idnits 2.17.1 draft-ietf-perc-double-09.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (May 3, 2018) is 2185 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) == Outdated reference: A later version (-20) exists of draft-ietf-payload-flexible-fec-scheme-07 == Outdated reference: A later version (-12) exists of draft-ietf-perc-dtls-tunnel-03 == Outdated reference: A later version (-12) exists of draft-ietf-perc-private-media-framework-06 == Outdated reference: A later version (-13) exists of draft-ietf-perc-srtp-ekt-diet-07 == Outdated reference: A later version (-10) exists of draft-ietf-rtcweb-fec-08 Summary: 0 errors (**), 0 flaws (~~), 6 warnings (==), 1 comment (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Network Working Group C. Jennings 3 Internet-Draft P. Jones 4 Intended status: Standards Track R. Barnes 5 Expires: November 4, 2018 Cisco Systems 6 A. Roach 7 Mozilla 8 May 3, 2018 10 SRTP Double Encryption Procedures 11 draft-ietf-perc-double-09 13 Abstract 15 In some conferencing scenarios, it is desirable for an intermediary 16 to be able to manipulate some RTP parameters, while still providing 17 strong end-to-end security guarantees. This document defines SRTP 18 procedures that use two separate but related cryptographic operations 19 to provide hop-by-hop and end-to-end security guarantees. Both the 20 end-to-end and hop-by-hop cryptographic algorithms can utilize an 21 authenticated encryption with associated data scheme or take 22 advantage of future SRTP transforms with different properties. 24 Status of This Memo 26 This Internet-Draft is submitted in full conformance with the 27 provisions of BCP 78 and BCP 79. 29 Internet-Drafts are working documents of the Internet Engineering 30 Task Force (IETF). Note that other groups may also distribute 31 working documents as Internet-Drafts. The list of current Internet- 32 Drafts is at https://datatracker.ietf.org/drafts/current/. 34 Internet-Drafts are draft documents valid for a maximum of six months 35 and may be updated, replaced, or obsoleted by other documents at any 36 time. It is inappropriate to use Internet-Drafts as reference 37 material or to cite them other than as "work in progress." 39 This Internet-Draft will expire on November 4, 2018. 41 Copyright Notice 43 Copyright (c) 2018 IETF Trust and the persons identified as the 44 document authors. All rights reserved. 46 This document is subject to BCP 78 and the IETF Trust's Legal 47 Provisions Relating to IETF Documents 48 (https://trustee.ietf.org/license-info) in effect on the date of 49 publication of this document. Please review these documents 50 carefully, as they describe your rights and restrictions with respect 51 to this document. Code Components extracted from this document must 52 include Simplified BSD License text as described in Section 4.e of 53 the Trust Legal Provisions and are provided without warranty as 54 described in the Simplified BSD License. 56 Table of Contents 58 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 59 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3 60 3. Cryptographic Context . . . . . . . . . . . . . . . . . . . . 4 61 3.1. Key Derivation . . . . . . . . . . . . . . . . . . . . . 5 62 4. Original Header Block . . . . . . . . . . . . . . . . . . . . 5 63 5. RTP Operations . . . . . . . . . . . . . . . . . . . . . . . 6 64 5.1. Encrypting a Packet . . . . . . . . . . . . . . . . . . . 6 65 5.2. Relaying a Packet . . . . . . . . . . . . . . . . . . . . 7 66 5.3. Decrypting a Packet . . . . . . . . . . . . . . . . . . . 8 67 6. RTCP Operations . . . . . . . . . . . . . . . . . . . . . . . 9 68 7. Use with Other RTP Mechanisms . . . . . . . . . . . . . . . . 9 69 7.1. RTX . . . . . . . . . . . . . . . . . . . . . . . . . . . 9 70 7.2. RED . . . . . . . . . . . . . . . . . . . . . . . . . . . 10 71 7.3. FEC . . . . . . . . . . . . . . . . . . . . . . . . . . . 10 72 7.4. DTMF . . . . . . . . . . . . . . . . . . . . . . . . . . 11 73 8. Recommended Inner and Outer Cryptographic Algorithms . . . . 11 74 9. Security Considerations . . . . . . . . . . . . . . . . . . . 12 75 10. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 13 76 10.1. DTLS-SRTP . . . . . . . . . . . . . . . . . . . . . . . 