couple of questions on srtpenc/srtpdec configuration

Olivier Crête olivier.crete at collabora.com
Fri Jul 29 21:14:44 UTC 2016


Hi,

First, you may want to have a look at the dtlssrtpenc/dec elements,
they probably do exactly what you want to do. And even if they don't,
they are a good example of how to implement DTLS-SRTP with the
srtpenc/dec elements.

On Thu, 2016-07-28 at 13:14 -0700, Andres Gonzalez wrote:
> Question: I am assuming the srtpenc property "key" is NOT the RFC5764
> "srtp_mki" value.  Is this assumption correct?

The srtpenc/dec elements indeed don't offer the MKI, because libsrtp
doesn't support it. And as far as I know, no one really uses it.

> Question: I am assuming the output of *this* openssl API routine is what
> should be used for the srtpenc property "key". Is this assumption correct?

Yes, you have to give the right one depending on if you're the client
or server, one goes to the encoder and the other to the decoder.

> I have studied the source code of a different project that uses libsrtp for
> SRTP.  These examples show the generation of the 4 subkeys:
> client_write_SRTP_master_key, server_write_SRTP_master_key,
> client_write_SRTP_master_salt, and server_write_SRTP_master_salt.
> 
> Question: I am assuming that the srtpenc element internally generates those
> 4 required subkeys from the main "key" property so that application code
> does not explicitly have to generate these subkeys. Is this assumption
> correct?

Those are not subkeys. On the client, you need to give the client
key+salt to the encoder and the server key+salt to the decoder, and the
opposite at the server.

See example in the gst-plugins-bad/ext/dtls


> Question: I am assuming that this DTLS mode dependency for key generation is
> only applicable to libsrtp library, and not in general for SRTP keys for use
> with srtpenc, that is, all of that dependency is dealt with internally and
> therefore of no concern at the application pipeline code layer. Is this
> assumption correct?

No, the mode is a DTLS thing, not an SRTP thing; SRTP has no client or
server. It just has an encoder and a decoder, and they both need the
same key to be able to decode what was encoded. That said, normally you
use a different key for each direction.

-- 
Olivier Crête
olivier.crete at collabora.com
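
The key+salt assignment described in the reply above, as an added example that is not part of the original message or of GStreamer's code: it splits the RFC 5764 exporter block into the key+salt for the local encoder and the local decoder according to the DTLS role. The function names are hypothetical, and the SRTP_AES128_CM_HMAC_SHA1_80 profile (16-byte key, 14-byte salt) is an assumption.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Assumed profile: SRTP_AES128_CM_HMAC_SHA1_80 (16-byte key, 14-byte salt). */
#define KEY_LEN    16
#define SALT_LEN   14
#define MASTER_LEN (KEY_LEN + SALT_LEN)   /* key+salt handed to one element */
#define EXPORT_LEN (2 * MASTER_LEN)       /* bytes exported from DTLS */

enum dtls_role { DTLS_CLIENT, DTLS_SERVER };

/* Split the RFC 5764 exporter block, laid out as
 *   client key | server key | client salt | server salt,
 * into key+salt for the local encoder and for the local decoder.
 * Returns 0 on success, -1 on bad arguments. */
int split_dtls_srtp_keys(const uint8_t *km, size_t km_len, enum dtls_role role,
                         uint8_t enc_out[MASTER_LEN], uint8_t dec_out[MASTER_LEN])
{
    if (!km || !enc_out || !dec_out || km_len != EXPORT_LEN)
        return -1;
    if (role != DTLS_CLIENT && role != DTLS_SERVER)
        return -1;

    const uint8_t *key[2]  = { km, km + KEY_LEN };   /* [0] client, [1] server */
    const uint8_t *salt[2] = { km + 2 * KEY_LEN, km + 2 * KEY_LEN + SALT_LEN };
    int tx = (role == DTLS_CLIENT) ? 0 : 1;   /* material we send with */
    int rx = 1 - tx;                          /* material the peer sends with */

    memcpy(enc_out, key[tx], KEY_LEN);
    memcpy(enc_out + KEY_LEN, salt[tx], SALT_LEN);
    memcpy(dec_out, key[rx], KEY_LEN);
    memcpy(dec_out + KEY_LEN, salt[rx], SALT_LEN);
    return 0;
}

/* Self-check on constructed keying material (byte i has value i):
 * the client's encoder key must equal the server's decoder key, and
 * the two directions must use different keys. Returns 1 if so. */
int roles_are_mirrored(void)
{
    uint8_t km[EXPORT_LEN], c_enc[MASTER_LEN], c_dec[MASTER_LEN],
            s_enc[MASTER_LEN], s_dec[MASTER_LEN];
    for (size_t i = 0; i < EXPORT_LEN; i++)
        km[i] = (uint8_t)i;
    if (split_dtls_srtp_keys(km, sizeof km, DTLS_CLIENT, c_enc, c_dec) ||
        split_dtls_srtp_keys(km, sizeof km, DTLS_SERVER, s_enc, s_dec))
        return 0;
    return !memcmp(c_enc, s_dec, MASTER_LEN) && !memcmp(c_dec, s_enc, MASTER_LEN)
        && memcmp(c_enc, c_dec, MASTER_LEN) != 0;
}
```

Each 30-byte output is what would be wrapped in a buffer for the "key" property of the corresponding element.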

