
Each stream is delivered using transport level encryption. This encryption is unique per user so that if a single stream is compromised the key used to decrypt the stream cannot be used to decrypt other streams, even for the same content.

We transfer our data using Secure Real-Time Transport Protocol (SRTP). SRTP defines a profile of Real-Time Transport Protocol (RTP), intended to provide encryption, message authentication and integrity, and replay protection to the RTP data.

For encryption and decryption of the data flow (and hence for providing confidentiality of the data flow), we use AES128-CM as the default cipher.

To authenticate the message, protect its integrity, and provide replay protection, we use the HMAC-SHA1 algorithm (defined in RFC 2104). This produces a 160-bit result, which is then truncated to 80 bits to become the authentication tag appended to the packet.
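The tag computation described above, as an added example that is not code from this documentation or from the product: following RFC 3711, HMAC-SHA1 is computed over the packet's authenticated portion followed by the 32-bit rollover counter (ROC), and the leftmost 80 bits are kept. The function names, key, and packet bytes are constructed for illustration.

```python
import hashlib
import hmac
import struct
from typing import Optional

TAG_LEN = 10        # 80-bit tag: leftmost 10 bytes of the 20-byte HMAC-SHA1 output
RTP_HEADER_LEN = 12  # fixed RTP header, no CSRCs or extensions


def srtp_auth_tag(auth_key: bytes, auth_portion: bytes, roc: int) -> bytes:
    """Tag over (RTP header || encrypted payload) || ROC, truncated to 80 bits."""
    # The ROC is covered by the tag but is not transmitted in the packet.
    msg = auth_portion + struct.pack("!I", roc)
    return hmac.new(auth_key, msg, hashlib.sha1).digest()[:TAG_LEN]


def protect(auth_key: bytes, auth_portion: bytes, roc: int) -> bytes:
    """Append the truncated tag to an already-encrypted packet."""
    return auth_portion + srtp_auth_tag(auth_key, auth_portion, roc)


def verify(auth_key: bytes, packet: bytes, roc: int) -> Optional[bytes]:
    """Return the authenticated portion if the tag is valid, otherwise None."""
    if len(packet) < RTP_HEADER_LEN + TAG_LEN:
        return None
    auth_portion, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
    expected = srtp_auth_tag(auth_key, auth_portion, roc)
    # Constant-time comparison avoids leaking how many tag bytes matched.
    return auth_portion if hmac.compare_digest(tag, expected) else None


# Constructed sample data (not captured traffic). In the setup described on
# this page the keys are established via DTLS; this key is a placeholder.
SAMPLE_KEY = bytes(range(20))
SAMPLE_BODY = struct.pack("!BBHII", 0x80, 96, 1, 160, 0x1234ABCD) + b"\x5a" * 32
SAMPLE_PACKET = protect(SAMPLE_KEY, SAMPLE_BODY, roc=0)

if __name__ == "__main__":
    tampered = bytearray(SAMPLE_PACKET)
    tampered[20] ^= 0x01  # flip one bit of the (stand-in) ciphertext
    print("original accepted:", verify(SAMPLE_KEY, SAMPLE_PACKET, 0) is not None)
    print("tampered accepted:", verify(SAMPLE_KEY, bytes(tampered), 0) is not None)
    print("wrong ROC accepted:", verify(SAMPLE_KEY, SAMPLE_PACKET, 1) is not None)
```

Because the ROC is part of the authenticated message, a packet re-sent after the sequence number has wrapped fails verification even though its bytes are unchanged.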

To securely establish the keys for all of the above, we use Datagram Transport Layer Security (DTLS).

For more information about our key management workflows, please see our documentation at phenixrts.com/docs.
