OLD | NEW |
| (Empty) |
1 Secure RTP (SRTP) Reference Implementation | |
2 David A. McGrew | |
3 Cisco Systems, Inc. | |
4 mcgrew@cisco.com | |
5 | |
6 | |
7 This package provides an implementation of the Secure Real-time | |
8 Transport Protocol (SRTP), the Universal Security Transform (UST), and | |
9 a supporting cryptographic kernel. These mechanisms are documented in | |
10 the Internet Drafts in the doc/ subdirectory. The SRTP API is | |
11 documented in include/srtp.h, and the library is in libsrtp.a (after | |
12 compilation). An overview and reference manual is available in | |
13 doc/libsrtp.pdf. The PDF documentation is more up to date than this | |
14 file. | |
15 | |
16 | |
17 Installation: | |
18 | |
19 ./configure [ options ] # GNU autoconf script | |
20 make # or gmake if needed; use GNU make | |
21 | |
22 The configure script accepts the following options: | |
23 | |
24 --help provides a usage summary | |
25 --disable-debug compile without the runtime debugging system | |
26 --enable-syslog use syslog for error reporting | |
27 --disable-stdout use stdout for error reporting | |
28 --enable-console use /dev/console for error reporting | |
29 --enable-openssl use OpenSSL crypto primitives | |
30 --gdoi use GDOI key management (disabled at present) | |
31 | |
32 By default, debugging is enabled and stdout is used for debugging. | |
33 You can use the above configure options to have the debugging output | |
34 sent to syslog or the system console. Alternatively, you can define | |
35 ERR_REPORTING_FILE in include/conf.h to be any other file that can be | |
36 opened by libSRTP, and debug messages will be sent to it. | |
37 | |
38 This package has been tested on Mac OS X (powerpc-apple-darwin1.4), | |
39 Cygwin (i686-pc-cygwin), and Sparc (sparc-sun-solaris2.6). Previous | |
40 versions have been tested on Linux and OpenBSD on both x86 and sparc | |
41 platforms. | |
42 | |
43 A quick tour of this package: | |
44 | |
45 Makefile targets: all, clean, ... | |
46 README this file | |
47 CHANGES change log | |
48 VERSION version number of this package | |
49 LICENSE legal details (it's a BSD-like license) | |
50 crypto/ciphers/ ciphers (null, aes_icm, ...) | |
51 crypto/math/ crypto math routines | |
52 crypto/hash/ crypto hashing (hmac, tmmhv2, ...) | |
53 crypto/replay/ replay protection | |
54 doc/ documentation: rfcs, apis, and suchlike | |
55 include/ include files for all code in distribution | |
56 srtp/ secure real-time transport protocol implementation | |
57 tables/ apps for generating tables (useful in porting) | |
58 test/ test drivers | |
59 | |
60 | |
61 Applications | |
62 | |
63 Several test drivers and a simple and portable srtp application | |
64 are included in the test/ subdirectory. | |
65 | |
66 test driver function tested | |
67 ------------------------------------------------------------- | |
68 kernel_driver crypto kernel (ciphers, auth funcs, rng) | |
69 srtp_driver srtp in-memory tests (does not use the network) | |
70 rdbx_driver rdbx (extended replay database) | |
71 roc_driver extended sequence number functions | |
72 replay_driver replay database (n.b. not used in libsrtp) | |
73 cipher_driver ciphers | |
74 auth_driver hash functions | |
75 | |
76 The app rtpw is a simple rtp application which reads words from | |
77 /usr/dict/words and then sends them out one at a time using [s]rtp. | |
78 Manual srtp keying uses the -k option; automated key management | |
79 using gdoi will be added later. | |
80 | |
81 usage: rtpw [-d <debug>]* [-k|b <key> [-a][-e <key size>][-g]] [-s | -r] dest_ip
dest_port | |
82 or rtpw -l | |
83 | |
84 Either the -s (sender) or -r (receiver) option must be chosen. | |
85 | |
86 The values dest_ip, dest_port are the ip address and udp port to | |
87 which the dictionary will be sent, respectively. | |
88 | |
89 options: | |
90 | |
