Getting started - the Axis implementation
Typical secure RTSP session workflow
You start a secure RTSP session in much the same way as a non-secure session. The basic steps in the process are:
- The client establishes a TCP/TLS connection to an RTSP server listening on the device.
- The client sends RTSP DESCRIBE over the TLS-protected RTSP connection. The server then returns an SDP that indicates the use of SRTP and provides master keys (for example, via a=crypto combined with MIKEY/SDES, or other keying methods).
- The client sends RTSP SETUP to negotiate transport parameters with the server (unicast or multicast and ports).
- The client starts the session by sending RTSP PLAY. The media is then delivered as an SRTP stream via the negotiated transport protocol, while RTSP control remains encrypted over TLS. The server encrypts media and RTCP SR data, while the client encrypts RTCP RR data using the keys provided in the SDP.
Axis-specific differences
Axis devices differ from the standard SRTP/RTSPS model in several important ways.
The client selects the SRTP master key. The client and the device share this key and use it in both directions. This simplifies key management but requires client implementations to support this behavior. The client provides the SRTP master key as part of the RTSP SETUP request. The key is embedded in a Base64-encoded MIKEY (Multimedia Internet KEYing) message.
Axis devices also support updating cryptographic material during an active session. The client achieves this by sending an RTSP SET_PARAMETER request with a new SRTP master key. To enable this, the implementation uses the Master Key Index (MKI) mechanism to identify which key is currently active.
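The MKI-based key selection described above, sketched as an added example (not Axis code): a receiver reads the MKI that RFC 3711 places between the encrypted payload and the authentication tag, and uses it to pick the master key, so packets still in flight under the old key remain usable during a rekey. The 4-byte MKI length, the 10-byte tag length, and the names `KeyRing`, `split_srtp` and `sample_packet` are assumptions for illustration; the packets are constructed, and decryption and tag verification are out of scope.

```python
import struct

MKI_LEN = 4    # assumption: MKI length in bytes, agreed during keying
TAG_LEN = 10   # assumption: 80-bit authentication tag


def rtp_header_len(pkt: bytes) -> int:
    """Length of the RTP header, including CSRCs and any header extension."""
    if len(pkt) < 12 or pkt[0] >> 6 != 2:
        raise ValueError("not an RTP version 2 packet")
    n = 12 + 4 * (pkt[0] & 0x0F)
    if pkt[0] & 0x10:  # X bit: an extension header follows the CSRC list
        if len(pkt) < n + 4:
            raise ValueError("truncated header extension")
        n += 4 + 4 * struct.unpack_from("!H", pkt, n + 2)[0]
    return n


def split_srtp(pkt: bytes):
    """Return (header, encrypted_payload, mki, auth_tag) per the RFC 3711 layout."""
    hlen = rtp_header_len(pkt)
    if len(pkt) < hlen + MKI_LEN + TAG_LEN:
        raise ValueError("packet too short for MKI and auth tag")
    tag_at = len(pkt) - TAG_LEN
    mki_at = tag_at - MKI_LEN
    return pkt[:hlen], pkt[hlen:mki_at], pkt[mki_at:tag_at], pkt[tag_at:]


class KeyRing:
    """Master keys indexed by MKI; dict order is insertion order, oldest first."""
    def __init__(self):
        self._keys = {}

    def install(self, mki: bytes, master_key: bytes, keep_previous: int = 1):
        self._keys[mki] = master_key
        while len(self._keys) > keep_previous + 1:
            del self._keys[next(iter(self._keys))]

    def key_for(self, pkt: bytes) -> bytes:
        mki = split_srtp(pkt)[2]
        if mki not in self._keys:
            raise LookupError(f"unknown MKI {mki.hex()}: drop packet")
        return self._keys[mki]


def sample_packet(seq: int, mki: bytes) -> bytes:
    """Constructed SRTP-shaped packet: header, dummy ciphertext, MKI, dummy tag."""
    header = struct.pack("!BBHII", 0x80, 96, seq, seq * 3000, 0x1234ABCD)
    return header + b"\xAA" * 20 + mki + b"\x00" * TAG_LEN
```

Retaining only one previous key bounds how long a replaced master key stays accepted; a packet carrying an MKI that is no longer in the ring is dropped rather than tried against the current key.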