idnits 2.17.1 draft-ietf-perc-double-10.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (October 17, 2018) is 2017 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) == Outdated reference: A later version (-20) exists of draft-ietf-payload-flexible-fec-scheme-08 == Outdated reference: A later version (-12) exists of draft-ietf-perc-dtls-tunnel-03 == Outdated reference: A later version (-12) exists of draft-ietf-perc-private-media-framework-07 == Outdated reference: A later version (-13) exists of draft-ietf-perc-srtp-ekt-diet-08 == Outdated reference: A later version (-10) exists of draft-ietf-rtcweb-fec-08 Summary: 0 errors (**), 0 flaws (~~), 6 warnings (==), 1 comment (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Network Working Group C. Jennings 3 Internet-Draft P. Jones 4 Intended status: Standards Track R. Barnes 5 Expires: April 20, 2019 Cisco Systems 6 A. Roach 7 Mozilla 8 October 17, 2018 10 SRTP Double Encryption Procedures 11 draft-ietf-perc-double-10 13 Abstract 15 In some conferencing scenarios, it is desirable for an intermediary 16 to be able to manipulate some parameters in Real Time Protocol (RTP) 17 packets, while still providing strong end-to-end security guarantees. 18 This document defines a cryptographic transform for the Secure Real 19 Time Protocol (SRTP) that uses two separate but related cryptographic 20 operations to provide hop-by-hop and end-to-end security guarantees. 21 Both the end-to-end and hop-by-hop cryptographic algorithms can 22 utilize an authenticated encryption with associated data scheme or 23 take advantage of future SRTP transforms with different properties. 25 Status of This Memo 27 This Internet-Draft is submitted in full conformance with the 28 provisions of BCP 78 and BCP 79. 30 Internet-Drafts are working documents of the Internet Engineering 31 Task Force (IETF). Note that other groups may also distribute 32 working documents as Internet-Drafts. The list of current Internet- 33 Drafts is at https://datatracker.ietf.org/drafts/current/. 35 Internet-Drafts are draft documents valid for a maximum of six months 36 and may be updated, replaced, or obsoleted by other documents at any 37 time. It is inappropriate to use Internet-Drafts as reference 38 material or to cite them other than as "work in progress." 40 This Internet-Draft will expire on April 20, 2019. 42 Copyright Notice 44 Copyright (c) 2018 IETF Trust and the persons identified as the 45 document authors. All rights reserved. 47 This document is subject to BCP 78 and the IETF Trust's Legal 48 Provisions Relating to IETF Documents 49 (https://trustee.ietf.org/license-info) in effect on the date of 50 publication of this document. Please review these documents 51 carefully, as they describe your rights and restrictions with respect 52 to this document. Code Components extracted from this document must 53 include Simplified BSD License text as described in Section 4.e of 54 the Trust Legal Provisions and are provided without warranty as 55 described in the Simplified BSD License. 57 Table of Contents 59 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 60 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3 61 3. Cryptographic Context . . . . . . . . . . . . . . . . . . . . 4 62 3.1. Key Derivation . . . . . . . . . . . . . . . . . . . . . 5 63 4. Original Header Block . . . . . . . . . . . . . . . . . . . . 5 64 5. RTP Operations . . . . . . . . . . . . . . . . . . . . . . . 6 65 5.1. Encrypting a Packet . . . . . . . . . . . . . . . . . . . 7 66 5.2. Relaying a Packet . . . . . . . . . . . . . . . . . . . . 8 67 5.3. Decrypting a Packet . . . . . . . . . . . . . . . . . . . 9 68 6. RTCP Operations . . . . . . . . . . . . . . . . . . . . . . . 10 69 7. Use with Other RTP Mechanisms . . . . . . . . . . . . . . . . 10 70 7.1. RTP Retransmission (RTX) . . . . . . . . . . . . . . . . 11 71 7.2. Redundant Audio Data (RED) . . . . . . . . . . . . . . . 11 72 7.3. Forward Error Correction (FEC) . . . . . . . . . . . . . 11 73 7.4. DTMF . . . . . . . . . . . . . . . . . . . . . . . . . . 12 74 8. Recommended Inner and Outer Cryptographic Algorithms . . . . 12 75 9. Security Considerations . . . . . . . . . . . . . . . . . . . 13 76 10. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 13 77 10.1. DTLS-SRTP . . . . . . . . . . . . . . . . . . . . . . . 13 78 11. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 14 79 12. References . . . . . . . . . . . . . . . . . . . . . . . . . 