RFC 3711: The Secure Real-time Transport Protocol (...
RFC-Ref

SRTP



... This document describes the Secure Real-time Transport Protocol (SRTP), a profile of the Real-time Transport Protocol (RTP ...
... ]. SRTP provides a framework for encryption and message authentication ...
... of RTP and RTCP streams (Section 3). SRTP defines a set of default cryptographic transforms (Sections 4 and 5), and it allows new ...
... transforms to be introduced in the future (Section 6). With appropriate key management (Sections 7 and 8), SRTP is secure (Sections 9) for unicast and multicast RTP ...
... RTP applications (Section 11). SRTP can achieve high throughput and low packet expansion. SRTP ...
... SRTP can achieve high throughput and low packet expansion. SRTP proves to be a suitable protection for heterogeneous environments (mix of wired and wireless networks ...
... RTP sequence number for SRTP and an index number for Secure RTCP (SRTCP ...
... random bits may be difficult to obtain, and for the security of SRTP, pseudo-randomness is sufficient [RFC1750 ...


... The security goals for SRTP are to ensure: * the confidentiality ...
... and re-ordering. These properties ensure that SRTP is a suitable protection scheme for RTP/RTCP ...
... Besides the above mentioned direct goals, SRTP provides for some additional features. They have been introduced to lighten the burden on key management ...
... keying material for confidentiality and integrity protection, both for the SRTP stream and the corresponding SRTCP ...


