In a world increasingly influenced by the existence of networks connecting a widespread array of computing resources, the topics of data security, information protection and user privacy have never been more important. Personal computers (PCs) typically offer an open architecture as an industry standard which can be used to build a ubiquitous computing platform. Trust in the platform, however, has not commonly been part of such designs. As used herein, the term “platform” can be taken to mean any type of device, including hardware, firmware, software, or any combination of these, whose activity is directed according to a plurality of programmed instructions.
There are many protocols that allow a set of members to participate as a group. This might be for the purpose of establishing a community group to communicate between one or all members simultaneously (e.g., members of the same family, organization, etc.) or a broadcast from a single member to all the other members of the group (i.e., multicast; e.g., an on-line lecture, distribution of a common message to a group of employees, etc.). Examples of such protocols include the Real-time Transport Protocol (RFC 3550, also known as RTP) and the Secure Real-time Transport Protocol (RFC 3711, also known as SRTP).
RTP is a protocol for sending a stream of data between endpoints. This can be point-to-point or multicast in nature. RTP is actually two protocols: one for the data stream (also called RTP) and other for controlling the RTP called the Real-time Transport Control Protocol (RTCP). Each instantiation of communication between end points is a session. However, the base protocol provides simple, but optional protection of the data stream within a session.
SRTP adds a defined mechanism to protect either the session's RTP data stream itself, the session's RTCP, or both. In general, this mechanism uses an encryption key, called a session key, which is unique for the RTP session. SRTP provides for a mechanism to change or “roll” the session key during the RTP session. SRTP defines mechanism and methods for deriving the session key from a Master Key. The Master Key is identified by a Master Key Identifier (MKI), which is not a secret value but is used by a Key Management Component.
The Master Key is a random set of bits that is kept secret amongst the members of the group because session keys are derived from the master key. One member of the group is required to create the Master Key, however, as disclaimed in the RFC's, the distribution mechanism is outside the scope of the current standards. Furthermore, the SRTP draft specifically states that distribution and association of the MKI with an actual Master Key is outside the scope of the SRTP draft and is left for subsequent work.