15 80 12.1. Normative References . . . . . . . . . . . . . . . . . . 15 81 12.2. Informative References . . . . . . . . . . . . . . . . . 15 82 Appendix A. Encryption Overview . . . . . . . . . . . . . . . . 17 83 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 17 85 1. Introduction 87 Cloud conferencing systems that are based on switched conferencing 88 have a central Media Distributor device that receives media from 89 endpoints and distributes it to other endpoints, but does not need to 90 interpret or change the media content. For these systems, it is 91 desirable to have one cryptographic key from the sending endpoint to 92 the receiving endpoint that can encrypt and authenticate the media 93 end-to-end while still allowing certain information in the header of 94 a Real Time Protocol (RTP) packet to be changed by the Media 95 Distributor. At the same time, a separate cryptographic key provides 96 integrity and optional confidentiality for the media flowing between 97 the Media Distributor and the endpoints. The framework document 98 [I-D.ietf-perc-private-media-framework] describes this concept in 99 more detail. 101 This specification defines a transform for the Secure Real Time 102 Protocol (SRTP) that uses the AES-GCM algorithm [RFC7714] to provide 103 encryption and integrity for an RTP packet for the end-to-end 104 cryptographic key as well as a hop-by-hop cryptographic encryption 105 and integrity between the endpoint and the Media Distributor. The 106 Media Distributor decrypts and checks integrity of the hop-by-hop 107 security. The Media Distributor MAY change some of the RTP header 108 information that would impact the end-to-end integrity. In that 109 case, the original value of any RTP header field that is changed is 110 included in a new RTP header extension called the Original Header 111 Block. The new RTP packet is encrypted with the hop-by-hop 112 cryptographic algorithm before it is sent. The receiving endpoint 113 decrypts and checks integrity using the hop-by-hop cryptographic 114 algorithm and then replaces any parameters the Media Distributor 115 changed using the information in the Original Header Block before 116 decrypting and checking the end-to-end integrity. 118 One can think of the double as a normal SRTP transform for encrypting 119 the RTP in a way where things that only know half of the key, can 120 decrypt and modify part of the RTP packet but not other parts, 121 including the media payload. 123 2. Terminology 125 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 126 "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and 127 "OPTIONAL" in this document are to be interpreted as described in BCP 128 14 [RFC2119] [RFC8174] when, and only when, they appear in all 129 capitals, as shown here. 131 Terms used throughout this document include: 133 o Media Distributor: A device that receives media from endpoints and 134 distributes it to other endpoints, but does not need to interpret 135 or change the media content (see also 136 [I-D.ietf-perc-private-media-framework]) 138 o end-to-end: The path from one endpoint through one or more Media 139 Distributors to the endpoint at the other end. 141 o hop-by-hop: The path from the endpoint to or from the Media 142 Distributor. 144 o Original Header Block (OHB): An octet string that contains the 145 original values from the RTP header that might have been changed 146 by a Media Distributor. 148 3. Cryptographic Context 150 This specification uses a cryptographic context with two parts: 152 o An inner (end-to-end) part that is used by endpoints that 153 originate and consume media to ensure the integrity of media end- 154 to-end, and 156 o An outer (hop-by-hop) part that is used between endpoints and 157 Media Distributors to ensure the integrity of media over a single 158 hop and to enable a Media Distributor to modify certain RTP header 159 fields. RTCP is also handled using the hop-by-hop cryptographic 160 part. 162 The RECOMMENDED cipher for the hop-by-hop and end-to-end algorithm is 163 AES-GCM. Other combinations of SRTP ciphers that support the 164 procedures in this document can be added to the IANA registry. 166 The keys and salt for these algorithms are generated with the 167 following steps: 169 o Generate key and salt values of the length required for the 170 combined inner (end-to-end) and outer (hop-by-hop) algorithms. 