... SRTP Framework ...
... RTP is the Real-time Transport Protocol [RFC3550]. We define SRTP as a profile of RTP ...
... RFC3551]. Except where explicitly noted, all aspects of that profile apply, with the addition of the SRTP security features. Conceptually, we consider SRTP to be a "bump in the stack" ...
... profile apply, with the addition of the SRTP security features. Conceptually, we consider SRTP to be a "bump in the stack" implementation which resides between the RTP application and the ...
... RTP application and the transport layer. SRTP intercepts RTP packets and then forwards an equivalent SRTP packet ...
... SRTP intercepts RTP packets and then forwards an equivalent SRTP packet on the sending side, and intercepts SRTP packets and passes an equivalent RTP packet up the stack on the ...
... RTP packets and then forwards an equivalent SRTP packet on the sending side, and intercepts SRTP packets and passes an equivalent RTP packet up the stack on the receiving ...
... security services to RTCP as SRTP does to RTP. SRTCP message authentication ...
... The format of an SRTP packet is illustrated in Figure 1. 0 1 2 3 ...
... RTP pad count | | +>+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<+ | ~ SRTP MKI (OPTIONAL) ~ | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ...
... Authenticated Portion ---+ Figure 1. The format of an SRTP packet. *Encrypted Portion is the same size as the plaintext ...
... The "Encrypted Portion" of an SRTP packet consists of the encryption of the RTP payload ...
... encryption transforms uses any padding; for these, the RTP and SRTP payload sizes match exactly. New transforms added to SRTP ...
... SRTP payload sizes match exactly. New transforms added to SRTP (following Section 6) may require padding, and may hence produce larger payloads. RTP ...
... MKI and the RECOMMENDED authentication tag are the only fields defined by SRTP that are not in RTP. Only 8-bit alignment is ...
... particular packet. Note that the MKI SHALL NOT identify the SRTP cryptographic context, which is identified according to Section 3.2.3. The MKI MAY be used by key management ...
... message authentication data. The Authenticated Portion of an SRTP packet consists of the RTP header followed by the Encrypted ...
... RTP header followed by the Encrypted Portion of the SRTP packet. Thus, if both encryption and authentication ...
... SRTP Cryptographic Contexts ...
... Each SRTP stream requires the sender and receiver to maintain ...
... cryptographic context". SRTP uses two types of keys: session keys and master keys. By a "session key ...
... cryptographic context are provided by key management mechanisms external to SRTP, see Section 8. ...
... transforms that are used. The transform-independent parameters of the cryptographic context for SRTP consist of: * a 32-bit ...
... sequence number (SEQ), which SRTP extracts from the RTP packet header, the ROC ...
... header, the ROC is maintained by SRTP as described in Section 3.3.1. We define the index of the SRTP packet ...
... SRTP as described in Section 3.3.1. We define the index of the SRTP packet corresponding to a given ROC and RTP ...
... replay protection are provided), containing indices of recently received and authenticated SRTP packets, * an MKI ...
... * an MKI indicator (0/1) as to whether an MKI is present in SRTP and SRTCP packets, ...
... * for each master key, there is a counter of the number of SRTP packets that have been processed (sent) with that master key (essential for security, see Sections 3.3.1 and 9), ...
... message authentication. In addition, for each master key, an SRTP stream MAY use the following associated values: ...
... alternative to the MKI and assumes that a master key is in one-to-one correspondence with the SRTP session key on which the <From, To> range ...
... SRTCP SHALL by default share the crypto context with SRTP, except: * no rollover counter ...
... SRTCP maintains a separate counter for its master key (even if the master key is the same as that for SRTP, see below), as a means to maintain a count of the number of SRTCP packets that have been ...
... processed with that key. Note in particular that the master key(s) MAY be shared between SRTP and the corresponding SRTCP, if the pre-defined transforms (including ...
... In addition, there can be cases (see Sections 8 and 9.1) where several SRTP streams within a given RTP session, identified by their synchronization source ...
... master and session keys). In such cases, just as in the normal SRTP/SRTCP parameter sharing above, separate replay lists and packet counters ...
... stream (SSRC) MUST still be maintained. Also, separate SRTP indices MUST then be maintained. A summary of parameters, pre-defined transforms, and default values ...
... A summary of parameters, pre-defined transforms, and default values for the above parameters (and other SRTP parameters) can be found in Sections 5 and 8.2. ...
... Initialization Vector (IV) formation, etc. Future SRTP transform specifications MUST include a section to list the additional cryptographic context's parameters for that transform, ...
... Mapping SRTP Packets to Cryptographic Contexts ...
... destination transport port are the ones in the SRTP packet. It is assumed that, when presented with this information, the key management returns a context ...
... with the information as described in Section 3.2. As noted above, SRTP and SRTCP by default share the bulk of the parameters in the cryptographic context ...
... stream in practice may imply a binding to the correspondent SRTP crypto context. It is up to the implementation to assure such binding ...
... directly deducible from the RTP port only. Alternatively, the key management may choose to provide separate SRTP- and SRTCP- contexts, ...
... contexts, duplicating the common parameters (such as master key(s)). The latter approach then also enables SRTP and SRTCP to use, e.g., distinct transforms, if so desired. Similar considerations arise ...
... SRTCP to use, e.g., distinct transforms, if so desired. Similar considerations arise when multiple SRTP streams, forming part of one single RTP session, share keys and other parameters. ...
... SRTP Packet Processing ...
... The following applies to SRTP. SRTCP is described in Section 3.4. ...
... key management, the sender SHALL do the following to construct an SRTP packet: 1. Determine which cryptographic context ...
... Section 3.2.3. 2. Determine the index of the SRTP packet using the rollover counter, the highest sequence number ...
... To authenticate and decrypt an SRTP packet, the receiver SHALL do the following: ...
... 2. Run the algorithm in Section 3.3.1 to get the index of the SRTP packet. The algorithm uses the rollover counter and highest ...
... sequence number in the cryptographic context with the sequence number in the SRTP packet, as described in Section 3.3.1. 3. Determine the master key and master salt. If the MKI ...
... the context is set to one, use the MKI in the SRTP packet, otherwise use the index from the previous step, according to Section 8.1. ...
... SRTP implementations use an "implicit" packet index for sequencing, i.e., not all of the index is explicitly carried in the SRTP packet. ...
... SRTP implementations use an "implicit" packet index for sequencing, i.e., not all of the index is explicitly carried in the SRTP packet. For the pre-defined transforms, the index i is used in replay protection (Section 3.3.2), encryption ...
... sequence number to determine the correct index of a packet, which is the location of the packet in the sequence of all SRTP packets. A robust approach for the proper use of a rollover counter requires its handling and use to ...
... sequence number (SEQ) of the first observed SRTP packet (unless the initial value is provided by out of band signaling such as key management ...
... key management). On consecutive SRTP packets, the receiver SHOULD estimate the index as ...
... After the packet has been processed and authenticated (when enabled for SRTP packets for the session), the receiver MUST use v to ...
... 32 bits long and the sequence number is 16 bits long, the maximum number of packets belonging to a given SRTP stream that can be secured with the same key is 2^48 using the pre- ...
... stream that can be secured with the same key is 2^48 using the pre-defined transforms. After that number of SRTP packets have been sent with a given (master or session) key, the sender ...
... network. When message authentication is provided, SRTP protects against such attacks through a Replay List. Each SRTP ...
... SRTP protects against such attacks through a Replay List. Each SRTP receiver maintains a Replay List, which conceptually contains the indices of all of the packets which have been received ...
... replay protection. Packet indices which lag behind the packet index in the context by more than SRTP-WINDOW-SIZE can be assumed to have been received, where SRTP-WINDOW-SIZE is a receiver ...
... context by more than SRTP-WINDOW-SIZE can be assumed to have been received, where SRTP-WINDOW-SIZE is a receiver-side, implementation-dependent parameter and MUST be at least 64, but which MAY be set to ...
... encryption method specified in [RFC3550] and is not needed by the cryptographic mechanisms used in SRTP. 0 1 2 3 ...
... SRTCP packet. The index is explicitly included in each packet, in contrast to the "implicit" index approach used for SRTP. The SRTCP index MUST be set to zero ...
... cryptographic context parameters and packet processing of SRTP by default, with the following changes: * The receiver ...
... encryption transform and related parameters SHALL by default be the same selected for the protection of the associated SRTP stream(s), while the NULL algorithm ...
... encryption transform than the one used by the corresponding SRTP. The expected use for this feature is when the former has NULL-encryption and the latter ...
... key size) SHALL by default be the same as selected for the protection of the associated SRTP stream(s). ...


