idnits 2.17.1

draft-ietf-avtcore-aria-srtp-07.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

     No issues found here.

  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the IETF Trust and authors Copyright Line does not
     match the current year

  -- The document date (September 23, 2014) is 3502 days in the past.  Is this
     intentional?

  Checking references for intended status: Proposed Standard
  ----------------------------------------------------------------------------

     (See RFCs 3967 and 4897 for information about using normative references
     to lower-maturity documents in RFCs)

  -- Possible downref: Non-RFC (?) normative reference: ref. 'GCM'

  == Outdated reference: A later version (-17) exists of
     draft-ietf-avtcore-srtp-aes-gcm-14

     Summary: 0 errors (**), 0 flaws (~~), 2 warnings (==), 2 comments (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.

--------------------------------------------------------------------------------

AVTCore                                                           W. Kim
Internet-Draft                                                    J. Lee
Intended status: Standards Track                                  D. Kim
Expires: March 27, 2015                                          J. Park
                                                                 D. Kwon
                                                                    NSRI
                                                      September 23, 2014

   The ARIA Algorithm and Its Use with the Secure Real-time Transport
                            Protocol (SRTP)
                    draft-ietf-avtcore-aria-srtp-07

Abstract

   This document defines the use of the ARIA block cipher algorithm
   within the Secure Real-time Transport Protocol (SRTP) for providing
   confidentiality for the Real-time Transport Protocol (RTP) traffic
   and for the control traffic for RTP, the RTP Control Protocol (RTCP).
   It details three modes of operation (CTR, CCM, GCM) and an SRTP Key
   Derivation Function for ARIA.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current
   Internet-Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on March 27, 2015.

Copyright Notice

   Copyright (c) 2014 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction
     1.1.  ARIA
     1.2.  Terminology
   2.  Cryptographic Transforms
     2.1.  ARIA-CTR
     2.2.  ARIA-GCM
     2.3.  ARIA-CCM
   3.  Key Derivation Functions
   4.  Security Considerations
   5.  IANA Considerations
     5.1.  Security Descriptions (SDES)
     5.2.  DTLS-SRTP
     5.3.  MIKEY
   6.  References
     6.1.  Normative References
     6.2.  Informative References
   Appendix A.  SRTP Parameters for DTLS-SRTP and MIKEY
     A.1.  DTLS-SRTP
     A.2.  MIKEY
   Appendix B.  Test Vectors
     B.1.  ARIA-CTR Test Vectors
       B.1.1.  ARIA_128_CTR_HMAC_SHA1_80
       B.1.2.  ARIA_192_CTR_HMAC_SHA1_80
       B.1.3.  ARIA_256_CTR_HMAC_SHA1_80
     B.2.  ARIA-GCM Test Vectors
       B.2.1.  ARIA_128_GCM
       B.2.2.  ARIA_256_GCM
     B.3.  ARIA-CCM Test Vectors
       B.3.1.  ARIA_128_CCM
       B.3.2.  ARIA_256_CCM
       B.3.3.  ARIA_128_CCM_8
       B.3.4.  ARIA_256_CCM_8
       B.3.5.  ARIA_128_CCM_12
       B.3.6.  ARIA_256_CCM_12
     B.4.  Key Derivation Test Vector
       B.4.1.  ARIA_128_CTR_PRF
       B.4.2.  ARIA_192_CTR_PRF
       B.4.3.  ARIA_256_CTR_PRF

1.  Introduction

   This document defines the use of the ARIA [RFC5794] block cipher
   algorithm in the Secure Real-time Transport Protocol (SRTP) [RFC3711]
   for providing confidentiality for the Real-time Transport Protocol
   (RTP) [RFC3550] traffic and for the control traffic for RTP, the RTP
   Control Protocol (RTCP) [RFC3550].

1.1.  ARIA

   ARIA is a general-purpose block cipher algorithm developed by Korean
   cryptographers in 2003.  It is an iterated block cipher with 128-,
   192-, and 256-bit keys and encrypts 128-bit blocks in 12, 14, and 16
   rounds, depending on the key size.  It is secure and suitable for
   most software and hardware implementations on 32-bit and 8-bit
   processors.  It was established as a Korean standard block cipher
   algorithm in 2004 [ARIAKS] and has been widely used in Korea,
   especially for government-to-public services.  It was included in
   PKCS #11 in 2007 [ARIAPKCS].  The algorithm specification and object
   identifiers are described in [RFC5794].

1.2.  Terminology

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].

2.  Cryptographic Transforms

   The block ciphers ARIA and AES share common characteristics including
   mode, key size, and block size.  ARIA does not have any restrictions
   for modes of operation that are used with this block cipher.  We
   define three modes of running ARIA within the SRTP protocol: (1) ARIA
   in Counter Mode (ARIA-CTR), (2) ARIA in Counter with CBC-MAC Mode
   (ARIA-CCM) and (3) ARIA in Galois/Counter Mode (ARIA-GCM).

2.1.  ARIA-CTR

   Section 4.1.1 of [RFC3711] defines AES-128 counter mode encryption,
   which it refers to as "AES_CM".  Section 2 of [RFC6188] defines
   "AES_192_CM" and "AES_256_CM" in SRTP.  ARIA counter modes are
   defined in the same manner except that each invocation of AES is
   replaced by that of ARIA [RFC5794], and are denoted by ARIA_128_CTR,
   ARIA_192_CTR and ARIA_256_CTR respectively, according to the key
   lengths.  The plaintext inputs to the block cipher are formed as in
   AES-CTR (AES_CM, AES_192_CM, AES_256_CM) and the block cipher outputs
   are processed as in AES-CTR.

   When ARIA-CTR is used, it MUST be used only in conjunction with an
   authentication function.  The ARIA-CTR crypto suites with HMAC-SHA1
   as an authentication function are listed below.  The authentication
   key length of all crypto suites is 20 octets.

   Section 3.2 of [RFC6904] defines AES-CTR for SRTP header extension
   keystream generation.  When ARIA-CTR is used, the header extension
   keystream SHALL be generated in the same manner except that each
   invocation of AES is replaced by that of ARIA [RFC5794].

   +---------------------------+-----------------+------------------+
   | Name                      | Enc. Key Length | Auth. Tag Length |
   +---------------------------+-----------------+------------------+
   | ARIA_128_CTR_HMAC_SHA1_80 | 16 octets       | 10 octets        |
   | ARIA_128_CTR_HMAC_SHA1_32 | 16 octets       | 4 octets         |
   | ARIA_192_CTR_HMAC_SHA1_80 | 24 octets       | 10 octets        |
   | ARIA_192_CTR_HMAC_SHA1_32 | 24 octets       | 4 octets         |
   | ARIA_256_CTR_HMAC_SHA1_80 | 32 octets       | 10 octets        |
   | ARIA_256_CTR_HMAC_SHA1_32 | 32 octets       | 4 octets         |
   +---------------------------+-----------------+------------------+

             Table 1: ARIA-CTR Crypto Suites for SRTP/SRTCP

   The parameters (from Table 2 to Table 7) in each crypto suite listed
   in Table 1 are described for use with the SDP Security Descriptions
   attributes [RFC4568].

   +---------------------------------+------------------------------+
   | Parameter                       | Value                        |
   +---------------------------------+------------------------------+
   | Master key length               | 128 bits                     |
   | Master salt length              | 112 bits                     |
   | Key Derivation Function         | ARIA_128_CTR_PRF (Section 3) |
   | Default key lifetime            | 2^31 packets                 |
   | Cipher (for SRTP and SRTCP)     | ARIA_128_CTR                 |
   | SRTP authentication function    | HMAC-SHA1                    |
   | SRTP authentication key length  | 160 bits                     |
   | SRTP authentication tag length  | 80 bits                      |
   | SRTCP authentication function   | HMAC-SHA1                    |
   | SRTCP authentication key length | 160 bits                     |
   | SRTCP authentication tag length | 80 bits                      |
   +---------------------------------+------------------------------+

           Table 2: The ARIA_128_CTR_HMAC_SHA1_80 Crypto Suite

   +---------------------------------+------------------------------+
   | Parameter                       | Value                        |
   +---------------------------------+------------------------------+
   | Master key length               | 128 bits                     |
   | Master salt length              | 112 bits                     |
   | Key Derivation Function         | ARIA_128_CTR_PRF (Section 3) |
   | Default key lifetime            | 2^31 packets                 |
   | Cipher (for SRTP and SRTCP)     | ARIA_128_CTR                 |
   | SRTP authentication function    | HMAC-SHA1                    |
   | SRTP authentication key length  | 160 bits                     |
   | SRTP authentication tag length  | 32 bits                      |
   | SRTCP authentication function   | HMAC-SHA1                    |
   | SRTCP authentication key length | 160 bits                     |
   | SRTCP authentication tag length | 80 bits                      |
   +---------------------------------+------------------------------+

           Table 3: The ARIA_128_CTR_HMAC_SHA1_32 Crypto Suite

   +---------------------------------+------------------------------+
   | Parameter                       | Value                        |
   +---------------------------------+------------------------------+
   | Master key length               | 192 bits                     |
   | Master salt length              | 112 bits                     |
   | Key Derivation Function         | ARIA_192_CTR_PRF (Section 3) |
   | Default key lifetime            | 2^31 packets                 |
   | Cipher (for SRTP and SRTCP)     | ARIA_192_CTR                 |
   | SRTP authentication function    | HMAC-SHA1                    |
   | SRTP authentication key length  | 160 bits                     |
   | SRTP authentication tag length  | 80 bits                      |
   | SRTCP authentication function   | HMAC-SHA1                    |
   | SRTCP authentication key length | 160 bits                     |
   | SRTCP authentication tag length | 80 bits                      |
   +---------------------------------+------------------------------+

           Table 4: The ARIA_192_CTR_HMAC_SHA1_80 Crypto Suite

   +---------------------------------+------------------------------+
   | Parameter                       | Value                        |
   +---------------------------------+------------------------------+
   | Master key length               | 192 bits                     |
   | Master salt length              | 112 bits                     |
   | Key Derivation Function         | ARIA_192_CTR_PRF (Section 3) |
   | Default key lifetime            | 2^31 packets                 |
   | Cipher (for SRTP and SRTCP)     | ARIA_192_CTR                 |
   | SRTP authentication function    | HMAC-SHA1                    |
   | SRTP authentication key length  | 160 bits                     |
   | SRTP authentication tag length  | 32 bits                      |
   | SRTCP authentication function   | HMAC-SHA1                    |
   | SRTCP authentication key length | 160 bits                     |
   | SRTCP authentication tag length | 80 bits                      |
   +---------------------------------+------------------------------+

           Table 5: The ARIA_192_CTR_HMAC_SHA1_32 Crypto Suite

   +---------------------------------+------------------------------+
   | Parameter                       | Value                        |
   +---------------------------------+------------------------------+
   | Master key length               | 256 bits                     |
   | Master salt length              | 112 bits                     |
   | Key Derivation Function         | ARIA_256_CTR_PRF (Section 3) |
   | Default key lifetime            | 2^31 packets                 |
   | Cipher (for SRTP and SRTCP)     | ARIA_256_CTR                 |
   | SRTP authentication function    | HMAC-SHA1                    |
   | SRTP authentication key length  | 160 bits                     |
   | SRTP authentication tag length  | 80 bits                      |
   | SRTCP authentication function   | HMAC-SHA1                    |
   | SRTCP authentication key length | 160 bits                     |
   | SRTCP authentication tag length | 80 bits                      |
   +---------------------------------+------------------------------+

           Table 6: The ARIA_256_CTR_HMAC_SHA1_80 Crypto Suite

   +---------------------------------+------------------------------+
   | Parameter                       | Value                        |
   +---------------------------------+------------------------------+
   | Master key length               | 256 bits                     |
   | Master salt length              | 112 bits                     |
   | Key Derivation Function         | ARIA_256_CTR_PRF (Section 3) |
   | Default key lifetime            | 2^31 packets                 |
   | Cipher (for SRTP and SRTCP)     | ARIA_256_CTR                 |
   | SRTP authentication function    | HMAC-SHA1                    |
   | SRTP authentication key length  | 160 bits                     |
   | SRTP authentication tag length  | 32 bits                      |
   | SRTCP authentication function   | HMAC-SHA1                    |
   | SRTCP authentication key length | 160 bits                     |
   | SRTCP authentication tag length | 80 bits                      |
   +---------------------------------+------------------------------+

           Table 7: The ARIA_256_CTR_HMAC_SHA1_32 Crypto Suite

2.2.  ARIA-GCM

   GCM (Galois Counter Mode) [GCM][RFC5116] is an AEAD (Authenticated
   Encryption with Associated Data) block cipher mode.  ARIA-GCM is
   defined in the same way as AES-GCM, which is described in detail in
   [RFC5116][RFC5282].

   The document [I-D.ietf-avtcore-srtp-aes-gcm] describes the use of
   AES-GCM with SRTP [RFC3711][RFC6904].  The use of ARIA-GCM with SRTP
   is defined the same as that of AES-GCM except that each invocation of
   AES is replaced by ARIA [RFC5794].  When [RFC6904] is in use, a
   separate keystream to encrypt selected RTP header extension elements
   MUST be generated in the same manner as defined in
   [I-D.ietf-avtcore-srtp-aes-gcm] except that AES-CTR is replaced by
   ARIA-CTR.

   The ARIA-GCM algorithms in Table 8 may be used with SRTP and SRTCP:

   +----------------------+-----------------+------------------+
   | Name                 | Enc. Key Length | Auth. Tag Length |
   +----------------------+-----------------+------------------+
   | AEAD_ARIA_128_GCM    | 16 octets       | 16 octets        |
   | AEAD_ARIA_256_GCM    | 32 octets       | 16 octets        |
   | AEAD_ARIA_128_GCM_12 | 16 octets       | 12 octets        |
   | AEAD_ARIA_256_GCM_12 | 32 octets       | 12 octets        |
   +----------------------+-----------------+------------------+

             Table 8: ARIA-GCM Crypto Suites for SRTP/SRTCP

   The parameters (from Table 9 to Table 12) in each crypto suite listed
   in Table 8 are described for use with the SDP Security Descriptions
   attributes [RFC4568].

   +--------------------------------+------------------------------+
   | Parameter                      | Value                        |
   +--------------------------------+------------------------------+
   | Master key length              | 128 bits                     |
   | Master salt length             | 96 bits                      |
   | Key Derivation Function        | ARIA_128_CTR_PRF (Section 3) |
   | Default key lifetime (SRTP)    | 2^48 packets                 |
   | Default key lifetime (SRTCP)   | 2^31 packets                 |
   | Cipher (for SRTP and SRTCP)    | AEAD_ARIA_128_GCM            |
   | AEAD authentication tag length | 128 bits                     |
   +--------------------------------+------------------------------+

               Table 9: The AEAD_ARIA_128_GCM Crypto Suite

   +--------------------------------+------------------------------+
   | Parameter                      | Value                        |
   +--------------------------------+------------------------------+
   | Master key length              | 256 bits                     |
   | Master salt length             | 96 bits                      |
   | Key Derivation Function        | ARIA_256_CTR_PRF (Section 3) |
   | Default key lifetime (SRTP)    | 2^48 packets                 |
   | Default key lifetime (SRTCP)   | 2^31 packets                 |
   | Cipher (for SRTP and SRTCP)    | AEAD_ARIA_256_GCM            |
   | AEAD authentication tag length | 128 bits                     |
   +--------------------------------+------------------------------+

              Table 10: The AEAD_ARIA_256_GCM Crypto Suite

   +--------------------------------+------------------------------+
   | Parameter                      | Value                        |
   +--------------------------------+------------------------------+
   | Master key length              | 128 bits                     |
   | Master salt length             | 96 bits                      |
   | Key Derivation Function        | ARIA_128_CTR_PRF (Section 3) |
   | Default key lifetime (SRTP)    | 2^48 packets                 |
   | Default key lifetime (SRTCP)   | 2^31 packets                 |
   | Cipher (for SRTP and SRTCP)    | AEAD_ARIA_128_GCM_12         |
   | AEAD authentication tag length | 96 bits                      |
   +--------------------------------+------------------------------+

             Table 11: The AEAD_ARIA_128_GCM_12 Crypto Suite

   +--------------------------------+------------------------------+
   | Parameter                      | Value                        |
   +--------------------------------+------------------------------+
   | Master key length              | 256 bits                     |
   | Master salt length             | 96 bits                      |
   | Key Derivation Function        | ARIA_256_CTR_PRF (Section 3) |
   | Default key lifetime (SRTP)    | 2^48 packets                 |
   | Default key lifetime (SRTCP)   | 2^31 packets                 |
   | Cipher (for SRTP and SRTCP)    | AEAD_ARIA_256_GCM_12         |
   | AEAD authentication tag length | 96 bits                      |
   +--------------------------------+------------------------------+

             Table 12: The AEAD_ARIA_256_GCM_12 Crypto Suite

2.3.  ARIA-CCM

   CCM (Counter with CBC-MAC) [RFC3610][RFC5116] is another AEAD block
   cipher mode.  ARIA-CCM is defined in the same way as AES-CCM, which
   is described in detail in [RFC5116] [RFC6655]
   [I-D.ietf-avtcore-srtp-aes-gcm].

   The document [I-D.ietf-avtcore-srtp-aes-gcm] describes the use of
   AES-CCM with SRTP [RFC3711][RFC6904].  The use of ARIA-CCM with SRTP
   is defined the same as that of AES-CCM except that each invocation of
   AES is replaced by ARIA [RFC5794].  When [RFC6904] is in use, a
   separate keystream to encrypt selected RTP header extension elements
   MUST be generated in the same manner as defined in
   [I-D.ietf-avtcore-srtp-aes-gcm] except that AES-CTR is replaced by
   ARIA-CTR.

   The ARIA-CCM algorithms in Table 13 may be used with SRTP and SRTCP:

   +----------------------+-----------------+------------------+
   | Name                 | Enc. Key Length | Auth. Tag Length |
   +----------------------+-----------------+------------------+
   | AEAD_ARIA_128_CCM    | 16 octets       | 16 octets        |
   | AEAD_ARIA_256_CCM    | 32 octets       | 16 octets        |
   | AEAD_ARIA_128_CCM_8  | 16 octets       | 8 octets         |
   | AEAD_ARIA_256_CCM_8  | 32 octets       | 8 octets         |
   | AEAD_ARIA_128_CCM_12 | 16 octets       | 12 octets        |
   | AEAD_ARIA_256_CCM_12 | 32 octets       | 12 octets        |
   +----------------------+-----------------+------------------+

             Table 13: ARIA-CCM Crypto Suites for SRTP/SRTCP

   The parameters (from Table 14 to Table 19) in each crypto suite
   listed in Table 13 are described for use with the SDP Security
   Descriptions attributes [RFC4568].

   +--------------------------------+------------------------------+
   | Parameter                      | Value                        |
   +--------------------------------+------------------------------+
   | Master key length              | 128 bits                     |
   | Master salt length             | 96 bits                      |
   | Key Derivation Function        | ARIA_128_CTR_PRF (Section 3) |
   | Default key lifetime (SRTP)    | 2^48 packets                 |
   | Default key lifetime (SRTCP)   | 2^31 packets                 |
   | Cipher (for SRTP and SRTCP)    | AEAD_ARIA_128_CCM            |
   | AEAD authentication tag length | 128 bits                     |
   +--------------------------------+------------------------------+

              Table 14: The AEAD_ARIA_128_CCM Crypto Suite

   +--------------------------------+------------------------------+
   | Parameter                      | Value                        |
   +--------------------------------+------------------------------+
   | Master key length              | 256 bits                     |
   | Master salt length             | 96 bits                      |
   | Key Derivation Function        | ARIA_256_CTR_PRF (Section 3) |
   | Default key lifetime (SRTP)    | 2^48 packets                 |
   | Default key lifetime (SRTCP)   | 2^31 packets                 |
   | Cipher (for SRTP and SRTCP)    | AEAD_ARIA_256_CCM            |
   | AEAD authentication tag length | 128 bits                     |
   +--------------------------------+------------------------------+

              Table 15: The AEAD_ARIA_256_CCM Crypto Suite

   +--------------------------------+------------------------------+
   | Parameter                      | Value                        |
   +--------------------------------+------------------------------+
   | Master key length              | 128 bits                     |
   | Master salt length             | 96 bits                      |
   | Key Derivation Function        | ARIA_128_CTR_PRF (Section 3) |
   | Default key lifetime (SRTP)    | 2^48 packets                 |
   | Default key lifetime (SRTCP)   | 2^31 packets                 |
   | Cipher (for SRTP and SRTCP)    | AEAD_ARIA_128_CCM_8          |
   | AEAD authentication tag length | 64 bits                      |
   +--------------------------------+------------------------------+

             Table 16: The AEAD_ARIA_128_CCM_8 Crypto Suite

   +--------------------------------+------------------------------+
   | Parameter                      | Value                        |
   +--------------------------------+------------------------------+
   | Master key length              | 256 bits                     |
   | Master salt length             | 96 bits                      |
   | Key Derivation Function        | ARIA_256_CTR_PRF (Section 3) |
   | Default key lifetime (SRTP)    | 2^48 packets                 |
   | Default key lifetime (SRTCP)   | 2^31 packets                 |
   | Cipher (for SRTP and SRTCP)    | AEAD_ARIA_256_CCM_8          |
   | AEAD authentication tag length | 64 bits                      |
   +--------------------------------+------------------------------+

             Table 17: The AEAD_ARIA_256_CCM_8 Crypto Suite

   +--------------------------------+------------------------------+
   | Parameter                      | Value                        |
   +--------------------------------+------------------------------+
   | Master key length              | 128 bits                     |
   | Master salt length             | 96 bits                      |
   | Key Derivation Function        | ARIA_128_CTR_PRF (Section 3) |
   | Default key lifetime (SRTP)    | 2^48 packets                 |
   | Default key lifetime (SRTCP)   | 2^31 packets                 |
   | Cipher (for SRTP and SRTCP)    | AEAD_ARIA_128_CCM_12         |
   | AEAD authentication tag length | 96 bits                      |
   +--------------------------------+------------------------------+

             Table 18: The AEAD_ARIA_128_CCM_12 Crypto Suite

   +--------------------------------+------------------------------+
   | Parameter                      | Value                        |
   +--------------------------------+------------------------------+
   | Master key length              | 256 bits                     |
   | Master salt length             | 96 bits                      |
   | Key Derivation Function        | ARIA_256_CTR_PRF (Section 3) |
   | Default key lifetime (SRTP)    | 2^48 packets                 |
   | Default key lifetime (SRTCP)   | 2^31 packets                 |
   | Cipher (for SRTP and SRTCP)    | AEAD_ARIA_256_CCM_12         |
   | AEAD authentication tag length | 96 bits                      |
   +--------------------------------+------------------------------+

             Table 19: The AEAD_ARIA_256_CCM_12 Crypto Suite

3.  Key Derivation Functions

   Section 4.3.3 of [RFC3711] defines the AES-128 counter mode key
   derivation function, which it refers to as "AES-CM PRF".  Section 3
   of [RFC6188] defines the AES-192 counter mode key derivation function
   and the AES-256 counter mode key derivation function, which it refers
   to as "AES_192_CM_PRF" and "AES_256_CM_PRF" respectively.  The
   ARIA-CTR PRF is defined in the same manner except that each
   invocation of AES is replaced by that of ARIA.  According to the key
   lengths of the underlying encryption algorithm, ARIA-CTR PRFs are
   denoted by "ARIA_128_CTR_PRF", "ARIA_192_CTR_PRF" and
   "ARIA_256_CTR_PRF".  The usage requirements of
   [RFC6188][I-D.ietf-avtcore-srtp-aes-gcm] regarding the AES-CM PRF
   apply to the ARIA-CTR PRF as well.  The PRFs for ARIA crypto suites
   with SRTP are defined by the ARIA-CTR PRF with the same key length as
   the encryption algorithm (see Section 2).
   SRTP_ARIA_128_CTR_HMAC, SRTP_AEAD_ARIA_128_GCM, and
   SRTP_AEAD_ARIA_128_CCM MUST use the ARIA_128_CTR_PRF Key Derivation
   Function.  SRTP_ARIA_192_CTR_HMAC MUST use the ARIA_192_CTR_PRF Key
   Derivation Function.  And SRTP_ARIA_256_CTR_HMAC,
   SRTP_AEAD_ARIA_256_GCM, and SRTP_AEAD_ARIA_256_CCM MUST use the
   ARIA_256_CTR_PRF Key Derivation Function.

4.  Security Considerations

   At the time of writing this document, no security problem has been
   found in ARIA (see [TSL]).
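
   An added example, not part of the draft: a Python check of an SDP
   Security Descriptions "a=crypto" attribute [RFC4568] against the
   master key, master salt, tag and key lifetime values in Tables 1 to
   19.  The 80-bit minimum tag, the use of the default key lifetime as
   an upper bound, and the sample attribute lines are assumptions of
   this example.

```python
import base64
import binascii
import re

# Suite -> (master key octets, master salt octets, SRTP tag bits,
#           log2 of the default SRTP key lifetime), taken from Tables 1-19.
SUITES = {}
for bits in (128, 192, 256):
    for tag in (80, 32):
        SUITES[f"ARIA_{bits}_CTR_HMAC_SHA1_{tag}"] = (bits // 8, 14, tag, 31)
for bits in (128, 256):
    for name, tag in (("GCM", 128), ("GCM_12", 96), ("CCM", 128),
                      ("CCM_8", 64), ("CCM_12", 96)):
        SUITES[f"AEAD_ARIA_{bits}_{name}"] = (bits // 8, 12, tag, 48)

# a=crypto:<tag> <crypto-suite> <key-params> [<session-params>]  (RFC 4568)
CRYPTO_RE = re.compile(r"^a=crypto:(\d{1,9}) (\S+) (\S+)(?: .*)?$")


def parse_lifetime(text):
    """Return a lifetime in packets from '2^n' or a decimal, else None."""
    m = re.fullmatch(r"2\^(\d{1,2})", text)
    if m:
        return 2 ** int(m.group(1))
    return int(text) if text.isdigit() else None


def check_crypto_line(line, min_tag_bits=80):
    """Return a list of findings for one a=crypto line (empty list = clean).

    min_tag_bits is a local policy threshold assumed by this example.
    """
    m = CRYPTO_RE.match(line.strip())
    if not m:
        return ["malformed a=crypto attribute"]
    suite, key_params = m.group(2), m.group(3)
    if suite not in SUITES:
        return [f"crypto suite {suite} is not an ARIA suite from this draft"]
    key_len, salt_len, tag_bits, life_exp = SUITES[suite]
    findings = []
    if tag_bits < min_tag_bits:
        findings.append(f"short authentication tag ({tag_bits} bits)")
    for param in key_params.split(";"):
        if not param.startswith("inline:"):
            findings.append("key method is not 'inline'")
            continue
        fields = param[len("inline:"):].split("|")
        try:
            material = base64.b64decode(fields[0], validate=True)
        except (binascii.Error, ValueError):
            findings.append("key||salt is not valid base64")
            continue
        if len(material) != key_len + salt_len:
            findings.append(f"key||salt is {len(material)} octets, "
                            f"suite needs {key_len + salt_len}")
        for field in fields[1:]:
            if ":" in field:          # MKI:length, not checked here
                continue
            lifetime = parse_lifetime(field)
            if lifetime is None:
                findings.append(f"unparseable lifetime {field!r}")
            elif lifetime > 2 ** life_exp:
                findings.append(f"lifetime {field} exceeds 2^{life_exp} packets")
    return findings


def sample_line(tag, suite, octets, extra=""):
    """Build a constructed a=crypto line with dummy key||salt of `octets` bytes."""
    material = base64.b64encode(bytes(range(octets))).decode()
    return f"a=crypto:{tag} {suite} inline:{material}{extra}"


if __name__ == "__main__":
    # Constructed sample attributes; the key material is a dummy byte run.
    samples = [
        sample_line(1, "ARIA_128_CTR_HMAC_SHA1_80", 30, "|2^20|1:4"),
        sample_line(2, "AEAD_ARIA_256_GCM", 30),
        sample_line(3, "ARIA_192_CTR_HMAC_SHA1_32", 38, "|2^40"),
    ]
    for line in samples:
        print(line)
        for finding in check_crypto_line(line) or ["ok"]:
            print("   ", finding)
```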

   The security considerations in [RFC3610] [GCM] [RFC3711] [RFC5116]
   [RFC6188] [RFC6904] [I-D.ietf-avtcore-srtp-aes-gcm] apply to this
   document as well.  Ciphersuites with short tag length may be
   considered for specific application environments stated in
   Section 7.5 of [RFC3711], but the risk of weak authentication
   described in Section 9.5.1 of [RFC3711] should be taken into account.

5.  IANA Considerations

5.1.  Security Descriptions (SDES)

   SDP Security Descriptions [RFC4568] defines SRTP "crypto suites".  In
   order to allow SDP to signal the use of the algorithms defined in
   this document, IANA is requested to add the below crypto suites to
   the "SRTP Crypto Suite Registrations" created by [RFC4568], at the
   time of writing located on the following IANA page:
   http://www.iana.org/assignments/sdp-security-descriptions/ .

   srtp-crypto-suite-ext = "ARIA_128_CTR_HMAC_SHA1_80"/
                           "ARIA_128_CTR_HMAC_SHA1_32"/
                           "ARIA_192_CTR_HMAC_SHA1_80"/
                           "ARIA_192_CTR_HMAC_SHA1_32"/
                           "ARIA_256_CTR_HMAC_SHA1_80"/
                           "ARIA_256_CTR_HMAC_SHA1_32"/
                           "AEAD_ARIA_128_GCM"    /
                           "AEAD_ARIA_256_GCM"    /
                           "AEAD_ARIA_128_GCM_12" /
                           "AEAD_ARIA_256_GCM_12" /
                           "AEAD_ARIA_128_CCM"    /
                           "AEAD_ARIA_256_CCM"    /
                           "AEAD_ARIA_128_CCM_8"  /
                           "AEAD_ARIA_256_CCM_8"  /
                           "AEAD_ARIA_128_CCM_12" /
                           "AEAD_ARIA_256_CCM_12" /
                           srtp-crypto-suite-ext

5.2.  DTLS-SRTP

   DTLS-SRTP [RFC5764] defines a DTLS-SRTP "SRTP Protection Profile".
   In order to allow the use of the algorithms defined in this document
   in DTLS-SRTP, IANA is requested to add the below protection profiles
   to the "DTLS-SRTP Protection Profiles" created by [RFC5764], at the
   time of writing located on the following IANA page:
   http://www.iana.org/assignments/srtp-protection/ .

      SRTP_ARIA_128_CTR_HMAC_SHA1_80 = {TBD,TBD}
      SRTP_ARIA_128_CTR_HMAC_SHA1_32 = {TBD,TBD}
      SRTP_ARIA_192_CTR_HMAC_SHA1_80 = {TBD,TBD}
      SRTP_ARIA_192_CTR_HMAC_SHA1_32 = {TBD,TBD}
      SRTP_ARIA_256_CTR_HMAC_SHA1_80 = {TBD,TBD}
      SRTP_ARIA_256_CTR_HMAC_SHA1_32 = {TBD,TBD}
      SRTP_AEAD_ARIA_128_GCM         = {TBD,TBD}
      SRTP_AEAD_ARIA_256_GCM         = {TBD,TBD}
      SRTP_AEAD_ARIA_128_GCM_12      = {TBD,TBD}
      SRTP_AEAD_ARIA_256_GCM_12      = {TBD,TBD}
      SRTP_AEAD_ARIA_128_CCM         = {TBD,TBD}
      SRTP_AEAD_ARIA_256_CCM         = {TBD,TBD}
      SRTP_AEAD_ARIA_128_CCM_8       = {TBD,TBD}
      SRTP_AEAD_ARIA_256_CCM_8       = {TBD,TBD}
      SRTP_AEAD_ARIA_128_CCM_12      = {TBD,TBD}
      SRTP_AEAD_ARIA_256_CCM_12      = {TBD,TBD}

5.3.  MIKEY

   [RFC3830] and [RFC5748] define encryption algorithms and PRFs for the
   SRTP policy in MIKEY.  In order to allow the use of the algorithms
   defined in this document in MIKEY, IANA is requested to add the below
   three encryption algorithms to the "MIKEY Security Protocol
   Parameters SRTP Type 0 (Encryption algorithm)" and to add the below
   PRF to the "MIKEY Security Protocol Parameters SRTP Type 5 (Pseudo
   Random Function)" created by [RFC3830], at the time of writing
   located on the following IANA page:
   http://www.iana.org/assignments/mikey-payloads/ .

   +---------------+-------+
   | SRTP Enc. alg | Value |
   +---------------+-------+
   | ARIA-CTR      | TBD   |
   | ARIA-CCM      | TBD   |
   | ARIA-GCM      | TBD   |
   +---------------+-------+

   Default session encryption key length is 16 octets.

   +----------+-------+
   | SRTP PRF | Value |
   +----------+-------+
   | ARIA-CTR | TBD   |
   +----------+-------+

6.  References

6.1.  Normative References

   [GCM]      Dworkin, M., "Recommendation for Block Cipher Modes of
              Operation: Galois/Counter Mode (GCM) and GMAC", NIST SP
              800-38D, November 2007.

   [I-D.ietf-avtcore-srtp-aes-gcm]
              McGrew, D. and K. Igoe, "AES-GCM and AES-CCM Authenticated
              Encryption in Secure RTP (SRTP)",
              draft-ietf-avtcore-srtp-aes-gcm-14 (work in progress),
              July 2014.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC3550]  Schulzrinne, H., Casner, S., Frederick, R., and V.
              Jacobson, "RTP: A Transport Protocol for Real-Time
              Applications", STD 64, RFC 3550, July 2003.

   [RFC3711]  Baugher, M., McGrew, D., Naslund, M., Carrara, E., and K.
              Norrman, "The Secure Real-time Transport Protocol (SRTP)",
              RFC 3711, March 2004.

   [RFC3830]  Arkko, J., Carrara, E., Lindholm, F., Naslund, M., and K.
              Norrman, "MIKEY: Multimedia Internet KEYing", RFC 3830,
              August 2004.

   [RFC4568]  Andreasen, F., Baugher, M., and D. Wing, "Session
              Description Protocol (SDP) Security Descriptions for Media
              Streams", RFC 4568, July 2006.

   [RFC5116]  McGrew, D., "An Interface and Algorithms for Authenticated
              Encryption", RFC 5116, January 2008.

   [RFC5282]  Black, D. and D. McGrew, "Using Authenticated Encryption
              Algorithms with the Encrypted Payload of the Internet Key
              Exchange version 2 (IKEv2) Protocol", RFC 5282, August
              2008.

   [RFC5764]  McGrew, D. and E. Rescorla, "Datagram Transport Layer
              Security (DTLS) Extension to Establish Keys for the Secure
              Real-time Transport Protocol (SRTP)", RFC 5764, May 2010.

   [RFC6188]  McGrew, D., "The Use of AES-192 and AES-256 in Secure
              RTP", RFC 6188, March 2011.

   [RFC6655]  McGrew, D. and D. Bailey, "AES-CCM Cipher Suites for
              Transport Layer Security (TLS)", RFC 6655, July 2012.

   [RFC6904]  Lennox, J., "Encryption of Header Extensions in the Secure
              Real-time Transport Protocol (SRTP)", RFC 6904, April
              2013.

6.2.  Informative References

   [ARIAKS]   Korean Agency for Technology and Standards, "128 bit block
              encryption algorithm ARIA - Part 1: General (in Korean)",
              KS X 1213-1:2009, December 2009.

   [ARIAPKCS]
              RSA Laboratories, "Additional PKCS #11 Mechanisms", PKCS
              #11 v2.20 Amendment 3 Revision 1, January 2007.

   [RFC3610]  Whiting, D., Housley, R., and N. Ferguson, "Counter with
              CBC-MAC (CCM)", RFC 3610, September 2003.

   [RFC5748]  Yoon, S., Jeong, J., Kim, H., Jeong, H., and Y. Won, "IANA
              Registry Update for Support of the SEED Cipher Algorithm
              in Multimedia Internet KEYing (MIKEY)", RFC 5748, August
              2010.

   [RFC5794]  Lee, J., Lee, J., Kim, J., Kwon, D., and C. Kim, "A
              Description of the ARIA Encryption Algorithm", RFC 5794,
              March 2010.

   [TSL]      Tang, X., Sun, B., Li, R., Li, C., and J. Yin, "A
              meet-in-the-middle attack on reduced-round ARIA", The
              Journal of Systems and Software Vol.84(10), pp. 1685-1692,
              October 2011.

Appendix A.  SRTP Parameters for DTLS-SRTP and MIKEY

A.1.  DTLS-SRTP

   The following list indicates the SRTP transform parameters for each
   protection profile.  The parameters cipher_key_length,
   cipher_salt_length, auth_key_length, and auth_tag_length express the
   number of bits in the values to which they refer.  The
   maximum_lifetime parameter indicates the maximum number of packets
   that can be protected with each single set of keys when the parameter
   profile is in use.  All of these parameters apply to both RTP and
   RTCP, unless the RTCP parameters are separately specified.

   SRTP_ARIA_128_CTR_HMAC_SHA1_80
        cipher:                  ARIA_128_CTR
        cipher_key_length:       128 bits
        cipher_salt_length:      112 bits
        maximum_lifetime:        2^31 packets
        key derivation function: ARIA_128_CTR_PRF
        auth_function:           HMAC-SHA1
        auth_key_length:         160 bits
        auth_tag_length:         80 bits

   SRTP_ARIA_128_CTR_HMAC_SHA1_32
        cipher:                  ARIA_128_CTR
        cipher_key_length:       128 bits
        cipher_salt_length:      112 bits
        maximum_lifetime:        2^31 packets
        key derivation function: ARIA_128_CTR_PRF
        auth_function:           HMAC-SHA1
        auth_key_length:         160 bits
        SRTP auth_tag_length:    32 bits
        SRTCP auth_tag_length:   80 bits

   SRTP_ARIA_192_CTR_HMAC_SHA1_80
        cipher:                  ARIA_192_CTR
        cipher_key_length:       192 bits
        cipher_salt_length:      112 bits
        maximum_lifetime:        2^31 packets
        key derivation function: ARIA_192_CTR_PRF
        auth_function:           HMAC-SHA1
        auth_key_length:         160 bits
        auth_tag_length:         80 bits

   SRTP_ARIA_192_CTR_HMAC_SHA1_32
        cipher:                  ARIA_192_CTR
        cipher_key_length:       192 bits
        cipher_salt_length:      112 bits
        maximum_lifetime:        2^31 packets
        key derivation function: ARIA_192_CTR_PRF
        auth_function:           HMAC-SHA1
        auth_key_length:         160 bits
        SRTP auth_tag_length:    32 bits
        SRTCP auth_tag_length:   80 bits

   SRTP_ARIA_256_CTR_HMAC_SHA1_80
        cipher:                  ARIA_256_CTR
        cipher_key_length:       256 bits
        cipher_salt_length:      112 bits
        maximum_lifetime:        2^31 packets
        key derivation function: ARIA_256_CTR_PRF
        auth_function:           HMAC-SHA1
        auth_key_length:         160 bits
        auth_tag_length:         80 bits

   SRTP_ARIA_256_CTR_HMAC_SHA1_32
        cipher:                  ARIA_256_CTR
        cipher_key_length:       128 bits
        cipher_salt_length:      112 bits
        maximum_lifetime:        2^31 packets
        key derivation function: ARIA_256_CTR_PRF
        auth_function:           HMAC-SHA1
        auth_key_length:         160 bits
        SRTP auth_tag_length:    32 bits
        SRTCP auth_tag_length:   80 bits

   SRTP_AEAD_ARIA_128_CCM
        cipher:                  ARIA_128_CCM
        cipher_key_length:       128 bits
        cipher_salt_length:      96 bits
        aead_auth_tag_length:    128 bits
        auth_function:           NULL
        auth_key_length:         N/A
        auth_tag_length:         N/A
        key derivation function: ARIA_128_CTR_PRF
        maximum_lifetime:        at most 2^31 SRTCP packets and
                                 at most 2^48 SRTP packets

   SRTP_AEAD_ARIA_256_CCM
        cipher:                  ARIA_256_CCM
        cipher_key_length:       256 bits
        cipher_salt_length:      96 bits
        aead_auth_tag_length:    128 bits
        auth_function:           NULL
        auth_key_length:         N/A
        auth_tag_length:         N/A
        key derivation function: ARIA_256_CTR_PRF
        maximum_lifetime:        at most 2^31 SRTCP packets and
                                 at most 2^48 SRTP packets

   SRTP_AEAD_ARIA_128_CCM_8
        cipher:                  ARIA_128_CCM
        cipher_key_length:       128 bits
        cipher_salt_length:      96 bits
        aead_auth_tag_length:    64 bits
        auth_function:           NULL
        auth_key_length:         N/A
        auth_tag_length:         N/A
        key derivation function: ARIA_128_CTR_PRF
        maximum_lifetime:        at most 2^31 SRTCP packets and
                                 at most 2^48 SRTP packets

   SRTP_AEAD_ARIA_256_CCM_8
        cipher:                  ARIA_256_CCM
        cipher_key_length:       256 bits
        cipher_salt_length:      96 bits
        aead_auth_tag_length:    64 bits
        auth_function:           NULL
        auth_key_length:         N/A
        auth_tag_length:         N/A
        key derivation function: ARIA_256_CTR_PRF
        maximum_lifetime:        at most 2^31 SRTCP packets and
                                 at most 2^48 SRTP packets

   SRTP_AEAD_ARIA_128_CCM_12
        cipher:                  ARIA_128_CCM
        cipher_key_length:       128 bits
        cipher_salt_length:      96 bits
        aead_auth_tag_length:    96 bits
        auth_function:           NULL
        auth_key_length:         N/A
        auth_tag_length:         N/A
        key derivation function: ARIA_128_CTR_PRF
        maximum_lifetime:        at most 2^31 SRTCP packets and
                                 at most 2^48 SRTP packets

   SRTP_AEAD_ARIA_256_CCM_12
        cipher:                  ARIA_256_CCM
        cipher_key_length:       256 bits
        cipher_salt_length:      96 bits
        aead_auth_tag_length:    96 bits
        auth_function:           NULL
        auth_key_length:         N/A
        auth_tag_length:         N/A
        key derivation function: ARIA_256_CTR_PRF
        maximum_lifetime:        at most 2^31 SRTCP packets and
                                 at most 2^48 SRTP packets

   SRTP_AEAD_ARIA_128_GCM
        cipher:                  ARIA_128_GCM
        cipher_key_length:       128 bits
        cipher_salt_length:      96 bits
        aead_auth_tag_length:    128 bits
        auth_function:           NULL
        auth_key_length:         N/A
        auth_tag_length:         N/A
        key derivation function: ARIA_128_CTR_PRF
        maximum_lifetime:        at most 2^31 SRTCP packets and
                                 at most 2^48 SRTP packets

   SRTP_AEAD_ARIA_256_GCM
        cipher:                  ARIA_256_GCM
        cipher_key_length:       256 bits
        cipher_salt_length:      96 bits
        aead_auth_tag_length:    128 bits
        auth_function:           NULL
        auth_key_length:         N/A
        auth_tag_length:         N/A
        key derivation function: ARIA_256_CTR_PRF
        maximum_lifetime:        at most 2^31 SRTCP packets and
                                 at most 2^48 SRTP packets

   SRTP_AEAD_ARIA_128_GCM_12
        cipher:                  ARIA_128_GCM
        cipher_key_length:       128 bits
        cipher_salt_length:      96 bits
        aead_auth_tag_length:    96 bits
        auth_function:           NULL
        auth_key_length:         N/A
        auth_tag_length:         N/A
        key derivation function: ARIA_128_CTR_PRF
        maximum_lifetime:        at most 2^31 SRTCP packets and
                                 at most 2^48 SRTP packets

   SRTP_AEAD_ARIA_256_GCM_12
        cipher:                  ARIA_256_GCM
        cipher_key_length:       256 bits
        cipher_salt_length:      96 bits
        aead_auth_tag_length:    96 bits
        auth_function:           NULL
        auth_key_length:         N/A
        auth_tag_length:         N/A
        key derivation function: ARIA_256_CTR_PRF
        maximum_lifetime:        at most 2^31 SRTCP packets and
                                 at most 2^48 SRTP packets

   Note that SRTP Protection Profiles which use AEAD algorithms do not
   specify an auth_function, auth_key_length, or auth_tag_length, since
   they do not use a separate auth_function, auth_key, or auth_tag.  The
   term aead_auth_tag_length is used to emphasize that this refers to
   the authentication tag provided by the AEAD algorithm and that this
   tag is not located in the authentication tag field provided by SRTP/
   SRTCP.

A.2.  MIKEY

   MIKEY specifies the algorithm family separately from the key length
   (which is specified by the Session Encryption key length) and the
   authentication tag length.  The SDP Security Descriptions [RFC4568]
   crypto suites and corresponding DTLS-SRTP [RFC5764] protection
   profiles are mapped to MIKEY parameter sets as shown below.

                             +--------------------------------------+
                             | Encryption | Encryption |   Auth.    |
                             | Algorithm  | Key Length | Tag Length |
                             +======================================+
   SRTP_ARIA_128_CTR_HMAC_80 | ARIA-CTR   | 16 octets  | 10 octets  |
   SRTP_ARIA_128_CTR_HMAC_32 | ARIA-CTR   | 16 octets  | 4 octets   |
   SRTP_ARIA_192_CTR_HMAC_80 | ARIA-CTR   | 24 octets  | 10 octets  |
   SRTP_ARIA_192_CTR_HMAC_32 | ARIA-CTR   | 24 octets  | 4 octets   |
   SRTP_ARIA_256_CTR_HMAC_80 | ARIA-CTR   | 32 octets  | 10 octets  |
   SRTP_ARIA_256_CTR_HMAC_32 | ARIA-CTR   | 32 octets  | 4 octets   |
                             +======================================+

   Figure 1: Mapping MIKEY parameters to ARIA-CTR with HMAC algorithm

                             +--------------------------------------+
                             | Encryption | Encryption | AEAD Auth. |
                             | Algorithm  | Key Length | Tag Length |
                             +======================================+
   SRTP_AEAD_ARIA_128_GCM    | ARIA-GCM   | 16 octets  | 16 octets  |
   SRTP_AEAD_ARIA_128_CCM    | ARIA-CCM   | 16 octets  | 16 octets  |
   SRTP_AEAD_ARIA_128_GCM_12 | ARIA-GCM   | 16 octets  | 12 octets  |
   SRTP_AEAD_ARIA_128_CCM_12 | ARIA-CCM   | 16 octets  | 12 octets  |
   SRTP_AEAD_ARIA_128_CCM_8  | ARIA-CCM   | 16 octets  | 8 octets   |
   SRTP_AEAD_ARIA_256_GCM    | ARIA-GCM   | 32 octets  | 16 octets  |
   SRTP_AEAD_ARIA_256_CCM    | ARIA-CCM   | 32 octets  | 16 octets  |
   SRTP_AEAD_ARIA_256_GCM_12 | ARIA-GCM   | 32 octets  | 12 octets  |
   SRTP_AEAD_ARIA_256_CCM_12 | ARIA-CCM   | 32 octets  | 12 octets  |
   SRTP_AEAD_ARIA_256_CCM_8  | ARIA-CCM   | 32 octets  | 8 octets   |
                             +======================================+

   Figure 2: Mapping MIKEY parameters to AEAD algorithm

Appendix B.  Test Vectors

   All values are in hexadecimal and are given in network byte order
   (big endian).

B.1.  ARIA-CTR Test Vectors

   Common values are organized as follows:

      Rollover Counter:         00000000
      Sequence Number:          315e
      SSRC:                     20e8f5eb
      Authentication Key:       f93563311b354748c978913795530631
                                16452309
      Session Salt:             cd3a7c42c671e0067a2a2639b43a
      Initialization Vector:    cd3a7c42e69915ed7a2a263985640000
      RTP header:               8008315ebf2e6fe020e8f5eb

B.1.1.  ARIA_128_CTR_HMAC_SHA1_80

      Session Key:              0c5ffd37a11edc42c325287fc0604f2e

      Authentication Tag:       f9de4e729054672b0e35

B.1.2.  ARIA_192_CTR_HMAC_SHA1_80

      Session Key:              0c5ffd37a11edc42c325287fc0604f2e
                                3e8cd5671a00fe32

      Authentication Tag:       3935fa37ee96dbc550d5

B.1.3.  ARIA_256_CTR_HMAC_SHA1_80

      Session Key:              0c5ffd37a11edc42c325287fc0604f2e
                                3e8cd5671a00fe3216aa5eb105783b54

      Authentication Tag:       192f515fab04bbb4e62c

B.2.  ARIA-GCM Test Vectors

   Common values are organized as follows:

      Rollover Counter:         00000000
      Sequence Number:          315e
      SSRC:                     20e8f5eb
      Encryption Salt:          000000000000000000000000

      Initialization Vector:    000020e8f5eb00000000315e
      Associated Data:          8008315ebf2e6fe020e8f5eb

   The encrypted payload is 16 octets longer than the payload; these 16
   octets are the tag from GCM.  For other GCM ciphersuites with a tag
   shorter than 16 octets, test vectors can be obtained by truncation
   from the ARIA-GCM test vectors.
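How the Initialization Vector values in B.1 and B.2 follow from the salt, SSRC, rollover counter and sequence number, as an added example that is not part of the draft. It uses the counter-mode IV formula of [RFC3711] and the 12-octet AEAD IV layout (two zero octets, SSRC, ROC, SEQ, XORed with the salt), which reproduce the values listed above; the function names and the packet list in the reuse check are constructed for illustration.

```python
"""SRTP IV formation, checked against the Appendix B common values."""
from typing import Iterable, List, Tuple


def packet_index(roc: int, seq: int) -> int:
    """48-bit SRTP packet index i = 2^16 * ROC + SEQ."""
    if not (0 <= roc < 2**32 and 0 <= seq < 2**16):
        raise ValueError("ROC must fit in 32 bits and SEQ in 16 bits")
    return (roc << 16) | seq


def ctr_iv(session_salt: bytes, ssrc: int, roc: int, seq: int) -> bytes:
    """Counter-mode IV: (k_s * 2^16) XOR (SSRC * 2^64) XOR (i * 2^16).

    The low 16 bits are left at zero; they hold the keystream block counter.
    """
    if len(session_salt) != 14:
        raise ValueError("ARIA-CTR uses a 14-octet (112-bit) session salt")
    if not 0 <= ssrc < 2**32:
        raise ValueError("SSRC must fit in 32 bits")
    iv = (int.from_bytes(session_salt, "big") << 16) \
        ^ (ssrc << 64) \
        ^ (packet_index(roc, seq) << 16)
    return iv.to_bytes(16, "big")


def aead_iv(salt: bytes, ssrc: int, roc: int, seq: int) -> bytes:
    """GCM/CCM IV: (00 00 || SSRC || ROC || SEQ) XOR 12-octet salt."""
    if len(salt) != 12:
        raise ValueError("ARIA-GCM/CCM use a 12-octet (96-bit) salt")
    if not 0 <= ssrc < 2**32:
        raise ValueError("SSRC must fit in 32 bits")
    block = (ssrc << 48) | packet_index(roc, seq)
    return (block ^ int.from_bytes(salt, "big")).to_bytes(12, "big")


def find_iv_reuse(salt: bytes,
                  packets: Iterable[Tuple[int, int, int]]) -> List[Tuple[int, int, int]]:
    """Return the (ssrc, roc, seq) tuples whose AEAD IV repeats under one salt.

    A repeated IV under the same key breaks both confidentiality and
    integrity for CTR-based modes, so a sender must bump ROC when SEQ wraps.
    """
    seen = set()
    reused = []
    for ssrc, roc, seq in packets:
        iv = aead_iv(salt, ssrc, roc, seq)
        if iv in seen:
            reused.append((ssrc, roc, seq))
        seen.add(iv)
    return reused


if __name__ == "__main__":
    SSRC = 0x20E8F5EB
    print(ctr_iv(bytes.fromhex("cd3a7c42c671e0067a2a2639b43a"), SSRC, 0, 0x315E).hex())
    print(aead_iv(bytes(12), SSRC, 0, 0x315E).hex())
    # Constructed sequence: SEQ wraps but the sender forgets to increment ROC.
    broken = [(SSRC, 0, 0x0000), (SSRC, 0, 0xFFFF), (SSRC, 0, 0x0000)]
    print(find_iv_reuse(bytes(12), broken))
```
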

B.2.1.  ARIA_128_GCM

      Key:                      e91e5e75da65554a48181f3846349562

B.2.2.  ARIA_256_GCM

      Key:                      0c5ffd37a11edc42c325287fc0604f2e
                                3e8cd5671a00fe3216aa5eb105783b54

B.3.  ARIA-CCM Test Vectors

   Common values are organized as follows:

      Rollover Counter:         00000000
      Sequence Number:          315e
      SSRC:                     20e8f5eb
      Encryption Salt:          000000000000000000000000

      Initialization Vector:    000020e8f5eb00000000315e
      Associated Data:          8008315ebf2e6fe020e8f5eb

   The length of encrypted payload is larger than that of payload by the
   tag length defined for each ciphersuite.

B.3.1.  ARIA_128_CCM

      Key:                      974bee725d44fc3992267b284c3c6750

B.3.2.  ARIA_256_CCM

      Key:                      0c5ffd37a11edc42c325287fc0604f2e
                                3e8cd5671a00fe3216aa5eb105783b54

B.3.3.  ARIA_128_CCM_8

      Key:                      974bee725d44fc3992267b284c3c6750

B.3.4.  ARIA_256_CCM_8

      Key:                      0c5ffd37a11edc42c325287fc0604f2e
                                3e8cd5671a00fe3216aa5eb105783b54

B.3.5.  ARIA_128_CCM_12

      Key:                      974bee725d44fc3992267b284c3c6750

B.3.6.  ARIA_256_CCM_12

      Key:                      0c5ffd37a11edc42c325287fc0604f2e
                                3e8cd5671a00fe3216aa5eb105783b54

B.4.  Key Derivation Test Vector

   This section provides test vectors for the default key derivation
   function, which uses ARIA in Counter Mode.
   In the following, we walk through the initial key derivation for the
   ARIA Counter Mode cipher, which requires a 16/24/32 octet session
   encryption key according to the session encryption key length and a
   14 octet session salt, and an authentication function which requires
   a 94 octet session authentication key.  These values are called the
   cipher key, the cipher salt, and the auth key in the following.  The
   test vectors are generated in the same way as the test vectors of
   key derivation functions in [RFC3711] and [RFC6188] but with each
   invocation of AES replaced with an invocation of ARIA.

B.4.1.  ARIA_128_CTR_PRF

   The inputs to the key derivation function are the 16 octet master key
   and the 14 octet master salt:

      master key:  e1f97a0d3e018be0d64fa32c06de4139
      master salt: 0ec675ad498afeebb6960b3aabe6

      index DIV kdr:                 000000000000
      label:                       00
      master salt:   0ec675ad498afeebb6960b3aabe6
      -----------------------------------------------
      xor:           0ec675ad498afeebb6960b3aabe6     (x, PRF input)

      x*2^16:        0ec675ad498afeebb6960b3aabe60000 (ARIA-CTR input)

      cipher key:    dbd85a3c4d9219b3e81f7d942e299de4 (ARIA-CTR output)

   The ARIA-CTR crypto suite requires a 14 octet cipher salt, while the
   ARIA-CCM and ARIA-GCM crypto suites require a 12 octet cipher salt.

      index DIV kdr:                 000000000000
      label:                       02
      master salt:   0ec675ad498afeebb6960b3aabe6
      ----------------------------------------------
      xor:           0ec675ad498afee9b6960b3aabe6     (x, PRF input)

      x*2^16:        0ec675ad498afee9b6960b3aabe60000 (ARIA-CTR input)

                     9700657f5f34161830d7d85f5dc8be7f (ARIA-CTR output)

      cipher salt:   9700657f5f34161830d7d85f5dc8     (ARIA-CTR cipher
                                                       suite)
                     9700657f5f34161830d7d85f         (ARIA-CCM or
                                                       ARIA-GCM cipher
                                                       suite)

      index DIV kdr:                 000000000000
      label:                       01
      master salt:   0ec675ad498afeebb6960b3aabe6
      -----------------------------------------------
      xor:           0ec675ad498afeeab6960b3aabe6     (x, PRF input)

      x*2^16:        0ec675ad498afeeab6960b3aabe60000 (ARIA-CTR input)

   Below, the auth key is shown on the left, while the corresponding
   ARIA input blocks are shown on the right.

   auth key                          ARIA input blocks

   d021877bd3eaf92d581ed70ddc050e03  0ec675ad498afeeab6960b3aabe60000
   f11257032676f2a29f57b21abd3a1423  0ec675ad498afeeab6960b3aabe60001
   769749bdc5dd9ca5b43ca6b6c1f3a7de  0ec675ad498afeeab6960b3aabe60002
   4047904bcf811f601cc03eaa5d7af6db  0ec675ad498afeeab6960b3aabe60003
   9f88efa2e51ca832fc2a15b126fa7be2  0ec675ad498afeeab6960b3aabe60004
   469af896acb1852c31d822c45799      0ec675ad498afeeab6960b3aabe60005

B.4.2.  ARIA_192_CTR_PRF

   The inputs to the key derivation function are the 24 octet master key
   and the 14 octet master salt:

      master key:  0c5ffd37a11edc42c325287fc0604f2e3e8cd5671a00fe32
      master salt: 0ec675ad498afeebb6960b3aabe6

      index DIV kdr:                 000000000000
      label:                       00
      master salt:   0ec675ad498afeebb6960b3aabe6
      -----------------------------------------------
      xor:           0ec675ad498afeebb6960b3aabe6     (x, PRF input)

      x*2^16:        0ec675ad498afeebb6960b3aabe60000 (ARIA-CTR input)

      cipher key:    f320af2386a1cde64c3aa5f55d68002e (ARIA-CTR 1st output)
                     d13cbe548b627649                 (ARIA-CTR 2nd output)

   The ARIA-CTR cipher suite requires a 14 octet cipher salt.

      index DIV kdr:                 000000000000
      label:                       02
      master salt:   0ec675ad498afeebb6960b3aabe6
      ----------------------------------------------
      xor:           0ec675ad498afee9b6960b3aabe6     (x, PRF input)

      x*2^16:        0ec675ad498afee9b6960b3aabe60000 (ARIA-CTR input)

                     55c7e3555baf0fdc91c589cfb871b098 (ARIA-CTR output)

      cipher salt:   55c7e3555baf0fdc91c589cfb871     (ARIA-CTR cipher
                                                       suite)

      index DIV kdr:                 000000000000
      label:                       01
      master salt:   0ec675ad498afeebb6960b3aabe6
      -----------------------------------------------
      xor:           0ec675ad498afeeab6960b3aabe6     (x, PRF input)

      x*2^16:        0ec675ad498afeeab6960b3aabe60000 (ARIA-CTR input)

   Below, the auth key is shown on the left, while the corresponding
   ARIA input blocks are shown on the right.

   auth key                          ARIA input blocks

   116902524517f7e767a979ad7678d53a  0ec675ad498afeeab6960b3aabe60000
   8cae05a5c9a315d1304f634c81a06617  0ec675ad498afeeab6960b3aabe60001
   31fe099d4dcd2202421fe01fc12c65ad  0ec675ad498afeeab6960b3aabe60002
   009e920031654855af5d9e820a7831e0  0ec675ad498afeeab6960b3aabe60003
   bc2b4744d2a33053eb685138252f2d82  0ec675ad498afeeab6960b3aabe60004
   9a89f4a9aa4f97fde0cce9bad3d5      0ec675ad498afeeab6960b3aabe60005

B.4.3.  ARIA_256_CTR_PRF

   The inputs to the key derivation function are the 32 octet master key
   and the 14 octet master salt:

      master key:  0c5ffd37a11edc42c325287fc0604f2e
                   3e8cd5671a00fe3216aa5eb105783b54
      master salt: 0ec675ad498afeebb6960b3aabe6

      index DIV kdr:                 000000000000
      label:                       00
      master salt:   0ec675ad498afeebb6960b3aabe6
      -----------------------------------------------
      xor:           0ec675ad498afeebb6960b3aabe6     (x, PRF input)

      x*2^16:        0ec675ad498afeebb6960b3aabe60000 (ARIA-CTR input)

      cipher key:    0649a09d93755fe9c2b2efba1cce930a (ARIA-CTR 1st output)
                     f2e76ce8b77e4b175950321aa94b0cf4 (ARIA-CTR 2nd output)

   The ARIA-CTR cipher suite requires a 14 octet cipher salt, while the
   ARIA-CCM and ARIA-GCM cipher suites require a 12 octet cipher salt.

      index DIV kdr:                 000000000000
      label:                       02
      master salt:   0ec675ad498afeebb6960b3aabe6
      ----------------------------------------------
      xor:           0ec675ad498afee9b6960b3aabe6     (x, PRF input)

      x*2^16:        0ec675ad498afee9b6960b3aabe60000 (ARIA-CTR input)

                     194abaa8553a8eba8a413a340fc80a3d (ARIA-CTR output)

      cipher salt:   194abaa8553a8eba8a413a340fc8     (ARIA-CTR cipher
                                                       suite)
                     194abaa8553a8eba8a413a34         (ARIA-CCM or
                                                       ARIA-GCM cipher
                                                       suite)

      index DIV kdr:                 000000000000
      label:                       01
      master salt:   0ec675ad498afeebb6960b3aabe6
      -----------------------------------------------
      xor:           0ec675ad498afeeab6960b3aabe6     (x, PRF input)

      x*2^16:        0ec675ad498afeeab6960b3aabe60000 (ARIA-CTR input)

   Below, the auth key is shown on the left, while the corresponding
   ARIA input blocks are shown on the right.

   auth key                          ARIA input blocks

   e58d42915873b71899234807334658f2  0ec675ad498afeeab6960b3aabe60000
   0bc460181d06e02b7a9e60f02ff10bfc  0ec675ad498afeeab6960b3aabe60001
   9ade3795cf78f3e0f2556d9d913470c4  0ec675ad498afeeab6960b3aabe60002
   e82e45d254bfb8e2933851a3930ffe7d  0ec675ad498afeeab6960b3aabe60003
   fca751c03ec1e77e35e28dac4f17d1a5  0ec675ad498afeeab6960b3aabe60004
   80bdac028766d3b1e8f5a41faa3c      0ec675ad498afeeab6960b3aabe60005

Authors' Addresses

   Woo-Hwan Kim
   National Security Research Institute
   P.O.Box 1, Yuseong
   Daejeon  305-350
   Korea

   EMail: whkim5@ensec.re.kr


   Jungkeun Lee
   National Security Research Institute
   P.O.Box 1, Yuseong
   Daejeon  305-350
   Korea

   EMail: jklee@ensec.re.kr


   Dong-Chan Kim
   National Security Research Institute
   P.O.Box 1, Yuseong
   Daejeon  305-350
   Korea

   EMail: dongchan@ensec.re.kr


   Je-Hong Park
   National Security Research Institute
   P.O.Box 1, Yuseong
   Daejeon  305-350
   Korea

   EMail: jhpark@ensec.re.kr


   Daesung Kwon
   National Security Research Institute
   P.O.Box 1, Yuseong
   Daejeon  305-350
   Korea

   EMail: ds_kwon@ensec.re.kr
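The PRF input construction walked through in Appendix B.4, as an added example that is not part of the draft: it builds x from the label and master salt, expands x*2^16 into the counter-mode input blocks, and truncates the output to the requested key length. The function names are illustrative, and `encrypt_block` is a hypothetical caller-supplied function that encrypts one 16-octet block with ARIA under the master key; no ARIA implementation is included.

```python
"""SRTP key-derivation inputs for ARIA_*_CTR_PRF (Appendix B.4 walk-through)."""
from typing import Callable, List

# Labels used in the B.4 walk-through.
LABEL_CIPHER_KEY = 0x00
LABEL_AUTH_KEY = 0x01
LABEL_CIPHER_SALT = 0x02


def prf_input(master_salt: bytes, label: int, index: int = 0, kdr: int = 0) -> bytes:
    """x = (label || index DIV kdr) XOR master_salt, returned as 14 octets."""
    if len(master_salt) != 14:
        raise ValueError("master salt must be 14 octets")
    if not 0 <= label <= 0xFF:
        raise ValueError("label is a single octet")
    r = index // kdr if kdr else 0          # index DIV kdr, defined as 0 when kdr = 0
    if not 0 <= r < 2**48:
        raise ValueError("index DIV kdr must fit in 48 bits")
    key_id = (label << 48) | r              # 7 octets, right-aligned against the salt
    x = key_id ^ int.from_bytes(master_salt, "big")
    return x.to_bytes(14, "big")


def ctr_input_blocks(x: bytes, n_octets: int) -> List[bytes]:
    """x*2^16 with a 16-bit block counter: one cipher input per 16 output octets."""
    n_blocks = -(-n_octets // 16)           # ceiling division
    if n_blocks > 2**16:
        raise ValueError("request exceeds the 16-bit block counter")
    base = int.from_bytes(x, "big") << 16
    return [(base | ctr).to_bytes(16, "big") for ctr in range(n_blocks)]


def derive_key(encrypt_block: Callable[[bytes], bytes], master_salt: bytes,
               label: int, n_octets: int, index: int = 0, kdr: int = 0) -> bytes:
    """Encrypt each counter block, concatenate, and keep the first n_octets.

    encrypt_block is an assumption of this example: ARIA single-block
    encryption under the master key, supplied by the caller.
    """
    x = prf_input(master_salt, label, index, kdr)
    stream = b"".join(encrypt_block(block) for block in ctr_input_blocks(x, n_octets))
    return stream[:n_octets]


if __name__ == "__main__":
    salt = bytes.fromhex("0ec675ad498afeebb6960b3aabe6")   # master salt from B.4
    for name, label, length in (("cipher key", LABEL_CIPHER_KEY, 16),
                                ("cipher salt", LABEL_CIPHER_SALT, 14),
                                ("auth key", LABEL_AUTH_KEY, 94)):
        x = prf_input(salt, label)
        print(name, "x =", x.hex())
        for block in ctr_input_blocks(x, length):
            print("   ARIA input block:", block.hex())
```
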