256 bit encryption for DTLS-SRTP


Our customer has a requirement of having 256-bit encryption for WebRTC data.

What are the steps to make this happen? Is it possible? I’m OK with making code changes myself and sharing them back to the community, if I get it working.

Isn’t it already using at least a 1024-bit key length?

TLS ciphers depend on both client and server. If you tcpdump the DTLS exchange, you’ll see that Firefox and Chromium don’t offer the same ciphers in the ClientHello (Firefox offers more advanced ones; I think that ChaCha is rated 256 on key size).
In my server’s case, the server code picks the same cipher with both browsers (AES128), but it could depend on the Java version, and possibly on the certificates installed. I have never seen any doc on this specific Jitsi subject, but there could be info about generic Java servers with web clients that could be adapted.

As the link states, Chrome uses 128-bit ECDSA keys. 1024-bit RSA keys are not as secure. And it is about DTLS. I already successfully changed the DTLS encryption of the videobridge to 256-bit.

Video is encrypted with SRTP (I had written it wrong in the title); Jitsi Videobridge supports only 128-bit encryption ATM. Both Chrome and Firefox can support 256-bit as well. https://tokbox.com/developer/guides/advanced-media-stream-encryption/

Can I modify the title somehow to have DTLS-SRTP instead of dtls-rctp?

Calling the cavalry @Jonathan_Lennox @bbaldino any thoughts on this? Thanks.

Jonathan can probably give a more complete answer, but the code where we list SRTP protection profiles is here.

We’d first need to support AES-GCM SRTP – there’s no DTLS/SRTP codepoint for negotiation of 256-bit AES-CM encryption.

That’s on my to-do list to add, though. (Most of the work would be in the jitsi-srtp module.)

Once that’s done supporting 256-bit AES/GCM SRTP would be pretty straightforward, assuming browsers also support it.
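The negotiation point in the reply above (the bridge can only end up at 256-bit SRTP if both sides share a DTLS-SRTP protection-profile codepoint for it, and the only such codepoint is the AES-256-GCM one), as an added example that is not part of the original thread and not code from jitsi-videobridge or jitsi-srtp. It builds and parses the `use_srtp` extension body from RFC 5764 section 4.1.1 and runs the server-side profile selection from section 4.1.2. The codepoints are the IANA DTLS-SRTP registry values (RFC 5764 and RFC 7714); the browser offer list and the two server profile lists are constructed for illustration, and the "first match in client preference order" rule is a design choice here, since the RFC only requires the server to pick one of the client's offered profiles.

```python
"""Parse the DTLS use_srtp extension and run server-side SRTP protection
profile selection.  Added example for this thread; not Jitsi project code."""
import struct

# DTLS-SRTP protection profile codepoints (IANA registry, RFC 5764 / RFC 7714)
# mapped to (name, SRTP cipher key size in bits).  Note there is no AES-CM
# profile with a 256-bit key: 256-bit only exists as the AEAD GCM profile.
PROFILES = {
    0x0001: ("SRTP_AES128_CM_HMAC_SHA1_80", 128),
    0x0002: ("SRTP_AES128_CM_HMAC_SHA1_32", 128),
    0x0005: ("SRTP_NULL_HMAC_SHA1_80", 0),
    0x0006: ("SRTP_NULL_HMAC_SHA1_32", 0),
    0x0007: ("SRTP_AEAD_AES_128_GCM", 128),
    0x0008: ("SRTP_AEAD_AES_256_GCM", 256),
}


def encode_use_srtp(profiles, mki=b""):
    """Build extension_data for use_srtp (extension type 14):
    SRTPProtectionProfiles<2..2^16-1> followed by opaque srtp_mki<0..255>."""
    body = b"".join(struct.pack("!H", p) for p in profiles)
    return struct.pack("!H", len(body)) + body + struct.pack("!B", len(mki)) + mki


def parse_use_srtp(data):
    """Return (profile list, mki) from extension_data; ValueError if malformed."""
    if len(data) < 3:
        raise ValueError("use_srtp extension too short")
    (plen,) = struct.unpack_from("!H", data, 0)
    if plen < 2 or plen % 2:
        raise ValueError("profile list length must be a non-zero multiple of 2")
    if len(data) < 2 + plen + 1:
        raise ValueError("truncated profile list")
    profiles = [struct.unpack_from("!H", data, 2 + 2 * i)[0] for i in range(plen // 2)]
    mki_len = data[2 + plen]
    mki = data[3 + plen:3 + plen + mki_len]
    if len(mki) != mki_len or len(data) != 3 + plen + mki_len:
        raise ValueError("bad srtp_mki length")
    return profiles, mki


def is_well_formed(data):
    """Convenience wrapper so callers can check an offer without catching."""
    try:
        parse_use_srtp(data)
        return True
    except ValueError:
        return False


def select_profile(client_profiles, server_profiles):
    """Server side of RFC 5764 4.1.2.  Design choice here: take the first
    profile in the client's preference order that the server also supports.
    None means no common profile; the server must abort the handshake."""
    for p in client_profiles:
        if p in server_profiles:
            return p
    return None


def negotiated_key_bits(client_profiles, server_profiles):
    """Key size the call actually gets, or None when negotiation fails."""
    chosen = select_profile(client_profiles, server_profiles)
    return None if chosen is None else PROFILES[chosen][1]


if __name__ == "__main__":
    # Constructed ClientHello offer: a browser that lists the GCM profiles
    # first and the classic AES-CM ones last.
    offer = encode_use_srtp([0x0008, 0x0007, 0x0001, 0x0002])
    client_profiles, _ = parse_use_srtp(offer)
    # A server that only knows AES-CM lands on 128-bit even though 256-bit
    # GCM was offered; adding the GCM codepoints is what unlocks 256-bit.
    for server in ({0x0001, 0x0002}, {0x0001, 0x0002, 0x0007, 0x0008}):
        chosen = select_profile(client_profiles, server)
        print(sorted(server), "->", PROFILES[chosen][0])
```

Running it shows the AES-CM-only server selecting SRTP_AES128_CM_HMAC_SHA1_80 and the GCM-capable server selecting SRTP_AEAD_AES_256_GCM from the same ClientHello. A client that offers only the 256-bit GCM profile against an AES-CM-only server gets no common profile, which is the handshake failure a practitioner should expect when forcing 256-bit on one side only.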

That’s how far I got with my research. With further research: javax.crypto seems to have support for AES GCM, so I will give it a try.

Also, I took a look into jitsi-srtp; it was easy to read and well-documented code, so it doesn’t seem to be too hard to implement.