intro.txt 17 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395
  1. /**
  2. @mainpage Introduction to libSRTP
  3. This document describes libSRTP, the Open Source Secure RTP library
  4. from Cisco Systems, Inc. RTP is the Real-time Transport Protocol, an
  5. IETF standard for the transport of real-time data such as telephony,
  6. audio, and video, defined by RFC 3550. Secure RTP (SRTP) is an RTP
  7. profile for providing confidentiality to RTP data and authentication
  8. to the RTP header and payload. SRTP is an IETF Proposed Standard,
  9. defined in RFC 3711, and was developed in the IETF Audio/Video
  10. Transport (AVT) Working Group. This library supports all of the
  11. mandatory features of SRTP, but not all of the optional features. See
  12. the @ref Features section for more detailed information.
  13. This document is organized as follows. The first chapter provides
  14. background material on SRTP and overview of libSRTP. The following
  15. chapters provide a detailed reference to the libSRTP API and related
  16. functions. The reference material is created automatically (using the
  17. doxygen utility) from comments embedded in some of the C header
  18. files. The documentation is organized into modules in order to improve
  19. its clarity. These modules do not directly correspond to files. An
  20. underlying cryptographic kernel provides much of the basic
  21. functionality of libSRTP, but is mostly undocumented because it does
  22. its work behind the scenes.
  23. @section LICENSE License and Disclaimer
  24. libSRTP is distributed under the following license, which is included
  25. in the source code distribution. It is reproduced in the manual in
  26. case you got the library from another source.
  27. @latexonly
  28. \begin{quote}
  29. Copyright (c) 2001-2005 Cisco Systems, Inc. All rights reserved.
  30. Redistribution and use in source and binary forms, with or without
  31. modification, are permitted provided that the following conditions
  32. are met:
  33. \begin{itemize}
  34. \item Redistributions of source code must retain the above copyright
  35. notice, this list of conditions and the following disclaimer.
  36. \item Redistributions in binary form must reproduce the above
  37. copyright notice, this list of conditions and the following
  38. disclaimer in the documentation and/or other materials provided
  39. with the distribution.
  40. \item Neither the name of the Cisco Systems, Inc. nor the names of its
  41. contributors may be used to endorse or promote products derived
  42. from this software without specific prior written permission.
  43. \end{itemize}
  44. THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
  45. "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
  46. LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
  47. FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
  48. COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
  49. INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
  50. (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
  51. SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  52. HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
  53. STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
  54. ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
  55. OF THE POSSIBILITY OF SUCH DAMAGE.
  56. \end{quote}
  57. @endlatexonly
  58. @section Features Supported Features
  59. This library supports all of the mandatory-to-implement features of
  60. SRTP (as defined by the most recent Internet Draft). Some of these
  61. features can be selected (or de-selected) at run time by setting an
  62. appropriate policy; this is done using the structure srtp_policy_t.
  63. Some other behaviors of the protocol can be adapted by defining an
  64. approriate event handler for the exceptional events; see the @ref
  65. SRTPevents section.
  66. Some options that are not included in the specification are supported.
  67. Most notably, the TMMH authentication function is included, though it
  68. was removed from the SRTP Internet Draft during the summer of 2002.
  69. @latexonly
  70. Some options that are described in the SRTP specification are not
  71. supported. This includes
  72. \begin{itemize}
  73. \item the Master Key Index (MKI),
  74. \item key derivation rates other than zero,
  75. \item the cipher F8,
  76. \item anti-replay lists with sizes other than 128,
  77. \item the use of the packet index to select between master keys.
  78. \end{itemize}
  79. @endlatexonly
  80. The user should be aware that it is possible to misuse this libary,
  81. and that the result may be that the security level it provides is
  82. inadequate. If you are implementing a feature using this library, you
  83. will want to read the Security Considerations section of the Internet
  84. Draft. In addition, it is important that you read and understand the
  85. terms outlined in the @ref LICENSE section.
  86. @section Installing Installing and Building libSRTP
  87. @latexonly
  88. To install libSRTP, download the latest release of the distribution
  89. from \texttt{srtp.sourceforge.net}. The format of the names of the
  90. distributions are \texttt{srtp-A.B.C.tgz}, where \texttt{A} is the
  91. version number, \texttt{B} is the major release number, \texttt{C} is
  92. the minor release number, and \texttt{tgz} is the file
  93. extension\footnote{The extension \texttt{.tgz} is identical to
  94. \texttt{tar.gz}, and indicates a compressed tar file.} You probably
  95. want to get the most recent release. Unpack the distribution and
  96. extract the source files; the directory into which the source files
  97. will go is named \texttt{srtp}.