13 77 11. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 14 78 12. References . . . . . . . . . . . . . . . . . . . . . . . . . 14 79 12.1. Normative References . . . . . . . . . . . . . . . . . . 14 80 12.2. Informative References . . . . . . . . . . . . . . . . . 15 81 Appendix A. Encryption Overview . . . . . . . . . . . . . . . . 16 82 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 17 84 1. Introduction 86 Cloud conferencing systems that are based on switched conferencing 87 have a central Media Distributor device that receives media from 88 endpoints and distributes it to other endpoints, but does not need to 89 interpret or change the media content. For these systems, it is 90 desirable to have one cryptographic key from the sending endpoint to 91 the receiving endpoint that can encrypt and authenticate the media 92 end-to-end while still allowing certain RTP header information to be 93 changed by the Media Distributor. At the same time, a separate 94 cryptographic key provides integrity and optional confidentiality for 95 the media flowing between the Media Distributor and the endpoints. 97 The framework document [I-D.ietf-perc-private-media-framework] 98 describes this concept in more detail. 100 This specification defines an SRTP transform that uses the AES-GCM 101 algorithm [RFC7714] to provide encryption and integrity for an RTP 102 packet for the end-to-end cryptographic key as well as a hop-by-hop 103 cryptographic encryption and integrity between the endpoint and the 104 Media Distributor. The Media Distributor decrypts and checks 105 integrity of the hop-by-hop security. The Media Distributor MAY 106 change some of the RTP header information that would impact the end- 107 to-end integrity. In that case, the original value of any RTP header 108 field that is changed is included in a new RTP header extension 109 called the Original Header Block. The new RTP packet is encrypted 110 with the hop-by-hop cryptographic algorithm before it is sent. The 111 receiving endpoint decrypts and checks integrity using the hop-by-hop 112 cryptographic algorithm and then replaces any parameters the Media 113 Distributor changed using the information in the Original Header 114 Block before decrypting and checking the end-to-end integrity. 116 One can think of the double as a normal SRTP transform for encrypting 117 the RTP in a way where things that only know half of the key, can 118 decrypt and modify part of the RTP packet but not other parts, 119 including the media payload. 121 2. Terminology 123 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 124 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 125 document are to be interpreted as described in [RFC2119]. 127 Terms used throughout this document include: 129 o Media Distributor: media distribution device that routes media 130 from one endpoint to other endpoints 132 o end-to-end: meaning the link from one endpoint through one or more 133 Media Distributors to the endpoint at the other end. 135 o hop-by-hop: meaning the link from the endpoint to or from the 136 Media Distributor. 138 o OHB: Original Header Block is an octet string that contains the 139 original values from the RTP header that might have been changed 140 by a Media Distributor. 142 3. Cryptographic Context 144 This specification uses a cryptographic context with two parts: 146 o An inner (end-to-end) part that is used by endpoints that 147 originate and consume media to ensure the integrity of media end- 148 to-end, and 150 o An outer (hop-by-hop) part that is used between endpoints and 151 Media Distributors to ensure the integrity of media over a single 152 hop and to enable a Media Distributor to modify certain RTP header 153 fields. RTCP is also handled using the hop-by-hop cryptographic 154 part. 156 The RECOMMENDED cipher for the hop-by-hop and end-to-end algorithm is 157 AES-GCM. Other combinations of SRTP ciphers that support the 158 procedures in this document can be added to the IANA registry. 160 The keys and salt for these algorithms are generated with the 161 following steps: 163 o Generate key and salt values of the length required for the 164 combined inner (end-to-end) and outer (hop-by-hop) algorithms. 