AVTCore                                                           W. Kim
Internet-Draft                                                    J. Lee
Intended status: Standards Track                                  D. Kim
Expires: August 25, 2012                                         J. Park
                                                                 D. Kwon
                                                                    NSRI
                                                       February 22, 2012


     The ARIA Algorithm and Its Use with the Secure Real-time Transport
                             Protocol (SRTP)
                     draft-nsri-avtcore-aria-srtp-00

Abstract

   This document describes the use of the ARIA block cipher algorithm
   within the Secure Real-time Transport Protocol (SRTP) for providing
   confidentiality for Real-time Transport Protocol (RTP) traffic and
   for the control traffic for RTP, the Real-time Transport Control
   Protocol (RTCP).  It defines three modes of operation (CTR, CCM and
   GCM) and an SRTP key derivation function (PRF) based on ARIA.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current
   Internet-Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on August 25, 2012.

Copyright Notice

   Copyright (c) 2012 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.
Table of Contents

   1.  Introduction
       1.1.  ARIA
       1.2.  Terminology
   2.  Cryptographic Transforms
       2.1.  ARIA-CTR
       2.2.  ARIA-CCM and ARIA-GCM
   3.  ARIA-CTR PRF
   4.  Security Considerations
   5.  IANA Considerations
   6.  References
       6.1.  Normative References
       6.2.  Informative References

1.  Introduction

   This document describes the use of the ARIA [RFC5794] block cipher
   algorithm in the Secure Real-time Transport Protocol (SRTP) [RFC3711]
   for providing confidentiality for Real-time Transport Protocol (RTP)
   [RFC3550] traffic and for the control traffic for RTP, the Real-time
   Transport Control Protocol (RTCP) [RFC3550].

1.1.  ARIA

   ARIA is a general-purpose block cipher developed by Korean
   cryptographers in 2003.  It is an iterated block cipher with 128-,
   192-, and 256-bit keys that encrypts 128-bit blocks in 12, 14, and 16
   rounds respectively, depending on the key size.  No practical attack
   on it is known (see Section 4), and it is suitable for most software
   and hardware implementations on 32-bit and 8-bit processors.  It was
   established as a Korean standard block cipher algorithm in 2004
   [ARIAKS] and has been widely used in Korea, especially for
   government-to-public services.  It was included in PKCS #11 in 2007
   [ARIAPKCS].  The algorithm specification and object identifiers are
   given in [RFC5794].

1.2.  Terminology

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].

2.  Cryptographic Transforms

   ARIA and AES share the same interface: a 128-bit block and 128-,
   192-, or 256-bit keys.  ARIA places no restrictions on the modes of
   operation it may be used with, so every mode defined for AES can be
   used with ARIA unchanged.  This document defines three ways of
   running ARIA within SRTP: (1) ARIA in Counter Mode, (2) ARIA in
   Counter with CBC-MAC (CCM) Mode, and (3) ARIA in Galois/Counter Mode
   (GCM).

2.1.  ARIA-CTR

   Section 4.1.1 of [RFC3711] defines AES-128 counter mode encryption,
   which it refers to as "AES_CM".  Section 2 of [RFC6188] defines
   "AES_192_CM" and "AES_256_CM" in SRTP.  ARIA counter modes are
   defined in the same manner and are denoted ARIA_128_CTR,
   ARIA_192_CTR, and ARIA_256_CTR according to the key length.  The
   counter blocks fed to the block cipher are formed exactly as in
   AES-CTR (AES_CM, AES_192_CM, AES_256_CM), and the block cipher
   outputs are processed exactly as in AES-CTR.  The only difference is
   that ARIA-CTR uses ARIA as the underlying encryption primitive.

   Counter mode provides confidentiality only; flipping a bit of the
   ciphertext flips the corresponding plaintext bit without detection.
   When ARIA-CTR is used, it MUST therefore be used only in conjunction
   with an authentication function.

   The ARIA-CTR ciphersuites with HMAC-SHA1 as the authentication
   function are listed below.  For each ciphersuite, the authentication
   key size is 20 octets.

   Name                        Enc. Key Size   Auth. Tag Size
   ==========================================================
   ARIA_128_CTR_HMAC_SHA1_80   16 octets       10 octets
   ARIA_128_CTR_HMAC_SHA1_32   16 octets        4 octets
   ARIA_192_CTR_HMAC_SHA1_80   24 octets       10 octets
   ARIA_192_CTR_HMAC_SHA1_32   24 octets        4 octets
   ARIA_256_CTR_HMAC_SHA1_80   32 octets       10 octets
   ARIA_256_CTR_HMAC_SHA1_32   32 octets        4 octets

            Figure 1: ARIA-CTR algorithms for SRTP/SRTCP

2.2.  ARIA-CCM and ARIA-GCM

   CCM (Counter with CBC-MAC) [RFC3610] and GCM (Galois/Counter Mode)
   [GCM] are AEAD (authenticated encryption with associated data) block
   cipher modes.  ARIA-CCM and ARIA-GCM are defined in the same way as
   AES-CCM and AES-GCM, with ARIA substituted for AES.

   [I-D.mcgrew-tls-aes-ccm] describes the use of AES-GCM and AES-CCM
   with SRTP.  ARIA-CCM and ARIA-GCM are used with SRTP in exactly the
   same way as AES-CCM and AES-GCM; only the underlying block cipher
   differs.

   The following members of the ARIA-GCM family may be used with
   SRTP/SRTCP:

   Name                   Key Size    Auth. Tag Size
   ==================================================
   AEAD_ARIA_128_GCM      16 octets   16 octets
   AEAD_ARIA_256_GCM      32 octets   16 octets
   AEAD_ARIA_128_GCM_8    16 octets    8 octets
   AEAD_ARIA_256_GCM_8    32 octets    8 octets
   AEAD_ARIA_128_GCM_12   16 octets   12 octets
   AEAD_ARIA_256_GCM_12   32 octets   12 octets

            Figure 2: ARIA-GCM algorithms for SRTP/SRTCP

   The following members of the ARIA-CCM family may be used with
   SRTP/SRTCP:

   Name                   Key Size    Auth. Tag Size
   ==================================================
   AEAD_ARIA_128_CCM      16 octets   16 octets
   AEAD_ARIA_256_CCM      32 octets   16 octets

            Figure 3: ARIA-CCM algorithms for SRTP/SRTCP

3.  ARIA-CTR PRF

   Section 4.3.3 of [RFC3711] defines the AES-128 counter mode key
   derivation function, which it refers to as "AES-CM PRF".
   Section 3 of [RFC6188] defines the AES-192 and AES-256 counter mode
   key derivation functions, which it refers to as "AES_192_CM_PRF" and
   "AES_256_CM_PRF" respectively.  The ARIA-CTR PRF is defined in the
   same manner, with each invocation of AES replaced by an invocation of
   ARIA.  According to the key length of the underlying block cipher,
   the ARIA-CTR PRFs are denoted "ARIA_128_CTR_PRF", "ARIA_192_CTR_PRF",
   and "ARIA_256_CTR_PRF".  The usage requirements of [RFC6188]
   regarding the AES-CM PRF apply to the ARIA-CTR PRF as well.  Each
   ARIA ciphersuite for SRTP uses the ARIA-CTR PRF whose key length
   equals that of its encryption algorithm; for example, a suite
   encrypting with ARIA_256_CTR derives its session keys with
   ARIA_256_CTR_PRF.

4.  Security Considerations

   At the time of writing, no security weakness has been found in
   (full-round) ARIA.  Published cryptanalysis such as the
   meet-in-the-middle attack of [TSL] applies only to reduced-round
   variants of the cipher.

   The security considerations in [RFC3610], [GCM], [RFC3711],
   [RFC6188], and [I-D.mcgrew-tls-aes-ccm] apply to this document as
   well.

5.  IANA Considerations

   [RFC4568] defines SRTP "crypto suites".  In order to allow SDP to
   signal the use of the algorithms defined in this document, IANA is
   requested to register the following crypto suites in the sub-registry
   for SRTP crypto suites under the SRTP transport of the SDP Security
   Descriptions:

      srtp-crypto-suite-ext = "ARIA_128_CTR_HMAC_SHA1_80" /
                              "ARIA_128_CTR_HMAC_SHA1_32" /
                              "ARIA_192_CTR_HMAC_SHA1_80" /
                              "ARIA_192_CTR_HMAC_SHA1_32" /
                              "ARIA_256_CTR_HMAC_SHA1_80" /
                              "ARIA_256_CTR_HMAC_SHA1_32" /
                              "AEAD_ARIA_128_GCM" /
                              "AEAD_ARIA_256_GCM" /
                              "AEAD_ARIA_128_GCM_8" /
                              "AEAD_ARIA_256_GCM_8" /
                              "AEAD_ARIA_128_GCM_12" /
                              "AEAD_ARIA_256_GCM_12" /
                              "AEAD_ARIA_128_CCM" /
                              "AEAD_ARIA_256_CCM" /
                              srtp-crypto-suite-ext

   DTLS-SRTP [RFC5764] defines a DTLS-SRTP "SRTP Protection Profile".
   In order to allow the use of the algorithms defined in this document
   in DTLS-SRTP, IANA will also register the following SRTP Protection
   Profiles:

      SRTP_ARIA_128_CTR_HMAC_SHA1_80 = {TBD,TBD};
      SRTP_ARIA_128_CTR_HMAC_SHA1_32 = {TBD,TBD};
      SRTP_ARIA_192_CTR_HMAC_SHA1_80 = {TBD,TBD};
      SRTP_ARIA_192_CTR_HMAC_SHA1_32 = {TBD,TBD};
      SRTP_ARIA_256_CTR_HMAC_SHA1_80 = {TBD,TBD};
      SRTP_ARIA_256_CTR_HMAC_SHA1_32 = {TBD,TBD};
      SRTP_AEAD_ARIA_128_GCM         = {TBD,TBD};
      SRTP_AEAD_ARIA_256_GCM         = {TBD,TBD};
      SRTP_AEAD_ARIA_128_GCM_8       = {TBD,TBD};
      SRTP_AEAD_ARIA_256_GCM_8       = {TBD,TBD};
      SRTP_AEAD_ARIA_128_GCM_12      = {TBD,TBD};
      SRTP_AEAD_ARIA_256_GCM_12      = {TBD,TBD};
      SRTP_AEAD_ARIA_128_CCM         = {TBD,TBD};
      SRTP_AEAD_ARIA_256_CCM         = {TBD,TBD};

   [RFC3830] and [RFC5748] define encryption algorithms and PRFs for the
   SRTP policy in MIKEY.  In order to allow the use of the algorithms
   defined in this document in MIKEY, IANA is requested to allocate the
   following numbers in the MIKEY sub-registries.

      SRTP Enc. alg    | Value
      -----------------+---------
      NULL             | 0
      AES-CM           | 1
      AES-F8           | 2
      SEED-CTR         | 3
      SEED-CCM         | 4
      SEED-GCM         | 5
      ARIA-128-CTR     | 6 (NEW)
      ARIA-128-CCM     | 7 (NEW)
      ARIA-128-GCM     | 8 (NEW)
      ARIA-128-GCM-8   | 9 (NEW)
      ARIA-128-GCM-12  | 10 (NEW)

            Figure 4: Figure 1 from RFC 5748 (revised)

      SRTP PRF         | Value
      -----------------+---------
      AES-CM           | 0
      SEED-CTR         | 1
      ARIA-128-CTR     | 2 (NEW)

            Figure 5: Figure 2 from RFC 5748 (revised)

6.  References

6.1.  Normative References

   [GCM]      Dworkin, M., "Recommendation for Block Cipher Modes of
              Operation: Galois/Counter Mode (GCM) and GMAC", NIST SP
              800-38D, November 2007.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC3550]  Schulzrinne, H., Casner, S., Frederick, R., and V.
              Jacobson, "RTP: A Transport Protocol for Real-Time
              Applications", STD 64, RFC 3550, July 2003.

   [RFC3711]  Baugher, M., McGrew, D., Naslund, M., Carrara, E., and K.
              Norrman, "The Secure Real-time Transport Protocol (SRTP)",
              RFC 3711, March 2004.

   [RFC3830]  Arkko, J., Carrara, E., Lindholm, F., Naslund, M., and K.
              Norrman, "MIKEY: Multimedia Internet KEYing", RFC 3830,
              August 2004.

   [RFC4568]  Andreasen, F., Baugher, M., and D. Wing, "Session
              Description Protocol (SDP) Security Descriptions for Media
              Streams", RFC 4568, July 2006.

   [RFC5764]  McGrew, D. and E. Rescorla, "Datagram Transport Layer
              Security (DTLS) Extension to Establish Keys for the Secure
              Real-time Transport Protocol (SRTP)", RFC 5764, May 2010.

   [RFC6188]  McGrew, D., "The Use of AES-192 and AES-256 in Secure
              RTP", RFC 6188, March 2011.

6.2.  Informative References

   [ARIAKS]   Korean Agency for Technology and Standards, "128 bit block
              encryption algorithm ARIA - Part 1: General (in Korean)",
              KS X 1213-1:2009, December 2009.

   [ARIAPKCS] RSA Laboratories, "Additional PKCS #11 Mechanisms", PKCS
              #11 v2.20 Amendment 3 Revision 1, January 2007.

   [I-D.mcgrew-tls-aes-ccm]
              McGrew, D. and D. Bailey, "AES-CCM Cipher Suites for TLS",
              draft-mcgrew-tls-aes-ccm-03 (work in progress), February
              2012.

   [RFC3610]  Whiting, D., Housley, R., and N. Ferguson, "Counter with
              CBC-MAC (CCM)", RFC 3610, September 2003.

   [RFC5748]  Yoon, S., Jeong, J., Kim, H., Jeong, H., and Y. Won, "IANA
              Registry Update for Support of the SEED Cipher Algorithm
              in Multimedia Internet KEYing (MIKEY)", RFC 5748, August
              2010.

   [RFC5794]  Lee, J., Lee, J., Kim, J., Kwon, D., and C. Kim, "A
              Description of the ARIA Encryption Algorithm", RFC 5794,
              March 2010.

   [TSL]      Tang, X., Sun, B., Li, R., Li, C., and J. Yin, "A
              meet-in-the-middle attack on reduced-round ARIA", The
              Journal of Systems and Software, Vol. 84(10), pp.
              1685-1692, October 2011.

Authors' Addresses

   Woo-Hwan Kim
   National Security Research Institute
   P.O.Box 1, Yuseong
   Daejeon 305-350
   Korea

   EMail: whkim5@ensec.re.kr


   Jungkeun Lee
   National Security Research Institute
   P.O.Box 1, Yuseong
   Daejeon 305-350
   Korea

   EMail: jklee@ensec.re.kr


   Dong-Chan Kim
   National Security Research Institute
   P.O.Box 1, Yuseong
   Daejeon 305-350
   Korea

   EMail: dongchan@ensec.re.kr


   Je-Hong Park
   National Security Research Institute
   P.O.Box 1, Yuseong
   Daejeon 305-350
   Korea

   EMail: jhpark@ensec.re.kr


   Daesung Kwon
   National Security Research Institute
   P.O.Box 1, Yuseong
   Daejeon 305-350
   Korea

   EMail: ds_kwon@ensec.re.kr
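Worked example (added by the editor; not part of this draft and not
NSRI's implementation).  Sections 2.1 and 3 say that ARIA-CTR and the
ARIA-CTR PRF are AES_CM and the AES-CM PRF with the block cipher swapped,
so the code below writes the two constructions those sections inherit
from [RFC3711] with the block cipher as a parameter: the packet counter
block IV = (k_s * 2^16) XOR (SSRC * 2^64) XOR (i * 2^16), and the key
derivation input block x * 2^16 with x = (label || r) XOR master_salt,
right-aligned.  The stand-in block function is a labelled placeholder
(SHA-256 truncated to one block), not ARIA and not a block cipher; the
master key and salt are the Appendix B inputs of RFC 3711 used only as
sample input, and the SSRC, sequence number and payload are constructed.

```python
"""SRTP counter-mode building blocks (RFC 3711 Sections 4.1.1 and 4.3.1-4.3.3)
with the block cipher injected, so ARIA can stand where AES_CM uses AES.

Added illustration; not code from draft-nsri-avtcore-aria-srtp or NSRI.
standin_block_encrypt is NOT ARIA and not even a block cipher: it exists
only so the construction runs offline.  Plug in a single-block ARIA
encryption (OpenSSL 1.1.1 and later ship ARIA) for real use.
"""
import hashlib
from typing import Callable

BLOCK = 16  # ARIA and AES both have a 128-bit block
# (key, one 16-octet block) -> one 16-octet block
BlockEncrypt = Callable[[bytes, bytes], bytes]

# Sample input only: master key/salt from RFC 3711 Appendix B.  Outputs under
# the stand-in function are of course not the RFC's test vectors.
MASTER_KEY = bytes.fromhex("E1F97A0D3E018BE0D64FA32C06DE4139")
MASTER_SALT = bytes.fromhex("0EC675AD498AFEEBB6960B3AABE6")
LABEL_SRTP_ENC, LABEL_SRTP_AUTH, LABEL_SRTP_SALT = 0x00, 0x01, 0x02


def standin_block_encrypt(key: bytes, block: bytes) -> bytes:
    """Demonstration stand-in for ARIA: SHA-256(key || block) truncated."""
    assert len(block) == BLOCK
    return hashlib.sha256(key + block).digest()[:BLOCK]


def ctr_keystream(enc: BlockEncrypt, key: bytes, iv: bytes, n: int) -> bytes:
    """Counter mode as in AES_CM: E(IV), E(IV+1), ...  Only the 16-bit
    counter in the last two octets increments (mod 2^16), per RFC 3711."""
    assert len(iv) == BLOCK
    prefix, ctr0 = iv[:14], int.from_bytes(iv[14:], "big")
    out = bytearray()
    for i in range(-(-n // BLOCK)):  # ceil(n / 16) blocks
        ctr = (ctr0 + i) & 0xFFFF
        out += enc(key, prefix + ctr.to_bytes(2, "big"))
    return bytes(out[:n])


def srtp_ctr_iv(session_salt: bytes, ssrc: int, roc: int, seq: int) -> bytes:
    """RFC 3711 4.1.1: IV = (k_s * 2^16) XOR (SSRC * 2^64) XOR (i * 2^16),
    with i = ROC || SEQ the 48-bit packet index and k_s the 112-bit salt."""
    assert len(session_salt) == 14 and ssrc < 2**32 and roc < 2**32 and seq < 2**16
    index = (roc << 16) | seq
    iv = (int.from_bytes(session_salt, "big") << 16) ^ (ssrc << 64) ^ (index << 16)
    return iv.to_bytes(BLOCK, "big")


def kdf_input_block(master_salt: bytes, label: int, index: int, kdr: int) -> bytes:
    """RFC 3711 4.3.1: r = index DIV kdr (0 when kdr = 0), key_id = label || r,
    x = key_id XOR master_salt right-aligned; the PRF input block is x * 2^16."""
    assert len(master_salt) == 14 and 0 <= label < 256
    r = index // kdr if kdr else 0
    key_id = (label << 48) | (r & (2**48 - 1))  # 8-bit label, 48-bit r
    x = int.from_bytes(master_salt, "big") ^ key_id
    return (x << 16).to_bytes(BLOCK, "big")


def derive_session_key(enc, master_key, master_salt, label, index, kdr, n):
    """The *_CTR_PRF: n octets of counter-mode output under the master key.
    The master key length selects ARIA_128/192/256_CTR_PRF (RFC 6188 rule)."""
    iv = kdf_input_block(master_salt, label, index, kdr)
    return ctr_keystream(enc, master_key, iv, n)


def ctr_xor(enc, session_key, session_salt, ssrc, roc, seq, data):
    """Encrypt or decrypt an RTP payload.  Confidentiality only: flipping a
    ciphertext bit flips the same plaintext bit, which is why the draft
    says ARIA-CTR MUST be paired with an authentication function."""
    ks = ctr_keystream(enc, session_key,
                       srtp_ctr_iv(session_salt, ssrc, roc, seq), len(data))
    return bytes(d ^ k for d, k in zip(data, ks))


def demo(enc: BlockEncrypt = standin_block_encrypt) -> dict:
    """Derive ARIA_128_CTR_HMAC_SHA1_80 session keys and protect one packet."""
    k_e = derive_session_key(enc, MASTER_KEY, MASTER_SALT, LABEL_SRTP_ENC, 0, 0, 16)
    k_a = derive_session_key(enc, MASTER_KEY, MASTER_SALT, LABEL_SRTP_AUTH, 0, 0, 20)
    k_s = derive_session_key(enc, MASTER_KEY, MASTER_SALT, LABEL_SRTP_SALT, 0, 0, 14)
    ssrc, roc, seq = 0xDEADBEEF, 0, 0x1234  # constructed packet identity
    payload = b"constructed RTP payload"
    ct = ctr_xor(enc, k_e, k_s, ssrc, roc, seq, payload)
    tampered = bytes([ct[0] ^ 0x01]) + ct[1:]  # one flipped ciphertext bit
    return {
        "k_e": k_e, "k_a": k_a, "k_s": k_s,
        "plaintext": payload,
        "ciphertext": ct,
        "decrypted": ctr_xor(enc, k_e, k_s, ssrc, roc, seq, ct),
        "tampered_plain": ctr_xor(enc, k_e, k_s, ssrc, roc, seq, tampered),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:15} {value.hex()}")
```

Running the file prints the three derived session keys (16-octet
encryption key, 20-octet authentication key, 14-octet session salt) and
shows that one flipped ciphertext bit decrypts to exactly one flipped
plaintext bit, which is the property that makes the authentication
function mandatory.  The key derivation input blocks for labels 0x00,
0x01 and 0x02 match the ones RFC 3711 Appendix B lists for this master
salt, independently of the cipher plugged in.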