Need Stronger SRTP Ciphers (256 Bit)

Home » Asterisk Users » Need Stronger SRTP Ciphers (256 Bit)
Asterisk Users 2 Comments

Hi folks,

At least several endpoints (soft phone and desk phones) are supporting various 256 bit ciphers for SRTP these days. I *believe* libsrtp has been updated to allow this, and that only the code in Asterisk has not been been updated to allow these stronger ciphers.

Would anyone with the know-how be willing/able to submit a patch ?

Thank you,

Kevin Long

2 thoughts on - Need Stronger SRTP Ciphers (256 Bit)

  • Some more information (would love some thoughts on this, I have never submitted a patch yet).

    Groundwire (Popular SIP app) supports the following cipher suites for SRTP:

    AES_CM_128_HMAC_SHA1_32
    AES_CM_128_HMAC_SHA1_80
    AES_CM_192_HMAC_SHA1_32
    AES_CM_192_HMAC_SHA1_80
    AES_CM_256_HMAC_SHA1_32
    AES_CM_256_HMAC_SHA1_80
    AEAD_AES_128_GCM
    AEAD_AES_256_GCM

    I see in the asterisk 13.9.1 source tarsal, in res/res_srtp.c :

    Could adding support for the above cipher suites be as simple as adding more options to this switch/case statement with the appropriate parameters or is there more to it?

    Thank you!

    static int policy_set_suite(crypto_policy_t *p, enum ast_srtp_suite suite)
    {
    switch (suite) {
    case AST_AES_CM_128_HMAC_SHA1_80:
    p->cipher_type = AES_128_ICM;
    p->cipher_key_len = 30;
    p->auth_type = HMAC_SHA1;
    p->auth_key_len = 20;
    p->auth_tag_len = 10;
    p->sec_serv = sec_serv_conf_and_auth;
    return 0;

    case AST_AES_CM_128_HMAC_SHA1_32:
    p->cipher_type = AES_128_ICM;
    p->cipher_key_len = 30;
    p->auth_type = HMAC_SHA1;
    p->auth_key_len = 20;
    p->auth_tag_len = 4;
    p->sec_serv = sec_serv_conf_and_auth;
    return 0;

    default:
    ast_log(LOG_ERROR, “Invalid crypto suite: %u\n”, suite);

  • Kevin Long wrote:

    It could maybe be as simple as that, but until it is attempted it’s unknown what other stuff may need to be adjusted.

    Cheers,