Managing Master Key

The Secure Real-Time Transport Protocol (SRTP) stream requires the sender and receiver to maintain the cryptographic context of the packets. SRTP uses two types of keys: master keys and session keys for packet encryption and decryption. Master key is a random bit string. The session keys are derived from the master key. The Session key is used directly in cryptographic transform for encryption or message authentication.

A single master key provides keying material for confidentiality and integrity protection of both SRTP and the corresponding SRTCP stream. For each master key, a count of processed packets is maintained. There is a limit on the number of packets processed by a single master key. SRTCP maintains a separate counter for master key even if the master key is the same as that for SRTP. The counter counts the number of SRTCP packets processed with the key.

The SRTP stack checks for the count of packet processed when the RTP/RTCP packets are encrypted or decrypted. If the number of packets processed is maximum, the master key status is identified as stale. The SRTP notifies the SRTP client of the master key status. This is Notifying the Master Key Expiry.

The SRTP stack can request for a new master key(ReKey) even before the master key status is identified as stale.This is ReKey request.

An SRTP session must be created and initialized before an application requests for a RTP/RTCP packet decryption and encryption.

The two variants of the API SRTPMasterKeyStaleEvent() must be implemented by the application.

  1. An RTP/RTCP packet is encrypted or decrypted .
  2. The SRTP uses the current master key to check the count of packet processed. If the number of packets processed is not the maximum permissible value, the count is increased. If the number of packets processed has reached maximum permissible value, the SRTP DLL notifies the expiry(stale) state of the current master key.
  3. The SRTP DLL notifies the master key status using the API's SRTPMasterKeyStaleEvent() of the class MSRTPReKeyingObserver .The notification can be initiated by MSRTPReKeyingObserver or CSRTPSession.

    1. The prototypes for both the variants of SRTPMasterKeyStaleEvent() are described below:
      •  virtual void SRTPMasterKeyStaleEvent(const CSRTPStream& aStream)=0;
                             
                          

        This API is called by the SRTP Stream initiated with MSRTPReKeyingObserver, if a master key is identified as stale and needs to be refreshed.

        aStream is the input parameter. It contains the stream of the master key that needs to be refreshed.

      •  virtual void SRTPMasterKeyStaleEvent(const CSRTPSession& aSession)=0;
                             
                          

        This API is called by SRTP Stream initiated with CSRTPSession if a master key is identified as stale and needs to be refreshed.

        aSession is the input parameter. It contains the session of the master key that needs to be refreshed.

  4. The SRTP DLL requests for a new master key using the API ReKeyNeeded() of the classCSRTPSession.

    1. The prototype of the API is as described below:
      • void ReKeyNeeded(const CSRTPStream& aStream, TBool aIsStrmCrypto);
                             
                          

        This API requests for ReKey.

        aStream is the input parameter that needs the Rekey.

        aIsStrmCrypto is the boolean input parameter. It contains true if stream has its own cryptographic context. Else the value is false.

SRTP stack notifies the SRTP client of the master key expiry state.

SRTP stack requests for ReKey.