Changes between Version 7 and Version 8 of SRTP


Timestamp:
Jan 25, 2008 9:39:25 AM (16 years ago)
Author:
bennylp
Comment:

--

  • SRTP

    v7 v8  
    11= SRTP Support in PJSIP = 
    22 
    3 This article describes about SRTP support in PJSIP , which was included in version 0.9 (see ticket #61). 
     3This article describes about SRTP support in PJSIP. SRTP support is included in version 0.9 (see ticket #61). 
    44 
    5 '''Table of Contents:''' 
     5'''Table of Contents''' 
    66[[PageOutline(2-3,,inline)]] 
     7 
     8---- 
     9 
     10== Features == 
     11 
     12The SRTP functionality in PJSIP has the following features: 
     13 - SRTP ([http://www.ietf.org/rfc/rfc3711.txt RFC 3711]), using the Open Source [http://sourceforge.net/projects/srtp/ libsrtp] library. 
     14 - Keys exchange using Security Descriptions for Media Streams (SDESC, [http://www.ietf.org/rfc/rfc4568.txt RFC 4568]) 
     15 - Supported cryptos: 
     16     - AES_CM_128_HMAC_SHA1_80 
     17     - AES_CM_128_HMAC_SHA1_32 
     18 - Secure RTCP (SRTCP) is supported. 
     19 
     20Negotiation of crypto session parameters in SDP is currently not supported. 
     21 
    722---- 
    823 
    924== Compatibility Info == 
    1025 
    11 Please note the following issues regarding compatibility with previous PJSIP code: 
     26Few notes regarding compatibility with previous PJSIP code. 
    1227 
    1328=== Build Systems === 
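Review bot: new line 20 says negotiation of crypto session parameters in SDP is not supported, but it does not say what happens when a remote offer carries them; state whether that crypto attribute is skipped or the offer is rejected, so interop failures can be diagnosed. On new line 14, "Keys exchange" should read "Key exchange", and RFC 4568 is normally abbreviated SDES rather than SDESC. New line 3 keeps "describes about", and new line 26 ("Few notes regarding ...") replaces a complete sentence with a fragment.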
     
    1732'''For GNU build systems:''' 
    1833  1. You will need to re-run {{{./configure}}}, {{{make dep}}} and {{{make}}} to update {{{build.mak}}} and rebuild the project dependencies. 
    19   1. If your Makefile includes {{{build.mak}}} (as explained in [wiki:Getting_Started_Using Getting Stared part 2], you just need to rebuild your application as the input libraries will be updated automatically. 
     34  1. If your Makefile includes {{{build.mak}}} (as explained in [wiki:Getting_Started_Using Getting Stared part 2]), you just need to rebuild your application as the input libraries will be updated automatically (by {{{build.mak}}}). 
    2035  1. If you maintain your own independent Makefile, please add {{{libsrtp-$(TARGET)}}} from {{{third_party/lib}}} directory to your input libraries.  
    2136 
    2237'''For Visual Studio 6 and 2005:''' 
    23   1. New {{{libsrtp}}} project has been added into PJSIP workspace. 
     38  1. New {{{libsrtp}}} project has been added into '''pjproject.dsw''' and '''pjproject-vs8.sln''' workspace. 
    2439  1. If you maintain your own application workspace, you need to add {{{libsrtp}}} project into your application. The {{{libsrtp}}} project files are in {{{third_party/build/srtp}}} directory. 
    2540 
    2641'''For Windows Mobile developments:''' 
    27   1. New {{{libsrtp}}} project has been added into PJSIP workspace. 
    28   1. If you maintain your own application workspace, you need to add {{{libsrtp}}} project into your application. The {{{libsrtp}}} project files are in {{{third_party/build/srtp}}} directory. 
    29   1. Make sure you import the Embedded Visual Studio project ({{{libsrtp.vcp}}}) rather than the Visual Studio ({{{libsrtp.vcproj}}}) project! 
     42  1. New {{{libsrtp}}} project has been added into '''wince_demos.vcw''' workspace (the workspace is located in {{{pjsip-apps/build/wince-evc4}}} directory). 
     43  1. If you maintain your own application workspace, you need to add '''{{{libsrtp.vcp}}}''' project into your application. The {{{libsrtp}}} project files are in {{{third_party/build/srtp}}} directory. 
     44  1. If you're using Visual Studio rather than Embedded Visual C++ 4, make sure you import the Embedded Visual Studio project ({{{libsrtp.vcp}}}) rather than the Visual Studio ({{{libsrtp.vcproj}}}) project! 
    3045 
    3146'''Symbian:''' 
    32   1. To be done. 
     47  1. Symbian port for libsrtp will be added soon. 
     48 
    3349 
    3450=== API Changes === 
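Review bot: new line 44 is hard to follow, because its condition names Embedded Visual C++ 4 as the alternative tool while the instruction refers to the "Embedded Visual Studio project" (libsrtp.vcp); name the tool consistently and say why libsrtp.vcproj must not be used for Windows Mobile. New line 34 fixes the missing parenthesis but keeps the "Getting Stared" typo in the link label, and the added "(by build.mak)" repeats what the start of the item already says. New line 47 ("will be added soon") would age better with a ticket reference.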
     
    7995=== Using SRTP in PJSUA-LIB === 
    8096 
    81 In [http://www.pjsip.org/pjsip/docs/html/group__PJSUA__LIB.htm PJSUA-LIB], the use of SRTP is controlled by settings in both [http://www.pjsip.org/pjsip/docs/html/structpjsua__config.htm pjsua_config] and [http://www.pjsip.org/pjsip/docs/html/structpjsua__acc__config.htm pjsua_acc_config]. The settings in [http://www.pjsip.org/pjsip/docs/html/structpjsua__config.htm pjsua_config] specifies the default settings for all accounts, and the settings in [http://www.pjsip.org/pjsip/docs/html/structpjsua__acc__config.htm pjsua_acc_config] can be used to further set the behavior for that specific account. 
     97In [http://www.pjsip.org/pjsip/docs/html/group__PJSUA__LIB.htm PJSUA-LIB], the use of SRTP is controlled by settings in both [http://www.pjsip.org/pjsip/docs/html/structpjsua__config.htm pjsua_config] and [http://www.pjsip.org/pjsip/docs/html/structpjsua__acc__config.htm pjsua_acc_config]. The settings in [http://www.pjsip.org/pjsip/docs/html/structpjsua__config.htm pjsua_config] specify the default settings for all accounts, and the settings in [http://www.pjsip.org/pjsip/docs/html/structpjsua__acc__config.htm pjsua_acc_config] can be used to further set the behavior for that specific account. 
    8298 
    83 In both {{{pjsua_config}}} and {{{pjsua_acc_config}}}, there are two configuration items to control: 
     99In both {{{pjsua_config}}} and {{{pjsua_acc_config}}}, there are two configuration items related to SRTP: 
    84100 
    85101 '''{{{use_srtp}}}''':: 
    86102  This option controls whether secure media transport (SRTP) should be used for this account. Valid values are: 
    87    - {{{PJMEDIA_SRTP_DISABLED}}} (0): SRTP is disabled, and incoming call with RTP/SAVP transport will be rejected. 
    88    - {{{PJMEDIA_SRTP_OPTIONAL}}} (1): SRTP will be advertised and SRTP will be used if remote supports it, but the call may fall back to unsecure media. 
     103   - {{{PJMEDIA_SRTP_DISABLED}}} (0): SRTP is disabled, and incoming call with RTP/SAVP transport will be rejected with 488/Not Acceptable Here response. 
     104   - {{{PJMEDIA_SRTP_OPTIONAL}}} (1): SRTP will be advertised and SRTP will be used if remote supports it, but the call may fall back to unsecure media. Incoming call with RTP/SAVP is accepted and responded with RTP/SAVP too. 
    89105   - {{{PJMEDIA_SRTP_MANDATORY}}} (2): secure media is mandatory, and the call can only proceed if secure media can be established. 
    90106  The default value for this option is {{{PJSUA_DEFAULT_USE_SRTP}}}, which is zero (disabled). 
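Review bot: new lines 103 and 104 now spell out how an incoming RTP/SAVP call is handled for DISABLED and OPTIONAL, but line 105 for PJMEDIA_SRTP_MANDATORY still only says the call "can only proceed if secure media can be established"; add what an incoming call without SRTP gets back, matching the 488 wording on line 103. Since OPTIONAL "may fall back to unsecure media", line 104 should also say that an account needing confidentiality must use MANDATORY, and how the application learns which outcome was negotiated.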
     
    92108 '''{{{srtp_secure_signaling}}}''':: 
    93109  This option controls whether SRTP requires secure signaling to be used. This option is only used when {{{use_srtp}}} option above is non-zero. Valid values are: 
    94      - 0: SRTP does not require secure signaling 
    95      - 1: SRTP requires secure transport such as TLS 
    96      - 2: SRTP requires secure end-to-end transport (SIPS) 
     110     - 0: SRTP does not require secure signaling (not recommended) 
     111     - 1: SRTP requires secure transport such as TLS to be used. 
     112     - 2: SRTP requires secure end-to-end transport ('''sips:''' URI scheme) to be used. 
    97113  The default value for this option is {{{PJSUA_DEFAULT_SRTP_SECURE_SIGNALING}}}, which is 1 (require TLS transport). 
    98114 
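Review bot: the "(not recommended)" added on new line 110 gives no reason; say that with key exchange carried in SDP (RFC 4568, per the Features list) the SRTP keys are readable by anyone who can see the signaling, which is why value 0 should be limited to testing. Lines 111 and 112 could also state what happens to a call when the required transport is not in use (rejected, or placed without SRTP).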
     
    102118=== pjsua === 
    103119 
    104 New option '''---use-srtp''' is added, with valid values are 0, 1, or 2. This corresponds to {{{use_srtp}}} setting above. 
     120Two new options were added to [http://www.pjsip.org/pjsua.htm pjsua]: 
     121 
     122 '''{{{--use-srtp=N}}}''' 
     123   This corresponds to {{{use_srtp}}} setting above. Valid values are 0, 1, or 2. Default value is 0. 
     124 
     125 '''{{{--srtp-secure=N}}}''' 
     126   This corresponds to {{{srtp_secure_signaling}}} setting above. Valid values are 0, 1, or 2. Default value is 1. 
    105127 
    106128Sample usage: 
    107129{{{ 
    108  $ ./pjsua --use-tls --use-srtp=1 
     130 $ ./pjsua --use-tls --use-srtp=1 sip:alice@example.com;transport=tls 
    109131}}} 
    110  
    111 Note: we need to enable TLS since by default SRTP requires secure signaling to be used (see ''srtp_secure_signaling'' setting above). If you want to use SRTP with non-secure transport (which is not recommended unless for testing purpose only!), you can modify ''srtp_secure_signaling'' setting in pjsua application. 
    112132 
    113133 
    114134=== Using SRTP Transport Directly === 
    115135 
    116 The SRTP transport may also be used directly without having to involve SDP negotiations. However, you will need to have a different mechanism to exchange keys between endpoints. 
     136The SRTP transport may also be used directly without having to involve SDP negotiations (for example, to use SRTP without SIP). Please see '''streamutil''' from the samples collection for a sample application. For this to work, you will need to have a different mechanism to exchange keys between endpoints. 
    117137 
    118138To use SRTP transport directly: 
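Review bot: in the sample on new line 130 the URI is unquoted, so a POSIX shell ends the command at the ";" and treats transport=tls as a separate statement; pjsua never sees the transport parameter. Quote the argument, e.g. "sip:alice@example.com;transport=tls". The change also drops the note on old line 111 that explained why --use-tls is needed; keep one sentence of it, since the default of --srtp-secure is 1 (new line 126). On new line 136, streamutil is named without a link or path.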
     
    129149=== Changes in Media Transport Interface === #med-tp-changes 
    130150 
    131 Since the availability of SRTP changes contents of SDP (Session Description Protocol) and the SDP negotiation, we need to add new interfaces in PJMEDIA transport API to allow media transport to modify and negotiate SDP. Incidently this would work well with ICE too (previously we treat ICE as a special kind of media transport so it is treated differently, but with this new interfaces, all media transports will behave uniformly (anyway that's what API abstraction is for!)). 
     151Since the availability of SRTP changes SDP (Session Description Protocol) contents and the SDP negotiation, we needed to modify/add new interfaces in PJMEDIA transport API to allow media transport to modify and negotiate SDP. Incidently this would work well with ICE too (previously we treat ICE as a special kind of media transport so it is treated differently, but with this new interfaces, all media transports will behave uniformly (anyway that's what API abstraction is for!)). 
    132152 
    133153New interfaces in media transport are as follows (please consult the PJMEDIA transport documentation for more info): 
    134154 
    135155 '''media_create()''':: 
    136   This callback is called by application (or PJSUA-LIB) to allow the media transport to add more information in the SDP offer, before the offer is sent to remote. Additionally, for answerer side, this callback allows the media transport to reject the offer from the remote before this offer is processed by the SDP negotiator. 
     156  This callback is called by application (or PJSUA-LIB) to allow the media transport to add more information in the SDP offer, before the offer is sent to remote. Additionally, for answerer side, this callback allows the media transport to reject the offer before this offer is processed by the SDP negotiator. 
    137157 
    138158 '''media_start()''':: 
    139   This callback is called after offer and answer are negotiated, and before the media is started. For answerer side, this callback will be called before the answer is sent to remote, to allow media transport to put additional info in the SDP. The media transport also has the final chance to negotiate the offer and answer before media is really started. 
     159  This callback is called after offer and answer are negotiated, and both SDPs are available, and before the media is started. For answerer side, this callback will be called before the answer is sent to remote, to allow media transport to put additional info in the SDP. For offerer side, this callback will be called after SDP answer is received. In this callback, the media transport has the final chance to negotiate/validate the offer and answer before media is really started (and answer is sent, for answerer side). 
    140160 
    141161 '''media_stop()''':: 
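Review bot: new line 159 gives media_start() the "final chance to negotiate/validate the offer and answer" but does not say what happens when that validation fails, in particular on the offerer side where the answer has already been received; document the error return and its effect on the call. New line 151 keeps "Incidently" and "this new interfaces", and "modify/add new interfaces" would read better as "modify and extend the interfaces".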
     
    143163 
    144164 '''simulate_lost()''':: 
    145   This has nothing to do with SRTP, but since all media transports support this feature (packet loss simulation), we add this as a new interface. 
     165  This has nothing to do with SRTP, but since all media transports support this feature (packet loss simulation), we added this as a new interface. 
    146166 
    147167 
     
    154174I think the diagram above is self-explanatory. 
    155175 
    156 With SRTP, the SRTP is implemented as some kind of "adapter", which is plugged between the stream and the actual media transport that does sending/receiving RTP/RTCP packets. When SRTP is used, the interconnection between stream and transport is like the diagram below: 
     176SRTP functionality is implemented as some kind of "adapter", which is plugged between the stream and the actual media transport that does sending/receiving RTP/RTCP packets. When SRTP is used, the interconnection between stream and transport is like the diagram below: 
    157177 
    158178[[Image(media-srtp-transport.PNG)]] 
    159179 
    160 So to stream, the SRTP transport behaves as if it is a media transport (because it '''is''' a media transport), and to the media transport it behaves as if it is a stream. The SRTP object will forward RTP packets back and forth from stream to the actual transport and vice versa, encrypting/decrypting the RTP/RTCP packets as necessary. 
     180So to stream, the SRTP transport behaves as if it is a media transport (because it '''is''' a media transport), and to the media transport it behaves as if it is a stream. The SRTP object then forwards RTP packets back and forth between stream and the actual transport, encrypting/decrypting the RTP/RTCP packets as necessary. 
    161181 
    162182The neat thing about this design is the SRTP "adapter" then can be used to encrypt any kind of media transports. We currently have UDP and ICE media transports that can benefit SRTP, and we could add SRTP to any media transports that will be added in the future.
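Review bot: new line 180 says the SRTP object "forwards RTP packets" but then "encrypting/decrypting the RTP/RTCP packets"; use RTP/RTCP in both places so it is clear that RTCP also passes through the adapter. The unchanged line 182 reads "can benefit SRTP" (should be "benefit from SRTP"), and on new line 176 "some kind of" can be dropped.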