Encrypting (S)RTP via SDES (key exchange in SDP)
SRTP in its oldest, simplest and most deployed implementation encrypts the (UDP) audio stream using a key that was exchanged via SIP(S), in the SDP body of the SIP packet.
This method, called SDES (SDP Security Descriptions), can be considered secure under two conditions:
Encrypted SIPS (for example, TLS) was used for exchanging keys in signaling
All the SIP(S) proxies between caller and callee are trusted
Because SIP(S) packets must be interpreted by proxies, the organizations that own or manage each single proxy between caller and callee know the key and can decrypt the audio. Also, someone can succeed in inserting him or herself into the proxy chain, and acting as a man-in-the-middle (mitm), pretending to be one such legitimate proxy, and then decrypt and/or tamper with the audio.
Many wrongly identify "SRTP" with "SRTP via SDES". SRTP is actually RTP encrypted via keys, and there are many different methods to exchange those keys.
Anyway, anyone...
