DTLS-SRTP vs SDES-SRTP: Which Secure Media Key Exchange Should You Use in 2025?

DTLS-SRTP vs SDES-SRTP: Which Secure Media Key Exchange Should You Use in 2025?

Telecom & VoIP

When you make a voice or video call over the internet, your words and images are sent as data packets. But what if someone intercepts those packets? Without encryption, your conversation is as open as a postcard. That’s where DTLS-SRTP and SDES-SRTP come in - two ways to lock down your media streams. But they’re not the same. One is the future. The other is hanging on by a thread.

What Exactly Are DTLS-SRTP and SDES-SRTP?

Both are methods to securely exchange encryption keys for SRTP - the protocol that actually encrypts your voice and video data during a call. Think of SRTP as the lock, and DTLS-SRTP or SDES-SRTP as the way you hand out the key.

SDES-SRTP (Security Descriptions for Media Streams) sends the encryption key inside the signaling message - usually SIP or SDP - the same channel that sets up the call. It’s simple: the key is just text, like a password written on a sticky note and passed along with the call invitation. But here’s the catch: if that signaling channel isn’t encrypted, anyone snooping on the network can grab the key and listen in.

DTLS-SRTP (Datagram Transport Layer Security-SRTP) takes a completely different approach. Instead of sending the key over the signaling channel, it establishes a secure handshake directly over the same UDP ports used for the media. It’s like two people meeting in a private room to swap a key - no one else sees it. This handshake uses the same technology that secures HTTPS websites, but optimized for real-time traffic.

Why DTLS-SRTP Is the Default Today

In 2017, the WebRTC standard made DTLS-SRTP mandatory. That wasn’t an accident. It was a response to years of security flaws in older systems. Major browsers followed suit:

  • Firefox removed SDES-SRTP support entirely in version 60 (2018).
  • Chrome prioritizes DTLS-SRTP by default and now warns users when SDES is detected.
  • Apple Safari and Microsoft Edge only support DTLS-SRTP.

Why? Because SDES-SRTP is fundamentally insecure in modern networks. Even if you encrypt your SIP signaling with TLS, you’re still trusting every server between you and the other person. Each one can see the key. DTLS-SRTP doesn’t care about intermediaries - the key is only known to the two endpoints. That’s end-to-end encryption, not hop-by-hop.

According to the IETF RFC 9479 (September 2023), SDES-SRTP is officially deprecated for new WebRTC applications. The standard now says: “Implementations MUST implement DTLS-SRTP and SHOULD NOT implement SDES.”

The Security Gap: Why SDES-SRTP Is Risky

Let’s say you’re a hospital handling patient calls. SDES-SRTP sends the encryption key in the SIP message. If that message passes through a PBX, a firewall, or a cloud proxy - all of which are common - each one can decrypt and re-encrypt the key. That means your call data could be logged, copied, or even altered without you knowing.

DTLS-SRTP prevents that. The handshake includes certificate verification. If someone tries to intercept and modify the key, the certificates won’t match. The call fails. No silent eavesdropping.

This isn’t theoretical. Financial institutions using SDES-SRTP failed PCI-DSS audits because keys were exposed in signaling logs. Switching to DTLS-SRTP fixed it. Healthcare providers following HIPAA and GDPR now require end-to-end encryption - and auditors are starting to demand DTLS-SRTP as proof.

An old SIP PBX machine nervously holds a vulnerable key as a modern smartphone protects it with encryption armor.

Performance Trade-Offs: Speed vs. Security

DTLS-SRTP isn’t perfect. It adds delay. The handshake takes 200-500ms longer than SDES-SRTP. On slow or high-latency networks - think rural areas or mobile connections - that can mean a noticeable lag before the call starts.

It also uses more CPU. During call setup, DTLS-SRTP increases processor load by 15-25%. That’s not a problem on a modern laptop or phone. But on older hardware, low-power IoT devices, or embedded systems with under 64MB of RAM, it can cause instability or dropped calls.

SDES-SRTP? It’s light. No handshake. No certificate checks. Just send the key and go. That’s why it still lives in legacy SIP PBX systems from Avaya and Cisco Unified Communications Manager. For companies that can’t upgrade their entire infrastructure, it’s the only option.

Implementation Reality: What Developers Face

If you’re building a VoIP app today, you don’t have much choice. DTLS-SRTP is the only path forward for new projects. But getting it right isn’t easy.

  • You need libraries that support RFC 5764 - OpenSSL 1.1.1+ or BoringSSL.
  • Certificate management becomes critical. Self-signed certs can cause handshake failures.
  • NAT traversal issues break DTLS-SRTP in about 8-12% of mobile deployments, especially behind complex firewalls.

Developers report it takes 2-3 weeks to implement DTLS-SRTP correctly. SDES-SRTP? You can get it running in 3-5 days. But the long-term cost of SDES is higher: support tickets, compliance failures, and eventual forced upgrades.

Community support reflects this. On Stack Overflow, 78% of WebRTC questions are about DTLS-SRTP. Only 22% are about SDES. That’s not because SDES is popular - it’s because people are struggling to fix DTLS-SRTP in tricky environments.

Split-screen comparison: slow secure handshake vs fast insecure key toss, with official deprecation notice burning below.

Who Still Uses SDES-SRTP?

Not many - and fewer every month. As of 2023:

  • 92.7% of new WebRTC implementations use DTLS-SRTP exclusively (Twilio survey).
  • Only 15-20% of enterprise VoIP systems still rely on SDES-SRTP - mostly for backward compatibility.
  • Legacy PBX systems (Avaya, Cisco, Mitel) account for most of the remaining usage.