172 o Assign the key and salt values generated for the inner (end-to- 173 end) algorithm to the first half of the key and the first half of 174 the salt for the double algorithm. 176 o Assign the key and salt values for the outer (hop-by-hop) 177 algorithm to the second half of the key and second half of the 178 salt for the double algorithm. The first half of the key is 179 referred to as the inner key while the second half is referred to 180 as the outer key. When a key is used by a cryptographic 181 algorithm, the salt used is the part of the salt generated with 182 that key. 184 o the SSRC is the same for both the inner and out outer algorithms 185 as it can not be changed. 187 o The SEQ and ROC are tracked independently for the inner and outer 188 algorithms. 190 If the Media Distributor is to be able to modify header fields but 191 not decrypt the payload, then it must have cryptographic key for the 192 outer algorithm, but not the inner (end-to-end) algorithm. This 193 document does not define how the Media Distributor should be 194 provisioned with this information. One possible way to provide 195 keying material for the outer (hop-by-hop) algorithm is to use 196 [I-D.ietf-perc-dtls-tunnel]. 198 3.1. Key Derivation 200 In order to allow the inner and outer keys to be managed 201 independently via the master key, the transforms defined in this 202 document MUST be used with the following pseudo-random function 203 (PRF), which preserves the separation between the two halves of the 204 key. Given a positive integer "n" representing the desired output 205 length, a master key "k_master", and an input "x": 207 PRF_double_n(k_master,x) = PRF_inner_(n/2)(k_master,x) || 208 PRF_outer_(n/2)(k_master,x) 210 PRF_inner_n(k_master,x) = PRF_n(inner(k_master),x) 211 PRF_outer_n(k_master,x) = PRF_n(outer(k_master),x) 213 Here "PRF_n(k, x)" represents the AES_CM PRF KDF [RFC3711] for 214 DOUBLE_AEAD_AES_128_GCM_AEAD_AES_128_GCM algorithm and AES_256_CM_PRF 215 KDF [RFC6188] for DOUBLE_AEAD_AES_256_GCM_AEAD_AES_256_GCM algorithm. 216 "inner(key)" represents the first half of the key, and "outer(key)" 217 represents the second half of the key. 219 4. Original Header Block 221 The Original Header Block (OHB) contains the original values of any 222 modified RTP header fields. In the encryption process, the OHB is 223 appended to the RTP payload. In the decryption process, the 224 receiving endpoint uses it to reconstruct the original RTP header, so 225 that it can pass the proper AAD value to the inner transform. 227 The OHB can reflect modifications to the following fields in an RTP 228 header: the payload type, the sequence number, and the marker bit. 229 All other fields in the RTP header MUST remain unmodified; since the 230 OHB cannot reflect their original values, the receiver will be unable 231 to verify the E2E integrity of the packet. 233 The OHB has the following syntax (in ABNF [RFC5234]): 235 OCTET = %x00-FF 237 PT = OCTET 238 SEQ = 2OCTET 239 Config = OCTET 240 OHB = [ PT ] [ SEQ ] Config 242 If present, the PT and SEQ parts of the OHB contain the original 243 payload type and sequence number fields, respectively. The final 244 "config" octet of the OHB specifies whether these fields are present, 245 and the original value of the marker bit (if necessary): 247 +-+-+-+-+-+-+-+-+ 248 |R R R R B M P Q| 249 +-+-+-+-+-+-+-+-+ 251 o P: PT is present 253 o Q: SEQ is present 255 o M: Marker bit is present 257 o B: Value of marker bit 259 o R: Reserved, MUST be set to 0 261 In particular, an all-zero OHB config octet (0x00) indicates that 262 there have been no modifications from the original header. 264 5. RTP Operations 266 As implied by the use of the word "double" above, this transform 267 applies AES-GCM to the SRTP packet twice. This allows media 268 distributors to be able to modify some header fields while allowing 269 endpoints to verify the end-to-end integrity and confidentiality of a 270 packet. 272 The first, "inner" application of AES-GCM encrypts the SRTP payload 273 and integrity-protects a version of the SRTP header with extensions 274 truncated. Omitting extensions from the inner integrity check means 275 that they can be modified by a media distributor holding only the 276 "outer" key. 278 The second, "outer" application of AES-GCM encrypts the ciphertext 279 produced by the inner encryption (i.e., the encrypted payload and 280 authentication tag), plus an OHB that expresses any changes made 281 between the inner and outer transforms. 