... message authentication algorithms that can be used in SRTP, below we define default algorithms in order to avoid the complexity of specifying the ...
... The defined algorithms have been chosen as they fulfill the goals listed in Section 2. Recommendations on how to extend SRTP with new transforms are given in Section 6. ...
... * n_s is the bit-length of k_s * SRTP_PREFIX_LENGTH is the octet length of the keystream prefix, a ...
... The distinct session keys and salts for SRTP/SRTCP are by default derived as specified in Section 4.3. ...
... The encryption transforms defined in SRTP map the SRTP packet index and secret key ...
... The encryption transforms defined in SRTP map the SRTP packet index and secret key into a pseudo-random ...
... RTP packet to produce the Encrypted Portion of the SRTP packet. In case the payload size is not an integer ...
... +---------------------------------+ | | Encrypted Portion of SRTP Packet|<--+ +---------------------------------+ ...
... +---------------------------------+ Figure 3: Default SRTP Encryption Processing. Here KG denotes the keystream generator, and (*) denotes bitwise exclusive-or. ...
... RTP is not required. The SRTP definition of the keystream is illustrated in Figure 3. The initial octets of each keystream segment ...
... The number of octets in the keystream prefix is denoted as SRTP_PREFIX_LENGTH. The keystream prefix is indicated by a positive, ...
... prefix is indicated by a positive, non-zero value of SRTP_PREFIX_LENGTH. This means that, even if confidentiality ...
... IV SHALL be defined by the SSRC, the SRTP packet index i, and the SRTP session salting key ...
... SSRC, the SRTP packet index i, and the SRTP session salting key k_s, as below. ...
... The inclusion of the SSRC allows the use of the same key to protect distinct SRTP streams within the same RTP session, see the security ...
... time pad situation (Section 9.1). To satisfy this constraint, an implementation MUST ensure that the combination of the SRTP packet index of ROC ...
... checked by that module (i.e., sequence-number and SSRC processing in an SRTP system needs to be protected as well as the key). ...
... f8 SRTP IV Formation ...
... authentication (IHA), see Section 9.5. The SRTP IV for 128-bit block AES ...
... Throughout this section, M will denote data to be integrity protected. In the case of SRTP, M SHALL consist of the Authenticated Portion of the packet (as specified in Figure 1) concatenated with ...
... bit-length of the output authentication tag * SRTP_PREFIX_LENGTH is the octet length of the keystream prefix as ...
... The distinct session authentication keys for SRTP/SRTCP are by default derived as specified in Section 4.3. ...
... The values of n_a, n_tag, and SRTP_PREFIX_LENGTH MUST be fixed for any particular fixed value of the key. ...
... sender computes the tag of M and appends it to the packet. The SRTP receiver verifies a message/authentication tag pair by computing ...
... The pre-defined authentication transform for SRTP is HMAC-SHA1 [RFC2104 ...
... [RFC2104]. With HMAC-SHA1, the SRTP_PREFIX_LENGTH (Figure 3) SHALL be 0. For SRTP ...
... SRTP_PREFIX_LENGTH (Figure 3) SHALL be 0. For SRTP (respectively SRTCP), the HMAC SHALL be applied to ...
... encryption or message authentication transform that is employed (it may be an SRTP pre-defined transform or newly introduced according to Section 6), interoperable SRTP ...
... is employed (it may be an SRTP pre-defined transform or newly introduced according to Section 6), interoperable SRTP implementations MUST use the SRTP key derivation ...
... introduced according to Section 6), interoperable SRTP implementations MUST use the SRTP key derivation to generate session keys. Once the key derivation ...
... of the session, there is no need for extra communication between the parties that use SRTP key derivation. ...
... +-----------+ salt +--------+ Figure 5: SRTP key derivation. ...
... At least one initial key derivation SHALL be performed by SRTP, i.e., the first key derivation is REQUIRED. Further applications of the ...
... lifetime of the associated master key. Interoperable SRTP implementations MAY also derive session salting keys for encryption ...
... [HAC]. For the purpose of key derivation in SRTP, a secure PRF with m = 128 (or more) MUST be used, and a default PRF ...
... bit ROC || SEQ for SRTP): * Let r = index DIV key_derivation_rate (with DIV as defined above). ...
... range 0x06 to 0xff for other purposes. The n-bit SRTP key (or salt) for this packet SHALL then be derived from the master key, k_master as follows: ...
... session keys and salt SHALL now be derived using: - k_e (SRTP encryption): <label> = 0x00, n = n_e. ...
... encryption): <label> = 0x00, n = n_e. - k_a (SRTP message authentication): <label> = 0x01, n = n_a. ...
... message authentication): <label> = 0x01, n = n_a. - k_s (SRTP salting key): <label> = 0x02, n = n_s. ...
... SRTCP SHALL by default use the same master key (and master salt) as SRTP. To do this securely, the following changes SHALL be done to the definitions in Section 4.3.1 when applying session key derivation ...
... SRTCP. Replace the SRTP index by the 32-bit quantity: 0 || SRTCP index ...


