Secure RTSP Streaming with SRTP

Protect your media streams with Secure Real-time Transport Protocol (SRTP). Enable encryption for RTSP publishing and playback using SAVP and SDP crypto attributes.

Introduction to SRTP

Secure Real-time Transport Protocol (SRTP) provides confidentiality, message authentication, and replay protection for RTP media streams. It is essential for securing sensitive audio and video transmissions over untrusted networks.

In RTSP, SRTP is negotiated via the Session Description Protocol (SDP). The key indicators are:

  • RTP/SAVP: Replaces RTP/AVP in the SDP's m= line, indicating that the stream uses the secure RTP profile (SRTP) instead of plain RTP.
  • a=crypto: SDP attribute that defines the encryption and authentication transform (e.g., AES_CM_128_HMAC_SHA1_80) and the inline master key.

1. Enabling SRTP for RTSP Publishing

Configure the Happytime RTSP Pusher to publish streams using SRTP encryption.

Configuration

Modify the RTSP Pusher configuration file by setting the <srtp> tag to 1 under the <pusher> section:

RTSP Pusher Configuration
<pusher>
    <src>test.mp4</src>
    <transfer>
        <mode>RTSP</mode>
        <rtspurl>rtsp://192.168.3.36/myapp/live</rtspurl>
        <user>admin</user>
        <pass>admin</pass>
    </transfer>
    <video>
        <!-- video settings -->
    </video>
    <audio>
        <!-- audio settings -->
    </audio>
    <metadata>0</metadata>
    <srtp>1</srtp>
</pusher>

Generated SDP

When SRTP is enabled, the pusher sends an ANNOUNCE request containing an SDP offer with SRTP parameters. Look for RTP/SAVP and a=crypto lines:

SDP Offer (SRTP Publishing)
v=0
o=- 0 0 IN IP4 192.168.3.36
c=IN IP4 192.168.3.36
s=session
t=0 0
a=control:*
m=video 0 RTP/SAVP 96
a=rtpmap:96 H264/90000
a=fmtp:96 packetization-mode=1;profile-level-id=42801F;sprop-parameter-sets=Z0KAH5ZSAKALdJQEBAUAAAMAAQAAAwAyhA==,aMuNSA==
a=control:realvideo
a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:KSO+hOFs1q5SkEnx8bvp67Om2zyHDD6ZJF4NHAa3
m=audio 0 RTP/SAVP 97
a=rtpmap:97 MPEG4-GENERIC/44100/2
a=fmtp:97 streamtype=5;profile-level-id=1;mode=AAC-hbr;sizelength=13;indexlength=3;indexdeltalength=3;config=121056E500
a=control:realaudio
a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:R96zEk3IQ7uLph8DWn0JOCUfXdTL/Jb1RTsTDYkK

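Note: The inline: value is the base64-encoded master key and master salt, from which the SRTP session keys are derived. It travels inside the SDP on the RTSP control channel, so unless that channel (typically TCP) is protected with TLS, the key is transmitted in the clear and anyone who can observe the setup exchange can decrypt the media.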
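The check described above (RTP/SAVP on every m= line, plus an a=crypto attribute whose inline key has the right length for its suite) can be automated against a captured SDP. The following is an added example, not code from Happytime or from the original page; the function names audit_sdp and check_crypto, the two-suite table, and the sample SDP are assumptions made for illustration.

```python
import base64

# Bytes of master key + master salt per SDES crypto suite (RFC 4568, RFC 6188).
KEY_SALT_LEN = {
    "AES_CM_128_HMAC_SHA1_80": 30,  # 16-byte key + 14-byte salt
    "AES_256_CM_HMAC_SHA1_80": 46,  # 32-byte key + 14-byte salt
}

def check_crypto(value):
    """Validate the text after 'a=crypto:' and return a list of problems."""
    fields = value.split()
    if len(fields) < 3 or not fields[2].startswith("inline:"):
        return ["malformed a=crypto line"]
    suite, key_b64 = fields[1], fields[2][len("inline:"):].split("|")[0]
    if suite not in KEY_SALT_LEN:
        return [f"unexpected suite {suite}"]
    try:
        key = base64.b64decode(key_b64, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return ["inline key is not valid base64"]
    if len(key) != KEY_SALT_LEN[suite]:
        return [f"key+salt is {len(key)} bytes, expected {KEY_SALT_LEN[suite]}"]
    return []

def audit_sdp(sdp):
    """Return {media: [problems]} per m= section; an empty list means it passed."""
    report, media, keyed = {}, None, set()
    for line in (raw.strip() for raw in sdp.splitlines()):
        if line.startswith("m="):
            media, _port, proto = line[2:].split()[:3]
            report[media] = [] if proto == "RTP/SAVP" else [f"profile is {proto}, not RTP/SAVP"]
        elif media and line.startswith("a=crypto:"):
            keyed.add(media)
            report[media] += check_crypto(line[len("a=crypto:"):])
    for name in report:
        if name not in keyed:
            report[name].append("no a=crypto attribute")
    return report

# Constructed sample: video is protected, audio fell back to plain RTP.
GOOD_KEY = base64.b64encode(bytes(range(30))).decode()
SAMPLE_SDP = f"""v=0
m=video 0 RTP/SAVP 96
a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:{GOOD_KEY}
m=audio 0 RTP/AVP 97
"""

if __name__ == "__main__":
    print(audit_sdp(SAMPLE_SDP))
```

A media section that silently falls back to RTP/AVP is the case worth alerting on, since the rest of the session still looks protected.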

2. Enabling SRTP for RTSP Playback

Request SRTP-encrypted streams from the media server for secure playback.

URL Parameter

The media server supports the srtp URL parameter to enable SRTP for RTSP playback:

Playback URL with SRTP
rtsp://[serverip]:[serverport]/[application-name]/test.mp4?srtp=1

When this URL is requested, the server will respond with an SDP answer that includes RTP/SAVP and a=crypto attributes, indicating it will send encrypted media.

Example SDP Answer (Client Perspective)

The client (e.g., FFplay) will receive an SDP similar to this:

SDP Answer (SRTP Playback)
v=0
o=- 1234567890 1234567890 IN IP4 192.168.3.36
s=Session streamed by "Happytime Media Server"
i=test.mp4
t=0 0
a=tool:Happytime Media Server
a=type:broadcast
a=control:*
m=video 0 RTP/SAVP 96
c=IN IP4 0.0.0.0
b=AS:4000
a=rtpmap:96 H264/90000
a=fmtp:96 packetization-mode=1;profile-level-id=42801F;sprop-parameter-sets=Z0KAH5ZSAKALdJQEBAUAAAMAAQAAAwAyhA==,aMuNSA==
a=control:streamid=0
a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:KSO+hOFs1q5SkEnx8bvp67Om2zyHDD6ZJF4NHAa3
m=audio 0 RTP/SAVP 97
c=IN IP4 0.0.0.0
b=AS:128
a=rtpmap:97 MPEG4-GENERIC/44100/2
a=fmtp:97 streamtype=5;profile-level-id=1;mode=AAC-hbr;sizelength=13;indexlength=3;indexdeltalength=3;config=121056E500
a=control:streamid=1
a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:R96zEk3IQ7uLph8DWn0JOCUfXdTL/Jb1RTsTDYkK

Testing SRTP Streams

Use ffplay to test SRTP playback. It automatically handles the SRTP key from the SDP.

Test Command

FFplay Command
ffplay "rtsp://192.168.3.36/myapp/live?srtp=1"

If successful, ffplay will establish the RTSP session, receive the SRTP-enabled SDP, and decrypt the incoming RTP packets using the keys provided in the a=crypto attribute.

You can also use ffmpeg to save the decrypted stream:

FFmpeg Command
ffmpeg -i "rtsp://192.168.3.36/myapp/live?srtp=1" -c copy output.mp4

Security Considerations

  • Key Exchange: This example uses inline keys in SDP, which are not secure over unencrypted control channels. For production, consider using key management protocols like MIKEY or DTLS-SRTP.
  • Cipher Suite: AES_CM_128_HMAC_SHA1_80 is widely supported but uses SHA-1. For higher security, prefer AES_CM_128_HMAC_SHA256_80 if both endpoints support it.
  • Control Channel: Always secure the RTSP control connection (TCP) with TLS (rtsps:// instead of rtsp://) to protect the SRTP master key during exchange.