283 A media distributor that has the outer key but not the inner key may 284 modify the header fields that can be included in the OHB by 285 decrypting, modifying, and re-encrypting the packet. 287 5.1. Encrypting a Packet 289 To encrypt a packet, the endpoint encrypts the packet using the inner 290 (end-to-end) cryptographic key and then encrypts using the outer 291 (hop-by-hop) cryptographic key. The encryption also supports a mode 292 for repair packets that only does the outer (hop-by-hop) encryption. 293 The processes is as follows: 295 1. Form an RTP packet. If there are any header extensions, they 296 MUST use [RFC8285]. 298 2. If the packet is for repair mode data, skip to step 6. 300 3. Form a synthetic RTP packet with the following contents: 302 * Header: The RTP header of the original packet with the 303 following modifications: 305 * The X bit is set to zero 307 * The header is truncated to remove any extensions (i.e., keep 308 only the first 12 + 4 * CC bytes of the header) 310 * Payload: The RTP payload of the original packet 312 4. Apply the inner cryptographic algorithm to the synthetic RTP 313 packet from the previous step. 315 5. Replace the header of the protected RTP packet with the header of 316 the original packet, and append an empty OHB (0x00) to the 317 encrypted payload (with the authentication tag) obtained from the 318 step 4. 320 6. Apply the outer cryptographic algorithm to the RTP packet. If 321 encrypting RTP header extensions hop-by-hop, then [RFC6904] MUST 322 be used when encrypting the RTP packet using the outer 323 cryptographic key. 325 When using EKT [I-D.ietf-perc-srtp-ekt-diet], the EKT Field comes 326 after the SRTP packet exactly like using EKT with any other SRTP 327 transform. 329 5.2. Relaying a Packet 331 The Media Distributor has the part of the key for the outer (hop-by- 332 hop) cryptographic algorithm, but it does not have the part of the 333 key for the (end-to-end) cryptographic algorithm. The cryptographic 334 algorithm and key used to decrypt a packet and any encrypted RTP 335 header extensions would be the same as those used in the endpoint's 336 outer algorithm and key. 338 In order to modify a packet, the Media Distributor decrypts the 339 received packet, modifies the packet, updates the OHB with any 340 modifications not already present in the OHB, and re-encrypts the 341 packet using the the outer (hop-by-hop) cryptographic key before 342 transmitting. 344 1. Apply the outer (hop-by-hop) cryptographic algorithm to decrypt 345 the packet. If decrypting RTP header extensions hop-by-hop, then 346 [RFC6904] MUST be used. Note that the RTP payload produced by 347 this decryption operation contains the original encrypted payload 348 with the tag from the inner transform and the OHB appended. 350 2. Make any desired changes to the fields are allowed to be changed, 351 i.e., PT, SEQ, and M. 353 3. A Media Distributor can add information to the OHB, but MUST NOT 354 change existing information in the OHB. If RTP value is changed 355 and not already in the OHB, then add it with its original value 356 to the OHB. 358 4. If the Media Distributor resets a parameter to its original 359 value, it MAY drop it from the OHB. Note that this might result 360 in a decrease in the size of the OHB. 362 5. Apply the outer (hop-by-hop) cryptographic algorithm to the 363 packet. If the RTP Sequence Number has been modified, SRTP 364 processing happens as defined in SRTP and will end up using the 365 new Sequence Number. If encrypting RTP header extensions hop-by- 366 hop, then [RFC6904] MUST be used. 368 In order to avoid nonce reuse, the cryptographic contexts used in 369 step 1 and step 5 MUST use different, independent master keys and 370 master salts. 372 Note that if multiple MDs modify the same packet, then the first MD 373 to alter a given header field is the one that adds it to the OHB. If 374 a subsequent MD changes the value of a header field that has already 375 been changed, then the original value will already be in the OHB, so 376 no update to the OHB is required. 