Media Encryption

Overview

Dante media encryption extends the security benefits of using Dante on your network by concealing the media content during transmission between devices. Dante utilises the Advanced Encryption Standard (AES) with a 256-bit key to provide industry-leading media protection. Concealing the contents of media packets prevents malicious or unauthorised users from eavesdropping on or interfering with Dante media traffic.

Media encryption does not affect flow latency, and no action is required by users to manage encryption keys. Keys are automatically rotated regularly for additional security.

Media encryption is automatically enabled by Dante Director when supporting devices are enrolled into a Site.

Encryption Policies

Transmit channel encryption policies can be set on a per-device or per-channel basis in Dante Director. Dante provides two policies which can be applied to transmit channels: Strict and Compatible.

  • Strict policy requires the channel to be transmitted within an encrypted flow and is the recommended setting for the highest level of security.

    New subscriptions to a Strict channel will successfully be created only if the receiving device also supports Dante media encryption. If the receiver is not capable of encryption, the subscription will fail, and Dante Controller will present an error message to the user.

  • Compatible policy enables an interoperable behaviour that supports unencrypted flows when transmitting to legacy devices.

    When a transmit channel is configured with a Compatible policy, Dante will first attempt to create a subscription as an encrypted flow. This ensures networks naturally become more secure as new device firmware is made available. However, if the receiving device is incapable of encryption, the subscription will resolve as an unencrypted flow.

Transmit channel encryption policy can only be configured through Dante Director.

Device media encryption configuration persists across device reboots, and does not require management applications such as Dante Director or Dante Domain Manager to be online (subsequent to initial configuration).

Encryption Icons

Devices that support media encryption (with any mix of Strict or Compatible policy channels) are identified in the Network Status View of Dante Controller using this icon:

Transmit channels set to Strict policy (they require encryption support from the receiving device) are identified in the Network Status View and Device View > Transmit tab using this icon:

Receive channels that are currently subscribed to an encrypted flow are identified in the Network Status View using this icon:

Subscriptions to an encrypted flow are identified in the Network Status View and Device View > Receive tab using this icon:

You can hover over a subscription icon in the Network Status view to see more information about the subscription.

Encryption status icons also appear in some other tabs. Exact colours vary between light and dark mode interface settings.

An example of how the icons might appear in the Network Status View is shown below.

Receive and Transmit Tabs

In Device View for supported devices, the Receive and Transmit tabs also show signal status icons for encrypted subscriptions (shown in the table below), indicating the signal status at each end of the subscription.

Subscription Summary

Signal Icons | Audio Availability                                   | Receiver       | Transmitter
-------------+------------------------------------------------------+----------------+---------------
             | Available                                            | Active         | Active
             | Not available (audio presence cannot be ascertained) | Active         | Active
             | Silence (no active audio on the subscription)        | Active         | Active
             | Muted                                                | Active         | Active
             |                                                      | Pending / none | Pending / none
             |                                                      | Active         | Pending / none
             |                                                      | Error          | Error
             |                                                      | Active         | Error
             |                                                      | Error          | Pending / none
             |                                                      | Pending / none | Error

For the signal icons:

  • Green indicates a good signal

  • Orange indicates a pending signal

  • Red indicates an error

You can hover over the icon for subscriptions with errors to see more information about the subscription issue, for example:

  • The session key ID does not match the media flow key ID

  • The flow ID in packet is incorrect in the current flow context

  • The sentinel check failed

  • The data encrypt/decrypt subsystem has returned an error

  • Invalid packet data

If you encounter any persistent encrypted subscription errors, please contact Audinate technical support for more information.

An example Device View > Receive tab is shown below:

Multicast Transmit Flow Encryption

Encryption is supported for multicast flows. If a multicast flow includes any Strict policy encrypted channels, the entire flow will be encrypted. This means that receivers must support encryption in order to subscribe to a multicast flow containing any Strict policy encrypted channels.

Multicast flows containing only Compatible policy channels will not be encrypted.

Strict policy encrypted channels cannot be added to AES67 or SMPTE ST-2110 multicast transmit flows.
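
The Strict and Compatible rules from Encryption Policies and the multicast rules above can be modelled to see which subscriptions travel unencrypted today and which would stop working if every transmit channel were set to Strict. This is an added planning example, not Audinate code, and it calls no Dante API: Flow, outcome, strict_migration_report and the inventory are made up for illustration, and each unicast entry lists only the policy of the subscribed channel.

```python
from dataclasses import dataclass

STRICT, COMPATIBLE = "strict", "compatible"

@dataclass
class Flow:
    name: str
    policies: list             # policy of each transmit channel in the flow
    receivers: dict            # receiver name -> supports media encryption?
    multicast: bool = False
    interop: bool = False      # AES67 or SMPTE ST-2110 multicast flow

def outcome(flow, rx_capable):
    """Result of one subscription under the rules stated on this page."""
    strict = STRICT in flow.policies
    if flow.interop and strict:
        return "invalid"       # Strict channels cannot be added to these flows
    if flow.multicast or flow.interop:
        if not strict:
            return "unencrypted"   # Compatible-only multicast is not encrypted
        return "encrypted" if rx_capable else "failed"
    if rx_capable:
        return "encrypted"     # both policies attempt encryption first
    return "failed" if strict else "unencrypted"

def strict_migration_report(flows):
    """List cleartext subscriptions now, and those that fail if all go Strict."""
    cleartext, breaks = [], []
    for f in flows:
        all_strict = Flow(f.name, [STRICT] * len(f.policies), f.receivers,
                          f.multicast, f.interop)
        for rx, capable in f.receivers.items():
            if outcome(f, capable) == "unencrypted":
                cleartext.append((f.name, rx))
            if outcome(all_strict, capable) in ("failed", "invalid"):
                breaks.append((f.name, rx))
    return cleartext, breaks

# Constructed inventory (device and flow names are made up).
FLOWS = [
    Flow("stage-L", [COMPATIBLE], {"amp-new": True, "amp-legacy": False}),
    Flow("foh-mix", [STRICT], {"rec-new": True, "rec-legacy": False}),
    Flow("paging", [COMPATIBLE, COMPATIBLE], {"zone-1": True}, multicast=True),
    Flow("broadcast", [COMPATIBLE], {"ob-truck": True}, interop=True),
]

if __name__ == "__main__":
    cleartext, breaks = strict_migration_report(FLOWS)
    print("cleartext now:", cleartext, "| breaks under all-Strict:", breaks)
```

In the sample inventory the Compatible-only multicast flow is cleartext even though its receiver supports encryption, which is the case most easily missed when relying on Compatible to upgrade flows automatically.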