AVTCore                                                           W. Kim
Internet-Draft                                                    J. Lee
Intended status: Informational                                   J. Park
Expires: February 9, 2018                                        D. Kwon
                                                                    NSRI
                                                                  D. Kim
                                                           Kookmin Univ.
                                                          August 8, 2017


     The ARIA Algorithm and Its Use with the Secure Real-time Transport
                              Protocol (SRTP)
                      draft-ietf-avtcore-aria-srtp-11

Abstract

   This document defines the use of the ARIA block cipher algorithm
   within the Secure Real-time Transport Protocol (SRTP).  It details
   two modes of operation (CTR, GCM) and the SRTP Key Derivation
   Functions for ARIA.  Additionally, this document defines DTLS-SRTP
   protection profiles and MIKEY parameter sets for use with ARIA.
Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on February 9, 2018.

Copyright Notice

   Copyright (c) 2017 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction
     1.1.  ARIA
     1.2.  Terminology
   2.  Cryptographic Transforms
     2.1.  ARIA-CTR
     2.2.  ARIA-GCM
   3.  Key Derivation Functions
   4.  Protection Profiles
   5.  Security Considerations
   6.  IANA Considerations
     6.1.  DTLS-SRTP
     6.2.  MIKEY
   7.  References
     7.1.  Normative References
     7.2.  Informative References
   Appendix A.  Test Vectors
     A.1.  ARIA-CTR Test Vectors
       A.1.1.  SRTP_ARIA_128_CTR_HMAC_SHA1_80
       A.1.2.  SRTP_ARIA_256_CTR_HMAC_SHA1_80
     A.2.  ARIA-GCM Test Vectors
       A.2.1.  SRTP_AEAD_ARIA_128_GCM
       A.2.2.  SRTP_AEAD_ARIA_256_GCM
     A.3.  Key Derivation Test Vector
       A.3.1.  ARIA_128_CTR_PRF
       A.3.2.  ARIA_256_CTR_PRF
   Authors' Addresses

1.  Introduction

   This document defines the use of the ARIA [RFC5794] block cipher
   algorithm in the Secure Real-time Transport Protocol (SRTP) [RFC3711]
   to provide confidentiality for Real-time Transport Protocol (RTP)
   [RFC3550] traffic and for RTP Control Protocol (RTCP) [RFC3550]
   traffic.

1.1.  ARIA

   ARIA is a general-purpose block cipher algorithm developed by Korean
   cryptographers in 2003.  It is an iterated block cipher with 128-,
   192-, and 256-bit keys that encrypts 128-bit blocks in 12, 14, and 16
   rounds, depending on the key size.  It is secure and suitable for
   most software and hardware implementations on 32-bit and 8-bit
   processors.  It was established as a Korean standard block cipher
   algorithm in 2004 [ARIAKS] and has been widely used in Korea,
   especially for government-to-public services.  It was included in
   PKCS #11 in 2007 [ARIAPKCS].  The algorithm specification and object
   identifiers are described in [RFC5794].

1.2.  Terminology

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].

2.  Cryptographic Transforms

   The block ciphers ARIA and AES share common characteristics,
   including the modes of operation, key sizes, and block size.  ARIA
   places no restrictions on the modes of operation that are used with
   it.  We define two modes of running ARIA within the SRTP protocol:
   (1) ARIA in Counter Mode (ARIA-CTR) and (2) ARIA in Galois/Counter
   Mode (ARIA-GCM).

2.1.  ARIA-CTR

   Section 4.1.1 of [RFC3711] defines AES-128 counter mode encryption,
   which it refers to as "AES_CM".  Section 2 of [RFC6188] defines
   "AES_256_CM" in SRTP.  The ARIA counter modes are defined in the same
   manner, except that each invocation of AES is replaced by an
   invocation of ARIA [RFC5794]; they are denoted ARIA_128_CTR and
   ARIA_256_CTR, respectively, according to the key length.  The
   plaintext inputs to the block cipher are formed as in AES-CTR
   (AES_CM, AES_256_CM), and the block cipher outputs are processed as
   in AES-CTR.  Note that ARIA-CTR MUST be used only in conjunction with
   an authentication transform.

   Section 3.2 of [RFC6904] defines AES-CTR for SRTP header extension
   keystream generation.  When ARIA-CTR is used, the header extension
   keystream SHALL be generated in the same manner, except that each
   invocation of AES is replaced by an invocation of ARIA [RFC5794].

2.2.  ARIA-GCM

   GCM (Galois/Counter Mode) [GCM][RFC5116] is an AEAD (Authenticated
   Encryption with Associated Data) block cipher mode.  ARIA-GCM is
   defined in the same way as AES-GCM, as described in
   [RFC5116][RFC5282].

   [RFC7714] describes the use of AES-GCM with SRTP [RFC3711][RFC6904].
   The use of ARIA-GCM with SRTP is defined in the same way as that of
   AES-GCM, except that each invocation of AES is replaced by ARIA
   [RFC5794].  When encryption of header extensions [RFC6904] is in use,
   a separate keystream to encrypt selected RTP header extension
   elements MUST be generated in the same manner as defined in
   [RFC7714], except that AES-CTR is replaced by ARIA-CTR.

3.  Key Derivation Functions

   Section 4.3.3 of [RFC3711] defines the AES-128 counter mode key
   derivation function, which it refers to as "AES-CM PRF".  Section 3
   of [RFC6188] defines the AES-256 counter mode key derivation
   function, which it refers to as "AES_256_CM_PRF".  The ARIA-CTR PRF
   is defined in the same manner, except that each invocation of AES is
   replaced by an invocation of ARIA.  According to the key length of
   the underlying encryption algorithm, the ARIA-CTR PRFs are denoted
   "ARIA_128_CTR_PRF" and "ARIA_256_CTR_PRF".  The usage requirements of
   [RFC6188][RFC7714] regarding the AES-CM PRF apply to the ARIA-CTR PRF
   as well.

4.  Protection Profiles

   This section defines SRTP Protection Profiles that use the ARIA
   transforms and key derivation functions defined in this document.
   The following list gives the SRTP transform parameters for each
   protection profile.  They are described for use with DTLS-SRTP
   [RFC5764].

   The parameters cipher_key_length, cipher_salt_length,
   auth_key_length, and auth_tag_length express the number of bits in
   the values to which they refer.
   The maximum_lifetime parameter
   indicates the maximum number of packets that can be protected with
   each single set of keys when the parameter profile is in use.  All of
   these parameters apply to both RTP and RTCP, unless the RTCP
   parameters are separately specified.

   SRTP_ARIA_128_CTR_HMAC_SHA1_80
        cipher: ARIA_128_CTR
        cipher_key_length: 128 bits
        cipher_salt_length: 112 bits
        key derivation function: ARIA_128_CTR_PRF
        auth_function: HMAC-SHA1
        auth_key_length: 160 bits
        auth_tag_length: 80 bits
        maximum_lifetime: at most 2^31 SRTCP packets and
                          at most 2^48 SRTP packets

   SRTP_ARIA_128_CTR_HMAC_SHA1_32
        cipher: ARIA_128_CTR
        cipher_key_length: 128 bits
        cipher_salt_length: 112 bits
        key derivation function: ARIA_128_CTR_PRF
        auth_function: HMAC-SHA1
        auth_key_length: 160 bits
        SRTP auth_tag_length: 32 bits
        SRTCP auth_tag_length: 80 bits
        maximum_lifetime: at most 2^31 SRTCP packets and
                          at most 2^48 SRTP packets

   SRTP_ARIA_256_CTR_HMAC_SHA1_80
        cipher: ARIA_256_CTR
        cipher_key_length: 256 bits
        cipher_salt_length: 112 bits
        key derivation function: ARIA_256_CTR_PRF
        auth_function: HMAC-SHA1
        auth_key_length: 160 bits
        auth_tag_length: 80 bits
        maximum_lifetime: at most 2^31 SRTCP packets and
                          at most 2^48 SRTP packets

   SRTP_ARIA_256_CTR_HMAC_SHA1_32
        cipher: ARIA_256_CTR
        cipher_key_length: 256 bits
        cipher_salt_length: 112 bits
        key derivation function: ARIA_256_CTR_PRF
        auth_function: HMAC-SHA1
        auth_key_length: 160 bits
        SRTP auth_tag_length: 32 bits
        SRTCP auth_tag_length: 80 bits
        maximum_lifetime: at most 2^31 SRTCP packets and
                          at most 2^48 SRTP packets

   SRTP_AEAD_ARIA_128_GCM
        cipher: ARIA_128_GCM
        cipher_key_length: 128 bits
        cipher_salt_length: 96 bits
        aead_auth_tag_length: 128 bits
        auth_function: NULL
        auth_key_length: N/A
        auth_tag_length: N/A
        key derivation function: ARIA_128_CTR_PRF
        maximum_lifetime: at most 2^31 SRTCP packets and
                          at most 2^48 SRTP packets

   SRTP_AEAD_ARIA_256_GCM
        cipher: ARIA_256_GCM
        cipher_key_length: 256 bits
        cipher_salt_length: 96 bits
        aead_auth_tag_length: 128 bits
        auth_function: NULL
        auth_key_length: N/A
        auth_tag_length: N/A
        key derivation function: ARIA_256_CTR_PRF
        maximum_lifetime: at most 2^31 SRTCP packets and
                          at most 2^48 SRTP packets

   The ARIA-CTR protection profiles use the same authentication
   transform that is mandatory to implement in SRTP, HMAC-SHA1 with a
   160-bit key.

   Note that SRTP Protection Profiles that use AEAD algorithms do not
   specify an auth_function, auth_key_length, or auth_tag_length, since
   they do not use a separate auth_function, auth_key, or auth_tag.  The
   term aead_auth_tag_length is used to emphasize that this refers to
   the authentication tag provided by the AEAD algorithm and that this
   tag is not located in the authentication tag field provided by SRTP/
   SRTCP.

   The PRF for each ARIA protection profile is the ARIA-CTR PRF whose
   key length equals that of the encryption algorithm (see Section 2).
   SRTP_ARIA_128_CTR_HMAC and SRTP_AEAD_ARIA_128_GCM MUST use the
   ARIA_128_CTR_PRF Key Derivation Function, and SRTP_ARIA_256_CTR_HMAC
   and SRTP_AEAD_ARIA_256_GCM MUST use the ARIA_256_CTR_PRF Key
   Derivation Function.

   MIKEY specifies the SRTP protection profile definition separately
   from the key length (which is specified by the Session Encryption key
   length) and the authentication tag length.  The DTLS-SRTP [RFC5764]
   protection profiles are mapped to MIKEY parameter sets as shown
   below.

   +---------------------------+------------+------------+------------+
   | Protection Profile        | Encryption | Encryption | Auth.      |
   |                           | Algorithm  | Key Length | Tag Length |
   +===========================+============+============+============+
   | SRTP_ARIA_128_CTR_HMAC_80 | ARIA-CTR   | 16 octets  | 10 octets  |
   | SRTP_ARIA_128_CTR_HMAC_32 | ARIA-CTR   | 16 octets  |  4 octets  |
   | SRTP_ARIA_256_CTR_HMAC_80 | ARIA-CTR   | 32 octets  | 10 octets  |
   | SRTP_ARIA_256_CTR_HMAC_32 | ARIA-CTR   | 32 octets  |  4 octets  |
   +===========================+============+============+============+

     Figure 1: Mapping MIKEY parameters to ARIA-CTR with HMAC algorithm

   +------------------------+------------+------------+------------+
   | Protection Profile     | Encryption | Encryption | AEAD Auth. |
   |                        | Algorithm  | Key Length | Tag Length |
   +========================+============+============+============+
   | SRTP_AEAD_ARIA_128_GCM | ARIA-GCM   | 16 octets  | 16 octets  |
   | SRTP_AEAD_ARIA_256_GCM | ARIA-GCM   | 32 octets  | 16 octets  |
   +========================+============+============+============+

          Figure 2: Mapping MIKEY parameters to AEAD algorithm

5.  Security Considerations

   At the time of publication of this document, no security problem has
   been found in ARIA.  Previous security analysis results are
   summarized in [ATY].

   The security considerations in [GCM] [RFC3711] [RFC5116] [RFC6188]
   [RFC6904] [RFC7714] apply to this document as well.  This document
   includes crypto suites with authentication tags of length less than
   80 bits.  These suites MAY be used for certain application contexts
   where longer authentication tags may be undesirable, for example,
   those mentioned in [RFC3711] Section 7.5.  Otherwise, short
   authentication tags SHOULD NOT be used, since they may reduce
   authentication strength.  See [RFC3711] Section 9.5 for a discussion
   of risks related to weak authentication in SRTP.

   At the time of publication of this document, SRTP recommends HMAC-
   SHA1 as the default and mandatory-to-implement MAC algorithm.  All
   currently registered SRTP crypto suites except the GCM-based ones use
   HMAC-SHA1 as their HMAC algorithm to provide message authentication.
   Due to security concerns with SHA-1 [RFC6194], the IETF is gradually
   moving away from SHA-1 and towards stronger hash algorithms such as
   the SHA-2 or SHA-3 families.  For SRTP, however, SHA-1 is only used
   in the calculation of an HMAC, and no security issue is known for
   this usage at the time of this publication.

6.  IANA Considerations

6.1.  DTLS-SRTP

   DTLS-SRTP [RFC5764] defines a DTLS-SRTP "SRTP Protection Profile".
   In order to allow the use of the algorithms defined in this document
   in DTLS-SRTP, IANA is requested to add the protection profiles below
   to the "DTLS-SRTP Protection Profiles" registry created by [RFC5764],
   located on the following IANA page at the time of writing:
   http://www.iana.org/assignments/srtp-protection/.

   SRTP_ARIA_128_CTR_HMAC_SHA1_80 = {TBD,TBD}
   SRTP_ARIA_128_CTR_HMAC_SHA1_32 = {TBD,TBD}
   SRTP_ARIA_256_CTR_HMAC_SHA1_80 = {TBD,TBD}
   SRTP_ARIA_256_CTR_HMAC_SHA1_32 = {TBD,TBD}
   SRTP_AEAD_ARIA_128_GCM         = {TBD,TBD}
   SRTP_AEAD_ARIA_256_GCM         = {TBD,TBD}

6.2.  MIKEY

   [RFC3830] and [RFC5748] define encryption algorithms and PRFs for the
   SRTP policy in MIKEY.  In order to allow the use of the algorithms
   defined in this document in MIKEY, IANA is requested to add the two
   encryption algorithms below to the "MIKEY Security Protocol
   Parameters SRTP Type 0 (Encryption algorithm)" registry and to add
   the PRF below to the "MIKEY Security Protocol Parameters SRTP Type 5
   (Pseudo Random Function)" registry created by [RFC3830], located on
   the following IANA page at the time of writing:
   http://www.iana.org/assignments/mikey-payloads/.

   +---------------+-------+
   | SRTP Enc. alg | Value |
   +---------------+-------+
   | ARIA-CTR      | TBD   |
   | ARIA-GCM      | TBD   |
   +---------------+-------+

   The default session encryption key length is 16 octets.

   +----------+-------+
   | SRTP PRF | Value |
   +----------+-------+
   | ARIA-CTR | TBD   |
   +----------+-------+

7.  References

7.1.  Normative References

   [GCM]      Dworkin, M., "Recommendation for Block Cipher Modes of
              Operation: Galois/Counter Mode (GCM) and GMAC", NIST
              SP 800-38D, November 2007.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997.

   [RFC3550]  Schulzrinne, H., Casner, S., Frederick, R., and V.
              Jacobson, "RTP: A Transport Protocol for Real-Time
              Applications", STD 64, RFC 3550, DOI 10.17487/RFC3550,
              July 2003.

   [RFC3711]  Baugher, M., McGrew, D., Naslund, M., Carrara, E., and K.
              Norrman, "The Secure Real-time Transport Protocol (SRTP)",
              RFC 3711, DOI 10.17487/RFC3711, March 2004.

   [RFC3830]  Arkko, J., Carrara, E., Lindholm, F., Naslund, M., and K.
              Norrman, "MIKEY: Multimedia Internet KEYing", RFC 3830,
              DOI 10.17487/RFC3830, August 2004.

   [RFC5116]  McGrew, D., "An Interface and Algorithms for Authenticated
              Encryption", RFC 5116, DOI 10.17487/RFC5116, January 2008.

   [RFC5282]  Black, D. and D. McGrew, "Using Authenticated Encryption
              Algorithms with the Encrypted Payload of the Internet Key
              Exchange version 2 (IKEv2) Protocol", RFC 5282,
              DOI 10.17487/RFC5282, August 2008.

   [RFC5764]  McGrew, D. and E. Rescorla, "Datagram Transport Layer
              Security (DTLS) Extension to Establish Keys for the Secure
              Real-time Transport Protocol (SRTP)", RFC 5764,
              DOI 10.17487/RFC5764, May 2010.

   [RFC5794]  Lee, J., Lee, J., Kim, J., Kwon, D., and C. Kim, "A
              Description of the ARIA Encryption Algorithm", RFC 5794,
              DOI 10.17487/RFC5794, March 2010.

   [RFC6188]  McGrew, D., "The Use of AES-192 and AES-256 in Secure
              RTP", RFC 6188, DOI 10.17487/RFC6188, March 2011.

   [RFC6904]  Lennox, J., "Encryption of Header Extensions in the Secure
              Real-time Transport Protocol (SRTP)", RFC 6904,
              DOI 10.17487/RFC6904, April 2013.

   [RFC7714]  McGrew, D. and K. Igoe, "AES-GCM Authenticated Encryption
              in the Secure Real-time Transport Protocol (SRTP)",
              RFC 7714, DOI 10.17487/RFC7714, December 2015.

7.2.  Informative References

   [ARIAKS]   Korean Agency for Technology and Standards, "128 bit block
              encryption algorithm ARIA - Part 1: General (in Korean)",
              KS X 1213-1:2009, December 2009.

   [ARIAPKCS] RSA Laboratories, "Additional PKCS #11 Mechanisms",
              PKCS #11 v2.20 Amendment 3 Revision 1, January 2007.

   [ATY]      Abdelkhalek, A., Tolba, M., and A. Youssef, "Improved
              linear cryptanalysis of round-reduced ARIA", Information
              Security - ISC 2016, Lecture Notes in Computer Science
              (LNCS) Vol. 9866, pp. 18-34, September 2016.

   [RFC5748]  Yoon, S., Jeong, J., Kim, H., Jeong, H., and Y. Won, "IANA
              Registry Update for Support of the SEED Cipher Algorithm
              in Multimedia Internet KEYing (MIKEY)", RFC 5748,
              DOI 10.17487/RFC5748, August 2010.

   [RFC6194]  Polk, T., Chen, L., Turner, S., and P. Hoffman, "Security
              Considerations for the SHA-0 and SHA-1 Message-Digest
              Algorithms", RFC 6194, DOI 10.17487/RFC6194, March 2011.

Appendix A.  Test Vectors

   All values are in hexadecimal and in network byte order (big
   endian).

A.1.  ARIA-CTR Test Vectors

   Common values are organized as follows:

   Rollover Counter:       00000000
   Sequence Number:        315e
   SSRC:                   20e8f5eb
   Authentication Key:     f93563311b354748c978913795530631
                           16452309
   Session Salt:           cd3a7c42c671e0067a2a2639b43a
   Initialization Vector:  cd3a7c42e69915ed7a2a263985640000
   RTP header:             8008315ebf2e6fe020e8f5eb
   RTP Payload:            f57af5fd4ae19562976ec57a5a7ad55a
                           5af5c5e5c5fdf5c55ad57a4a7272d572
                           62e9729566ed66e97ac54a4a5a7ad5e1
                           5ae5fdd5fd5ac5d56ae56ad5c572d54a
                           e54ac55a956afd6aed5a4ac562957a95
                           16991691d572fd14e97ae962ed7a9f4a
                           955af572e162f57a956666e17ae1f54a
                           95f566d54a66e16e4afd6a9f7ae1c5c5
                           5ae5d56afde916c5e94a6ec56695e14a
                           fde1148416e94ad57ac5146ed59d1cc5

A.1.1.  SRTP_ARIA_128_CTR_HMAC_SHA1_80

   Session Key:            0c5ffd37a11edc42c325287fc0604f2e

   Encrypted RTP Payload:  1bf753f412e6f35058cc398dc851aae3
                           a6ccdcb463fbed9cfb3de2fb76fdffa9
                           e481f5efb64c92487f59dabbc7cc72da
                           092485f3fbad87888820b86037311fa4
                           4330e18a59a1e1338ba2c21458493a57
                           463475c54691f91cec785429119e0dfc
                           d9048f90e07fecd50b528e8c62ee6e71
                           445de5d7f659405135aff3604c2ca4ff
                           4aaca40809cb9eee42cc4ad232307570
                           81ca289f2851d3315e9568b501fdce6d

   Authenticated portion || Rollover Counter:
                           8008315ebf2e6fe020e8f5eb1bf753f4
                           12e6f35058cc398dc851aae3a6ccdcb4
                           63fbed9cfb3de2fb76fdffa9e481f5ef
                           b64c92487f59dabbc7cc72da092485f3
                           fbad87888820b86037311fa44330e18a
                           59a1e1338ba2c21458493a57463475c5
                           4691f91cec785429119e0dfcd9048f90
                           e07fecd50b528e8c62ee6e71445de5d7
                           f659405135aff3604c2ca4ff4aaca408
                           09cb9eee42cc4ad23230757081ca289f
                           2851d3315e9568b501fdce6d00000000

   Authentication Tag:     f9de4e729054672b0e35

A.1.2.  SRTP_ARIA_256_CTR_HMAC_SHA1_80

   Session Key:            0c5ffd37a11edc42c325287fc0604f2e
                           3e8cd5671a00fe3216aa5eb105783b54

   Encrypted RTP Payload:  c424c59fd5696305e5b13d8e8ca76566
                           17ccd7471088af9debf07b55c750f804
                           a5ac2b737be48140958a9b420524112a
                           e72e4da5bca59d2b1019ddd7dbdc30b4
                           3d5f046152ced40947d62d2c93e7b8e5
                           0f02db2b6b61b010e4c1566884de1fa9
                           702cdf8157e8aedfe3dd77c76bb50c25
                           ae4d624615c15acfdeeb5f79482aaa01
                           d3e4c05eb601eca2bd10518e9d46b021
                           16359232e9eac0fabd05235dd09e6dea

   Authenticated portion || Rollover Counter:
                           8008315ebf2e6fe020e8f5ebc424c59f
                           d5696305e5b13d8e8ca7656617ccd747
                           1088af9debf07b55c750f804a5ac2b73
                           7be48140958a9b420524112ae72e4da5
                           bca59d2b1019ddd7dbdc30b43d5f0461
                           52ced40947d62d2c93e7b8e50f02db2b
                           6b61b010e4c1566884de1fa9702cdf81
                           57e8aedfe3dd77c76bb50c25ae4d6246
                           15c15acfdeeb5f79482aaa01d3e4c05e
                           b601eca2bd10518e9d46b02116359232
                           e9eac0fabd05235dd09e6dea00000000

   Authentication Tag:     192f515fab04bbb4e62c

A.2.  ARIA-GCM Test Vectors

   Common values are organized as follows:

   Rollover Counter:       00000000
   Sequence Number:        315e
   SSRC:                   20e8f5eb
   Encryption Salt:        000000000000000000000000
   Initialization Vector:  000020e8f5eb00000000315e
   RTP Payload:            f57af5fd4ae19562976ec57a5a7ad55a
                           5af5c5e5c5fdf5c55ad57a4a7272d572
                           62e9729566ed66e97ac54a4a5a7ad5e1
                           5ae5fdd5fd5ac5d56ae56ad5c572d54a
                           e54ac55a956afd6aed5a4ac562957a95
                           16991691d572fd14e97ae962ed7a9f4a
                           955af572e162f57a956666e17ae1f54a
                           95f566d54a66e16e4afd6a9f7ae1c5c5
                           5ae5d56afde916c5e94a6ec56695e14a
                           fde1148416e94ad57ac5146ed59d1cc5
   Associated Data:        8008315ebf2e6fe020e8f5eb

   The encrypted payload is 16 octets longer than the payload; the
   additional 16 octets are the authentication tag produced by GCM.

A.2.1.  SRTP_AEAD_ARIA_128_GCM

   Key:                    e91e5e75da65554a48181f3846349562

   Encrypted RTP Payload:  4d8a9a0675550c704b17d8c9ddc81a5c
                           d6f7da34f2fe1b3db7cb3dfb9697102e
                           a0f3c1fc2dbc873d44bceeae8e444297
                           4ba21ff6789d3272613fb9631a7cf3f1
                           4bacbeb421633a90ffbe58c2fa6bdca5
                           34f10d0de0502ce1d531b6336e588782
                           78531e5c22bc6c85bbd784d78d9e680a
                           a19031aaf89101d669d7a3965c1f7e16
                           229d7463e0535f4e253f5d18187d40b8
                           ae0f564bd970b5e7e2adfb211e89a953
                           5abace3f37f5a736f4be984bbffbedc1

A.2.2.  SRTP_AEAD_ARIA_256_GCM

   Key:                    0c5ffd37a11edc42c325287fc0604f2e
                           3e8cd5671a00fe3216aa5eb105783b54

   Encrypted RTP Payload:  6f9e4bcbc8c85fc0128fb1e4a0a20cb9
                           932ff74581f54fc013dd054b19f99371
                           425b352d97d3f337b90b63d1b082adee
                           ea9d2d7391897d591b985e55fb50cb53
                           50cf7d38dc27dda127c078a149c8eb98
                           083d66363a46e3726af217d3a00275ad
                           5bf772c7610ea4c23006878f0ee69a83
                           97703169a419303f40b72e4573714d19
                           e2697df61e7c7252e5abc6bade876ac4
                           961bfac4d5e867afca351a48aed52822
                           e210d6ced2cf430ff841472915e7ef48

A.3.  Key Derivation Test Vector

   This section provides test vectors for the default key derivation
   function that uses ARIA in Counter Mode.  In the following, we walk
   through the initial key derivation for the ARIA Counter Mode cipher,
   which requires a 16/24/32 octet session encryption key according to
   the session encryption key length and a 14 octet session salt, and an
   authentication function that requires a 94 octet session
   authentication key.  These values are called the cipher key, the
   cipher salt, and the auth key in the following.  The test vectors are
   generated in the same way as the test vectors of the key derivation
   functions in [RFC3711] and [RFC6188], but with each invocation of AES
   replaced with an invocation of ARIA.

A.3.1.  ARIA_128_CTR_PRF

   The inputs to the key derivation function are the 16 octet master key
   and the 14 octet master salt:

   master key:  e1f97a0d3e018be0d64fa32c06de4139
   master salt: 0ec675ad498afeebb6960b3aabe6

   index DIV kdr:                 000000000000
   label:                       00
   master salt:   0ec675ad498afeebb6960b3aabe6
   -----------------------------------------------
   xor:           0ec675ad498afeebb6960b3aabe6     (x, PRF input)

   x*2^16:        0ec675ad498afeebb6960b3aabe60000 (ARIA-CTR input)

   cipher key:    dbd85a3c4d9219b3e81f7d942e299de4 (ARIA-CTR output)

   The ARIA-CTR protection profiles require a 14 octet cipher salt,
   while the ARIA-GCM protection profiles require a 12 octet cipher
   salt.

   index DIV kdr:                 000000000000
   label:                       02
   master salt:   0ec675ad498afeebb6960b3aabe6
   ----------------------------------------------
   xor:           0ec675ad498afee9b6960b3aabe6     (x, PRF input)

   x*2^16:        0ec675ad498afee9b6960b3aabe60000 (ARIA-CTR input)

                  9700657f5f34161830d7d85f5dc8be7f (ARIA-CTR output)

   cipher salt:   9700657f5f34161830d7d85f5dc8     (ARIA-CTR profile)
                  9700657f5f34161830d7d85f         (ARIA-GCM profile)

   index DIV kdr:                 000000000000
   label:                       01
   master salt:   0ec675ad498afeebb6960b3aabe6
   -----------------------------------------------
   xor:           0ec675ad498afeeab6960b3aabe6     (x, PRF input)

   x*2^16:        0ec675ad498afeeab6960b3aabe60000 (ARIA-CTR input)

   Below, the auth key is shown on the left, while the corresponding
   ARIA input blocks are shown on the right.

   auth key                           ARIA input blocks

   d021877bd3eaf92d581ed70ddc050e03   0ec675ad498afeeab6960b3aabe60000
   f11257032676f2a29f57b21abd3a1423   0ec675ad498afeeab6960b3aabe60001
   769749bdc5dd9ca5b43ca6b6c1f3a7de   0ec675ad498afeeab6960b3aabe60002
   4047904bcf811f601cc03eaa5d7af6db   0ec675ad498afeeab6960b3aabe60003
   9f88efa2e51ca832fc2a15b126fa7be2   0ec675ad498afeeab6960b3aabe60004
   469af896acb1852c31d822c45799       0ec675ad498afeeab6960b3aabe60005

A.3.2.  ARIA_256_CTR_PRF

   The inputs to the key derivation function are the 32 octet master key
   and the 14 octet master salt:

   master key:  0c5ffd37a11edc42c325287fc0604f2e
                3e8cd5671a00fe3216aa5eb105783b54
   master salt: 0ec675ad498afeebb6960b3aabe6

   index DIV kdr:                 000000000000
   label:                       00
   master salt:   0ec675ad498afeebb6960b3aabe6
   -----------------------------------------------
   xor:           0ec675ad498afeebb6960b3aabe6     (x, PRF input)

   x*2^16:        0ec675ad498afeebb6960b3aabe60000 (ARIA-CTR input)

   cipher key:    0649a09d93755fe9c2b2efba1cce930a (ARIA-CTR 1st output)
                  f2e76ce8b77e4b175950321aa94b0cf4 (ARIA-CTR 2nd output)

   The ARIA-CTR protection profiles require a 14 octet cipher salt,
   while the ARIA-GCM protection profiles require a 12 octet cipher
   salt.

   index DIV kdr:                 000000000000
   label:                       02
   master salt:   0ec675ad498afeebb6960b3aabe6
   ----------------------------------------------
   xor:           0ec675ad498afee9b6960b3aabe6     (x, PRF input)

   x*2^16:        0ec675ad498afee9b6960b3aabe60000 (ARIA-CTR input)

                  194abaa8553a8eba8a413a340fc80a3d (ARIA-CTR output)

   cipher salt:   194abaa8553a8eba8a413a340fc8     (ARIA-CTR profile)
                  194abaa8553a8eba8a413a34         (ARIA-GCM profile)

   index DIV kdr:                 000000000000
   label:                       01
   master salt:   0ec675ad498afeebb6960b3aabe6
   -----------------------------------------------
   xor:           0ec675ad498afeeab6960b3aabe6     (x, PRF input)

   x*2^16:        0ec675ad498afeeab6960b3aabe60000 (ARIA-CTR input)

   Below, the auth key is shown on the left, while the corresponding
   ARIA input blocks are shown on the right.
   auth key                           ARIA input blocks

   e58d42915873b71899234807334658f2   0ec675ad498afeeab6960b3aabe60000
   0bc460181d06e02b7a9e60f02ff10bfc   0ec675ad498afeeab6960b3aabe60001
   9ade3795cf78f3e0f2556d9d913470c4   0ec675ad498afeeab6960b3aabe60002
   e82e45d254bfb8e2933851a3930ffe7d   0ec675ad498afeeab6960b3aabe60003
   fca751c03ec1e77e35e28dac4f17d1a5   0ec675ad498afeeab6960b3aabe60004
   80bdac028766d3b1e8f5a41faa3c       0ec675ad498afeeab6960b3aabe60005

Authors' Addresses

   Woo-Hwan Kim
   National Security Research Institute
   P.O.Box 1, Yuseong
   Daejeon 34188
   Korea

   EMail: whkim5@nsr.re.kr


   Jungkeun Lee
   National Security Research Institute
   P.O.Box 1, Yuseong
   Daejeon 34188
   Korea

   EMail: jklee@nsr.re.kr


   Je-Hong Park
   National Security Research Institute
   P.O.Box 1, Yuseong
   Daejeon 34188
   Korea

   EMail: jhpark@nsr.re.kr


   Daesung Kwon
   National Security Research Institute
   P.O.Box 1, Yuseong
   Daejeon 34188
   Korea

   EMail: ds_kwon@nsr.re.kr


   Dong-Chan Kim
   Kookmin University
   77 Jeongneung-ro, Seongbuk-gu
   Seoul 02707
   Korea

   EMail: dckim@kookmin.ac.kr
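The following Python is an added worked example, not code from the draft or its authors. It builds the SRTP values that the ARIA profiles inherit unchanged from AES_CM and AES-GCM (the ARIA-CTR and ARIA-GCM IV layouts of Section 2, the HMAC-SHA1 input of the ARIA-CTR profiles, and the ARIA-CTR PRF inputs and counter blocks of Section 3) and checks the cipher-independent parts against the Appendix A vectors. The block cipher is passed in as a function; standin_block_encrypt is an assumed placeholder and is not ARIA, so the Appendix A.3 key outputs are reproduced only once a real ARIA implementation is plugged in.

```python
# Added example for this draft (not the draft's or the authors' code): the SRTP
# pieces the ARIA profiles reuse unchanged from AES_CM / AES-GCM, i.e. the CTR and
# GCM IV layouts (Section 2), the HMAC-SHA1 input of the ARIA-CTR profiles
# (Section 2.1), and the ARIA-CTR PRF key derivation (Section 3), checked against
# the Appendix A values.  The block cipher is a parameter: standin_block_encrypt
# is NOT ARIA, only a labelled placeholder so the derivation runs offline.
import hashlib
import hmac

BLOCK = 16  # ARIA, like AES, has a 128-bit block

# Session key / salt / auth-key lengths in octets, from the Section 4 profiles.
PROFILES = {
    "SRTP_ARIA_128_CTR_HMAC_SHA1_80": dict(n_e=16, n_s=14, n_a=20),
    "SRTP_ARIA_256_CTR_HMAC_SHA1_80": dict(n_e=32, n_s=14, n_a=20),
    "SRTP_AEAD_ARIA_128_GCM": dict(n_e=16, n_s=12, n_a=0),  # no separate auth key
    "SRTP_AEAD_ARIA_256_GCM": dict(n_e=32, n_s=12, n_a=0),
}

def ctr_iv(session_salt: bytes, ssrc: int, roc: int, seq: int) -> bytes:
    """ARIA-CTR IV, formed exactly as for AES_CM (RFC 3711, Section 4.1.1):
    IV = (k_s * 2^16) XOR (SSRC * 2^64) XOR (i * 2^16), i = ROC || SEQ (48 bits)."""
    if len(session_salt) != 14:
        raise ValueError("ARIA-CTR profiles use a 112-bit session salt")
    i = (roc << 16) | seq
    iv = int.from_bytes(session_salt + b"\x00\x00", "big") ^ (ssrc << 64) ^ (i << 16)
    return iv.to_bytes(BLOCK, "big")

def gcm_iv(session_salt: bytes, ssrc: int, roc: int, seq: int) -> bytes:
    """ARIA-GCM 12-octet IV, formed as for AES-GCM (RFC 7714, Section 8.1):
    (00 00 || SSRC || ROC || SEQ) XOR session salt."""
    if len(session_salt) != 12:
        raise ValueError("ARIA-GCM profiles use a 96-bit session salt")
    raw = b"\x00\x00" + ssrc.to_bytes(4, "big") + roc.to_bytes(4, "big") + seq.to_bytes(2, "big")
    return bytes(a ^ b for a, b in zip(raw, session_salt))

def ctr_auth_input(rtp_header: bytes, enc_payload: bytes, roc: int) -> bytes:
    """What HMAC-SHA1 covers in the ARIA-CTR profiles: the authenticated portion
    (header || encrypted payload) followed by the 4-octet rollover counter."""
    return rtp_header + enc_payload + roc.to_bytes(4, "big")

def ctr_auth_tag(auth_key: bytes, rtp_header: bytes, enc_payload: bytes, roc: int,
                 tag_len: int = 10) -> bytes:
    """HMAC-SHA1 tag truncated to auth_tag_length (10 octets for the _80 profiles)."""
    mac = hmac.new(auth_key, ctr_auth_input(rtp_header, enc_payload, roc), hashlib.sha1)
    return mac.digest()[:tag_len]

def prf_input(master_salt: bytes, label: int, index_div_kdr: int) -> bytes:
    """x = (label || index DIV kdr) XOR master_salt (RFC 3711, Section 4.3.1); the
    7-octet key_id is right-aligned against the 14-octet salt."""
    key_id = (label << 48) | index_div_kdr
    return (int.from_bytes(master_salt, "big") ^ key_id).to_bytes(14, "big")

def prf_counter_blocks(x: bytes, n_octets: int) -> list:
    """Block cipher inputs of the CTR PRF: x * 2^16, then +1, +2, ... until n_octets."""
    n_blocks = -(-n_octets // BLOCK)  # ceiling division
    return [x + ctr.to_bytes(2, "big") for ctr in range(n_blocks)]

def aria_ctr_prf(block_encrypt, master_key: bytes, master_salt: bytes,
                 label: int, index_div_kdr: int, n_octets: int) -> bytes:
    """ARIA_128/256_CTR_PRF: the AES-CM PRF with every AES call replaced by ARIA."""
    x = prf_input(master_salt, label, index_div_kdr)
    stream = b"".join(block_encrypt(master_key, b) for b in prf_counter_blocks(x, n_octets))
    return stream[:n_octets]

def derive_session_keys(block_encrypt, master_key, master_salt, profile, index_div_kdr=0):
    """Labels 0x00 (cipher key), 0x02 (cipher salt), 0x01 (auth key).  The salt is
    14 octets for the CTR profiles and 12 for the GCM profiles, which derive no auth key."""
    p = PROFILES[profile]
    def prf(label, n):
        return aria_ctr_prf(block_encrypt, master_key, master_salt, label, index_div_kdr, n)
    keys = {"cipher_key": prf(0x00, p["n_e"]), "cipher_salt": prf(0x02, p["n_s"])}
    if p["n_a"]:
        keys["auth_key"] = prf(0x01, p["n_a"])
    return keys

def standin_block_encrypt(key: bytes, block: bytes) -> bytes:
    """PLACEHOLDER, not ARIA: keyed SHA-256 truncated to one block so the derivation
    runs offline.  Swap in a real ARIA encrypt to reproduce the Appendix A.3 outputs."""
    return hashlib.sha256(key + block).digest()[:BLOCK]

if __name__ == "__main__":
    # Inputs taken from Appendix A.1, A.2 and A.3.1 of the draft.
    ssrc, roc, seq = 0x20E8F5EB, 0, 0x315E
    print("ARIA-CTR IV:", ctr_iv(bytes.fromhex("cd3a7c42c671e0067a2a2639b43a"), ssrc, roc, seq).hex())
    print("ARIA-GCM IV:", gcm_iv(bytes(12), ssrc, roc, seq).hex())
    master_key = bytes.fromhex("e1f97a0d3e018be0d64fa32c06de4139")
    master_salt = bytes.fromhex("0ec675ad498afeebb6960b3aabe6")
    for label in (0x00, 0x02, 0x01):  # these PRF inputs match A.3.1 whatever the cipher
        print(f"label {label:02x} PRF input:", prf_input(master_salt, label, 0).hex())
    keys = derive_session_keys(standin_block_encrypt, master_key, master_salt,
                               "SRTP_ARIA_128_CTR_HMAC_SHA1_80")
    for name, k in keys.items():
        print(f"{name:11s} ({len(k)} octets, stand-in cipher): {k.hex()}")
```

The IVs, PRF inputs and counter blocks printed for the Appendix A inputs match the values listed there; the key material differs until a real ARIA block function replaces the stand-in.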