Hi there. My Automation Testing Environment runs SRTP calls over H323. In this case only the payload part of the RTP packet is encrypted (not the whole RTP packet, as in the case of SIP/TLS). So if I'm Wiresharking the call, how do I actually know from its capture:

a) If the payload is actually encrypted.
b) What encryption algorithm is used.

I read that DTMF can give an exact answer for those questions. Could you please expand a bit about that? Thank you in advance.

asked 25 Jan '12, 15:03 evgeny1976 edited 25 Jan '12, 15:05
One Answer:
First of all you have to be aware of the difference between signaling and media.
In your description you seem to indicate that in the H.323 context only the RTP payload is encrypted, while in the SIP/TLS context the whole RTP packet is encrypted. This is not true. As said above, H.323 and SIP are signaling protocols, which may or may not run over encrypted connections. When looking at encrypting media streams, Secure RTP (SRTP) is the standard solution. But these are independent!

If you want to look at the encrypted state of your media session, you'll have to check the RFC. From there you can see that it's just the payload that's encrypted, but not the header. So it should be possible to analyze the RTP stream itself, although the payload should not be presentable according to the declared codec.

If you want to know which encryption is used, you'll have to dig into either the static configuration or the signaling protocol messages. There the security features are set or negotiated.

answered 26 Jan '12, 01:21 Jaap ♦
Hi
Thank you for your help...
Analysing the payload of the RTP packet, how can I tell whether it is encrypted or not?
If you look at how the SRTP framework encrypts RTP packets, you'll see that you still have access to the payload type (PT) field. Using that you can try to interpret the payload data and play out the media through the applicable codec. If it's unencrypted you will be able to, otherwise you won't.
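Added example, not part of the original thread: because SRTP leaves the RTP header in clear, a script can read the PT, sequence number and timestamp and, for G.711, compare each packet's payload length with the timestamp step to the next packet. It assumes static PT 0/8 (one byte per sample), no RTP padding and no MKI, and treats a constant 4- or 10-byte surplus as a 32- or 80-bit SRTP authentication tag; the function names and sample packets are constructed for illustration.

```python
import struct

G711_PTS = {0: "PCMU", 8: "PCMA"}  # static PTs: 8 kHz, one byte per sample

def parse_rtp(pkt: bytes) -> dict:
    """Parse the RTP header (RFC 3550), which SRTP leaves unencrypted."""
    if len(pkt) < 12:
        raise ValueError("shorter than the fixed RTP header")
    b0, b1, seq, ts, ssrc = struct.unpack("!BBHII", pkt[:12])
    if b0 >> 6 != 2:
        raise ValueError("not RTP version 2")
    off = 12 + 4 * (b0 & 0x0F)                      # skip the CSRC list
    if b0 & 0x10:                                   # header extension present
        if len(pkt) < off + 4:
            raise ValueError("truncated header extension")
        off += 4 + 4 * struct.unpack("!H", pkt[off + 2:off + 4])[0]
    if off > len(pkt):
        raise ValueError("header runs past end of packet")
    return {"pt": b1 & 0x7F, "marker": bool(b1 & 0x80), "seq": seq,
            "ts": ts, "ssrc": ssrc, "payload": pkt[off:]}

def trailer_bytes(packets) -> set:
    """Per consecutive G.711 pair: payload length minus timestamp step."""
    extras, prev = set(), None
    for raw in packets:
        cur = parse_rtp(raw)
        if (prev and cur["pt"] in G711_PTS and cur["pt"] == prev["pt"]
                and cur["ssrc"] == prev["ssrc"] and not cur["marker"]
                and cur["seq"] == (prev["seq"] + 1) & 0xFFFF):
            step = (cur["ts"] - prev["ts"]) & 0xFFFFFFFF  # samples in prev
            extras.add(len(prev["payload"]) - step)
        prev = cur
    return extras

def verdict(packets) -> str:
    extras = trailer_bytes(packets)
    if extras == {0}:
        return "no trailer: plain RTP, or SRTP without an authentication tag"
    if extras in ({4}, {10}):
        return f"consistent with SRTP: {extras.pop()}-byte trailer per packet"
    return "inconclusive"

def _pkt(seq, ts, payload, pt=0):                   # builds constructed samples
    return struct.pack("!BBHII", 0x80, pt, seq, ts, 0x1234ABCD) + payload

# Constructed 20 ms PCMU streams; payload bytes are filler, only sizes matter.
PLAIN = [_pkt(i, 160 * i, bytes(160)) for i in range(3)]
SRTP_LIKE = [_pkt(i, 160 * i, bytes(170)) for i in range(3)]
```

The length check only flags a trailer; which cipher and tag length were negotiated still has to come from the signaling or the static configuration, as the answer says.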