
Re: [AVT] RTP: Confidentiality mechanisms



Hi,

Stephen Casner wrote:
> In Section 9.1 of the RTP spec on Confidentiality, I added "redrawn
> for each unit" to clarify that RTCP packets can't use just one random
> number for all packets.  In addition, I've added two statements
> requested by the IESG.
>
>                                                         -- Steve
>
> OLD:
>    For RTCP, a 32-bit random number MUST be
>    prepended to the unit before encryption to deter known plaintext
>    attacks. For RTP, no prefix is required because the sequence number
>    and timestamp fields are initialized with random offsets.
>
> NEW:
>    For RTCP, a 32-bit random number redrawn for
>    each unit MUST be prepended to the unit before encryption to deter
>    known plaintext attacks.  For RTP, no prefix is required because the
>    sequence number and timestamp fields are initialized with random
>    offsets.  This is considered to be a weak initialization vector (IV),
>    because of poor randomness properties.  In addition, if the
>    subsequent field, the SSRC, can be manipulated by an enemy, there is
>    further weakness of the encryption method.

I have some problem with this wording. I assume we are talking CBC
mode(?) I think the text confuses the real issues with using CBC.

First:

> each unit MUST be prepended to the unit before encryption to deter
> known plaintext attacks.

This might signal: "It's okay to use a cipher that does not
resist known plaintext attacks, as long as a rand is prepended".

It is *not* ok to use such a cipher, neither does the prepend fix
that problem: the next input block, p2, *might* still be known and
the previous cipher text block, c1, is certainly known too, so the
input to the 2nd block, c1 XOR p2, will be known anyway.

However, the issue with CBC is that the initial IV must be random
for existing security arguments to hold. Therefore, I assume that
what we really want to say is that in the absence of a truly random
IV, we must randomize the first plaintext block. This is indeed
indicated in the sequel of the above text, but has nothing to do with
known plaintext attacks: even with a random IV, that IV will in
typical CBC appl. be known to an attacker anyway, and is not the
issue. The only issue is to (sufficiently) "randomize the starting
point".

Next,

> For RTP, no prefix is required because the
> sequence number and timestamp fields are initialized with random
> offsets.

This is (strictly speaking) not true. The existing security arguments
for CBC fail if a "counter" type value is used for the IV: even if
the first IV is random, following packet IVs may be highly correlated
to the first one. This does not mean that there is an "attack" on what
you propose (you are probably helped by the fact that the "IV" is
never seen by the attacker), I merely claim that it is not clear that
it is a "sound" way of doing it. At the very least, the caveats
should be pointed out.

Best,

/Mats

_______________________________________________
Audio/Video Transport Working Group
avt@ietf.org
https://www1.ietf.org/mailman/listinfo/avt
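The following is an added illustration of the CBC points argued in the message above; it is not code from the RTP specification, the AVT working group or the author. It uses a constructed toy Feistel block cipher as a stand-in for a real cipher (the key, IV, prefix values and the 28-byte "unit" are all constructed sample data, not real RTCP packets) and shows three things: that reusing one random prefix for every unit under a non-random IV leaks equality of units, that a prefix redrawn per unit removes that collision, and, as Mats argues, that the prefix does not stop an observer who knows the second plaintext block from computing the exact block-cipher input that produced the second ciphertext block. A last helper measures how correlated the block-cipher inputs of consecutive units become when the IV behaves like a counter.

```python
"""CBC-mode illustration for the RTP confidentiality discussion (added example).
The block cipher below is a constructed toy, not AES, and is not secure."""
import hashlib

BLOCK = 16  # block size in bytes, as for AES


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _f(key, half, rnd):
    # Toy Feistel round function: keyed hash truncated to the 8-byte half block.
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]


def toy_block_encrypt(key, block):
    # 8-round Feistel permutation on a 16-byte block; placeholder for a real cipher.
    left, right = block[:8], block[8:]
    for rnd in range(8):
        left, right = right, xor(left, _f(key, right, rnd))
    return left + right


def toy_block_decrypt(key, block):
    left, right = block[:8], block[8:]
    for rnd in reversed(range(8)):
        left, right = xor(right, _f(key, left, rnd)), left
    return left + right


def cbc_encrypt(key, iv, plaintext):
    """CBC: the block-cipher input for each block is (previous ciphertext XOR plaintext)."""
    assert len(plaintext) % BLOCK == 0
    out, prev = [], iv
    for i in range(0, len(plaintext), BLOCK):
        prev = toy_block_encrypt(key, xor(prev, plaintext[i:i + BLOCK]))
        out.append(prev)
    return out


def cbc_decrypt(key, iv, blocks):
    out, prev = [], iv
    for c in blocks:
        out.append(xor(prev, toy_block_decrypt(key, c)))
        prev = c
    return b"".join(out)


# Constructed sample values: a fixed key, an all-zero IV standing in for a
# non-random IV, and a 28-byte "unit" (12 bytes of predictable header followed
# by a 16-byte body) so that a 4-byte prefix makes exactly two blocks.
KEY = b"constructed-demo-key"
FIXED_IV = bytes(BLOCK)
UNIT = b"RTCP-hdr-blk" + b"RTCP-body-blk-02"
REUSED_PREFIX = bytes.fromhex("13579bdf")  # "one random number for all packets"


def reused_prefix_reveals_equal_units():
    """Same prefix for every unit: two units with equal first blocks give equal
    first ciphertext blocks, so equality of the units is visible to an observer."""
    c_a = cbc_encrypt(KEY, FIXED_IV, REUSED_PREFIX + UNIT)
    c_b = cbc_encrypt(KEY, FIXED_IV, REUSED_PREFIX + UNIT[:12] + b"different-body-2")
    return c_a[0] == c_b[0]


def fresh_prefix_hides_equal_units(prefix_a, prefix_b):
    """Prefix redrawn per unit (as the NEW text requires): the first block-cipher
    input differs, so even identical units no longer collide under a fixed IV.
    Prefixes are passed in so the check is deterministic."""
    c_a = cbc_encrypt(KEY, FIXED_IV, prefix_a + UNIT)
    c_b = cbc_encrypt(KEY, FIXED_IV, prefix_b + UNIT)
    return c_a[0] != c_b[0]


def second_block_input_is_known(prefix):
    """Mats' first point: the random prefix does not remove known input/output
    pairs for the block cipher. Anyone who sees c1 and knows p2 computes
    c1 XOR p2, which is exactly the input that produced c2."""
    blocks = cbc_encrypt(KEY, FIXED_IV, prefix + UNIT)
    p2 = UNIT[12:]  # the second block is known plaintext (the report body)
    observer_input = xor(blocks[0], p2)
    return toy_block_encrypt(KEY, observer_input) == blocks[1]


def block_input_distance(iv_a, iv_b, p1):
    """Mats' second point: Hamming distance between the first block-cipher inputs
    of two units that share first plaintext block p1. For counter-style IVs the
    inputs differ in only a bit or two; independent random IVs give about 64."""
    d = xor(xor(iv_a, p1), xor(iv_b, p1))
    return sum(bin(b).count("1") for b in d)


def counter_iv(base, n):
    # IV derived from a counter, e.g. a sequence number with a random offset.
    return (base + n).to_bytes(BLOCK, "big")


if __name__ == "__main__":
    print("reused prefix leaks equality:", reused_prefix_reveals_equal_units())
    print("fresh prefix hides equality:", fresh_prefix_hides_equal_units(
        bytes.fromhex("0a1b2c3d"), bytes.fromhex("4e5f6071")))
    print("second block input known:", second_block_input_is_known(bytes.fromhex("0a1b2c3d")))
    print("counter IV input distance:", block_input_distance(
        counter_iv(0x1000, 0), counter_iv(0x1000, 1), UNIT[:16]))
```

The first two functions reproduce the reason for Steve's "redrawn for each unit" wording; the third shows why, as the message argues, that wording should not be read as a defence against known-plaintext attacks; the last quantifies the "highly correlated" IVs of the RTP case without claiming any attack on it.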