WebRTC mandates encryption of media by means of the Secure Real-time Transport Protocol, or SRTP, which is described in RFC 3711.
Unencrypted RTP can be enabled for debugging purposes by setting the PeerConnection's disable_encryption option to true.
The implementation supports the following cipher suites:
The SRTP_AES128_CM_HMAC_SHA1_32 cipher suite is accepted for audio-only connections if offered by the other side. It is not actively supported; see SelectCrypto for details.
The cipher suite ordering allows a non-WebRTC peer to prefer GCM cipher suites; however, two instances of the WebRTC library do not select them by default.
Encryption and decryption happen in-place in the
UnprotectRtcp methods. The
SrtpSession class also takes care of initializing and deinitializing
libsrtp by keeping track of how many instances are being used.
webrtc::DtlsSrtpTransport is a subclass of the
SrtpTransport that extracts the keying material when the DTLS handshake is done and configures it in its base class. It also becomes writable only once the DTLS handshake is done.
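The keying-material step described above, as an added example that is not code from the WebRTC library: per RFC 5764, the DTLS exporter output for the label "EXTRACTOR-dtls_srtp" is split into client and server master keys and salts, and each side picks its send and receive keys by DTLS role. The names SplitDtlsSrtpKeys, SrtpKeys and ProfileSizes are hypothetical, and the input bytes are constructed.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

// Master key / master salt sizes in bytes (RFC 5764 for AES-CM, RFC 7714 for GCM).
struct ProfileSizes { size_t key_len; size_t salt_len; };
constexpr ProfileSizes kAes128Cm{16, 14};   // SRTP_AES128_CM_HMAC_SHA1_80 and _32
constexpr ProfileSizes kAes128Gcm{16, 12};  // SRTP_AEAD_AES_128_GCM
constexpr ProfileSizes kAes256Gcm{32, 12};  // SRTP_AEAD_AES_256_GCM

// Hypothetical container: master key || master salt for each direction.
struct SrtpKeys { std::vector<uint8_t> send, recv; };

// Splits exporter output laid out as (RFC 5764, section 4.2):
//   client_key | server_key | client_salt | server_salt
// Returns false on any length mismatch so a short or oversized export is
// never interpreted as key material for the wrong profile.
bool SplitDtlsSrtpKeys(const std::vector<uint8_t>& exported, ProfileSizes p,
                       bool is_dtls_client, SrtpKeys* out) {
  if (exported.size() != 2 * (p.key_len + p.salt_len)) return false;
  const uint8_t* client_key = exported.data();
  const uint8_t* server_key = client_key + p.key_len;
  const uint8_t* client_salt = server_key + p.key_len;
  const uint8_t* server_salt = client_salt + p.salt_len;

  auto join = [&p](const uint8_t* key, const uint8_t* salt) {
    std::vector<uint8_t> v(key, key + p.key_len);
    v.insert(v.end(), salt, salt + p.salt_len);
    return v;
  };
  // Each side sends with its own role's write key and receives with the peer's.
  std::vector<uint8_t> client = join(client_key, client_salt);
  std::vector<uint8_t> server = join(server_key, server_salt);
  out->send = is_dtls_client ? client : server;
  out->recv = is_dtls_client ? server : client;
  return true;
}

int main() {
  // Constructed sample: bytes 0x00..0x3b stand in for real exporter output.
  std::vector<uint8_t> exported(60);
  for (size_t i = 0; i < exported.size(); ++i) exported[i] = static_cast<uint8_t>(i);
  SrtpKeys keys;
  if (!SplitDtlsSrtpKeys(exported, kAes128Cm, /*is_dtls_client=*/true, &keys)) return 1;
  std::printf("send key starts 0x%02x, recv key starts 0x%02x\n",
              static_cast<unsigned>(keys.send[0]), static_cast<unsigned>(keys.recv[0]));
  return 0;
}
```

The send and receive keys of the two roles mirror each other, which is why a wrong role assignment shows up as authentication failures on every packet rather than as a handshake error.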
The cricket::SrtpFilter class is used to negotiate SDES.