Decrypting RTP Packet Data

SRTP generates SRTP packets from the RTP stream and forwards the packets to the receiver. SRTP transforms incoming SRTP packets to RTP packets and passes them up the stack. To ensure the confidentiality of the packet content, data encryption is used. Encrypted RTP packet data is encapsulated for transmission in a single lower-layer packet as a unit. The presence of encryption and the correct usage of key are confirmed by the receiver through header and payload validity checks.

At the receiving end, the packet is authenticated first. Authentication is followed by is decoding the encrypted payload. This process is known as decryption. Decryption requires a decryption key.

An SRTP session must be created and initialized before an application requests for a RTP payload decryption.

  1. An application requests for decryption of RTP packet.
  2. The SRTP DLL checks for the cryptographic context of the input stream. If a match is not found, SRTP DLL checks for the cryptographic context of the session.
  3. The SRTP DLL checks the replay list for the packet index. If a packet with the same index is found in the replay list the packet is dropped.
  4. The SRTP DLL computes the authentication tag for the packet. The computed tag is matched with the tag in the packet. If the tags match, the packet is accepted and the packet index is added to the replay list.

  5. The packet is decrypted using UnprotectRTPL() API of the class CSRTPSession.The session keys in the cryptographic context of the current SRTP session are used for decryption.

    1. The prototype for the API UnprotectRTPL() is as described below.
                           IMPORT_C HBufC8* UnprotectRTPL(TUint aSSRC, const TDesC8& aPacket); 
      This API is invoked if the session finds a match stream and unprotect stream. aSSRC is the input parameter that contains the Synchronisation Source (SSRC). Synchronisation Source is the source of the stream of RTP packets identified by a 32 bit numeric. SSRC identifier is a part of the RTP packet header. aPacket is the input parameter that contains packet to be unprotected. The length of descriptor should match the actual data length. A mismatch in the length descriptor and actual length may lead to incorrect encryption. HBufC8 is the output parameter that contains the decrypted packet.

      The API leaves, if matching stream is not found.

      In late binding cases, the API tries to find a stream with SSRC is equal to zero and unprotect the packet.

  6. The SRTP DLL updates the count of packets decrypted.

On successful execution of the API, decrypted data is returned.

If any of the above mentioned checks fail, the packet is discarded.