< draft-ietf-msec-srtp-tesla-03.txt   draft-ietf-msec-srtp-tesla-04.txt >
Internet Engineering Task Force Baugher (Cisco) Internet Engineering Task Force Baugher (Cisco)
MSEC Working Group Carrara (Ericsson) MSEC Working Group Carrara (Ericsson)
INTERNET-DRAFT INTERNET-DRAFT
EXPIRES: August 2005 February 2005 EXPIRES: March 2006 September 2005
The Use of TESLA in SRTP The Use of TESLA in SRTP
<draft-ietf-msec-srtp-tesla-03.txt> <draft-ietf-msec-srtp-tesla-04.txt>
Status of this memo Status of this memo
By submitting this Internet-Draft, the authors certify that any By submitting this Internet-Draft, each author represents
applicable patent or other IPR claims of which I am (we are) aware that any applicable patent or other IPR claims of which he
have been disclosed, and any of which I (we) become aware will be or she is aware have been or will be disclosed, and any of
disclosed, in accordance with RFC 3668 (BCP 79). which he or she becomes aware will be disclosed, in
accordance with Section 6 of BCP 79.
By submitting this Internet-Draft, the authors accept the provisions
of Section 3 of RFC 3667 (BCP 78).
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as Internet- other groups may also distribute working documents as Internet-
Drafts. Drafts.
Internet-Drafts are draft documents valid for a maximum of six Internet-Drafts are draft documents valid for a maximum of six
months and may be updated, replaced, or obsoleted by other documents months and may be updated, replaced, or obsoleted by other documents
at any time. It is inappropriate to use Internet-Drafts as at any time. It is inappropriate to use Internet-Drafts as
reference material or cite them other than as "work in progress". reference material or cite them other than as "work in progress".
The list of current Internet-Drafts can be accessed at The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt http://www.ietf.org/ietf/1id-abstracts.txt
The list of Internet-Draft Shadow Directories can be accessed at The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html http://www.ietf.org/shadow.html
Copyright Notice
Copyright (C) The Internet Society (2005). All Rights Reserved.
Abstract Abstract
This memo describes the use of the Timed Efficient Stream loss- This memo describes the use of the Timed Efficient Stream loss-
tolerant Authentication (TESLA) transform within the Secure Real- tolerant Authentication (TESLA) transform within the Secure Real-
time Transport Protocol (SRTP), to provide data origin time Transport Protocol (SRTP), to provide data origin
authentication for multicast and broadcast data streams. authentication for multicast and broadcast data streams.
TABLE OF CONTENTS TABLE OF CONTENTS
1. Introduction...................................................2 1. Introduction...................................................2
1.1. Notational Conventions.......................................3 1.1. Notational Conventions.......................................3
2. SRTP...........................................................3 2. SRTP...........................................................3
3. TESLA..........................................................4 3. TESLA..........................................................4
4. Usage of TESLA within SRTP.....................................4 4. Usage of TESLA within SRTP.....................................4
4.1. The TESLA extension..........................................4 4.1. The TESLA extension..........................................4
4.2. SRTP Packet Format...........................................5 4.2. SRTP Packet Format...........................................5
4.3. Extension of the SRTP Cryptographic Context..................7 4.3. Extension of the SRTP Cryptographic Context..................7
4.4. SRTP Processing..............................................8 4.4. SRTP Processing..............................................8
4.4.1 Sender Processing...........................................8 4.4.1 Sender Processing...........................................9
4.4.2 Receiver Processing.........................................9 4.4.2 Receiver Processing.........................................9
4.5. SRTCP Packet Format.........................................10 4.5. SRTCP Packet Format.........................................10
4.6. TESLA MAC...................................................12 4.6. TESLA MAC...................................................12
4.7. PRFs........................................................12 4.7. PRFs........................................................13
5. TESLA Bootstrapping and Cleanup...............................13 5. TESLA Bootstrapping and Cleanup...............................13
6. SRTP TESLA Default parameters.................................13 6. SRTP TESLA Default parameters.................................13
6.2 Transform-dependent Parameters for TESLA MAC.................14 6.2 Transform-dependent Parameters for TESLA MAC.................14
7. Security Considerations.......................................15 7. Security Considerations.......................................15
8. IANA Considerations...........................................15 8. IANA Considerations...........................................16
9. Acknowledgements..............................................15 9. Acknowledgements..............................................16
10. Author's Addresses...........................................15 10. Author's Addresses...........................................16
11. References...................................................16 11. References...................................................16
1. Introduction 1. Introduction
Multicast and broadcast communications introduce some new security Multicast and broadcast communications introduce some new security
challenges compared to unicast communication. Many multicast and challenges compared to unicast communication. Many multicast and
broadcast applications need "data origin authentication" (DOA), or broadcast applications need "data origin authentication" (DOA), or
"source authentication", in order to guarantee that a received "source authentication", in order to guarantee that a received
message had originated from a given source, and was not manipulated message had originated from a given source, and was not manipulated
during the transmission. In unicast communication, a pairwise during the transmission. In unicast communication, a pairwise
skipping to change at page 7, line 6 skipping to change at page 7, line 6
As in SRTP, the "Encrypted Portion" of an SRTP packet consists of As in SRTP, the "Encrypted Portion" of an SRTP packet consists of
the encryption of the RTP payload (including RTP padding when the encryption of the RTP payload (including RTP padding when
present) of the equivalent RTP packet. present) of the equivalent RTP packet.