... The default transforms also are mandatory-to-implement transforms in SRTP. Of course, "mandatory-to-implement" does not imply "mandatory-to-use". Table 1 summarizes the pre-defined transforms. ...
... Table 1: Mandatory-to-implement, optional and default transforms in SRTP and SRTCP. ...
... (n_tag) SHALL be 80 bits, and the SRTP_PREFIX_LENGTH SHALL be zero for HMAC-SHA1 ...
... MUST NOT be applied with a value of n_tag, nor n_a, that are smaller than these defaults. For SRTP, smaller values are NOT RECOMMENDED, but MAY be used after careful consideration of the issues in Section 7.5 and 9.5. ...


... Adding SRTP Transforms ...
... Section 4 provides examples of the level of detail needed for defining transforms. Whenever a new transform is to be added to SRTP, a companion standard track RFC MUST be written to exactly define how the new transform can be used with SRTP (and SRTCP ...
... SRTP, a companion standard track RFC MUST be written to exactly define how the new transform can be used with SRTP (and SRTCP). Such a companion RFC SHOULD avoid overlap with the SRTP ...
... SRTP (and SRTCP). Such a companion RFC SHOULD avoid overlap with the SRTP protocol document. Note however, that it MAY be necessary to extend the SRTP ...
... SRTP protocol document. Note however, that it MAY be necessary to extend the SRTP or SRTCP cryptographic context ...
... default values), add steps to the packet processing, or even add fields to the SRTP/SRTCP packets. The companion RFC SHALL explain any known issues regarding interactions between the transform and ...
... SRTCP packets. The companion RFC SHALL explain any known issues regarding interactions between the transform and other aspects of SRTP. Each new transform document SHOULD specify its key attributes, e.g., ...
... lifetime, re-keying and key derivation, whether sharing of keys between SRTP and SRTCP is allowed or not, etc. ...


