idnits 2.17.1 

draft-lennox-avt-srtp-encrypted-extension-headers-01.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

  ** You're using the IETF Trust Provisions' Section 6.b License Notice from
     12 Sep 2009 rather than the newer Notice from 28 Dec 2009.  (See
     https://trustee.ietf.org/license-info/)


  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

     No issues found here.

  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the IETF Trust and authors Copyright Line does not
     match the current year

  -- The document date (March 8, 2010) is 5161 days in the past.  Is this
     intentional?


  Checking references for intended status: Proposed Standard
  ----------------------------------------------------------------------------

     (See RFCs 3967 and 4897 for information about using normative references
     to lower-maturity documents in RFCs)

  ** Obsolete normative reference: RFC 5285 (Obsoleted by RFC 8285)

  == Outdated reference: A later version (-04) exists of
     draft-ivov-avt-slic-02

  == Outdated reference: A later version (-02) exists of
     draft-lennox-avt-rtp-audio-level-exthdr-01


     Summary: 2 errors (**), 0 flaws (~~), 3 warnings (==), 1 comment (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.

--------------------------------------------------------------------------------


2	MMUSIC                                                         J. Lennox
3	Internet-Draft                                                     Vidyo
4	Intended status: Standards Track                           March 8, 2010
5	Expires: September 9, 2010

7	   Encryption of Header Extensions in the Secure  Real-Time Transport
8	                            Protocol (SRTP)
9	          draft-lennox-avt-srtp-encrypted-extension-headers-01

11	Abstract

13	   The Secure Real-Time Transport Protocol (SRTP) provides
14	   authentication, but not encryption, of the headers of Real-Time
15	   Transport Protocol (RTP) packets.  However, RTP header extensions may
16	   carry sensitive information for which participants in multimedia
17	   sessions want confidentiality.  This document provides a mechanism,
18	   extending the mechanisms of SRTP, to selectively encrypt RTP header
19	   extensions in SRTP.

21	Status of this Memo

23	   This Internet-Draft is submitted to IETF in full conformance with the
24	   provisions of BCP 78 and BCP 79.

26	   Internet-Drafts are working documents of the Internet Engineering
27	   Task Force (IETF), its areas, and its working groups.  Note that
28	   other groups may also distribute working documents as Internet-
29	   Drafts.

31	   Internet-Drafts are draft documents valid for a maximum of six months
32	   and may be updated, replaced, or obsoleted by other documents at any
33	   time.  It is inappropriate to use Internet-Drafts as reference
34	   material or to cite them other than as "work in progress."

36	   The list of current Internet-Drafts can be accessed at
37	   http://www.ietf.org/ietf/1id-abstracts.txt.

39	   The list of Internet-Draft Shadow Directories can be accessed at
40	   http://www.ietf.org/shadow.html.

42	   This Internet-Draft will expire on September 9, 2010.

44	Copyright Notice

46	   Copyright (c) 2010 IETF Trust and the persons identified as the
47	   document authors.  All rights reserved.

49	   This document is subject to BCP 78 and the IETF Trust's Legal
50	   Provisions Relating to IETF Documents
51	   (http://trustee.ietf.org/license-info) in effect on the date of
52	   publication of this document.  Please review these documents
53	   carefully, as they describe your rights and restrictions with respect
54	   to this document.  Code Components extracted from this document must
55	   include Simplified BSD License text as described in Section 4.e of
56	   the Trust Legal Provisions and are provided without warranty as
57	   described in the BSD License.

59	Table of Contents

61	   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . . . 3
62	   2.  Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . 3
63	   3.  Encryption Mechanism  . . . . . . . . . . . . . . . . . . . . . 3
64	     3.1.  Example Encryption Mask . . . . . . . . . . . . . . . . . . 4
65	   4.  Signaling (Setup) Information . . . . . . . . . . . . . . . . . 6
66	   5.  Security Considerations . . . . . . . . . . . . . . . . . . . . 6
67	   6.  IANA Considerations . . . . . . . . . . . . . . . . . . . . . . 6
68	   7.  References  . . . . . . . . . . . . . . . . . . . . . . . . . . 7
69	     7.1.  Normative References  . . . . . . . . . . . . . . . . . . . 7
70	     7.2.  Informative References  . . . . . . . . . . . . . . . . . . 7
71	   Appendix A.  Test Vectors . . . . . . . . . . . . . . . . . . . . . 8
72	   Author's Address  . . . . . . . . . . . . . . . . . . . . . . . . . 8

74	1.  Introduction

76	   The Secure Real-Time Transport Protocol [RFC3711] specification
77	   provides confidentiality, message authentication, and replay
78	   protection for multimedia payloads sent using of the Real-Time
79	   Protocol (RTP) [RFC3550].  However, in order to preserve RTP header
80	   compression efficiency, SRTP provides only authentication and replay
81	   protection for the headers of RTP packets, not confidentiality.