166 o Assign the key and salt values generated for the inner (end-to- 167 end) algorithm to the first half of the key and the first half of 168 the salt for the double algorithm. 170 o Assign the key and salt values for the outer (hop-by-hop) 171 algorithm to the second half of the key and second half of the 172 salt for the double algorithm. The first half of the key is 173 referred to as the inner key while the second half is referred to 174 as the outer key. When a key is used by a cryptographic 175 algorithm, the salt used is the part of the salt generated with 176 that key. 178 o the SSRC is the same for both the inner and out outer algorithms 179 as it can not be changed. 181 o The SEQ and ROC are tracked independently for the inner and outer 182 algorithms. 184 Obviously, if the Media Distributor is to be able to modify header 185 fields but not decrypt the payload, then it must have cryptographic 186 key for the outer algorithm, but not the inner (end-to-end) 187 algorithm. This document does not define how the Media Distributor 188 should be provisioned with this information. One possible way to 189 provide keying material for the outer (hop-by-hop) algorithm is to 190 use [I-D.ietf-perc-dtls-tunnel]. 192 3.1. Key Derivation 194 In order to allow the inner and outer keys to be managed 195 independently via the master key, the transforms defined in this 196 document MUST be used with the following PRF, which preserves the 197 separation between the two halves of the key: 199 PRF_double_n(k_master,x) = PRF_inner_(n/2)(k_master,x) || 200 PRF_outer_(n/2)(k_master,x) 202 PRF_inner_n(k_master,x) = PRF_n(inner(k_master),x) 203 PRF_outer_n(k_master,x) = PRF_n(outer(k_master),x) 205 Here "PRF_n(k, x)" represents the AES_CM PRF KDF [RFC3711] for 206 DOUBLE_AEAD_AES_128_GCM_AEAD_AES_128_GCM algorithm and AES_256_CM_PRF 207 KDF [RFC6188] for DOUBLE_AEAD_AES_256_GCM_AEAD_AES_256_GCM algorithm. 208 "inner(key)" represents the first half of the key, and "outer(key)" 209 represents the second half of the key. 211 4. Original Header Block 213 The Original Header Block (OHB) contains the original values of any 214 modified RTP header fields. In the encryption process, the OHB is 215 appended to the RTP payload. In the decryption process, the 216 receiving endpoint uses it to reconstruct the original RTP header, so 217 that it can pass the proper AAD value to the inner transform. 219 The OHB can reflect modifications to the following fields in an RTP 220 header: the payload type, the sequence number, and the marker bit. 221 All other fields in the RTP header MUST remain unmodified; since the 222 OHB cannot reflect their original values, the receiver will be unable 223 to verify the E2E integrity of the packet. 225 The OHB has the following syntax (in ABNF [RFC5234]): 227 OCTET = %x00-FF 229 PT = OCTET 230 SEQ = 2OCTET 231 Config = OCTET 232 OHB = [ PT ] [ SEQ ] Config 234 If present, the PT and SEQ parts of the OHB contain the original 235 payload type and sequence number fields, respectively. The final 236 "config" octet of the OHB specifies whether these fields are present, 237 and the original value of the marker bit (if necessary): 239 +-+-+-+-+-+-+-+-+ 240 |R R R R B M P Q| 241 +-+-+-+-+-+-+-+-+ 243 o P: PT is present 245 o Q: SEQ is present 247 o M: Marker bit is present 249 o B: Value of marker bit 251 o R: Reserved, MUST be set to 0 253 In particular, an all-zero OHB config octet (0x00) indicates that 254 there have been no modifications from the original header. 256 5. RTP Operations 258 5.1. Encrypting a Packet 260 To encrypt a packet, the endpoint encrypts the packet using the inner 261 (end-to-end) cryptographic key and then encrypts using the outer 262 (hop-by-hop) cryptographic key. The encryption also supports a mode 263 for repair packets that only does the outer (hop-by-hop) encryption. 264 The processes is as follows: 266 1. Form an RTP packet. If there are any header extensions, they 267 MUST use [RFC8285]. 269 2. If the packet is for repair mode data, skip to step 6. 