WebRTC topic collection

(Reposted) dtls_srtp webrtc

2018-10-30  This post has reached 593 readers  云上听风

Reposted: dtls_srtp webrtc
This piece is itself a compilation reposted from several sources.

Source 1


Note: the following are study notes on RFC 5764 and are not guaranteed to be entirely correct.

DTLS-SRTP is an extension of DTLS that combines SRTP encryption and decryption with DTLS key exchange and session management. From SRTP's point of view, it provides a new method for negotiating and managing keys; from DTLS's point of view, it provides a new data format (SRTP/SRTCP) for application data.

1. Application-layer data is encrypted and decrypted by SRTP, so it must be in RTP/RTCP format.
2. The DTLS handshake negotiates which protection profile and which keys SRTP uses for encryption and decryption.
3. Apart from application data, which is encrypted in SRTP format, all other record-layer messages remain ordinary DTLS records (for example the TLS control messages).
4. When application-layer data is sent in SRTP format, the DTLS encryption layer is skipped entirely and the SRTP packet is passed straight through to the underlying transport layer for sending.

Because the keys and encryption parameters are negotiated during the DTLS handshake, and that exchange is confidential, this is more secure than the conventional approach (for example negotiating them through SDP message exchange). The use_srtp extension must be set before the DTLS handshake is initiated.

Receiving with DTLS-SRTP
After a packet arrives from the transport layer beneath DTLS, it has to be demultiplexed by hand from its packet-header characteristics, generally as follows.
Check the first byte of the packet:
1. If it is in [0, 1], it is probably a STUN packet.
2. If it is in [128, 191], it is probably an RTP (SRTP) packet.
3. If it is in [20, 63], it is probably a DTLS record-layer packet.
Other categories should be distinguished and handled according to the actual situation.
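The first-byte rule above as a small Python classifier, run over constructed STUN, DTLS and RTP headers; this is an added example, not code from the original notes, and the ranges are exactly the ones the notes quote from RFC 5764:

```python
# Added example, not part of the original notes: demultiplexing datagrams that
# share one UDP port, using the first-byte rule from RFC 5764 described above.
# Sample datagrams are constructed here for illustration only.
import struct
from collections import Counter

STUN, DTLS, RTP, UNKNOWN = "stun", "dtls", "rtp", "unknown"


def classify_packet(data: bytes) -> str:
    """Classify a received datagram by its first byte (RFC 5764 section 5.1.2).

    0..1     -> STUN
    20..63   -> DTLS record layer (handshake, alert, change cipher spec, ...)
    128..191 -> RTP/SRTP (version field is 2, i.e. top two bits are 10)
    Anything else is reported as unknown so the caller can drop and log it
    instead of handing an unexpected packet to one of the parsers.
    """
    if not data:
        return UNKNOWN
    first = data[0]
    if first in (0, 1):
        return STUN
    if 20 <= first <= 63:
        return DTLS
    if 128 <= first <= 191:
        return RTP
    return UNKNOWN


def demux_stream(datagrams):
    """Count how many datagrams would be routed to each protocol handler."""
    return dict(Counter(classify_packet(d) for d in datagrams))


# Constructed sample datagrams (headers only; payloads do not matter here).
# STUN Binding Request: type 0x0001, length 0, magic cookie, 12-byte txn id.
STUN_SAMPLE = struct.pack("!HHI", 0x0001, 0, 0x2112A442) + bytes(12)
# DTLS 1.2 record header (13 bytes): content type 22 (handshake), version
# 0xFEFD, epoch 0, 48-bit sequence number 0, length 0.
DTLS_SAMPLE = struct.pack("!BH", 22, 0xFEFD) + bytes(8) + struct.pack("!H", 0)
# RTP header: V=2 P=0 X=0 CC=0 (0x80), M=0 PT=111, seq 1, timestamp 0, SSRC.
RTP_SAMPLE = struct.pack("!BBHII", 0x80, 111, 1, 0, 0xDEADBEEF)

if __name__ == "__main__":
    for name, pkt in [("stun", STUN_SAMPLE), ("dtls", DTLS_SAMPLE), ("rtp", RTP_SAMPLE)]:
        print(name, "->", classify_packet(pkt))
    print(demux_stream([STUN_SAMPLE, RTP_SAMPLE, RTP_SAMPLE, DTLS_SAMPLE, b"\xff"]))
```

An SRTP packet carries the same RTP header, so it lands in the same bucket; this is why the classification must happen before any DTLS record processing.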

Related RFC standards
RFC3711 SRTP

RFC5705 Keying Material Exporters for TLS

Source 2


WebRTC is a new standard for transmitting media data between browsers. It introduces many new concepts, including the terms DTLS, SDES, DTLS-SRTP, ICE, TURN, rtp-mux, BWE, FEC, JSEP, trickle-ICE and so on.

This article starts with DTLS and DTLS-SRTP.

DTLS: Datagram Transport Layer Security, i.e. UDP + security, security at the datagram layer. DTLS adopts the security mechanisms of TLS but is more lightweight. WebRTC introduced DTLS for the secure key exchange used when transmitting SRTP packets; DTLS-SRTP adds a further layer of security on top of SRTP and is more secure than SDES.

Source 3


DTLS-SRTP is a key exchange mechanism that is mandated for use in WebRTC.

DTLS-SRTP uses DTLS to exchange keys for the SRTP media transport.

SRTP requires an external key exchange mechanism for sharing its session keys, and DTLS-SRTP does that by multiplexing the DTLS-SRTP protocol within the same session as the SRTP media itself.

This method is considered to be more secure than the SDES mechanism that was first used in WebRTC but later on banned from use altogether.

Source 4


Why would one choose DTLS-SRTP versus just RTP over DTLS?


If I understand DTLS-SRTP correctly, DTLS is used to exchange keys and then the endpoints switch to SRTP for encryption. What is the benefit of this setup versus just sending RTP over DTLS? Is it just about compatibility with existing SRTP stacks?


asked Jul 22 '17 at 18:38 by David Brown

1 Answer (accepted)

It's all about encryption overhead; how much extra data the encryption method extends the packet by.

DTLS has a noticeable amount of overhead; the DTLS header alone is 13 bytes, and then you have the IV/nonce, and the tag; this overhead can be more than the actual VoIP payload. In contrast, SRTP was specifically designed to minimize this overhead; except for the tag (which is optional; IMHO, bad idea to omit it, but some people insisted), there is no overhead compared to RTP.

You might ask "what's the big deal about encryption overhead? Doesn't the internet not care that much about packet sizes?" Well, yes, if you're talking about wired internet connections, actually, this overhead might not be that significant. However, for wireless, yes, people do worry about it, because:

Source 5


Rough interaction flow

Besides describing the media types, WebRTC's SDP carries additional fields that describe the ICE connection candidates.