  98. libSRTP uses the GNU \texttt{autoconf} and \texttt{make}
  99. utilities\footnote{BSD make will not work; if both versions of make
  100. are on your platform, you can invoke GNU make as \texttt{gmake}.}. In
  101. the \texttt{srtp} directory, run the configure script and then make:
  102. \begin{verbatim}
  103. ./configure [ options ]
  104. make
  105. \end{verbatim}
  106. The configure script accepts the following options:
  107. \begin{quote}
  108. \begin{description}
  109. \item[--help] provides a usage summary.
  110. \item[--disable-debug] compiles libSRTP without the runtime
  111. dynamic debugging system.
  112. \item[--enable-generic-aesicm] compile in changes for ismacryp
  113. \item[--enable-syslog] use syslog for error reporting.
  114. \item[--disable-stdout] diables stdout for error reporting.
  115. \item[--enable-console] use \texttt{/dev/console} for error reporting
  116. \item[--gdoi] use GDOI key management (disabled at present).
  117. \end{description}
  118. \end{quote}
  119. By default, dynamic debugging is enabled and stdout is used for
  120. debugging. You can use the configure options to have the debugging
  121. output sent to syslog or the system console. Alternatively, you can
  122. define ERR\_REPORTING\_FILE in \texttt{include/conf.h} to be any other
  123. file that can be opened by libSRTP, and debug messages will be sent to
  124. it.
  125. This package has been tested on the following platforms: Mac OS X
  126. (powerpc-apple-darwin1.4), Cygwin (i686-pc-cygwin), Solaris
  127. (sparc-sun-solaris2.6), RedHat Linux 7.1 and 9 (i686-pc-linux), and
  128. OpenBSD (sparc-unknown-openbsd2.7).
  129. @endlatexonly
  130. @section Applications Applications
  131. @latexonly
  132. Several test drivers and a simple and portable srtp application are
  133. included in the \texttt{test/} subdirectory.
  134. \begin{center}
  135. \begin{tabular}{ll}
  136. \hline
  137. Test driver & Function tested \\
  138. \hline
  139. kernel\_driver & crypto kernel (ciphers, auth funcs, rng) \\
  140. srtp\_driver & srtp in-memory tests (does not use the network) \\
  141. rdbx\_driver & rdbx (extended replay database) \\
  142. roc\_driver & extended sequence number functions \\
  143. replay\_driver & replay database \\
  144. cipher\_driver & ciphers \\
  145. auth\_driver & hash functions \\
  146. \hline
  147. \end{tabular}
  148. \end{center}
  149. The app rtpw is a simple rtp application which reads words from
  150. /usr/dict/words and then sends them out one at a time using [s]rtp.
  151. Manual srtp keying uses the -k option; automated key management
  152. using gdoi will be added later.
  153. The usage for rtpw is
  154. \texttt{rtpw [[-d $<$debug$>$]* [-k $<$key$>$ [-a][-e]] [-s | -r] dest\_ip
  155. dest\_port] | [-l]}
  156. Either the -s (sender) or -r (receiver) option must be chosen. The
  157. values dest\_ip, dest\_port are the IP address and UDP port to which
  158. the dictionary will be sent, respectively. The options are:
  159. \begin{center}
  160. \begin{tabular}{ll}
  161. -s & (S)RTP sender - causes app to send words \\
  162. -r & (S)RTP receive - causes app to receive words \\
  163. -k $<$key$>$ & use SRTP master key $<$key$>$, where the
  164. key is a hexadecimal value (without the
  165. leading "0x") \\
  166. -e & encrypt/decrypt (for data confidentiality)
  167. (requires use of -k option as well)\\
  168. -a & message authentication
  169. (requires use of -k option as well) \\
  170. -l & list the available debug modules \\
  171. -d $<$debug$>$ & turn on debugging for module $<$debug$>$ \\
  172. \end{tabular}
  173. \end{center}
  174. In order to get a random 30-byte value for use as a key/salt pair, you
  175. can use the \texttt{rand\_gen} utility in the \texttt{test/}
  176. subdirectory.
