DTLS-SRTP (Encrypted Media Keying)

DTLS-SRTP is the standard mechanism (RFC 5763) for negotiating SRTP encryption keys between two media endpoints over a DTLS handshake. It is the only keying method WebRTC supports, and it is the dominant encryption method for modern SIP media.

How it works

  1. The SDP offer/answer advertises the UDP/TLS/RTP/SAVPF profile (instead of plain RTP/AVP) and carries an a=fingerprint line with a hash of the endpoint's DTLS certificate, which binds the later handshake to the signaling.
  2. The endpoints run a DTLS handshake on the same UDP port that will carry RTP, and each side checks the peer's certificate against the fingerprint it received in SDP.
  3. The handshake's SRTP extension (use_srtp) negotiates the SRTP protection profile, and the SRTP master keys and salts are derived from the DTLS session; no key ever appears in the SDP.
  4. Subsequent RTP packets are SRTP-protected with those keys.
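As an added example (not code from the original page or from any vendor stack), a small Python audit of the signaling side of steps 1 to 3: it checks that an SDP offer negotiates DTLS-SRTP rather than SDES, verifies that the DTLS certificate presented in the handshake matches the SDP a=fingerprint, and partitions the DTLS key-exporter output into SRTP master keys and salts in the order RFC 5764 defines. The SDP text and the certificate bytes are constructed stand-ins, not real captures.

```python
import hashlib

FP_ALGOS = {"sha-1": hashlib.sha1, "sha-256": hashlib.sha256}

def parse_sdp(sdp):
    """Pull the fields DTLS-SRTP keying depends on out of an SDP blob."""
    info = {"profiles": [], "fingerprint": None, "crypto": []}
    for line in sdp.splitlines():
        if line.startswith("m="):
            info["profiles"].append(line.split()[2])       # e.g. UDP/TLS/RTP/SAVPF
        elif line.startswith("a=fingerprint:"):
            algo, fp = line[len("a=fingerprint:"):].split(None, 1)
            info["fingerprint"] = (algo.lower(), fp.replace(":", "").lower())
        elif line.startswith("a=crypto:"):
            info["crypto"].append(line)                    # SDES: key material in signaling
    return info

def fingerprint_matches(der_cert, algo, fp_hex):
    """True when the certificate seen in the DTLS handshake matches a=fingerprint."""
    h = FP_ALGOS.get(algo)
    return h is not None and h(der_cert).hexdigest() == fp_hex

def audit_sdp(sdp, peer_der_cert):
    """Defender-side checks: SDES keys, non-DTLS media profile, fingerprint mismatch."""
    info, findings = parse_sdp(sdp), []
    if info["crypto"]:
        findings.append("SDES a=crypto present: SRTP key readable by anyone who sees the signaling")
    for prof in info["profiles"]:
        if not prof.startswith("UDP/TLS/"):
            findings.append(f"media profile {prof} does not negotiate DTLS-SRTP")
    if info["fingerprint"] is None:
        findings.append("no a=fingerprint: DTLS certificate cannot be bound to the signaling")
    elif not fingerprint_matches(peer_der_cert, *info["fingerprint"]):
        findings.append("DTLS certificate fingerprint does not match a=fingerprint; reject the media")
    return findings

def split_srtp_keys(exporter_out, key_len=16, salt_len=14):
    """RFC 5764 4.2: the 'EXTRACTOR-dtls_srtp' exporter output is laid out as
    client_key | server_key | client_salt | server_salt.
    Defaults are the lengths for SRTP_AES128_CM_HMAC_SHA1_80."""
    if len(exporter_out) != 2 * (key_len + salt_len):
        raise ValueError("exporter output length does not match the negotiated profile")
    k = key_len
    return {"client_key": exporter_out[:k], "server_key": exporter_out[k:2 * k],
            "client_salt": exporter_out[2 * k:2 * k + salt_len],
            "server_salt": exporter_out[2 * k + salt_len:]}

# Constructed stand-in for a DER-encoded DTLS certificate (not a real certificate).
PEER_CERT = b"constructed-der-certificate-bytes"
FP = ":".join(f"{b:02X}" for b in hashlib.sha256(PEER_CERT).digest())
DTLS_OFFER = "v=0\r\nm=audio 49170 UDP/TLS/RTP/SAVPF 111\r\na=setup:actpass\r\n" + f"a=fingerprint:sha-256 {FP}\r\n"
SDES_OFFER = "v=0\r\nm=audio 49170 RTP/SAVP 0\r\na=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:CONSTRUCTED_NOT_A_REAL_KEY\r\n"
```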

vs SDES

SDES (Session Description Protocol Security Descriptions, RFC 4568) puts the SRTP key directly in the SDP a=crypto line. It works, but it is insecure if the SIP signaling channel is unencrypted, because the key is exposed to anyone who can read the SIP traffic; even with SIP over TLS the protection is only hop by hop, so every proxy or SBC on the signaling path still sees the key. Modern stacks default to DTLS-SRTP.

Compatibility

Asterisk pjsip 18+, FreeSWITCH 1.10+, Kamailio 5+ all support DTLS-SRTP natively. DIDHub trunks accept both DTLS-SRTP (for WebRTC clients) and unencrypted RTP (for PBX trunks on private networks).
