What is Secure Real-Time Transport Protocol (Secure RTP or SRTP)?
Secure Real-time Transport Protocol (Secure RTP or SRTP) is a security extension for the Real-Time Transport Protocol (RTP). The purpose of SRTP is to prevent audio and video transmissions from being intercepted or compromised while data is in transit over an IP network.
Secure RTP is used by many popular voice over IP (VoIP), videoconferencing, telemedicine, unified communications (UC), online gaming, and IP-surveillance platforms.
This lightweight extension for RTP uses encryption to protect data privacy, a hash-based message authentication code (HMAC) to verify data authenticity and integrity, and packet sequence numbering to prevent replay attacks.
Key Takeaways
- Secure real-time transport protocol (SRTP) is an extension of the real-time transport protocol (RTP).
- SRTP uses encryption, hash-based message authentication, and sequence numbering to secure real-time data deliveries that require low latency.
- SRTP is defined in RFC 3711 by the Internet Engineering Task Force (IETF).
- SRTP is designed to be lightweight and work in conjunction with other communication and security protocols.
- SRTP is compatible with most real-time communication platforms.
Why SRTP is Important
In the early 2000s, audio and video transmissions over the Internet relied heavily on the real-time transport protocol, which is designed for delivering real-time audio and video data with minimal latency.
Network administrators and security engineers began to see new ways that RTP was vulnerable to cyberattacks. After collaborating with Cisco and other vendors, however, they came up with a proposal to enhance RTP with security features.
The proposal, known as Secure RTP, used encryption, message authentication, and data integrity checks to protect data in transit while still maintaining low latency. In 2004, a working group from the Internet Engineering Task Force (IETF) formalized the proposal and published RFC 3711.
Today, SRTP is an essential component of secure real-time communication over untrusted networks like the Internet. The protocol’s thoughtful, lightweight design allows it to be used alongside other communication protocols and supports a wide variety of use cases.
Use Cases for SRTP
SRTP’s ability to secure RTP made it a popular choice for developers working on a wide range of real-time communication applications:
How the Secure Real-Time Transport Protocol Works
Real-time communication can contain private, business-critical, or legally protected information. To secure data transmissions, Secure RTP encrypts data packet payloads (the actual content) with Advanced Encryption Standard (AES). This ensures that even if a transmission is intercepted, the actual audio and/or video content cannot be understood by an unauthorized entity.
To verify that data in transit hasn’t been tampered with, SRTP includes a hash-based message authentication code. To prevent replay attacks that reuse old packets to initiate unauthorized actions, SRTP tracks packets with sequence numbers. If a packet is duplicated or received out of order, it is discarded.
It’s important to note that even though SRTP encrypts a packet’s payload, it doesn’t encrypt the entire packet header. Some fields, like IP addresses, need to remain visible for routing purposes and to enable RTP to function correctly. When secure RTP packets are sent through a VPN tunnel, however, the virtual private network (VPN) connection will encrypt the entire packet and mask IP addresses and other header details to provide stronger privacy.
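The receiver-side checks described above, as an added sketch that is not from the original article or from any SRTP library. It assumes RFC 3711's default HMAC-SHA1 tag truncated to 80 bits and a 64-packet replay window; the names protect, Receiver and accept are hypothetical, the payload is constructed stand-in ciphertext (AES is omitted), and the rollover counter is passed in rather than estimated. RFC 3711 implements the replay check as a sliding window over packet indices: a packet is rejected when its index was already received or has fallen behind the window.

```python
import hashlib
import hmac
import struct

TAG_LEN = 10   # RFC 3711 default: HMAC-SHA1 truncated to 80 bits
WINDOW = 64    # replay window size; RFC 3711 requires at least 64

def protect(auth_key, seq, ssrc, ciphertext, roc=0):
    """Sender side: clear RTP header + already-encrypted payload + auth tag."""
    header = struct.pack("!BBHII", 0x80, 0, seq, 0, ssrc)  # V=2, PT=0, timestamp=0
    # The tag covers header and payload plus the rollover counter (ROC),
    # which is part of the MAC input but is never transmitted.
    msg = header + ciphertext + struct.pack("!I", roc)
    return header + ciphertext + hmac.new(auth_key, msg, hashlib.sha1).digest()[:TAG_LEN]

class Receiver:
    def __init__(self, auth_key):
        self.auth_key = auth_key
        self.highest = -1   # highest authenticated packet index so far
        self.seen = 0       # bitmask: bit n set means index (highest - n) was received

    def accept(self, packet, roc=0):
        # The RTP header is sent in the clear, so the sequence number
        # can be read without any key.
        seq = struct.unpack("!H", packet[2:4])[0]
        index = (roc << 16) | seq
        delta = self.highest - index
        # 1. Replay check: reject duplicates and packets behind the window.
        if delta >= WINDOW:
            return "too old"
        if delta >= 0 and (self.seen >> delta) & 1:
            return "replay"
        # 2. Verify the tag over header + payload + ROC, in constant time.
        body, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
        msg = body + struct.pack("!I", roc)
        expected = hmac.new(self.auth_key, msg, hashlib.sha1).digest()[:TAG_LEN]
        if not hmac.compare_digest(expected, tag):
            return "bad tag"
        # 3. Only an authenticated packet may update the replay state.
        if delta < 0:
            self.seen = ((self.seen << -delta) | 1) & ((1 << WINDOW) - 1)
            self.highest = index
        else:
            self.seen |= 1 << delta
        return "ok"
```

Because the replay state is updated only after the tag verifies, a forged packet with a high sequence number cannot push the window forward and cause genuine packets to be dropped.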
Key Features of Secure Real-Time Transport Protocol
SRTP is a versatile security protocol that can be applied to any real-time data transmitted with RTP.
The protocol’s most important features are:
Benefits of SRTP for Secure Communications
SRTP’s encryption and authentication features help organizations comply with data protection regulations like HIPAA (for healthcare) and GDPR (for data privacy).
Both regulations require safeguards to protect the confidentiality, integrity, and privacy of sensitive information, and SRTP’s security measures help make sure that real-time communications meet these regulatory compliance requirements.
Secure Real-Time Transport Protocol Pros and Cons
SRTP offers significant security benefits for real-time communication, but it’s important to be aware of the protocol’s limitations and potential challenges.
Pros
- Secure RTP helps prevent eavesdropping and man-in-the-middle attacks (MITM)
- It has minimal overhead, ensuring real-time application performance
- Supports AES with 128-bit and 256-bit keys, allowing flexible encryption
- SRTP is an IETF standard, so it’s well-known and has been widely adopted
- Helps organizations meet security requirements for regulations like HIPAA and GDPR
Cons
- SRTP’s complexity can make back-end implementation challenging
- It protects multimedia packet payloads but leaves some packet header fields exposed
- SRTP’s encryption and authentication can add computational overhead, affecting playback on resource-limited mobile devices
- Default settings on firewalls can block SRTP and create a poor user experience (UX)
The Bottom Line
Secure real-time transport protocol, by definition, enhances the security of real-time communication by layering confidentiality, integrity, and authentication mechanisms on top of the underlying real-time transport protocol.
Technically, SRTP encapsulates the RTP packets and adds its own security headers before completing encryption and authentication operations. This process ensures that real-time data is protected from eavesdropping, tampering, and other security threats while it’s being transmitted over the network.
FAQs
What is secure real-time transport protocol in simple terms?
What are real-time protocols in real-time systems?
What is the difference between SRTP and RTP?
How is SRTP encrypted?
References
- RFC 3711 – The Secure Real-time Transport Protocol (SRTP) (Datatracker.ietf)
- The leader in collaboration & customer experience | Webex (Webex)
- Avaya | Leader in CX, Cloud Collaboration & Contact Center Solutions (Avaya)
- Video Conferencing, Meetings, Calling | Microsoft Teams (Microsoft)
- One platform to connect | Zoom (Zoom)
- Skype for Business Online (Microsoft)
- Hybrid Care at Scale | Amwell (Business.amwell)
- Telehealth & Telemedicine Provider | Teladoc Health (Teladochealth)
- Cisco Unified Communications Manager – Cisco (Cisco)
- Avaya Aura | Business Platform for Unified Comms & Customer Experience (Avaya)
- UniFi Camera Security – Ubiquiti (Ui)