... This section explains the rationale behind several important features of SRTP. ...
... Key derivation reduces the burden on the key establishment. As many as six different keys are needed per crypto context (SRTP and SRTCP encryption keys ...
... SRTCP encryption keys and salts, SRTP and SRTCP authentication keys), but ...
... secure way. Thus, the key management protocol needs to exchange only one master key (plus master salt when required), and then SRTP itself derives all the necessary session keys (via the first, mandatory ...
... No authentication transforms are currently provided in SRTP other than HMAC-SHA1. Future transforms, like the above mentioned ...
... PCST1] [PCST2], more work is needed to rigorously specify these technologies. Thus SRTP data origin authentication in groups ...
... As shown in Figure 1, the authentication tag is RECOMMENDED in SRTP. A full 80-bit authentication ...
... affecting a longer duration of output. Certainly not all SRTP or telephony applications meet the criteria for short or zero-length authentication tags. Section 9.5.1 ...


... KEYMGT] [SDMS] for establishing an SRTP cryptographic context (e.g., an SRTP master key). Both proprietary and open-standard key management methods ...
... SDMS] for establishing an SRTP cryptographic context (e.g., an SRTP master key). Both proprietary and open-standard key management methods are ...
... key management systems that service SRTP session. ...
... For initialization, an interoperable SRTP implementation SHOULD be given the SSRC and MAY be given the initial RTP ...
... endpoint (to properly initialize its replay list). If the pre-defined transforms are used, SRTP allows sharing of the same master key between SRTP/SRTCP ...
... If the pre-defined transforms are used, SRTP allows sharing of the same master key between SRTP/SRTCP streams belonging to the same RTP session. ...
... RTP session. First, sharing between SRTP streams belonging to the same RTP session is secure if the design of the synchronization ...
... discussion. Second, sharing between SRTP and the corresponding SRTCP is secure. The fact that an SRTP ...
... SRTP and the corresponding SRTCP is secure. The fact that an SRTP stream and its associated SRTCP stream ...
... SSRC does not constitute a problem for the two-time pad due to the key derivation. Thus, SRTP and SRTCP corresponding to one RTP session ...
... message authentication also has a dependency on SSRC uniqueness that is unrelated to the problem of keystream reuse: SRTP streams authenticated under the same key MUST have a distinct SSRC ...
... authenticated field used to distinguish between different SRTP streams. Were two streams to use identical SSRC ...
... stream into the other without detection. SRTP/SRTCP MUST NOT share master keys under any other circumstances than the ones given above, i.e., between SRTP ...
... SRTP/SRTCP MUST NOT share master keys under any other circumstances than the ones given above, i.e., between SRTP and its corresponding SRTCP, and, between streams belonging to the same RTP session ...
... The recommended way for a particular key management system to provide re-key within SRTP is by associating a master key in a crypto context with an MKI ...
... wireless links do not cater for added bits, therefore SRTP also defines a more economic way of triggering re-keying, via use of <From, To>, which works in some specific, ...
... simple scenarios (see Section 8.1.1). SRTP senders SHALL count the amount of SRTP and SRTCP ...
... SRTP senders SHALL count the amount of SRTP and SRTCP traffic being ...
... key management interface to SRTP and are not defined by this protocol specification. ...
... In addition to the use of the MKI, SRTP defines another optional mechanism for master key retrieval, the <From, To>. The <From, To> specifies the range ...
... mechanism for master key retrieval, the <From, To>. The <From, To> specifies the range of SRTP indices (a pair of sequence number and ROC ...
... part of the crypto context. By looking at the 48-bit SRTP index of the current SRTP packet, the corresponding master key can be found by ...
... bit SRTP index of the current SRTP packet, the corresponding master key can be found by determining which From-To interval it belongs to. For SRTCP, the ...
... determining which From-To interval it belongs to. For SRTCP, the most recently observed/used SRTP index (which can be obtained from the cryptographic context) is used for this purpose, even though ...
... re-keying points. Also, the re-key triggering on SRTCP is based on the correspondent SRTP stream, i.e., when the SRTP stream ...
... the correspondent SRTP stream, i.e., when the SRTP stream changes the master key, so does the correspondent SRTCP ...
... default values for the <From, To> are "from the first observed packet" and "until further notice". However, the maximum limit of SRTP/SRTCP packets that are sent under each given master/session key ...
... The table below lists all SRTP parameters that key management can supply. For reference, it also provides a summary of the default and ...
... key management can supply. For reference, it also provides a summary of the default and mandatory-to-support values for an SRTP implementation as described in Section 5. ...
... --------- -------------------- ------- SRTP and SRTCP encr transf. AES_CM ...
... AES_f8) SRTP and SRTCP auth transf. HMAC-SHA1 HMAC-SHA1 ...
... HMAC-SHA1 SRTP and SRTCP auth params: n_tag ...
... tag (tag length) 80 80 SRTP prefix_length 0 0 ...
... key lifetime SRTP-packets-max-lifetime 2^48 2^48 SRTCP ...
... sender's order between FEC and SRTP FEC-SRTP FEC ...
... FEC and SRTP FEC-SRTP FEC-SRTP ...
... FEC-SRTP FEC-SRTP (see Section 10) ...