378 A Media Distributor that decrypts, modifies, and re-encrypts packets 379 in this way MUST use an independent key for each recipient, SHOULD 380 use an independent salt for each recipient, and MUST NOT re-encrypt 381 the packet using the sender's keys. If the Media Distributor 382 decrypts and re-encrypts with the same key and salt, it will result 383 in the reuse of a (key, nonce) pair, undermining the security of GCM. 385 5.3. Decrypting a Packet 387 To decrypt a packet, the endpoint first decrypts and verifies using 388 the outer (hop-by-hop) cryptographic key, then uses the OHB to 389 reconstruct the original packet, which it decrypts and verifies with 390 the inner (end-to-end) cryptographic key. 392 1. Apply the outer cryptographic algorithm to the packet. If the 393 integrity check does not pass, discard the packet. The result of 394 this is referred to as the outer SRTP packet. If decrypting RTP 395 header extensions hop-by-hop, then [RFC6904] MUST be used when 396 decrypting the RTP packet using the outer cryptographic key. 398 2. If the packet is for repair mode data, skip the rest of the 399 steps. Note that the packet that results from the repair 400 algorithm will still have encrypted data that needs to be 401 decrypted as specified by the repair algorithm sections. 403 3. Remove the inner authentication tag and the OHB from the end of 404 the payload of the outer SRTP packet. 406 4. Form a new synthetic SRTP packet with: 408 * Header = Received header, with the following modifications: 410 * Header fields replaced with values from OHB (if any) 412 * The X bit is set to zero 414 * The header is truncated to remove any extensions (i.e., keep 415 only the first 12 + 4 * CC bytes of the header) 417 * Payload is the encrypted payload from the outer SRTP packet 418 (after the inner tag and OHB have been stripped). 420 * Authentication tag is the inner authentication tag from the 421 outer SRTP packet. 423 5. Apply the inner cryptographic algorithm to this synthetic SRTP 424 packet. Note if the RTP Sequence Number was changed by the Media 425 Distributor, the synthetic packet has the original Sequence 426 Number. If the integrity check does not pass, discard the 427 packet. 429 Once the packet has been successfully decrypted, the application 430 needs to be careful about which information it uses to get the 431 correct behavior. The application MUST use only the information 432 found in the synthetic SRTP packet and MUST NOT use the other data 433 that was in the outer SRTP packet with the following exceptions: 435 o The PT from the outer SRTP packet is used for normal matching to 436 SDP and codec selection. 438 o The sequence number from the outer SRTP packet is used for normal 439 RTP ordering. 441 The PT and sequence number from the inner SRTP packet can be used for 442 collection of various statistics. 444 If the RTP header of the outer packet contains extensions, they MAY 445 be used. However, because extensions are not protected end-to-end, 446 implementations SHOULD reject an RTP packet containing headers that 447 would require end-to-end protection. 449 6. RTCP Operations 451 Unlike RTP, which is encrypted both hop-by-hop and end-to-end using 452 two separate cryptographic keys, RTCP is encrypted using only the 453 outer (hop-by-hop) cryptographic key. The procedures for RTCP 454 encryption are specified in [RFC3711] and this document introduces no 455 additional steps. 457 7. Use with Other RTP Mechanisms 459 Media distributors sometimes interact with RTP media packets sent by 460 endpoints, e.g., to provide recovery or receive commands via DTMF. 461 When media packets are encrypted end-to-end, these procedures require 462 modification. 464 Repair mechanisms, in general, will need to perform recovery on 465 encrypted packets (double-encrypted when using this transform). When 466 the recovery mechanism calls for the recovery packet itself to be 467 encrypted, it is encrypted with only the outer, HBH key. This allows 468 a media distributor to generate recovery packets without having 469 access to the inner, E2E keys. However, it also results in recovery 470 packets being triple-encrypted, twice for the base transform, and 471 once for the recovery protection. 473 7.1. RTP Retransmission (RTX) 475 When using RTX [RFC4588] with double, the cached payloads MUST be the 476 double-encrypted packets, i.e., the bits that are sent over the wire 477 to the other side. When encrypting a retransmission packet, it MUST 478 be encrypted the packet in repair mode (i.e., with only the HBH key). 480 A typical RTX receiver would decrypt the packet, undo the RTX 481 transformation, then process the resulting packet normally by using 482 the steps in Section 5.3. 