[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Fwd: Re: [AVT] IESG Review of draft-ietf-srtp-08.txt - anotherset of comments

To: David Mcgrew <mcgrew@cisco.com>
Subject: Re: Fwd: Re: [AVT] IESG Review of draft-ietf-srtp-08.txt - anotherset of comments
From: Mats Näslund <mats.naslund@era.ericsson.se>
Date: Fri, 27 Jun 2003 19:09:24 +0200
Cc: Colin Perkins <csp@csperkins.org>, Allison Mankin <mankin@psg.com>, mbaugher@cisco.com, "Rolf Blom (EAB)" <rolf.blom@era.ericsson.se>, "ElisabettaCarrara (EAB)" <Elisabetta.Carrara@era.ericsson.se>, "Karl Norrman (EAB)"<Karl.Norrman@era.ericsson.se>, oran@cisco.com, avt@ietf.org
List-help: <mailto:avt-request@ietf.org?subject=help>
List-id: Audio/Video Transport Working Group <avt.ietf.org>
List-post: <mailto:avt@ietf.org>
List-subscribe: <https://www1.ietf.org/mailman/listinfo/avt>,<mailto:avt-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www1.ietf.org/mailman/listinfo/avt>,<mailto:avt-request@ietf.org?subject=unsubscribe>
References: <4.3.2.7.2.20030627081442.01ecd5a0@mira-sjcm-1.cisco.com>
Sender: avt-admin@ietf.org
User-agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.0.1) Gecko/20020823 Netscape/7.0

Hi all,

David Mcgrew wrote:

Mats, Colin, and others,

I belatedly realized that there is another advantage to using the RTP padding over other schemes: compactness. If someone implements CBC without using the RTP padding, then the plaintext needs to be turned into a prefix-free code so that the receiver can unambiguously remove any padding that may be present. Because of this, AES CBC ciphertext will expand by an extra 16-octet block on messages for which no padding is needed, if the conventional method is used (see Appendix A of http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf for more detail). OTOH, if the RTP padding is used, then the padding bit indicates the presence of padding, and there is never need to further expand the ciphertext. Also, the NIST document cited above makes it clear that any suitable padding method is considered acceptable. So this makes me think that we should recommend RTP padding for use with modes that require padding.

Will someone concerned with compactness use a mode that requires
padding in the first place? Won't they rely on the pre-defined modes?

I honestly don't see how we can recommend a padding that we *know*
is "flawed", in particular when the flaw occurs in the absence
of integrity---something we had to fight allow at all!

I am fine with keeping the RTP padding as a sort of "default",
be honest about its pros and cons, but I would not go as far as
to *recommend* it.

As a side note, I would still prefer a CBC variant that doesn't use padding

Agreed, but that is for a future extension of SRTP.

as I'd mentioned before, but at any rate the compactness benefit of using RTP padding deserves to be mentioned.

Absolutely, but so does the security problems.

/M


_______________________________________________
Audio/Video Transport Working Group
avt@ietf.org
https://www1.ietf.org/mailman/listinfo/avt

References:
- Fwd: Re: [AVT] IESG Review of draft-ietf-srtp-08.txt - another set of comments
  - From: David Mcgrew

Prev by Date: Fwd: Re: [AVT] IESG Review of draft-ietf-srtp-08.txt - another set of comments
Next by Date: [AVT] IESG Review of draft-ietf-avt-mpeg4-simple-07.txt - Discuss Comments
Previous by thread: Fwd: Re: [AVT] IESG Review of draft-ietf-srtp-08.txt - another set of comments
Next by thread: [AVT] The Secure Real-time Transport Protocol : Padding/Bandwidth.
Index(es):
- Date
- Thread