271 3. Form a synthetic RTP packet with the following contents: 273 * Header: The RTP header of the original packet with the 274 following modifications: 276 * The X bit is set to zero 278 * The header is truncated to remove any extensions (12 + 4 * CC 279 bytes) 281 * Payload: The RTP payload of the original packet 283 4. Apply the inner cryptographic algorithm to the synthetic RTP 284 packet from the previous step. 286 5. Replace the header of the protected RTP packet with the header of 287 the original packet, and append an empty OHB (0x00) to the 288 encrypted payload (with the authentication tag) obtained from the 289 step 4. 291 6. Apply the outer cryptographic algorithm to the RTP packet. If 292 encrypting RTP header extensions hop-by-hop, then [RFC6904] MUST 293 be used when encrypting the RTP packet using the outer 294 cryptographic key. 296 When using EKT [I-D.ietf-perc-srtp-ekt-diet], the EKT Field comes 297 after the SRTP packet exactly like using EKT with any other SRTP 298 transform. 300 5.2. Relaying a Packet 302 The Media Distributor has the part of the key for the outer (hop-by- 303 hop) cryptographic algorithm, but it does not have the part of the 304 key for the (end-to-end) cryptographic algorithm. The cryptographic 305 algorithm and key used to decrypt a packet and any encrypted RTP 306 header extensions would be the same as those used in the endpoint's 307 outer algorithm and key. 309 In order to modify a packet, the Media Distributor decrypts the 310 received packet, modifies the packet, updates the OHB with any 311 modifications not already present in the OHB, and re-encrypts the 312 packet using the the outer (hop-by-hop) cryptographic key before 313 transmitting. 315 1. Apply the outer (hop-by-hop) cryptographic algorithm to decrypt 316 the packet. If decrypting RTP header extensions hop-by-hop, then 317 [RFC6904] MUST be used. Note that the RTP payload produced by 318 this decryption operation contains the original encrypted payload 319 with the tag from the inner transform and the OHB appended. 321 2. Change any parts of the RTP packet that the relay wishes to 322 change and should be changed. 324 3. A Media Distributor can add information to the OHB, but MUST NOT 325 change existing information in the OHB. If RTP value is changed 326 and not already in the OHB, then add it with its original value 327 to the OHB. 329 4. If the Media Distributor resets a parameter to its original 330 value, it MAY drop it from the OHB. Note that this might result 331 in a decrease in the size of the OHB. 333 5. Apply the outer (hop-by-hop) cryptographic algorithm to the 334 packet. If the RTP Sequence Number has been modified, SRTP 335 processing happens as defined in SRTP and will end up using the 336 new Sequence Number. If encrypting RTP header extensions hop-by- 337 hop, then [RFC6904] MUST be used. 339 5.3. Decrypting a Packet 341 To decrypt a packet, the endpoint first decrypts and verifies using 342 the outer (hop-by-hop) cryptographic key, then uses the OHB to 343 reconstruct the original packet, which it decrypts and verifies with 344 the inner (end-to-end) cryptographic key. 346 1. Apply the outer cryptographic algorithm to the packet. If the 347 integrity check does not pass, discard the packet. The result of 348 this is referred to as the outer SRTP packet. If decrypting RTP 349 header extensions hop-by-hop, then [RFC6904] MUST be used when 350 decrypting the RTP packet using the outer cryptographic key. 352 2. If the packet is for repair mode data, skip the rest of the 353 steps. Note that the packet that results from the repair 354 algorithm will still have encrypted data that needs to be 355 decrypted as specified by the repair algorithm sections. 357 3. Remove the inner authentication tag and the OHB from the end of 358 the payload of the outer SRTP packet. 360 4. Form a new synthetic SRTP packet with: 362 * Header = Received header, with the following modifications: 364 * Header fields replaced with values from OHB (if any) 366 * The X bit is set to zero 368 * The header is truncated to remove any extensions (12 + 4 * CC 369 bytes) 371 * Payload is the encrypted payload from the outer SRTP packet 372 (after the inner tag and OHB have been stripped). 374 * Authentication tag is the inner authentication tag from the 375 outer SRTP packet. 377 5. Apply the inner cryptographic algorithm to this synthetic SRTP 378 packet. Note if the RTP Sequence Number was changed by the Media 379 Distributor, the synthetic packet has the original Sequence 380 Number. If the integrity check does not pass, discard the 381 packet. 