Real-time / Web

DTLS-SRTP (Encrypted Media Keying)

DTLS-SRTP is the standard mechanism (RFC 5763) for negotiating SRTP encryption keys between two media endpoints over a DTLS handshake. It is the only keying method WebRTC supports, and it is the dominant encryption method for modern SIP media.

How it works

1. SDP offer/answer advertises UDP/TLS/RTP/SAVPF (instead of plain RTP/AVP) and a fingerprint of the endpoint's DTLS certificate.
2. Endpoints exchange a DTLS handshake on the same port that will carry RTP.
3. The DTLS handshake's SRTP profile extension yields the SRTP master keys.
4. Subsequent RTP packets are SRTP-encrypted using those keys.

vs SDES

SDES (Session Description Protocol Security Descriptions) puts the SRTP key directly in the SDP a=crypto line. It works but is insecure if the SIP signaling channel is unencrypted, because the key is exposed to anyone who can read the SIP traffic. Modern stacks default to DTLS-SRTP.

Compatibility

Asterisk pjsip 18+, FreeSWITCH 1.10+, Kamailio 5+ all support DTLS-SRTP natively. DIDHub trunks accept both DTLS-SRTP (for WebRTC clients) and unencrypted RTP (for PBX trunks on private networks).

Related terms

Related glossary terms

Asterisk (open-source PBX framework)

Asterisk is the original open-source telephony framework, started by Mark Spencer in 1999. It is a Class 5 PBX engine: it terminates SIP/IAX

Read →

Attestation Levels (A, B, C)

Attestation levels are the three trust ratings that an originating carrier assigns to outbound calls under STIR/SHAKEN. They tell the termin

Read →

Auto-Provisioning (zero-touch desk phone setup)

Auto-provisioning is how you deploy 50, 500, or 50,000 desk phones without manually configuring each one. The phone boots, fetches its confi

Read →

BYOC (Bring Your Own Carrier)

BYOC is a deployment model where you use a third-party SaaS platform (Vapi, Retell, Microsoft Teams, Zoom Phone, Twilio Flex) for the call-c

Read →