Secure RTSP with SRTP

Protect your real-time video streams using Secure RTP (SRTP). Learn how to publish and play encrypted streams with Happytimesoft.

What is SRTP?

Secure Real-time Transport Protocol (SRTP) encrypts RTP media packets, protecting your video and audio streams from eavesdropping.

In this setup, the SRTP cryptographic keys are passed in the SDP (Session Description Protocol) offer/answer to establish a secure session.

The indicators of SRTP in SDP are the RTP/SAVP transport and the a=crypto attribute.

SRTP Basics

  • Transport: RTP/SAVP (Secure Audio/Video Profile) instead of RTP/AVP.
  • Crypto Attribute: a=crypto:tag cipher-suite key-method:key
  • Common Cipher: AES_CM_128_HMAC_SHA1_80 - 128-bit AES encryption with 80-bit authentication.
  • Key Method: inline: - The base64-encoded key is embedded directly in the SDP.

Note: While inline keys are convenient for testing, they are not truly secure as the key is visible in the SDP. For production, consider using external keying (e.g., DTLS-SRTP) if supported.

1. Publishing an SRTP Stream

Use Happytime RTSP Pusher to publish a media file as an encrypted SRTP stream.

Configuration (rtsppusher.cfg)

<pusher>
    <src>test.mp4</src>
    <transfer>
        <mode>RTSP</mode>
        <rtspurl>rtsp://192.168.3.36/myapp/live</rtspurl>
        <user>admin</user>
        <pass>admin</pass>
    </transfer>
    <video>
        <!-- Video settings -->
    </video>
    <audio>
        <!-- Audio settings -->
    </audio>
    <metadata>0</metadata>
    <!-- Enable SRTP -->
    <srtp>1</srtp>
</pusher>

Resulting SDP (in ANNOUNCE)

SDP Offer
v=0
o=- 0 0 IN IP4 192.168.3.36
c=IN IP4 192.168.3.36
s=session
t=0 0
a=control:*
m=video 0 RTP/SAVP 96
a=rtpmap:96 H264/90000
a=fmtp:96 packetization-mode=1;profile-level-id=42801F
a=control:realvideo
a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:KSO+hOFs1q5SkEnx8bvp67Om2zyHDD6ZJF4NHAa3
m=audio 0 RTP/SAVP 97
a=rtpmap:97 MPEG4-GENERIC/44100/2
a=fmtp:97 streamtype=5;profile-level-id=1;mode=AAC-hbr;config=121056E500
a=control:realaudio
a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:R96zEk3IQ7uLph8DWn0JOCUfXdTL/Jb1RTsTDYkK

The RTP/SAVP and a=crypto lines confirm SRTP is enabled. The server will use these keys to encrypt the RTP packets.
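
The check described above can be automated. The following is an added example, not Happytimesoft code: it audits each media section of an SDP body for the RTP/SAVP transport and an a=crypto line, and also verifies that the inline value decodes to the 30 bytes (16-byte master key plus 14-byte master salt) that AES_CM_128_HMAC_SHA1_80 requires. The function names and the sample SDP are constructed for illustration.

```python
import base64

# Master key + master salt length in bytes for each SDES crypto suite (RFC 4568).
KEY_SALT_LEN = {"AES_CM_128_HMAC_SHA1_80": 30, "AES_CM_128_HMAC_SHA1_32": 30}

def check_crypto(value):
    """Validate the text after 'a=crypto:'; return a problem string or None."""
    fields = value.split()
    if len(fields) < 3 or not fields[2].startswith("inline:"):
        return "malformed a=crypto attribute"
    suite, key_info = fields[1], fields[2][len("inline:"):]
    if suite not in KEY_SALT_LEN:
        return f"unsupported cipher suite {suite}"
    try:  # optional |lifetime|MKI parameters may follow the base64 key material
        raw = base64.b64decode(key_info.split(";")[0].split("|")[0], validate=True)
    except ValueError:
        return "inline key is not valid base64"
    if len(raw) != KEY_SALT_LEN[suite]:
        return f"key material is {len(raw)} bytes, expected {KEY_SALT_LEN[suite]}"
    return None

def audit_sdp(sdp):
    """Return [(media, problems)] per m= section; an empty list means SRTP-ready."""
    sections = []  # each entry: [media kind, problems, saw a=crypto]
    for line in map(str.strip, sdp.splitlines()):
        if line.startswith("m="):
            kind, _port, proto = (line[2:].split() + ["?", "?", "?"])[:3]
            problems = [] if proto == "RTP/SAVP" else [f"transport {proto} is not RTP/SAVP"]
            sections.append([kind, problems, False])
        elif line.startswith("a=crypto:") and sections:
            sections[-1][2] = True
            problem = check_crypto(line[len("a=crypto:"):])
            if problem:
                sections[-1][1].append(problem)
    for s in sections:
        if not s[2]:
            s[1].append("no a=crypto attribute")
    return [(s[0], s[1]) for s in sections]

# Constructed sample with dummy all-zero keys: good video, plain-RTP audio, truncated key.
SAMPLE_SDP = f"""v=0
m=video 0 RTP/SAVP 96
a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:{base64.b64encode(bytes(30)).decode()}
m=audio 0 RTP/AVP 97
m=application 0 RTP/SAVP 98
a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:{base64.b64encode(bytes(16)).decode()}
"""
```

Calling audit_sdp(SAMPLE_SDP) returns one entry per media section, so a stream that silently fell back to RTP/AVP or carries a malformed key is reported by name.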

2. Playing an SRTP Stream

Use the Happytime RTSP Server to serve a file and enable SRTP playback via URL parameter.

Playback URL

Enable SRTP Playback
rtsp://[serverip]:[serverport]/test.mp4?srtp=1

Appending ?srtp=1 to the RTSP URL signals the server to initiate an SRTP session.

Testing with FFmpeg/FFplay

Use open-source tools to test your SRTP setup.

Test SRTP Playback

Command
ffplay "rtsp://192.168.3.36/myapp/live?srtp=1"

If configured correctly, FFplay will negotiate SRTP and decrypt the stream using the keys from the SDP.

Best Practices

  • Key Security: Avoid inline keys over unprotected signaling in production. Use DTLS-SRTP, or SDES with secure signaling, for key exchange.
  • Compatibility: Ensure both client and server support the same SRTP cipher suite (e.g., AES_CM_128_HMAC_SHA1_80).
  • Firewall: SRTP uses the same ports as RTP, but the encrypted payload may affect deep packet inspection.
  • Authentication: Combine SRTP with RTSP authentication (user/pass) for defense in depth.
  • Testing: Use Wireshark to verify RTP packets are encrypted (payload should be random-looking).