SRTP master key and salt derivation

Crypto - srtp-master-key

CRY-02 - status: review - audio, video, group

Derive the per-participant SRTP master key/salt from the call key, then expand the six SRTP/SRTCP session keys.

The call's shared callKey is delivered per recipient device in the offer's <enc> payload (see call-offer). Derive in two layers.

Layer 1 — WAHKDF (per participant). HKDF-SHA256:

IKM  = callKey
salt = (none)
info = participantLID            ; the participant's LID bytes
L    = 46
OKM  = masterKey(16) || masterSalt(14) || unused(16)

The trailing 16 bytes of OKM MUST be discarded.

Layer 2 — RFC 3711 key derivation. Expand the six session keys from masterKey/masterSalt with AES-128-CM per RFC 3711 §4.3, using masterSalt as the IV and XORing the label into iv[7]:

key_i = AES-128-CM(masterKey, IV = masterSalt with iv[7] ^= label_i)

Labels 0x00 to 0x05 MUST produce, in order: SRTP cipher key (16), SRTP auth key (20), SRTP salt (14), SRTCP cipher key (16), SRTCP auth key (20), SRTCP salt (14). Negotiated suite: AES_CM_128_HMAC_SHA1_80.

Hop-by-hop SRTP (see srtp-hop-by-hop) MUST skip Layer 1: the relay supplies 30 bytes of masterKey || masterSalt directly; apply only Layer 2.

Requires: call-offer
Breakdown: call-key, group-call-crypto, sframe-media, srtp-e2e, srtp-hop-by-hop, video-packetization, media-loop, ssrc, call-accept, flow-outgoing-1to1

Implemented by

| Flavor | Status | Source | Notes |
|---|---|---|---|
| whatsapp-rust | working | history - blame - commits 674e851 | |
| zapo-caller | working | | |
| meowcaller | planned | | util/hkdf + srtp/e2e are planned modules |

Annotation wacrg:CRY-02 — a flavor marks its implementation site in source with this comment; a script clones the source, finds it, and attaches the commit blame/permalink.

Contributors

| Contributor | Role |
|---|---|
| Rajeh Taher | wrote initial spec |

Open questions

  • Exact byte layout of participantLID used as HKDF info across all client versions.

References

  • RFC 3711 — SRTP
  • RFC 5869 — HKDF

Changelog

  • 2026-06-21 — Initial spec entry.
