idnits 2.17.1 draft-ietf-perc-double-00.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (May 9, 2016) is 2902 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) ** Obsolete normative reference: RFC 5285 (Obsoleted by RFC 8285) == Outdated reference: A later version (-04) exists of draft-jones-perc-dtls-tunnel-02 Summary: 1 error (**), 0 flaws (~~), 2 warnings (==), 1 comment (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Network Working Group C. Jennings 3 Internet-Draft P. Jones 4 Intended status: Standards Track Cisco Systems 5 Expires: November 10, 2016 A. Roach 6 Mozilla 7 May 9, 2016 9 SRTP Double Encryption Procedures 10 draft-ietf-perc-double-00 12 Abstract 14 In some conferencing scenarios, it is desirable for an intermediary 15 to be able to manipulate some RTP parameters, while still providing 16 strong end-to-end security guarantees. This document defines SRTP 17 procedures that use two separate but related cryptographic contexts 18 to provide "hop-by-hop" and "end-to-end" security guarantees. Both 19 the end-to-end and hop-by-hop cryptographic transforms can utilize an 20 authenticated encryption with associated data scheme or take 21 advantage of future SRTP transforms with different properties. 23 Status of This Memo 25 This Internet-Draft is submitted in full conformance with the 26 provisions of BCP 78 and BCP 79. 28 Internet-Drafts are working documents of the Internet Engineering 29 Task Force (IETF). Note that other groups may also distribute 30 working documents as Internet-Drafts. The list of current Internet- 31 Drafts is at http://datatracker.ietf.org/drafts/current/. 33 Internet-Drafts are draft documents valid for a maximum of six months 34 and may be updated, replaced, or obsoleted by other documents at any 35 time. It is inappropriate to use Internet-Drafts as reference 36 material or to cite them other than as "work in progress." 38 This Internet-Draft will expire on November 10, 2016. 40 Copyright Notice 42 Copyright (c) 2016 IETF Trust and the persons identified as the 43 document authors. All rights reserved. 45 This document is subject to BCP 78 and the IETF Trust's Legal 46 Provisions Relating to IETF Documents 47 (http://trustee.ietf.org/license-info) in effect on the date of 48 publication of this document. Please review these documents 49 carefully, as they describe your rights and restrictions with respect 50 to this document. Code Components extracted from this document must 51 include Simplified BSD License text as described in Section 4.e of 52 the Trust Legal Provisions and are provided without warranty as 53 described in the Simplified BSD License. 55 Table of Contents 57 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 58 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3 59 3. Cryptographic Contexts . . . . . . . . . . . . . . . . . . . 3 60 4. Original Header Block . . . . . . . . . . . . . . . . . . . . 4 61 5. RTP Operations . . . . . . . . . . . . . . . . . . . . . . . 5 62 5.1. Encrypting a Packet . . . . . . . . . . . . . . . . . . . 5 63 5.2. Modifying a Packet . . . . . . . . . . . . . . . . . . . 6 64 5.3. Decrypting a Packet . . . . . . . . . . . . . . . . . . . 7 65 6. RTCP Operations . . . . . . . . . . . . . . . . . . . . . . . 8 66 7. Recommended Inner and Outer Cryptographic Transforms . . . . 8 67 8. Security Considerations . . . . . . . . . . . . . . . . . . . 9 68 9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 10 69 9.1. RTP Header Extension . . . . . . . . . . . . . . . . . . 10 70 9.2. DTLS-SRTP . . . . . . . . . . . . . . . . . . . . . . . . 10 71 10. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 11 72 11. References . . . . . . . . . . . . . . . . . . . . . . . . . 11 73 11.1. Normative References . . . . . . . . . . . . . . . . . . 11 74 11.2. Informative References . . . . . . . . . . . . . . . . . 