In Section 9.1 of the RTP spec on Confidentiality, I added "redrawn
for each unit" to clarify that RTCP packets can't use just one random
number for all packets. In addition, I've added two statements
requested by the IESG.
-- Steve
OLD:
For RTCP, a 32-bit random number MUST be
prepended to the unit before encryption to deter known plaintext
attacks. For RTP, no prefix is required because the sequence number
and timestamp fields are initialized with random offsets.
NEW:
For RTCP, a 32-bit random number redrawn for
each unit MUST be prepended to the unit before encryption to deter
known plaintext attacks. For RTP, no prefix is required because the
sequence number and timestamp fields are initialized with random
offsets. This is considered to be a weak initialization vector (IV),
because of poor randomness properties. In addition, if the
subsequent field, the SSRC, can be manipulated by an enemy, there is
further weakness of the encryption method.
OLD:
Other encryption algorithms MAY be
specified dynamically for a session by non-RTP means. It is
RECOMMENDED that stronger encryption algorithms such as Triple-DES be
used in place of the default algorithm.
NEW ADDITION:
In particular, an AES
profile taking into account known plaintext and CBC plaintext
manipulation concerns will be the correct choice in future.
_______________________________________________
Audio/Video Transport Working Group
avt@ietf.org
https://www1.ietf.org/mailman/listinfo/avt
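The effect of the "redrawn for each unit" wording in the message above, shown as an added example that is not part of the original message or of the RTP spec: with CBC and a fixed IV, a reused 32-bit prefix makes identical RTCP units encrypt to identical ciphertext, while a fresh prefix changes the first block and, through chaining, the rest. Assumptions: a small Feistel cipher stands in for DES (same 64-bit block size, not secure), the CBC IV is all zeros, and `KEY` and `PACKET` are constructed sample values.

```python
import hashlib
import secrets
BLOCK = 8  # 64-bit blocks, the same block size DES uses

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key, i, half):
    # Round function of the stand-in Feistel cipher (NOT DES, illustration only)
    return hashlib.sha256(key + bytes([i]) + half).digest()[:4]

def encrypt_block(key, block):
    left, right = block[:4], block[4:]
    for i in range(4):
        left, right = right, _xor(left, _f(key, i, right))
    return left + right

def decrypt_block(key, block):
    left, right = block[:4], block[4:]
    for i in reversed(range(4)):
        left, right = _xor(right, _f(key, i, left)), left
    return left + right

def cbc_encrypt(key, data):
    prev, out = bytes(BLOCK), b""  # assumed fixed all-zero IV
    for off in range(0, len(data), BLOCK):
        prev = encrypt_block(key, _xor(data[off:off + BLOCK], prev))
        out += prev
    return out

def cbc_decrypt(key, data):
    prev, out = bytes(BLOCK), b""
    for off in range(0, len(data), BLOCK):
        out += _xor(decrypt_block(key, data[off:off + BLOCK]), prev)
        prev = data[off:off + BLOCK]
    return out

def encrypt_rtcp(key, packet, prefix=None):
    # Draw a fresh 32-bit prefix per unit unless the caller pins one (for the demo)
    prefix = secrets.token_bytes(4) if prefix is None else prefix
    unit = prefix + packet
    if len(prefix) != 4 or len(unit) % BLOCK:
        raise ValueError("prefix must be 4 bytes and unit a multiple of 8 bytes")
    return cbc_encrypt(key, unit)

def decrypt_rtcp(key, ciphertext):
    return cbc_decrypt(key, ciphertext)[4:]  # receiver discards the prefix

KEY = b"constructed-key"  # constructed sample key
# Constructed 28-byte stand-in for a compound RTCP packet (4 + 28 = 32 bytes)
PACKET = bytes.fromhex("80c9000112345678") + b"constructed-sample!!"
```

Calling `encrypt_rtcp(KEY, PACKET)` twice without pinning a prefix gives unrelated ciphertexts; pinning the same prefix for both calls reproduces the single-random-number case the clarification rules out.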