Secure Real-Time Transport Protocol (Secure RTP or SRTP)

What is Secure Real-Time Transport Protocol (Secure RTP or SRTP)?

Secure Real-time Transport Protocol (Secure RTP or SRTP) is a security extension for the Real-Time Transport Protocol (RTP). The purpose of SRTP is to prevent audio and video transmissions from being intercepted or compromised while data is in transit over an IP network.

Secure RTP is used by many popular voice over IP (VoIP), videoconferencing, telemedicine, unified communications (UC), online gaming, and IP-surveillance platforms.

This lightweight extension for RTP uses encryption to protect data privacy, a hash-based message authentication code (HMAC) to verify data authenticity and integrity, and packet sequence numbering to prevent replay attacks.

Key Takeaways

  • Secure real-time transport protocol (SRTP) is an extension of the real-time transport protocol (RTP).
  • SRTP uses encryption, hash-based message authentication, and sequence numbering to secure real-time data deliveries that require low latency.
  • SRTP is defined in RFC 3711 by the Internet Engineering Task Force (IETF).
  • SRTP is designed to be lightweight and work in conjunction with other communication and security protocols.
  • SRTP is compatible with most real-time communication platforms.

Why SRTP is Important

In the early 2000s, audio and video transmissions over the Internet relied heavily on the real-time transport protocol, which is designed for delivering real-time audio and video data with minimal latency.

Network administrators and security engineers began to see new ways that RTP was vulnerable to cyberattacks. After collaborating with Cisco and other vendors, however, they came up with a proposal to enhance RTP with security features.

The proposal, known as Secure RTP, used encryption, message authentication, and data integrity checks to protect data in transit while still maintaining low latency. In 2004, a working group from the Internet Engineering Task Force (IETF) formalized the proposal and published RFC 3711.

Today, SRTP is an essential component of secure real-time communication over untrusted networks like the Internet. The protocol’s thoughtful, lightweight design allows it to be used alongside other communication protocols and supports a wide variety of use cases.

Use Cases for SRTP

SRTP’s ability to secure RTP made it a popular choice for developers working on a wide range of real-time communication applications:

  • Voice over IP (VoIP): Cisco Webex, Avaya, and Microsoft Teams use SRTP to secure audio streams during calls and protect users’ voice data from eavesdropping and tampering.
  • Video conferencing: Zoom, Google Meet, and Skype for Business use SRTP to secure video and audio streams and ensure privacy and data integrity for conferencing participants.
  • Telemedicine: Amwell and Teladoc use SRTP to safeguard patient confidentiality during online medical consultations.
  • Unified communications: Cisco Unified Communications Manager and Avaya Aura use SRTP to enable secure real-time collaboration across distributed teams.
  • IP surveillance: Ubiquiti uses SRTP to encrypt video streams between cameras and their network video recorder (NVR).

How the Secure Real-Time Transport Protocol Works

Real-time communication can contain private, business-critical, or legally protected information. To secure data transmissions, Secure RTP encrypts data packet payloads (the actual content) with Advanced Encryption Standard (AES). This ensures that even if a transmission is intercepted, the actual audio and/or video content cannot be understood by an unauthorized entity.

To verify that data in transit hasn’t been tampered with, SRTP includes a hash-based message authentication code. To prevent replay attacks that reuse old packets to initiate unauthorized actions, SRTP tracks packets with sequence numbers. If a packet is duplicated or received out of order, it is discarded.

It’s important to note that even though SRTP encrypts a packet’s payload, it doesn’t encrypt the entire packet header. Some fields, like IP addresses, need to remain visible for routing purposes and enable RTP to function correctly. When secure RTP packets are sent through a VPN tunnel, however, the virtual private network (VPN) connection will encrypt the entire packet and mask IP addresses and other header details to provide stronger privacy.
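The receiver-side checks described above, as an added example that is not from the original article: it follows the sliding-window replay check and truncated HMAC-SHA1 tag of RFC 3711, where a late packet inside the window is still accepted while duplicates, packets older than the window, and tampered packets are dropped. The key, SSRC and payload bytes are constructed; the payload stands in for AES-encrypted media, and the rollover counter is assumed to stay at 0.

```python
import hashlib, hmac, struct

TAG_LEN = 10   # 80-bit truncated HMAC-SHA1 tag (RFC 3711 default)
WINDOW = 64    # replay window size in packets (RFC 3711 minimum)

def rtp_packet(seq, payload, ssrc=0x1234ABCD, ts=0):
    """12-byte RTP header (version 2) plus payload (stand-in for ciphertext)."""
    return struct.pack("!BBHII", 0x80, 0, seq, ts, ssrc) + payload

def auth_tag(key, packet, roc):
    """Tag covers the cleartext header, the payload and the rollover counter."""
    mac = hmac.new(key, packet + struct.pack("!I", roc), hashlib.sha1)
    return mac.digest()[:TAG_LEN]

def protect(key, packet, roc=0):
    """Sender side: append the authentication tag to the packet."""
    return packet + auth_tag(key, packet, roc)

def visible_fields(srtp):
    """Header fields any on-path observer can read without a key."""
    _, _, seq, _, ssrc = struct.unpack("!BBHII", srtp[:12])
    return seq, ssrc

class Receiver:
    def __init__(self, key):
        self.key, self.roc = key, 0   # assumption: no sequence rollover
        self.highest = -1             # highest authenticated packet index
        self.seen = 0                 # bit n set => index (highest - n) received

    def accept(self, srtp):
        if len(srtp) < 12 + TAG_LEN:
            return "drop: too short"
        body, tag = srtp[:-TAG_LEN], srtp[-TAG_LEN:]
        index = (self.roc << 16) | visible_fields(body)[0]
        delta = self.highest - index
        if delta >= WINDOW:
            return "drop: too old"
        if delta >= 0 and (self.seen >> delta) & 1:
            return "drop: replay"
        if not hmac.compare_digest(tag, auth_tag(self.key, body, self.roc)):
            return "drop: bad tag"
        # Only an authenticated packet may move the window.
        if delta < 0:
            self.seen = ((self.seen << -delta) | 1) & ((1 << WINDOW) - 1)
            self.highest = index
        else:
            self.seen |= 1 << delta
        return "accept"
```

Because the window is updated only after the tag verifies, a forged packet with a high sequence number cannot push genuine packets out of the window.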

Key Features of Secure Real-Time Transport Protocol

SRTP is a versatile security protocol that can be applied to any real-time data transmitted with RTP.

The protocol’s most important features are:

  • Confidentiality: SRTP ensures that only the intended recipients can decrypt packet payloads.
  • Message authentication: SRTP ensures that new packets are from the expected source and haven’t been tampered with during transmission.
  • Replay protection: SRTP prevents threat actors from capturing and transmitting packets to disrupt communication or inject false information.
  • Key management: SRTP uses strong encryption key management protocols to ensure encryption keys are exchanged securely and protected at rest.
  • Flexibility and extensibility: SRTP can be tailored to meet specific security requirements and accommodate future protocols and advancements in cryptography.
  • Lightweight design: SRTP requires minimal processing in order to maintain low latency.

Benefits of SRTP for Secure Communications

SRTP’s encryption and authentication features help organizations comply with data protection regulations like HIPAA (for healthcare) and GDPR (for data privacy).

Both regulations require safeguards to protect the confidentiality, integrity, and privacy of sensitive information, and SRTP’s security measures help make sure that real-time communications meet these regulatory compliance requirements.

Secure Real-Time Transport Protocol Pros and Cons

SRTP offers significant security benefits for real-time communication, but it’s important to be aware of the protocol’s limitations and potential challenges.

Pros

  • Secure RTP helps prevent eavesdropping and man-in-the-middle (MITM) attacks
  • It has minimal overhead, ensuring real-time application performance
  • Supports AES with 128-bit and 256-bit keys, allowing flexible encryption
  • SRTP is an IETF standard, so it’s well-known and has been widely adopted
  • Helps organizations meet security requirements for regulations like HIPAA and GDPR

Cons

  • SRTP’s complexity can make back-end implementation challenging
  • It protects multimedia packet payloads but leaves some packet header fields exposed
  • SRTP’s encryption and authentication can add computational overhead, affecting playback on resource-limited mobile devices
  • Default settings on firewalls can block SRTP and create a poor user experience (UX)

The Bottom Line

Secure real-time transport protocol, by definition, enhances the security of real-time communication by layering confidentiality, integrity, and authentication mechanisms on top of the underlying real-time transport protocol.

Technically, SRTP encapsulates the RTP packets and adds its own security headers before completing encryption and authentication operations. This process ensures that real-time data is protected from eavesdropping, tampering, and other security threats while it’s being transmitted over the network.

Margaret Rouse
Technology Expert

Margaret is an award-winning technical writer and teacher known for her ability to explain complex technical subjects to a non-technical business audience. Over the past twenty years, her IT definitions have been published by Que in an encyclopedia of technology terms and cited in articles by the New York Times, Time Magazine, USA Today, ZDNet, PC Magazine, and Discovery Magazine. She joined Techopedia in 2011. Margaret's idea of a fun day is helping IT and business professionals learn to speak each other’s highly specialized languages.