383 Once the packet has been successfully decrypted, the application 384 needs to be careful about which information it uses to get the 385 correct behavior. The application MUST use only the information 386 found in the synthetic SRTP packet and MUST NOT use the other data 387 that was in the outer SRTP packet with the following exceptions: 389 o The PT from the outer SRTP packet is used for normal matching to 390 SDP and codec selection. 392 o The sequence number from the outer SRTP packet is used for normal 393 RTP ordering. 395 The PT and sequence number from the inner SRTP packet can be used for 396 collection of various statistics. 398 If any of the following RTP headers extensions are found in the outer 399 SRTP packet, they MAY be used: 401 o Mixer-to-client audio level indicators (See [RFC6465]) 403 6. RTCP Operations 405 Unlike RTP, which is encrypted both hop-by-hop and end-to-end using 406 two separate cryptographic keys, RTCP is encrypted using only the 407 outer (hop-by-hop) cryptographic key. The procedures for RTCP 408 encryption are specified in [RFC3711] and this document introduces no 409 additional steps. 411 7. Use with Other RTP Mechanisms 413 There are some RTP related extensions that need special consideration 414 to be used by a relay when using the double transform due to the end- 415 to-end protection of the RTP. The repair mechanism, when used with 416 double, typically operates on the double encrypted data and encrypts 417 them using only the HBH key. This results in three cryptography 418 operation happening to the repair data sent over the wire. 420 7.1. RTX 422 When using RTX [RFC4588] with double, the cached payloads MUST be the 423 encrypted packets with the bits that are sent over the wire to the 424 other side. When encrypting a retransmission packet, it MUST be 425 encrypted the packet in repair mode. 427 A typical RTX receiver would decrypt the packet, undo the RTX 428 transformation, then process the resulting packet normally by using 429 the steps in Section 5.3. 431 7.2. RED 433 When using RED [RFC2198] with double, the primary encoding MAY 434 contain RTP header extensions and CSRC identifiers but non primary 435 encodings cannot. 437 The sender takes encrypted payload from the cached packets to form 438 the RED payload. Any header extensions from the primary encoding are 439 copied to the RTP packet that will carry the RED payload and the 440 other RTP header information such as SSRC, SEQ, CSRC, etc are set to 441 the same as the primary payload. The RED RTP packet is then 442 encrypted in repair mode and sent. 444 The receiver decrypts the payload to find the encrypted RED payload. 445 Note a media relay can do this decryption as the packet was sent in 446 repair mode that only needs the hop-by-hop key. The RTP headers and 447 header extensions along with the primary payload and PT from inside 448 the RED payload (for the primary encoding) are used to form the 449 encrypted primary RTP packet which can then be decrypted with double. 451 The RTP headers (but not header extensions or CSRC) along with PT 452 from inside the RED payload corresponding to the redundant encoding 453 are used to from the non primary payloads. The time offset and 454 packet rate information in the RED data MUST be used to adjust the 455 sequence number in the RTP header. At this point the non primary 456 packets can be decrypted with double. 458 Note that Flex FEC [I-D.ietf-payload-flexible-fec-scheme] is a 459 superset of the capabilities of RED. For most applications, FlexFEC 460 is a better choice than RED. 462 7.3. FEC 464 When using Flex FEC [I-D.ietf-payload-flexible-fec-scheme] with 465 double, the negotiation of double for the crypto is the out of band 466 signaling that indicates that the repair packets MUST use the order 467 of operations of SRTP followed by FEC when encrypting. This is to 468 ensure that the original media is not revealed to the Media 469 Distributor but at the same time allow the Media Distributor to 470 repair media. When encrypting a packet that contains the Flex FEC 471 data, which is already encrypted, it MUST be encrypted in repair mode 472 packet. 