  177. An example of an SRTP session using two rtpw programs follows:
  178. \begin{verbatim}
  179. [sh1] set k=`test/rand_gen -n 30`
  180. [sh1] echo $k
  181. c1eec3717da76195bb878578790af71c4ee9f859e197a414a78d5abc7451
  182. [sh1]$ test/rtpw -s -k $k -ea 0.0.0.0 9999
  183. Security services: confidentiality message authentication
  184. set master key/salt to C1EEC3717DA76195BB878578790AF71C/4EE9F859E197A414A78D5ABC7451
  185. setting SSRC to 2078917053
  186. sending word: A
  187. sending word: a
  188. sending word: aa
  189. sending word: aal
  190. sending word: aalii
  191. sending word: aam
  192. sending word: Aani
  193. sending word: aardvark
  194. ...
  195. [sh2] set k=c1eec3717da76195bb878578790af71c4ee9f859e197a414a78d5abc7451
  196. [sh2]$ test/rtpw -r -k $k -ea 0.0.0.0 9999
  197. security services: confidentiality message authentication
  198. set master key/salt to C1EEC3717DA76195BB878578790AF71C/4EE9F859E197A414A78D5ABC7451
  199. 19 octets received from SSRC 2078917053 word: A
  200. 19 octets received from SSRC 2078917053 word: a
  201. 20 octets received from SSRC 2078917053 word: aa
  202. 21 octets received from SSRC 2078917053 word: aal
  203. ...
  204. \end{verbatim}
  205. @endlatexonly
  206. @section Review Secure RTP Background
  207. In this section we review SRTP and introduce some terms that are used
  208. in libSRTP. An RTP session is defined by a pair of destination
  209. transport addresses, that is, a network address plus a pair of UDP
  210. ports for RTP and RTCP. RTCP, the RTP control protocol, is used to
  211. coordinate between the participants in an RTP session, e.g. to provide
  212. feedback from receivers to senders. An @e SRTP @e session is
  213. similarly defined; it is just an RTP session for which the SRTP
  214. profile is being used. An SRTP session consists of the traffic sent
  215. to the SRTP or SRTCP destination transport addresses. Each
  216. participant in a session is identified by a synchronization source
  217. (SSRC) identifier. Some participants may not send any SRTP traffic;
  218. they are called receivers, even though they send out SRTCP traffic,
  219. such as receiver reports.
  220. RTP allows multiple sources to send RTP and RTCP traffic during the
  221. same session. The synchronization source identifier (SSRC) is used to
  222. distinguish these sources. In libSRTP, we call the SRTP and SRTCP
  223. traffic from a particular source a @e stream. Each stream has its own
  224. SSRC, sequence number, rollover counter, and other data. A particular
  225. choice of options, cryptographic mechanisms, and keys is called a @e
  226. policy. Each stream within a session can have a distinct policy
  227. applied to it. A session policy is a collection of stream policies.
  228. A single policy can be used for all of the streams in a given session,
  229. though the case in which a single @e key is shared across multiple
  230. streams requires care. When key sharing is used, the SSRC values that
  231. identify the streams @b must be distinct. This requirement can be
  232. enforced by using the convention that each SRTP and SRTCP key is used
  233. for encryption by only a single sender. In other words, the key is
  234. shared only across streams that originate from a particular device (of
  235. course, other SRTP participants will need to use the key for
  236. decryption). libSRTP supports this enforcement by detecting the case
  237. in which a key is used for both inbound and outbound data.
  238. @section Overview libSRTP Overview
  239. libSRTP provides functions for protecting RTP and RTCP. RTP packets
  240. can be encrypted and authenticated (using the srtp_protect()
  241. function), turning them into SRTP packets. Similarly, SRTP packets
  242. can be decrypted and have their authentication verified (using the
  243. srtp_unprotect() function), turning them into RTP packets. Similar
  244. functions apply security to RTCP packets.