12 75 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 12 77 1. Introduction 79 Cloud conferencing systems that are based on switched conferencing 80 have a central media distribution device (MDD) that receives media 81 from endpoints and distributes it to other endpoints, but does not 82 need to interpret or change the media content. For these systems, it 83 is desirable to have one cryptographic context from the sending 84 endpoint to the receiving endpoint that can encrypt and authenticate 85 the media end-to-end while still allowing certain RTP header 86 information to be changed by the MDD. At the same time, a separate 87 cryptographic context provides integrity and optional confidentiality 88 for the media flowing between the MDD and the endpoints. See the 89 framework document that describes this concept in more detail in more 90 detail in [I-D.jones-perc-private-media-framework]. 92 This specification RECOMMENDS the SRTP AES-GCM transform [RFC7714] to 93 encrypt an RTP packet for the end-to-end cryptographic context. The 94 output of this is treated as an RTP packet and again encrypted with 95 an SRTP transform used in the hop-by-hop cryptographic context 96 between the endpoint and the MDD. The MDD decrypts and checks 97 integrity of the hop-by-hop security. The MDD MAY change some of the 98 RTP header information that would impact the end-to-end integrity. 99 The original value of any RTP header field that is changed is 100 included in a new RTP header extension called the Original Header 101 Block. The new RTP packet is encrypted with the hop-by-hop 102 cryptographic transform before it is sent. The receiving endpoint 103 decrypts and checks integrity using the hop-by-hop cryptographic 104 transform and then replaces any parameters the MDD changed using the 105 information in the Original Header Block before decrypting and 106 checking the end-to-end integrity. 108 2. Terminology 110 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 111 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 112 document are to be interpreted as described in [RFC2119]. 114 Terms used throughout this document include: 116 o MDD: media distribution device that routes media from one endpoint 117 to other endpoints 119 o E2E: end-to-end, meaning the link from one endpoint through one or 120 more MDDs to the endpoint at the other end. 122 o HBH: hop-by-hop, meaning the link from the endpoint to or from the 123 MDD. 125 o OHB: Original Header Block is an RTP header extension that 126 contains the original values from the RTP header that might have 127 been changed by an MDD. 129 3. Cryptographic Contexts 131 This specification uses two cryptographic contexts: an inner ("end- 132 to-end") context that is used by endpoints that originate and consume 133 media to ensure the integrity of media end-to-end, and an outer 134 ("hop-by-hop") context that is used between endpoints and MDDs to 135 ensure the integrity of media over a single hop and to enable an MDD 136 to modify certain RTP header fields. RTCP is also encrypted using 137 the hop-by-hop cryptographic context. The RECOMMENDED cipher for the 138 hop-by-hop and end-to-end contexts is AES-GCM. Other combinations of 139 SRTP ciphers that support the procedures in this document can be 140 added to the IANA registry. 142 The keys and salt for these contexts are generated with the following 143 steps: 145 o Generate key and salt values of the length required for the 146 combined inner (end-to-end) and outer (hop-by-hop) transforms. 148 o Assign the key and salt values generated for the inner (end-to- 149 end) transform. 151 o Assign the key and salt values for the outer (hop-by-hop) 152 transform. 154 Obviously, if the MDD is to be able to modify header fields but not 155 decrypt the payload, then it must have cryptographic context for the 156 outer transform, but not the inner transform. This document does not 157 define how the MDD should be provisioned with this information. One 158 possible way to provide keying material for the outer ("hop-by-hop") 159 transform is to use [I-D.jones-perc-dtls-tunnel]. 161 4. Original Header Block 163 Any SRTP packet processed following these procedures MAY contain an 164 Original Header Block (OHB) RTP header extension. 166 The OHB contains the original values of any modified header fields 167 and MUST be placed after any already-existing RTP header extensions. 