Network Working Group                                         D. McGrew
Internet Draft                                       Cisco Systems, Inc.
Intended Status: Standards Track                                K. Igoe
Expires: October 03, 2014                      National Security Agency
                                                          April 01, 2014

     AES-GCM and AES-CCM Authenticated Encryption in Secure RTP (SRTP)
                     draft-ietf-avtcore-srtp-aes-gcm-11

Status of this Memo

   This Internet-Draft is submitted to IETF in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on October 03, 2014.

Copyright Notice

   Copyright (c) 2014 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Abstract

   This document defines how AES-GCM and AES-CCM Authenticated
   Encryption with Associated Data algorithms can be used to provide
   confidentiality and data authentication in the SRTP protocol.

Table of Contents

   1.  Introduction
   2.  Conventions Used In This Document
   3.  Overview of the SRTP/SRTCP AEAD security Architecture
   4.  Terminology
   5.  Generic AEAD Processing
       5.1.  Types of Input Data
       5.2.  AEAD Invocation Inputs and Outputs
             5.2.1.  Encrypt Mode
             5.2.2.  Decrypt Mode
       5.3.  Handling of AEAD Authentication
   6.  Counter Mode Encryption
   7.  AEAD_AES_128_CCM_12 and AEAD_AES_256_CCM_12
   8.  Unneeded SRTP/SRTCP Fields
       8.1.  SRTP/SRTCP Authentication Field
       8.2.  RTP Padding
   9.  AES-GCM/CCM processing for SRTP
       9.1.  SRTP IV formation for AES-GCM and AES-CCM
       9.2.  Data Types in SRTP Packets
       9.3.  Handling Header Extensions
       9.4.  Prevention of SRTP IV Reuse
   10. AES-GCM/CCM Processing of SRTCP Compound Packets
       10.1. SRTCP IV formation for AES-GCM and AES-CCM
       10.2. Data Types in Encrypted SRTCP Compound Packets
       10.3. Data Types in Unencrypted SRTCP Compound Packets
       10.4. Prevention of SRTCP IV Reuse
   11. Constraints on AEAD for SRTP and SRTCP
   12. Key Derivation Functions
   13. Summary of Algorithm Characteristics
       13.1. AES-GCM for SRTP/SRTCP
       13.2. AES-CCM for SRTP/SRTCP
   14. Security Considerations
       14.1. Handling of Security Critical Parameters
       14.2. Size of the Authentication Tag
   15. IANA Considerations
       15.1. SDES
       15.2. DTLS
       15.3. MIKEY
       15.4. AEAD registry
   16. Parameters for use with MIKEY
   17. Acknowledgements
   18. References
       18.1. Normative References
       18.2. Informative References

1. Introduction

   The Secure Real-time Transport Protocol (SRTP) [RFC3711] is a profile
   of the Real-time Transport Protocol (RTP) [RFC3550], which can
   provide confidentiality, message authentication, and replay
   protection to the RTP traffic and to the control traffic for RTP, the
   Real-time Transport Control Protocol (RTCP).  It is important to note
   that the outgoing SRTP packets from a single endpoint may be
   originating from several independent data sources.

   Authenticated encryption [BN00] is a form of encryption that, in
   addition to providing confidentiality for the plaintext that is
   encrypted, provides a way to check its integrity and authenticity.
   Authenticated Encryption with Associated Data, or AEAD [R02], adds
   the ability to check the integrity and authenticity of some
   Associated Data (AD), also called "additional authenticated data",
   that is not encrypted.  This specification makes use of the interface
   to a generic AEAD algorithm as defined in [RFC5116].
   The Advanced Encryption Standard (AES) is a block cipher that
   provides a high level of security, and can accept different key
   sizes.  Two families of AEAD algorithms, AES Galois/Counter Mode
   (AES-GCM) [GCM] and AES Counter with Cipher Block Chaining-Message
   Authentication Code (AES-CCM) [RFC3610], are based upon AES.  This
   specification makes use of the AES versions that use 128-bit and
   256-bit keys, which we call AES-128 and AES-256, respectively.

   Any AEAD algorithm provides an intrinsic authentication tag.  In many
   applications the authentication tag is truncated to less than full
   length.  This document only allows three values for the length of the
   authentication tag: the authentication tag MUST be either 8 octets,
   12 octets, or 16 octets long.  As with the size of the key, the
   length of the authentication tag is set when the session is
   initiated and SHOULD NOT be altered.  Thus each AEAD algorithm will
   have a total of six configurations, reflecting the two choices for
   key size (either 128 or 256 bits) and the three choices for the
   length of the authentication tag (either 8, 12 or 16 octets).

   The Galois/Counter Mode of operation (GCM) and the Counter with
   Cipher Block Chaining-Message Authentication Code mode of operation
   (CCM) are both AEAD modes of operation for block ciphers.  Both use
   counter mode to encrypt the data, an operation that can be
   efficiently pipelined.  Further, GCM authentication uses operations
   that are particularly well suited to efficient implementation in
   hardware, making it especially appealing for high-speed
   implementations, or for implementations in an efficient and compact
   circuit.  CCM is well suited for use in compact software
   implementations.  This specification uses GCM and CCM with both
   AES-128 and AES-256.
   In summary, this document defines how to use AEAD algorithms,
   particularly AES-GCM and AES-CCM, to provide confidentiality and
   message authentication within SRTP and SRTCP packets.

2. Conventions Used In This Document

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
   "OPTIONAL" in this document are to be interpreted as described in
   [RFC2119].

3. Overview of the SRTP/SRTCP AEAD security Architecture

   SRTP/SRTCP AEAD security is based upon the following principles:

   a) Both privacy and authentication are based upon the use of
      symmetric algorithms.  An AEAD algorithm such as AES-CCM or
      AES-GCM combines privacy and authentication into a single
      process.

   b) A secret master key is shared by all participating endpoints,
      both those originating SRTP/SRTCP packets and those receiving
      these packets.  Any given master key MAY be used
      simultaneously by several endpoints to originate SRTP/SRTCP
      packets (as well as by one or more endpoints using this master
      key to process inbound data).

   c) A Key Derivation Function is applied to the shared master key
      value to form separate encryption keys, authentication keys
      and salting keys for SRTP and for SRTCP (a total of six
      keys).  This process is described in section 4.3 of
      [RFC3711].  Since AEAD algorithms such as AES-CCM and AES-GCM
      combine encryption and authentication into a single process,
      AEAD algorithms do not make use of the authentication keys.
      The master key MUST be at least as large as the encryption
      key derived from it.

   d) Aside from making modifications to IANA registries to allow
      AES-GCM and AES-CCM to work with SDES, DTLS and MIKEY, the
      details of how the master key is established and shared
      between the participants are outside the scope of this
      document.
      Similarly, any mechanism for rekeying an existing session is
      outside the scope of the document.

   e) Each time an instantiation of AES-GCM or AES-CCM is invoked
      to encrypt and authenticate an SRTP or SRTCP data packet a
      new IV is used.  SRTP combines the 4-octet synchronization
      source (SSRC) identifier, the 4-octet rollover counter (ROC),
      and the 2-octet sequence number (SEQ) with the 12-octet
      encryption salt to form a 12-octet IV (see section 9.1).
      SRTCP combines the SSRC and 31-bit SRTCP index with the
      encryption salt to form a 12-octet IV (see section 10.1).

4. Terminology

   The following terms have very specific meanings in the context of
   this RFC:

   Instantiation:  In AEAD, an instantiation is an (Encryption_key,
                   salt) pair together with all of the data
                   structures (for example, counters) needed for it
                   to function properly.  In SRTP/SRTCP, each
                   endpoint will need two instantiations of the AEAD
                   algorithm for each master key in its possession,
                   one instantiation for SRTP traffic and one
                   instantiation for SRTCP traffic.

   Invocation:     SRTP/SRTCP data streams are broken into packets.
                   Each packet is processed by a single invocation
                   of the appropriate instantiation of the AEAD
                   algorithm.

   In many applications, each endpoint will have one master key for
   processing outbound data but may have one or more separate master
   keys for processing inbound data.

5. Generic AEAD Processing

5.1. Types of Input Data

   Associated Data:  This is data that is to be authenticated
                     but not encrypted.

   Plaintext:        Data that is to be both encrypted and
                     authenticated.

   Raw Data:         Data that is to be neither encrypted nor
                     authenticated.

   Which portions of SRTP/SRTCP packets are to be treated as
   associated data, which are to be treated as plaintext, and which are
   to be treated as raw data are covered in sections 9.2, 10.2 and
   10.3.

5.2. AEAD Invocation Inputs and Outputs

5.2.1. Encrypt Mode

   Inputs:
      Encryption_key              Octet string, either 16 or 32
                                  octets long
      Initialization_Vector       Octet string, 12 octets long
      Associated_Data             Octet string of variable length
      Plaintext                   Octet string of variable length
      Tag_Size_Flag (CCM only*)   One octet

   Outputs:
      Ciphertext                  Octet string, length =
                                  length(Plaintext)+tag_length

   (*) CCM mode requires the tag length to be explicitly input to
   the algorithm, whereas with GCM the tag is simply truncated.
   For GCM, the algorithm choice determines the tag size.

   In both CCM and GCM, the algorithm negotiation selects what tag size
   is to be used.  In GCM, the authentication tag is simply truncated to
   the appropriate length, but CCM requires that the tag length be an
   explicit input to the algorithm as the Tag_Size_Flag.  For the
   three tag lengths allowed in this document the corresponding
   Tag_Size_Flag values are as follows:

      Tag Length | Tag_Size_Flag (hex)
      -----------------------------------
       8 octets  |   5A
      12 octets  |   6A
      16 octets  |   7A

   Once an SRTP/SRTCP session has been initiated the length of the tag
   is a fixed value and MUST NOT be altered.

5.2.2. Decrypt Mode

   Inputs:
      Encryption_key              Octet string, either 16 or 32
                                  octets long
      Initialization_Vector       Octet string, 12 octets long
      Associated_Data             Octet string of variable length
      Ciphertext                  Octet string of variable length
      Tag_Size_Flag (CCM only*)   One octet

   Outputs:
      Plaintext                   Octet string, length =
                                  length(Ciphertext)-tag_length
      Validity_Flag               Boolean, TRUE if valid,
                                  FALSE otherwise

   (*) For GCM, the algorithm choice determines the tag size.

   As mentioned in section 5.2.1, only three tag lengths are supported
   for use in SRTP/SRTCP, namely 8 octets, 12 octets and 16 octets.

5.3. Handling of AEAD Authentication

   AEAD requires that all incoming packets MUST pass AEAD authentication
   before any other action takes place.  Plaintext and associated data
   MUST NOT be released until the AEAD authentication tag has been
   validated.  Further, the ciphertext MUST NOT be decrypted until the
   AEAD tag has been validated.

   Should the AEAD tag prove to be invalid, the packet in question is to
   be discarded and a Validation Error flag raised.  Local policy
   determines how this flag is to be handled and is outside the scope of
   this document.

6. Counter Mode Encryption

   In both GCM and CCM, each outbound packet uses a 12-octet IV and an
   encryption key to form two outputs, a 16-octet first_key_block which
   is used in forming the authentication tag and a keystream of octets
   which is XORed with the plaintext to form the ciphertext.

   When GCM is used, the concatenation of a 12-octet IV (see sections
   9.1 and 10.1) with a 4-octet block counter forms the input to AES.
   This is used to build a key_stream as follows:

      def GCM_keystream( Plaintext_len, IV, Encryption_key ):
          assert Plaintext_len <= (2**36) - 32  ## measured in octets
          key_stream = ""
          block_counter = 1
          first_key_block = AES_ENC( data=IV||block_counter,
                                     key=Encryption_key )
          while len(key_stream) < Plaintext_len:
              block_counter = block_counter + 1
              key_block = AES_ENC( data=IV||block_counter,
                                   key=Encryption_key )
              key_stream = key_stream || key_block
          key_stream = truncate( key_stream, Plaintext_len )
          return (first_key_block, key_stream )

   In AES-CCM counter mode encryption, the AES data input consists of
   the concatenation of a 1-octet flag, a 12-octet IV, and a 3-octet
   block counter.  Note that in this application the flag octet will
   always have the value 0x02 (see section 2.3 of [RFC3610]).
   A (first_key_block, key_stream) pair is formed as follows:

      def CCM_keystream( Plaintext_len, IV, Encryption_key ):
          assert Plaintext_len <= (2**28)-16  ## measured in octets
          key_stream = ""
          block_counter = 0
          first_key_block = AES_ENC( data=0x02||IV||block_counter,
                                     key=Encryption_key )
          while len(key_stream) < Plaintext_len:
              block_counter = block_counter + 1
              key_block = AES_ENC( data=0x02||IV||block_counter,
                                   key=Encryption_key )
              key_stream = key_stream || key_block
          key_stream = truncate( key_stream, Plaintext_len )
          return (first_key_block, key_stream )

9. AES-GCM/CCM processing for SRTP

9.1. SRTP IV formation for AES-GCM and AES-CCM

   [Figure 1: AES-GCM and AES-CCM SRTP Initialization Vector formation.]

9.2. Data Types in SRTP Packets

   All SRTP packets MUST be both authenticated and encrypted.  The data
   fields within the SRTP packets are broken into Associated Data,
   Plaintext and Raw Data as follows (see Figure 2):

   Associated Data:  The version V (2 bits), padding flag P (1 bit),
                     extension flag X (1 bit), CSRC count CC (4 bits),
                     marker M (1 bit), the Payload Type PT (8 bits),
                     the sequence number (16 bits), timestamp (32
                     bits), SSRC (32 bits), optional contributing
                     source identifiers (CSRCs, 32 bits each), and
                     optional RTP extension (variable length).

   Plaintext:        The RTP payload (variable length), RTP padding
                     (if used, variable length), and RTP pad count
                     (if used, 1 octet).

   Raw Data:         The optional variable length SRTP MKI and SRTP
                     authentication tag (whose use is NOT
                     RECOMMENDED).  These fields are appended after
                     encryption has been performed.
       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    A |V=2|P|X|  CC   |M|     PT      |       sequence number         |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    A |                           timestamp                           |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    A |           synchronization source (SSRC) identifier            |
      +=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
    A |       contributing source (CSRC) identifiers (optional)       |
    A |                             ....                              |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    A |                   RTP extension (OPTIONAL)                    |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    P |                         payload  ...                          |
    P |                               +-------------------------------+
    P |                               | RTP padding   | RTP pad count |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   P = Plaintext (to be encrypted and authenticated)
   A = Associated Data (to be authenticated only)

   Figure 2: Structure of an SRTP packet before Authenticated
   Encryption

       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    A |V=2|P|X|  CC   |M|     PT      |       sequence number         |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    A |                           timestamp                           |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    A |           synchronization source (SSRC) identifier            |
      +=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
    A |       contributing source (CSRC) identifiers (optional)       |
    A |                             ....                              |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    A |                   RTP extension (OPTIONAL)                    |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    C |                            cipher                             |
    C |                              ...                              |
    C |                                                               |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    R :                      SRTP MKI (OPTIONAL)                      :
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    R :           SRTP authentication tag (NOT RECOMMENDED)           :
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   C = Ciphertext (encrypted and authenticated)
   A = Associated Data (authenticated only)
   R = neither encrypted nor authenticated, added
       after authenticated encryption completed

   Figure 3: Structure of an SRTP packet after Authenticated
   Encryption

   Since the AEAD ciphertext is larger than the plaintext by exactly the
   length of the AEAD authentication tag, the corresponding SRTP
   encrypted packet replaces the plaintext field by a slightly larger
   field containing the cipher.  Even if the plaintext field is empty,
   AEAD encryption must still be performed, with the resulting cipher
   consisting solely of the authentication tag.  This tag is to be
   placed immediately before the optional SRTP MKI and SRTP
   authentication tag fields.

9.3. Handling Header Extensions

   RTP header extensions were first defined in RFC 3550.  RFC 6904
   [RFC6904] describes how these header extensions are to be encrypted
   in SRTP.

   When RFC 6904 is in use, a separate keystream is generated to encrypt
   selected RTP header extension elements.  For the AEAD_AES_128_GCM and
   the AEAD_AES_128_CCM algorithms, this keystream MUST be generated in
   the manner defined in [RFC6904] using the AES_128_CM transform.  For
   the AEAD_AES_256_GCM and the AEAD_AES_256_CCM algorithms, the
   keystream MUST be generated in the manner defined for the AES_256_CM
   transform.  The originator must perform any required header extension
   encryption before the AEAD algorithm is invoked.
   As with the other fields contained within the RTP header, both
   encrypted and unencrypted header extensions are to be treated by the
   AEAD algorithm as Associated Data (AD).  Thus the AEAD algorithm does
   not provide any additional privacy for the header extensions, but
   does provide integrity and authentication.

9.4. Prevention of SRTP IV Reuse

   In order to prevent IV reuse, we must ensure that the (ROC,SEQ,SSRC)
   triple is never used twice with the same master key.  There are two
   phases to this issue.

   Counter Management:  A rekey MUST be performed to establish a new
                        master key before the (ROC,SEQ) pair cycles
                        back to its original value.  Note that this
                        implicitly assumes that either the outgoing RTP
                        process is trusted to not attempt to repeat a
                        SEQ value, or that the encryption process
                        ensures that the SEQ numbers of the packets
                        presented to it are always incremented in the
                        proper fashion.  This is particularly important
                        for GCM since using the same SEQ value twice
                        compromises the authentication mechanism.  For
                        GCM, the SEQ and SSRC values used MUST either
                        be generated or checked by the SRTP
                        implementation, or by a module (e.g. the RTP
                        application) that can be considered as trusted
                        as the SRTP implementation.  While [RFC3711]
                        allows detecting SSRC collisions after they
                        happen, SRTP using GCM with shared master keys
                        MUST prevent SSRC collision from happening even
                        once.

   SSRC Management:     For a given master key, the set of all SSRC
                        values used with that master key must be
                        partitioned into disjoint pools, one pool for
                        each endpoint using that master key to
                        originate outbound data.  Each such originating
                        endpoint MUST only issue SSRC values from the
                        pool it has been assigned.  Further, each
                        originating endpoint MUST maintain a history of
                        outbound SSRC identifiers that it has issued
                        within the lifetime of the current master key,
                        and when a new synchronization source requests
                        an SSRC identifier it MUST NOT be given an
                        identifier that has been previously issued.  A
                        rekey MUST be performed before any of the
                        originating endpoints using that master key
                        exhausts its pool of SSRC values.  Further, the
                        identity of the entity giving out SSRC values
                        MUST be verified, and the SSRC signaling MUST
                        be integrity protected.

10. AES-GCM/CCM Processing of SRTCP Compound Packets

   All SRTCP compound packets MUST be authenticated, but unlike SRTP,
   SRTCP packet encryption is optional.  A sender can select which
   packets to encrypt, and indicates this choice with a 1-bit encryption
   flag (located just before the 31-bit SRTCP index).

10.1. SRTCP IV formation for AES-GCM and AES-CCM

   The 12-octet initialization vector used by both AES-GCM and AES-CCM
   SRTCP is formed by first concatenating 2 octets of zeroes, the
   4-octet Synchronization Source identifier (SSRC), 2 octets of zeroes,
   a single zero bit, and the 31-bit SRTCP Index.  The resulting
   12-octet value is then XORed with the 12-octet salt to form the
   12-octet IV.

       0  1  2  3  4  5  6  7  8  9 10 11
      +--+--+--+--+--+--+--+--+--+--+--+--+
      |00|00|    SSRC   |00|00|0+SRTCP Idx|---+
      +--+--+--+--+--+--+--+--+--+--+--+--+   |
                                              |
      +--+--+--+--+--+--+--+--+--+--+--+--+   |
      |          Encryption Salt          |->(+)
      +--+--+--+--+--+--+--+--+--+--+--+--+   |
                                              |
      +--+--+--+--+--+--+--+--+--+--+--+--+   |
      |       Initialization Vector       |<--+
      +--+--+--+--+--+--+--+--+--+--+--+--+

   Figure 4: SRTCP Initialization Vector formation
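The IV construction of sections 9.1 and 10.1 together with the sender-side counter and SSRC discipline of sections 9.4 and 10.4, as an added example that is not code from the draft: srtp_iv, srtcp_iv, IvReuseGuard and rejected are this example's own names, and the SRTP field order (two zero octets, SSRC, ROC, SEQ) is the layout section 9.1 of the draft defines from the components listed in section 3(e).

```python
"""SRTP/SRTCP IV formation (sections 9.1, 10.1) and an IV-reuse guard
(sections 9.4, 10.4).  Example code, not part of the draft; all names are
this example's own."""
import struct

SALT_LEN = 12


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def srtp_iv(salt: bytes, ssrc: int, roc: int, seq: int) -> bytes:
    """Section 9.1: IV = (00 00 || SSRC || ROC || SEQ) XOR 12-octet salt."""
    if len(salt) != SALT_LEN:
        raise ValueError("encryption salt must be 12 octets")
    if not (0 <= ssrc < 2**32 and 0 <= roc < 2**32 and 0 <= seq < 2**16):
        raise ValueError("SSRC/ROC/SEQ out of range")
    return _xor(struct.pack(">HIIH", 0, ssrc, roc, seq), salt)   # 2+4+4+2


def srtcp_iv(salt: bytes, ssrc: int, index: int) -> bytes:
    """Section 10.1: IV = (00 00 || SSRC || 00 00 || 0-bit+31-bit index) XOR salt.

    The E flag sits above the index on the wire but is not part of the IV,
    so the top bit of the last four octets is always zero here."""
    if len(salt) != SALT_LEN:
        raise ValueError("encryption salt must be 12 octets")
    if not (0 <= ssrc < 2**32 and 0 <= index < 2**31):
        raise ValueError("SSRC/SRTCP index out of range")
    return _xor(struct.pack(">HIHI", 0, ssrc, 0, index), salt)   # 2+4+2+4


class IvReuseGuard:
    """Sender-side enforcement of sections 9.4 and 10.4 for one master key.

    The RTP layer proposes SSRC and counter values; an IV is released only
    if the SSRC comes from this endpoint's pool and was issued exactly once,
    the 48-bit (ROC<<16 | SEQ) or 31-bit SRTCP index is strictly greater
    than the last value used on that SSRC, and the per-instantiation limits
    of section 11 (2^48 SRTP / 2^31 SRTCP invocations) are respected.
    rekey_needed turns True `margin` packets before any of these run out."""

    SRTP_LIMIT = 2**48
    SRTCP_LIMIT = 2**31

    def __init__(self, salt: bytes, ssrc_pool, margin: int = 2**16):
        self.salt = salt
        self._pool = set(ssrc_pool)     # disjoint from other endpoints' pools
        self._issued = set()            # history for the current master key
        self._last = {}                 # (ssrc, kind) -> last counter released
        self._count = {"rtp": 0, "rtcp": 0}
        self._margin = margin
        self.rekey_needed = False

    def issue_ssrc(self, ssrc: int) -> None:
        if ssrc not in self._pool:
            raise ValueError("SSRC %#x is not in this endpoint's pool" % ssrc)
        if ssrc in self._issued:
            raise ValueError("SSRC %#x already issued under this key" % ssrc)
        self._issued.add(ssrc)
        if len(self._issued) == len(self._pool):
            self.rekey_needed = True    # pool exhausted: rekey before more

    def _release(self, kind: str, ssrc: int, counter: int, limit: int) -> None:
        if ssrc not in self._issued:
            raise ValueError("SSRC %#x was not issued by this endpoint" % ssrc)
        last = self._last.get((ssrc, kind))
        if last is not None and counter <= last:
            raise ValueError("%s counter reuse/rollback on SSRC %#x" % (kind, ssrc))
        if self._count[kind] >= limit:
            raise ValueError("%s invocation limit reached: rekey required" % kind)
        self._last[(ssrc, kind)] = counter
        self._count[kind] += 1
        if counter + self._margin >= limit or self._count[kind] + self._margin >= limit:
            self.rekey_needed = True

    def srtp_iv_for(self, ssrc: int, roc: int, seq: int) -> bytes:
        iv = srtp_iv(self.salt, ssrc, roc, seq)       # range-check first
        self._release("rtp", ssrc, (roc << 16) | seq, self.SRTP_LIMIT)
        return iv

    def srtcp_iv_for(self, ssrc: int, index: int) -> bytes:
        iv = srtcp_iv(self.salt, ssrc, index)
        self._release("rtcp", ssrc, index, self.SRTCP_LIMIT)
        return iv


def rejected(fn, *args) -> bool:
    """True if fn(*args) is refused with ValueError (used by the checks)."""
    try:
        fn(*args)
    except ValueError:
        return True
    return False
```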
10.2. Data Types in Encrypted SRTCP Compound Packets

   When the encryption flag is set to 1, the SRTCP packet is broken into
   plaintext, associated data, and raw (untouched) data as listed below
   (see figure 5):

   Associated Data:  The packet version V (2 bits), padding flag P (1
                     bit), reception report count RC (5 bits), packet
                     type (8 bits), length (2 octets), SSRC (4
                     octets), encryption flag (1 bit) and SRTCP index
                     (31 bits).

   Raw Data:         The 32-bit optional SRTCP MKI index and 32-bit
                     SRTCP authentication tag (whose use is NOT
                     RECOMMENDED).

   Plaintext:        All other data.

   Note that the plaintext comes in one contiguous field.  Since the
   AEAD cipher is larger than the plaintext by exactly the length of the
   AEAD authentication tag, the corresponding SRTCP encrypted packet
   replaces the plaintext field with a slightly larger field containing
   the cipher.  Even if the plaintext field is empty, AEAD encryption
   must still be performed, with the resulting cipher consisting solely
   of the authentication tag.  This tag is to be placed immediately
   before the encryption flag and SRTCP index.

       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    A |V=2|P|    RC   |   Packet Type |             length            |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    A |            synchronization source (SSRC) of Sender            |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    P |                          sender info                          :
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    P |                        report block 1                         :
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    P |                        report block 2                         :
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    P |                              ...                              :
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    P |V=2|P|    SC   |   Packet Type |             length            |
      +=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
    P |                          SSRC/CSRC_1                          |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    P |                          SDES items                           :
      +=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
    P |                              ...                              :
      +=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
    A |1|                         SRTCP index                         |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    R |                  SRTCP MKI (optional) index                   :
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    R :          SRTCP authentication tag (NOT RECOMMENDED)           :
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   P = Plaintext (to be encrypted and authenticated)
   A = Associated Data (to be authenticated only)
   R = neither encrypted nor authenticated, added after
       encryption

   Figure 5: AEAD SRTCP inputs when encryption flag = 1.

10.3. Data Types in Unencrypted SRTCP Compound Packets

   When the encryption flag is set to 0, the SRTCP compound packet is
   broken into plaintext, associated data, and raw (untouched) data as
   follows (see figure 6):

   Plaintext:        None.

   Raw Data:         The variable length optional SRTCP MKI index and
                     SRTCP authentication tag (whose use is NOT
                     RECOMMENDED).

   Associated Data:  All other data.

   Even though there is no plaintext in this RTCP packet, AEAD
   encryption returns a cipher field which is precisely the length of
   the AEAD authentication tag.  This cipher is to be placed before the
   Encryption flag and the SRTCP index in the authenticated SRTCP
   packet.

       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    A |V=2|P|    RC   |   Packet Type |             length            |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    A |            synchronization source (SSRC) of Sender            |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    A |                          sender info                          :
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    A |                        report block 1                         :
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    A |                        report block 2                         :
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    A |                              ...                              :
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    A |V=2|P|    SC   |   Packet Type |             length            |
      +=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
    A |                          SSRC/CSRC_1                          |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    A |                          SDES items                           :
      +=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
    A |                              ...                              :
      +=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
    A |0|                         SRTCP index                         |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    R |                  SRTCP MKI (optional) index                   :
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    R :             authentication tag (NOT RECOMMENDED)              :
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   A = Associated Data (to be authenticated only)
   R = neither encrypted nor authenticated, added after
       encryption

   Figure 6: AEAD SRTCP inputs when encryption flag = 0

10.4. Prevention of SRTCP IV Reuse

   A new master key MUST be established before the 31-bit SRTCP index
   cycles back to its original value.  Ideally, a rekey should be
   performed and a new master key put in place well before the SRTCP
   index cycles back to the starting value.

   The comments on SSRC management in section 9.4 also apply.
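The partition of sections 9.2, 10.2 and 10.3 (Figures 2, 5 and 6) into Associated Data and Plaintext, as an added example that is not code from the draft: split_srtp, split_srtcp, place_srtcp_ciphertext, is_malformed and the constructed sample packets are this example's own, and it assumes no MKI and no SRTP/SRTCP authentication tag are in use, so nothing follows the E flag and SRTCP index.

```python
"""Partition of SRTP and SRTCP packets into AEAD Associated Data and
Plaintext (Figures 2, 5 and 6).  Example code, not part of the draft.
Assumes no MKI and no SRTP/SRTCP authentication tag, so the E flag and
31-bit index are the final four octets of an SRTCP packet."""
import struct
from typing import NamedTuple


class AeadInputs(NamedTuple):
    aad: bytes          # Associated Data: authenticated only
    plaintext: bytes    # encrypted and authenticated
    ssrc: int
    counter: int        # SRTP: 16-bit SEQ; SRTCP: 31-bit SRTCP index
    encrypted: bool     # SRTP: always True; SRTCP: the E flag


def split_srtp(packet: bytes) -> AeadInputs:
    """Figure 2: fixed header, CSRCs and RTP extension are AD; the rest is
    plaintext.  RTP padding and the pad count octet stay in the plaintext."""
    if len(packet) < 12:
        raise ValueError("truncated RTP header")
    b0, _b1, seq, _ts, ssrc = struct.unpack(">BBHII", packet[:12])
    if b0 >> 6 != 2:
        raise ValueError("RTP version must be 2")
    hdr_len = 12 + 4 * (b0 & 0x0F)              # fixed header + CC CSRCs
    if b0 & 0x10:                               # X bit: RFC 3550 extension
        if len(packet) < hdr_len + 4:
            raise ValueError("truncated header extension")
        (ext_words,) = struct.unpack(">H", packet[hdr_len + 2:hdr_len + 4])
        hdr_len += 4 + 4 * ext_words
    if len(packet) < hdr_len:
        raise ValueError("truncated CSRC list or header extension")
    return AeadInputs(packet[:hdr_len], packet[hdr_len:], ssrc, seq, True)


def split_srtcp(packet: bytes) -> AeadInputs:
    """Figures 5 and 6.  E=1: first 8 octets plus the E/index trailer are AD
    and everything between is plaintext.  E=0: the whole packet is AD and the
    plaintext is empty (AEAD still runs and yields a tag-only ciphertext)."""
    if len(packet) < 12:
        raise ValueError("truncated SRTCP packet")
    if packet[0] >> 6 != 2:
        raise ValueError("RTCP version must be 2")
    (ssrc,) = struct.unpack(">I", packet[4:8])
    (trailer,) = struct.unpack(">I", packet[-4:])
    e_flag, index = bool(trailer >> 31), trailer & 0x7FFFFFFF
    if e_flag:
        return AeadInputs(packet[:8] + packet[-4:], packet[8:-4], ssrc, index, True)
    return AeadInputs(packet, b"", ssrc, index, False)


def place_srtcp_ciphertext(packet: bytes, ciphertext: bytes) -> bytes:
    """Sections 10.2/10.3: the AEAD output (ciphertext+tag, or the tag alone
    when E=0) goes immediately before the E flag and SRTCP index."""
    head = packet[:8] if packet[-4] & 0x80 else packet[:-4]
    return head + ciphertext + packet[-4:]


def is_malformed(splitter, packet: bytes) -> bool:
    """True if the splitter rejects the packet (used by the checks)."""
    try:
        splitter(packet)
    except ValueError:
        return True
    return False


# Constructed sample packets for the checks, not captured traffic.
def sample_srtp_packet() -> bytes:
    # V=2, P=0, X=1, CC=1, M=0, PT=96, SEQ=1000, TS=16, SSRC=0xDEADBEEF
    hdr = bytes([0x91, 0x60]) + struct.pack(">HII", 1000, 16, 0xDEADBEEF)
    csrc = struct.pack(">I", 0x55667788)
    ext = struct.pack(">HH", 0xBEDE, 1) + b"\x10\x01\x00\x00"  # one 32-bit word
    return hdr + csrc + ext + b"\x01\x02\x03\x04\x05"           # 24-octet header


def sample_srtcp_packet(e_flag: bool, index: int = 42) -> bytes:
    sr = bytes([0x80, 200]) + struct.pack(">HI", 6, 0xABCD0001) + bytes(20)
    sdes = bytes([0x81, 202]) + struct.pack(">HI", 3, 0xABCD0001)
    sdes += b"\x01\x02ab" + bytes(4)                    # CNAME "ab", padded
    trailer = struct.pack(">I", (0x80000000 if e_flag else 0) | index)
    return sr + sdes + trailer
```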
11. Constraints on AEAD for SRTP and SRTCP

   In general, any AEAD algorithm can accept inputs with varying
   lengths, but each algorithm can accept only a limited range of
   lengths for a specific parameter.  In this section, we describe the
   constraints on the parameter lengths that any AEAD algorithm must
   support to be used in AEAD-SRTP.  Additionally, we specify a complete
   parameter set for two specific AEAD algorithms, namely AES-GCM and
   AES-CCM.

   All AEAD algorithms used with SRTP/SRTCP MUST satisfy the three
   constraints listed below:

   PARAMETER   Meaning                  Value

   A_MAX       maximum associated       MUST be at least 12 octets.
               data length
   N_MIN       minimum nonce (IV)       MUST be 12 octets.
               length
   N_MAX       maximum nonce (IV)       MUST be 12 octets.
               length
   C_MAX       maximum ciphertext       GCM: MUST be <= 2^36-16 octets.
               length per invocation    CCM: MUST be <= 2^28 octets.

   The values for C_MAX are based on purely cryptographic
   considerations.

   For sake of clarity we specify two additional parameters:

   AEAD Authentication Tag Length      MUST be either 8, 12, or 16
                                       octets
   Maximum number of invocations       MUST be at most 2^48 for SRTP
   for a given instantiation           MUST be at most 2^31 for SRTCP
   Block Counter size                  MUST be 24 bits for CCM,
                                       MUST be 32 bits for GCM

   The reader is reminded that the ciphertext is longer than the
   plaintext by exactly the length of the AEAD authentication tag.

12. Key Derivation Functions

   A Key Derivation Function (KDF) is used to derive all of the required
   encryption and authentication keys from a secret value shared by the
   endpoints.  Both the AEAD_AES_128_GCM algorithms and the
   AEAD_AES_128_CCM algorithms MUST use the (128-bit) AES_CM_PRF Key
   Derivation Function described in [RFC3711].  Both the
   AEAD_AES_256_GCM algorithms and the AEAD_AES_256_CCM algorithms MUST
   use the AES_256_CM_PRF Key Derivation Function described in
   [RFC6188].

13. Summary of Algorithm Characteristics

   For convenience, much of the information about the use of AES-GCM and
   AES-CCM algorithms in SRTP is collected in the tables contained in
   this section.

13.1. AES-GCM for SRTP/SRTCP

   AES-GCM is a family of AEAD algorithms built around the AES block
   cipher algorithm.  AES-GCM uses AES counter mode for encryption and
   Galois Message Authentication Code (GMAC) for authentication.  A
   detailed description of the AES-GCM family can be found in
   [RFC5116].  The following members of the AES-GCM family may be used
   with SRTP/SRTCP:

   Name                  Key Size    AEAD Tag Size   Reference
   ================================================================
   AEAD_AES_128_GCM      16 octets   16 octets       [RFC5116]
   AEAD_AES_256_GCM      32 octets   16 octets       [RFC5116]
   AEAD_AES_128_GCM_8    16 octets    8 octets       [RFC5282]
   AEAD_AES_256_GCM_8    32 octets    8 octets       [RFC5282]
   AEAD_AES_128_GCM_12   16 octets   12 octets       [RFC5282]
   AEAD_AES_256_GCM_12   32 octets   12 octets       [RFC5282]

   Table 1: AES-GCM algorithms for SRTP/SRTCP

   Any implementation of AES-GCM SRTP MUST support both AEAD_AES_128_GCM
   and AEAD_AES_256_GCM (the versions with 16 octet AEAD authentication
   tags), and it MAY support the four other variants shown in table 1.
833 Below we summarize parameters associated with these six GCM 834 algorithms: 836 +--------------------------------+------------------------------+ 837 | Parameter | Value | 838 +--------------------------------+------------------------------+ 839 | Master key length | 128 bits | 840 | Master salt length | 96 bits | 841 | Key Derivation Function | AES_CM_PRF [RFC3711] | 842 | Default key lifetime (SRTP) | 2^48 packets | 843 | Default key lifetime (SRTCP) | 2^31 packets | 844 | Cipher (for SRTP and SRTCP) | AEAD_AES_128_GCM_8 | 845 | AEAD authentication tag length | 64 bits | 846 +--------------------------------+------------------------------+ 848 Table 2: The AEAD_AES_128_GCM_8 Crypto Suite 850 +--------------------------------+------------------------------+ 851 | Parameter | Value | 852 +--------------------------------+------------------------------+ 853 | Master key length | 128 bits | 854 | Master salt length | 96 bits | 855 | Key Derivation Function | AES_CM_PRF [RFC3711] | 856 | Default key lifetime (SRTP) | 2^48 packets | 857 | Default key lifetime (SRTCP) | 2^31 packets | 858 | Cipher (for SRTP and SRTCP) | AEAD_AES_128_GCM_12 | 859 | AEAD authentication tag length | 96 bits | 860 +--------------------------------+------------------------------+ 862 Table 3: The AEAD_AES_128_GCM_12 Crypto Suite 864 +--------------------------------+------------------------------+ 865 | Parameter | Value | 866 +--------------------------------+------------------------------+ 867 | Master key length | 128 bits | 868 | Master salt length | 96 bits | 869 | Key Derivation Function | AES_CM_PRF [RFC3711] | 870 | Default key lifetime (SRTP) | 2^48 packets | 871 | Default key lifetime (SRTCP) | 2^31 packets | 872 | Cipher (for SRTP and SRTCP) | AEAD_AES_128_GCM | 873 | AEAD authentication tag length | 128 bits | 874 +--------------------------------+------------------------------+ 876 Table 4: The AEAD_AES_128_GCM Crypto Suite 878 
+--------------------------------+------------------------------+ 879 | Parameter | Value | 880 +--------------------------------+------------------------------+ 881 | Master key length | 256 bits | 882 | Master salt length | 96 bits | 883 | Key Derivation Function | AES_256_CM_PRF [RFC6188] | 884 | Default key lifetime (SRTP) | 2^17 packets | 885 | Default key lifetime (SRTCP) | 2^17 packets | 886 | Cipher (for SRTP and SRTCP) | AEAD_AES_256_GCM_8 | 887 | AEAD authentication tag length | 64 bits | 888 +--------------------------------+------------------------------+ 890 Table 5: The AEAD_AES_256_GCM_8 Crypto Suite 892 +--------------------------------+------------------------------+ 893 | Parameter | Value | 894 +--------------------------------+------------------------------+ 895 | Master key length | 256 bits | 896 | Master salt length | 96 bits | 897 | Key Derivation Function | AES_256_CM_PRF [RFC6188] | 898 | Default key lifetime (SRTP) | 2^48 packets | 899 | Default key lifetime (SRTCP) | 2^31 packets | 900 | Cipher (for SRTP and SRTCP) | AEAD_AES_256_GCM_12 | 901 | AEAD authentication tag length | 96 bits | 902 +--------------------------------+------------------------------+ 904 Table 6: The AEAD_AES_256_GCM_12 Crypto Suite 906 +--------------------------------+------------------------------+ 907 | Parameter | Value | 908 +--------------------------------+------------------------------+ 909 | Master key length | 256 bits | 910 | Master salt length | 96 bits | 911 | Key Derivation Function | AES_256_CM_PRF [RFC6188] | 912 | Default key lifetime (SRTP) | 2^48 packets | 913 | Default key lifetime (SRTCP) | 2^31 packets | 914 | Cipher (for SRTP and SRTCP) | AEAD_AES_256_GCM | 915 | AEAD authentication tag length | 128 bits | 916 +--------------------------------+------------------------------+ 917 Table 7: The AEAD_AES_256_GCM Crypto Suite 919 13.2. 
AES-CCM for SRTP/SRTCP 921 AES-CCM is another family of AEAD algorithms built around the AES 922 block cipher algorithm. AES-CCM uses AES counter mode for encryption 923 and AES Cipher Block Chaining Message Authentication Code (CBC-MAC) 924 for authentication. A detailed description of the AES-CCM family can 925 be found in [RFC5116]. Four of the six CCM algorithms used in this 926 document are defined in previous RFCs, while two, AEAD_AES_128_CCM_12 927 and AEAD_AES_256_CCM_12, are defined in section 7 of this document. 929 Name Key Size AEAD Tag Size Reference 930 ================================================================ 931 AEAD_AES_128_CCM 128 bits 16 octets [RFC5116] 932 AEAD_AES_256_CCM 256 bits 16 octets [RFC5116] 933 AEAD_AES_128_CCM_12 128 bits 12 octets see section 7 934 AEAD_AES_256_CCM_12 256 bits 12 octets see section 7 935 AEAD_AES_128_CCM_8 128 bits 8 octets [RFC6655] 936 AEAD_AES_256_CCM_8 256 bits 8 octets [RFC6655] 937 Table 8: AES-CCM algorithms for SRTP/SRTCP 939 Any implementation of AES-CCM SRTP/SRTCP MUST support both 940 AEAD_AES_128_CCM and AEAD_AES_256_CCM (the versions with 16 octet 941 AEAD authentication tags), and MAY support the other four variants. 943 In addition to the flag octet used in counter mode encryption, 944 AES-CCM authentications also uses a flag octet that conveys 945 information about the length of the authentication tag, length of the 946 block counter, and presence of additional authenticated data (see 947 section 2.2 of [RFC3610]). For AES-CCM in SRTP/SRTCP, the flag octet 948 has the hex value 5A if an 8-octet AEAD authentication tag is used, 949 6A if a 12-octet AEAD authentication tag is used, and 7A if a 950 16-octet AEAD authentication tag is used. The flag octet is one of 951 the inputs to AES during the counter mode encryption of the 952 plaintext. 
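   The flag-octet rules above are easy to get wrong in a hand-rolled
   CCM, and a wrong B_0 silently produces a different (and
   non-interoperable) tag.  The following Python is an added example,
   not code from this draft or from any SRTP implementation: it builds
   the B_0 block, the counter blocks A_i and the associated-data length
   prefix exactly as Sections 2.2 and 2.3 of [RFC3610] describe, with
   the parameter choices this document fixes (12-octet nonce, hence a
   3-octet length field and 24-bit block counter; associated data
   always present; tag of 8, 12 or 16 octets).  The AES calls that
   would consume these blocks are out of scope here; the function and
   constant names are the example's own.

```python
"""CCM formatting blocks for AES-CCM in SRTP/SRTCP (RFC 3610 Sections 2.2, 2.3).

Added example; not part of the draft.  Block layout only, no AES.
"""

NONCE_LEN = 12            # N_MIN = N_MAX = 12 octets (Section 11 of the draft)
L = 15 - NONCE_LEN        # size of the length field: 3 octets -> 24-bit counter
TAG_LENGTHS = (8, 12, 16) # the only AEAD tag lengths allowed in SRTP/SRTCP


def ccm_auth_flags(tag_len: int, adata: bool = True) -> int:
    """Flag octet of B_0: bit 6 = Adata, bits 5..3 = (M-2)/2, bits 2..0 = L-1.

    For SRTP/SRTCP (Adata set, L = 3) this yields 0x5A, 0x6A or 0x7A.
    """
    if tag_len not in TAG_LENGTHS:
        raise ValueError("AEAD tag length must be 8, 12 or 16 octets")
    return (0x40 if adata else 0) | (((tag_len - 2) // 2) << 3) | (L - 1)


def ccm_ctr_flags() -> int:
    """Flag octet of the counter blocks A_i: only L-1 (0x02 here)."""
    return L - 1


def ccm_b0(nonce: bytes, tag_len: int, msg_len: int) -> bytes:
    """B_0 = flags || nonce || l(m); the first block fed to the CBC-MAC."""
    if len(nonce) != NONCE_LEN:
        raise ValueError("nonce must be 12 octets")
    if not 0 <= msg_len < 1 << (8 * L):
        raise ValueError("plaintext length does not fit in a 3-octet field")
    return bytes([ccm_auth_flags(tag_len)]) + nonce + msg_len.to_bytes(L, "big")


def ccm_counter_block(nonce: bytes, i: int) -> bytes:
    """A_i = flags || nonce || i.

    A_0 produces the keystream block that encrypts the tag; A_1, A_2, ...
    encrypt the plaintext.  The counter is reset to 0 for every packet
    (Section 14.1) and must never exceed 2^24-1.
    """
    if len(nonce) != NONCE_LEN:
        raise ValueError("nonce must be 12 octets")
    if not 0 <= i < 1 << (8 * L):
        raise ValueError("block counter exceeds 2^24-1")
    return bytes([ccm_ctr_flags()]) + nonce + i.to_bytes(L, "big")


def ccm_adata_length_prefix(alen: int) -> bytes:
    """Encoding of l(a) that precedes the associated data in the CBC-MAC input."""
    if alen <= 0:
        raise ValueError("SRTP/SRTCP always has associated data")
    if alen < (1 << 16) - (1 << 8):
        return alen.to_bytes(2, "big")
    if alen < 1 << 32:
        return b"\xff\xfe" + alen.to_bytes(4, "big")
    return b"\xff\xff" + alen.to_bytes(8, "big")


if __name__ == "__main__":
    nonce = bytes(range(12))  # constructed sample nonce, not a real SRTP IV
    for t in TAG_LENGTHS:
        print(f"tag {t:2d} octets: B_0 flags = 0x{ccm_auth_flags(t):02X}")
    print("A_0 =", ccm_counter_block(nonce, 0).hex())
    print("B_0 =", ccm_b0(nonce, 16, 160).hex())
```

   A quick sanity check against the text: ccm_auth_flags(8), (12) and
   (16) return 0x5A, 0x6A and 0x7A, and every counter block starts with
   0x02 regardless of tag length, which is why the two flag octets must
   not be confused.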
   +--------------------------------+------------------------------+
   | Parameter                      | Value                        |
   +--------------------------------+------------------------------+
   | Master key length              | 128 bits                     |
   | Master salt length             | 96 bits                      |
   | Key Derivation Function        | AES_CM_PRF [RFC3711]         |
   | Maximum key lifetime (SRTP)    | 2^48 packets                 |
   | Maximum key lifetime (SRTCP)   | 2^31 packets                 |
   | Cipher (for SRTP and SRTCP)    | AEAD_AES_128_CCM_8           |
   | AEAD authentication tag length | 64 bits                      |
   +--------------------------------+------------------------------+

              Table 9: The AEAD_AES_128_CCM_8 Crypto Suite

   +--------------------------------+------------------------------+
   | Parameter                      | Value                        |
   +--------------------------------+------------------------------+
   | Master key length              | 128 bits                     |
   | Master salt length             | 96 bits                      |
   | Key Derivation Function        | AES_CM_PRF [RFC3711]         |
   | Maximum key lifetime (SRTP)    | 2^48 packets                 |
   | Maximum key lifetime (SRTCP)   | 2^31 packets                 |
   | Cipher (for SRTP and SRTCP)    | AEAD_AES_128_CCM_12          |
   | AEAD authentication tag length | 96 bits                      |
   +--------------------------------+------------------------------+

              Table 10: The AEAD_AES_128_CCM_12 Crypto Suite

   +--------------------------------+------------------------------+
   | Parameter                      | Value                        |
   +--------------------------------+------------------------------+
   | Master key length              | 128 bits                     |
   | Master salt length             | 96 bits                      |
   | Key Derivation Function        | AES_CM_PRF [RFC3711]         |
   | Maximum key lifetime (SRTP)    | 2^48 packets                 |
   | Maximum key lifetime (SRTCP)   | 2^31 packets                 |
   | Cipher (for SRTP and SRTCP)    | AEAD_AES_128_CCM             |
   | AEAD authentication tag length | 128 bits                     |
   +--------------------------------+------------------------------+

              Table 11: The AEAD_AES_128_CCM Crypto Suite

   +--------------------------------+------------------------------+
   | Parameter                      | Value                        |
   +--------------------------------+------------------------------+
   | Master key length              | 256 bits                     |
   | Master salt length             | 96 bits                      |
   | Key Derivation Function        | AES_256_CM_PRF [RFC6188]     |
   | Maximum key lifetime (SRTP)    | 2^48 packets                 |
   | Maximum key lifetime (SRTCP)   | 2^31 packets                 |
   | Cipher (for SRTP and SRTCP)    | AEAD_AES_256_CCM_8           |
   | AEAD authentication tag length | 64 bits                      |
   +--------------------------------+------------------------------+

              Table 12: The AEAD_AES_256_CCM_8 Crypto Suite

   +--------------------------------+------------------------------+
   | Parameter                      | Value                        |
   +--------------------------------+------------------------------+
   | Master key length              | 256 bits                     |
   | Master salt length             | 96 bits                      |
   | Key Derivation Function        | AES_256_CM_PRF [RFC6188]     |
   | Maximum key lifetime (SRTP)    | 2^48 packets                 |
   | Maximum key lifetime (SRTCP)   | 2^31 packets                 |
   | Cipher (for SRTP and SRTCP)    | AEAD_AES_256_CCM_12          |
   | AEAD authentication tag length | 96 bits                      |
   +--------------------------------+------------------------------+

              Table 13: The AEAD_AES_256_CCM_12 Crypto Suite

   +--------------------------------+------------------------------+
   | Parameter                      | Value                        |
   +--------------------------------+------------------------------+
   | Master key length              | 256 bits                     |
   | Master salt length             | 96 bits                      |
   | Key Derivation Function        | AES_256_CM_PRF [RFC6188]     |
   | Maximum key lifetime (SRTP)    | 2^48 packets                 |
   | Maximum key lifetime (SRTCP)   | 2^31 packets                 |
   | Cipher (for SRTP and SRTCP)    | AEAD_AES_256_CCM             |
   | AEAD authentication tag length | 128 bits                     |
   +--------------------------------+------------------------------+

              Table 14: The AEAD_AES_256_CCM Crypto Suite

14. Security Considerations

14.1. Handling of Security Critical Parameters

   As with any security process, the implementer must take care to
   ensure that cryptographically sensitive parameters are properly
   handled.  Many of these recommendations hold for all SRTP
   cryptographic algorithms, but we include them here to emphasize
   their importance.

   -  If the master salt is to be kept secret, it MUST be properly
      erased when no longer needed.

   -  The secret master key and all keys derived from it MUST be kept
      secret.  All keys MUST be properly erased when no longer needed.

   -  At the start of each packet, the block counter MUST be reset (to
      0 for CCM, to 1 for GCM).  The block counter is incremented after
      each block of keystream has been produced, but it MUST NOT be
      allowed to exceed 2^32-1 for GCM and 2^24-1 for CCM.  Note that
      even though the block counter is reset at the start of each
      packet, IV uniqueness is ensured by the inclusion of SSRC/ROC/SEQ
      or the SRTCP index in the IV.  (The reader is reminded that in
      both GCM and CCM the first block of keystream produced is
      reserved for use in authenticating the packet and is not used to
      encrypt plaintext.)

   -  Each time a rekey occurs, the initial values of the SRTCP index
      and the SRTP packet indices MUST be saved in order to prevent IV
      reuse.

   -  Processing MUST cease if the 31-bit SRTCP index or any of the
      48-bit packet indices cycles back to its initial value.
      Processing MUST NOT resume until a new SRTP/SRTCP session has
      been established using a new SRTP master key.  Ideally, a rekey
      should be done well before any of these counters cycle.

14.2. Size of the Authentication Tag

   We require that the AEAD authentication tag be at least 8 octets,
   which significantly reduces the probability of an adversary
   successfully introducing fraudulent data.  The goal of an
   authentication tag is to reduce the probability of a successful
   forgery occurring anywhere in the network we are attempting to
   defend.  There are three relevant factors: how low we wish the
   probability of successful forgery to be (prob_success), how many
   attempts the adversary can make (N_tries), and the size of the
   authentication tag in bits (N_tag_bits).  Then

      prob_success <= expected number of successes
                    = N_tries * 2^-N_tag_bits.

   When the expected number of successes is much less than one, the
   probability of success is well approximated by the expected number
   of successes.

   Suppose an adversary wishes to introduce a forged or altered packet
   into a target network by randomly selecting an authentication value
   until by chance they hit a valid authentication tag.  The table
   below summarizes the relationship between the number of forged
   packets the adversary has tried, the size of the authentication tag,
   and the probability of a compromise occurring (i.e., at least one of
   the attempted forgeries having a valid authentication tag).  The
   reader is reminded that the forgery attempts can be made over the
   entire network, not just a single link, and that frequently changing
   the key does not decrease the probability of a compromise occurring:
   the bound depends on the total number of attempts, not on how many
   keys they were spread across.

   It should be noted that the cryptographic properties of the GHASH
   algorithm used in GCM reduce the effective authentication tag size
   (in bits) by the log base 2 of the number of 16-octet blocks of
   encrypted and/or authenticated data in a packet.  In practice an
   SRTP payload will be less than 2^16 octets, because of the 16-bit
   IPv4 and UDP length fields.  The exception to this case is IPv6
   jumbograms [RFC2675], which are unlikely to be used for RTP-based
   multimedia traffic [RFC3711].  2^16 octets corresponds to 2^12
   blocks of data, so the effective GCM authentication tag size is
   reduced by at most 12 bits.
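   The entries in the table that follows are produced by the bound
   above together with the GCM reduction.  The Python below is an added
   example, not code from the draft: it implements prob_success <=
   N_tries * 2^-N_tag_bits, derives the effective tag size (reducing
   the GCM tag by log2 of the number of 16-octet blocks, 12 bits for
   the 2^16-octet packet bound used in the text), and regenerates the
   table rows.  It goes slightly beyond the text by taking the maximum
   packet size as a parameter, so the reader can see how the GCM
   column moves for other packet-size bounds.  All function names are
   the example's own.

```python
"""Forgery-attempt arithmetic behind the tag-size discussion (Section 14.2).

Added example; not part of the draft.  Evaluates the bound
prob_success <= N_tries * 2^-N_tag_bits, with the GCM effective-tag
reduction of log2(number of 16-octet blocks per packet).
"""
import math

BLOCK = 16  # AES block size in octets


def effective_tag_bits(tag_octets: int, mode: str,
                       max_packet_octets: int = 1 << 16) -> int:
    """Tag strength in bits.  CCM keeps the full tag; GCM loses
    ceil(log2(blocks per packet)) bits, i.e. 12 for 2^16-octet packets."""
    if mode not in ("CCM", "GCM"):
        raise ValueError("mode must be CCM or GCM")
    bits = 8 * tag_octets
    if mode == "GCM":
        blocks = max(1, max_packet_octets // BLOCK)
        bits -= math.ceil(math.log2(blocks))
    return bits


def tries_for_probability(tag_octets: int, mode: str, log2_prob: int,
                          max_packet_octets: int = 1 << 16) -> int:
    """Number of forgery attempts at which the bound reaches 2^log2_prob
    (log2_prob is negative, e.g. -30).  Never fewer than one attempt:
    a single try already exceeds the target when the tag is too short."""
    exponent = effective_tag_bits(tag_octets, mode, max_packet_octets) + log2_prob
    return 1 if exponent <= 0 else 1 << exponent


def forgery_probability(tag_octets: int, mode: str, n_tries: int,
                        max_packet_octets: int = 1 << 16) -> float:
    """Upper bound on the chance that at least one of n_tries forgeries
    is accepted, regardless of how many keys those tries were spread over."""
    eff = effective_tag_bits(tag_octets, mode, max_packet_octets)
    return min(1.0, n_tries / 2 ** eff)


def forgery_table(tag_sizes=(4, 8, 12, 16), probs=(-30, -20, -10),
                  max_packet_octets: int = 1 << 16):
    """Rows of (tag octets, mode, effective bits, [tries per target prob])."""
    rows = []
    for t in tag_sizes:
        for mode in ("CCM", "GCM"):
            eff = effective_tag_bits(t, mode, max_packet_octets)
            tries = [tries_for_probability(t, mode, p, max_packet_octets)
                     for p in probs]
            rows.append((t, mode, eff, tries))
    return rows


def fmt_tries(n: int) -> str:
    """Render a power-of-two try count the way the table does."""
    return "1 try" if n == 1 else f"2^{n.bit_length() - 1} tries"


if __name__ == "__main__":
    for t, mode, eff, tries in forgery_table():
        print(f"{t:2d} octets {mode} eff={eff:3d} bits: "
              + "  ".join(fmt_tries(n) for n in tries))
    # Rekeying does not help: 2^32 tries against an 8-octet GCM tag
    # give a 2^-20 bound whether they hit one key or a thousand.
    print(forgery_probability(8, "GCM", 2 ** 32))
```

   Note the minimum of one try: for a 4-octet GCM tag the effective
   strength is only 20 bits, so a single forgery already has a better
   than 2^-20 chance, which is why that row reads "1 try".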
   +===========+=============+========================================+
   | Auth. Tag | Eff. Tag    |       Number of Forgery Attempts       |
   | Size      | Size        |       Needed to Achieve a Given        |
   | (octets)  | (bits)      |       Probability of Success           |
   |           |             +------------+-------------+-------------+
   |           |             | prob=2^-30 | prob=2^-20  | prob=2^-10  |
   |===========+=============+============+=============+=============|
   |           |  32 (CCM)   | 2^2 tries  | 2^12 tries  | 2^22 tries  |
   |     4     +-------------+------------+-------------+-------------+
   |           |  20 (GCM)   | 1 try      | 1 try       | 2^10 tries  |
   |===========+=============+============+=============+=============|
   |           |  64 (CCM)   | 2^34 tries | 2^44 tries  | 2^54 tries  |
   |     8     +-------------+------------+-------------+-------------+
   |           |  52 (GCM)   | 2^22 tries | 2^32 tries  | 2^42 tries  |
   |===========+=============+============+=============+=============|
   |           |  96 (CCM)   | 2^66 tries | 2^76 tries  | 2^86 tries  |
   |    12     +-------------+------------+-------------+-------------+
   |           |  84 (GCM)   | 2^54 tries | 2^64 tries  | 2^74 tries  |
   |===========+=============+============+=============+=============|
   |           | 128 (CCM)   | 2^98 tries | 2^108 tries | 2^118 tries |
   |    16     +-------------+------------+-------------+-------------+
   |           | 116 (GCM)   | 2^86 tries | 2^96 tries  | 2^106 tries |
   |===========+=============+============+=============+=============|

      Table 15: Number of forgery attempts needed to achieve a given
                probability of success for various tag sizes.

15. IANA Considerations

15.1. SDES

   SDP Security Descriptions [RFC4568] defines SRTP "crypto suites".  A
   crypto suite corresponds to a particular AEAD algorithm in SRTP.  In
   order to allow Security Descriptions to signal the use of the
   algorithms defined in this document, IANA will register the
   following crypto suites into the "SRTP Crypto Suite Registrations"
   subregistry of the "Session Description Protocol (SDP) Security
   Descriptions" registry.

   srtp-crypto-suite-ext = "AEAD_AES_128_GCM"    /
                           "AEAD_AES_256_GCM"    /
                           "AEAD_AES_128_GCM_8"  /
                           "AEAD_AES_256_GCM_8"  /
                           "AEAD_AES_128_GCM_12" /
                           "AEAD_AES_256_GCM_12" /
                           "AEAD_AES_128_CCM"    /
                           "AEAD_AES_256_CCM"    /
                           "AEAD_AES_128_CCM_8"  /
                           "AEAD_AES_256_CCM_8"  /
                           "AEAD_AES_128_CCM_12" /
                           "AEAD_AES_256_CCM_12" /
                           srtp-crypto-suite-ext

15.2. DTLS

   DTLS-SRTP [RFC5764] defines a DTLS-SRTP "SRTP Protection Profile".
   These also correspond to the use of an AEAD algorithm in SRTP.  In
   order to allow the use of the algorithms defined in this document in
   DTLS-SRTP, we request that IANA register the following SRTP
   Protection Profiles:

   AEAD_AES_128_GCM     = {TBD, TBD}
   AEAD_AES_256_GCM     = {TBD, TBD}
   AEAD_AES_128_GCM_8   = {TBD, TBD}
   AEAD_AES_256_GCM_8   = {TBD, TBD}
   AEAD_AES_128_GCM_12  = {TBD, TBD}
   AEAD_AES_256_GCM_12  = {TBD, TBD}
   AEAD_AES_128_CCM     = {TBD, TBD}
   AEAD_AES_256_CCM     = {TBD, TBD}
   AEAD_AES_128_CCM_8   = {TBD, TBD}
   AEAD_AES_256_CCM_8   = {TBD, TBD}
   AEAD_AES_128_CCM_12  = {TBD, TBD}
   AEAD_AES_256_CCM_12  = {TBD, TBD}

   Below we list the SRTP transform parameters for each of these
   protection profiles.  Unless separate parameters for SRTP and SRTCP
   are explicitly listed, these parameters apply to both SRTP and
   SRTCP.  Note that GCM with an 8-octet aead_auth_tag_length has a
   smaller than anticipated maximum lifetime (2^17 packets) due to the
   constraints imposed by NIST SP 800-38D, Appendix C [GCM].

   AEAD_AES_128_CCM
        cipher:                 AES_128_CCM
        cipher_key_length:      128 bits
        cipher_salt_length:     96 bits
        aead_auth_tag_length:   16 octets
        auth_function:          NULL
        auth_key_length:        N/A
        auth_tag_length:        N/A
        maximum lifetime:       at most 2^31 SRTCP packets and
                                at most 2^48 SRTP packets

   AEAD_AES_256_CCM
        cipher:                 AES_256_CCM
        cipher_key_length:      256 bits
        cipher_salt_length:     96 bits
        aead_auth_tag_length:   16 octets
        auth_function:          NULL
        auth_key_length:        N/A
        auth_tag_length:        N/A
        maximum lifetime:       at most 2^31 SRTCP packets and
                                at most 2^48 SRTP packets

   AEAD_AES_128_CCM_8
        cipher:                 AES_128_CCM
        cipher_key_length:      128 bits
        cipher_salt_length:     96 bits
        aead_auth_tag_length:   8 octets
        auth_function:          NULL
        auth_key_length:        N/A
        auth_tag_length:        N/A
        maximum lifetime:       at most 2^31 SRTCP packets and
                                at most 2^48 SRTP packets

   AEAD_AES_256_CCM_8
        cipher:                 AES_256_CCM
        cipher_key_length:      256 bits
        cipher_salt_length:     96 bits
        aead_auth_tag_length:   8 octets
        auth_function:          NULL
        auth_key_length:        N/A
        auth_tag_length:        N/A
        maximum lifetime:       at most 2^31 SRTCP packets and
                                at most 2^48 SRTP packets

   AEAD_AES_128_CCM_12
        cipher:                 AES_128_CCM
        cipher_key_length:      128 bits
        cipher_salt_length:     96 bits
        aead_auth_tag_length:   12 octets
        auth_function:          NULL
        auth_key_length:        N/A
        auth_tag_length:        N/A
        maximum lifetime:       at most 2^31 SRTCP packets and
                                at most 2^48 SRTP packets

   AEAD_AES_256_CCM_12
        cipher:                 AES_256_CCM
        cipher_key_length:      256 bits
        cipher_salt_length:     96 bits
        aead_auth_tag_length:   12 octets
        auth_function:          NULL
        auth_key_length:        N/A
        auth_tag_length:        N/A
        maximum lifetime:       at most 2^31 SRTCP packets and
                                at most 2^48 SRTP packets

   AEAD_AES_128_GCM
        cipher:                 AES_128_GCM
        cipher_key_length:      128 bits
        cipher_salt_length:     96 bits
        aead_auth_tag_length:   16 octets
        auth_function:          NULL
        auth_key_length:        N/A
        auth_tag_length:        N/A
        maximum lifetime:       at most 2^31 SRTCP packets and
                                at most 2^48 SRTP packets

   AEAD_AES_256_GCM
        cipher:                 AES_256_GCM
        cipher_key_length:      256 bits
        cipher_salt_length:     96 bits
        aead_auth_tag_length:   16 octets
        auth_function:          NULL
        auth_key_length:        N/A
        auth_tag_length:        N/A
        maximum lifetime:       at most 2^31 SRTCP packets and
                                at most 2^48 SRTP packets

   AEAD_AES_128_GCM_8
        cipher:                 AES_128_GCM
        cipher_key_length:      128 bits
        cipher_salt_length:     96 bits
        aead_auth_tag_length:   8 octets
        auth_function:          NULL
        auth_key_length:        N/A
        auth_tag_length:        N/A
        maximum lifetime:       at most 2^17 SRTCP packets and
                                at most 2^17 SRTP packets

   AEAD_AES_256_GCM_8
        cipher:                 AES_256_GCM
        cipher_key_length:      256 bits
        cipher_salt_length:     96 bits
        aead_auth_tag_length:   8 octets
        auth_function:          NULL
        auth_key_length:        N/A
        auth_tag_length:        N/A
        maximum lifetime:       at most 2^17 SRTCP packets and
                                at most 2^17 SRTP packets

   AEAD_AES_128_GCM_12
        cipher:                 AES_128_GCM
        cipher_key_length:      128 bits
        cipher_salt_length:     96 bits
        aead_auth_tag_length:   12 octets
        auth_function:          NULL
        auth_key_length:        N/A
        auth_tag_length:        N/A
        maximum lifetime:       at most 2^31 SRTCP packets and
                                at most 2^48 SRTP packets

   AEAD_AES_256_GCM_12
        cipher:                 AES_256_GCM
        cipher_key_length:      256 bits
        cipher_salt_length:     96 bits
        aead_auth_tag_length:   12 octets
        auth_function:          NULL
        auth_key_length:        N/A
        auth_tag_length:        N/A
        maximum lifetime:       at most 2^31 SRTCP packets and
                                at most 2^48 SRTP packets

   Note that these SRTP Protection Profiles do not specify an
   auth_function, auth_key_length, or auth_tag_length because all of
   these profiles use AEAD algorithms, and thus do not use a separate
   auth_function, auth_key, or auth_tag.  The term aead_auth_tag_length
   is used to emphasize that this refers to the authentication tag
   provided by the AEAD algorithm and that this tag is not located in
   the authentication tag field provided by SRTP/SRTCP.

15.3. MIKEY

   In accordance with "MIKEY: Multimedia Internet KEYing" [RFC3830],
   IANA maintains several subregistries under "Multimedia Internet
   KEYing (MIKEY) Payload Name Spaces".  This document requires
   additions to two of the MIKEY subregistries.

   In the "MIKEY Security Protocol Parameters" subregistry we request
   the following addition:

   Type | Meaning                        | Possible values
   ----------------------------------------------------------------
   TBD  | AEAD authentication tag length | 8, 12, or 16 (in octets)

   This list is, of course, intended for use with CCM and GCM.  It is
   conceivable that new AEAD algorithms introduced at some point in the
   future may require a different set of authentication tag lengths.

   In the "Encryption Algorithm" subregistry (derived from Table
   6.10.1.b of [RFC3830]) we request the following additions:

   SRTP encr  | Value | Default Session  | Default Auth.
   Algorithm  |       | Encr. Key Length | Tag Length
   -----------------------------------------------------------
   AES-CCM    | TBD   | 16 octets        | 16 octets
   AES-GCM    | TBD   | 16 octets        | 16 octets

   The SRTP encryption algorithm, session encryption key length, and
   AEAD authentication tag length values received from MIKEY fully
   determine the AEAD algorithm (e.g., AEAD_AES_256_GCM_8).  The exact
   mapping is described in Section 16.

15.4. AEAD registry

   We request that IANA make the following additions to the IANA
   "Authenticated Encryption with Associated Data (AEAD) Parameters"
   page's registry for "AEAD Algorithms":

   AEAD_AES_128_CCM_12 = TBD
   AEAD_AES_256_CCM_12 = TBD

16. Parameters for use with MIKEY

   MIKEY specifies the algorithm family separately from the key length
   (which is specified by the Session Encryption key length) and the
   authentication tag length (specified by the AEAD Auth. tag length).

   +---------------------+------------+-------------+-------------+
   | AEAD Algorithm      | Encryption | Encryption  | AEAD Auth.  |
   |                     | Algorithm  | Key Length  | Tag Length  |
   +=====================+============+=============+=============+
   | AEAD_AES_128_GCM    | AES-GCM    | 16 octets   | 16 octets   |
   +---------------------+------------+-------------+-------------+
   | AEAD_AES_128_CCM    | AES-CCM    | 16 octets   | 16 octets   |
   +---------------------+------------+-------------+-------------+
   | AEAD_AES_128_GCM_12 | AES-GCM    | 16 octets   | 12 octets   |
   +---------------------+------------+-------------+-------------+
   | AEAD_AES_128_CCM_12 | AES-CCM    | 16 octets   | 12 octets   |
   +---------------------+------------+-------------+-------------+
   | AEAD_AES_128_GCM_8  | AES-GCM    | 16 octets   |  8 octets   |
   +---------------------+------------+-------------+-------------+
   | AEAD_AES_128_CCM_8  | AES-CCM    | 16 octets   |  8 octets   |
   +---------------------+------------+-------------+-------------+
   | AEAD_AES_256_GCM    | AES-GCM    | 32 octets   | 16 octets   |
   +---------------------+------------+-------------+-------------+
   | AEAD_AES_256_CCM    | AES-CCM    | 32 octets   | 16 octets   |
   +---------------------+------------+-------------+-------------+
   | AEAD_AES_256_GCM_12 | AES-GCM    | 32 octets   | 12 octets   |
   +---------------------+------------+-------------+-------------+
   | AEAD_AES_256_CCM_12 | AES-CCM    | 32 octets   | 12 octets   |
   +---------------------+------------+-------------+-------------+
   | AEAD_AES_256_GCM_8  | AES-GCM    | 32 octets   |  8 octets   |
   +---------------------+------------+-------------+-------------+
   | AEAD_AES_256_CCM_8  | AES-CCM    | 32 octets   |  8 octets   |
   +=====================+============+=============+=============+

            Table 16: Mapping MIKEY parameters to AEAD algorithm

   Section 12 of this document restricts the choice of Key Derivation
   Function for AEAD algorithms.  To enforce this restriction in MIKEY,
   we require that the SRTP PRF have the value AES-CM whenever an AEAD
   algorithm is used.  Note that, according to Section 6.10.1 of
   [RFC3830], the input key length of the Key Derivation Function
   (i.e., the SRTP master key length) is always equal to the session
   encryption key length.  This means, for example, that
   AEAD_AES_256_GCM will use AES_256_CM_PRF as the Key Derivation
   Function.

17. Acknowledgements

   The authors would like to thank Michael Peck, Michael Torla, Qin Wu,
   Magnus Westerlund, Oscar Ohlsson, Woo-Hwan Kim, John Mattsson,
   Richard Barnes, and many other reviewers who provided valuable
   comments on earlier drafts of this document.

18. References

18.1. Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC3550]  Schulzrinne, H., Casner, S., Frederick, R., and V.
              Jacobson, "RTP: A Transport Protocol for Real-Time
              Applications", STD 64, RFC 3550, July 2003.

   [RFC3610]  Whiting, D., Housley, R., and N. Ferguson, "Counter with
              CBC-MAC (CCM)", RFC 3610, September 2003.

   [RFC3711]  Baugher, M., McGrew, D., Naslund, M., Carrara, E., and
              K. Norrman, "The Secure Real-time Transport Protocol
              (SRTP)", RFC 3711, March 2004.

   [RFC3830]  Arkko, J., Carrara, E., Lindholm, F., Naslund, M., and
              K. Norrman, "MIKEY: Multimedia Internet KEYing", RFC 3830,
              August 2004.

   [RFC4568]  Andreasen, F., Baugher, M., and D. Wing, "Session
              Description Protocol (SDP) Security Descriptions for
              Media Streams", RFC 4568, July 2006.

   [RFC5116]  McGrew, D., "An Interface and Algorithms for
              Authenticated Encryption", RFC 5116, January 2008.

   [RFC5282]  Black, D. and D. McGrew, "Using Authenticated Encryption
              Algorithms with the Encrypted Payload of the Internet Key
              Exchange version 2 (IKEv2) Protocol", RFC 5282,
              August 2008.

   [RFC5764]  McGrew, D. and E. Rescorla, "Datagram Transport Layer
              Security (DTLS) Extension to Establish Keys for the Secure
              Real-time Transport Protocol (SRTP)", RFC 5764, May 2010.

   [RFC6188]  McGrew, D., "The Use of AES-192 and AES-256 in Secure
              RTP", RFC 6188, March 2011.

   [RFC6655]  McGrew, D. and D. Bailey, "AES-CCM Cipher Suites for
              Transport Layer Security (TLS)", RFC 6655, July 2012.

   [RFC6904]  Lennox, J., "Encryption of Header Extensions in the Secure
              Real-time Transport Protocol (SRTP)", RFC 6904,
              January 2013.

18.2. Informative References

   [BN00]     Bellare, M. and C. Namprempre, "Authenticated encryption:
              Relations among notions and analysis of the generic
              composition paradigm", Proceedings of ASIACRYPT 2000,
              Springer-Verlag, LNCS 1976, pp. 531-545,
              http://www-cse.ucsd.edu/users/mihir/papers/oem.html.

   [GCM]      Dworkin, M., "NIST Special Publication 800-38D:
              Recommendation for Block Cipher Modes of Operation:
              Galois/Counter Mode (GCM) and GMAC", U.S. National
              Institute of Standards and Technology,
              http://csrc.nist.gov/publications/nistpubs/800-38D/SP800-38D.pdf.

   [R02]      Rogaway, P., "Authenticated encryption with Associated-
              Data", ACM Conference on Computer and Communications
              Security (CCS'02), pp. 98-107, ACM Press, 2002,
              http://www.cs.ucdavis.edu/~rogaway/papers/ad.html.

   [RFC2675]  Borman, D., Deering, S., and R. Hinden, "IPv6
              Jumbograms", RFC 2675, August 1999.

   [RFC4771]  Lehtovirta, V., Naslund, M., and K. Norrman, "Integrity
              Transform Carrying Roll-Over Counter for the Secure Real-
              time Transport Protocol (SRTP)", RFC 4771, January 2007.

Authors' Addresses

   David A. McGrew
   Cisco Systems, Inc.
   510 McCarthy Blvd.
   Milpitas, CA 95035
   US

   Phone: (408) 525 8651
   Email: mcgrew@cisco.com
   URI:   http://www.mindspring.com/~dmcgrew/dam.htm


   Kevin M. Igoe
   NSA/CSS Commercial Solutions Center
   National Security Agency

   EMail: kmigoe@nsa.gov

Acknowledgement

   Funding for the RFC Editor function is provided by the IETF
   Administrative Support Activity (IASA).