Re: [Srtp-users] RE: [AVT] <From, To> and MKI, RFC 3711
hi
Using both mechanisms is a lot of complexity and I'm hard pressed to
find examples of when we would need two mechanisms, which do the same
thing. I don't like that final sentence in 8.1.1 in RFC 3711 because
complexity undermines security and using both mechanisms is complex.
From/To has the advantage of not adding a field to the packet, but it
has the disadvantage of insecure interactions with the AES counter mode
transform. MKI adds a field but does not suffer from this problem. I
would choose one or the other but not both.
As it is described below, use of both mechanisms is superfluous AFAICT.
Mark
At 05:56 AM 5/11/2004, Sylvain Latulippe wrote:
Hi,
My understanding is the following:
Both mechanisms can be used within the same session. When using MKI, the
<From, To> mechanism can be used by the sender side for synchronizing key
transitions (re-keying).
For example:
A session is started and 2 keys (KEY_1 and KEY_2) are given to the session.
Session parameters:
KEY    FROM  TO  MKI
KEY_1  0     10  1
KEY_2  11    x   2
The sender uses KEY_1 to encrypt packets with index 0 to 10. MKI = 1 is
also appended to packets 0 to 10. When building packet with index 11, the
sender switches to KEY_2 and appends MKI = 2 to the packet.
On the receiver side, <From, To> is not required in this scenario. MKI is
extracted from the received packet and used to retrieve the right key.
Sylvain
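To make the two-key session above concrete, here is an added example (not code from this thread and not libsrtp's own implementation) that models how the sender picks a master key by <From, To> index range and tags the packet with that key's MKI, while the receiver looks the key up by MKI alone. The MasterKey class, the one-byte MKI, the six-byte index field and the XOR "masking" in place of AES-CTR/HMAC are all constructed simplifications for illustration; the table mirrors Sylvain's KEY_1/KEY_2 example, with None standing in for the open-ended "x". It also adds the two checks a defender would want: rejecting overlapping ranges or duplicate MKIs at configuration time, and flagging a packet whose MKI disagrees with the key its index implies when both mechanisms are in play.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class MasterKey:
    name: str
    key: bytes
    from_index: int
    to_index: Optional[int]   # None models the open-ended "x" in the table
    mki: int

# Constructed key table matching the thread's example (keys are dummy bytes).
SESSION_KEYS = [
    MasterKey("KEY_1", b"\x01" * 16, 0, 10, 1),
    MasterKey("KEY_2", b"\x02" * 16, 11, None, 2),
]

def validate_key_table(keys: List[MasterKey]) -> List[str]:
    """Return a list of configuration problems (empty list means usable).
    Duplicate MKIs or overlapping <From, To> ranges make key selection
    ambiguous, so such a table should be rejected before use."""
    problems = []
    mkis = [k.mki for k in keys]
    if len(mkis) != len(set(mkis)):
        problems.append("duplicate MKI values")
    ordered = sorted(keys, key=lambda k: k.from_index)
    for a, b in zip(ordered, ordered[1:]):
        if a.to_index is None or a.to_index >= b.from_index:
            problems.append(f"<From, To> ranges of {a.name} and {b.name} overlap")
    return problems

def sender_select_key(keys: List[MasterKey], index: int) -> MasterKey:
    """Sender side: the master key whose <From, To> range covers the packet
    index; its MKI is what gets appended to the packet."""
    for k in keys:
        if k.from_index <= index and (k.to_index is None or index <= k.to_index):
            return k
    raise LookupError(f"no key covers packet index {index}")

def receiver_select_key(keys: List[MasterKey], mki: int) -> MasterKey:
    """Receiver side: only the MKI carried in the packet is consulted."""
    for k in keys:
        if k.mki == mki:
            return k
    raise LookupError(f"unknown MKI {mki}")

def check_consistency(keys: List[MasterKey], index: int, mki: int) -> bool:
    """When a packet carries both an index and an MKI, the key implied by
    <From, To> and the key named by the MKI must agree; a mismatch means the
    two mechanisms have drifted apart and the packet should be dropped."""
    return sender_select_key(keys, index).mki == mki

def _mask(key: bytes, data: bytes) -> bytes:
    # Stand-in for the real transform so a wrong key is visible in the output.
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def build_packet(keys: List[MasterKey], index: int, payload: bytes) -> bytes:
    """Toy packet layout (constructed): 6-byte index, 1-byte MKI, masked payload."""
    k = sender_select_key(keys, index)
    return index.to_bytes(6, "big") + bytes([k.mki]) + _mask(k.key, payload)

def open_packet(keys: List[MasterKey], packet: bytes):
    """Receiver: read the MKI, fetch that key, unmask. Returns (index, key name, payload)."""
    index = int.from_bytes(packet[:6], "big")
    mki = packet[6]
    k = receiver_select_key(keys, mki)
    return index, k.name, _mask(k.key, packet[7:])

if __name__ == "__main__":
    assert validate_key_table(SESSION_KEYS) == []
    for idx in (0, 10, 11, 500):
        pkt = build_packet(SESSION_KEYS, idx, b"rtp payload")
        print(idx, "->", open_packet(SESSION_KEYS, pkt))
```

Running the block walks packets 0, 10, 11 and 500 through the sender and receiver: indices up to 10 go out under KEY_1 with MKI 1, index 11 onward under KEY_2 with MKI 2, and the receiver recovers the right key from the MKI without needing the <From, To> table at all.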
-----Original Message-----
From: avt-admin@ietf.org [mailto:avt-admin@ietf.org]On Behalf Of Ofer Goren
Sent: 11 May 2004 07:35
To: avt@ietf.org; srtp-users@lists.sourceforge.net
Subject: [AVT] <From, To> and MKI, RFC 3711
Hi.
In RFC 3711, section 8.1.1, it says that "using the MKI does not exclude
using <From, To> key lifetime simultaneously".
As I understand it, both mechanisms can be used for the same session
simultaneously. However, is the <From, To> mechanism MANDATORY to be used
every time (whether <From, To> is used or not), or can I omit it if I'm
using MKI?
Thanks,
Ofer.