
Re: [AVT] RTP: Confidentiality mechanisms



--> Stephen Casner writes:
>In Section 9.1 of the RTP spec on Confidentiality, I added "redrawn
>for each unit" to clarify that RTCP packets can't use just one random
>number for all packets.  In addition, I've added two statements
>requested by the IESG.

Looks reasonable. I suggest a small addition to the second change, to
indicate that stronger security is under development. 

>OLD:
>   For RTCP, a 32-bit random number MUST be
>   prepended to the unit before encryption to deter known plaintext
>   attacks. For RTP, no prefix is required because the sequence number
>   and timestamp fields are initialized with random offsets.
>
>NEW:
>   For RTCP, a 32-bit random number redrawn for
>   each unit MUST be prepended to the unit before encryption to deter
>   known plaintext attacks.  For RTP, no prefix is required because the
>   sequence number and timestamp fields are initialized with random
>   offsets.  This is considered to be a weak initialization vector (IV),
>   because of poor randomness properties.  In addition, if the
>   subsequent field, the SSRC, can be manipulated by an enemy, there is
>   further weakness of the encryption method.
>
>
>
>OLD:
>   Other encryption algorithms MAY be
>   specified dynamically for a session by non-RTP means.  It is
>   RECOMMENDED that stronger encryption algorithms such as Triple-DES be
>   used in place of the default algorithm.
>NEW ADDITION:
>   In particular, an AES
>   profile taking into account known plaintext and CBC plaintext
>   manipulation concerns will be the correct choice in future.
                         ^ is under development, and 

Colin
_______________________________________________
Audio/Video Transport Working Group
avt@ietf.org
https://www1.ietf.org/mailman/listinfo/avt
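
The effect of the "redrawn for each unit" wording, as an added illustration that is not part of the original message or of the RTP spec. It assumes CBC with an all-zero IV and uses a toy Feistel cipher as a stand-in for DES; the function names, key and sample RTCP bytes are constructed for the example.

```python
import hashlib
import os

BLOCK = 8  # 64-bit blocks, the DES block size

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt_block(block, key):
    # Toy 4-round Feistel permutation: a stand-in for DES, not a real cipher.
    left, right = block[:4], block[4:]
    for i in range(4):
        f = hashlib.sha256(key + bytes([i]) + right).digest()[:4]
        left, right = right, _xor(left, f)
    return left + right

def cbc_encrypt(data, key):
    # Assumption: all-zero IV, so any per-unit randomness must come from the data.
    data += b"\x00" * (-len(data) % BLOCK)  # zero padding, for the demo only
    prev, out = bytes(BLOCK), b""
    for i in range(0, len(data), BLOCK):
        prev = encrypt_block(_xor(data[i:i + BLOCK], prev), key)
        out += prev
    return out

def encrypt_rtcp_unit(unit, key, prefix=None):
    # Prepend the 32-bit random number; by default it is redrawn for each unit.
    if prefix is None:
        prefix = os.urandom(4)
    return cbc_encrypt(prefix + unit, key)

def leaks_repeats(ciphertexts):
    # True if two units share a first ciphertext block, i.e. an observer
    # can tell that the prefix and the start of the plaintext repeated.
    firsts = [c[:BLOCK] for c in ciphertexts]
    return len(set(firsts)) < len(firsts)

# Constructed sample: an empty RTCP receiver report (V=2, PT=201, length=1, SSRC).
SAMPLE_UNIT = bytes.fromhex("80c90001deadbeef")

if __name__ == "__main__":
    key = b"demo-key"
    one_prefix = os.urandom(4)  # drawn once and reused for every unit
    reused = [encrypt_rtcp_unit(SAMPLE_UNIT, key, one_prefix) for _ in range(3)]
    redrawn = [encrypt_rtcp_unit(SAMPLE_UNIT, key) for _ in range(3)]
    print("single prefix for all units leaks repeats:", leaks_repeats(reused))
    print("prefix redrawn per unit leaks repeats:    ", leaks_repeats(redrawn))
```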