If I understand DTLS-SRTP correctly, DTLS is used to exchange keys and then the endpoints switch to SRTP for encryption. What is the benefit of this setup versus just sending RTP over DTLS? Is it just about compatibility with existing SRTP stacks?
注:以下为rfc5764的学习笔记,不保证完全正确。
DTLS-SRTP是DTLS的一个扩展,将SRTP加解密与DTLS的key交换和会话管理相结合。从SRTP的角度看,是为其提供一种新的key协商管理的方法;从DTLS的角度看,是为应用数据提供一个新的数据格式(SRTP/SRTCP)。
1,应用层数据加解密是由SRTP完成的,要求必须是RTP/RTCP的格式。
2,DTLS的握手过程是为SRTP加解密过程协商使用哪种profile和密钥。
3,除了应用数据加密为SRTP格式,其他record-layer的报文仍为普通的DTLS格式(比如TLS control message)
4,当发送SRTP格式的应用层数据时,需要直接跳过DTLS加密层,将SRTP数据包透传到下层的数据传输层做发送。
由于密钥和加密参数是在DTLS握手过程中协商得到的,而此过程是保密的,因而相比常规的方式(比如在通过SDP消息交互来协商)更为安全。在发起DTLS握手之前,需要先设置use-srtp扩展。
接收端使用 DTLS-SRTP
自DTLS下层的传输层收到报文之后,需要根据包头特征手动区分做demultiplexing,一般可以如下进行
检查第一个报文的第一个字节
1,是[0, 1]时,表示可能是STUN报文
2,是[128, 191]时,表示可能时RTP(SRTP)报文
3,是[20, 63]时,表示可能是DTLS record layer报文
其他的类别请根据实际情况做区分处理
相关RFC标准
RFC3711 SRTP
RFC5705 Keying Material Exporters for TLS
from:https://www.cnblogs.com/lanyuliuyun/p/8289306.html
webrtc 是一套基于浏览器端实现媒体数据传输的新标准,引入了很多新概念,这其中包括dtls, sdes, dtls-srt, ice, turn, rtp-mux, BWE, FEC jSEP, tricle-ice等术语,
本篇文章先说dtls, dtls-srtp
DTLS:全称 Datagram transport layer security, 即udp + security,数据报层的安全,DTLS采用了TLS的安全机制,但是更轻量级,webrtc引入DTLS用于传输srtp数据包时的安全秘钥交换,dtls-srtp 在srtp基础上又提供了一层安全机制,比sdes更安全。
from:
http://blog.csdn.net/voipmaker
DTLS-SRTP is a key exchange mechanism that is mandated for use in WebRTC.
DTLS-SRTP uses DTLS to exchange keys for the SRTP media transport.
SRTP requires an external key exchange mechanism for sharing its session keys, and DTLS-SRTP does that by multiplexing the DTLS-SRTP protocol within the same session as the SRTP media itself.
This method is considered to be more secure than the SDES mechanism that was first used in WebRTC but later on banned from use altogether.
from:https://webrtcglossary.com/dtls-srtp/
|
7
| |
|
add a comment
|
|
9
|
It's all about encryption overhead; how much the extra data the encryption method extends the packet by. DTLS has a noticeable amount of overhead; the DTLS header alone is 13 bytes, and then you have the IV/nonce, and the tag; this overhead can be more than the actual VoIP payload. In contrast, SRTP was specifically designed to minimize this overhead; except for the tag (which is optional; IMHO, bad idea to omit it, but some people insisted), there is no overhead compared to RTP. You might ask "what's the big deal about encryption overhead? Doesn't the internet not care that much about packet sizes?" Well, yes, if you're talking about wired internet connections, actually, this overhead might not be that significant. However, for wireless, yes, people do worry about it, because:
from:https://crypto.stackexchange.com/questions/50328/why-would-one-choose-dtls-srtp-versus-just-rtp-over-dtls 大致交互流程webrtc使用sdp除了描述媒体类型,还有一些额外的字段来描述ice的连接候选项。
链接:https://www.jianshu.com/p/61e3c9e13456 |
2678
到【灌水乐园】发言