484 7.2. Redundant Audio Data (RED) 486 When using RED [RFC2198] with double, the primary encoding MAY 487 contain RTP header extensions and CSRC identifiers but non primary 488 encodings cannot. 490 The sender takes encrypted payload from the cached packets to form 491 the RED payload. Any header extensions from the primary encoding are 492 copied to the RTP packet that will carry the RED payload and the 493 other RTP header information such as SSRC, SEQ, CSRC, etc are set to 494 the same as the primary payload. The RED RTP packet is then 495 encrypted in repair mode and sent. 497 The receiver decrypts the payload to find the encrypted RED payload. 498 Note a media relay can do this decryption as the packet was sent in 499 repair mode that only needs the hop-by-hop key. The RTP headers and 500 header extensions along with the primary payload and PT from inside 501 the RED payload (for the primary encoding) are used to form the 502 encrypted primary RTP packet which can then be decrypted with double. 504 The RTP headers (but not header extensions or CSRC) along with PT 505 from inside the RED payload corresponding to the redundant encoding 506 are used to from the non primary payloads. The time offset and 507 packet rate information in the RED data MUST be used to adjust the 508 sequence number in the RTP header. At this point the non primary 509 packets can be decrypted with double. 511 Note that Flex FEC [I-D.ietf-payload-flexible-fec-scheme] is a 512 superset of the capabilities of RED. For most applications, FlexFEC 513 is a better choice than RED. 515 7.3. Forward Error Correction (FEC) 517 When using Flex FEC [I-D.ietf-payload-flexible-fec-scheme] with 518 double, repair packets MUST be constructed by first double-encrypting 519 the packet, then performing FEC. Processing of repair packets 520 proceeds in the opposite order, performing FEC recovery and then 521 decrypting. This ensures that the original media is not revealed to 522 the Media Distributor but at the same time allows the Media 523 Distributor to repair media. When encrypting a packet that contains 524 the Flex FEC data, which is already encrypted, it MUST be encrypted 525 with only the outer, HBH transform. 527 The algorithm recommended in [I-D.ietf-rtcweb-fec] for repair of 528 video is Flex FEC [I-D.ietf-payload-flexible-fec-scheme]. Note that 529 for interoperability with WebRTC, [I-D.ietf-rtcweb-fec] recommends 530 not using additional FEC only m-line in SDP for the repair packets. 532 7.4. DTMF 534 When DTMF is sent using the mechanism in [RFC4733], it is end-to-end 535 encrypted and the relay can not read it, so it cannot be used to 536 control the relay. Other out of band methods to control the relay 537 need to be used instead. 539 8. Recommended Inner and Outer Cryptographic Algorithms 541 This specification recommends and defines AES-GCM as both the inner 542 and outer cryptographic algorithms, identified as 543 DOUBLE_AEAD_AES_128_GCM_AEAD_AES_128_GCM and 544 DOUBLE_AEAD_AES_256_GCM_AEAD_AES_256_GCM. These algorithm provide 545 for authenticated encryption and will consume additional processing 546 time double-encrypting for hop-by-hop and end-to-end. However, the 547 approach is secure and simple, and is thus viewed as an acceptable 548 trade-off in processing efficiency. 550 Note that names for the cryptographic transforms are of the form 551 DOUBLE_(inner algorithm)_(outer algorithm). 553 While this document only defines a profile based on AES-GCM, it is 554 possible for future documents to define further profiles with 555 different inner and outer algorithms in this same framework. For 556 example, if a new SRTP transform was defined that encrypts some or 557 all of the RTP header, it would be reasonable for systems to have the 558 option of using that for the outer algorithm. Similarly, if a new 559 transform was defined that provided only integrity, that would also 560 be reasonable to use for the outer transform as the payload data is 561 already encrypted by the inner transform. 