By default the media streams passing through the OpenTok platform are encrypted using AES-128. In routed sessions, the media is encrypted between all clients and the media server. In relayed sessions, the media is encrypted between each pair of clients.
For enhanced security, the OpenTok platform also supports the AES-256 level of encryption on media streams. When a client is connecting to an OpenTok Media Router or another client, the cipher to use will be negotiated. If the client supports AES-256 then this will be the cipher negotiated for the media traffic. If the client does not support it, then AES-128 will be used. In the case of relayed sessions, both clients must support AES-256, otherwise they will fall back to AES-128.
Important: This feature is available as an add-on feature. Contact support@tokbox.com to enable this feature for your OpenTok project keys.
AES-256 is supported (in addition to AES-128) in apps that use the following OpenTok client SDKs:
OpenTok iOS 2.13+
OpenTok Android 2.13+
OpenTok.js 2.13+ running on Chrome 62+ (with a flag set) or on Firefox 56+. On Chrome 62+,
you can enable AES-256 by enabling the Negotiation with GCM cipher suites for SRTP in WebRTC
setting in the chrome://flags page.
In Chrome 62+, you can verify the encryption level by navigating to chrome://webrtc-internals.
Upon publishing or subscribing to a stream, use chrome://webrtc-internals, to verify that the
streams are using AES-256 check the srtpCipher listing under Channel-audio-1 (googComponent).
If it is AES 256, the listing will include AEAD_AES_256_GCM.
Only AES-128 is supported in apps that use the following OpenTok client SDKs:
OpenTok Windows SDK
OpenTok.js 2.13+ running on Safari or the OpenTok plugin for Internet Explorer (note that support for the OpenTok plugin for Internet Explorer is removed in OpenTok 2.17)
OpenTok 2.12 or older