474 The algorithm recommend in [I-D.ietf-rtcweb-fec] for repair of video 475 is Flex FEC [I-D.ietf-payload-flexible-fec-scheme]. Note that for 476 interoperability with WebRTC, [I-D.ietf-rtcweb-fec] recommends not 477 using additional FEC only m-line in SDP for the repair packets. 479 7.4. DTMF 481 When DTMF is sent with [RFC4733], it is end-to-end encrypted and the 482 relay can not read it so it cannot be used to control the relay. 483 Other out of band methods to control the relay need to be used 484 instead. 486 8. Recommended Inner and Outer Cryptographic Algorithms 488 This specification recommends and defines AES-GCM as both the inner 489 and outer cryptographic algorithms, identified as 490 DOUBLE_AEAD_AES_128_GCM_AEAD_AES_128_GCM and 491 DOUBLE_AEAD_AES_256_GCM_AEAD_AES_256_GCM. These algorithm provide 492 for authenticated encryption and will consume additional processing 493 time double-encrypting for hop-by-hop and end-to-end. However, the 494 approach is secure and simple, and is thus viewed as an acceptable 495 trade-off in processing efficiency. 497 Note that names for the cryptographic transforms are of the form 498 DOUBLE_(inner algorithm)_(outer algorithm). 500 While this document only defines a profile based on AES-GCM, it is 501 possible for future documents to define further profiles with 502 different inner and outer algorithms in this same framework. For 503 example, if a new SRTP transform was defined that encrypts some or 504 all of the RTP header, it would be reasonable for systems to have the 505 option of using that for the outer algorithm. Similarly, if a new 506 transform was defined that provided only integrity, that would also 507 be reasonable to use for the hop-by-hop as the payload data is 508 already encrypted by the end-to-end. 510 The AES-GCM cryptographic algorithm introduces an additional 16 511 octets to the length of the packet. When using AES-GCM for both the 512 inner and outer cryptographic algorithms, the total additional length 513 is 32 octets. If no other header extensions are present in the 514 packet and the OHB is introduced, that will consume an additional 8 515 octets. If other extensions are already present, the OHB will 516 consume up to 4 additional octets. For packets in repair mode, the 517 data they are caring is often already encrypted further increasing 518 the size. 520 9. Security Considerations 522 To summarize what is encrypted and authenticated, we will refer to 523 all the RTP fields except headers created by the sender and before 524 the payload as the initial envelope and the RTP payload information 525 with the media as the payload. Any additional headers added by the 526 sender or Media Distributor are referred to as the extra envelope. 527 The sender uses the end-to-end key to encrypt the payload and 528 authenticate the payload + initial envelope, which using an AEAD 529 cipher results in a slight longer new payload. Then the sender uses 530 the hop-by-hop key to encrypt the new payload and authenticate the 531 initial envelope, extra envelope and the new payload. Also to note, 532 the "Associated Data" input (which excludes header extensions ) to 533 the inner crypto differs from [RFC7714] construction. This shouldn't 534 typically impact the strength of e2e integrity given the fact that 535 there doesn't exist header extensions defined today that needs e2e 536 protection. However, if future specifications define header 537 extensions that needs e2e integrity protection, the input to inner 538 transform may be modified to consider including the header 539 extensions. 541 The Media Distributor has the hop-by-hop key so it can check the 542 authentication of the received packet across the initial envelope, 543 extra envelope and payload data but it can't decrypt the payload as 544 it does not have the end-to-end key. It can add or change extra 545 envelope information. It then authenticates the initial plus extra 546 envelope information plus payload with a hop-by-hop key. The hop-by- 547 hop key for the outgoing packet is typically different than the hop- 548 by-hop key for the incoming packet. 