Understanding SDES vs DTLS-SRTP


pablo platt

Dec 11, 2013, 4:49:24 PM12/11/13
to discuss...@googlegroups.com
I have SDES [1] working and now need to use DTLS-SRTP [2] instead.

Is the only difference in the way the keys are exchanged?
Do the keys and encryption protocols work the same way after exchanging the keys?
In SDES keys are exchanged over the signaling channel with SDP and in DTLS-SRTP the keys are exchanged over a secure DTLS connection?

In DTLS-SRTP, are SRTP packets exchanged over the secure DTLS channel?
If they are, isn't that double security?

If I have a library that gives me a DTLS connection, do I need to change something in the way it works or is the DTLS step transparent to the RTP server?
I saw in the docs the need for ClientHello + use_srtp. Does DTLS API usually let me do that?

Thanks

Kaiduan Xie

Dec 11, 2013, 5:00:53 PM12/11/13
to discuss...@googlegroups.com
Q: Is the only difference in the way the keys are exchanged?

A: Yes.

Q: Do the keys and encryption protocols work the same way after exchanging the keys?

A: Yes

Q: In SDES keys are exchanged over the signaling channel with SDP and in DTLS-SRTP the keys are exchanged over a secure DTLS connection?

A: Yes

Q: In DTLS-SRTP, are SRTP packets exchanged over the secure DTLS channel?
If they are, isn't that double security?

A: No.

The DTLS library needs to support the use_srtp extension as described in RFC 5764.

Pablo, I assume the DTLS library you mentioned is Erlang DTLS. Does it support use_srtp extension?

Thanks,

/Kaiduan




--
 
---
You received this message because you are subscribed to the Google Groups "discuss-webrtc" group.
To unsubscribe from this group and stop receiving emails from it, send an email to discuss-webrt...@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.

pablo platt

Dec 11, 2013, 5:12:58 PM12/11/13
to discuss...@googlegroups.com
On Thu, Dec 12, 2013 at 12:00 AM, Kaiduan Xie <kaid...@gmail.com> wrote:
Q: Is the only difference in the way the keys are exchanged?

A: Yes.

Q: Do the keys and encryption protocols work the same way after exchanging the keys?

A: Yes

Q: In SDES keys are exchanged over the signaling channel with SDP and in DTLS-SRTP the keys are exchanged over a secure DTLS connection?

A: Yes

Q: In DTLS-SRTP, are SRTP packets exchanged over the secure DTLS channel?
If they are, isn't that double security?

A: No.

So the DTLS channel is used only to exchange the SRTP keys and the SRTP packets are sent without DTLS?
Do I use the same IP/Port pairs for DTLS and SRTP?
 

In DTLS library needs to support use_srtp extension as described in rfc 5764.

Pablo, I assume the DTLS library you mentioned is Erlang DTLS. Does it support use_srtp extension?

How did you know I'm interested in the soon to be released Erlang DTLS support? :)
I'll ask if they can support it.
Does it mean that they only need to include this field? No other change needed in the DTLS library?

Kaiduan Xie

Dec 11, 2013, 8:48:58 PM12/11/13
to discuss...@googlegroups.com
The DTLS channel is used for sending/receiving SRTP packets, but the SRTP packets are not double encrypted/decrypted by the DTLS channel.

As said in RFC 5764 (please read sections 5.1.1 and 5.1.2):

   When a user of DTLS wishes to send an RTP packet in SRTP mode, it
   delivers it to the DTLS implementation as an ordinary application
   data write (e.g., SSL_write()).  The DTLS implementation then invokes
   the processing described in RFC 3711, Sections 3 and 4.  The
   resulting SRTP packet is then sent directly on the wire as a single
   datagram with no DTLS framing.  This provides an encapsulation of the
   data that conforms to and interoperates with SRTP.  Note that the RTP
   sequence number rather than the DTLS sequence number is used for
   these packets.
So the DTLS library needs to be modified as described in sections 5.1.1 and 5.1.2.

I saw your email on DTLS support from Erlang mail list :)

/Kaiduan
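Added example (Python, not code from the thread or from dtls4srtp): what the RFC 5764 passage above means for a receiver, namely that DTLS records and SRTP packets share one UDP port with no DTLS framing around SRTP, are told apart by the first byte (section 5.1.2), and SRTP is only accepted once the handshake has exported keys. The sample datagrams are constructed.

```python
import struct

# Constructed sample datagrams as they would arrive on one shared UDP port
# (not captured from any real session).
DTLS_HANDSHAKE = (bytes([22, 0xFE, 0xFF])                    # handshake, DTLS 1.0
                  + struct.pack("!H6sH", 0, b"\x00" * 6, 3)  # epoch, seq, length
                  + b"\x01\x00\x00")                         # truncated body
SRTP_PACKET = (bytes([0x80, 0x60]) + struct.pack("!HII", 1, 160, 0x11223344)
               + b"\xAA" * 20)                               # RTP v2 header + ciphertext
STUN_REQUEST = b"\x00\x01\x00\x00" + b"\x21\x12\xA4\x42" + b"\x00" * 12

def classify_packet(datagram: bytes) -> str:
    """First-byte demux from RFC 5764 section 5.1.2: 0..1 STUN, 20..63 DTLS,
    128..191 RTP/RTCP (SRTP/SRTCP here). SRTP carries no DTLS record header."""
    if not datagram:
        return "unknown"
    b = datagram[0]
    if b < 2:
        return "stun"
    if 20 <= b <= 63:
        return "dtls"
    if 128 <= b <= 191:
        return "srtp"
    return "unknown"

def parse_dtls_record_header(datagram: bytes) -> dict:
    """DTLS record header: type(1) version(2) epoch(2) seq(6) length(2).
    Version 0xFEFF (bytes 254,255) is DTLS 1.0."""
    if len(datagram) < 13:
        raise ValueError("short DTLS record")
    ctype, version, epoch, seq6, length = struct.unpack("!BHH6sH", datagram[:13])
    if length != len(datagram) - 13:
        raise ValueError("DTLS record length does not match datagram")
    return {"content_type": ctype, "version": version, "epoch": epoch,
            "seq": int.from_bytes(seq6, "big"), "length": length}

class PortDemux:
    """Routes datagrams from one socket. SRTP is only accepted once the DTLS
    handshake has exported keys (the caller sets srtp_keyed at that point)."""
    def __init__(self) -> None:
        self.srtp_keyed = False
        self.counts = {"stun": 0, "dtls": 0, "srtp": 0, "dropped": 0}

    def on_datagram(self, datagram: bytes) -> str:
        kind = classify_packet(datagram)
        if kind == "unknown" or (kind == "srtp" and not self.srtp_keyed):
            kind = "dropped"  # nothing to authenticate it with yet
        self.counts[kind] += 1
        return kind
```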

pablo platt

Dec 11, 2013, 9:03:42 PM12/11/13
to discuss...@googlegroups.com
Are you using Erlang's implementation with WebRTC?
Do you know how hard it will be to add support for DTLS-SRTP?

Thanks

Kaiduan Xie

Dec 11, 2013, 9:13:00 PM12/11/13
to discuss...@googlegroups.com
Pablo,

I use Erlang for the WebRTC signaling server/web server and to build a STUN/TURN server.

I do not think DTLS-SRTP is supported in Erlang's DTLS implementation, but you can contribute it back; adding SRTP support should not be that hard.

/Kaiduan

Sander Duan

Dec 19, 2013, 4:35:55 AM12/19/13
to discuss...@googlegroups.com
Hi Pablo and Kaiduan,

I have implemented a simplified version of client-side DTLS-SRTP based on Erlang/OTP R16Bx ssl application, we are using it in our MCU and it communicates with chrome and firefox quite well. 

I can share the code if you are interested in it.

My code is rather rough, and I am looking forward to the release of Erlang/OTP R17, which will officially support DTLS and will be released soon in 2014, as they declared. 

pablo platt

Dec 19, 2013, 4:51:40 AM12/19/13
to discuss...@googlegroups.com
Hi Sander,

I'd appreciate it if you can share your code.

Thanks


Sander Duan

Dec 19, 2013, 8:33:13 PM12/19/13
to discuss...@googlegroups.com

Take a look at the attachment.

The interface of the dtls4srtp module can be used as the following test code does:

test code begin,
----------------------------------------------------------------------------------------------------------------------------------
-module(dtls4srtp_test).
-export([as_client/0]).

-include_lib("ssl/src/ssl_internal.hrl").
-include_lib("ssl/src/ssl_handshake.hrl").
-include("dtls4srtp_record.hrl").

as_client() ->
    application:start(crypto),
    application:start(asn1),
    application:start(public_key),
    application:start(ssl),

    CertF = "./MyCert.pem",
    KeyF = "./MyCert_key.pem",

    Dtls = dtls4srtp:new(client, not_specified, undefined, CertF, KeyF),

    {ok, Socket} = gen_udp:open(5670, [binary, {active, true}, {recbuf, 8192}]),
    %% The owner process receives both outgoing DTLS flights and incoming UDP
    %% datagrams; the peer address is unknown until the {start, ...} message.
    Owner = spawn(fun() -> test_loop(Dtls, undefined, Socket) end),
    gen_udp:controlling_process(Socket, Owner),

    %% Mock peer address and certificate fingerprint (replace with real values).
    PeerIPPort = mock_peer_ipport(),
    PeerFingerprint = mock_peer_fingerprint(),
    Owner ! {start, PeerIPPort, PeerFingerprint},

    timer:send_after(3000, Owner, stop).

test_loop(D, Peer, Sock) ->
    receive
        {start, PeerIpPort, PeerFP} ->
            dtls4srtp:set_owner(D, self()),
            dtls4srtp:set_peer_cert_fingerprint(D, PeerFP),
            dtls4srtp:start(D),
            test_loop(D, PeerIpPort, Sock);
        %% Outgoing flight: a DTLS 1.0 record (version bytes 254,255) to send on the wire.
        {dtls, flight, <<_RecordType, 254, 255, _Epoch:16, _Seq:48, _Len:16, _ContentType, _Bin/binary>> = Data} ->
            io:format("Data:~n~p~n", [Data]),
            send_flight(Sock, Peer, Data),
            test_loop(D, Peer, Sock);
        %% Incoming datagram whose first byte has the bit pattern 00x1x1xx
        %% (covers the DTLS content types 20..23) goes to the DTLS state machine.
        {udp, _Socket, _Addr, _Port, <<0:2, _:1, 1:1, _:1, 1:1, _:2, _/binary>> = DtlsFlight} ->
            dtls4srtp:on_received(D, DtlsFlight),
            test_loop(D, Peer, Sock);
        stop ->
            dtls4srtp:shutdown(D),
            io:format("test stopped.~n")
    end.

mock_peer_ipport() ->
    {"x.x.x.x", 5670}.

mock_peer_fingerprint() ->
    {sha256, <<16#aaaaaaaaa...>>}.

send_flight(Sock, {PeerIp, PeerPort}, Data) ->
    gen_udp:send(Sock, PeerIp, PeerPort, Data).

----------------------------------------------------------------------------------------------------------------------------------
test code end.

The above test code cannot be copied and run unless the correct certificate files and peer fingerprint are provided, and there is a live peer DTLS server running.
dtls4srtp.zip

pablo platt

Dec 20, 2013, 5:55:37 PM12/20/13
to discuss...@googlegroups.com
Sander,

Is there a chance you could open a GitHub repo so others can contribute and test it?

How do I generate the certs?
Can I use the same certs for all users?

What is the flight message?

Where are SRTP packets?
Does your code handle SRTP or do I need to do it with my code?

Thank you for the code.



Sander Duan

Dec 23, 2013, 3:28:31 AM12/23/13
to discuss...@googlegroups.com
Is there a chance you could open a github repo so other can contribute and test it?
---We are waiting for the official Erlang/OTP implementation of DTLS-SRTP, as it will be carried out pretty soon. Before that, we have no plan to open source it to the public.

How do I generate the certs?
---You may generate the cert files and key files by using openssl; I did this by using a simplified Erlang module named 'erl_make_certs.erl' found on the internet.
Can I use the same certs for all users?
---Yes.

What is the flight message?
---A flight is a compound DTLS message, which contains 1 or more record-layer frames.

Where are SRTP packets?
---Once the DTLS channel is established, SRTP packets will be received from and sent to the UDP socket as specified to the 'Owner' in my test code.

Does your code handle SRTP or do I need to do it with my code?
---You need to handle SRTP packets yourself. DTLS only provides you the key material to encrypt/decrypt your SRTP/SRTCP packets.
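Added example (Python, not Sander's Erlang code): the key-material step described in the answer above, i.e. the RFC 5764 section 4.2 exporter output split into client/server SRTP master keys and salts for SRTP_AES128_CM_HMAC_SHA1_80, and which pair each side uses to protect its own packets. The TLS 1.2 PRF and the master secret/randoms are assumed and constructed here; a real DTLS stack exposes the exporter directly (for example OpenSSL's SSL_export_keying_material).

```python
import hashlib
import hmac

# RFC 5764 section 4.1.2: (master key bytes, master salt bytes) for the profile.
PROFILES = {"SRTP_AES128_CM_HMAC_SHA1_80": (16, 14)}
EXPORTER_LABEL = b"EXTRACTOR-dtls_srtp"  # RFC 5764 section 4.2, no context value

def tls12_prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.2 PRF built on P_SHA256 (assumes a SHA-256 based cipher suite)."""
    seed = label + seed
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()            # A(i)
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()  # P_hash block
    return out[:length]

def split_srtp_keying_material(material: bytes, profile: str) -> dict:
    """RFC 5764 section 4.2 layout: client key | server key | client salt | server salt."""
    key_len, salt_len = PROFILES[profile]
    if len(material) != 2 * (key_len + salt_len):
        raise ValueError("exporter output has the wrong length for this profile")
    client_key = material[:key_len]
    server_key = material[key_len:2 * key_len]
    client_salt = material[2 * key_len:2 * key_len + salt_len]
    server_salt = material[2 * key_len + salt_len:]
    return {"client_write": (client_key, client_salt),
            "server_write": (server_key, server_salt)}

def export_srtp_keys(master_secret: bytes, client_random: bytes,
                     server_random: bytes, profile: str) -> dict:
    """RFC 5705 exporter: PRF(master_secret, label, client_random + server_random)."""
    key_len, salt_len = PROFILES[profile]
    material = tls12_prf(master_secret, EXPORTER_LABEL,
                         client_random + server_random, 2 * (key_len + salt_len))
    return split_srtp_keying_material(material, profile)

def srtp_directions(role: str, keys: dict) -> dict:
    """The DTLS client protects outbound SRTP with client_write and unprotects
    inbound with server_write; the DTLS server does the reverse."""
    if role == "client":
        return {"send": keys["client_write"], "recv": keys["server_write"]}
    if role == "server":
        return {"send": keys["server_write"], "recv": keys["client_write"]}
    raise ValueError(role)

# Constructed handshake secrets, not from a real session.
MASTER_SECRET = bytes(range(48))
CLIENT_RANDOM, SERVER_RANDOM = b"\x11" * 32, b"\x22" * 32
```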

pablo platt

Feb 6, 2014, 4:21:16 PM2/6/14
to discuss...@googlegroups.com
@Sander,

It seems that Erlang R17 won't have full DTLS support?
Do you have good results with your own DTLS implementation?
Is there a chance you'll consider an open source project if the official Erlang DTLS is delayed?

Thanks

Max Lapshin

Aug 14, 2015, 1:17:17 PM8/14/15
to discuss-webrtc
This is absolutely amazing!


With small fixes the dtls4srtp.zip package is implementing DTLS!

Thanks, Sander!

pablo platt

Aug 14, 2015, 4:35:15 PM8/14/15
to discuss...@googlegroups.com
On Fri, Aug 14, 2015 at 8:17 PM, Max Lapshin <max.l...@gmail.com> wrote:
This is absolutely amazing!


With small fixes the dtls4srtp.zip package is implementing DTLS!

Only the client side.
 

Thanks, Sander!


Max Lapshin

Aug 15, 2015, 7:16:49 AM8/15/15
to discuss-webrtc
Well, it is a first but important step.

Right now I have small problems handling SRTP, but after DTLS I hope it will not be a problem.