  245. The typedef srtp_stream_t points to a structure holding all of the
  246. state associated with an SRTP stream, including the keys and
  247. parameters for cipher and message authentication functions and the
  248. anti-replay data. A particular srtp_stream_t holds the information
  249. needed to protect a particular RTP and RTCP stream. This datatype
  250. is intentionally opaque in order to better seperate the libSRTP
  251. API from its implementation.
  252. Within an SRTP session, there can be multiple streams, each
  253. originating from a particular sender. Each source uses a distinct
  254. stream context to protect the RTP and RTCP stream that it is
  255. originating. The typedef srtp_t points to a structure holding all of
  256. the state associated with an SRTP session. There can be multiple
  257. stream contexts associated with a single srtp_t. A stream context
  258. cannot exist indepent from an srtp_t, though of course an srtp_t can
  259. be created that contains only a single stream context. A device
  260. participating in an SRTP session must have a stream context for each
  261. source in that session, so that it can process the data that it
  262. receives from each sender.
  263. In libSRTP, a session is created using the function srtp_create().
  264. The policy to be implemented in the session is passed into this
  265. function as an srtp_policy_t structure. A single one of these
  266. structures describes the policy of a single stream. These structures
  267. can also be linked together to form an entire session policy. A linked
  268. list of srtp_policy_t structures is equivalent to a session policy.
  269. In such a policy, we refer to a single srtp_policy_t as an @e element.
  270. An srtp_policy_t strucutre contains two crypto_policy_t structures
  271. that describe the cryptograhic policies for RTP and RTCP, as well as
  272. the SRTP master key and the SSRC value. The SSRC describes what to
  273. protect (e.g. which stream), and the crypto_policy_t structures
  274. describe how to protect it. The key is contained in a policy element
  275. because it simplifies the interface to the library. In many cases, it
  276. is desirable to use the same cryptographic policies across all of the
  277. streams in a session, but to use a distinct key for each stream. A
  278. crypto_policy_t structure can be initialized by using either the
  279. crypto_policy_set_rtp_default() or crypto_policy_set_rtcp_default()
  280. functions, which set a crypto policy structure to the default policies
  281. for RTP and RTCP protection, respectively.
  282. @section Example Example Code
  283. This section provides a simple example of how to use libSRTP. The
  284. example code lacks error checking, but is functional. Here we assume
  285. that the value ssrc is already set to describe the SSRC of the stream
  286. that we are sending, and that the functions get_rtp_packet() and
  287. send_srtp_packet() are available to us. The former puts an RTP packet
  288. into the buffer and returns the number of octets written to that
  289. buffer. The latter sends the RTP packet in the buffer, given the
  290. length as its second argument.
  291. @verbatim
  292. srtp_t session;
  293. srtp_policy_t policy;
  294. uint8_t key[30];
  295. // initialize libSRTP
  296. srtp_init();
  297. // set policy to describe a policy for an SRTP stream
  298. crypto_policy_set_rtp_default(&policy.rtp);
  299. crypto_policy_set_rtcp_default(&policy.rtcp);
  300. policy.ssrc = ssrc;
  301. policy.key = key;
  302. policy.next = NULL;
  303. // set key to random value
  304. crypto_get_random(key, 30);
  305. // allocate and initialize the SRTP session
  306. srtp_create(&session, &policy);
  307. // main loop: get rtp packets, send srtp packets
  308. while (1) {
  309. char rtp_buffer[2048];
  310. unsigned len;
  311. len = get_rtp_packet(rtp_buffer);
  312. srtp_protect(session, rtp_buffer, &len);
  313. send_srtp_packet(rtp_buffer, len);
  314. }
  315. @endverbatim
  316. @section ISMAcryp ISMA Encryption Support
  317. The Internet Streaming Media Alliance (ISMA) specifies a way
  318. to pre-encrypt a media file prior to streaming. This method
  319. is an alternative to SRTP encryption, which is potentially
  320. useful when a particular media file will be streamed
  321. multiple times. The specification is available online
  322. at http://www.isma.tv/specreq.nsf/SpecRequest.
  323. libSRTP provides the encryption and decryption functions needed for ISMAcryp
  324. in the library @t libaesicm.a, which is included in the default
  325. Makefile target. This library is used by the MPEG4IP project; see
  326. http://mpeg4ip.sourceforge.net/.
  327. Note that ISMAcryp does not provide authentication for
  328. RTP nor RTCP, nor confidentiality for RTCP.
  329. ISMAcryp RECOMMENDS the use of SRTP message authentication for ISMAcryp
  330. streams while using ISMAcryp encryption to protect the media itself.
  331. */