The "Authenticated Portion" of an SRTP packet consists of the RTP The "Authenticated Portion" of an SRTP packet consists of the RTP
header, the Encrypted Portion of the SRTP packet, and the TESLA header, the Encrypted Portion of the SRTP packet, and the TESLA
authentication extension. Note that the definition is extended from authentication extension. Note that the definition is extended from
[RFC3711] by the inclusion of the TESLA authentication extension. [RFC3711] by the inclusion of the TESLA authentication extension.
The "TESLA Authenticated Portion" of an SRTP packet consists of the The "TESLA Authenticated Portion" of an SRTP packet consists of the
RTP header and the Encrypted Portion of the SRTP packet. RTP header and the Encrypted Portion of the SRTP packet. As shown in
Figure 2, SRTP HMAC-SHA1 covers up to the MKI field but does not
include MKI. SRTP does not cover the MKI field (because it does not
need to be covered for SRTP packet integrity). In order to make the
two tags (SRTP-TESLA and SRTP-HMAC_SHA1) contiguous, we would need
to redefine the SRTP specification to include the MKI in HMAC-SHA1
coverage. This change is impossible and so the MKI field separates
the TESLA MAC from the SRTP MAC in the packet layout of Figure 2.
This change to the packet format presents no problem to an
implementation that supports the new SRTP-TESLA authentication
transform.
4.3. Extension of the SRTP Cryptographic Context 4.3. Extension of the SRTP Cryptographic Context
When TESLA is used, the definition of cryptographic context in When TESLA is used, the definition of cryptographic context in
Section 3.2 of SRTP SHALL include the following extensions. Section 3.2 of SRTP SHALL include the following extensions.
Transform-independent Parameter
a flag indicating the use of TESLA in SRTP. When this bit is set,
the following TESLA transform-dependent parameters define the
particular TESLA configuration (see [TESLA] for the TESLA-
parameter definition).
Transform-dependent Parameters Transform-dependent Parameters
1. an identifier for the PRF, f, implementing the one-way function 1. an identifier for the PRF, f, implementing the one-way function
F(x) in TESLA (to derive the keys in the chain), e.g. to F(x) in TESLA (to derive the keys in the chain), e.g. to
indicate HMAC-SHA1, see Section 6.2 for the default value. indicate HMAC-SHA1, see Section 6.2 for the default value.
2. a non-negative integer n_p, determining the length of the F 2. a non-negative integer n_p, determining the length of the F
output, i.e. the length of the keys in the chain (that is also output, i.e. the length of the keys in the chain (that is also
the key disclosed in an SRTP packet), see Section 6.2 for the the key disclosed in an SRTP packet), see Section 6.2 for the
default value. default value.
skipping to change at page 15, line 13 skipping to change at page 15, line 26
where M' is as specified in Section 4.6. where M' is as specified in Section 4.6.
7. Security Considerations 7. Security Considerations
Denial of Service (DoS) attacks on delayed authentication are Denial of Service (DoS) attacks on delayed authentication are
discussed in [PCST]. TESLA requires receiver buffering before discussed in [PCST]. TESLA requires receiver buffering before
authentication, therefore the receiver can suffer a denial of authentication, therefore the receiver can suffer a denial of
service attack due to a flood of bogus packets. To address this service attack due to a flood of bogus packets. To address this
problem, the external SRTP MAC, based on the group key, MAY be used problem, the external SRTP MAC, based on the group key, MAY be used
in addition to the TESLA MAC. The short size of the SRTP MAC in addition to the TESLA MAC. The short size of the SRTP MAC
(default 32 bits) is here motivated by the fact that that MAC served (default 32 bits) is here motivated by the fact that that MAC serves
purely for DoS prevention from attackers external to the group. purely for DoS prevention from attackers external to the group.
[TESLA] describes other mechanisms that can be used to prevent DoS, [TESLA] describes other mechanisms that can be used to prevent DoS,
in alternative to the external group-key MAC. Where these are used, in place of the external group-key MAC. If used, they need to be
they need to be add as processing steps (following the guidelines of added as processing steps (following the guidelines of [TESLA]).
[TESLA]).
The use of TESLA in SRTP defined in this specification is subject to The use of TESLA in SRTP defined in this specification is subject to
the security considerations discussed in the SRTP specification the security considerations discussed in the SRTP specification
[RFC3711] and in the TESLA specification [TESLA]. In particular, the [RFC3711] and in the TESLA specification [TESLA]. In particular, the
TESLA security is dependent on the computation of the "safety TESLA security is dependent on the computation of the "safety
condition" as defined in Section 3.5 of [TESLA]. condition" as defined in Section 3.5 of [TESLA].
SRTP TESLA depends on the effective security of the systems that SRTP TESLA depends on the effective security of the systems that
perform bootstrapping (time synchronization) and key management. perform bootstrapping (time synchronization) and key management.
