SRTP-MS

Secure Real-time Transport Protocol Master Salt

Security
Introduced in Rel-16
The SRTP Master Salt is a non-secret cryptographic value used alongside the SRTP Master Key in the key derivation function. It ensures that the derived session encryption and authentication keys are unique and unpredictable even if the same master key is reused across different sessions or contexts.

Description

The SRTP-MS (Secure Real-time Transport Protocol Master Salt) is a crucial parameter in the SRTP key derivation hierarchy. It is a non-secret random or pseudo-random value, typically 112 bits long for the common AES-CM cipher, that is combined with the secret SRTP Master Key (SRTP-MK) to produce the final session keys. Its primary role is to add entropy and distinctiveness to the key derivation process. During session setup the SRTP-MS is exchanged securely between the communicating endpoints, often within the same SDP signaling that carries the rest of the keying material, or it is derived from a parameter already known to both sides.

Technically, the SRTP key derivation function (KDF) defined in RFC 3711 takes the SRTP-MK, the SRTP-MS, the packet index, and the key derivation rate as inputs. The master salt "salts" the derivation: the output session keys are specific to this particular combination of master key and salt. Even if the same SRTP-MK were used for two different sessions (not recommended, but possible in certain key management scenarios), a different SRTP-MS for each session would yield completely different session keys. This property is vital for cryptographic hygiene and mitigates certain key-related attacks.

In the 3GPP system architecture, the SRTP-MS is generated and distributed with the same security guarantees as the SRTP-MK. It is often treated as an inseparable part of the key context. For sessions leveraging 3GPP access security, the SRTP-MS may be derived from network parameters or generated by the network function responsible for media security policy (e.g., the P-CSCF). The UE and the network peer (e.g., a Media Resource Function Processor) must share the identical SRTP-MS value to correctly derive the symmetric session keys. Its management is integral to the overall key management procedures specified in 3GPP TS 24.380, 29.380, and 29.582, ensuring that the media encryption for services like emergency calls, VoNR, and conversational video is robust and compliant with security standards.

Purpose & Motivation

The SRTP-MS exists to address a fundamental cryptographic requirement: preventing key derivation output reuse. Using only a master key for derivation could lead to identical session keys if the master key is reused across different sessions or if the derivation input (like the packet index) cycles. This would be a severe security weakness. The master salt provides a session-unique variable that guarantees the distinctiveness of the derived keys.

Its introduction into the 3GPP security model was driven by the need to align with the well-established IETF SRTP standard (RFC 3711), which mandates or strongly recommends the use of a master salt. It solves the problem of potential key stream repetition and strengthens the overall key derivation process against cryptanalytic attacks. Historically, in earlier or simpler encryption systems, omitting such a salt could lead to vulnerabilities where patterns in the encrypted data might be revealed if keys are related. By incorporating the SRTP-MS, 3GPP ensures that its implementation of media security benefits from the full cryptographic strength of the SRTP specification. It provides the necessary flexibility for the network to enforce key separation policies and supports secure key rollover mechanisms in conjunction with the SRTP-MKI.
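The following Go program is an added example, not text or code from this glossary entry or from any 3GPP or IETF specification. It implements the RFC 3711 AES-CM key derivation described under Description above (key_id = label || r, x = key_id XOR master_salt right-aligned, AES-CTR key stream under the master key with IV = x * 2^16) and checks it against the key derivation vector in RFC 3711 Appendix B.3 (master key E1F97A0D3E018BE0D64FA32C06DE4139, master salt 0EC675AD498AFEEBB6960B3AABE6, key derivation rate 0). It also illustrates the key-separation argument made just above: deriving with the same master key but a second salt yields unrelated session keys. The function names and the second salt OtherMasterSalt (the RFC salt with one bit flipped) are assumptions constructed for this example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"encoding/hex"
	"fmt"
)

// Label values from RFC 3711 section 4.3.1 (SRTP side; SRTCP uses 0x03..0x05).
const (
	LabelSRTPEncryption byte = 0x00
	LabelSRTPAuth       byte = 0x01
	LabelSRTPSalt       byte = 0x02
)

// SRTPKDF is the AES-CM pseudo-random function of RFC 3711 section 4.3.1.
// key_id = label || r with r = index DIV kdr (r = 0 when kdr = 0); x is the
// 112-bit master salt XORed with key_id aligned to its low 56 bits; the output
// is the first n bytes of the AES-CTR key stream under masterKey with IV = x * 2^16.
func SRTPKDF(masterKey, masterSalt []byte, label byte, index, kdr uint64, n int) ([]byte, error) {
	if len(masterSalt) != 14 {
		return nil, fmt.Errorf("master salt must be 112 bits, got %d bits", 8*len(masterSalt))
	}
	block, err := aes.NewCipher(masterKey) // rejects anything but 128/192/256-bit keys
	if err != nil {
		return nil, err
	}
	var r uint64
	if kdr != 0 {
		r = index / kdr
	}
	// 128-bit counter block: salt in bytes 0..13, 16-bit block counter in bytes 14..15.
	// key_id occupies the low 7 bytes of the salt: label at byte 7, r (48 bits) at 8..13.
	var ctr [16]byte
	copy(ctr[:14], masterSalt)
	ctr[7] ^= label
	for i := 0; i < 6; i++ {
		ctr[13-i] ^= byte(r >> (8 * i))
	}
	out := make([]byte, 0, n+16)
	var ks [16]byte
	for i := uint16(0); len(out) < n; i++ {
		ctr[14], ctr[15] = byte(i>>8), byte(i)
		block.Encrypt(ks[:], ctr[:])
		out = append(out, ks[:]...)
	}
	return out[:n], nil
}

// SessionKeys is the AES-CM / HMAC-SHA1 session material for one master key + salt pair.
type SessionKeys struct {
	CipherKey  []byte // 128 bits
	CipherSalt []byte // 112 bits
	AuthKey    []byte // 160 bits
}

// DeriveSessionKeys runs the KDF once per label (hypothetical helper for this example).
func DeriveSessionKeys(masterKey, masterSalt []byte, index, kdr uint64) (SessionKeys, error) {
	var sk SessionKeys
	var err error
	if sk.CipherKey, err = SRTPKDF(masterKey, masterSalt, LabelSRTPEncryption, index, kdr, 16); err != nil {
		return sk, err
	}
	if sk.CipherSalt, err = SRTPKDF(masterKey, masterSalt, LabelSRTPSalt, index, kdr, 14); err != nil {
		return sk, err
	}
	if sk.AuthKey, err = SRTPKDF(masterKey, masterSalt, LabelSRTPAuth, index, kdr, 20); err != nil {
		return sk, err
	}
	return sk, nil
}

func mustHex(s string) []byte {
	b, err := hex.DecodeString(s)
	if err != nil {
		panic(err)
	}
	return b
}

var (
	// RFC 3711 Appendix B.3 key derivation vector (kdr = 0, index = 0).
	RFCMasterKey  = mustHex("E1F97A0D3E018BE0D64FA32C06DE4139")
	RFCMasterSalt = mustHex("0EC675AD498AFEEBB6960B3AABE6")
	// Constructed for this example: the RFC salt with one bit of its first byte flipped.
	OtherMasterSalt = mustHex("0FC675AD498AFEEBB6960B3AABE6")
)

func main() {
	a, err := DeriveSessionKeys(RFCMasterKey, RFCMasterSalt, 0, 0)
	if err != nil {
		panic(err)
	}
	b, _ := DeriveSessionKeys(RFCMasterKey, OtherMasterSalt, 0, 0)
	fmt.Printf("cipher key  %X\n", a.CipherKey)
	fmt.Printf("cipher salt %X\n", a.CipherSalt)
	fmt.Printf("auth key    %X\n", a.AuthKey)
	fmt.Println("same master key, different master salt, same cipher key?", bytes.Equal(a.CipherKey, b.CipherKey))
}
```

The program prints the three RFC 3711 B.3 session values and then `false` for the reuse check: with the master key held fixed, changing only the master salt changes every derived key, which is exactly the separation property the salt exists to provide. Note that the salt is only XORed into the AES-CTR nonce; its uniqueness, not its secrecy, is what the derivation relies on.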

Key Features

  • Non-secret value that adds entropy to the SRTP key derivation function
  • Ensures uniqueness of session keys even with master key reuse across sessions
  • Standard length of 112 bits for use with AES in Counter Mode
  • Distributed securely in tandem with the SRTP Master Key during session setup
  • Critical input to the key derivation process alongside packet index and key derivation rate
  • Enhances cryptographic robustness and protects against certain key-related attacks

Evolution Across Releases

Rel-16 Initial

Formally specified as a required component of the SRTP keying material within 3GPP standards for 5G media services. The architecture defined its generation, either derived from 5G security parameters or provided explicitly by the IMS core, and its secure transport to the UE for use in VoNR and other real-time media sessions.

Defining Specifications

Specification   Title
TS 24.380       3GPP TS 24.380
TS 29.380       3GPP TS 29.380
TS 29.582       3GPP TS 29.582