DTLS application data header

Posted: 02/11/2016 06:55:03
by Peter  (Basic support level)
Joined: 01/14/2016
Posts: 13


I got the master secret but I need to decrypt the RTP packets.

In the library, is there a class that I can use to decrypt the byte array?

And in this case, how do I use it?

Posted: 02/11/2016 07:34:24
by Ken Ivanov (Team)


As far as I understand, prior to decrypting packets you have to generate session keys as explained in RFC 5764 p.4.2 and RFC 5705. To implement the extraction method described in RFC 5705 you can leverage your existing TElDTLSClient descendant to call protected methods of TElDTLSClient. The PRF() function referred to in RFC 5705 is implemented in the TLS1PRF() method.

While all encryption building blocks are implemented and available in SBB, it looks like SRTP uses its own encryption schemes (e.g. AES128-CM) based on CTR mode, explained in RFC 3711. As those schemes are SRTP-specific, you will need to implement them by yourself. You can use TElSymmetricCrypto (AES encryption) and TElHashFunction (HMAC functions) components to implement the SRTP scheme.

Posted: 02/11/2016 10:33:05
by Peter  (Basic support level)
Joined: 01/14/2016
Posts: 13


I got the session keys. I am trying to use the TElSymmetricCrypto class and I have these questions:

To decrypt the audio I am getting the RTP payload. Is this correct?

The AES256 cipher needs the input message to be a multiple of 16. But the RTP payload is 164 bytes.
To make the payload a multiple of 16, I am putting a zeroed padding buffer of 12 bytes before the payload.
What is the correct way to put the padding? After or before?

For creating an instance of the TElSymmetricCrypto class, I need to set the cipher suite (in my case it is TLS_RSA_WITH_AES_256_CBC_SHA). What constant defines this cipher suite in the library? And what TSBSymmetricCryptoMode should I pass to TElSymmetricCrypto CreateInstance?

Many thanks.

Posted: 02/11/2016 10:56:47
by Ken Ivanov (Team)

As per the spec, SRTP uses AES in CTR mode which doesn't require 16 byte block alignment. Please specify the cmCTR mode when creating the crypto object to make it work in CTR mode.

Cipher suites only apply to (D)TLS. We are not experts in SRTP, but it seems that it uses a different approach and its own encryption modes (as defined in RFC 3711).

The easiest way to create a crypto is using the factory:

TElSymmetricCryptoFactory fac = new TElSymmetricCryptoFactory();

TElSymmetricCrypto crypto = fac.CreateInstance(SBConstants.Unit.SB_ALGORITHM_CNT_AES256, TSBSymmetricCryptoMode.cmCTR);

TElSymmetricKeyMaterial km = new TElSymmetricKeyMaterial();
km.Key = ...;
km.IV = ...; // depending on particular CTR implementation, you might need to provide block number here
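
Added example, not part of the reply above and not EldoS code: a sketch of the RFC 3711 section 4.1.1 AES counter mode (AES-CM) transform built on plain .NET `System.Security.Cryptography` rather than SecureBlackbox, showing how the IV is formed and why a 164-byte payload needs no padding. It assumes the SRTP session key and 14-byte session salt are already derived and that the input is the encrypted portion only (RTP header and trailing authentication tag removed); the class name, method names and sample values are constructed for illustration.

```csharp
using System;
using System.Security.Cryptography;

static class SrtpAesCm
{
    // IV = (salt * 2^16) XOR (SSRC * 2^64) XOR (index * 2^16); the low 16 bits stay zero for the block counter.
    public static byte[] BuildIv(byte[] sessionSalt, uint ssrc, uint roc, ushort seq)
    {
        if (sessionSalt.Length != 14) throw new ArgumentException("session salt must be 14 bytes");
        var iv = new byte[16];
        Buffer.BlockCopy(sessionSalt, 0, iv, 0, 14);
        for (int k = 0; k < 4; k++) iv[4 + k] ^= (byte)(ssrc >> (24 - 8 * k));
        ulong index = ((ulong)roc << 16) | seq; // 48-bit packet index: rollover counter, then sequence number
        for (int k = 0; k < 6; k++) iv[8 + k] ^= (byte)(index >> (40 - 8 * k));
        return iv;
    }

    // XOR the payload with AES(key, IV + j); the same call encrypts and decrypts, and no padding is added.
    public static byte[] Transform(byte[] sessionKey, byte[] iv, byte[] payload)
    {
        if (payload.Length > 16 * 65536) throw new ArgumentException("payload exceeds 2^16 blocks");
        using var aes = Aes.Create();
        aes.Mode = CipherMode.ECB;          // single-block AES; counter mode is built by hand below
        aes.Padding = PaddingMode.None;
        aes.Key = sessionKey;
        using var enc = aes.CreateEncryptor();
        var counter = (byte[])iv.Clone();
        var block = new byte[16];
        var output = new byte[payload.Length];
        for (int off = 0, j = 0; off < payload.Length; off += 16, j++)
        {
            counter[14] = (byte)(j >> 8); counter[15] = (byte)j;   // block counter in the last 16 bits
            enc.TransformBlock(counter, 0, 16, block, 0);
            int n = Math.Min(16, payload.Length - off);            // final block may be partial
            for (int b = 0; b < n; b++) output[off + b] = (byte)(payload[off + b] ^ block[b]);
        }
        return output;
    }

    static void Main()
    {
        // Constructed sample values, not real key material.
        var key = new byte[16]; var salt = new byte[14];
        for (int i = 0; i < 16; i++) key[i] = (byte)i;
        for (int i = 0; i < 14; i++) salt[i] = (byte)(0xF0 + i);
        var payload = new byte[164];        // same length as the payload in the question
        var iv = BuildIv(salt, 0xDEADBEEF, 0, 1);
        var ct = Transform(key, iv, payload);
        var pt = Transform(key, iv, ct);
        Console.WriteLine($"{ct.Length} bytes out, round trip ok: {pt.AsSpan().SequenceEqual(payload)}");
    }
}
```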


Posted: 02/18/2016 10:48:52
by Peter  (Basic support level)
Joined: 01/14/2016
Posts: 13

Hi, I hope you can help me.

As per RFC 3711 p.3.3, I am following the section that indicates how to proceed to decrypt SRTP.
In another post you told me where the master key is.
Do you know where the master salt (to use as the IV) is in the DTLS object?

Many thanks.

Posted: 02/18/2016 11:54:58
by Ken Ivanov (Team)

Hi Peter,

As far as I understand SRTP (and I can hardly call myself an expert in it without looking further into the spec), you use the single DTLS master secret to generate the whole set of SRTP keys and IVs. There is no such parameter as master salt in DTLS, and you don't need it - every key you need for SRTP purposes is [supposedly] derived from the master key.

On a side note, I am afraid your questions have gone far beyond the scope of basic technical support that we can provide free of charge. We could probably have a deeper look into SRTP and come up with some further advice for you, but this can only be done on a paid basis. Sorry.