83	   For the standard portions of an RTP header, this does not normally
84	   present a problem, as the information carried in an RTP header does
85	   not provide much information beyond that which an attacker could
86	   infer by observing the size and timing of RTP packets.  Thus, there
87	   is little need for confidentiality of the header information.

89	   However, this is not necessarily true for information carried in RTP
90	   header extensions.  A number of recent proposals for header
91	   extensions using the General Mechanism for RTP Header Extensions
92	   [RFC5285] carry information for which confidentiality could be
93	   desired or essential.  Notably, two recent drafts
94	   ([I-D.lennox-avt-rtp-audio-level-exthdr] and [I-D.ivov-avt-slic])
95	   carry information about per-packet sound levels of the media data
96	   carried in the RTP payload, and exposing this to an eavesdropper may
97	   be unacceptable in many circumstances.

99	   This document, therefore, defines a mechanism by which encryption can
100	   be applied to RTP header extensions when they are transported using
101	   SRTP.  As an RTP sender may wish some extension information to be
102	   sent in the clear (for example, it may be useful for a network
103	   monitoring device to be aware of RTP transmission time offsets
104	   [RFC5450]), this mechanism can be selectively applied to a subset of
105	   the header extension elements carried in an SRTP packet.

107	2.  Terminology

109	   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
110	   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
111	   document are to be interpreted as described in RFC 2119 [RFC2119] and
112	   indicate requirement levels for compliant implementations.

114	3.  Encryption Mechanism

116	   Encrypted header extension elements are carried in the same manner as
117	   non-encrypted header extension elements, as defined by [RFC5285].
118	   The (one- or two-byte) header of the extension elements is not
119	   encrypted, nor is any of the header extension padding.  If multiple
120	   different header extension elements are being encrypted, they have
121	   separate element identifier values, just as they would if they were
122	   not encrypted; similarly, encrypted and non-encrypted header
123	   extension elements have separate identifier values.

125	   To encrypt (or decrypt) an encrypted extension header, an SRTP
126	   participant first generates a keystream for the SRTP extension
127	   header.  This keystream is generated in the same manner as the
128	   encryption keystream for the corersponding SRTP payload, except the
129	   the SRTP encryption and salting keys k_e and k_s are replaced by the
130	   keys k_he and k_hs, respectively.  The keys k_he and k_hs are
131	   computed in the same manner as k_e and k_s, except that the <label>
132	   values used are 0x06 for k_he and and 0x07 for k_hs.  (Note that
133	   since RTP headers, including extension headers, are authenticated in
134	   SRTP, no new authentication key is needed for extension headers.

136	   The SRTP participant then computes an encryption mask for the header
137	   extension, identifying the portions of the header extension that are,
138	   or are to be, encrypted.  This encryption mask corresponds to the
139	   entire payload of each header extension element that is encrypted.
140	   It does not include any non-encrypted header extension elements, any
141	   extension element headers, or any padding octets.  The encryption
142	   mask has all-bits-1 octets (i.e., hexidecimal 0xff) for octets which
143	   are to be encrypted, and all-bits-0 for octets which are not to be.

145	   For those octets indicated in the encryption mask, the SRTP
146	   participant bitwise exclusive-ors the header extension with the
147	   keystream to produce the ciphertext version of the header extension.
148	   Those octets not indicated in the encryption mask are left
149	   unmodified.  Thus, conceptually, the encryption mask is logically
150	   ANDed with the keystream to produce a masked keystream.  The sender
151	   and receiver MUST use the same encryption mask.  The set of extension
152	   elements to be encrypted is communicated between the sender and the
153	   receiver using the signaling mechanisms described in Section 4.

