
Secure media between two SIP Clients

Secure voice communication over SIP (Session Initiation Protocol) needs two things: protecting the signalling and protecting the media (the audio and video streams), which travel separately from the signalling. This article explains how secure media works and compares two widely used methods for keying it, SDES-SRTP and DTLS-SRTP, with a focus on how each handles key exchange.

1. Securing media: SRTP Overview

Audio/video in SIP calls is carried using RTP (Real-time Transport Protocol). To secure it, we use SRTP (Secure RTP, RFC 3711), which provides:

  • Encryption of the payload (AES in counter mode, AES-CM)
  • Integrity protection of each packet (HMAC-SHA1 authentication tag)
  • Replay protection (a sliding window over sequence numbers)

But SRTP does not define how encryption keys are exchanged.
That’s where SDES-SRTP and DTLS-SRTP come in.

2. SDES-SRTP (Session Description Protocol Security Descriptions)

SDES-SRTP (RFC 4568) carries the SRTP master keys inside the SIP signalling, as SDP attributes exchanged during the SIP offer/answer process.

It works in the following way:

  • The caller sends a SIP INVITE whose SDP body contains one a=crypto line per offered crypto suite, for example:
    a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:base64_key_A

    The line carries a tag (1), the crypto suite (AES-128 in counter mode with an 80-bit HMAC-SHA1 tag) and the keying material: the caller's master key and master salt, concatenated and base64-encoded after "inline:".

  • The callee picks a crypto suite it supports from the offer and replies in the 200 OK/SDP with its own key under the same tag and suite:
    a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:base64_key_B
  • After the offer/answer exchange each side protects the media it sends with its own key and decrypts what it receives with the peer's key: the caller encrypts outbound SRTP with base64_key_A and decrypts inbound SRTP with base64_key_B; the callee does the reverse.

The keys are exchanged entirely via SIP signalling (SDP), and that has an important consequence:
using SDES-SRTP with SIP over plain UDP or TCP (without TLS) is fundamentally insecure, because the SRTP master keys travel in cleartext and anyone who can read the signalling can decrypt the media.

Switching to SIP over TLS (SIPS) fixes the on-the-wire exposure, as the SDP (and with it the keys) is encrypted in transit.
However, TLS in SIP is hop-by-hop, not end-to-end: every SIP proxy, SBC or registrar in the path terminates TLS, reads the SDP and therefore sees the master keys. With SDES-SRTP the media is only as confidential as every hop of the signalling path.
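The offer/answer exchange above, worked through in code. This is an added example and not Siprix code: it builds and parses a=crypto lines for the RFC 4568 suites, lets the callee pick a suite and answer with its own key, assigns the send/receive keys on each side, and shows what a passive observer of unencrypted signalling learns from the SDP. The SDP fragments, keys and the helper names are all constructed for the example.

```python
"""SDES-SRTP a=crypto offer/answer and key assignment (RFC 4568).
Added example; not part of the Siprix SDK. SDP text below is constructed."""
import base64
import re
import secrets

# (master key length, master salt length) in bytes for the RFC 4568 suites.
# inline: carries base64(master_key || master_salt), i.e. 30 bytes for all three.
SUITES = {
    "AES_CM_128_HMAC_SHA1_80": (16, 14),
    "AES_CM_128_HMAC_SHA1_32": (16, 14),
    "F8_128_HMAC_SHA1_80": (16, 14),
}

_CRYPTO = re.compile(r"^a=crypto:(\d+) ([A-Za-z0-9_]+) inline:([^ ]+)(?: (.*))?$")


def make_crypto_line(tag, suite, key_salt=None):
    """Produce an a=crypto line; key_salt defaults to fresh random bytes."""
    key_len, salt_len = SUITES[suite]
    if key_salt is None:
        key_salt = secrets.token_bytes(key_len + salt_len)
    if len(key_salt) != key_len + salt_len:
        raise ValueError("key||salt must be %d bytes" % (key_len + salt_len))
    return "a=crypto:%d %s inline:%s" % (tag, suite, base64.b64encode(key_salt).decode())


def parse_crypto_line(line):
    """Split an a=crypto line into tag, suite, master key/salt and key params.
    Raises ValueError for unknown suites or a key||salt of the wrong length."""
    m = _CRYPTO.match(line.strip())
    if not m:
        raise ValueError("not an a=crypto line: %r" % line)
    tag, suite, key_params, session_params = m.groups()
    if suite not in SUITES:
        raise ValueError("unsupported crypto suite %s" % suite)
    key_len, salt_len = SUITES[suite]
    # key params are <key||salt>[|lifetime][|MKI:length]
    fields = key_params.split("|")
    key_salt = base64.b64decode(fields[0], validate=True)
    if len(key_salt) != key_len + salt_len:
        raise ValueError("expected %d key||salt bytes, got %d" % (key_len + salt_len, len(key_salt)))
    lifetime = mki = None
    for f in fields[1:]:
        if ":" in f:
            mki = f
        else:
            lifetime = f
    return {"tag": int(tag), "suite": suite,
            "master_key": key_salt[:key_len], "master_salt": key_salt[key_len:],
            "lifetime": lifetime, "mki": mki, "session_params": session_params}


def is_valid_crypto_line(line):
    """True when the line parses and its key material has the right length."""
    try:
        parse_crypto_line(line)
        return True
    except ValueError:
        return False


def answer_crypto(offer_lines, supported):
    """Callee side: take the first offered suite we support and answer with
    our own key under the same tag and suite. No common suite means no call."""
    for line in offer_lines:
        try:
            offered = parse_crypto_line(line)
        except ValueError:
            continue
        if offered["suite"] in supported:
            return make_crypto_line(offered["tag"], offered["suite"])
    raise ValueError("no common crypto suite; secure media cannot be set up")


def srtp_keys(local_line, remote_line):
    """Each party encrypts what it sends with its own master key and decrypts
    what it receives with the peer's master key."""
    local, remote = parse_crypto_line(local_line), parse_crypto_line(remote_line)
    if local["suite"] != remote["suite"] or local["tag"] != remote["tag"]:
        raise ValueError("offer/answer crypto mismatch")
    return {"send": local["master_key"], "recv": remote["master_key"]}


def keys_visible_in_sdp(sdp_text):
    """What a passive observer of unencrypted signalling learns: every master
    key in the SDP, recoverable with a single base64 decode."""
    return [parse_crypto_line(l)["master_key"]
            for l in sdp_text.splitlines() if l.startswith("a=crypto:")]


if __name__ == "__main__":
    offer = [make_crypto_line(1, "AES_CM_128_HMAC_SHA1_80"),
             make_crypto_line(2, "AES_CM_128_HMAC_SHA1_32")]
    answer = answer_crypto(offer, {"AES_CM_128_HMAC_SHA1_80"})
    caller, callee = srtp_keys(offer[0], answer), srtp_keys(answer, offer[0])
    assert caller["send"] == callee["recv"] and caller["recv"] == callee["send"]
    sdp = "v=0\r\nm=audio 4000 RTP/SAVP 0\r\n" + offer[0] + "\r\n"  # constructed
    print("observer of plain-UDP SIP recovers:", keys_visible_in_sdp(sdp)[0].hex())
```

keys_visible_in_sdp is the whole argument for TLS (and for distrusting intermediaries): the master key is not derived from anything, it is simply written into the SDP, so whoever reads the signalling holds it.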

3. DTLS-SRTP (Datagram TLS for SRTP)

DTLS-SRTP (RFC 5764) performs the key exchange directly between the endpoints over the media path (UDP packets on the ports negotiated and opened for media), not via SIP signalling.
Key idea: run a DTLS handshake (TLS adapted to datagram transport, so it works over UDP) between the endpoints and derive the SRTP keys from it.

How Key Exchange Works (DTLS)

  • SIP signalling negotiates DTLS usage by adding to the SDP a fingerprint of the endpoint's certificate and its DTLS role (RFC 5763):
    a=fingerprint:sha-256 <hex digest of the endpoint's certificate>
    a=setup:actpass
    The offerer uses actpass; the answerer replies with active (it becomes the DTLS client) or passive (DTLS server).
  • Once the SDP is exchanged the endpoints start the DTLS handshake on the same UDP ports as RTP; DTLS and (S)RTP packets share the port and are told apart by the first byte of each packet.
  • DTLS handshake: the endpoints exchange (usually self-signed) certificates, verify that the peer's certificate matches the fingerprint received in the SDP, and perform the key agreement (e.g., ECDHE).
  • The SRTP master keys and salts are exported from the DTLS session (the DTLS-SRTP key exporter); no key material is transmitted in SIP.

This gives true end-to-end key exchange: proxies on the signalling path see only a certificate fingerprint, never a key. The security of the scheme rests on that fingerprint reaching the peer unmodified, so the signalling still needs integrity protection (TLS or a signed identity): an attacker who can rewrite the SDP can substitute their own fingerprint and sit in the middle of the media. DTLS-SRTP is also more complex and adds setup latency, since the handshake needs extra round trips on the media path before media can flow.
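The fingerprint check and role selection described above, as an added example (not Siprix code). It formats a certificate fingerprint the way RFC 8122 puts it into SDP, parses the a=fingerprint and a=setup attributes, derives which side is the DTLS client, and verifies the certificate presented during the handshake against the peer's advertised fingerprint. The "certificates" are constructed byte strings standing in for real DER encodings; the fingerprint is simply the hash of the DER bytes, so nothing else about the certificate matters here. The function names are the example's own.

```python
"""DTLS-SRTP: SDP fingerprint verification and a=setup role selection
(RFC 8122, RFC 5763, RFC 4145). Added example; not part of the Siprix SDK."""
import hashlib
import hmac
import re

# Hash functions we are willing to verify fingerprints with (sha-256 is mandatory to implement).
HASHES = {"sha-1": hashlib.sha1, "sha-256": hashlib.sha256, "sha-512": hashlib.sha512}


def fingerprint(cert_der, hash_func="sha-256"):
    """RFC 8122 format: upper-case hex octets separated by colons."""
    digest = HASHES[hash_func](cert_der).digest()
    return ":".join("%02X" % b for b in digest)


def fingerprint_attr(cert_der, hash_func="sha-256"):
    """The SDP attribute an endpoint puts in its offer or answer."""
    return "a=fingerprint:%s %s" % (hash_func, fingerprint(cert_der, hash_func))


_FP = re.compile(r"^a=fingerprint:([A-Za-z0-9-]+) ([0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2})+)$")


def parse_dtls_attrs(sdp_text):
    """Collect the fingerprint(s) and the a=setup value from an SDP body."""
    fps, setup = [], None
    for raw in sdp_text.splitlines():
        line = raw.strip()
        m = _FP.match(line)
        if m:
            fps.append((m.group(1).lower(), m.group(2).upper()))
        elif line.startswith("a=setup:"):
            setup = line[len("a=setup:"):]
    return {"fingerprints": fps, "setup": setup}


def answer_setup(offer_setup, prefer="active"):
    """Answerer's a=setup. RFC 5763 has the offerer send actpass and the
    answerer choose active (client) or passive (server); the other two
    branches keep plain RFC 4145 offers answerable."""
    if offer_setup == "actpass":
        return prefer
    if offer_setup == "active":
        return "passive"
    if offer_setup == "passive":
        return "active"
    raise ValueError("cannot answer setup:%s" % offer_setup)


def dtls_role(setup):
    """active sends the ClientHello; passive waits for it."""
    if setup == "active":
        return "client"
    if setup == "passive":
        return "server"
    raise ValueError("role not decided yet for setup:%s" % setup)


def verify_peer_cert(peer_sdp, presented_der):
    """Accept the certificate from the DTLS handshake only if it matches every
    fingerprint the peer advertised with a hash we support, and at least one
    fingerprint was checkable. Unknown hashes alone mean reject."""
    attrs = parse_dtls_attrs(peer_sdp)
    checked = False
    for hash_func, expected in attrs["fingerprints"]:
        if hash_func not in HASHES:
            continue
        checked = True
        if not hmac.compare_digest(fingerprint(presented_der, hash_func), expected):
            return False
    return checked


if __name__ == "__main__":
    # Constructed stand-ins for DER-encoded self-signed certificates.
    ALICE_CERT = b"constructed-stand-in-for-alice-DER"
    BOB_CERT = b"constructed-stand-in-for-bob-DER"
    MITM_CERT = b"constructed-stand-in-for-attacker-DER"

    offer = "m=audio 4000 UDP/TLS/RTP/SAVP 0\r\n%s\r\na=setup:actpass\r\n" % fingerprint_attr(ALICE_CERT)
    bob_setup = answer_setup(parse_dtls_attrs(offer)["setup"])
    answer = "m=audio 5000 UDP/TLS/RTP/SAVP 0\r\n%s\r\na=setup:%s\r\n" % (fingerprint_attr(BOB_CERT), bob_setup)
    print("Bob is DTLS", dtls_role(bob_setup))

    # Alice receives Bob's certificate in the handshake and checks it against the answer.
    print("genuine peer cert accepted:", verify_peer_cert(answer, BOB_CERT))      # True
    print("substituted cert accepted:", verify_peer_cert(answer, MITM_CERT))      # False
```

The last line is the whole point of the fingerprint: a man in the middle on the media path can complete a DTLS handshake with each side, but cannot produce a certificate that hashes to the value carried in the signalling, which is why the integrity of that signalling matters.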

4. How to configure these modes using Siprix VoIP SDK

Siprix VoIP SDK implements SIP client functionality for various platforms (iOS, Android, Windows, etc.).
It provides a unified API, which significantly reduces the time required for development, especially when using a cross-platform UI toolkit like Flutter.
Siprix also supports secure media using both approaches explained above.
Moreover, when secure media is configured on the Siprix side but the remote party does not support encryption, the call is not established: there is no silent fallback to unencrypted RTP.

Here is a short fragment of Flutter code showing how to specify the secure media settings:
a. SDES-SRTP with SIP over TLS:

AccountModel acc = AccountModel();
acc.transport = SipTransport.tls;        // keys travel inside the SDP, so the signalling must be TLS
acc.secureMedia = SecureMedia.SdesSrtp;  // a=crypto lines in offer/answer
...
accountsList.add(acc);

b. Use DTLS-SRTP and SIP over UDP:

AccountModel acc = AccountModel();
acc.transport = SipTransport.udp;        // no keys in the SDP, only a certificate fingerprint
acc.secureMedia = SecureMedia.DtlsSrtp;  // keys derived by the DTLS handshake on the media path
...
accountsList.add(acc);