168 Placement of the OHB after any original header extensions is 169 important so that the receiving endpoint can properly authenticate 170 the original packet and any originally included RTP header 171 extensions. The receiving endpoint will authenticate the original 172 packet by restoring the modified RTP header field values and header 173 extensions. It does this by copying the original values from the OHB 174 and then removing the OHB extension and any other RTP header 175 extensions that appear after the OHB extension. 177 The MDD is only permitted to modify the extension (X) bit, payload 178 type (PT) field, and the RTP sequence number field. 180 The OHB extension is either one octet in length, two octets in 181 length, or three octets in length. The length of the OHB indicates 182 what data is contained in the extension. 184 If the OHB is one octet in length, it contains both the original X 185 bit and PT field value. In this case, the OHB has this form: 187 0 188 0 1 2 3 4 5 6 7 189 +---------------+ 190 |X| PT | 191 +---------------+ 192 If the OHB is two octets in length, it contains the original RTP 193 packet sequence number. In this case, the OHB has this form: 195 0 1 196 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 197 +-------------------------------+ 198 | Sequence Number | 199 +-------------------------------+ 201 If the OHB is three octets in length, it contains the original X bit, 202 PT field value, and RTP packet sequence number. In this case, the 203 OHB has this form: 205 0 1 2 206 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 207 +---------------+-------------------------------+ 208 |X| PT | Sequence Number | 209 +---------------+-------------------------------+ 211 If an MDD modifies an original RTP header value, the MDD MUST include 212 the OHB extension to reflect the changed value. If another MDD along 213 the media path makes additional changes to the RTP header and any 214 original value is not already present in the OHB, the MDD must extend 215 the OHB by adding the changed value to the OHB. To properly preserve 216 original RTP header values, an MDD MUST NOT change a value already 217 present in the OHB extension. 219 5. RTP Operations 221 5.1. Encrypting a Packet 223 To encrypt a packet, the endpoint encrypts the packet using the inner 224 cryptographic context and then encrypts using the outer cryptographic 225 context. The processes is as follows: 227 o Form an RTP packet. If there are any header extensions, they MUST 228 use [RFC5285]. 230 o Apply the inner cryptographic transform to the RTP packet. If 231 encrypting RTP header extensions end-to-end, then [RFC6904] MUST 232 be used when encrypting the RTP packet using the inner 233 cryptographic context. 235 o If the endpoint wishes to insert header extensions that can be 236 modified by an MDD, it MUST insert an OHB header extension at the 237 end of any header extensions protected end-to-end, then add any 238 MDD-modifiable header extensions. The OHB MUST replicate the 239 information found in the RTP header following the application of 240 the inner cryptographic transform. For example, if the packet had 241 no header extensions when the inner cryptographic transform was 242 applied, the X bit would be 0. If the endpoint introduces an OHB 243 and then adds MDD-modifiable header extensions, the X bit in the 244 OHB would be 0. After introducing the OHB and MDD-modifiable 245 header extensions, of course, the X bit in the RTP header would be 246 set to 1. 248 o Apply the outer cryptographic transform to the RTP packet. If 249 encrypting RTP header extensions hop-by-hop, then [RFC6904] MUST 250 be used when encrypting the RTP packet using the outer 251 cryptographic context. 253 5.2. Modifying a Packet 255 The MDD does not have a notion of outer or inner cryptographic 256 contexts. Rather, the MDD has a single cryptographic context. The 257 cryptographic transform and key used to decrypt a packet and any 258 encrypted RTP header extensions would be the same as those used in 259 the endpoint's outer cryptographic context. 