DTLS-SRTP (RFC 5764) is the mandatory keying mechanism for WebRTC media (RFC 8827). It combines DTLS (Datagram Transport Layer Security), which runs the handshake and agrees the keys, with SRTP (Secure Real-time Transport Protocol), which uses those keys to protect the RTP and RTCP packets.
How DTLS-SRTP works
- After ICE has selected a working candidate pair, the peers run a DTLS handshake over that path. Roles come from the SDP a=setup attribute: the active side acts as the DTLS client, the passive side as the DTLS server
- In the handshake each peer presents its certificate (normally self-signed and generated by the browser) and the use_srtp extension negotiates the SRTP protection profile, for example AES-GCM or AES-CM with HMAC-SHA1. No key is ever transmitted; the session keys come from the handshake's ephemeral key exchange
- The SRTP master keys and salts are then pulled from the DTLS session with the TLS keying-material exporter (label "EXTRACTOR-dtls_srtp") and split into client and server key/salt pairs. Media is not tunnelled inside DTLS: RTP and RTCP are protected directly as SRTP/SRTCP with those keys
- STUN, DTLS and SRTP/SRTCP all arrive on the same port; the receiver tells them apart by the first byte of each packet, as specified in RFC 7983
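The two mechanical pieces of that procedure, as an added example that is not part of the original page or of any WebRTC implementation: RFC 7983 demultiplexing of packets on the shared port by first byte, and the RFC 5764 derivation of SRTP master keys and salts from the DTLS 1.2 exporter (TLS 1.2 PRF over client_random || server_random with the fixed label and no context). The master secret and randoms below are constructed stand-ins, not values from a real handshake, and the function names (classify_packet, derive_srtp_keys, srtp_keys_for_role) are this example's own. With DTLS 1.3 the exporter is the HKDF-based TLS 1.3 construction instead, so only the splitting logic carries over.

```python
import hashlib
import hmac
from typing import Dict, Tuple


# RFC 7983 demultiplexing on the shared ICE port: the first byte tells
# STUN, DTLS and RTP/RTCP apart.
def classify_packet(packet: bytes) -> str:
    if not packet:
        raise ValueError("empty packet")
    b = packet[0]
    if b <= 3:
        return "STUN"
    if 16 <= b <= 19:
        return "ZRTP"
    if 20 <= b <= 63:
        return "DTLS"
    if 64 <= b <= 79:
        return "TURN-channel"
    if 128 <= b <= 191:
        return "RTP/RTCP"
    return "unknown"


# TLS 1.2 PRF (RFC 5246 section 5): P_SHA256 expansion.
def p_sha256(secret: bytes, seed: bytes, length: int) -> bytes:
    out = b""
    a = seed  # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()            # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()  # HMAC(secret, A(i) + seed)
    return out[:length]


def tls12_prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    return p_sha256(secret, label + seed, length)


# RFC 5705 exporter as RFC 5764 uses it: fixed label, no context value.
def dtls_srtp_exporter(master_secret: bytes, client_random: bytes,
                       server_random: bytes, length: int) -> bytes:
    return tls12_prf(master_secret, b"EXTRACTOR-dtls_srtp",
                     client_random + server_random, length)


# (master key length, master salt length) in bytes for protection profiles
# negotiated through use_srtp (RFC 5764, RFC 7714).
SRTP_PROFILES: Dict[str, Tuple[int, int]] = {
    "SRTP_AES128_CM_HMAC_SHA1_80": (16, 14),
    "SRTP_AES128_CM_HMAC_SHA1_32": (16, 14),
    "SRTP_AEAD_AES_128_GCM": (16, 12),
    "SRTP_AEAD_AES_256_GCM": (32, 12),
}


def derive_srtp_keys(master_secret: bytes, client_random: bytes,
                     server_random: bytes, profile: str) -> Dict[str, bytes]:
    """Split exporter output in the RFC 5764 section 4.2 order:
    client key || server key || client salt || server salt."""
    key_len, salt_len = SRTP_PROFILES[profile]
    km = dtls_srtp_exporter(master_secret, client_random, server_random,
                            2 * (key_len + salt_len))
    fields = ("client_write_key", "server_write_key",
              "client_write_salt", "server_write_salt")
    sizes = (key_len, key_len, salt_len, salt_len)
    keys, off = {}, 0
    for name, size in zip(fields, sizes):
        keys[name] = km[off:off + size]
        off += size
    return keys


def srtp_keys_for_role(keys: Dict[str, bytes], dtls_role: str) -> Dict[str, bytes]:
    """The DTLS client (SDP a=setup:active) sends with the client_write pair and
    receives with the server_write pair; the DTLS server does the reverse."""
    if dtls_role == "client":
        send, recv = "client_write", "server_write"
    elif dtls_role == "server":
        send, recv = "server_write", "client_write"
    else:
        raise ValueError("dtls_role must be 'client' or 'server'")
    return {"send_key": keys[send + "_key"], "send_salt": keys[send + "_salt"],
            "recv_key": keys[recv + "_key"], "recv_salt": keys[recv + "_salt"]}


# Constructed sample handshake values (not from a real session).
SAMPLE_MASTER_SECRET = bytes(range(48))
SAMPLE_CLIENT_RANDOM = bytes([0xA5] * 32)
SAMPLE_SERVER_RANDOM = bytes([0x5A] * 32)

if __name__ == "__main__":
    for pkt in (b"\x00\x01\x00\x00", b"\x16\xfe\xfd\x00", b"\x80\x60\x00\x01", b"\x40\x00"):
        print(f"first byte {pkt[0]:#04x} -> {classify_packet(pkt)}")
    keys = derive_srtp_keys(SAMPLE_MASTER_SECRET, SAMPLE_CLIENT_RANDOM,
                            SAMPLE_SERVER_RANDOM, "SRTP_AEAD_AES_128_GCM")
    for name, value in srtp_keys_for_role(keys, "client").items():
        print(name, value.hex())
```

The point of the split is that each direction gets its own key and salt from one exporter call, and which pair a side transmits with depends only on its DTLS role, which is why a mismatch in a=setup handling produces media that authenticates fine on the sender but fails SRTP authentication on the receiver.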
Why DTLS-SRTP over SDES
DTLS-SRTP replaced SDES (SDP Security Descriptions, RFC 4568), which carried the SRTP master key itself inside the SDP, because:
- Key security: with SDES every signaling server, SBC or log that saw the offer/answer also saw the media key, unless the entire signaling path happened to be encrypted end to end. With DTLS-SRTP the keys are agreed directly between the media endpoints and never appear in signaling
- Forward secrecy: the ephemeral (EC)DHE key exchange in the DTLS handshake (required by the DTLS 1.2 cipher suite WebRTC mandates, and the only kind of key exchange in DTLS 1.3) means a later compromise of a certificate's private key does not expose recorded sessions. A recorded SDES exchange plus the media remains decryptable forever
- Authentication: each endpoint puts a hash of its certificate in the SDP (a=fingerprint, RFC 8122), and the certificate presented in the DTLS handshake must match it. This binds the media endpoint to the signaling exchange, but only as strongly as the signaling channel is protected: a signaling server that can rewrite fingerprints can still interpose itself, which is why RFC 8827 additionally defines identity assertions from an identity provider
WebRTC prohibits SDES outright: RFC 8827 forbids implementations from offering it or from selecting it when a peer offers it.
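The fingerprint check described under Authentication, as an added example that is not part of the original page or of any browser's code: parse every a=fingerprint line in the remote SDP (RFC 8122 syntax), hash the DER certificate the peer presented in the DTLS handshake with each supported algorithm, and accept only if all supported fingerprints match and at least one was present. The certificate bytes and the SDP are constructed for the example, and the names (parse_fingerprints, verify_peer_certificate, PEER_CERT_DER) are this example's own.

```python
import hashlib
import hmac
import re
from typing import List, Tuple

# Hash functions permitted in a=fingerprint (RFC 8122); WebRTC endpoints are
# expected to support at least sha-256.
HASH_FUNCS = {
    "sha-1": hashlib.sha1,
    "sha-224": hashlib.sha224,
    "sha-256": hashlib.sha256,
    "sha-384": hashlib.sha384,
    "sha-512": hashlib.sha512,
}

# a=fingerprint:<hash-func> <HH:HH:...>  (hex is case-insensitive on the wire)
_FP_LINE = re.compile(r"^a=fingerprint:(\S+)\s+([0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2})+)\s*$")


def parse_fingerprints(sdp: str) -> List[Tuple[str, str]]:
    """Return (hash-func, UPPERCASE colon-hex) pairs for every a=fingerprint line."""
    found = []
    for line in sdp.splitlines():
        m = _FP_LINE.match(line.strip())
        if m:
            found.append((m.group(1).lower(), m.group(2).upper()))
    return found


def fingerprint_of(cert_der: bytes, hash_func: str) -> str:
    digest = HASH_FUNCS[hash_func](cert_der).digest()
    return ":".join(f"{b:02X}" for b in digest)


def verify_peer_certificate(cert_der: bytes, sdp: str) -> bool:
    """Accept the handshake certificate only if it matches every a=fingerprint
    line whose hash function we support and at least one such line exists.
    No usable fingerprint means no binding to signaling, so that is a failure."""
    checked = False
    for hash_func, expected in parse_fingerprints(sdp):
        if hash_func not in HASH_FUNCS:
            continue  # cannot verify with an unknown hash function; ignore it
        if not hmac.compare_digest(fingerprint_of(cert_der, hash_func), expected):
            return False
        checked = True
    return checked


# Constructed stand-ins for the DER bytes of two self-signed certificates
# (any byte string hashes the same way; these are not real certificates).
PEER_CERT_DER = b"\x30\x82\x01\x0a constructed peer cert " + bytes(range(64))
ATTACKER_CERT_DER = b"\x30\x82\x01\x0a constructed attacker cert " + bytes(range(64))


def build_sdp(cert_der: bytes, hash_func: str = "sha-256") -> str:
    """Minimal constructed SDP answer carrying the fingerprint of cert_der."""
    return "\r\n".join([
        "v=0", "o=- 1 1 IN IP4 127.0.0.1", "s=-", "t=0 0",
        "m=audio 9 UDP/TLS/RTP/SAVPF 111",
        "a=setup:active",
        f"a=fingerprint:{hash_func} {fingerprint_of(cert_der, hash_func)}",
    ])


REMOTE_SDP = build_sdp(PEER_CERT_DER)

if __name__ == "__main__":
    # The signaled peer's certificate matches; a substitute presented by
    # someone on the media path does not.
    print(verify_peer_certificate(PEER_CERT_DER, REMOTE_SDP))      # True
    print(verify_peer_certificate(ATTACKER_CERT_DER, REMOTE_SDP))  # False
```

This detects an attacker on the media path who completes the DTLS handshake with a certificate other than the one signaled. It does nothing against a signaling server that rewrites the fingerprint to its own certificate's and then terminates both DTLS legs, which is exactly the gap identity assertions are meant to close.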
DTLS 1.3
The WebRTC community is working on adopting DTLS 1.3 (RFC 9147). It needs fewer round trips (a 1-RTT handshake when no cookie exchange is required), so media can start sooner after ICE completes; it drops non-forward-secret key exchange entirely; and because post-quantum hybrid key exchange (for example ML-KEM combined with X25519) is being standardised for (D)TLS 1.3 rather than 1.2, it is the version through which WebRTC gets PQC (Post-Quantum Cryptography) key agreement. The DTLS-SRTP key derivation changes with it: the SRTP keying material comes from the HKDF-based TLS 1.3 exporter rather than the TLS 1.2 PRF, so an implementation cannot reuse its 1.2 exporter code unchanged.