By default the media streams passing through the OpenTok platform are encrypted using AES-128. In routed sessions, the media is encrypted between all clients and the media server. In relayed sessions, the media is encrypted between each pair of clients.
For enhanced security, the AES-256 add-on feature provides the AES-256 level of encryption on media streams.
Important: This feature is available as an add-on feature.
With the AES-256 add-on feature enabled, when a client is connecting to an OpenTok Media Router or another client, the cipher to use will be negotiated. If the client supports AES-256 then this will be the cipher negotiated for the media traffic. If the client does not support it, then AES-128 will be used. In the case of relayed sessions, both clients must support AES-256, otherwise they will fall back to AES-128.
After you enable the AES-256 Encryption add-on, this feature will be activated automatically for all the projects in your account.
AES-256 is supported (in addition to AES-128) in apps that use the following OpenTok client SDKs:
OpenTok iOS 2.13+
OpenTok Android 2.13+
OpenTok.js 2.13+ running on Chrome 62+ (with a flag set) or on Firefox 56+. On Chrome 62+, you can enable AES-256 by enabling the Negotiation with GCM cipher suites for SRTP in WebRTC setting in the chrome://flags page.
In Chrome 62+, you can verify the encryption level by navigating to chrome://webrtc-internals. Upon publishing or subscribing to a stream, check the srtpCipher listing under Channel-audio-1 (googComponent) to verify that the streams are using AES-256. If it is AES 256, the listing will include AEAD_AES_256_GCM.
Only AES-128 is supported in apps that use the following OpenTok client SDKs:
OpenTok Windows SDK
OpenTok.js 2.13+ running on Safari or the OpenTok plugin for Internet Explorer (note that support for the OpenTok plugin for Internet Explorer is removed in OpenTok 2.17)
OpenTok 2.12 or older
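The negotiation and fallback rules above, together with the SDK support lists, can be turned into a check of which cipher a connection should end up with and whether the srtpCipher values you observe match it. This is an added example, not OpenTok code: the function names, the client descriptor shape and the sample listings are assumptions constructed for illustration.

```javascript
// Added example; function names and the client descriptor shape are hypothetical.
const AES256 = "AEAD_AES_256_GCM"; // string the page says appears in srtpCipher
const AES128 = "AES-128";          // label only: the page gives no AES-128 cipher string

// AES-256 support per the SDK lists on this page.
// c = { sdk: "ios"|"android"|"js"|"windows", version: "2.13",
//       browser, browserVersion, gcmFlag }  (browser fields for sdk "js" only)
function supportsAes256(c) {
  const [major, minor] = c.version.split(".").map(Number);
  if (major < 2 || (major === 2 && minor < 13)) return false; // OpenTok 2.12 or older
  if (c.sdk === "ios" || c.sdk === "android") return true;
  if (c.sdk !== "js") return false;                           // Windows SDK
  if (c.browser === "chrome") return c.browserVersion >= 62 && c.gcmFlag === true;
  if (c.browser === "firefox") return c.browserVersion >= 56;
  return false;                                               // Safari, IE plugin
}

// Routed: the client negotiates with the Media Router, so only its own support matters.
// Relayed: both clients must support AES-256, otherwise the pair falls back.
function expectedCipher(mode, local, peer, addOnEnabled) {
  if (!addOnEnabled) return AES128;
  const ok = mode === "relayed"
    ? supportsAes256(local) && supportsAes256(peer)
    : supportsAes256(local);
  return ok ? AES256 : AES128;
}

// listings: [{ channel, srtpCipher }] copied by hand from chrome://webrtc-internals.
// Returns the channels that were expected to use AES-256 but do not show it.
function findFallbacks(listings, expected) {
  if (expected !== AES256) return [];
  return listings
    .filter((l) => !String(l.srtpCipher || "").includes(AES256))
    .map((l) => l.channel);
}

// Constructed sample data.
const chrome = { sdk: "js", version: "2.13", browser: "chrome", browserVersion: 62, gcmFlag: true };
const windows = { sdk: "windows", version: "2.13" };
const observed = [
  { channel: "Channel-audio-1", srtpCipher: "AEAD_AES_256_GCM" },
  { channel: "Channel-video-1", srtpCipher: "(constructed non-GCM value)" },
];
console.log(expectedCipher("routed", chrome, windows, true));
console.log(expectedCipher("relayed", chrome, windows, true));
console.log(findFallbacks(observed, AES256));
```

A non-empty result from findFallbacks means a connection that should have negotiated AES-256 is running on the fallback cipher, which is worth checking against the Chrome flag and the peer's SDK version.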