261 In order to modify a packet, the MDD decrypts the packet, modifies 262 the packet, updates the OHB with any modifications not already 263 present in the OHB, and re-encrypts the packet using the 264 cryptographic context used for next hop. 266 o Apply the cryptographic transform to the packet. If decrypting 267 RTP header extensions hop-by-hop, then [RFC6904] MUST be used. 269 o Change any required parameters 271 o If a changed RTP header field is not already in the OHB, add it 272 with its original value to the OHB. An MDD MAY add information to 273 the OHB, but MUST NOT change existing information in the OHB. 275 o If the MDD resets a parameter to its original value, it MAY drop 276 it from the OHB as long as there are no other header extensions 277 following the OHB. Note that this might result in a decrease in 278 the size of the OHB. 280 o The MDD MUST NOT delete any header extensions before the OHB, but 281 MAY add, delete, or modify any that follow the OHB. 283 * If the MDD adds any header extensions, it must append them and 284 it must maintain the order of the original header extensions in 285 the [RFC5285] block. 287 * If the MDD appends header extensions, then it MUST add the OHB 288 header extension (if not present), even if the OHB merely 289 replicates the original header field values, and append the new 290 extensions following the OHB. The OHB serves as a demarcation 291 point between original RTP header extensions introduced by the 292 endpoint and those introduced by an MDD. 294 o The MDD MAY modify any header extension appearing after the OHB, 295 but MUST NOT modify header extensions that are present before the 296 OHB. 298 o Apply the cryptographic transform to the packet. If the RTP 299 Sequence Number has been modified, SRTP processing happens as 300 defined in SRTP and which will end up using the new Sequence 301 Number. If encrypting RTP header extensions hop-by-hop, then 302 [RFC6904] MUST be used. 304 5.3. Decrypting a Packet 306 To decrypt a packet, the endpoint first decrypts and verifies using 307 the outer cryptographic context, then uses the OHB to reconstruct the 308 original packet, which it decrypts and verifies with the inner 309 cryptographic context. 311 o Apply the outer cryptographic transform to the packet. If the 312 integrity check does not pass, discard the packet. The result of 313 this is referred to as the outer SRTP packet. If decrypting RTP 314 header extensions hop-by-hop, then [RFC6904] MUST be used when 315 decrypting the RTP packet using the outer cryptographic context. 317 o Form a new synthetic SRTP packet with: 319 * Header = Received header, with header fields replaced with 320 values from OHB (if present). 322 * Insert all header extensions up to the OHB extension, but 323 exclude the OHB and any header extensions that follow the OHB. 324 If the original X bit is 1, then the remaining extensions MUST 325 be padded to the first 32-bit boundary and the overall length 326 of the header extensions adjusted accordingly. If the original 327 X bit is 0, then the header extensions would be removed 328 entirely. 330 * Payload is the original encrypted payload. 332 o Apply the inner cryptographic transform to this synthetic SRTP 333 packet. Note if the RTP Sequence Number was changed by the MDD, 334 the syntetic packet has the original Sequence Number. If the 335 integrity check does not pass, discard the packet. If decrypting 336 RTP header extensions end-to-end, then [RFC6904] MUST be used when 337 decrypting the RTP packet using the inner cryptographic context. 339 Once the packet has successfully decrypted, the application needs to 340 be careful about which information it uses to get the correct 341 behavior. The application MUST use only the information found in the 342 synthetic SRTP packet and MUST NOT use the other data that was in the 343 outer SRTP packet with the following exceptions: 345 o The PT from the outer SRTP packet is used for normal matching to 346 SDP and codec selection. 348 o The sequence number from the outer SRTP packet is used for normal 349 RTP ordering. 351 If any of the following RTP headers extensions are found in the outer 352 SRTP packet, they MAY be used: 354 o TBD 356 6. RTCP Operations 358 Unlike RTP, which is encrypted both hop-by-hop and end-to-end using 359 two separate cryptographic contexts, RTCP is encrypted using only the 360 outer (HBH) cryptographic context. The procedures for RTCP 361 encryption are specified in [RFC3711] and this document introduces no 362 additional steps. 