... automatic key management be used for establishing and maintaining SRTP and SRTCP keying material; this requirement ...
... requirement is to avoid keystream reuse, which is more likely to occur with manual key management. Furthermore, in SRTP, a "two-time pad" is avoided by requiring the key, or some other parameter of cryptographic ...
... RTCP stream and packet. The pre-defined SRTP transforms accomplish packet-uniqueness by including the packet index and stream-uniqueness by inclusion of the SSRC ...
... above, the RECOMMENDED policy for an SSRC collision error is for the participant to leave the SRTP session as it is a sign of malfunction. ...
... in [MF00]. In summary, the effective key size of SRTP when used in a security system in which m distinct keys are used, is equal to the ...
... throughput of that cipher. The use of the SRTP and SRTCP indices in the pre-defined transforms fixes the maximum number of packets that can be secured with the same ...
... SRTCP indices in the pre-defined transforms fixes the maximum number of packets that can be secured with the same key. This limit is fixed to 2^48 SRTP packets for an SRTP stream, ...
... fixes the maximum number of packets that can be secured with the same key. This limit is fixed to 2^48 SRTP packets for an SRTP stream, and 2^31 SRTCP ...
... stream, and 2^31 SRTCP packets, when SRTP and SRTCP are considered independently. Due to for example re-keying ...
... MUST keep packet counts. However, when the session keys for related SRTP and SRTCP streams are derived from the same master key (the default behavior, Section 4.3), the upper bound that has to be ...
... default behavior, Section 4.3), the upper bound that has to be considered is in practice the minimum of the two quantities. That is, when 2^48 SRTP packets or 2^31 SRTCP packets have been secured with the same key (whichever occurs before), the key management ...
... sender of RTCP discovers that the sender of SRTP (or SRTCP) has not updated the master or session key ...
... SRTCP) has not updated the master or session key prior to sending 2^48 SRTP (or 2^31 SRTCP) packets belonging to the same SRTP ...
... SRTP (or 2^31 SRTCP) packets belonging to the same SRTP (SRTCP) stream, it is up to ...
... enough to secure approximately 4 months of communication. Note that if the master key is to be shared between SRTP streams within the same RTP session (Section 9.1), although the above bounds ...
... RFC2104] so that an existing HMAC implementation can be plugged into SRTP without problems. Since the default tag size is 80 bits ...
... SRTP's pre-defined ciphers are "seekable" stream ciphers, i.e., ciphers able to efficiently seek to arbitrary locations in their ...
... not depend on preceding packets). By using seekable stream ciphers, SRTP avoids the denial of service attacks that are possible on stream ...
... In SRTP, RTP headers are sent in the clear to allow for header compression. This means that data such as payload type ...
... information might also be "leaked". SRTP is a low-cost method, which allows header compression to reduce ...
... SRTP messages are subject to attacks on their integrity ...
... identification, and these risks are discussed in Section 9.5.1. To protect against these attacks, each SRTP stream SHOULD be protected by HMAC-SHA1 ...
... authentication. SRTP MAY be used with weak authentication (e.g., a 32-bit ...
... authentication (the NULL authentication algorithm). These options allow SRTP to be used to provide confidentiality in situations where ...
... authentication tag MUST ensure that only a negligible fraction of the packets passed to the RTP application by the SRTP receiver can be forgeries ...
... RTP padding as discussed in reference to Figure 1, when used together with CBC mode. Later transform additions to SRTP MUST therefore carefully consider the risk of using this padding without proper integrity protection ...


