/// <summary>
/// 4.3.3. AES-CM PRF
///
/// The currently defined PRF, keyed by 128, 192, or 256 bit master key,
/// has input block size m = 128 and can produce n-bit outputs for n up
/// to 2^23. PRF_n(k_master,x) SHALL be AES in Counter Mode as described
/// in Section 4.1.1, applied to key k_master, and IV equal to (x*2^16),
/// and with the output keystream truncated to the n first (left-most)
/// bits. (Requiring n/128, rounded up, applications of AES.)
///
/// https://tools.ietf.org/html/rfc3711#section-4.3.3
/// </summary>
private static byte[] PseudoRandomFunction(byte[] masterKey, byte[] x, int keyLength)
{
var iv = new byte[SrtpConstants.SrtpPseudoRandomFunctionInputBlockSize];
x.CopyTo(iv, 0);
return(AesCounterMode.GenerateKeystreamSegment(masterKey, iv, keyLength));
}
private static byte[] EncryptPayloadWithAesCtrMode(SrtpDerivedkeys derivedKeys, uint ssrc, byte[] rtpBody, int packetIndex)
{
var sessionKey = derivedKeys.SessionKey;
var cipherSalt = derivedKeys.CipherSalt;
// where the 128-bit integer value IV SHALL be defined by the SSRC, the
// SRTP packet index i, and the SRTP session salting key k_s, as below.
//
// IV = (k_s * 2^16) XOR (SSRC * 2^64) XOR (i * 2^16)
var iv =
cipherSalt.ShiftLeft(16)
.Xor(BitConverter.GetBytes(IPAddress.HostToNetworkOrder(ssrc)).ShiftLeft(64))
.Xor(BitConverter.GetBytes(IPAddress.HostToNetworkOrder(packetIndex)).ShiftLeft(16));
var encrypted = AesCounterMode.Encrypt(sessionKey, iv, rtpBody);
return(encrypted);
}