364 7. Recommended Inner and Outer Cryptographic Transforms 366 This specification recommends and defines AES-GCM as both the inner 367 and outer cryptographic transforms, identified as 368 DOUBLE_AEAD_AES_128_GCM_AEAD_AES_128_GCM and 369 DOUBLE_AEAD_AES_256_GCM_AEAD_AES_256_GCM. These transforms provide 370 for authenticated encryption and will consume additional processing 371 time double-encrypting for HBH and E2E. However, the approach is 372 secure and simple, and is thus viewed as an acceptable trade-off in 373 processing efficiency. 375 Note that names for the cryptographic transforms are of the form 376 DOUBLE_(inner transform)_(outer transform). 378 While this document only defines a profile based on AES-GCM, it is 379 possible for future documents to define further profiles with 380 different inner and outer transforms in this same framework. For 381 example, if a new SRTP transform was defined that encrypts some or 382 all of the RTP header, it would be reasonable for systems to have the 383 option of using that for the outer transform. Similarly, if a new 384 transform was defined that provided only integrity, that would also 385 be reasonable to use for the HBH as the payload data is already 386 encrypted by the E2E. 388 The AES-GCM cryptographic transform introduces an additional 16 389 octets to the length of the packet. When using AES-GCM for both the 390 inner and outer cryptographic transforms, the total additional length 391 is 32 octets. If no other header extensions are present in the 392 packet and the OHB is introduced, that will consume an additional 8 393 octets. If other extensions are already present, the OHB will 394 consume up to 4 additional octets. 396 Open Issue: For an audio confernce using opus in a narrowband 397 configuration at TBD kbps with 20 ms packetizaton, the total 398 bandwidth of the RTP would change from TBD to TBD. Do we want to 399 consider having some AES-GCM transfroms with reduced length 400 authentication tags? 402 8. Security Considerations 404 To summarize what is encrypted and authenticated, we will refer to 405 all the RTP fields and headers created by the sender and before the 406 pay load as the initial envelope and the RTP payload information with 407 the media as the payload. Any additional headers added by the MDD 408 are referred to as the extra envelope. The sender uses the E2E key 409 to encrypts the payload and authenticate the payload + initial 410 envelope which using an AEAD cipher results in a slight longer new 411 payload. Then the sender uses the HBH key to encrypt the new payload 412 and authenticate the initial envelope and new payload. 414 The MDD has the HBH key so it can check the authentication of the 415 received packet across the initial envelope and payload data but it 416 can't decrypt the payload as it does not have the E2E key. It can 417 add extra envelope information. It then authenticates the initial 418 plus extra envelope information plus payload with a HBH key. This 419 HBH for the outgoing packet is typically different than the HBH key 420 for the incoming packet. 422 The receiver can check the authentication of the initial and extra 423 envelope information. This, along with the OBH, i used to construct 424 a synthetic packet that is should be identital to one the sender 425 created and the receiver can check that it is identical and then 426 decrypt the original payload. 428 The end result is that if the authentications succeed, the receiver 429 knows exactly what the original sender sent, as well as exactly which 430 modifications were made by the MDD. 432 It is obviously critical that the intermediary have only the outer 433 transform parameters and not the inner transform parameters. We rely 434 on an external key management protocol to assure this property. 436 Modifications by the intermediary result in the recipient getting two 437 values for changed parameters (original and modified). The recipient 438 will have to choose which to use; there is risk in using either that 439 depends on the session setup. 