Real-time Transport Protocol (RTP) is an application-level protocol intended for delivering delay-sensitive content, such as audio and video, through different networks (mainly IP networks). RTP is used extensively in communication and entertainment systems that involve streaming multimedia, such as telephony, video teleconference applications and web-based push-to-talk features. RTP is used in conjunction with the RTP Control Protocol (RTCP). While RTP carries the media streams (e.g., audio and video), RTCP is used to monitor transmission statistics and quality of service (QoS) and aids synchronization of multiple audio/video streams.

RTP is widely used by web applications like RealNetworks' RealPlayer, Apple's QuickTime and Microsoft's NetMeeting. Some of the common applications of RTP are audio and video streaming media services and video conferences. As RTP is usually used over the Internet, the network should be considered insecure. Although many media streams are publicly available, video conferencing usually requires confidentiality. In many situations it would be preferable if the user could authenticate the originator and verify the integrity of the media streams. The purpose of RTP is to facilitate delivery, monitoring, reconstruction, mixing and synchronization of multimedia data streams. RTP is designed to work over both unicast and multicast transport protocols. RTP is a modular protocol. The base protocol is defined by RFC 1889.

Security features provided by RTP

  • Confidentiality – The basic RTP protocol provides flexible facilities for encrypting RTP packets. This facility allows packets to be split into encrypted and unencrypted parts.
  • Authentication and Integrity – The RTP standard does not specify any authentication, but implicit authentication is assumed if the encryption key is known. Integrity is verified by sanity checking the decrypted headers.
  • Key Management – The only key management feature of RTP is specified in RFC 1890, which specifies an MD5-based method for deriving the encryption key from the password.
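
The header sanity check described under Authentication and Integrity can be sketched as follows. This is an added example, not code from the RTP specification or from any implementation: it assumes a session that negotiated only payload types 0 and 8 with no header extension, and it uses random byte strings as a stand-in for the output of decrypting with the wrong key.

```python
import random
import struct

# Assumption: the session negotiated only PCMU (0) and PCMA (8), no header extension.
KNOWN_PAYLOAD_TYPES = frozenset({0, 8})


def rtp_header_sane(pkt, known_pts=KNOWN_PAYLOAD_TYPES):
    """Return True if a decrypted packet passes basic RTP header validity checks."""
    if len(pkt) < 12:                      # fixed RTP header is 12 octets
        return False
    b0, b1, _seq, _ts, _ssrc = struct.unpack("!BBHII", pkt[:12])
    version, padding = b0 >> 6, (b0 >> 5) & 1
    extension, csrc_count = (b0 >> 4) & 1, b0 & 0x0F
    if version != 2 or extension:
        return False
    if (b1 & 0x7F) not in known_pts:       # payload type is the low 7 bits
        return False
    header_len = 12 + 4 * csrc_count       # each CSRC entry is 4 octets
    if len(pkt) < header_len:
        return False
    if padding:                            # last octet counts the padding octets
        pad = pkt[-1]
        if pad == 0 or pad > len(pkt) - header_len:
            return False
    return True


def build_packet(pt, seq, ts, ssrc, payload):
    """Build a minimal RTP packet (V=2, no padding, no extension, no CSRCs)."""
    return struct.pack("!BBHII", 0x80, pt & 0x7F, seq, ts, ssrc) + payload


def false_accepts(trials, size=172, seed=1):
    """Count random byte strings (stand-in for wrong-key output) that pass."""
    rng = random.Random(seed)
    return sum(
        rtp_header_sane(rng.getrandbits(8 * size).to_bytes(size, "big"))
        for _ in range(trials)
    )


if __name__ == "__main__":
    good = build_packet(0, 1, 160, 0x1234ABCD, bytes(160))   # constructed sample
    altered = good[:-1] + b"\x01"                            # payload octet changed
    print(rtp_header_sane(good), rtp_header_sane(altered))
    print(false_accepts(50_000), "of 50000 random packets accepted")
```

The altered packet still passes because the check reads only header fields, and a small but non-zero fraction of random inputs passes as well, which is why this check cannot stand in for a cryptographic integrity mechanism.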

Supplementary Protocols of RTP

  • Session Description Protocol (SDP) – SDP offers facilities to distribute the encryption keys and other security parameters (such as the encryption algorithm). SDP itself is neither encrypted nor authenticated and is usually used with SAP or SIP.
  • Session Initiation Protocol (SIP) – SIP can be used alone or in conjunction with SAP and SDP to distribute the encryption keys and other security parameters. SIP supports various strong authentication and encryption methods.
  • Session Announcement Protocol (SAP) – SAP is intended for broadcasting information, such as SDP packets, to multicast groups. As SAP is intended for public session announcements, broadcasting encrypted announcements is discouraged.

As RTP is only a framework for implementing protocols, it is not even expected to provide all necessary security services. It should be noted that conceptually SDP is a higher-level protocol than SIP and SAP, which are protocols that can be used to transport SDP. The security facilities provided by RTP are inadequate on their own. RTP represents an excellent design, as it does not try to re-implement security features that can be provided by other layers, but instead limits itself to the task it is supposed to solve.