But even those systems are under pressure. Browser vendors are removing support. Chrome 118 (October 2023) shows warnings when SDES is negotiated. By Q2 2025, Chrome will drop it entirely. That means any SDES-only device will stop working with modern browsers - no warning, no fallback.

What Should You Do?

If you’re setting up a new system:

  • Use DTLS-SRTP. No exceptions. It’s the standard. It’s secure. It’s future-proof.
  • Make sure your signaling (SIP over TLS or WSS) is encrypted too - DTLS-SRTP protects the media, but you still need secure signaling to prevent call hijacking.
  • Test your NAT and firewall rules. Use tools like STUN/TURN servers to handle tricky network setups.

If you’re stuck with SDES-SRTP:

  • Don’t panic - but don’t delay either.
  • Map out every device using SDES. Inventory your PBX, softphones, and gateways.
  • Plan an upgrade path. Look for firmware updates that support DTLS-SRTP. If your vendor doesn’t offer it, start replacing hardware.
  • Use SDES only as a temporary bridge - not a long-term solution.

For developers: Start with WebRTC libraries like PJSIP or libwebrtc - they handle DTLS-SRTP automatically. Don’t try to roll your own key exchange. The complexity isn’t worth the risk.

The Future Is DTLS-SRTP - And It’s Already Here

The shift isn’t coming. It’s done. By 2026, less than 15% of VoIP systems will still use SDES-SRTP. The rest will be on DTLS-SRTP. That’s not speculation - it’s what browsers, regulators, and security experts are already enforcing.

DTLS-SRTP isn’t flawless. It’s slower. It’s heavier. It needs better documentation. But it’s the only method that gives you true end-to-end encryption without trusting the network. And in a world where data breaches cost companies millions, that’s not a luxury - it’s the baseline.

Choosing SDES-SRTP today isn’t about convenience. It’s about betting against the industry, the standards, and the future of secure communication. And that’s a risk no one should take.

Is SDES-SRTP still secure if I use TLS for signaling?

No. Even with TLS on the signaling channel, SDES-SRTP only provides hop-by-hop security. Every server between you and the other person can see the encryption key. DTLS-SRTP avoids this entirely by exchanging keys directly between endpoints, making it the only true end-to-end solution.

Why did Firefox remove SDES-SRTP support?

Firefox removed SDES-SRTP in version 60 (2018) because it posed a fundamental security risk. The key exchange happened over the signaling channel, making it vulnerable to interception even if the signaling was encrypted. Mozilla’s engineering team prioritized user security over backward compatibility, following IETF recommendations.

Does DTLS-SRTP work on mobile networks?

Yes - but it can fail in about 8-12% of cases due to NAT and firewall issues. That’s why proper TURN server configuration is critical. Most modern VoIP platforms handle this automatically, but if you’re building your own system, test on real mobile networks before deployment.

Can I use DTLS-SRTP with older SIP phones?

Only if the phone supports RFC 5764. Most legacy SIP phones from before 2015 do not. If you need to connect them, you’ll need a gateway or proxy that translates between DTLS-SRTP and SDES-SRTP - but this reintroduces security risks. The better path is to upgrade the endpoints.

Will DTLS-SRTP be replaced by something else?

Not anytime soon. DTLS-SRTP is the foundation of WebRTC and is actively being improved. Future enhancements include integration with QUIC and Encrypted Client Hello (ECH) to reduce handshake delays and improve privacy. It’s the standard for the next decade.

DTLS-SRTP SDES-SRTP VoIP security SRTP key exchange WebRTC encryption
Dawn Phillips
Dawn Phillips
I’m a technical writer and analyst focused on IP telephony and unified communications. I translate complex VoIP topics into clear, practical guides for ops teams and growing businesses. I test gear and configs in my home lab and share playbooks that actually work. My goal is to demystify reliability and security without the jargon.

Write a comment

Featured Post

Screen Sharing During VoIP Calls: Essential Collaboration Features for Remote Teams
Screen Sharing During VoIP Calls: Essential Collaboration Features for Remote Teams
VoIP for Sports Teams and Venues: How Modern Communication Boosts Operations and Fan Engagement
VoIP for Sports Teams and Venues: How Modern Communication Boosts Operations and Fan Engagement

Categories

Recent Post

Codec Support on IP Phones: Compatibility Lists for Major Vendors in 2025
Codec Support on IP Phones: Compatibility Lists for Major Vendors in 2025
VoIP Device Security Hardening: Configuration Best Practices
VoIP Device Security Hardening: Configuration Best Practices
Why Your VoIP Call Recording Isn’t Capturing Inbound Audio: Fixing Mix, Mono, and Stereo Path Issues
Why Your VoIP Call Recording Isn’t Capturing Inbound Audio: Fixing Mix, Mono, and Stereo Path Issues
Integration Migration: How to Switch CRM and Business Tools Without Breaking Your Workflow
Integration Migration: How to Switch CRM and Business Tools Without Breaking Your Workflow
Analog Gateways for VoIP: Understanding FXS and FXO Ports for Seamless Phone System Upgrades
Analog Gateways for VoIP: Understanding FXS and FXO Ports for Seamless Phone System Upgrades

Tags

VoIP vs landlines VoIP audio quality VoIP codecs landline reliability VoIP call quality VoIP CRM integration VoIP quality G.711 G.729 VoIP security VoIP encryption FCR contact center metrics shared line appearance VoIP shared line multiple phones same number shared call appearance business VoIP features call recording compliance call storage regulations