In this blog entry we describe Master Key Identifier feature in Secure RTP and the addition of this feature to FreeSWITCH platform.
FreeSWITCH and Skype For Business
FreeSWITCH is a media processing platform and a very popular software for VOIP telephony, WebRTC, audio and video conferencing. It supports multiple protocols, audio/video profiles and implements range of multimedia endpoints. Unfortunately, up till now FreeSWITCH couldn’t be used with Skype For Business because of the limitation of it’s Secure RTP protocol implementation. The MKI feature was missing.
MKI is a Master Key Identifier send in SRTP packet to associate an incoming packet with a particular master key. It can be used as a security enhancement to the SRTP endpoint which can arrange for the change of the security key by expiring the key or by issuing the dynamic request. It is described in RFC 4568 – Session Description Protocol (SDP) Security Descriptions for Media Streams.
An example of SDP with MKI is:
o=- 177 1 IN IP4 126.96.36.199
c=IN IP4 188.8.131.52
m=audio 50638 RTP/SAVP 97 101 13 0 8
c=IN IP4 184.108.40.206
a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:zl7kZCox/PtpvvL87wX9N2HyPSS7Lph4HftGQWBQ|2^31|1:1
a=crypto:2 AES_CM_128_HMAC_SHA1_80 inline:HSC2fkk7oSQ+a1JgmdhWpMoDmFDfILC+Z248whUE|2^31
Two crypto attributes are present in this media description. Both crypto use AES_CM_128_HMAC_SHA1_80 suite for encryption/decryption. The first crypto identified with tag :1 contains a master key “in line” with lifetime of 2^31 packets and identified by Master Key Index of 1, 1 byte in size in RTP packet. Second crypto contains security key with it’s lifetime only.
If the SDP response sent to Skype For Business doesn’t contain MKI, the call get’s rejected or packet decryption fails and audio can’t be played correctly.
In November 2017, Data And Signal worked with FreeSWITCH and Telnyx – VOIP infrastructure provider. The result of this effort is the support for MKI added to the FreeSWITCH’s implementation of SRTP. FreeSWITCH now parses master keys with their indices as per RFC 4568 and maps the MKI incoming in RTP packets to specific master key. From then on, the packets are decrypted properly and calls between Skype For Business clients and the FreeSWITCH platform can be connected.
New feature is available in FreeSWITCH Advantage.
RFC 1890 – RTP Profile for Audio and Video Conferences with Minimal Control
RFC 3550 – RTP: A Transport Protocol for Real-Time Applications
RFC 3551 – RTP Profile for Audio and Video Conferences with Minimal Control
RFC 4568 – Session Description Protocol (SDP) Security Descriptions for Media Streams
RFC 3711 – The Secure Real-time Transport Protocol (SRTP)