563 The AES-GCM cryptographic algorithm introduces an additional 16 564 octets to the length of the packet. When using AES-GCM for both the 565 inner and outer cryptographic algorithms, the total additional length 566 is 32 octets. If no other header extensions are present in the 567 packet and the OHB is introduced, that will consume an additional 8 568 octets. If other extensions are already present, the OHB will 569 consume up to 4 additional octets. Packets in repair mode will carry 570 additional repair data, further increasing their size. 572 9. Security Considerations 574 This SRTP transform provides protection against two classes of 575 attacker: An network attacker that knows neither the inner nor outer 576 keys, and a malicious MD that knows the outer key. Obviously, it 577 provides no protections against an attacker that holds both the inner 578 and outer keys. 580 The protections with regard to the network are the same as with the 581 normal SRTP AES-GCM transforms. 583 With regard to a malicious MD, the recipient can verify the integrity 584 of the base header fields and confidentiality and integrity of the 585 payload. The recipient has no assurance, however, of the integrity 586 of the header extensions in the packet. 588 The main innovation of this transform relative to other SRTP 589 transforms is that it allows a partly-trusted MD to decrypt, modify, 590 and re-encrypt a packet. When this is done, the cryptographic 591 contexts used for decryption and re-encryption MUST use different, 592 independent master keys and master salts. If the same context is 593 used, the nonce formation rules for SRTP will cause the same key and 594 nonce to be used with two different plaintexts, which substantially 595 degrades the security of AES-GCM. 597 In other words, from the perspective of the MD, re-encrypting packets 598 using this protocol will involve the same cryptographic operations as 599 if it had established independent AES-GCM crypto contexts with the 600 sender and the receiver. If the MD doesn't modify any header fields, 601 then an MD that supports AES-GCM could be unused unmodified. 603 10. IANA Considerations 605 10.1. DTLS-SRTP 607 We request IANA to add the following values to defines a DTLS-SRTP 608 "SRTP Protection Profile" defined in [RFC5764]. 610 +------------+------------------------------------------+-----------+ 611 | Value | Profile | Reference | 612 +------------+------------------------------------------+-----------+ 613 | {0x00, | DOUBLE_AEAD_AES_128_GCM_AEAD_AES_128_GCM | RFCXXXX | 614 | 0x09} | | | 615 | {0x00, | DOUBLE_AEAD_AES_256_GCM_AEAD_AES_256_GCM | RFCXXXX | 616 | 0x0A} | | | 617 +------------+------------------------------------------+-----------+ 619 Note to IANA: Please assign value RFCXXXX and update table to point 620 at this RFC for these values. 622 The SRTP transform parameters for each of these protection are: 624 DOUBLE_AEAD_AES_128_GCM_AEAD_AES_128_GCM 625 cipher: AES_128_GCM then AES_128_GCM 626 cipher_key_length: 256 bits 627 cipher_salt_length: 192 bits 628 aead_auth_tag_length: 256 bits 629 auth_function: NULL 630 auth_key_length: N/A 631 auth_tag_length: N/A 632 maximum lifetime: at most 2^31 SRTCP packets and 633 at most 2^48 SRTP packets 635 DOUBLE_AEAD_AES_256_GCM_AEAD_AES_256_GCM 636 cipher: AES_256_GCM then AES_256_GCM 637 cipher_key_length: 512 bits 638 cipher_salt_length: 192 bits 639 aead_auth_tag_length: 256 bits 640 auth_function: NULL 641 auth_key_length: N/A 642 auth_tag_length: N/A 643 maximum lifetime: at most 2^31 SRTCP packets and 644 at most 2^48 SRTP packets 646 The first half of the key and salt is used for the inner (end-to-end) 647 algorithm and the second half is used for the outer (hop-by-hop) 648 algorithm. 650 11. Acknowledgments 652 Thank you for reviews and improvements to this specification from 653 Alex Gouaillard, David Benham, Magnus Westerlund, Nils Ohlmeier, Paul 654 Jones, Roni Even, and Suhas Nandakumar. In addition, thank you to 655 Sergio Garcia Murillo proposed the change of transporting the OHB 656 information in the RTP payload instead of the RTP header. 658 12. References 660 12.1. Normative References 662 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 663 Requirement Levels", BCP 14, RFC 2119, 664 DOI 10.17487/RFC2119, March 1997, 665 . 667 [RFC3711] Baugher, M., McGrew, D., Naslund, M., Carrara, E., and K. 668 Norrman, "The Secure Real-time Transport Protocol (SRTP)", 669 RFC 3711, DOI 10.17487/RFC3711, March 2004, 670 . 672 [RFC5764] McGrew, D. and E. Rescorla, "Datagram Transport Layer 673 Security (DTLS) Extension to Establish Keys for the Secure 674 Real-time Transport Protocol (SRTP)", RFC 5764, 675 DOI 10.17487/RFC5764, May 2010, 676 . 