These systems are external to SRTP and are not considered in this These systems are external to SRTP and are not considered in this
specification. specification.
The length of the TESLA MAC is by default 80 bits. RFC 2104 requires
the MAC length to be at least 80 bits and at least half the output
size of the underlying hash function. The SHA-1 output size is 160
bits, so both of these requirements are met with the 80 bit MAC
specified in this document. Note that IPsec implementations tend to
use 96 bits for their MAC values to align the header with a 64 bit
boundary. Both MAC sizes are well beyond the reach of current
cryptanalytic techniques.
8. IANA Considerations 8. IANA Considerations
No IANA registration is required. No IANA registration is required.
Note that it is the task of each particular key management protocol
to register the cryptographic transforms (here, TESLA, as value in
the identifier for the message authentication algorithm in the SRTP
crypto context) and related parameters.
9. Acknowledgements 9. Acknowledgements
The authors would like to thanks Ran Canetti, Karl Norrman, Mats The authors would like to thanks Ran Canetti, Karl Norrman, Mats
N„slund, Fredrik Lindholm, David McGrew, and Bob Briscoe for their N„slund, Fredrik Lindholm, David McGrew, and Bob Briscoe for their
valuable help. valuable help.
10. Author's Addresses 10. Author's Addresses
Questions and comments should be directed to the authors and Questions and comments should be directed to the authors and
msec@ietf.org: msec@ietf.org:
Mark Baugher Mark Baugher
Cisco Systems, Inc. Cisco Systems, Inc.
5510 SW Orchid Street Phone: +1 408-853-4418 5510 SW Orchid Street Phone: +1 408-853-4418
Portland, OR 97219 USA Email: mbaugher@cisco.com Portland, OR 97219 USA Email: mbaugher@cisco.com
Elisabetta Carrara Elisabetta Carrara
Ericsson Research Ericsson
SE-16480 Stockholm Phone: +46 8 50877040 SE-16480 Stockholm Phone: +46 8 50877040
Sweden EMail: elisabetta.carrara@ericsson.com Sweden EMail: elisabetta.carrara@ericsson.com
11. References 11. References
Normative Normative
[PCST] Perrig, A., Canetti, R., Song, D., Tygar, D., "Efficient and [PCST] Perrig, A., Canetti, R., Song, D., Tygar, D., "Efficient and
Secure Source Authentication for Multicast", in Proc. of Network and Secure Source Authentication for Multicast", in Proc. of Network and
Distributed System Security Symposium NDSS 2001, pp. 35-46, 2001. Distributed System Security Symposium NDSS 2001, pp. 35-46, 2001.
[RFC1305] Mills D., Network Time Protocol (Version 3) Specification, [RFC1305] Mills D., Network Time Protocol (Version 3) Specification,
Implementation and Analysis, RFC 1305, March, 1992. Implementation and Analysis, RFC 1305, March, 1992.
[RFC3711] Baugher, McGrew, Naslund, Carrara, Norrman, "The Secure [RFC3711] Baugher, McGrew, Naslund, Carrara, Norrman, "The Secure
Real-time Transport Protocol", RFC 3711, March 2004. Real-time Transport Protocol", RFC 3711, March 2004.
[TESLA] Perrig, Canetti, Song, Tygar, Briscoe, "TESLA: Multicast [TESLA] Perrig, Song, Canetti, Tygar, Briscoe, "TESLA: Multicast
Source Authentication Transform Introduction", December 2004, draft- Source Authentication Transform Introduction", RFC 4082, June 2005.
ietf-msec-tesla-intro-04.txt.
Informative Informative
[gkmarch] Baugher, Canetti, Dondeti, Lindholm, "MSEC Group Key [gkmarch] Baugher, Canetti, Dondeti, Lindholm, "MSEC Group Key
Management Architecture", June 2004, <draft-ietf-msec-gkmarch- Management Architecture", May 2005, work in progress.
08.txt>.
[GDOI] Baugher, Weis, Hardjono, Harney, "The Group Domain of [GDOI] Baugher, Weis, Hardjono, Harney, "The Group Domain of
Interpretation", RFC 3547, July 2003. Interpretation", RFC 3547, July 2003.
[RFC3830] Arkko et al., "MIKEY: Multimedia Internet KEYing", [RFC3830] Arkko et al., "MIKEY: Multimedia Internet KEYing",
December 2003, RFC 3830, August 2004. December 2003, RFC 3830, August 2004.
Copyright Notice Copyright Notice
Copyright (C) The Internet Society (2004). This document is subject Copyright (C) The Internet Society (2005). This document is subject
to the rights, licenses and restrictions contained in BCP 78, and to the rights, licenses and restrictions contained in BCP 78, and
except as set forth therein, the authors retain all their rights. except as set forth therein, the authors retain all their rights.
Disclaimer of Validity Disclaimer of Validity
This document and the information contained herein are provided on This document and the information contained herein are provided on
an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE
REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE
INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF
THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
This draft expires in August 2005. This draft expires in March 2006.
 End of changes. 19 change blocks. 
33 lines changed or deleted 50 lines changed or added

This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/