<!-- go/cmark -->
<!--* freshness: {owner: 'hta' reviewed: '2021-05-13'} *-->
# SRTP in WebRTC
WebRTC mandates encryption of media by means of the Secure Realtime Protocol, or
SRTP, which is described in
The key negotiation in WebRTC happens using DTLS-SRTP which is described in
but not enabled by default.
Unencrypted RTP can be enabled for debugging purposes by setting the
PeerConnection's [`disable_encryption`][1] option to true.
## Supported cipher suites
The implementation supports the following cipher suites:

* SRTP_AES128_CM_HMAC_SHA1_80
* SRTP_AEAD_AES_128_GCM
* SRTP_AEAD_AES_256_GCM

The SRTP_AES128_CM_HMAC_SHA1_32 cipher suite is accepted for audio-only
connections if offered by the other side. It is not actively supported, see
[SelectCrypto][2] for details.
The cipher suite ordering allows a non-WebRTC peer to prefer GCM cipher suites;
however, they are not selected by default between two instances of the WebRTC library.
## cricket::SrtpSession
The [`cricket::SrtpSession`][3] provides encryption and decryption of SRTP
provided by `SrtpTransport` or `DtlsSrtpTransport` in the [`SetSend`][4] and
[`SetRecv`][5] methods.
Encryption and decryption happen in-place in the [`ProtectRtp`][6],
[`ProtectRtcp`][7], [`UnprotectRtp`][8] and [`UnprotectRtcp`][9] methods. The
`SrtpSession` class also takes care of initializing and deinitializing `libsrtp`
by keeping track of how many instances are being used.
## webrtc::SrtpTransport and webrtc::DtlsSrtpTransport
The [`webrtc::SrtpTransport`][10] class controls the `SrtpSession`
instances for RTP and RTCP. When
`SrtpSession` for RTCP is not needed.
[`webrtc::DtlsSrtpTransport`][11] is a subclass of the `SrtpTransport` that
extracts the keying material when the DTLS handshake is done and configures it
in its base class. It will also become writable only once the DTLS handshake is
done.
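
How the keying material extracted after the DTLS handshake maps to send and receive keys, as an added example that is not WebRTC's own code: it follows the exporter layout of RFC 5764 section 4.2 for the three supported suites listed above. The function names, the `SrtpKeys` struct and the sample bytes are assumptions made for illustration.

```cpp
#include <cstddef>
#include <cstdint>
#include <string>
#include <vector>

using Bytes = std::vector<uint8_t>;
struct SrtpKeys {  // hypothetical holder, not a WebRTC type
  Bytes send;  // master key || master salt for protecting outgoing packets
  Bytes recv;  // master key || master salt for unprotecting incoming packets
};

// Master key / salt lengths in bytes for the suites listed on this page.
bool KeyLensForSuite(const std::string& suite, size_t* key, size_t* salt) {
  if (suite == "SRTP_AES128_CM_HMAC_SHA1_80") { *key = 16; *salt = 14; return true; }
  if (suite == "SRTP_AEAD_AES_128_GCM") { *key = 16; *salt = 12; return true; }
  if (suite == "SRTP_AEAD_AES_256_GCM") { *key = 32; *salt = 12; return true; }
  return false;  // unknown suite: refuse rather than guess lengths
}

// `exported` is the DTLS exporter output (label "EXTRACTOR-dtls_srtp"), laid
// out as client_key | server_key | client_salt | server_salt.
bool SplitDtlsSrtpKeys(const Bytes& exported, const std::string& suite,
                       bool is_dtls_client, SrtpKeys* out) {
  size_t k = 0, s = 0;
  if (!KeyLensForSuite(suite, &k, &s)) return false;
  if (exported.size() != 2 * (k + s)) return false;  // wrong exporter length
  auto join = [&](size_t key_off, size_t salt_off) -> Bytes {
    Bytes b(exported.begin() + key_off, exported.begin() + key_off + k);
    b.insert(b.end(), exported.begin() + salt_off,
             exported.begin() + salt_off + s);
    return b;
  };
  const Bytes client = join(0, 2 * k);
  const Bytes server = join(k, 2 * k + s);
  // The DTLS client sends with the client write key and receives with the
  // server write key; the DTLS server mirrors this.
  out->send = is_dtls_client ? client : server;
  out->recv = is_dtls_client ? server : client;
  return true;
}

int main() {
  Bytes exported(60);  // constructed sample bytes, not real keying material
  for (size_t i = 0; i < exported.size(); ++i) exported[i] = (uint8_t)i;
  SrtpKeys keys;
  return SplitDtlsSrtpKeys(exported, "SRTP_AES128_CM_HMAC_SHA1_80", true, &keys) ? 0 : 1;
}
```

Rejecting a length mismatch up front keeps a suite/exporter disagreement from silently producing truncated or overlapping keys.
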
## cricket::SrtpFilter
The [`cricket::SrtpFilter`][12] class is used to negotiate SDES.