SRTP Cryptosuite

The SIP SRTP Cryptosuite object configures the crypto-suites that are offered in the SDP of the outgoing leg and in the SDP of the response on the incoming leg when SRTP is enabled. One or more crypto-suites can be configured, and each one can be set to enable or disable SRTCP. The SIP SRTP Cryptosuite object is configured under the SIP Profile (SGP) object and includes the Advanced Encryption Standard, the Window Size Hint, and whether SRTCP will be enabled.

Web GUI Page

Dialogic > Profiles > SIP Profile (SGP) > New SIP SRTP Cryptosuite

Maximum Objects

One SIP SRTP Cryptosuite can be configured per SIP Profile (SGP).

Related Topics and Dependencies

The SIP SRTP Cryptosuite object is configured under the SIP Profile object. Before the SIP SRTP Cryptosuite object can be configured, TLS (Transport Layer Security) must first be configured.

SIP Profile - SGP

Configure SRTP

Configure TLS 

Field Descriptions

Crypto-suite

The crypto-suite identifies the type of encryption employed in the SRTP media stream. Each crypto-suite selected will be offered in the a= line of the offer on the incoming side and will be offered in the response message sent back to the remote gateway on the incoming leg. Select one, two, or all of the crypto-suites from the drop-down menu.

AES_CM_128_HMAC_SHA1_32 - This crypto-suite is similar to the AES_CM_128_HMAC_SHA1_80 crypto-suite below, except that it offers a 32-bit authentication tag.

AES_CM_128_HMAC_SHA1_80 - This is the default Advanced Encryption Standard. It offers a 128-bit master key along with an 80-bit authentication tag. This crypto-suite has a default lifetime of 2^48 SRTP packets or 2^31 SRTCP packets.

F8_128_HMAC_SHA1_80 - This crypto-suite is identical to AES_CM_128_HMAC_SHA1_80 except that the cipher is used in F8 mode. Universal Mobile Telecommunications System (UMTS) 3G mobile networks use AES-F8 mode.

Refer to RFC 4568 for more information on each crypto-suite.

Window size hint

The window size hint is used to protect against Denial of Service attacks during an SRTP session. Replay protection stores a list of the packets, and their indexes, that have been received during an SRTP session. The receiver checks the index value of each new packet against the indexes of the packets stored within this window. Only packets with index values ahead of the window are accepted. The size of the replay protection window is determined by the Window Size Hint. The default value is 64 and it can be as high as 99. Select the value from the drop-down menu.

SRTCP Encryption

RTCP packets are used to determine the Quality of Service of a specific VoIP connection. The SRTCP Encryption field allows the IMG 2020 to send these packets either encrypted or unencrypted.

Disabled (default) - Encryption of RTCP packets is disabled. Any RTCP packets sent are not encrypted or secure.

Enabled - RTCP packets are encrypted before they are sent, so they are secure.
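
As an added example (not Dialogic's code), the following Python check parses RFC 4568 a=crypto lines taken from captured SDP and flags values that disagree with the fields described on this page: a crypto-suite outside the three listed, a WSH outside the 64 to 99 range, or the RFC 4568 UNENCRYPTED_SRTCP session parameter. The function names and sample lines are constructed, and it is an assumption that a gateway with SRTCP Encryption disabled signals this with UNENCRYPTED_SRTCP.

```python
import base64
import re

# The three crypto-suites listed on this page; each uses a 128-bit key + 112-bit salt.
PAGE_SUITES = {"AES_CM_128_HMAC_SHA1_80", "AES_CM_128_HMAC_SHA1_32", "F8_128_HMAC_SHA1_80"}
KEY_SALT_LEN = 30  # bytes: 16 master key + 14 master salt (RFC 4568)
CRYPTO_RE = re.compile(r"^a=crypto:(\d+) (\S+) inline:([A-Za-z0-9+/=]+)(\|\S*)?((?: \S+)*)$")

def parse_crypto(line):
    """Parse one RFC 4568 a=crypto attribute; return None if it is malformed."""
    m = CRYPTO_RE.match(line.strip())
    if not m:
        return None
    tag, suite, key_b64, _lifetime, params = m.groups()
    params = params.split()
    wsh = next((p[4:] for p in params if p.startswith("WSH=")), None)  # None: hint not sent
    return {"tag": int(tag), "suite": suite, "key_b64": key_b64, "wsh": wsh,
            "srtcp_encrypted": "UNENCRYPTED_SRTCP" not in params}

def audit(line):
    """Return the findings for one a=crypto line (an empty list means clean)."""
    c = parse_crypto(line)
    if c is None:
        return ["malformed a=crypto line"]
    findings = []
    if c["suite"] not in PAGE_SUITES:
        findings.append("suite not in configured set: " + c["suite"])
    try:
        key_len = len(base64.b64decode(c["key_b64"], validate=True))
    except ValueError:  # bad alphabet or padding
        key_len = -1
    if key_len != KEY_SALT_LEN:
        findings.append("key||salt is not 30 bytes")
    if c["wsh"] is not None and not (c["wsh"].isdigit() and 64 <= int(c["wsh"]) <= 99):
        findings.append("WSH outside 64-99: " + c["wsh"])
    if not c["srtcp_encrypted"]:
        findings.append("SRTCP offered unencrypted")
    return findings

# Constructed sample lines; the key is a fixed test pattern, not a real key.
KEY = base64.b64encode(bytes(range(30))).decode()
GOOD = "a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:" + KEY + "|2^48 WSH=64"
FLAGGED = "a=crypto:2 AES_CM_128_HMAC_SHA1_32 inline:" + KEY + " WSH=32 UNENCRYPTED_SRTCP"
```

Calling audit(GOOD) returns an empty list, while audit(FLAGGED) reports the out-of-range window size hint and the unencrypted SRTCP offer.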
