AVTCore                                                           W. Kim
Internet-Draft                                                    J. Lee
Intended status: Informational                                   J. Park
Expires: January 1, 2018                                         D. Kwon
                                                                    NSRI
                                                                  D. Kim
                                                           Kookmin Univ.
                                                           June 30, 2017


    The ARIA Algorithm and Its Use with the Secure Real-time Transport
                             Protocol (SRTP)
                     draft-ietf-avtcore-aria-srtp-10

Abstract

   This document defines the use of the ARIA block cipher algorithm
   within the Secure Real-time Transport Protocol (SRTP).  It details
   two modes of operation (CTR, GCM) and the SRTP Key Derivation
   Functions for ARIA.  Additionally, this document defines DTLS-SRTP
   protection profiles and MIKEY parameter sets for use with ARIA.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on January 1, 2018.

Copyright Notice

   Copyright (c) 2017 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction
     1.1.  ARIA
     1.2.  Terminology
   2.  Cryptographic Transforms
     2.1.  ARIA-CTR
     2.2.  ARIA-GCM
   3.  Key Derivation Functions
   4.  Protection Profiles
   5.  Security Considerations
   6.  IANA Considerations
     6.1.  DTLS-SRTP
     6.2.  MIKEY
   7.  References
     7.1.  Normative References
     7.2.  Informative References
   Appendix A.  Test Vectors
     A.1.  ARIA-CTR Test Vectors
       A.1.1.  SRTP_ARIA_128_CTR_HMAC_SHA1_80
       A.1.2.  SRTP_ARIA_192_CTR_HMAC_SHA1_80
       A.1.3.  SRTP_ARIA_256_CTR_HMAC_SHA1_80
     A.2.  ARIA-GCM Test Vectors
       A.2.1.  SRTP_AEAD_ARIA_128_GCM
       A.2.2.  SRTP_AEAD_ARIA_256_GCM
     A.3.  Key Derivation Test Vector
       A.3.1.  ARIA_128_CTR_PRF
       A.3.2.  ARIA_192_CTR_PRF
       A.3.3.  ARIA_256_CTR_PRF
   Authors' Addresses

1.  Introduction

   This document defines the use of the ARIA [RFC5794] block cipher
   algorithm in the Secure Real-time Transport Protocol (SRTP) [RFC3711]
   for providing confidentiality for the Real-time Transport Protocol
   (RTP) [RFC3550] traffic and for the RTP Control Protocol (RTCP)
   [RFC3550] traffic.

1.1.  ARIA

   ARIA is a general-purpose block cipher algorithm developed by Korean
   cryptographers in 2003.  It is an iterated block cipher with 128-,
   192-, and 256-bit keys and encrypts 128-bit blocks in 12, 14, and 16
   rounds, depending on the key size.
   It is secure and suitable for most software and hardware
   implementations on 32-bit and 8-bit processors.  It was established
   as a Korean standard block cipher algorithm in 2004 [ARIAKS] and has
   been widely used in Korea, especially for government-to-public
   services.  It was included in PKCS #11 in 2007 [ARIAPKCS].  The
   algorithm specification and object identifiers are described in
   [RFC5794].

1.2.  Terminology

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].

2.  Cryptographic Transforms

   The block ciphers ARIA and AES share the same block size, the same
   key sizes, and the same modes of operation.  ARIA places no
   restriction on the modes of operation that may be used with it.  We
   define two modes of running ARIA within the SRTP protocol: (1) ARIA
   in Counter Mode (ARIA-CTR) and (2) ARIA in Galois/Counter Mode
   (ARIA-GCM).

2.1.  ARIA-CTR

   Section 4.1.1 of [RFC3711] defines AES-128 counter mode encryption,
   which it refers to as "AES_CM".  Section 2 of [RFC6188] defines
   "AES_192_CM" and "AES_256_CM" in SRTP.  The ARIA counter modes are
   defined in the same manner, except that each invocation of AES is
   replaced by an invocation of ARIA [RFC5794]; they are denoted
   ARIA_128_CTR, ARIA_192_CTR, and ARIA_256_CTR, respectively, according
   to the key length.  The plaintext inputs to the block cipher are
   formed as in AES-CTR (AES_CM, AES_192_CM, AES_256_CM) and the block
   cipher outputs are processed as in AES-CTR.  Note that ARIA-CTR MUST
   be used only in conjunction with an authentication transform.

   Section 3.2 of [RFC6904] defines AES-CTR for SRTP header extension
   keystream generation.
   When ARIA-CTR is used, the header extension keystream SHALL be
   generated in the same manner, except that each invocation of AES is
   replaced by an invocation of ARIA [RFC5794].

2.2.  ARIA-GCM

   GCM (Galois/Counter Mode) [GCM][RFC5116] is an AEAD (Authenticated
   Encryption with Associated Data) block cipher mode.  ARIA-GCM is
   defined in the same way as AES-GCM, as described in
   [RFC5116][RFC5282], with ARIA as the underlying block cipher.

   [RFC7714] describes the use of AES-GCM with SRTP [RFC3711][RFC6904].
   The use of ARIA-GCM with SRTP is defined in the same way as that of
   AES-GCM, except that each invocation of AES is replaced by ARIA
   [RFC5794].  When encryption of header extensions [RFC6904] is in
   use, a separate keystream to encrypt selected RTP header extension
   elements MUST be generated in the manner defined in [RFC7714], except
   that AES-CTR is replaced by ARIA-CTR.

3.  Key Derivation Functions

   Section 4.3.3 of [RFC3711] defines the AES-128 counter mode key
   derivation function, which it refers to as "AES-CM PRF".  Section 3
   of [RFC6188] defines the AES-192 counter mode key derivation function
   and the AES-256 counter mode key derivation function, which it refers
   to as "AES_192_CM_PRF" and "AES_256_CM_PRF", respectively.  The
   ARIA-CTR PRF is defined in the same manner, except that each
   invocation of AES is replaced by an invocation of ARIA.  According to
   the key length of the underlying encryption algorithm, the ARIA-CTR
   PRFs are denoted "ARIA_128_CTR_PRF", "ARIA_192_CTR_PRF", and
   "ARIA_256_CTR_PRF".  The usage requirements of [RFC6188][RFC7714]
   regarding the AES-CM PRF apply to the ARIA-CTR PRF as well.

4.  Protection Profiles

   This section defines SRTP Protection Profiles that use the ARIA
   transforms and key derivation functions defined in this document.
   The following list gives the SRTP transform parameters for each
   protection profile.  They are described for use with DTLS-SRTP
   [RFC5764].

   The parameters cipher_key_length, cipher_salt_length,
   auth_key_length, and auth_tag_length express the number of bits in
   the values to which they refer.  The maximum_lifetime parameter
   indicates the maximum number of packets that can be protected with
   each single set of keys when the parameter profile is in use.  All of
   these parameters apply to both RTP and RTCP, unless the RTCP
   parameters are separately specified.

   SRTP_ARIA_128_CTR_HMAC_SHA1_80
        cipher: ARIA_128_CTR
        cipher_key_length: 128 bits
        cipher_salt_length: 112 bits
        key derivation function: ARIA_128_CTR_PRF
        auth_function: HMAC-SHA1
        auth_key_length: 160 bits
        auth_tag_length: 80 bits
        maximum_lifetime: at most 2^31 SRTCP packets and
                          at most 2^48 SRTP packets

   SRTP_ARIA_128_CTR_HMAC_SHA1_32
        cipher: ARIA_128_CTR
        cipher_key_length: 128 bits
        cipher_salt_length: 112 bits
        key derivation function: ARIA_128_CTR_PRF
        auth_function: HMAC-SHA1
        auth_key_length: 160 bits
        SRTP auth_tag_length: 32 bits
        SRTCP auth_tag_length: 80 bits
        maximum_lifetime: at most 2^31 SRTCP packets and
                          at most 2^48 SRTP packets

   SRTP_ARIA_192_CTR_HMAC_SHA1_80
        cipher: ARIA_192_CTR
        cipher_key_length: 192 bits
        cipher_salt_length: 112 bits
        key derivation function: ARIA_192_CTR_PRF
        auth_function: HMAC-SHA1
        auth_key_length: 160 bits
        auth_tag_length: 80 bits
        maximum_lifetime: at most 2^31 SRTCP packets and
                          at most 2^48 SRTP packets

   SRTP_ARIA_192_CTR_HMAC_SHA1_32
        cipher: ARIA_192_CTR
        cipher_key_length: 192 bits
        cipher_salt_length: 112 bits
        key derivation function: ARIA_192_CTR_PRF
        auth_function: HMAC-SHA1
        auth_key_length: 160 bits
        SRTP auth_tag_length: 32 bits
        SRTCP auth_tag_length: 80 bits
        maximum_lifetime: at most 2^31 SRTCP packets and
                          at most 2^48 SRTP packets

   SRTP_ARIA_256_CTR_HMAC_SHA1_80
        cipher: ARIA_256_CTR
        cipher_key_length: 256 bits
        cipher_salt_length: 112 bits
        key derivation function: ARIA_256_CTR_PRF
        auth_function: HMAC-SHA1
        auth_key_length: 160 bits
        auth_tag_length: 80 bits
        maximum_lifetime: at most 2^31 SRTCP packets and
                          at most 2^48 SRTP packets

   SRTP_ARIA_256_CTR_HMAC_SHA1_32
        cipher: ARIA_256_CTR
        cipher_key_length: 256 bits
        cipher_salt_length: 112 bits
        key derivation function: ARIA_256_CTR_PRF
        auth_function: HMAC-SHA1
        auth_key_length: 160 bits
        SRTP auth_tag_length: 32 bits
        SRTCP auth_tag_length: 80 bits
        maximum_lifetime: at most 2^31 SRTCP packets and
                          at most 2^48 SRTP packets

   SRTP_AEAD_ARIA_128_GCM
        cipher: ARIA_128_GCM
        cipher_key_length: 128 bits
        cipher_salt_length: 96 bits
        aead_auth_tag_length: 128 bits
        auth_function: NULL
        auth_key_length: N/A
        auth_tag_length: N/A
        key derivation function: ARIA_128_CTR_PRF
        maximum_lifetime: at most 2^31 SRTCP packets and
                          at most 2^48 SRTP packets

   SRTP_AEAD_ARIA_256_GCM
        cipher: ARIA_256_GCM
        cipher_key_length: 256 bits
        cipher_salt_length: 96 bits
        aead_auth_tag_length: 128 bits
        auth_function: NULL
        auth_key_length: N/A
        auth_tag_length: N/A
        key derivation function: ARIA_256_CTR_PRF
        maximum_lifetime: at most 2^31 SRTCP packets and
                          at most 2^48 SRTP packets

   The ARIA-CTR protection profiles use the same authentication
   transform that is mandatory to implement in SRTP, HMAC-SHA1 with a
   160-bit key.

   Note that SRTP Protection Profiles that use AEAD algorithms do not
   specify an auth_function, auth_key_length, or auth_tag_length, since
   they do not use a separate auth_function, auth_key, or auth_tag.  The
   term aead_auth_tag_length is used to emphasize that this refers to
   the authentication tag provided by the AEAD algorithm and that this
   tag is not located in the authentication tag field provided by SRTP/
   SRTCP.

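   The profile parameters above (cipher key length, a 112- or 96-bit
   cipher salt, the PRF, and the auth key) are the inputs to the
   ARIA-CTR key derivation of Section 3 and to the per-packet IV
   formation of Sections 2.1 and 2.2, whose worked values appear in
   Appendix A.  The Python below is an added example, not code from this
   draft: it builds the PRF inputs x, the ARIA-CTR counter blocks, and
   the CTR and GCM IVs, and checks them against the Appendix A values.
   The block cipher is left as a pluggable function (no ARIA
   implementation is included); identity_block and derive_session_keys
   are this example's own names.

```python
"""SRTP input construction for the ARIA profiles of this draft.

Added example, not code from the draft. The block cipher is pluggable
(any function mapping (key, 16-octet block) -> 16-octet block), so the
same code drives ARIA-128/192/256. The values checked are the
cipher-independent quantities listed in Appendix A: the PRF inputs x,
the ARIA-CTR input (counter) blocks, and the packet IVs.
"""
from typing import Callable, Dict

BlockFn = Callable[[bytes, bytes], bytes]

# Key derivation labels of RFC 3711 section 4.3.1 (as used in A.3)
LABEL_RTP_ENCR = 0x00   # session cipher key
LABEL_RTP_AUTH = 0x01   # session auth key
LABEL_RTP_SALT = 0x02   # session salt

# cipher_salt_length from the profiles: 112 bits (CTR), 96 bits (GCM)
CIPHER_SALT_OCTETS = {"CTR": 14, "GCM": 12}


def kdf_input(master_salt: bytes, label: int, index: int = 0,
              kdr: int = 0) -> bytes:
    """x = key_id XOR master_salt, where key_id = label || (index DIV kdr)
    is 7 octets right-aligned in the 14-octet salt; DIV by kdr=0 gives 0."""
    if len(master_salt) != 14:
        raise ValueError("master salt must be 14 octets")
    r = index // kdr if kdr else 0
    key_id = b"\x00" * 7 + bytes([label]) + r.to_bytes(6, "big")
    return bytes(s ^ k for s, k in zip(master_salt, key_id))


def ctr_prf(block_fn: BlockFn, key: bytes, x: bytes, n_octets: int) -> bytes:
    """ARIA-CTR PRF: keystream from the blocks x*2^16 + 0, x*2^16 + 1, ...
    (16-bit block counter in the low two octets), truncated to n_octets."""
    out = bytearray()
    counter = 0
    while len(out) < n_octets:
        out += block_fn(key, x + counter.to_bytes(2, "big"))
        counter += 1
    return bytes(out[:n_octets])


def derive_session_keys(block_fn: BlockFn, master_key: bytes,
                        master_salt: bytes, mode: str,
                        auth_key_octets: int = 20,
                        index: int = 0, kdr: int = 0) -> Dict[str, bytes]:
    """Session cipher key (same length as the master key), cipher salt
    (14 or 12 octets by profile) and, for CTR profiles, the HMAC-SHA1
    auth key (160 bits by default; the A.3 vectors use 94 octets)."""
    def prf(label: int, n: int) -> bytes:
        return ctr_prf(block_fn, master_key,
                       kdf_input(master_salt, label, index, kdr), n)
    keys = {
        "cipher_key": prf(LABEL_RTP_ENCR, len(master_key)),
        "cipher_salt": prf(LABEL_RTP_SALT, CIPHER_SALT_OCTETS[mode]),
    }
    if mode == "CTR":        # GCM profiles have auth_function NULL
        keys["auth_key"] = prf(LABEL_RTP_AUTH, auth_key_octets)
    return keys


def ctr_iv(session_salt: bytes, ssrc: int, roc: int, seq: int) -> bytes:
    """ARIA-CTR IV as in RFC 3711 section 4.1.1:
    IV = (k_s * 2^16) XOR (SSRC * 2^64) XOR (i * 2^16), i = ROC || SEQ."""
    if len(session_salt) != 14:
        raise ValueError("CTR session salt must be 14 octets")
    i = (roc << 16) | seq
    iv = (int.from_bytes(session_salt, "big") << 16) ^ (ssrc << 64) ^ (i << 16)
    return iv.to_bytes(16, "big")


def gcm_iv(session_salt: bytes, ssrc: int, roc: int, seq: int) -> bytes:
    """ARIA-GCM 12-octet IV, formed as for AES-GCM in RFC 7714:
    (00 00 || SSRC || ROC || SEQ) XOR session salt."""
    if len(session_salt) != 12:
        raise ValueError("GCM session salt must be 12 octets")
    raw = (b"\x00\x00" + ssrc.to_bytes(4, "big")
           + roc.to_bytes(4, "big") + seq.to_bytes(2, "big"))
    return bytes(a ^ b for a, b in zip(raw, session_salt))


def identity_block(key: bytes, block: bytes) -> bytes:
    """Stand-in block function (NOT ARIA) that returns its input, so the PRF
    output is exactly the sequence of ARIA input blocks listed in A.3."""
    return block


if __name__ == "__main__":
    # Master key and salt of A.3.1 (values taken from the draft)
    mk = bytes.fromhex("e1f97a0d3e018be0d64fa32c06de4139")
    ms = bytes.fromhex("0ec675ad498afeebb6960b3aabe6")
    for label in (LABEL_RTP_ENCR, LABEL_RTP_AUTH, LABEL_RTP_SALT):
        print(f"label {label:02x}: x = {kdf_input(ms, label).hex()}")
    k = derive_session_keys(identity_block, mk, ms, "CTR", auth_key_octets=94)
    print("auth key ARIA input blocks:", k["auth_key"].hex())
    # Packet IVs of A.1 and A.2 (salt, SSRC, ROC, SEQ from the draft)
    salt14 = bytes.fromhex("cd3a7c42c671e0067a2a2639b43a")
    print("ARIA-CTR IV:", ctr_iv(salt14, 0x20e8f5eb, 0, 0x315e).hex())
    print("ARIA-GCM IV:", gcm_iv(bytes(12), 0x20e8f5eb, 0, 0x315e).hex())
```

   Replacing identity_block with a real ARIA block function (the ARIA
   ciphers of OpenSSL, for instance) reproduces the cipher key, cipher
   salt, and auth key values of A.3.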
   The PRF for each ARIA protection profile is the ARIA-CTR PRF whose
   key length equals that of the encryption algorithm (see Section 2).
   SRTP_ARIA_128_CTR_HMAC and SRTP_AEAD_ARIA_128_GCM MUST use the
   ARIA_128_CTR_PRF Key Derivation Function.  SRTP_ARIA_192_CTR_HMAC
   MUST use the ARIA_192_CTR_PRF Key Derivation Function.
   SRTP_ARIA_256_CTR_HMAC and SRTP_AEAD_ARIA_256_GCM MUST use the
   ARIA_256_CTR_PRF Key Derivation Function.

   MIKEY specifies the SRTP protection profile definition separately
   from the key length (which is specified by the Session Encryption key
   length) and the authentication tag length.  The DTLS-SRTP [RFC5764]
   protection profiles are mapped to MIKEY parameter sets as shown
   below.

   +---------------------------+------------+------------+------------+
   | Protection Profile        | Encryption | Encryption | Auth.      |
   |                           | Algorithm  | Key Length | Tag Length |
   +===========================+============+============+============+
   | SRTP_ARIA_128_CTR_HMAC_80 | ARIA-CTR   | 16 octets  | 10 octets  |
   | SRTP_ARIA_128_CTR_HMAC_32 | ARIA-CTR   | 16 octets  |  4 octets  |
   | SRTP_ARIA_192_CTR_HMAC_80 | ARIA-CTR   | 24 octets  | 10 octets  |
   | SRTP_ARIA_192_CTR_HMAC_32 | ARIA-CTR   | 24 octets  |  4 octets  |
   | SRTP_ARIA_256_CTR_HMAC_80 | ARIA-CTR   | 32 octets  | 10 octets  |
   | SRTP_ARIA_256_CTR_HMAC_32 | ARIA-CTR   | 32 octets  |  4 octets  |
   +===========================+============+============+============+

     Figure 1: Mapping MIKEY parameters to ARIA-CTR with HMAC algorithm

   +------------------------+------------+------------+------------+
   | Protection Profile     | Encryption | Encryption | AEAD Auth. |
   |                        | Algorithm  | Key Length | Tag Length |
   +========================+============+============+============+
   | SRTP_AEAD_ARIA_128_GCM | ARIA-GCM   | 16 octets  | 16 octets  |
   | SRTP_AEAD_ARIA_256_GCM | ARIA-GCM   | 32 octets  | 16 octets  |
   +========================+============+============+============+

            Figure 2: Mapping MIKEY parameters to AEAD algorithm

5.  Security Considerations

   At the time of writing this document, no security problem has been
   found in ARIA.
   Previous security analysis results are summarized in [ATY].

   The security considerations in [GCM] [RFC3711] [RFC5116] [RFC6188]
   [RFC6904] [RFC7714] apply to this document as well.  Protection
   profiles with a short tag length may be considered for the specific
   application environments stated in Section 7.5 of [RFC3711], but the
   risk of weak authentication described in Section 9.5.1 of [RFC3711]
   should be taken into account.

6.  IANA Considerations

6.1.  DTLS-SRTP

   DTLS-SRTP [RFC5764] defines a DTLS-SRTP "SRTP Protection Profile".
   In order to allow the use of the algorithms defined in this document
   in DTLS-SRTP, IANA is requested to add the protection profiles below
   to the "DTLS-SRTP Protection Profiles" registry created by [RFC5764],
   located on the following IANA page at the time of writing:
   http://www.iana.org/assignments/srtp-protection/.

      SRTP_ARIA_128_CTR_HMAC_SHA1_80 = {TBD,TBD}
      SRTP_ARIA_128_CTR_HMAC_SHA1_32 = {TBD,TBD}
      SRTP_ARIA_192_CTR_HMAC_SHA1_80 = {TBD,TBD}
      SRTP_ARIA_192_CTR_HMAC_SHA1_32 = {TBD,TBD}
      SRTP_ARIA_256_CTR_HMAC_SHA1_80 = {TBD,TBD}
      SRTP_ARIA_256_CTR_HMAC_SHA1_32 = {TBD,TBD}
      SRTP_AEAD_ARIA_128_GCM         = {TBD,TBD}
      SRTP_AEAD_ARIA_256_GCM         = {TBD,TBD}

6.2.  MIKEY

   [RFC3830] and [RFC5748] define encryption algorithms and PRFs for the
   SRTP policy in MIKEY.  In order to allow the use of the algorithms
   defined in this document in MIKEY, IANA is requested to add the two
   encryption algorithms below to the "MIKEY Security Protocol
   Parameters SRTP Type 0 (Encryption algorithm)" registry and to add
   the PRF below to the "MIKEY Security Protocol Parameters SRTP Type 5
   (Pseudo Random Function)" registry created by [RFC3830], located on
   the following IANA page at the time of writing:
   http://www.iana.org/assignments/mikey-payloads/.

      +---------------+-------+
      | SRTP Enc. alg | Value |
      +---------------+-------+
      | ARIA-CTR      | TBD   |
      | ARIA-GCM      | TBD   |
      +---------------+-------+

   The default session encryption key length is 16 octets.

      +----------+-------+
      | SRTP PRF | Value |
      +----------+-------+
      | ARIA-CTR | TBD   |
      +----------+-------+

7.  References

7.1.  Normative References

   [GCM]      Dworkin, M., "Recommendation for Block Cipher Modes of
              Operation: Galois/Counter Mode (GCM) and GMAC", NIST
              SP 800-38D, November 2007.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997.

   [RFC3550]  Schulzrinne, H., Casner, S., Frederick, R., and V.
              Jacobson, "RTP: A Transport Protocol for Real-Time
              Applications", STD 64, RFC 3550, DOI 10.17487/RFC3550,
              July 2003.

   [RFC3711]  Baugher, M., McGrew, D., Naslund, M., Carrara, E., and K.
              Norrman, "The Secure Real-time Transport Protocol (SRTP)",
              RFC 3711, DOI 10.17487/RFC3711, March 2004.

   [RFC3830]  Arkko, J., Carrara, E., Lindholm, F., Naslund, M., and K.
              Norrman, "MIKEY: Multimedia Internet KEYing", RFC 3830,
              DOI 10.17487/RFC3830, August 2004.

   [RFC5116]  McGrew, D., "An Interface and Algorithms for Authenticated
              Encryption", RFC 5116, DOI 10.17487/RFC5116, January 2008.

   [RFC5282]  Black, D. and D. McGrew, "Using Authenticated Encryption
              Algorithms with the Encrypted Payload of the Internet Key
              Exchange version 2 (IKEv2) Protocol", RFC 5282,
              DOI 10.17487/RFC5282, August 2008.

   [RFC5764]  McGrew, D. and E. Rescorla, "Datagram Transport Layer
              Security (DTLS) Extension to Establish Keys for the Secure
              Real-time Transport Protocol (SRTP)", RFC 5764,
              DOI 10.17487/RFC5764, May 2010.

   [RFC5794]  Lee, J., Lee, J., Kim, J., Kwon, D., and C. Kim, "A
              Description of the ARIA Encryption Algorithm", RFC 5794,
              DOI 10.17487/RFC5794, March 2010.

   [RFC6188]  McGrew, D., "The Use of AES-192 and AES-256 in Secure
              RTP", RFC 6188, DOI 10.17487/RFC6188, March 2011.

   [RFC6904]  Lennox, J., "Encryption of Header Extensions in the Secure
              Real-time Transport Protocol (SRTP)", RFC 6904,
              DOI 10.17487/RFC6904, April 2013.

   [RFC7714]  McGrew, D. and K. Igoe, "AES-GCM Authenticated Encryption
              in the Secure Real-time Transport Protocol (SRTP)",
              RFC 7714, DOI 10.17487/RFC7714, December 2015.

7.2.  Informative References

   [ARIAKS]   Korean Agency for Technology and Standards, "128 bit block
              encryption algorithm ARIA - Part 1: General (in Korean)",
              KS X 1213-1:2009, December 2009.

   [ARIAPKCS] RSA Laboratories, "Additional PKCS #11 Mechanisms",
              PKCS #11 v2.20 Amendment 3 Revision 1, January 2007.

   [ATY]      Abdelkhalek, A., Tolba, M., and A. Youssef, "Improved
              linear cryptanalysis of round-reduced ARIA", Information
              Security - ISC 2016, Lecture Notes in Computer Science
              (LNCS) Vol. 9866, pp. 18-34, September 2016.

   [RFC5748]  Yoon, S., Jeong, J., Kim, H., Jeong, H., and Y. Won, "IANA
              Registry Update for Support of the SEED Cipher Algorithm
              in Multimedia Internet KEYing (MIKEY)", RFC 5748,
              DOI 10.17487/RFC5748, August 2010.

Appendix A.  Test Vectors

   All values are in hexadecimal and represented in network order
   (big endian).

A.1.  ARIA-CTR Test Vectors

   Common values are organized as follows:

   Rollover Counter:        00000000
   Sequence Number:         315e
   SSRC:                    20e8f5eb
   Authentication Key:      f93563311b354748c978913795530631
                            16452309
   Session Salt:            cd3a7c42c671e0067a2a2639b43a
   Initialization Vector:   cd3a7c42e69915ed7a2a263985640000
   RTP header:              8008315ebf2e6fe020e8f5eb
   RTP Payload:             f57af5fd4ae19562976ec57a5a7ad55a
                            5af5c5e5c5fdf5c55ad57a4a7272d572
                            62e9729566ed66e97ac54a4a5a7ad5e1
                            5ae5fdd5fd5ac5d56ae56ad5c572d54a
                            e54ac55a956afd6aed5a4ac562957a95
                            16991691d572fd14e97ae962ed7a9f4a
                            955af572e162f57a956666e17ae1f54a
                            95f566d54a66e16e4afd6a9f7ae1c5c5
                            5ae5d56afde916c5e94a6ec56695e14a
                            fde1148416e94ad57ac5146ed59d1cc5

A.1.1.  SRTP_ARIA_128_CTR_HMAC_SHA1_80

   Session Key:             0c5ffd37a11edc42c325287fc0604f2e

   Encrypted RTP Payload:   1bf753f412e6f35058cc398dc851aae3
                            a6ccdcb463fbed9cfb3de2fb76fdffa9
                            e481f5efb64c92487f59dabbc7cc72da
                            092485f3fbad87888820b86037311fa4
                            4330e18a59a1e1338ba2c21458493a57
                            463475c54691f91cec785429119e0dfc
                            d9048f90e07fecd50b528e8c62ee6e71
                            445de5d7f659405135aff3604c2ca4ff
                            4aaca40809cb9eee42cc4ad232307570
                            81ca289f2851d3315e9568b501fdce6d

   Authenticated portion || Rollover Counter:
                            8008315ebf2e6fe020e8f5eb1bf753f4
                            12e6f35058cc398dc851aae3a6ccdcb4
                            63fbed9cfb3de2fb76fdffa9e481f5ef
                            b64c92487f59dabbc7cc72da092485f3
                            fbad87888820b86037311fa44330e18a
                            59a1e1338ba2c21458493a57463475c5
                            4691f91cec785429119e0dfcd9048f90
                            e07fecd50b528e8c62ee6e71445de5d7
                            f659405135aff3604c2ca4ff4aaca408
                            09cb9eee42cc4ad23230757081ca289f
                            2851d3315e9568b501fdce6d00000000

   Authentication Tag:      f9de4e729054672b0e35

A.1.2.  SRTP_ARIA_192_CTR_HMAC_SHA1_80

   Session Key:             0c5ffd37a11edc42c325287fc0604f2e
                            3e8cd5671a00fe32

   Encrypted RTP Payload:   86f4556486642caa67e9b40fef2acda0
                            6d442517d8d58c15e3e0b5c13a78b8b2
                            838b7b96961e11acb2af81348272888c
                            fd9d168ba091fe3e4f7f83c7871570a9
                            aa9f995036e44c35cb742b601e8d8d08
                            48320bad732929103f1bfbb1ae873178
                            0479c5df2d4d41f78f6b96d6832db3db
                            6af8b3612b27e18a0a29a8a1d280437e
                            b8dad58e78658ec3b069d7329431c356
                            c5e612b3dde5bd3f6c9f42f39cf35d3a

   Authenticated portion || Rollover Counter:
                            8008315ebf2e6fe020e8f5eb86f45564
                            86642caa67e9b40fef2acda06d442517
                            d8d58c15e3e0b5c13a78b8b2838b7b96
                            961e11acb2af81348272888cfd9d168b
                            a091fe3e4f7f83c7871570a9aa9f9950
                            36e44c35cb742b601e8d8d0848320bad
                            732929103f1bfbb1ae8731780479c5df
                            2d4d41f78f6b96d6832db3db6af8b361
                            2b27e18a0a29a8a1d280437eb8dad58e
                            78658ec3b069d7329431c356c5e612b3
                            dde5bd3f6c9f42f39cf35d3a00000000

   Authentication Tag:      3935fa37ee96dbc550d5

A.1.3.  SRTP_ARIA_256_CTR_HMAC_SHA1_80

   Session Key:             0c5ffd37a11edc42c325287fc0604f2e
                            3e8cd5671a00fe3216aa5eb105783b54

   Encrypted RTP Payload:   c424c59fd5696305e5b13d8e8ca76566
                            17ccd7471088af9debf07b55c750f804
                            a5ac2b737be48140958a9b420524112a
                            e72e4da5bca59d2b1019ddd7dbdc30b4
                            3d5f046152ced40947d62d2c93e7b8e5
                            0f02db2b6b61b010e4c1566884de1fa9
                            702cdf8157e8aedfe3dd77c76bb50c25
                            ae4d624615c15acfdeeb5f79482aaa01
                            d3e4c05eb601eca2bd10518e9d46b021
                            16359232e9eac0fabd05235dd09e6dea

   Authenticated portion || Rollover Counter:
                            8008315ebf2e6fe020e8f5ebc424c59f
                            d5696305e5b13d8e8ca7656617ccd747
                            1088af9debf07b55c750f804a5ac2b73
                            7be48140958a9b420524112ae72e4da5
                            bca59d2b1019ddd7dbdc30b43d5f0461
                            52ced40947d62d2c93e7b8e50f02db2b
                            6b61b010e4c1566884de1fa9702cdf81
                            57e8aedfe3dd77c76bb50c25ae4d6246
                            15c15acfdeeb5f79482aaa01d3e4c05e
                            b601eca2bd10518e9d46b02116359232
                            e9eac0fabd05235dd09e6dea00000000

   Authentication Tag:      192f515fab04bbb4e62c

A.2.  ARIA-GCM Test Vectors

   Common values are organized as follows:

   Rollover Counter:        00000000
   Sequence Number:         315e
   SSRC:                    20e8f5eb
   Encryption Salt:         000000000000000000000000

   Initialization Vector:   000020e8f5eb00000000315e
   RTP Payload:             f57af5fd4ae19562976ec57a5a7ad55a
                            5af5c5e5c5fdf5c55ad57a4a7272d572
                            62e9729566ed66e97ac54a4a5a7ad5e1
                            5ae5fdd5fd5ac5d56ae56ad5c572d54a
                            e54ac55a956afd6aed5a4ac562957a95
                            16991691d572fd14e97ae962ed7a9f4a
                            955af572e162f57a956666e17ae1f54a
                            95f566d54a66e16e4afd6a9f7ae1c5c5
                            5ae5d56afde916c5e94a6ec56695e14a
                            fde1148416e94ad57ac5146ed59d1cc5
   Associated Data:         8008315ebf2e6fe020e8f5eb

   The encrypted payload is 16 octets longer than the payload: the
   16-octet GCM authentication tag is appended to it.

A.2.1.  SRTP_AEAD_ARIA_128_GCM

   Key:                     e91e5e75da65554a48181f3846349562

   Encrypted RTP Payload:   4d8a9a0675550c704b17d8c9ddc81a5c
                            d6f7da34f2fe1b3db7cb3dfb9697102e
                            a0f3c1fc2dbc873d44bceeae8e444297
                            4ba21ff6789d3272613fb9631a7cf3f1
                            4bacbeb421633a90ffbe58c2fa6bdca5
                            34f10d0de0502ce1d531b6336e588782
                            78531e5c22bc6c85bbd784d78d9e680a
                            a19031aaf89101d669d7a3965c1f7e16
                            229d7463e0535f4e253f5d18187d40b8
                            ae0f564bd970b5e7e2adfb211e89a953
                            5abace3f37f5a736f4be984bbffbedc1

A.2.2.  SRTP_AEAD_ARIA_256_GCM

   Key:                     0c5ffd37a11edc42c325287fc0604f2e
                            3e8cd5671a00fe3216aa5eb105783b54

   Encrypted RTP Payload:   6f9e4bcbc8c85fc0128fb1e4a0a20cb9
                            932ff74581f54fc013dd054b19f99371
                            425b352d97d3f337b90b63d1b082adee
                            ea9d2d7391897d591b985e55fb50cb53
                            50cf7d38dc27dda127c078a149c8eb98
                            083d66363a46e3726af217d3a00275ad
                            5bf772c7610ea4c23006878f0ee69a83
                            97703169a419303f40b72e4573714d19
                            e2697df61e7c7252e5abc6bade876ac4
                            961bfac4d5e867afca351a48aed52822
                            e210d6ced2cf430ff841472915e7ef48

A.3.  Key Derivation Test Vector

   This section provides test vectors for the default key derivation
   function, which uses ARIA in Counter Mode.  In the following, we walk
   through the initial key derivation for the ARIA Counter Mode cipher,
   which requires a 16/24/32 octet session encryption key according to
   the session encryption key length and a 14 octet session salt, and
   for an authentication function that requires a 94 octet session
   authentication key.  These values are called the cipher key, the
   cipher salt, and the auth key in the following.  The test vectors are
   generated in the same way as the key derivation test vectors in
   [RFC3711] and [RFC6188], but with each invocation of AES replaced by
   an invocation of ARIA.

A.3.1.  ARIA_128_CTR_PRF

   The inputs to the key derivation function are the 16 octet master key
   and the 14 octet master salt:

   master key:      e1f97a0d3e018be0d64fa32c06de4139
   master salt:     0ec675ad498afeebb6960b3aabe6

   index DIV kdr:                   000000000000
   label:                         00
   master salt:     0ec675ad498afeebb6960b3aabe6
   -----------------------------------------------
   xor:             0ec675ad498afeebb6960b3aabe6     (x, PRF input)

   x*2^16:          0ec675ad498afeebb6960b3aabe60000 (ARIA-CTR input)

   cipher key:      dbd85a3c4d9219b3e81f7d942e299de4 (ARIA-CTR output)

   The ARIA-CTR protection profiles require a 14 octet cipher salt,
   while the ARIA-GCM protection profiles require a 12 octet cipher
   salt.

   index DIV kdr:                   000000000000
   label:                         02
   master salt:     0ec675ad498afeebb6960b3aabe6
   -----------------------------------------------
   xor:             0ec675ad498afee9b6960b3aabe6     (x, PRF input)

   x*2^16:          0ec675ad498afee9b6960b3aabe60000 (ARIA-CTR input)

                    9700657f5f34161830d7d85f5dc8be7f (ARIA-CTR output)

   cipher salt:     9700657f5f34161830d7d85f5dc8     (ARIA-CTR profile)
                    9700657f5f34161830d7d85f         (ARIA-GCM profile)

   index DIV kdr:                   000000000000
   label:                         01
   master salt:     0ec675ad498afeebb6960b3aabe6
   -----------------------------------------------
   xor:             0ec675ad498afeeab6960b3aabe6     (x, PRF input)

   x*2^16:          0ec675ad498afeeab6960b3aabe60000 (ARIA-CTR input)

   Below, the auth key is shown on the left, while the corresponding
   ARIA input blocks are shown on the right.

   auth key                           ARIA input blocks

   d021877bd3eaf92d581ed70ddc050e03   0ec675ad498afeeab6960b3aabe60000
   f11257032676f2a29f57b21abd3a1423   0ec675ad498afeeab6960b3aabe60001
   769749bdc5dd9ca5b43ca6b6c1f3a7de   0ec675ad498afeeab6960b3aabe60002
   4047904bcf811f601cc03eaa5d7af6db   0ec675ad498afeeab6960b3aabe60003
   9f88efa2e51ca832fc2a15b126fa7be2   0ec675ad498afeeab6960b3aabe60004
   469af896acb1852c31d822c45799       0ec675ad498afeeab6960b3aabe60005

A.3.2.  ARIA_192_CTR_PRF

   The inputs to the key derivation function are the 24 octet master key
   and the 14 octet master salt:

   master key:      0c5ffd37a11edc42c325287fc0604f2e3e8cd5671a00fe32
   master salt:     0ec675ad498afeebb6960b3aabe6

   index DIV kdr:                   000000000000
   label:                         00
   master salt:     0ec675ad498afeebb6960b3aabe6
   -----------------------------------------------
   xor:             0ec675ad498afeebb6960b3aabe6     (x, PRF input)

   x*2^16:          0ec675ad498afeebb6960b3aabe60000 (ARIA-CTR input)

   cipher key:      f320af2386a1cde64c3aa5f55d68002e (ARIA-CTR 1st output)
                    d13cbe548b627649                 (ARIA-CTR 2nd output)

   The ARIA-CTR protection profiles require a 14 octet cipher salt.

   index DIV kdr:                   000000000000
   label:                         02
   master salt:     0ec675ad498afeebb6960b3aabe6
   -----------------------------------------------
   xor:             0ec675ad498afee9b6960b3aabe6     (x, PRF input)

   x*2^16:          0ec675ad498afee9b6960b3aabe60000 (ARIA-CTR input)

                    55c7e3555baf0fdc91c589cfb871b098 (ARIA-CTR output)

   cipher salt:     55c7e3555baf0fdc91c589cfb871     (ARIA-CTR profile)

   index DIV kdr:                   000000000000
   label:                         01
   master salt:     0ec675ad498afeebb6960b3aabe6
   -----------------------------------------------
   xor:             0ec675ad498afeeab6960b3aabe6     (x, PRF input)

   x*2^16:          0ec675ad498afeeab6960b3aabe60000 (ARIA-CTR input)

   Below, the auth key is shown on the left, while the corresponding
   ARIA input blocks are shown on the right.

   auth key                           ARIA input blocks

   116902524517f7e767a979ad7678d53a   0ec675ad498afeeab6960b3aabe60000
   8cae05a5c9a315d1304f634c81a06617   0ec675ad498afeeab6960b3aabe60001
   31fe099d4dcd2202421fe01fc12c65ad   0ec675ad498afeeab6960b3aabe60002
   009e920031654855af5d9e820a7831e0   0ec675ad498afeeab6960b3aabe60003
   bc2b4744d2a33053eb685138252f2d82   0ec675ad498afeeab6960b3aabe60004
   9a89f4a9aa4f97fde0cce9bad3d5       0ec675ad498afeeab6960b3aabe60005

A.3.3.  ARIA_256_CTR_PRF

   The inputs to the key derivation function are the 32 octet master key
   and the 14 octet master salt:

   master key:      0c5ffd37a11edc42c325287fc0604f2e
                    3e8cd5671a00fe3216aa5eb105783b54
   master salt:     0ec675ad498afeebb6960b3aabe6

   index DIV kdr:                   000000000000
   label:                         00
   master salt:     0ec675ad498afeebb6960b3aabe6
   -----------------------------------------------
   xor:             0ec675ad498afeebb6960b3aabe6     (x, PRF input)

   x*2^16:          0ec675ad498afeebb6960b3aabe60000 (ARIA-CTR input)

   cipher key:      0649a09d93755fe9c2b2efba1cce930a (ARIA-CTR 1st output)
                    f2e76ce8b77e4b175950321aa94b0cf4 (ARIA-CTR 2nd output)

   The ARIA-CTR protection profiles require a 14 octet cipher salt,
   while the ARIA-GCM protection profiles require a 12 octet cipher
   salt.

   index DIV kdr:                   000000000000
   label:                         02
   master salt:     0ec675ad498afeebb6960b3aabe6
   -----------------------------------------------
   xor:             0ec675ad498afee9b6960b3aabe6     (x, PRF input)

   x*2^16:          0ec675ad498afee9b6960b3aabe60000 (ARIA-CTR input)

                    194abaa8553a8eba8a413a340fc80a3d (ARIA-CTR output)

   cipher salt:     194abaa8553a8eba8a413a340fc8     (ARIA-CTR profile)
                    194abaa8553a8eba8a413a34         (ARIA-GCM profile)

   index DIV kdr:                   000000000000
   label:                         01
   master salt:     0ec675ad498afeebb6960b3aabe6
   -----------------------------------------------
   xor:             0ec675ad498afeeab6960b3aabe6     (x, PRF input)

   x*2^16:          0ec675ad498afeeab6960b3aabe60000 (ARIA-CTR input)

   Below, the auth key is shown on the left, while the corresponding
   ARIA input blocks are shown on the right.

   auth key                           ARIA input blocks

   e58d42915873b71899234807334658f2   0ec675ad498afeeab6960b3aabe60000
   0bc460181d06e02b7a9e60f02ff10bfc   0ec675ad498afeeab6960b3aabe60001
   9ade3795cf78f3e0f2556d9d913470c4   0ec675ad498afeeab6960b3aabe60002
   e82e45d254bfb8e2933851a3930ffe7d   0ec675ad498afeeab6960b3aabe60003
   fca751c03ec1e77e35e28dac4f17d1a5   0ec675ad498afeeab6960b3aabe60004
   80bdac028766d3b1e8f5a41faa3c       0ec675ad498afeeab6960b3aabe60005

Authors' Addresses

   Woo-Hwan Kim
   National Security Research Institute
   P.O.Box 1, Yuseong
   Daejeon 34188
   Korea

   EMail: whkim5@nsr.re.kr


   Jungkeun Lee
   National Security Research Institute
   P.O.Box 1, Yuseong
   Daejeon 34188
   Korea

   EMail: jklee@nsr.re.kr


   Je-Hong Park
   National Security Research Institute
   P.O.Box 1, Yuseong
   Daejeon 34188
   Korea

   EMail: jhpark@nsr.re.kr


   Daesung Kwon
   National Security Research Institute
   P.O.Box 1, Yuseong
   Daejeon 34188
   Korea

   EMail: ds_kwon@nsr.re.kr


   Dong-Chan Kim
   Kookmin University
   77 Jeongneung-ro, Seongbuk-gu
   Seoul 02707
   Korea

   EMail: dckim@kookmin.ac.kr