91 -s (s)rtp sender - causes app to send words | |
92 | |
93 -r (s)rtp receive - causes app to receive words | |
94 | |
95 -k <key> use srtp master key <key>, where the | |
96 key is a hexadecimal value (without the | |
97 leading "0x") | |
98 | |
99 -b <key> same as -k but with base64 encoded key | |
100 | |
101 -e <keysize> encrypt/decrypt (for data confidentiality) | |
102 (requires use of -k option as well) | |
103 (use 128, 192, or 256 for keysize) | |
104 | |
105 -g use AES-GCM mode (must be used with -e) | |
106 | |
107 -a message authentication | |
108 (requires use of -k option as well) | |
109 | |
110 -l list debug modules | |
111 | |
112 -d <debug> turn on debugging for module <debug> | |
113 -i specify input/output file | |
114 (instead of using dictionary file) | |
115 | |
116 | |
117 In order to get random 30-byte values for use as key/salt pairs , you | |
118 can use the following bash function to format the output of | |
119 /dev/random (where that device is available). | |
120 | |
121 function randhex() { | |
122 cat /dev/random | od --read-bytes=32 --width=32 -x | awk '{ print $2 $3 $4 $5
$6 $7 $8 $9 $10 $11 $12 $13 $14 $15 $16 }' | |
123 } | |
124 | |
125 | |
126 An example of an SRTP session using two rtpw programs follows: | |
127 | |
128 set k=c1eec3717da76195bb878578790af71c4ee9f859e197a414a78d5abc7451 | |
129 | |
130 [sh1]$ test/rtpw -s -k $k -e 128 -a 0.0.0.0 9999 | |
131 Security services: confidentiality message authentication | |
132 set master key/salt to C1EEC3717DA76195BB878578790AF71C/4EE9F859E197A414A78D5ABC
7451 | |
133 setting SSRC to 2078917053 | |
134 sending word: A | |
135 sending word: a | |
136 sending word: aa | |
137 sending word: aal | |
138 ... | |
139 | |
140 [sh2]$ test/rtpw -r -k $k -e 128 -a 0.0.0.0 9999 | |
141 security services: confidentiality message authentication | |
142 set master key/salt to C1EEC3717DA76195BB878578790AF71C/4EE9F859E197A414A78D5ABC
7451 | |
143 19 octets received from SSRC 2078917053 word: A | |
144 19 octets received from SSRC 2078917053 word: a | |
145 20 octets received from SSRC 2078917053 word: aa | |
146 21 octets received from SSRC 2078917053 word: aal | |
147 ... | |
148 | |
149 Implementation Notes | |
150 | |
151 * The srtp_protect() function assumes that the buffer holding the | |
152 rtp packet has enough storage allocated that the authentication | |
153 tag can be written to the end of that packet. If this assumption | |
154 is not valid, memory corruption will ensue. | |
155 | |
156 * Automated tests for the crypto functions are provided through | |
157 the cipher_type_self_test() and auth_type_self_test() functions. | |
158 These functions should be used to test each port of this code | |
159 to a new platform. | |
160 | |
161 * Replay protection is contained in the crypto engine, and | |
162 tests for it are provided. | |
163 | |
164 * This implementation provides calls to initialize, protect, and | |
165 unprotect RTP packets, and makes as few as possible assumptions | |
166 about how these functions will be called. For example, the | |
167 caller is not expected to provide packets in order (though if | |
168 they're called more than 65k out of sequence, synchronization | |
169 will be lost). | |
170 | |
171 * The sequence number in the rtp packet is used as the low 16 bits | |
172 of the sender's local packet index. Note that RTP will start its | |
173 sequence number in a random place, and the SRTP layer just jumps | |
174 forward to that number at its first invocation. An earlier | |
175 version of this library used initial sequence numbers that are | |
176 less than 32,768; this trick is no longer required as the | |
177 rdbx_estimate_index(...) function has been made smarter. | |
178 | |
179 * The replay window is 128 bits in length, and is hard-coded to this | |
180 value for now. | |
181 | |
182 | |
OLD | NEW |