Network Working Group                                          D. McGrew
Internet Draft                                       Cisco Systems, Inc.
Intended Status: Standards Track                                 K. Igoe
Expires: February 27, 2014                      National Security Agency
                                                         August 26, 2013

    AES-GCM and AES-CCM Authenticated Encryption in Secure RTP (SRTP)
                   draft-ietf-avtcore-srtp-aes-gcm-08

Status of this Memo

   This Internet-Draft is submitted to IETF in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF). Note that other groups may also distribute
   working documents as Internet-Drafts.
   The list of current Internet-Drafts is at
   http://datatracker.ietf.org/drafts/current.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time. It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on February 27, 2014.

Copyright Notice

   Copyright (c) 2013 IETF Trust and the persons identified as the
   document authors. All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document. Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document. Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Abstract

   This document defines how AES-GCM and AES-CCM Authenticated
   Encryption with Associated Data algorithms can be used to provide
   confidentiality and data authentication in the SRTP protocol.

Table of Contents

   1. Introduction
   2. Conventions Used In This Document
   3. Overview of the SRTP/SRTCP Security Architecture
   4. Terminology
   5. Generic AEAD Processing
      5.1. Types of Input Data
      5.2. AEAD Invocation Inputs and Outputs
         5.2.1. Encrypt Mode
         5.2.2. Decrypt Mode
      5.3. Handling of AEAD Authentication
   6. Counter Mode Encryption
   7. AEAD_AES_128_CCM_12 and AEAD_AES_256_CCM_12
   8. Unneeded SRTP/SRTCP Fields
      8.1. SRTP/SRTCP Authentication Field
      8.2. RTP Padding
   9. AES-GCM/CCM processing for SRTP
      9.1. SRTP IV formation for AES-GCM and AES-CCM
      9.2. Data Types in SRTP Packets
      9.3. Handling Header Extensions
      9.4. Prevention of SRTP IV Reuse
   10. AES-GCM/CCM Processing of SRTCP Compound Packets
      10.1. SRTCP IV formation for AES-GCM and AES-CCM
      10.2. Data Types in Encrypted SRTCP Compound Packets
      10.3. Data Types in Unencrypted SRTCP Compound Packets
      10.4. Prevention of SRTCP IV Reuse
   11. Constraints on AEAD for SRTP and SRTCP
   12. Key Derivation Functions
   13. Summary of Algorithm Characteristics
      13.1. AES-GCM for SRTP/SRTCP
      13.2. AES-CCM for SRTP/SRTCP
   14. Security Considerations
      14.1. Handling of Security Critical Parameters
      14.2. Size of the Authentication Tag
   15. IANA Considerations
      15.1. SDES
      15.2. DTLS
      15.3. MIKEY
      15.4. AEAD registry
   16. Parameters for use with MIKEY
   17. Acknowledgements
   18. References
      18.1. Normative References
      18.2. Informative References

1. Introduction

   The Secure Real-time Transport Protocol (SRTP) [RFC3711] is a profile
   of the Real-time Transport Protocol (RTP) [RFC3550], which can
   provide confidentiality, message authentication, and replay
   protection to the RTP traffic and to the control traffic for RTP, the
   Real-time Transport Control Protocol (RTCP). It is important to note
   that the outgoing SRTP packets from a single endpoint may be
   originating from several independent data sources.

   Authenticated encryption [BN00] is a form of encryption that, in
   addition to providing confidentiality for the plaintext that is
   encrypted, provides a way to check its integrity and authenticity.
   Authenticated Encryption with Associated Data, or AEAD [R02], adds
   the ability to check the integrity and authenticity of some
   Associated Data (AD), also called "additional authenticated data",
   that is not encrypted. This specification makes use of the interface
   to a generic AEAD algorithm as defined in [RFC5116].

   The Advanced Encryption Standard (AES) is a block cipher that
   provides a high level of security, and can accept different key
   sizes. Two families of AEAD algorithms, AES Galois/Counter Mode
   (AES-GCM) [GCM] and AES Counter with Cipher Block Chaining-Message
   Authentication Code (AES-CCM) [RFC3610], are based upon AES. This
   specification makes use of the AES versions that use 128-bit and
   256-bit keys, which we call AES-128 and AES-256, respectively.

   Any AEAD algorithm provides an intrinsic authentication tag. In many
   applications the authentication tag is truncated to less than full
   length. This document only allows three values for the length of the
   authentication tag: the authentication tag MUST be either 8 octets,
   12 octets, or 16 octets in length. As with the size of the key, the
   length of the authentication tag is set when the session is initiated
   and SHOULD NOT be altered. Thus each AEAD will have a total of six
   configurations, reflecting the two choices for key size (either 128
   or 256 bits) and the three choices for the length of the
   authentication tag (either 8, 12 or 16 octets).

   The Galois/Counter Mode of operation (GCM) and the Counter with
   Cipher Block Chaining-Message Authentication Code mode of operation
   (CCM) are both AEAD modes of operation for block ciphers. Both use
   counter mode to encrypt the data, an operation that can be
   efficiently pipelined. Further, GCM authentication uses operations
   that are particularly well suited to efficient implementation in
   hardware, making it especially appealing for high-speed
   implementations, or for implementations in an efficient and compact
   circuit. CCM is well suited for use in compact software
   implementations. This specification uses GCM and CCM with both
   AES-128 and AES-256.

   In summary, this document defines how to use AEAD algorithms,
   particularly AES-GCM and AES-CCM, to provide confidentiality and
   message authentication within SRTP and SRTCP packets.

2. Conventions Used In This Document

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
   "OPTIONAL" in this document are to be interpreted as described in
   [RFC2119].

3. Overview of the SRTP/SRTCP Security Architecture

   SRTP/SRTCP security is based upon the following principles:

      a) Both privacy and authentication are based upon the use of
         symmetric algorithms. An AEAD algorithm such as AES-CCM or
         AES-GCM combines privacy and authentication into a single
         process.

      b) A secret master key is shared by all participating endpoints,
         both those originating SRTP/SRTCP packets and those receiving
         these packets. Any given master key MAY be used
         simultaneously by several endpoints to originate SRTP/SRTCP
         packets (as well as one or more endpoints using this master
         key to process inbound data).

      c) A Key Derivation Function is applied to the shared master key
         value to form separate encryption keys, authentication keys
         and salting keys for SRTP and for SRTCP (a total of six
         keys). This process is described in sections 4.3.1 and 4.3.3
         of [RFC3711]. Since AEAD algorithms such as AES-CCM and
         AES-GCM combine encryption and authentication into a single
         process, AEAD algorithms do not make use of the
         authentication keys. The master key MUST be at least as
         large as the encryption key derived from it.

      d) Each time an instantiation of AES-GCM or AES-CCM is invoked
         to encrypt and authenticate an SRTP or SRTCP data packet a
         new IV is used. SRTP combines the 4-octet synchronization
         source (SSRC) identifier, the 4-octet rollover counter (ROC),
         and the 2-octet sequence number (SEQ) with the 12-octet
         encryption salt to form a 12-octet IV (see section 9.1).
         SRTCP combines the SSRC and 31-bit SRTCP index with the
         encryption salt to form a 12-octet IV (see section 10.1).

4. Terminology

   The following terms have very specific meanings in the context of
   this RFC:

   Crypto Context:  For the purposes of this document, a crypto
                    context is the outcome of any process which
                    results in authentication of each endpoint in the
                    SRTP session and possession by each endpoint of a
                    shared secret master key. Various encryption
                    keys, authentication keys and salts are derived
                    from the master key. Aside from making
                    modifications to IANA registries to allow AES-GCM
                    and AES-CCM to work with SDES, DTLS and MIKEY,
                    the details of how the master key is established
                    are outside the scope of this document.
                    Similarly, any mechanism for rekeying an existing
                    crypto context is outside the scope of the
                    document.

   Instantiation:   In AEAD, an instantiation is an (Encryption_key,
                    salt) pair together with all of the data
                    structures (for example, counters) needed for it
                    to function properly. In SRTP/SRTCP, each
                    endpoint will need two instantiations of the AEAD
                    algorithm for each master key in its possession,
                    one instantiation for SRTP traffic and one
                    instantiation for SRTCP traffic.

   Invocation:      SRTP/SRTCP data streams are broken into packets.
                    Each packet is processed by a single invocation
                    of the appropriate instantiation of the AEAD
                    algorithm.

   In many applications, each endpoint will have one master key for
   processing outbound data but may have one or more separate master
   keys for processing inbound data.

5. Generic AEAD Processing

5.1. Types of Input Data

   Associated Data:  This is data that is to be authenticated
                     but not encrypted.

   Plaintext:        Data that is to be both encrypted and
                     authenticated.

   Raw Data:         Data that is to be neither encrypted nor
                     authenticated.

   Which portions of SRTP/SRTCP packets are to be treated as associated
   data, which are to be treated as plaintext, and which are to be
   treated as raw data are covered in sections 9.2, 10.2 and 10.3.

5.2. AEAD Invocation Inputs and Outputs

5.2.1. Encrypt Mode

   Inputs:
      Encryption_key             Octet string, either 16 or 32
                                 octets long
      Initialization_Vector      Octet string, 12 octets long
      Associated_Data            Bit string of variable length
      Plaintext                  Bit string of variable length
      Tag_Size_Flag (CCM only*)  One octet

   Outputs:
      Ciphertext                 Bit string, length =
                                 length(Plaintext)+tag_length

   (*) For GCM, the algorithm choice determines the tag size.

   As defined in [RFC3610], AES-CCM authentication uses a Tag_Size_Flag
   to specify the length of the intrinsic authentication tag provided by
   AES-CCM authentication. For the three tag lengths allowed in this
   document the corresponding Tag_Size_Flag values are as follows:

      Tag Length  |  Tag_Size_Flag (hex)
      ----------------------------------
       8 bytes    |        5A
      12 bytes    |        6A
      16 bytes    |        7A

   Once an SRTP/SRTCP session has been initiated the length of the tag
   is a fixed value and cannot be altered.

5.2.2. Decrypt Mode

   Inputs:
      Encryption_key             Octet string, either 16 or 32
                                 octets long
      Initialization_Vector      Octet string, 12 octets long
      Associated_Data            Octet string of variable length
      Ciphertext                 Octet string of variable length
      Tag_Size_Flag (CCM only*)  One octet

   Outputs:
      Plaintext                  Bit string, length =
                                 length(Ciphertext)-tag_length
      Validity_Flag              Boolean, TRUE if valid,
                                 FALSE otherwise

   (*) For GCM, the algorithm choice determines the tag size.

   As mentioned in section 5.2.1, only three tag lengths are supported
   for use in SRTP/SRTCP, namely 8 octets, 12 octets and 16 octets.

5.3. Handling of AEAD Authentication

   AEAD requires that all incoming packets MUST pass AEAD authentication
   before any other action takes place. Plaintext and associated data
   MUST NOT be released until the AEAD authentication tag has been
   validated. Further, when GCM is being used, the ciphertext MUST NOT
   be decrypted until the AEAD tag has been validated.

   Should the AEAD tag prove to be invalid, the packet in question is to
   be discarded and a Validation Error flag raised. Local policy
   determines how this flag is to be handled and is outside the scope of
   this document.

6. Counter Mode Encryption

   In both GCM and CCM, each outbound packet uses a 12-octet IV and an
   encryption key to form two outputs, a 16-octet first_key_block which
   is used in forming the authentication tag and a keystream of octets
   which is XORed to the plaintext to form the ciphertext.

   When GCM is used, the concatenation of a 12-octet IV (see sections
   9.1 and 10.1) with a 4-octet block counter forms the input to AES.
   This is used to build a key_stream as follows:

      def GCM_keystream( Plaintext, IV, Encryption_key ):
          assert len(Plaintext) <= (2**36) - 32  ## measured in octets
          key_stream = ""
          block_counter = 1
          first_key_block = AES_ENC( data=IV||block_counter,
                                     key=Encryption_key )
          while len(key_stream) < len(Plaintext):
              block_counter = block_counter + 1
              key_block = AES_ENC( data=IV||block_counter,
                                   key=Encryption_key )
              key_stream = key_stream || key_block
          key_stream = truncate( key_stream, len(Plaintext) )
          return (first_key_block, key_stream )

   In AES-CCM counter mode encryption, the AES data input consists of
   the concatenation of a 1-octet flag, a 12-octet IV, and a 3-octet
   block counter. Note that in this application the flag octet will
   always have the value 0x02 (see section 2.3 of [RFC3610]).
   A (first_key_block, key_stream) pair is formed as follows:

      def CCM_keystream( Plaintext, IV, Encryption_key ):
          assert len(Plaintext) <= (2**28)-16  ## measured in octets
          key_stream = ""
          block_counter = 0
          first_key_block = AES_ENC( data=0x02||IV||block_counter,
                                     key=Encryption_key )
          while len(key_stream) < len(Plaintext):
              block_counter = block_counter + 1
              key_block = AES_ENC( data=0x02||IV||block_counter,
                                   key=Encryption_key )
              key_stream = key_stream || key_block
          key_stream = truncate( key_stream, len(Plaintext) )
          return (first_key_block, key_stream )

                                                     (+)
              +--+--+--+--+--+--+--+--+--+--+--+--+   |
                                                      |
              +--+--+--+--+--+--+--+--+--+--+--+--+   |
              |       Initialization Vector       |<--+
              +--+--+--+--+--+--+--+--+--+--+--+--+

                 Figure 1: AES-GCM and AES-CCM SRTP
                   Initialization Vector formation.

9.2. Data Types in SRTP Packets

   All SRTP packets MUST be both authenticated and encrypted. The data
   fields within the SRTP packets are broken into Associated Data,
   Plaintext and Raw Data as follows (see figure 2):

   Associated Data:  The version (2 bits), padding flag (1 bit),
                     extension flag (1 bit), CSRC count (4 bits),
                     sequence number (16 bits), timestamp (32 bits),
                     SSRC (32 bits), optional contributing source
                     identifiers (CSRCs, 32 bits each), and optional
                     RTP extension (variable length).

   Plaintext:        The RTP payload (variable length), RTP padding
                     (if used, variable length), and RTP pad count
                     (if used, 1 octet).

   Raw Data:         The optional 32-bit SRTP MKI and the 32-bit SRTP
                     authentication tag (whose use is NOT
                     RECOMMENDED).

       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    A |V=2|P|X|  CC   |M| Packet Type |       sequence number         |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    A |                           timestamp                           |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    A |           synchronization source (SSRC) identifier            |
      +=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
    A |       contributing source (CSRC) identifiers (optional)       |
    A |                             ....                              |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    A |                   RTP extension (OPTIONAL)                    |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    P |                          payload ...                          |
    P |                               +-------------------------------+
    P |                               | RTP padding   | RTP pad count |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    R :                      SRTP MKI (optional)                      :
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    R :             authentication tag (NOT RECOMMENDED)              :
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

            P = Plaintext (to be encrypted and authenticated)
            A = Associated Data (to be authenticated only)
            R = neither encrypted nor authenticated

      Note: The RTP padding and RTP padding count fields are optional
            and are not recommended.

               Figure 2: AEAD inputs from an SRTP packet

   Since the AEAD ciphertext is larger than the plaintext by exactly
   the length of the AEAD authentication tag, the corresponding SRTP
   encrypted packet replaces the plaintext field by a slightly larger
   field containing the ciphertext. Even if the plaintext field is
   empty, AEAD encryption must still be performed, with the resulting
   ciphertext consisting solely of the authentication tag. This tag is
   to be placed immediately before the optional SRTP MKI and SRTP
   authentication tag fields.

9.3. Handling Header Extensions

   RTP header extensions were first defined in RFC 3550. RFC 6904
   [RFC6904] describes how these header extensions are to be encrypted
   in SRTP.

   When RFC 6904 is in use, a separate keystream is generated to encrypt
   selected RTP header extension elements. For the AEAD_AES_128_GCM and
   the AEAD_AES_128_CCM algorithms, this keystream MUST be generated in
   the manner defined in [RFC6904] using the AES_128_CM transform.
   For the AEAD_AES_256_GCM and the AEAD_AES_256_CCM algorithms, the
   keystream MUST be generated in the manner defined for the AES_256_CM
   transform. The originator must perform any required header extension
   encryption before the AEAD algorithm is invoked.

   As with the other fields contained within the RTP header, both
   encrypted and unencrypted header extensions are to be treated by the
   AEAD algorithm as Additional Authenticated Data (AAD). Thus the AEAD
   algorithm does not provide any additional privacy for the header
   extensions, but does provide integrity and authentication.

9.4. Prevention of SRTP IV Reuse

   In order to prevent IV reuse, we must ensure that the (ROC,SEQ,SSRC)
   triple is never used twice with the same master key. There are two
   phases to this issue.

   Counter Management:  A rekey MUST be performed to establish a new
                        master key before the (ROC,SEQ) pair cycles
                        back to its original value.

   SSRC Management:     For a given master key, the set of all SSRC
                        values used with that master key must be
                        partitioned into disjoint pools, one pool for
                        each endpoint using that master key to
                        originate outbound data. Each such originating
                        endpoint MUST only issue SSRC values from the
                        pool it has been assigned. Further, each
                        originating endpoint MUST maintain a history of
                        outbound SSRC identifiers that it has issued
                        within the lifetime of the current master key,
                        and when a new synchronization source requests
                        an SSRC identifier it MUST NOT be given an
                        identifier that has been previously issued. A
                        rekey MUST be performed before any of the
                        originating endpoints using that master key
                        exhausts its pool of SSRC values.

10. AES-GCM/CCM Processing of SRTCP Compound Packets

   All SRTCP compound packets MUST be authenticated, but unlike SRTP,
   SRTCP packet encryption is optional. A sender can select which
   packets to encrypt, and indicates this choice with a 1-bit encryption
   flag (located just before the 31-bit SRTCP index).

10.1. SRTCP IV formation for AES-GCM and AES-CCM

   The 12-octet initialization vector used by both AES-GCM and AES-CCM
   SRTCP is formed by first concatenating 2 octets of zeroes, the
   4-octet Synchronization Source identifier (SSRC), 2 octets of zeroes,
   a single zero bit, and the 31-bit SRTCP Index. The resulting
   12-octet value is then XORed to the 12-octet salt to form the
   12-octet IV.

                0  1  2  3  4  5  6  7  8  9 10 11
              +--+--+--+--+--+--+--+--+--+--+--+--+
              |00|00|    SSRC   |00|00|0+SRTCP Idx|---+
              +--+--+--+--+--+--+--+--+--+--+--+--+   |
                                                      |
              +--+--+--+--+--+--+--+--+--+--+--+--+   |
              |          Encryption Salt          |->(+)
              +--+--+--+--+--+--+--+--+--+--+--+--+   |
                                                      |
              +--+--+--+--+--+--+--+--+--+--+--+--+   |
              |       Initialization Vector       |<--+
              +--+--+--+--+--+--+--+--+--+--+--+--+

           Figure 3: SRTCP Initialization Vector formation

10.2. Data Types in Encrypted SRTCP Compound Packets

   When the encryption flag is set to 1, the SRTCP packet is broken into
   plaintext, associated data, and raw (untouched) data as listed below
   (see figure 4):

   Associated Data:  The packet version (2 bits), padding flag (1
                     bit), reception report count (5 bits), packet
                     type (8 bits), length (2 octets), SSRC (4
                     octets), encryption flag (1 bit) and SRTCP index
                     (31 bits).

   Raw Data:         The 32-bit optional SRTCP MKI index and 32-bit
                     SRTCP authentication tag (whose use is NOT
                     RECOMMENDED).

   Plaintext:        All other data.

   Note that the plaintext comes in one contiguous field. Since the
   AEAD ciphertext is larger than the plaintext by exactly the length of
   the AEAD authentication tag, the corresponding SRTCP encrypted packet
   replaces the plaintext field with a slightly larger field containing
   the ciphertext.
   Even if the plaintext field is empty, AEAD encryption must still be
   performed, with the resulting ciphertext consisting solely of the
   authentication tag. This tag is to be placed immediately before the
   encryption flag and SRTCP index.

       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    A |V=2|P|   RC    |  Packet Type  |            length             |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    A |            synchronization source (SSRC) of Sender            |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    P |                          sender info                          |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    P |                        report block 1                         |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    P |                        report block 2                         |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    P |                              ...                              |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    P |V=2|P|   SC    |  Packet Type  |            length             |
      +=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
    P |                          SSRC/CSRC_1                          |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    P |                          SDES items                           |
      +=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
    P |                              ...                              |
      +=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
    A |1|                         SRTCP index                         |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    R |                  SRTCP MKI (optional) index                   |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    R :             authentication tag (NOT RECOMMENDED)              :
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

            P = Plaintext (to be encrypted and authenticated)
            A = Associated Data (to be authenticated only)
            R = neither encrypted nor authenticated

         Figure 4: AEAD SRTCP inputs when encryption flag = 1.

10.3. Data Types in Unencrypted SRTCP Compound Packets

   When the encryption flag is set to 0, the SRTCP compound packet is
   broken into plaintext, associated data, and raw (untouched) data as
   follows (see figure 5):

   Plaintext:        None.

   Raw Data:         The 32-bit optional SRTCP MKI index and 32-bit
                     SRTCP authentication tag (whose use is NOT
                     RECOMMENDED).

   Associated Data:  All other data.

   Even though there is no plaintext in this RTCP packet, AEAD
   encryption returns a ciphertext field which is precisely the length
   of the AEAD authentication tag. This ciphertext is to be placed
   before the Encryption flag and the SRTCP index in the authenticated
   SRTCP packet.

       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    A |V=2|P|   RC    |  Packet Type  |            length             |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    A |            synchronization source (SSRC) of Sender            |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    A |                          sender info                          |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    A |                        report block 1                         |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    A |                        report block 2                         |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    A |                              ...                              |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    A |V=2|P|   SC    |  Packet Type  |            length             |
      +=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
    A |                          SSRC/CSRC_1                          |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    A |                          SDES items                           |
      +=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
    A |                              ...                              |
      +=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
    A |0|                         SRTCP index                         |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    R |                  SRTCP MKI (optional) index                   |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    R :             authentication tag (NOT RECOMMENDED)              :
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

            A = Associated Data (to be authenticated only)
            R = neither encrypted nor authenticated

         Figure 5: AEAD SRTCP inputs when encryption flag = 0

10.4. Prevention of SRTCP IV Reuse

   A new master key MUST be established before the 31-bit SRTCP index
   cycles back to its original value. Ideally, a rekey should be
   performed and a new master key put in place well before the SRTCP
   index overflows.

   The comments on SSRC management in section 9.4 also apply.

11. Constraints on AEAD for SRTP and SRTCP

   In general, any AEAD algorithm can accept inputs with varying
   lengths, but each algorithm can accept only a limited range of
   lengths for a specific parameter. In this section, we describe the
   constraints on the parameter lengths that any AEAD algorithm must
   support to be used in AEAD-SRTP. Additionally, we specify a complete
   parameter set for two specific AEAD algorithms, namely AES-GCM and
   AES-CCM.

   All AEAD algorithms used with SRTP/SRTCP MUST satisfy the three
   constraints listed below:

   PARAMETER  Meaning                  Value

   A_MAX      maximum additional       MUST be at least 12 octets.
              authenticated data
              length
   N_MIN      minimum nonce (IV)       MUST be 12 octets.
              length
   N_MAX      maximum nonce (IV)       MUST be 12 octets.
              length
   C_MAX      maximum ciphertext       GCM: MUST be <= 2^36-16 octets.
              length per invocation    CCM: MUST be <= 2^28-16 octets.

   The values for C_MAX are based on purely cryptographic
   considerations.
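
   The SRTCP IV formation of section 10.1, the field split of sections
   10.2 and 10.3, and the index rule of section 10.4 can be exercised
   together. The Python below is an added example, not part of the
   draft: all names, the on-the-wire order used to concatenate the
   associated data, and the sample salt and packet are assumptions, and
   the AEAD call itself is left to the caller.

```python
import struct

SRTCP_INDEX_MODULUS = 2 ** 31   # the SRTCP index is 31 bits (section 10.1)


class RekeyRequired(Exception):
    """Raised instead of reusing an SRTCP index under the same master key."""


def srtcp_iv(salt: bytes, ssrc: int, index: int) -> bytes:
    """Section 10.1: 00 00 || SSRC || 00 00 || 0-bit || index, XOR salt."""
    if len(salt) != 12:
        raise ValueError("encryption salt must be 12 octets")
    if not 0 <= ssrc < 2 ** 32:
        raise ValueError("SSRC must fit in 4 octets")
    if not 0 <= index < SRTCP_INDEX_MODULUS:
        raise ValueError("SRTCP index must fit in 31 bits")
    pre_iv = (b"\x00\x00" + struct.pack("!I", ssrc)
              + b"\x00\x00" + struct.pack("!I", index))
    return bytes(p ^ s for p, s in zip(pre_iv, salt))


def split_srtcp(rtcp: bytes, index: int, encrypt: bool):
    """Return (associated_data, plaintext, trailer) per sections 10.2/10.3.

    trailer is the encryption flag followed by the 31-bit SRTCP index.
    Assumption: associated data is concatenated in on-the-wire order.
    """
    if len(rtcp) < 8:
        raise ValueError("RTCP packet shorter than fixed header plus SSRC")
    trailer = struct.pack("!I", (int(encrypt) << 31) | index)
    if encrypt:
        # E=1: the first 8 octets and the trailer are authenticated only;
        # everything after the sender SSRC is encrypted and authenticated.
        return rtcp[:8] + trailer, rtcp[8:], trailer
    # E=0: nothing is encrypted, the whole packet is associated data.
    return rtcp + trailer, b"", trailer


class SrtcpInstantiation:
    """Issues AEAD inputs for outbound SRTCP and enforces section 10.4.

    One counter is shared by every SSRC sent through this instantiation,
    which is conservative: no (SSRC, index) pair can repeat.
    """

    def __init__(self, salt: bytes, first_index: int = 0):
        self.salt = salt
        self.first_index = first_index
        self.issued = 0          # invocations under the current master key

    def next_inputs(self, rtcp: bytes, encrypt: bool = True):
        if self.issued >= SRTCP_INDEX_MODULUS:
            # The next index would cycle back to first_index, giving the
            # same key and IV again. Refuse and force a rekey.
            raise RekeyRequired("SRTCP index space exhausted")
        index = (self.first_index + self.issued) % SRTCP_INDEX_MODULUS
        ad, plaintext, trailer = split_srtcp(rtcp, index, encrypt)
        ssrc = struct.unpack("!I", rtcp[4:8])[0]
        iv = srtcp_iv(self.salt, ssrc, index)
        self.issued += 1
        return iv, ad, plaintext, trailer


def assemble(rtcp: bytes, ciphertext: bytes, trailer: bytes,
             encrypt: bool) -> bytes:
    """Place the AEAD output immediately before the E flag and index."""
    clear = rtcp[:8] if encrypt else rtcp
    return clear + ciphertext + trailer


if __name__ == "__main__":
    # Constructed sample: a 12-octet salt and a 28-octet sender report.
    salt = bytes(range(0xA0, 0xAC))
    report = bytes.fromhex("80c80006" "11223344") + bytes(20)
    inst = SrtcpInstantiation(salt, first_index=1)
    iv, ad, pt, trailer = inst.next_inputs(report, encrypt=True)
    print(iv.hex(), len(ad), len(pt), trailer.hex())
```
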

   For sake of clarity we specify two additional parameters:

   AEAD Authentication Tag Length       MUST be either 8, 12, or 16
                                        octets
   Maximum number of invocations        MUST be at most 2^48 for SRTP
      for a given instantiation         MUST be at most 2^31 for SRTCP
   Block Counter size                   MUST be 24 bits for CCM,
                                        MUST be 32 bits for GCM

   The reader is reminded that the ciphertext is longer than the
   plaintext by exactly the length of the AEAD authentication tag.

12. Key Derivation Functions

   A Key Derivation Function (KDF) is used to derive all of the required
   encryption and authentication keys from a secret value shared by the
   endpoints. Both the AEAD_AES_128_GCM algorithms and the
   AEAD_AES_128_CCM algorithms MUST use the (128-bit) AES_CM_PRF Key
   Derivation Function described in [RFC3711]. Both the
   AEAD_AES_256_GCM algorithms and the AEAD_AES_256_CCM algorithms MUST
   use the AES_256_CM_PRF Key Derivation Function described in
   [RFC6188].

13. Summary of Algorithm Characteristics

   For convenience, much of the information about the use of AES-GCM and
   AES-CCM algorithms in SRTP is collected in the tables contained in
   this section.

13.1. AES-GCM for SRTP/SRTCP

   AES-GCM is a family of AEAD algorithms built around the AES block
   cipher algorithm. AES-GCM uses AES counter mode for encryption and
   Galois Message Authentication Code (GMAC) for authentication. A
   detailed description of the AES-GCM family can be found in
   [RFC5116].
   The following members of the AES-GCM family may be used with
   SRTP/SRTCP:

   Table 1: AES-GCM algorithms for SRTP/SRTCP
      Name                 Key Size      AEAD Tag Size      Reference
      ================================================================
      AEAD_AES_128_GCM     16 octets     16 octets          [RFC5116]
      AEAD_AES_256_GCM     32 octets     16 octets          [RFC5116]
      AEAD_AES_128_GCM_8   16 octets      8 octets          [RFC5282]
      AEAD_AES_256_GCM_8   32 octets      8 octets          [RFC5282]
      AEAD_AES_128_GCM_12  16 octets     12 octets          [RFC5282]
      AEAD_AES_256_GCM_12  32 octets     12 octets          [RFC5282]

   Any implementation of AES-GCM SRTP SHOULD support both
   AEAD_AES_128_GCM_8 and AEAD_AES_256_GCM_8, and it MAY support the
   four other variants shown in table 1. Below we summarize parameters
   associated with these six GCM algorithms:

   +--------------------------------+------------------------------+
   | Parameter                      | Value                        |
   +--------------------------------+------------------------------+
   | Master key length              | 128 bits                     |
   | Master salt length             | 96 bits                      |
   | Key Derivation Function        | AES_CM_PRF [RFC3711]         |
   | Default key lifetime (SRTP)    | 2^48 packets                 |
   | Default key lifetime (SRTCP)   | 2^31 packets                 |
   | Cipher (for SRTP and SRTCP)    | AEAD_AES_GCM_8               |
   | AEAD authentication tag length | 64 bits                      |
   +--------------------------------+------------------------------+

           Table 2: The AEAD_AES_128_GCM_8 Crypto Suite

   +--------------------------------+------------------------------+
   | Parameter                      | Value                        |
   +--------------------------------+------------------------------+
   | Master key length              | 128 bits                     |
   | Master salt length             | 96 bits                      |
   | Key Derivation Function        | AES_CM_PRF [RFC3711]         |
   | Default key lifetime (SRTP)    | 2^48 packets                 |
   | Default key lifetime (SRTCP)   | 2^31 packets                 |
   | Cipher (for SRTP and SRTCP)    | AEAD_AES_GCM_12              |
   | AEAD authentication tag length | 96 bits                      |
   +--------------------------------+------------------------------+

           Table 3: The AEAD_AES_128_GCM_12 Crypto Suite

   +--------------------------------+------------------------------+
   | Parameter                      | Value                        |
   +--------------------------------+------------------------------+
   | Master key length              | 128 bits                     |
   | Master salt length             | 96 bits                      |
   | Key Derivation Function        | AES_CM_PRF [RFC3711]         |
   | Default key lifetime (SRTP)    | 2^48 packets                 |
   | Default key lifetime (SRTCP)   | 2^31 packets                 |
   | Cipher (for SRTP and SRTCP)    | AEAD_AES_GCM                 |
   | AEAD authentication tag length | 128 bits                     |
   +--------------------------------+------------------------------+

           Table 4: The AEAD_AES_128_GCM Crypto Suite

   +--------------------------------+------------------------------+
   | Parameter                      | Value                        |
   +--------------------------------+------------------------------+
   | Master key length              | 256 bits                     |
   | Master salt length             | 96 bits                      |
   | Key Derivation Function        | AES_256_CM_PRF [RFC6188]     |
   | Default key lifetime (SRTP)    | 2^48 packets                 |
   | Default key lifetime (SRTCP)   | 2^31 packets                 |
   | Cipher (for SRTP and SRTCP)    | AEAD_AES_GCM_8               |
   | AEAD authentication tag length | 64 bits                      |
   +--------------------------------+------------------------------+

           Table 5: The AEAD_AES_256_GCM_8 Crypto Suite

   +--------------------------------+------------------------------+
   | Parameter                      | Value                        |
   +--------------------------------+------------------------------+
   | Master key length              | 256 bits                     |
   | Master salt length             | 96 bits                      |
   | Key Derivation Function        | AES_256_CM_PRF [RFC6188]     |
   | Default key lifetime (SRTP)    | 2^48 packets                 |
   | Default key lifetime (SRTCP)   | 2^31 packets                 |
   | Cipher (for SRTP and SRTCP)    | AEAD_AES_GCM_12              |
   | AEAD authentication tag length | 96 bits                      |
   +--------------------------------+------------------------------+

           Table 6: The AEAD_AES_256_GCM_12 Crypto Suite

   +--------------------------------+------------------------------+
   | Parameter                      | Value                        |
861 +--------------------------------+------------------------------+ 862 | Master key length | 256 bits | 863 | Master salt length | 96 bits | 864 | Key Derivation Function | AES_256_CM_PRF [RFC6188] | 865 | Default key lifetime (SRTP) | 2^48 packets | 866 | Default key lifetime (SRTCP) | 2^31 packets | 867 | Cipher (for SRTP and SRTCP) | AEAD_AES_GCM | 868 | AEAD authentication tag length | 128 bits | 869 +--------------------------------+------------------------------+ 870 Table 7: The AEAD_AES_256_GCM Crypto Suite 872 13.2. AES-CCM for SRTP/SRTCP 874 AES-CCM is another family of AEAD algorithms built around the AES 875 block cipher algorithm. AES-CCM uses AES counter mode for encryption 876 and AES Cipher Block Chaining Message Authentication Code (CBC MAC) 877 for authentication. A detailed description of the AES-CCM family can 878 be found in [RFC5116]. Four of the six CCM algorithms used in this 879 document are defined in previous RFCs, while two, AEAD_AES_128_CCM_12 880 and AEAD_AES_256_CCM_12, are defined in section 7 of this document. 882 Table 8: AES-CCM algorithms for SRTP/SRTCP 883 Name Key Size AEAD Tag Size Reference 884 ================================================================ 885 AEAD_AES_128_CCM 128 bits 16 octets [RFC5116] 886 AEAD_AES_256_CCM 256 bits 16 octets [RFC5116] 887 AEAD_AES_128_CCM_12 128 bits 12 octets see section 7 888 AEAD_AES_256_CCM_12 256 bits 12 octets see section 7 889 AEAD_AES_128_CCM_8 128 bits 8 octets [RFC6655] 890 AEAD_AES_256_CCM_8 256 bits 8 octets [RFC6655] 892 Any implementation of AES-CCM SRTP/SRTCP SHOULD support both 893 AEAD_AES_128_CCM_8 and AEAD_AES_256_CCM_8, and MAY support the other 894 four variants. 896 In addition to the flag octet used in counter mode encryption, 897 AES-CCM authentications also uses a flag octet that conveys 898 information about the length of the authentication tag, length of the 899 block counter, and presence of additional authenticated data (see 900 section 2.2 of [RFC3610]). 
For AES-CCM in SRTP/SRTCP, the flag octet 901 has the hex value 5A if an 8-octet AEAD authentication tag is used, 902 6A if a 12-octet AEAD authentication tag is used, and 7A if a 903 16-octet AEAD authentication tag is used. The flag octet is one of 904 the inputs to AES during the counter mode encryption of the 905 plaintext. 907 +--------------------------------+------------------------------+ 908 | Parameter | Value | 909 +--------------------------------+------------------------------+ 910 | Master key length | 128 bits | 911 | Master salt length | 96 bits | 912 | Key Derivation Function | AES_CM_PRF [RFC3711] | 913 | Default key lifetime (SRTP) | 2^48 packets | 914 | Default key lifetime (SRTCP) | 2^31 packets | 915 | Cipher (for SRTP and SRTCP) | AEAD_AES_CCM_8 | 916 | AEAD authentication tag length | 64 bits | 917 +--------------------------------+------------------------------+ 919 Table 9: The AEAD_AES_128_CCM_8 Crypto Suite 921 +--------------------------------+------------------------------+ 922 | Parameter | Value | 923 +--------------------------------+------------------------------+ 924 | Master key length | 128 bits | 925 | Master salt length | 96 bits | 926 | Key Derivation Function | AES_CM_PRF [RFC3711] | 927 | Default key lifetime (SRTP) | 2^48 packets | 928 | Default key lifetime (SRTCP) | 2^31 packets | 929 | Cipher (for SRTP and SRTCP) | AEAD_AES_CCM_12 | 930 | AEAD authentication tag length | 96 bits | 931 +--------------------------------+------------------------------+ 933 Table 10: The AEAD_AES_128_CCM_12 Crypto Suite 935 +--------------------------------+------------------------------+ 936 | Parameter | Value | 937 +--------------------------------+------------------------------+ 938 | Master key length | 128 bits | 939 | Master salt length | 96 bits | 940 | Key Derivation Function | AES_CM_PRF [RFC3711] | 941 | Default key lifetime (SRTP) | 2^48 packets | 942 | Default key lifetime (SRTCP) | 2^31 packets | 943 | Cipher (for SRTP and 
SRTCP) | AEAD_AES_CCM | 944 | AEAD authentication tag length | 128 bits | 945 +--------------------------------+------------------------------+ 947 Table 11: The AEAD_AES_128_CCM Crypto Suite 949 +--------------------------------+------------------------------+ 950 | Parameter | Value | 951 +--------------------------------+------------------------------+ 952 | Master key length | 256 bits | 953 | Master salt length | 96 bits | 954 | Key Derivation Function | AES_256_CM_PRF [RFC6188] | 955 | Default key lifetime (SRTP) | 2^48 packets | 956 | Default key lifetime (SRTCP) | 2^31 packets | 957 | Cipher (for SRTP and SRTCP) | AEAD_AES_CCM_8 | 958 | AEAD authentication tag length | 64 bits | 959 +--------------------------------+------------------------------+ 961 Table 12: The AEAD_AES_256_CCM_8 Crypto Suite 963 +--------------------------------+------------------------------+ 964 | Parameter | Value | 965 +--------------------------------+------------------------------+ 966 | Master key length | 256 bits | 967 | Master salt length | 96 bits | 968 | Key Derivation Function | AES_256_CM_PRF [RFC6188] | 969 | Default key lifetime (SRTP) | 2^48 packets | 970 | Default key lifetime (SRTCP) | 2^31 packets | 971 | Cipher (for SRTP and SRTCP) | AEAD_AES_CCM_12 | 972 | AEAD authentication tag length | 96 bits | 973 +--------------------------------+------------------------------+ 975 Table 13: The AEAD_AES_256_CCM_12 Crypto Suite 977 +--------------------------------+------------------------------+ 978 | Parameter | Value | 979 +--------------------------------+------------------------------+ 980 | Master key length | 256 bits | 981 | Master salt length | 96 bits | 982 | Key Derivation Function | AES_256_CM_PRF [RFC6188] | 983 | Default key lifetime (SRTP) | 2^48 packets | 984 | Default key lifetime (SRTCP) | 2^31 packets | 985 | Cipher (for SRTP and SRTCP) | AEAD_AES_CCM | 986 | AEAD authentication tag length | 128 bits | 987 
+--------------------------------+------------------------------+ 989 Table 14: The AEAD_AES_256_CCM Crypto Suite 991 14. Security Considerations 993 14.1. Handling of Security Critical Parameters 995 As with any security process, the implementer must take care to 996 ensure cryptographically sensitive parameters are properly handled. 997 Many of these recommendations hold for all SRTP cryptographic 998 algorithms, but we include them here to emphasize their importance. 1000 - If the master salt is to be kept secret, it MUST be properly 1001 erased when no longer needed. 1002 - The secret master key and all keys derived from it MUST be kept 1003 secret. All keys MUST be properly erased when no longer 1004 needed. 1005 - At the start of each packet, the block counter MUST be reset (to 1006 0 for CCM, to 1 for GCM). The block counter is incremented 1007 after each block key has been produced, but it MUST NOT be 1008 allowed to exceed 2^32 for GCM and 2^24 for CCM. 1009 - Each time a rekey occurs, the initial values of the SRTCP index 1010 and the values of all the SEQ counters MUST be saved. 1011 - Processing MUST cease if the 48-bit Packet Counter or the 31-bit 1012 SRTCP index cycles back to its initial value. Processing MUST 1013 NOT resume until a new SRTP/SRTCP session has been established 1014 using a new SRTP master key. Ideally, a rekey should be done 1015 well before either of these counters cycle. 1017 14.2. Size of the Authentication Tag 1019 We require that the AEAD authentication tag must be at least 8 1020 octets, significantly reducing the probability of an adversary 1021 successfully introducing fraudulent data. The goal of an 1022 authentication tag is to minimize the probability of a successful 1023 forgery occurring anywhere in the network we are attempting to 1024 defend. 
There are three relevant factors: how low we wish the 1025 probability of successful forgery to be (prob_success), how many 1026 attempts the adversary can make (N_tries) and the size of the 1027 authentication tag in bits (N_tag_bits). Then 1029 prob_success < expected number of successes 1030 = N_tries * 2^-N_tag_bits. 1032 Suppose an adversary wishes to introduce a forged or altered packet 1033 into a target network by randomly selecting an authentication value 1034 until by chance they hit a valid authentication tag. The table below 1035 summarizes the relationship between the number of forged packets the 1036 adversary has tried, the size of the authentication tag, and the 1037 probability of a compromise occurring (i.e. at least one of the 1038 attempted forgeries having a valid authentication tag). The reader 1039 is reminded that the forgery attempts can be made over the entire 1040 network, not just a single link, and that frequently changing the key 1041 does not decrease the probability of a compromise occurring. 1043 +==================+========================================+ 1044 | Authentication | Probability of a Compromise Occurring | 1045 | Tag | for a given number of forgery attempts | 1046 | Size |------------+-------------+-------------| 1047 | (octets) | prob=2^-30 | prob=2^-20 | prob=2^-10 | 1048 |==================+=============+=============+============| 1049 | 4 | 2^2 tries | 2^12 tries | 2^22 tries | 1050 |==================+============+=============+=============| 1051 | 8 | 2^34 tries | 2^44 tries | 2^54 tries | 1052 |==================+============+=============+=============| 1053 | 12 | 2^66 tries | 2^76 tries | 2^86 tries | 1054 |==================+============+=============+=============| 1055 | 16 | 2^98 tries | 2^108 tries | 2^118 tries | 1056 +=================+============+=============+==============+ 1058 Table 15: Probability of a compromise occurring for a given 1059 number of forgery attempts and tag size. 1061 15. 
IANA Considerations 1063 15.1. SDES 1065 Session description [RFC4568] defines SRTP "crypto suites". A crypto 1066 suite corresponds to a particular AEAD algorithm in SRTP. In order 1067 to allow SDP to signal the use of the algorithms defined in this 1068 document, IANA will register the following crypto suites into the 1069 subregistry for SRTP crypto suites under Session Description Protocol 1070 (SDP) Parameters: 1072 srtp-crypto-suite-ext = "AEAD_AES_128_GCM" / 1073 "AEAD_AES_256_GCM" / 1074 "AEAD_AES_128_GCM_8" / 1075 "AEAD_AES_256_GCM_8" / 1076 "AEAD_AES_128_GCM_12" / 1077 "AEAD_AES_256_GCM_12" / 1078 "AEAD_AES_128_CCM" / 1079 "AEAD_AES_256_CCM" / 1080 "AEAD_AES_128_CCM_8" / 1081 "AEAD_AES_256_CCM_8" / 1082 "AEAD_AES_128_CCM_12" / 1083 "AEAD_AES_256_CCM_12" / 1084 srtp-crypto-suite-ext 1086 15.2. DTLS 1088 DTLS-SRTP [RFC5764] defines a DTLS-SRTP "SRTP Protection Profile". 1089 These also correspond to the use of an AEAD algorithm in SRTP. In 1090 order to allow the use of the algorithms defined in this document in 1091 DTLS-SRTP, we request IANA register the following SRTP Protection 1092 Profiles: 1094 AEAD_AES_128_GCM = {TBD, TBD } 1095 AEAD_AES_256_GCM = {TBD, TBD } 1096 AEAD_AES_128_GCM_8 = {TBD, TBD } 1097 AEAD_AES_256_GCM_8 = {TBD, TBD } 1098 AEAD_AES_128_GCM_12 = {TBD, TBD } 1099 AEAD_AES_256_GCM_12 = {TBD, TBD } 1100 AEAD_AES_128_CCM = {TBD, TBD } 1101 AEAD_AES_256_CCM = {TBD, TBD } 1102 AEAD_AES_128_CCM_8 = {TBD, TBD } 1103 AEAD_AES_256_CCM_8 = {TBD, TBD } 1104 AEAD_AES_128_CCM_12 = {TBD, TBD } 1105 AEAD_AES_256_CCM_12 = {TBD, TBD } 1107 Below we list the SRTP transform parameters for each of these 1108 protection profile. Unless separate parameters for SRTCP and SRTCP 1109 are explicitly listed, these parameters apply to both SRTP and 1110 SRTCP. 

   AEAD_AES_128_CCM
        cipher:                 AES_128_CCM
        cipher_key_length:      128 bits
        cipher_salt_length:     96 bits
        aead_auth_tag_length:   16 octets
        auth_function:          NULL
        auth_key_length:        N/A
        auth_tag_length:        N/A
        maximum lifetime:       at most 2^31 SRTCP packets and
                                at most 2^48 SRTP packets

   AEAD_AES_256_CCM
        cipher:                 AES_256_CCM
        cipher_key_length:      256 bits
        cipher_salt_length:     96 bits
        aead_auth_tag_length:   16 octets
        auth_function:          NULL
        auth_key_length:        N/A
        auth_tag_length:        N/A
        maximum lifetime:       at most 2^31 SRTCP packets and
                                at most 2^48 SRTP packets

   AEAD_AES_128_CCM_8
        cipher:                 AES_128_CCM
        cipher_key_length:      128 bits
        cipher_salt_length:     96 bits
        aead_auth_tag_length:   8 octets
        auth_function:          NULL
        auth_key_length:        N/A
        auth_tag_length:        N/A
        maximum lifetime:       at most 2^31 SRTCP packets and
                                at most 2^48 SRTP packets

   AEAD_AES_256_CCM_8
        cipher:                 AES_256_CCM
        cipher_key_length:      256 bits
        cipher_salt_length:     96 bits
        aead_auth_tag_length:   8 octets
        auth_function:          NULL
        auth_key_length:        N/A
        auth_tag_length:        N/A
        maximum lifetime:       at most 2^31 SRTCP packets and
                                at most 2^48 SRTP packets

   AEAD_AES_128_CCM_12
        cipher:                 AES_128_CCM
        cipher_key_length:      128 bits
        cipher_salt_length:     96 bits
        aead_auth_tag_length:   12 octets
        auth_function:          NULL
        auth_key_length:        N/A
        auth_tag_length:        N/A
        maximum lifetime:       at most 2^31 SRTCP packets and
                                at most 2^48 SRTP packets

   AEAD_AES_256_CCM_12
        cipher:                 AES_256_CCM
        cipher_key_length:      256 bits
        cipher_salt_length:     96 bits
        aead_auth_tag_length:   12 octets
        auth_function:          NULL
        auth_key_length:        N/A
        auth_tag_length:        N/A
        maximum lifetime:       at most 2^31 SRTCP packets and
                                at most 2^48 SRTP packets

   AEAD_AES_128_GCM
        cipher:                 AES_128_GCM
        cipher_key_length:      128 bits
        cipher_salt_length:     96 bits
        aead_auth_tag_length:   16 octets
        auth_function:          NULL
        auth_key_length:        N/A
        auth_tag_length:        N/A
        maximum lifetime:       at most 2^31 SRTCP packets and
                                at most 2^48 SRTP packets

   AEAD_AES_256_GCM
        cipher:                 AES_256_GCM
        cipher_key_length:      256 bits
        cipher_salt_length:     96 bits
        aead_auth_tag_length:   16 octets
        auth_function:          NULL
        auth_key_length:        N/A
        auth_tag_length:        N/A
        maximum lifetime:       at most 2^31 SRTCP packets and
                                at most 2^48 SRTP packets

   AEAD_AES_128_GCM_8
        cipher:                 AES_128_GCM
        cipher_key_length:      128 bits
        cipher_salt_length:     96 bits
        aead_auth_tag_length:   8 octets
        auth_function:          NULL
        auth_key_length:        N/A
        auth_tag_length:        N/A
        maximum lifetime:       at most 2^31 SRTCP packets and
                                at most 2^48 SRTP packets

   AEAD_AES_256_GCM_8
        cipher:                 AES_256_GCM
        cipher_key_length:      256 bits
        cipher_salt_length:     96 bits
        aead_auth_tag_length:   8 octets
        auth_function:          NULL
        auth_key_length:        N/A
        auth_tag_length:        N/A
        maximum lifetime:       at most 2^31 SRTCP packets and
                                at most 2^48 SRTP packets

   AEAD_AES_128_GCM_12
        cipher:                 AES_128_GCM
        cipher_key_length:      128 bits
        cipher_salt_length:     96 bits
        aead_auth_tag_length:   12 octets
        auth_function:          NULL
        auth_key_length:        N/A
        auth_tag_length:        N/A
        maximum lifetime:       at most 2^31 SRTCP packets and
                                at most 2^48 SRTP packets

   AEAD_AES_256_GCM_12
        cipher:                 AES_256_GCM
        cipher_key_length:      256 bits
        cipher_salt_length:     96 bits
        aead_auth_tag_length:   12 octets
        auth_function:          NULL
        auth_key_length:        N/A
        auth_tag_length:        N/A
        maximum lifetime:       at most 2^31 SRTCP packets and
                                at most 2^48 SRTP packets

   Note that these SRTP Protection Profiles do not specify an
   auth_function, auth_key_length, or auth_tag_length because all of
   these profiles use AEAD algorithms, and thus do not use a separate
   auth_function, auth_key, or auth_tag.  The term aead_auth_tag_length
   is used to emphasize that this refers to the authentication tag
   provided by the AEAD algorithm and that this tag is not located in
   the authentication tag field provided by SRTP/SRTCP.

15.3. MIKEY

   In accordance with "MIKEY: Multimedia Internet KEYing" [RFC3830],
   IANA maintains several Payload Name Spaces under Multimedia Internet
   KEYing (MIKEY).  This document requires additions to two of the lists
   maintained under MIKEY Security Protocol Parameters.

   On the SRTP policy Type/Value list (derived from Table 6.10.1.a of
   [RFC3830]) we request the following addition:

      Type | Meaning                        | Possible values
      ----------------------------------------------------------------
      TBD  | AEAD authentication tag length | 8, 12, or 16 (in octets)

   On the Encryption Algorithm List (derived from Table 6.10.1.b of
   [RFC3830]) we request the following additions:

      SRTP encr alg. | Value | Default Session Encr. Key Length
      -----------------------------------------------------------
      AES-CCM        | TBD   | 16 octets
      AES-GCM        | TBD   | 16 octets

   The SRTP encryption algorithm, session encryption key length, and
   AEAD authentication tag values received from MIKEY fully determine
   the AEAD algorithm (e.g., AEAD_AES_256_GCM_8).  The exact mapping is
   described in section 16.

15.4. AEAD registry

   We request that IANA make the following additions to the AEAD
   registry:

      AEAD_AES_128_CCM_12 = TBD
      AEAD_AES_256_CCM_12 = TBD

16. Parameters for use with MIKEY

   MIKEY specifies the algorithm family separately from the key length
   (which is specified by the Session Encryption key length) and the
   authentication tag length (specified by AEAD Auth. tag length).

                           +------------+-------------+-------------+
                           | Encryption | Encryption  | AEAD Auth.  |
                           | Algorithm  | Key Length  | Tag Length  |
                           +============+=============+=============+
      AEAD_AES_128_GCM     | AES-GCM    | 16 octets   | 16 octets   |
                           +------------+-------------+-------------+
      AEAD_AES_128_CCM     | AES-CCM    | 16 octets   | 16 octets   |
                           +------------+-------------+-------------+
      AEAD_AES_128_GCM_12  | AES-GCM    | 16 octets   | 12 octets   |
                           +------------+-------------+-------------+
      AEAD_AES_128_CCM_12  | AES-CCM    | 16 octets   | 12 octets   |
                           +------------+-------------+-------------+
      AEAD_AES_128_GCM_8   | AES-GCM    | 16 octets   | 8 octets    |
                           +------------+-------------+-------------+
      AEAD_AES_128_CCM_8   | AES-CCM    | 16 octets   | 8 octets    |
                           +------------+-------------+-------------+
      AEAD_AES_256_GCM     | AES-GCM    | 32 octets   | 16 octets   |
                           +------------+-------------+-------------+
      AEAD_AES_256_CCM     | AES-CCM    | 32 octets   | 16 octets   |
                           +------------+-------------+-------------+
      AEAD_AES_256_GCM_12  | AES-GCM    | 32 octets   | 12 octets   |
                           +------------+-------------+-------------+
      AEAD_AES_256_CCM_12  | AES-CCM    | 32 octets   | 12 octets   |
                           +------------+-------------+-------------+
      AEAD_AES_256_GCM_8   | AES-GCM    | 32 octets   | 8 octets    |
                           +------------+-------------+-------------+
      AEAD_AES_256_CCM_8   | AES-CCM    | 32 octets   | 8 octets    |
                           +============+=============+=============+

          Table 16: Mapping MIKEY parameters to AEAD algorithm

   Section 12 in this document restricts the choice of Key Derivation
   Function for AEAD algorithms.  To enforce this restriction in MIKEY,
   we require that the SRTP PRF has value AES-CM whenever an AEAD
   algorithm is used.  Note that, according to Section 6.10.1 in
   [RFC3830], the key length of the Key Derivation Function (i.e. the
   SRTP master key length) is always equal to the session encryption key
   length.  This means, for example, that AEAD_AES_256_GCM will use
   AES_256_CM_PRF as the Key Derivation Function.

17. Acknowledgements

   The authors would like to thank Michael Peck, Michael Torla, Qin Wu,
   Magnus Westerland, Oscar Ohllson, Woo-Hwan Kim and many other
   reviewers who provided valuable comments on earlier drafts of this
   document.

18. References

18.1. Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC3550]  Casner, S., Frederick, R., and V. Jacobson, "RTP: A
              Transport Protocol for Real-Time Applications", RFC 3550,
              July 2003.

   [RFC3711]  Baugher, M., McGrew, D., Naslund, M., Carrara, E., and
              K. Norrman, "The Secure Real-time Transport Protocol
              (SRTP)", RFC 3711, September 2003.

   [RFC3830]  Arkko, J., Carrara, E., Lindholm, F., Naslund, M., and
              K. Norrman, "MIKEY: Multimedia Internet KEYing", RFC 3830,
              August 2004.

   [RFC4568]  Andreasen, F., Baugher, M., and D. Wing, "Session
              Description Protocol (SDP): Security Descriptions for
              Media Streams", RFC 4568, July 2006.

   [RFC5116]  McGrew, D., "An Interface and Algorithms for
              Authenticated Encryption with Associated Data", RFC 5116,
              January 2008.

   [RFC5282]  McGrew, D. and D. Black, "Using Authenticated Encryption
              Algorithms with the Encrypted Payload of the Internet Key
              Exchange version 2 (IKEv2) Protocol", RFC 5282,
              August 2008.

   [RFC5764]  McGrew, D. and E. Rescorla, "Datagram Transport Layer
              Security (DTLS) Extension to Establish Keys for the Secure
              Real-time Transport Protocol (SRTP)", RFC 5764, May 2010.

   [RFC6188]  McGrew, D., "The Use of AES-192 and AES-256 in Secure
              RTP", RFC 6188, March 2011.

   [RFC6655]  McGrew, D. and D. Bailey, "AES-CCM Cipher Suites for
              Transport Layer Security (TLS)", RFC 6655, July 2012.

   [RFC6904]  Lennox, J., "Encryption of Header Extensions in the Secure
              Real-Time Transport Protocol (SRTP)", RFC 6904,
              January 2013.

18.2. Informative References

   [BN00]     Bellare, M. and C. Namprempre, "Authenticated encryption:
              Relations among notions and analysis of the generic
              composition paradigm", Proceedings of ASIACRYPT 2000,
              Springer-Verlag, LNCS 1976, pp. 531-545,
              http://www-cse.ucsd.edu/users/mihir/papers/oem.html.

   [GCM]      Dworkin, M., "NIST Special Publication 800-38D:
              Recommendation for Block Cipher Modes of Operation:
              Galois/Counter Mode (GCM) and GMAC.", U.S. National
              Institute of Standards and Technology,
              http://csrc.nist.gov/publications/nistpubs/800-38D/
              SP800-38D.pdf.

   [R02]      Rogaway, P., "Authenticated encryption with Associated-
              Data", ACM Conference on Computer and Communication
              Security (CCS'02), pp. 98-107, ACM Press, 2002,
              http://www.cs.ucdavis.edu/~rogaway/papers/ad.html.

   [RFC3550]  Schulzrinne, H., Casner, S., Frederick, R., and V.
              Jacobson, "RTP: A Transport Protocol for Real-Time
              Applications", STD 64, RFC 3550, July 2003.

   [RFC3610]  Whiting, D., Housley, R., and N. Ferguson, "Counter with
              CBC-MAC (CCM)", RFC 3610, March 2004.

   [RFC4771]  Lehtovirta, V., Naslund, M., and K. Norrman, "Integrity
              Transform Carrying Roll-Over Counter for the Secure Real-
              time Transport Protocol (SRTP)", RFC 4771, January 2007.

Author's Address

   David A. McGrew
   Cisco Systems, Inc.
   510 McCarthy Blvd.
   Milpitas, CA  95035
   US
   Phone: (408) 525 8651
   Email: mcgrew@cisco.com
   URI:   http://www.mindspring.com/~dmcgrew/dam.htm

   Kevin M. Igoe
   NSA/CSS Commercial Solutions Center
   National Security Agency
   EMail: kmigoe@nsa.gov

Acknowledgement

   Funding for the RFC Editor function is provided by the IETF
   Administrative Support Activity (IASA).
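Added example (not part of the draft): one way to implement the Table 16 mapping from Section 16 together with the SRTP PRF restriction and the CCM flag octet of Section 13.2. The names `Suite`, `resolve_mikey`, `parse_suite_name` and `ccm_flag_octet` are hypothetical, and the CCM length-field size L = 3 is an assumption inferred from the draft's flag values 5A/6A/7A via the RFC 3610 section 2.2 encoding.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Values taken from Sections 13, 15.3 and 16 of the draft.
MIKEY_FAMILIES = {"AES-GCM": "GCM", "AES-CCM": "CCM"}  # "SRTP encr alg." names
KEY_OCTETS = (16, 32)          # session encryption key length
TAG_OCTETS = (8, 12, 16)       # AEAD authentication tag length
SALT_BITS = 96
REQUIRED_SRTP_PRF = "AES-CM"   # required whenever an AEAD algorithm is used
# Assumption: L = 3 length-field octets (RFC 3610 notation), inferred from the
# flag values 5A/6A/7A; it leaves 15 - 3 = 12 nonce octets, i.e. 96 bits.
CCM_L = 3

SUITE_NAME = re.compile(r"AEAD_AES_(128|256)_(GCM|CCM)(?:_(8|12))?")


@dataclass(frozen=True)
class Suite:
    name: str
    key_bits: int
    salt_bits: int
    tag_bits: int
    kdf: str
    ccm_flag_octet: Optional[int]  # None for GCM suites


def ccm_flag_octet(tag_octets: int, length_octets: int = CCM_L) -> int:
    """Flags octet of CCM block B_0 (RFC 3610, section 2.2), Adata bit set."""
    if tag_octets not in range(4, 17, 2) or not 2 <= length_octets <= 8:
        raise ValueError("invalid CCM tag length or length-field size")
    m_prime = (tag_octets - 2) // 2   # 3-bit encoding of the tag length M
    l_prime = length_octets - 1       # 3-bit encoding of the length field L
    return 0x40 | (m_prime << 3) | l_prime


def resolve_mikey(encr_alg: str, key_octets: int, tag_octets: int,
                  srtp_prf: str = REQUIRED_SRTP_PRF) -> Suite:
    """Map MIKEY parameters to a suite as in Table 16; reject anything else."""
    if encr_alg not in MIKEY_FAMILIES:
        raise ValueError(f"not an AEAD encryption algorithm: {encr_alg!r}")
    if key_octets not in KEY_OCTETS:
        raise ValueError(f"unsupported key length: {key_octets} octets")
    if tag_octets not in TAG_OCTETS:
        raise ValueError(f"unsupported AEAD tag length: {tag_octets} octets")
    if srtp_prf != REQUIRED_SRTP_PRF:
        raise ValueError("AEAD algorithms require SRTP PRF AES-CM")
    mode = MIKEY_FAMILIES[encr_alg]
    suffix = "" if tag_octets == 16 else f"_{tag_octets}"
    # The KDF key length always equals the session encryption key length.
    kdf = "AES_CM_PRF" if key_octets == 16 else "AES_256_CM_PRF"
    return Suite(
        name=f"AEAD_AES_{key_octets * 8}_{mode}{suffix}",
        key_bits=key_octets * 8,
        salt_bits=SALT_BITS,
        tag_bits=tag_octets * 8,
        kdf=kdf,
        ccm_flag_octet=ccm_flag_octet(tag_octets) if mode == "CCM" else None,
    )


def parse_suite_name(name: str) -> Suite:
    """Resolve an SDES crypto-suite or DTLS-SRTP profile name (Section 15)."""
    match = SUITE_NAME.fullmatch(name)
    if match is None:
        raise ValueError(f"unknown crypto suite: {name!r}")
    key_bits, mode, tag = match.groups()
    return resolve_mikey(f"AES-{mode}", int(key_bits) // 8, int(tag or 16))


if __name__ == "__main__":
    for alg in MIKEY_FAMILIES:
        for key in KEY_OCTETS:
            for tag in TAG_OCTETS:
                s = resolve_mikey(alg, key, tag)
                flag = "-" if s.ccm_flag_octet is None else f"{s.ccm_flag_octet:02X}"
                print(f"{s.name:<20} {s.kdf:<15} tag={s.tag_bits:>3} flag={flag}")
```
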
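Added example (not part of the draft): a sketch of the counter handling required in Section 14.1 and the tag-size reasoning of Section 14.2. `WrapGuard`, `LifetimeExceeded`, `table15_row` and `smallest_tag` are hypothetical names; the guard saves the counter's initial value at rekey time and stops before the counter can cycle back to it, and the forgery helpers work in log2 so that they reproduce Table 15.

```python
SRTP_COUNTER_BITS = 48    # 48-bit Packet Counter (Section 14.1)
SRTCP_INDEX_BITS = 31     # 31-bit SRTCP index (Section 14.1)
ALLOWED_TAG_OCTETS = (8, 12, 16)   # the draft requires at least 8 octets


class LifetimeExceeded(Exception):
    """The counter is about to cycle back to its saved initial value."""


class WrapGuard:
    """Hands out counter values and refuses to reuse the initial one."""

    def __init__(self, bits: int, initial: int = 0, rekey_margin: int = 0):
        self.modulus = 1 << bits
        self.initial = initial % self.modulus   # saved when the key is installed
        self.used = 0                           # values handed out under this key
        self.rekey_margin = rekey_margin        # how early to ask for a rekey

    def next_value(self) -> int:
        if self.used >= self.modulus:
            # Processing must cease until a new master key is in place.
            raise LifetimeExceeded("new SRTP master key required")
        value = (self.initial + self.used) % self.modulus
        self.used += 1
        return value

    @property
    def rekey_due(self) -> bool:
        """True once no more than rekey_margin values remain."""
        return self.modulus - self.used <= self.rekey_margin


def forgery_bound_log2(tries_log2: int, tag_octets: int) -> int:
    """log2 of N_tries * 2^-N_tag_bits, capped at 0 (probability 1)."""
    return min(0, tries_log2 - 8 * tag_octets)


def table15_row(tag_octets: int) -> tuple:
    """log2 of the tries at which the bound reaches 2^-30, 2^-20, 2^-10."""
    return tuple(8 * tag_octets + prob_log2 for prob_log2 in (-30, -20, -10))


def smallest_tag(tries_log2: int, target_prob_log2: int) -> int:
    """Smallest permitted tag (octets) keeping the network-wide bound at or
    below 2^target_prob_log2 for 2^tries_log2 forgery attempts."""
    for tag in ALLOWED_TAG_OCTETS:
        if forgery_bound_log2(tries_log2, tag) <= target_prob_log2:
            return tag
    raise ValueError("no permitted tag size meets the target")


if __name__ == "__main__":
    # Constructed demonstration: a 3-bit counter so the wrap is visible.
    guard = WrapGuard(bits=3, initial=6, rekey_margin=2)
    print([guard.next_value() for _ in range(8)], guard.rekey_due)
    for octets in (4, 8, 12, 16):
        print(octets, table15_row(octets))
    print(smallest_tag(40, -20), smallest_tag(50, -20))
```

The attempt count passed to `smallest_tag` is the total over the whole network, since the draft notes that changing keys does not lower the probability of a compromise.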