... Forward Error Correction (e.g., RFC 2733) processing with SRTP SHALL be to perform FEC processing prior to SRTP ...
... SRTP SHALL be to perform FEC processing prior to SRTP processing on the sender side and to perform SRTP processing ...
... to SRTP processing on the sender side and to perform SRTP processing prior to FEC processing on the receiver ...
... receiver side. Any change to this ordering (reversing it, or, placing FEC between SRTP encryption and SRTP ...
... SRTP encryption and SRTP authentication) SHALL be signaled out of band. ...


... SRTP can be used as security protocol for the RTP/RTCP ...
... RTCP traffic in many different scenarios. SRTP has a number of configuration options, in particular regarding key usage, and can have impact on ...
... the total performance of the application according to the way it is used. Hence, the use of SRTP is dependent on the kind of scenario and application it is used with. In the following, we briefly illustrate some use cases for SRTP ...
... SRTP is dependent on the kind of scenario and application it is used with. In the following, we briefly illustrate some use cases for SRTP, and give some guidelines for recommended setting of its options. ...
... functions): SRTP_encr_key, SRTP_auth_key, SRTCP_encr_key, and SRTCP ...
... SRTP_encr_key, SRTP_auth_key, SRTCP_encr_key, and SRTCP_auth key. ...
... Receiver Reports that the sender might need to process. In SRTP, the sender may have to keep state ...
... traffic. This shared master key could then be the same one used by the sender to protect its outbound SRTP traffic. Alternatively, it could be a master key shared only among the ...
... SRTCP sources send at different times). Thus, in case key derivation is wanted for SRTP, the cryptographic context for SRTP ...
... SRTP, the cryptographic context for SRTP can be kept separate from the SRTCP crypto context, so that it ...
... is possible to have a key_derivation_rate of 0 for SRTCP and a non-zero value for SRTP. Use of the MKI ...
... (see Section 8.1). If there are more than one SRTP/SRTCP stream (within the same RTP session ...
... SRTCP stream (within the same RTP session) that share the master key, the upper limit of 2^48 SRTP packets / 2^31 SRTCP packets means that, before one of the streams reaches its maximum number of packets, re-keying ...
... reasons (e.g., the key is at the end of its lifetime). When using SRTP default transforms, the master key MUST be replaced before any of the index spaces are exhausted for any of the streams protected by one and the same master key. ...
... How key management re-keys SRTP implementations is out of scope, but it is clear that there are straightforward ways to manage keys for a multicast group ...
... SRTCP in some large-group scenarios. As mentioned, there are potential problems in using the SRTP index, rather than the SRTCP index, for determining the master key. In ...
... be the case that SRTCP packets are not under the current master key of the correspondent SRTP. Therefore, using the MKI for re-keying in ...
... The description of these scenarios highlights some recommendations on the use of SRTP, mainly related to re-keying and large scale multicast ...
... SHOULD be used in this case. - If multiple SRTP streams in the same RTP session share the same master key, also moderate rate re-keying ...


... RTP/SAVP". SRTP uses cryptographic transforms which a key management protocol ...
... key management protocol conveys these protocol numbers, not SRTP, and each key management protocol chooses the numbering scheme and syntax that it requires. ...
... Specification of a key management protocol for SRTP is out of scope here. Section 8.2, however, provides guidance on the parameters that need to be defined for the default and mandatory transforms. ...


... pseudo-code for the algorithm to determine the index i of an SRTP packet with sequence number SEQ. In ...


... SRTP PREFIX LENGTH : 0 ...


