the sequence numbers of all packets that have been received and verified. In practice, the replay list uses a sliding window, whose size is described by SRTP-WINDOW-SIZE.

SRTP anti-replay

The serial number management section described in detail how the receiver estimates the packet_index of an SRTP packet from the received packet's SEQ, the ROC and s_l. The receiver also records the highest SRTP packet index it has received as local_packet_index. Compute the difference delta:

delta =  packet_index - local_packet_index

There are three cases:

1. delta > 0: a new packet has been received.

2. delta < -(SRTP-WINDOW-SIZE - 1) < 0: the sequence number of the received packet is lower than the minimum sequence number covered by the replay window. When libsrtp receives such a packet it returns srtp_err_status_replay_old=10, indicating that an old replayed packet was received.

3. delta < 0 and delta >= -(SRTP-WINDOW-SIZE - 1): a packet within the replay window has been received. If the packet is found in the replay list, it is a duplicate (replayed) packet, and libsrtp returns srtp_err_status_replay_fail=9. Otherwise, an out-of-order packet has been received.

The following figure illustrates the three regions of replay protection more intuitively:

[Figure: the three regions of the anti-replay window]

The minimum value of SRTP-WINDOW-SIZE is 64. The application can set a larger value as needed, and libsrtp rounds it up to an integer multiple of 32. For example, in WebRTC SRTP-WINDOW-SIZE = 1024. Users can adjust it as needed, as long as the purpose of preventing replay attacks is still achieved.

SRTCP anti-replay

In SRTCP, the packet index is given explicitly. In libsrtp, the SRTCP anti-replay window size is 128, and window_start records the starting sequence number of the window. The SRTCP anti-replay check works as follows:

1. index > window_start + 128: a new SRTCP packet has been received.

2. index < window_start: the sequence number of the received packet lies to the left of the replay window, so an older packet has been received. When libsrtp receives such a packet it returns srtp_err_status_replay_old=10.

3. replay_list_index = index - window_start: if the flag bit for replay_list_index in the replay list is 1, the packet has already been received and libsrtp returns srtp_err_status_replay_fail=9. If the flag bit is 0, an out-of-order packet has been received.
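
The three-way classification described in the SRTP and SRTCP anti-replay sections can be implemented with a bitmask sliding window. This is an added example, not libsrtp's implementation or code from the original article; it uses the delta form from the SRTP section with a window of 64, the type and function names are hypothetical, and a delta of 0 is treated as a duplicate.

```c
#include <stdint.h>
#include <stdio.h>

#define WINDOW_SIZE 64  /* minimum SRTP-WINDOW-SIZE; fits one 64-bit mask */

/* Illustrative names; values mirror the libsrtp status codes quoted above. */
enum { REPLAY_OK = 0, REPLAY_FAIL = 9, REPLAY_OLD = 10 };

typedef struct {
    uint64_t top;   /* local_packet_index: highest index accepted so far */
    uint64_t mask;  /* bit k set => index (top - k) was already accepted */
    int started;    /* 0 until the first packet has been recorded        */
} replay_window;

/* Classify an index against the window without modifying it. */
int replay_check(const replay_window *w, uint64_t index)
{
    int64_t delta = (int64_t)index - (int64_t)w->top;
    if (!w->started || delta > 0)
        return REPLAY_OK;                   /* case 1: new packet        */
    if (delta < -(WINDOW_SIZE - 1))
        return REPLAY_OLD;                  /* case 2: left of window    */
    if (w->mask & (1ULL << (unsigned)(-delta)))
        return REPLAY_FAIL;                 /* case 3: already received  */
    return REPLAY_OK;                       /* case 3: out of order      */
}

/* Record an index; call only after the authentication tag verified. */
void replay_add(replay_window *w, uint64_t index)
{
    int64_t delta = (int64_t)index - (int64_t)w->top;
    if (!w->started || delta >= WINDOW_SIZE) {
        w->mask = 1;                        /* window restarts at index  */
        w->top = index;
        w->started = 1;
    } else if (delta > 0) {
        w->mask = (w->mask << delta) | 1;   /* slide, mark the new top   */
        w->top = index;
    } else if (delta > -WINDOW_SIZE) {
        w->mask |= 1ULL << (unsigned)(-delta);
    }
}

/* Check, then record on success (authentication assumed to pass here). */
int replay_receive(replay_window *w, uint64_t index)
{
    int rc = replay_check(w, index);
    if (rc == REPLAY_OK)
        replay_add(w, index);
    return rc;
}

int main(void)
{
    /* Constructed packet_index arrival order. */
    static const uint64_t idx[] = { 100, 101, 103, 102, 103, 200, 130, 137, 137 };
    replay_window w = { 0, 0, 0 };
    size_t k;
    for (k = 0; k < sizeof idx / sizeof idx[0]; k++)
        printf("index %3llu -> %d\n", (unsigned long long)idx[k],
               replay_receive(&w, idx[k]));
    return 0;
}
```

Keeping the check separate from the update matters: the window is only advanced after the packet has passed authentication, so a forged packet with a high index cannot push valid packets out of the window.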

Encryption and verification algorithm

SRTP uses the AES encryption algorithm in CTR (counter) mode. CTR mode generates a continuous key stream by encrypting successive values of a counter. The counter can be any function that is guaranteed not to repeat its output for a long time. Depending on how the counting is done, there are two variants:

AES-ICM: ICM (integer counter mode) counts using integer arithmetic.

AES-GCM: GCM (Galois/counter mode) defines the counting operation over a Galois field.

In SRTP, AES-ICM performs the encryption and HMAC-SHA1 computes the MAC for data integrity verification, so encryption and MAC computation take two steps. AES-GCM is based on the idea of AEAD (authenticated encryption with associated data): it computes the MAC value while encrypting the data, so encryption and the verification information are produced in a single step. The following sections discuss the use of AES-ICM and AES-GCM separately.

AES-ICM

[Figure: AES-ICM encryption and decryption]

The figure above describes AES-ICM encryption and decryption. K in the figure is the Session Key derived through the KDF. Both encryption and decryption work by encrypting the counter and XORing the result with the plaintext P to obtain the ciphertext C, or conversely XORing it with the ciphertext C to obtain the plaintext P. For security reasons, counter generation depends on the Session Salt, the packet index and the SSRC of the packet. The counter is 128 bits wide and is generated as follows:

one byte
<-->
0  1  2  3  4  5  6  7  8  9  10 11 12 13 14 15
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
|00|00|00|00|   SSRC    |   packet index  | b_c |---+
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+   |
                                                    |
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+   v
|                  salt (k_s)             |00|00|->(+)
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+   |
                                                    |
                                                    v
                                            +-------------+
                    encryption key (k_e) -> | AES encrypt |
                                            +-------------+
                                                    |
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+   |
|                keystream block                |<--+
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
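
The counter layout in the diagram above, built in C. This is an added example, not code from the original article or from libsrtp; the function names are hypothetical, the session salt is the cipher salt from the derivation earlier in the article, and the SSRC, ROC and SEQ values are constructed. The AES encryption of the counter is left to a crypto library.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Cipher salt (k_s) derived in the article's key derivation example. */
static const uint8_t SESSION_SALT[14] = {
    0x30, 0xCB, 0xBC, 0x08, 0x86, 0x3D, 0x8C,
    0x85, 0xD4, 0x9D, 0xB3, 0x4A, 0x9A, 0xE1
};

/*
 * Hypothetical helper (not libsrtp API): AES-ICM counter block for
 * keystream block b_c of one packet.
 *   bytes 0..3   zero
 *   bytes 4..7   SSRC
 *   bytes 8..13  packet index i = 2^16 * ROC + SEQ (48 bits)
 *   bytes 14..15 block counter b_c
 * XORed with the 112-bit session salt k_s placed in bytes 0..13.
 */
void icm_counter_block(const uint8_t k_s[14], uint32_t ssrc,
                       uint32_t roc, uint16_t seq, uint16_t b_c,
                       uint8_t out[16])
{
    uint64_t index = ((uint64_t)roc << 16) | seq;
    int i;

    memset(out, 0, 16);
    for (i = 0; i < 4; i++)
        out[4 + i] = (uint8_t)(ssrc >> (8 * (3 - i)));
    for (i = 0; i < 6; i++)
        out[8 + i] = (uint8_t)(index >> (8 * (5 - i)));
    out[14] = (uint8_t)(b_c >> 8);
    out[15] = (uint8_t)(b_c & 0xFF);
    for (i = 0; i < 14; i++)
        out[i] ^= k_s[i];
}

/* Returns 1 if two packets of one stream would use the same counter,
 * which would mean the same keystream under the same session key. */
int same_counter(const uint8_t k_s[14], uint32_t ssrc,
                 uint32_t roc_a, uint16_t seq_a,
                 uint32_t roc_b, uint16_t seq_b)
{
    uint8_t a[16], b[16];
    icm_counter_block(k_s, ssrc, roc_a, seq_a, 0, a);
    icm_counter_block(k_s, ssrc, roc_b, seq_b, 0, b);
    return memcmp(a, b, 16) == 0;
}

int main(void)
{
    uint8_t blk[16];
    int i;

    /* Constructed packet: SSRC 0xCAFEBABE, ROC 1, SEQ 2. */
    icm_counter_block(SESSION_SALT, 0xCAFEBABEu, 1, 2, 0, blk);
    for (i = 0; i < 16; i++)
        printf("%02X", blk[i]);
    printf("\nSEQ 2 at ROC 0 vs ROC 1 share a counter: %d\n",
           same_counter(SESSION_SALT, 0xCAFEBABEu, 0, 2, 1, 2));
    return 0;
}
```

Because the ROC is part of the packet index, a 16-bit SEQ that repeats after a wrap still produces a different counter, so the keystream is not reused.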

HMAC-SHA1

A hash-based message authentication code (HMAC) is a message authentication code (MAC) produced by a specific construction that uses a cryptographic hash function together with a secret key. It can be used to ensure the integrity of data and to authenticate a message. HMAC uses a standard algorithm to mix the key into the hash computation. HMAC is computed as follows:

HMAC(K,M) = H ( (K XOR opad ) + H( (K XOR ipad ) + M ) )

・ H: the hash algorithm, such as MD5, SHA-1 or SHA-256.

・ B: the block length in bytes. The block is the basic unit of the hash operation. Here B = 64.

・ L: the length in bytes of the hash output (L = 16 for MD5, L = 20 for SHA-1).

・ K: the shared key. The length of K can be arbitrary, but for security reasons it is recommended that the length of K > B.

When the length of K is greater than B, the hash algorithm is first applied to K, and the resulting L-byte value is used as the new shared key. If the length of K

・ M: the content to be authenticated.

・ opad: the outer padding constant, 0x5C repeated B times.

・ ipad: the inner padding constant, 0x36 repeated B times.

・ XOR: the exclusive-or operation.

・ +: the concatenation operation.

The calculation steps are as follows:

1. Fill 0x00 after K until its length is equal to B.

2. XOR the result of step 1 with ipad.

3. Append the information to be encrypted to the result of step 2.

4. Call the H method.

5. XOR the result of step 1 with opad.

6. Attach the result of step 4 to the result of step 5.

7. Call the H method.

When SRTP and SRTCP compute the Authentication tag, the K used is the RTP auth key and the RTCP auth key from the key management section, the hash algorithm is SHA-1, and the length of the Authentication tag is 80 bits.

When computing the SRTP tag, the content M to be authenticated is:

M = Authenticated Portion + ROC

Here + denotes concatenation, and the Authenticated Portion is given in the SRTP structure diagram.

When computing the SRTCP tag, the content M to be authenticated is:

M = Authenticated Portion

Here the Authenticated Portion is given in the SRTCP structure diagram.

Using the algorithms above, the Encrypted Portion and the Authenticated Portion of SRTP/SRTCP are obtained.

AES-GCM

AES-GCM encrypts data in counter mode, an operation that can be pipelined efficiently. The operations GCM uses for authentication are particularly well suited to efficient hardware implementation. GCM-SPEC describes the theory of GCM in detail, and its Section 4.2 (Hardware) describes hardware implementation in detail.

RFC7714 describes in detail how AES-GCM is applied to SRTP encryption. Key management and serial number management are the same as described in this article. Note:

  1. AES-GCM is an AEAD (authenticated encryption with associated data) algorithm; work out what its inputs and outputs are and how they map onto the SRTP/SRTCP packet structure.
  2. The counter is computed differently from the AES-ICM method described above, which requires special attention.

libsrtp already implements AES-GCM; interested readers can study it together with the code.

Use of libsrtp

libsrtp is a widely used open source implementation of SRTP/SRTCP encryption. The frequently used APIs are:

1. srtp_init: initializes the SRTP library and its internal crypto algorithms. It must be called before using SRTP.

2. srtp_create: creates an SRTP session; it can be understood in terms of the session and session key concepts introduced in this article.

3. srtp_protect/srtp_unprotect: the RTP packet encryption and decryption interfaces.

4. srtp_protect_rtcp/srtp_unprotect_rtcp: the RTCP packet encryption and decryption interfaces.

5. srtp_set_stream_roc/srtp_get_stream_roc: set and get the ROC of a stream. These two interfaces were added in the latest version, 2.3.

The important structure srtp_policy_t is used to initialize the encryption and decryption parameters and is passed to srtp_create. The following parameters need attention:

1. The MasterKey and MasterSalt obtained from DTLS negotiation are passed to libsrtp through this structure for generating Session Keys.

2. window_size: the window size for SRTP replay protection described earlier.

3. allow_repeat_tx: whether retransmission of packets with the same sequence number is allowed.

SRS is a new-generation real-time communication server. Readers interested in libsrtp can quickly set up a debugging environment on their own machine, run tests, and gain a deeper understanding of the algorithms.

Summary

This article explained the principles of SRTP/SRTCP in depth and answered questions encountered when using libsrtp, in the hope of helping readers working in real-time audio and video communication.

References

RFC3711: SRTP

RFC6904: Encrypted SRTP Header Extensions

Integer Counter Mode

RFC6188: The Use of AES-192 and AES-256 in Secure RTP

RFC7714: AES-GCM for SRTP

RFC2104: HMAC

RFC2202: Test Cases for HMAC-MD5 and HMAC-SHA-1

GCM-SPEC: GCM