678 [RFC6188] McGrew, D., "The Use of AES-192 and AES-256 in Secure 679 RTP", RFC 6188, DOI 10.17487/RFC6188, March 2011, 680 . 682 [RFC6904] Lennox, J., "Encryption of Header Extensions in the Secure 683 Real-time Transport Protocol (SRTP)", RFC 6904, 684 DOI 10.17487/RFC6904, April 2013, 685 . 687 [RFC7714] McGrew, D. and K. Igoe, "AES-GCM Authenticated Encryption 688 in the Secure Real-time Transport Protocol (SRTP)", 689 RFC 7714, DOI 10.17487/RFC7714, December 2015, 690 . 692 [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 693 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, 694 May 2017, . 696 [RFC8285] Singer, D., Desineni, H., and R. Even, Ed., "A General 697 Mechanism for RTP Header Extensions", RFC 8285, 698 DOI 10.17487/RFC8285, October 2017, 699 . 701 12.2. Informative References 703 [I-D.ietf-payload-flexible-fec-scheme] 704 Zanaty, M., Singh, V., Begen, A., and G. Mandyam, "RTP 705 Payload Format for Flexible Forward Error Correction 706 (FEC)", draft-ietf-payload-flexible-fec-scheme-08 (work in 707 progress), July 2018. 709 [I-D.ietf-perc-dtls-tunnel] 710 Jones, P., Ellenbogen, P., and N. Ohlmeier, "DTLS Tunnel 711 between a Media Distributor and Key Distributor to 712 Facilitate Key Exchange", draft-ietf-perc-dtls-tunnel-03 713 (work in progress), April 2018. 715 [I-D.ietf-perc-private-media-framework] 716 Jones, P., Benham, D., and C. Groves, "A Solution 717 Framework for Private Media in Privacy Enhanced RTP 718 Conferencing", draft-ietf-perc-private-media-framework-07 719 (work in progress), September 2018. 721 [I-D.ietf-perc-srtp-ekt-diet] 722 Jennings, C., Mattsson, J., McGrew, D., Wing, D., and F. 723 Andreasen, "Encrypted Key Transport for DTLS and Secure 724 RTP", draft-ietf-perc-srtp-ekt-diet-08 (work in progress), 725 July 2018. 727 [I-D.ietf-rtcweb-fec] 728 Uberti, J., "WebRTC Forward Error Correction 729 Requirements", draft-ietf-rtcweb-fec-08 (work in 730 progress), March 2018. 732 [RFC2198] Perkins, C., Kouvelas, I., Hodson, O., Hardman, V., 733 Handley, M., Bolot, J., Vega-Garcia, A., and S. Fosse- 734 Parisis, "RTP Payload for Redundant Audio Data", RFC 2198, 735 DOI 10.17487/RFC2198, September 1997, 736 . 738 [RFC4588] Rey, J., Leon, D., Miyazaki, A., Varsa, V., and R. 739 Hakenberg, "RTP Retransmission Payload Format", RFC 4588, 740 DOI 10.17487/RFC4588, July 2006, 741 . 743 [RFC4733] Schulzrinne, H. and T. Taylor, "RTP Payload for DTMF 744 Digits, Telephony Tones, and Telephony Signals", RFC 4733, 745 DOI 10.17487/RFC4733, December 2006, 746 . 748 [RFC5234] Crocker, D., Ed. and P. Overell, "Augmented BNF for Syntax 749 Specifications: ABNF", STD 68, RFC 5234, 750 DOI 10.17487/RFC5234, January 2008, 751 . 753 Appendix A. Encryption Overview 755 The following figure shows a double encrypted SRTP packet. The sides 756 indicate the parts of the packet that are encrypted and authenticated 757 by the hop-by-hop and end-to-end operations. 759 0 1 2 3 760 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 761 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<++ 762 |V=2|P|X| CC |M| PT | sequence number | IO 763 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ IO 764 | timestamp | IO 765 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ IO 766 | synchronization source (SSRC) identifier | IO 767 +=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ IO 768 | contributing source (CSRC) identifiers | IO 769 | .... | IO 770 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<+O 771 | RTP extension (OPTIONAL) ... | |O 772 +>+>+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<+O 773 O I | payload ... | IO 774 O I | +-------------------------------+ IO 775 O I | | RTP padding | RTP pad count | IO 776 O +>+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<+O 777 O | | E2E authentication tag | |O 778 O | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |O 779 O | | OHB ... | |O 780 +>| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |+ 781 | | | HBH authentication tag | || 782 | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ || 783 | | || 784 | +- E2E Encrypted Portion E2E Authenticated Portion ---+| 785 | | 786 +--- HBH Encrypted Portion HBH Authenticated Portion ----+ 788 Authors' Addresses 790 Cullen Jennings 791 Cisco Systems 793 Email: fluffy@iii.ca 794 Paul E. Jones 795 Cisco Systems 797 Email: paulej@packetizer.com 799 Richard Barnes 800 Cisco Systems 802 Email: rlb@ipv.sx 804 Adam Roach 805 Mozilla 807 Email: adam@nostrum.com