Signaling encryption, Media flow encryption – H3C Technologies H3C MSR 50 User Manual
Signaling encryption
TLS runs over TCP and provides authentication and encryption for application layer protocols such as
SIP. When a TLS connection is set up, the two sides authenticate each other with their digital
certificates and exchange traffic only after that authentication succeeds. With SIP over TLS, the SIP
messages are encrypted on the wire so that the signaling cannot be sniffed, which raises the security of
voice communications. Note that TLS protects one hop at a time: a SIP message is decrypted at every SIP
proxy or server on the path, so every hop must use TLS for the signaling to stay protected end to end.
Media flow encryption
RTP and RTCP are the supported media flow protocols. RTP carries real-time data such as audio and video
end to end. RTCP runs alongside RTP and carries reception reports that let the endpoints monitor the
transmission quality and adapt their sending rate. Together they keep the media path efficient with little
extra overhead.
Plain RTP and RTCP are transmitted in the clear: anyone who can capture the packets can replay the
audio. To protect the media path, the Secure Real-Time Transport Protocol (SRTP, RFC 3711) is used.
SRTP encrypts the RTP/RTCP payload, authenticates the entire RTP/RTCP packet (header included, so
the header fields cannot be altered either), and protects against packet replay.
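As an added illustration (not code from the H3C manual or from the device firmware), the following Python shows the receiver-side checks behind the last two properties: authentication of the entire packet with the truncated HMAC-SHA1 tag of the two crypto-suites listed in Table 240 (10 bytes for AES_CM_128_HMAC_SHA1_80, 4 bytes for AES_CM_128_HMAC_SHA1_32), the implicit packet index (rollover counter plus sequence number) and the sliding replay window of RFC 3711. The session authentication key, the RTP packets and the packet stream are constructed for the example; the AES counter-mode payload encryption step is left out because the Python standard library has no AES, so unprotect() returns the authenticated but still encrypted packet.

```python
import hashlib
import hmac
import struct

# Tag lengths for the two crypto-suites the device supports (RFC 4568 section 6.2):
# the HMAC-SHA1 output is truncated to 80 bits (10 bytes) or to 32 bits (4 bytes).
TAG_LEN = {"AES_CM_128_HMAC_SHA1_80": 10, "AES_CM_128_HMAC_SHA1_32": 4}
RTP_FIXED_HEADER = 12   # bytes; the sample packets carry no CSRC list or header extension


def srtp_auth_tag(auth_key, packet, roc, tag_len):
    """RFC 3711 section 4.2: HMAC-SHA1(k_a, authenticated portion || ROC), truncated.
    For SRTP the authenticated portion is the whole RTP packet (header plus the
    already encrypted payload), so a modified header fails authentication too;
    ROC is the 32-bit rollover counter appended big-endian."""
    mac = hmac.new(auth_key, packet + struct.pack("!I", roc), hashlib.sha1).digest()
    return mac[:tag_len]


def protect(auth_key, rtp_packet, roc, suite):
    """Sender side: append the truncated tag (AES-CM payload encryption not shown)."""
    return rtp_packet + srtp_auth_tag(auth_key, rtp_packet, roc, TAG_LEN[suite])


class SrtpReceiver:
    """Receiver state for one SRTP stream (RFC 3711 section 3.3): implicit index
    (ROC || SEQ) estimation, sliding replay window, authentication before use."""

    def __init__(self, auth_key, suite, window=64):
        self.auth_key = auth_key
        self.tag_len = TAG_LEN[suite]
        self.window = window
        self.roc = 0        # rollover counter, advanced only by authenticated packets
        self.s_l = None     # highest authenticated SEQ; None before the first packet
        self.seen = set()   # replay list: authenticated indices still inside the window

    def _estimate_roc(self, seq):
        """Guess which ROC the sender used for this SEQ (RFC 3711 section 3.3.1)."""
        if self.s_l is None:
            return self.roc
        if self.s_l < 32768:
            return (self.roc - 1) & 0xFFFFFFFF if seq - self.s_l > 32768 else self.roc
        return (self.roc + 1) & 0xFFFFFFFF if self.s_l - 32768 > seq else self.roc

    def unprotect(self, srtp_packet):
        """Return (accepted, reason, authenticated packet without its tag)."""
        if len(srtp_packet) < RTP_FIXED_HEADER + self.tag_len:
            return False, "truncated", None
        body, tag = srtp_packet[:-self.tag_len], srtp_packet[-self.tag_len:]
        seq = struct.unpack("!H", body[2:4])[0]
        roc = self._estimate_roc(seq)
        index = (roc << 16) | seq
        # Step 1: replay check against indices that were already authenticated.
        if self.s_l is not None:
            highest = (self.roc << 16) | self.s_l
            if index in self.seen or index + self.window <= highest:
                return False, "replay", None
        # Step 2: verify the tag (constant-time compare) before trusting any byte of the packet.
        expected = srtp_auth_tag(self.auth_key, body, roc, self.tag_len)
        if not hmac.compare_digest(expected, tag):
            return False, "auth-failure", None
        # Step 3: only an authenticated packet may advance ROC, s_l and the replay list.
        if self.s_l is None or index > ((self.roc << 16) | self.s_l):
            self.roc, self.s_l = roc, seq
        self.seen.add(index)
        highest = (self.roc << 16) | self.s_l
        self.seen = {i for i in self.seen if i + self.window > highest}
        return True, "ok", body   # payload still AES-CM encrypted; decrypting needs an AES library


def make_rtp(seq, payload, ssrc=0x11223344):
    """Constructed sample RTP packet: V=2, no padding/extension/CSRC, marker 0, PT 0 (PCMU)."""
    return struct.pack("!BBHII", 0x80, 0x00, seq, seq * 160, ssrc) + payload


def demo():
    """Run a short constructed stream through the receiver and report each outcome."""
    k_a = bytes.fromhex("00112233445566778899aabbccddeeff00112233")  # constructed 160-bit auth key
    suite = "AES_CM_128_HMAC_SHA1_80"
    rx = SrtpReceiver(k_a, suite)
    payload = b"\x55" * 20
    p1 = protect(k_a, make_rtp(65534, payload), 0, suite)
    p2 = protect(k_a, make_rtp(65535, payload), 0, suite)
    p3 = protect(k_a, make_rtp(0, payload), 1, suite)   # SEQ wrapped, so the sender's ROC is now 1
    tampered = bytearray(p2)
    tampered[RTP_FIXED_HEADER] ^= 0x01                   # flip one payload bit, keep the original tag
    short = protect(k_a, make_rtp(1, payload), 0, "AES_CM_128_HMAC_SHA1_32")
    return {
        "first": rx.unprotect(p1)[1],
        "tampered": rx.unprotect(bytes(tampered))[1],
        "second": rx.unprotect(p2)[1],
        "after_wrap": rx.unprotect(p3)[1],
        "roc_after_wrap": rx.roc,
        "replayed": rx.unprotect(p2)[1],
        "tag_len_80": len(p1) - len(make_rtp(65534, payload)),
        "tag_len_32": len(short) - len(make_rtp(1, payload)),
    }
```

The order of the three steps matters: the replay list is consulted first, the tag is verified next, and only an authenticated packet may move the rollover counter or the replay window, otherwise a forged packet with a high sequence number could push the window past legitimate traffic. The 32-bit tag of AES_CM_128_HMAC_SHA1_32 saves 6 bytes per packet but gives a forger a 1 in 2^32 chance per attempt, which is why the 80-bit suite is the usual default.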
SRTP first negotiates its keying material. On this device, that material is carried only in the crypto
attribute (a=crypto) of the Session Description Protocol (SDP) body of the SIP message, as defined by
SDP security descriptions (RFC 4568). The initiator sends its crypto attributes to the receiver in the
SDP offer. If the negotiation succeeds, the receiver answers with a matching crypto attribute that carries
its own key. Once the session is established, each end encrypts the RTP/RTCP packets it sends with its
own key and decrypts the packets it receives with the key of the peer.
Because the master keys travel in the SDP as base64 text, not encrypted, the SIP signaling that carries
them must itself be protected with SIP over TLS; otherwise anyone who can sniff the signaling obtains
the SRTP keys and can decrypt the media.
The crypto attribute consists of the following fields, which SDP negotiation uses:
Table 240 Cryptographic attributes
Attribute           Description                                                      Remarks
Tag                 Identifies one offered cryptographic attribute. The receiver     Required.
                    echoes the tag of the attribute it chose, so the offerer knows
                    which of the offered attributes was selected.
Crypto-suite        The encryption and authentication algorithms. The device         Required.
                    supports AES_CM_128_HMAC_SHA1_80 and AES_CM_128_HMAC_SHA1_32
                    (AES counter mode with a 128-bit key; HMAC-SHA1 tag truncated
                    to 80 or 32 bits).
Key parameters      The key information: the key method (inline) and the base64     Required.
                    encoded master key and master salt, optionally followed by a
                    key lifetime and an MKI.
Session parameters  Session parameters such as the key derivation rate (KDR),       Optional.
                    UNENCRYPTED_SRTP, UNENCRYPTED_SRTCP, UNAUTHENTICATED_SRTP        Not supported.
                    and FEC.
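The following Python, added here as an example and not taken from the H3C manual or the device, walks through the offer/answer exchange described above and the fields of Table 240: the initiator builds one a=crypto line per acceptable suite, the receiver parses the offer, skips lines it cannot use, echoes the chosen tag and suite with its own key, and both sides resolve which master key encrypts the packets they send and which decrypts the packets they receive. The sample offers, including one carrying the UNENCRYPTED_SRTP session parameter and one with an unsupported suite, are constructed inline with non-random placeholder keys; the function and constant names are the example's own.

```python
import base64
import os
import re
from dataclasses import dataclass

SUPPORTED_SUITES = ("AES_CM_128_HMAC_SHA1_80", "AES_CM_128_HMAC_SHA1_32")
KEY_LEN, SALT_LEN = 16, 14      # AES_CM_128 master key and master salt sizes (RFC 4568 section 6.2)
# a=crypto:<tag> <crypto-suite> <key-params> [<session-params>]
CRYPTO_RE = re.compile(r"^a=crypto:(\d+) (\S+) (\S+)(?: (.+))?$")


@dataclass(frozen=True)
class CryptoAttr:
    tag: int
    suite: str
    key_params: str
    session_params: tuple   # e.g. ("UNENCRYPTED_SRTP",); empty for the device described above


def parse_crypto(line):
    """Parse one a=crypto line into its four fields."""
    m = CRYPTO_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a crypto attribute: {line!r}")
    tag, suite, key_params, sess = m.groups()
    if not key_params.startswith("inline:"):
        raise ValueError("only the inline key method is defined by RFC 4568")
    return CryptoAttr(int(tag), suite, key_params, tuple(sess.split()) if sess else ())


def master_key_and_salt(attr):
    """key-params = inline:<base64(master key || master salt)>[|lifetime][|MKI:length]."""
    key_info = attr.key_params[len("inline:"):].split("|", 1)[0]
    raw = base64.b64decode(key_info, validate=True)
    if len(raw) != KEY_LEN + SALT_LEN:
        raise ValueError(f"expected {KEY_LEN + SALT_LEN} key||salt bytes, got {len(raw)}")
    return raw[:KEY_LEN], raw[KEY_LEN:]


def new_key_params():
    """Fresh random master key and salt as an inline key-param (never reused across sessions)."""
    return "inline:" + base64.b64encode(os.urandom(KEY_LEN + SALT_LEN)).decode()


def build_offer(suites=SUPPORTED_SUITES):
    """Initiator: one a=crypto line per acceptable suite, tags in order of preference."""
    return [f"a=crypto:{i} {suite} {new_key_params()}" for i, suite in enumerate(suites, 1)]


def build_answer(offer_lines):
    """Receiver: take the first offered line it supports; echo its tag and suite with its own key.
    Lines with session parameters are skipped because the device described above does not
    support them; accepting UNENCRYPTED_SRTP or UNAUTHENTICATED_SRTP would in any case
    strip the protection SRTP is there to provide."""
    for line in offer_lines:
        if not line.startswith("a=crypto:"):
            continue
        attr = parse_crypto(line)
        if attr.suite not in SUPPORTED_SUITES or attr.session_params:
            continue
        master_key_and_salt(attr)        # reject a malformed or wrongly sized key before answering
        return f"a=crypto:{attr.tag} {attr.suite} {new_key_params()}"
    return None                          # nothing usable: fail the call rather than fall back to plain RTP


def session_keys(offer_lines, answer_line):
    """Resolve the keys: each side encrypts with its own master key and decrypts with the peer's."""
    ans = parse_crypto(answer_line)
    offers = [parse_crypto(l) for l in offer_lines if l.startswith("a=crypto:")]
    chosen = next((o for o in offers if o.tag == ans.tag), None)
    if chosen is None or chosen.suite != ans.suite:
        raise ValueError("answer must echo the tag and crypto-suite of one offered line")
    return {
        "suite": ans.suite,
        "offerer": {"tx": master_key_and_salt(chosen), "rx": master_key_and_salt(ans)},
        "answerer": {"tx": master_key_and_salt(ans), "rx": master_key_and_salt(chosen)},
    }


# Constructed sample offers; the 30 key||salt bytes are a counter pattern for readability, not real keys.
SAMPLE_KEY = base64.b64encode(bytes(range(30))).decode()
SAMPLE_OFFER = [
    "m=audio 16384 RTP/SAVP 0",
    f"a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:{SAMPLE_KEY}|2^20|1:4",   # with lifetime and MKI
    f"a=crypto:2 AES_CM_128_HMAC_SHA1_32 inline:{SAMPLE_KEY}",
]
DOWNGRADE_OFFER = [
    f"a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:{SAMPLE_KEY} UNENCRYPTED_SRTP",   # plaintext RTP
    f"a=crypto:2 AES_CM_128_HMAC_SHA1_32 inline:{SAMPLE_KEY}",
]
UNSUPPORTED_OFFER = [f"a=crypto:1 F8_128_HMAC_SHA1_80 inline:{SAMPLE_KEY}"]
```

Two choices in build_answer() are the security-relevant ones: a line that cannot be used is skipped rather than accepted with a guessed suite, and an offer with no usable line yields None so that the caller rejects the call instead of silently continuing with unprotected RTP.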
When SRTP is used, the RTP/RTCP packets are encrypted and authenticated by the encryption engine if
it is enabled, and by the CPU otherwise. For more information about the encryption engine, see Security
Configuration Guide in H3C MSR Series Routers Configuration Guides (V5).
SRTP is available only for SIP calls. SIP trunk devices do not support SRTP. For information about SIP trunk,
see "Configuring SIP trunk."