SRTP stands for Secure RTP.
What is SRTP?
SRTP is defined in the IETF RFC 3711 specification.
RTP (=Real-Time Transport Protocol) is used as the baseline. It offers the ability to send and receive voice and video data in real time over the network, usually on top of UDP.
The protocol is “built” on top of RTP as a secure transport protocol for real-time media and is mandated for use by WebRTC. What it does is offer a secure, private mechanism to send and receive data by using encryption.
The SRTP Protocol
On top of RTP, the SRTP protocol provides these security characteristics:
- Integrity. The receiver can validate that no man in the middle has changed the packet sent from the originator along the way
- Authentication. Both the receiver and the server can, if they want, authenticate the identity of the other
- Privacy. No one intercepting the traffic can read it because it is encrypted
The data is both encrypted and authenticated by private keys that are derived from a shared secret that is known only to the sender and the receiver of the media. The shared secret is obtained by the use of DTLS-SRTP, a key exchange mechanism that is initiated when a connection is being established.
Good to know
It is important to note that the header of an SRTP packet is never encrypted, providing some amount of metadata to those listening in to the transmission.
SRTP is coupled with SRTCP, the implementation of secure RTCP.
It is the only media transport mechanism used by WebRTC.
While the protocol allows for a NULL encryption mechanism (=no encryption or privacy), this mechanism is disabled by WebRTC, making it impossible to send media in the clear in browser implementations of WebRTC.
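To make the point about the unencrypted header concrete, the following added example (not part of the original page) reads every field of an SRTP packet that is visible without any key. The function name `parse_srtp_cleartext`, the sample packet, and the 10-byte authentication tag with no MKI field are assumptions made for illustration.

```python
import struct

AUTH_TAG_LEN = 10  # assumption: 80-bit HMAC-SHA1 tag, no MKI field present


def parse_srtp_cleartext(packet: bytes, tag_len: int = AUTH_TAG_LEN) -> dict:
    """Return the fields of an SRTP packet that are readable without a key."""
    if len(packet) < 12:
        raise ValueError("shorter than the 12-byte fixed RTP header")
    b0, b1, seq, ts, ssrc = struct.unpack("!BBHII", packet[:12])
    if b0 >> 6 != 2:
        raise ValueError("not RTP version 2")
    csrc_count = b0 & 0x0F
    offset = 12 + 4 * csrc_count
    if len(packet) < offset:
        raise ValueError("truncated CSRC list")
    csrcs = list(struct.unpack(f"!{csrc_count}I", packet[12:offset]))
    has_ext = bool(b0 & 0x10)
    if has_ext:
        # RFC 3711 leaves the RTP header extension in the clear as well.
        if len(packet) < offset + 4:
            raise ValueError("truncated header extension")
        _profile, ext_words = struct.unpack("!HH", packet[offset:offset + 4])
        offset += 4 + 4 * ext_words
    if len(packet) < offset + tag_len:
        raise ValueError("too short for payload and authentication tag")
    return {
        "padding": bool(b0 & 0x20),
        "extension": has_ext,
        "marker": bool(b1 & 0x80),
        "payload_type": b1 & 0x7F,   # reveals which codec slot is in use
        "sequence": seq,             # reveals packet loss and reordering
        "timestamp": ts,             # reveals media timing
        "ssrc": ssrc,                # identifies the media stream
        "csrcs": csrcs,
        # Everything after the header is opaque: only its size is visible.
        "ciphertext_len": len(packet) - offset - tag_len,
    }


# Constructed sample: marker set, PT 111, seq 4660, ts 160000, SSRC 0xDEADBEEF,
# then 20 zero bytes standing in for ciphertext and 10 for the auth tag.
SAMPLE = struct.pack("!BBHII", 0x80, 0x80 | 111, 4660, 160000, 0xDEADBEEF) + bytes(30)

if __name__ == "__main__":
    for name, value in parse_srtp_cleartext(SAMPLE).items():
        print(f"{name}: {value}")
```

The payload length, sequence numbers and timestamps alone are enough for a passive observer to estimate bitrate and talk patterns, which is the metadata exposure mentioned above.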