550 The receiver can check the authentication of the initial and extra 551 envelope information from the Media Distributor. This, along with 552 the OHB, is used to construct a synthetic packet which should be 553 identical to the initial envelope plus payload to one the sender 554 created and the receiver can check that it is identical and then 555 decrypt the original payload. 557 The end result is that if the authentications succeed, the receiver 558 knows exactly the payload and initial envelope the sender sent, as 559 well as exactly which modifications were made by the Media 560 Distributor and what extra envelope the Media Distributor sent. The 561 receiver does not know exactly what extra envelope the sender sent. 563 It is obviously critical that the intermediary has access to just the 564 outer (hop-by-hop) algorithm key and not the half of the key for the 565 the inner (end-to-end) algorithm. We rely on an external key 566 management protocol to ensure this property. 568 Modifications by the intermediary results in the recipient getting 569 two values for changed parameters (original and modified). The 570 recipient will have to choose which to use; there is risk in using 571 either that depends on the session setup. 573 The security properties for both the inner (end-to-end) and outer 574 (hop-by-hop) key holders are the same as the security properties of 575 classic SRTP. 577 10. IANA Considerations 579 10.1. DTLS-SRTP 581 We request IANA to add the following values to defines a DTLS-SRTP 582 "SRTP Protection Profile" defined in [RFC5764]. 584 +------------+------------------------------------------+-----------+ 585 | Value | Profile | Reference | 586 +------------+------------------------------------------+-----------+ 587 | {0x00, | DOUBLE_AEAD_AES_128_GCM_AEAD_AES_128_GCM | RFCXXXX | 588 | 0x09} | | | 589 | {0x00, | DOUBLE_AEAD_AES_256_GCM_AEAD_AES_256_GCM | RFCXXXX | 590 | 0x0A} | | | 591 +------------+------------------------------------------+-----------+ 593 Note to IANA: Please assign value RFCXXXX and update table to point 594 at this RFC for these values. 596 The SRTP transform parameters for each of these protection are: 598 DOUBLE_AEAD_AES_128_GCM_AEAD_AES_128_GCM 599 cipher: AES_128_GCM then AES_128_GCM 600 cipher_key_length: 256 bits 601 cipher_salt_length: 192 bits 602 aead_auth_tag_length: 256 bits 603 auth_function: NULL 604 auth_key_length: N/A 605 auth_tag_length: N/A 606 maximum lifetime: at most 2^31 SRTCP packets and 607 at most 2^48 SRTP packets 609 DOUBLE_AEAD_AES_256_GCM_AEAD_AES_256_GCM 610 cipher: AES_256_GCM then AES_256_GCM 611 cipher_key_length: 512 bits 612 cipher_salt_length: 192 bits 613 aead_auth_tag_length: 256 bits 614 auth_function: NULL 615 auth_key_length: N/A 616 auth_tag_length: N/A 617 maximum lifetime: at most 2^31 SRTCP packets and 618 at most 2^48 SRTP packets 620 The first half of the key and salt is used for the inner (end-to-end) 621 algorithm and the second half is used for the outer (hop-by-hop) 622 algorithm. 624 11. Acknowledgments 626 Thank you for reviews and improvements to this specification from 627 Alex Gouaillard, David Benham, Magnus Westerlund, Nils Ohlmeier, Paul 628 Jones, Roni Even, and Suhas Nandakumar. In addition, thank you to 629 Sergio Garcia Murillo proposed the change of transporting the OHB 630 information in the RTP payload instead of the RTP header. 632 12. References 634 12.1. Normative References 636 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 637 Requirement Levels", BCP 14, RFC 2119, 638 DOI 10.17487/RFC2119, March 1997, 639 . 641 [RFC3711] Baugher, M., McGrew, D., Naslund, M., Carrara, E., and K. 642 Norrman, "The Secure Real-time Transport Protocol (SRTP)", 643 RFC 3711, DOI 10.17487/RFC3711, March 2004, 644 . 646 [RFC5764] McGrew, D. and E. Rescorla, "Datagram Transport Layer 647 Security (DTLS) Extension to Establish Keys for the Secure 648 Real-time Transport Protocol (SRTP)", RFC 5764, 649 DOI 10.17487/RFC5764, May 2010, 650 . 652 [RFC6188] McGrew, D., "The Use of AES-192 and AES-256 in Secure 653 RTP", RFC 6188, DOI 10.17487/RFC6188, March 2011, 654 . 656 [RFC6904] Lennox, J., "Encryption of Header Extensions in the Secure 657 Real-time Transport Protocol (SRTP)", RFC 6904, 658 DOI 10.17487/RFC6904, April 2013, 659 . 