441 The security properties for both the inner and outer key holders are 442 the same as the security properties of classic SRTP. 444 9. IANA Considerations 446 9.1. RTP Header Extension 448 This document defines a new extension URI in the RTP Compact Header 449 Extensions part of the Real-Time Transport Protocol (RTP) Parameters 450 registry, according to the following data: 452 Extension URI: urn:ietf:params:rtp-hdrext:ohb 454 Description: Original Header Block 456 Contact: Cullen Jennings 458 Reference: RFCXXXX 460 Note to RFC Editor: Replace RFCXXXX with the RFC number of this 461 specification. 463 9.2. DTLS-SRTP 465 We request IANA to add the following values to defines a DTLS-SRTP 466 "SRTP Protection Profile" defined in [RFC5764]. 468 +-------+------------------------------------------+-----------+ 469 | Value | Profile | Reference | 470 +-------+------------------------------------------+-----------+ 471 | {TBD} | DOUBLE_AEAD_AES_128_GCM_AEAD_AES_128_GCM | RFCXXXX | 472 | {TBD} | DOUBLE_AEAD_AES_256_GCM_AEAD_AES_256_GCM | RFCXXXX | 473 +-------+------------------------------------------+-----------+ 475 Note to IANA: Please assign value RFCXXXX and update table to point 476 at this RFC for these values. 478 The SRTP transform parameters for each of these protection are: 480 DOUBLE_AEAD_AES_128_GCM_AEAD_AES_128_GCM 481 cipher: AES_128_GCM then AES_128_GCM 482 cipher_key_length: 256 bits 483 cipher_salt_length: 192 bits 484 aead_auth_tag_length: 32 octets 485 auth_function: NULL 486 auth_key_length: N/A 487 auth_tag_length: N/A 488 maximum lifetime: at most 2^31 SRTCP packets and 489 at most 2^48 SRTP packets 491 DOUBLE_AEAD_AES_256_GCM_AEAD_AES_256_GCM 492 cipher: AES_256_GCM then AES_256_GCM 493 cipher_key_length: 512 bits 494 cipher_salt_length: 192 bits 495 aead_auth_tag_length: 32 octets 496 auth_function: NULL 497 auth_key_length: N/A 498 auth_tag_length: N/A 499 maximum lifetime: at most 2^31 SRTCP packets and 500 at most 2^48 SRTP packets 502 The first half of the key and salt is used for the inner (E2E) 503 transform and the second half is used for the outer (HBH) transform. 505 10. Acknowledgments 507 Many thanks to review from Suhas Nandakumar, David Benham, Magnus 508 Westerlund and significant text from Richard Barnes. 510 11. References 512 11.1. Normative References 514 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 515 Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/ 516 RFC2119, March 1997, 517 . 519 [RFC3711] Baugher, M., McGrew, D., Naslund, M., Carrara, E., and K. 520 Norrman, "The Secure Real-time Transport Protocol (SRTP)", 521 RFC 3711, DOI 10.17487/RFC3711, March 2004, 522 . 524 [RFC5285] Singer, D. and H. Desineni, "A General Mechanism for RTP 525 Header Extensions", RFC 5285, DOI 10.17487/RFC5285, July 526 2008, . 528 [RFC5764] McGrew, D. and E. Rescorla, "Datagram Transport Layer 529 Security (DTLS) Extension to Establish Keys for the Secure 530 Real-time Transport Protocol (SRTP)", RFC 5764, DOI 531 10.17487/RFC5764, May 2010, 532 . 534 [RFC6904] Lennox, J., "Encryption of Header Extensions in the Secure 535 Real-time Transport Protocol (SRTP)", RFC 6904, DOI 536 10.17487/RFC6904, April 2013, 537 . 539 [RFC7714] McGrew, D. and K. Igoe, "AES-GCM Authenticated Encryption 540 in the Secure Real-time Transport Protocol (SRTP)", RFC 541 7714, DOI 10.17487/RFC7714, December 2015, 542 . 544 11.2. Informative References 546 [I-D.jones-perc-dtls-tunnel] 547 Jones, P., "DTLS Tunnel between Media Distribution Device 548 and Key Management Function to Facilitate Key Exchange", 549 draft-jones-perc-dtls-tunnel-02 (work in progress), March 550 2016. 552 [I-D.jones-perc-private-media-framework] 553 Jones, P. and D. Benham, "A Solution Framework for Private 554 Media in Privacy Enhanced RTP Conferencing", draft-jones- 555 perc-private-media-framework-02 (work in progress), March 556 2016. 558 Authors' Addresses 560 Cullen Jennings 561 Cisco Systems 563 Email: fluffy@iii.ca 565 Paul E. Jones 566 Cisco Systems 568 Email: paulej@packetizer.com 570 Adam Roach 571 Mozilla 573 Email: adam@nostrum.com