661 [RFC7714] McGrew, D. and K. Igoe, "AES-GCM Authenticated Encryption 662 in the Secure Real-time Transport Protocol (SRTP)", 663 RFC 7714, DOI 10.17487/RFC7714, December 2015, 664 . 666 [RFC8285] Singer, D., Desineni, H., and R. Even, Ed., "A General 667 Mechanism for RTP Header Extensions", RFC 8285, 668 DOI 10.17487/RFC8285, October 2017, 669 . 671 12.2. Informative References 673 [I-D.ietf-payload-flexible-fec-scheme] 674 Zanaty, M., Singh, V., Begen, A., and G. Mandyam, "RTP 675 Payload Format for Flexible Forward Error Correction 676 (FEC)", draft-ietf-payload-flexible-fec-scheme-07 (work in 677 progress), March 2018. 679 [I-D.ietf-perc-dtls-tunnel] 680 Jones, P., Ellenbogen, P., and N. Ohlmeier, "DTLS Tunnel 681 between a Media Distributor and Key Distributor to 682 Facilitate Key Exchange", draft-ietf-perc-dtls-tunnel-03 683 (work in progress), April 2018. 685 [I-D.ietf-perc-private-media-framework] 686 Jones, P., Benham, D., and C. Groves, "A Solution 687 Framework for Private Media in Privacy Enhanced RTP 688 Conferencing", draft-ietf-perc-private-media-framework-06 689 (work in progress), March 2018. 691 [I-D.ietf-perc-srtp-ekt-diet] 692 Jennings, C., Mattsson, J., McGrew, D., Wing, D., and F. 693 Andreasen, "Encrypted Key Transport for DTLS and Secure 694 RTP", draft-ietf-perc-srtp-ekt-diet-07 (work in progress), 695 March 2018. 697 [I-D.ietf-rtcweb-fec] 698 Uberti, J., "WebRTC Forward Error Correction 699 Requirements", draft-ietf-rtcweb-fec-08 (work in 700 progress), March 2018. 702 [RFC2198] Perkins, C., Kouvelas, I., Hodson, O., Hardman, V., 703 Handley, M., Bolot, J., Vega-Garcia, A., and S. Fosse- 704 Parisis, "RTP Payload for Redundant Audio Data", RFC 2198, 705 DOI 10.17487/RFC2198, September 1997, 706 . 708 [RFC4588] Rey, J., Leon, D., Miyazaki, A., Varsa, V., and R. 709 Hakenberg, "RTP Retransmission Payload Format", RFC 4588, 710 DOI 10.17487/RFC4588, July 2006, 711 . 713 [RFC4733] Schulzrinne, H. and T. Taylor, "RTP Payload for DTMF 714 Digits, Telephony Tones, and Telephony Signals", RFC 4733, 715 DOI 10.17487/RFC4733, December 2006, 716 . 718 [RFC5234] Crocker, D., Ed. and P. Overell, "Augmented BNF for Syntax 719 Specifications: ABNF", STD 68, RFC 5234, 720 DOI 10.17487/RFC5234, January 2008, 721 . 723 [RFC6465] Ivov, E., Ed., Marocco, E., Ed., and J. Lennox, "A Real- 724 time Transport Protocol (RTP) Header Extension for Mixer- 725 to-Client Audio Level Indication", RFC 6465, 726 DOI 10.17487/RFC6465, December 2011, 727 . 729 Appendix A. Encryption Overview 731 The following figure shows a double encrypted SRTP packet. The sides 732 indicate the parts of the packet that are encrypted and authenticated 733 by the hop-by-hop and end-to-end operations. 735 0 1 2 3 736 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 737 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<++ 738 |V=2|P|X| CC |M| PT | sequence number | IO 739 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ IO 740 | timestamp | IO 741 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ IO 742 | synchronization source (SSRC) identifier | IO 743 +=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ IO 744 | contributing source (CSRC) identifiers | IO 745 | .... | IO 746 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<+O 747 | RTP extension (OPTIONAL) ... | |O 748 +>+>+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<+O 749 O I | payload ... | IO 750 O I | +-------------------------------+ IO 751 O I | | RTP padding | RTP pad count | IO 752 O +>+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<+O 753 O | | E2E authentication tag | |O 754 O | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |O 755 O | | OHB ... | |O 756 +>| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |+ 757 | | | HBH authentication tag | || 758 | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ || 759 | | || 760 | +- E2E Encrypted Portion E2E Authenticated Portion ---+| 761 | | 762 +--- HBH Encrypted Portion HBH Authenticated Portion ----+ 764 Authors' Addresses 766 Cullen Jennings 767 Cisco Systems 769 Email: fluffy@iii.ca 771 Paul E. Jones 772 Cisco Systems 774 Email: paulej@packetizer.com 776 Richard Barnes 777 Cisco Systems 779 Email: rlb@ipv.sx 780 Adam Roach 781 Mozilla 783 Email: adam@nostrum.com