155	   The SRTP authentication tag is computed across the encrypted header
156	   extension, i.e., the data that is actually transmitted on the wire.
157	   Thus, header extension encryption MUST be done before the
158	   authentication tag is computed, and authentication tag validation
159	   MUST be done on the encrypted header extensions.  For receivers,
160	   header extension decryption SHOULD be done only after the receiver
161	   has validated the packet's message authentication tag.

163	3.1.  Example Encryption Mask

165	   If a sender wished to send a header extension containing an encrypted
166	   SMPTE timecode [RFC5484] with ID 1, a plaintext transmission time
167	   offset [RFC5450] with ID 2, and an audio level indication

169	   [I-D.lennox-avt-rtp-audio-level-exthdr] with ID 3, the plaintext RTP
170	   header extension might look like this:

172	    0                   1                   2                   3
173	    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
174	   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
175	   |  ID=1 | len=15|     SMTPE timecode (long form)                |
176	   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
177	   |       SMTPE timecode (continued)                              |
178	   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
179	   |       SMTPE timecode (continued)                              |
180	   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
181	   |       SMTPE timecode (continued)                              |
182	   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
183	   | SMTPE (cont'd)|  ID=2 | len=2 | toffset                       |
184	   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
185	   | toffset (ct'd)|  ID=3 | len=0 | audio level   | padding = 0   |
186	   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

188	                                 Figure 1

190	   The corresponding encryption mask would then be:

192	    0                   1                   2                   3
193	    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
194	   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
195	   |0 0 0 0 0 0 0 0|1 1 1 1 1 1 1 1|1 1 1 1 1 1 1 1|1 1 1 1 1 1 1 1|
196	   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
197	   |1 1 1 1 1 1 1 1|1 1 1 1 1 1 1 1|1 1 1 1 1 1 1 1|1 1 1 1 1 1 1 1|
198	   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
199	   |1 1 1 1 1 1 1 1|1 1 1 1 1 1 1 1|1 1 1 1 1 1 1 1|1 1 1 1 1 1 1 1|
200	   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
201	   |1 1 1 1 1 1 1 1|1 1 1 1 1 1 1 1|1 1 1 1 1 1 1 1|1 1 1 1 1 1 1 1|
202	   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
203	   |1 1 1 1 1 1 1 1|0 0 0 0 0 0 0 0|0 0 0 0 0 0 0 0|0 0 0 0 0 0 0 0|
204	   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
205	   |0 0 0 0 0 0 0 0|0 0 0 0 0 0 0 0|1 1 1 1 1 1 1 1|0 0 0 0 0 0 0 0|
206	   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

208	                                 Figure 2

210	   In the mask, the octets corresponding to the payloads of the
211	   encrypted header extension elements are set to all-1 values, and
212	   octets corresponding to non-encrypted elements, element headers, and
213	   header extension padding are set to all-0 values.

215	4.  Signaling (Setup) Information

217	   Encrypted header extension elements are signaled in the SDP extmap
218	   attribute, using the URI "urn:ietf:params:rtp-hdrext:encrypt",
219	   followed by the URI of the header extension element being encrypted
220	   as well as any extensionattributes that extension normally takes.
221	   Thus, for example, to signal an SRTP session using encrypted SMPTE
222	   timecodes [RFC5484], while simultaneously signaling plaintext
223	   transmission time offsets [RFC5450], an SDP document could contain
224	   (linebreaks added for formatting):

226	   m=audio 49170 RTP/SAVP 0
227	   a=crypto:1 AES_CM_128_HMAC_SHA1_32 \
228	     inline:NzB4d1BINUAvLEw6UzF3WSJ+PSdFcGdUJShpX1Zj|2^20|1:32
229	   a=extmap:1 urn:ietf:params:rtp-hdrext:encrypt \
230	       urn:ietf:params:rtp-hdrext:smpte-tc 25@600/24
231	   a=extmap:2 urn:ietf:params:rtp-hdrext:toffset

233	                                 Figure 3

235	   This example uses SDP Security Descriptions [RFC4568] for SRTP
236	   keying, but this is merely for illustration; any SRTP keying
237	   mechanism to establish session keys will work.

239	5.  Security Considerations

241	   The security properties of header extension elements protected by the
242	   mechanism in this document are equivalent to those for SRTP payloads.

244	   The mechanism defined in this document does not provide
245	   confidentiality about which header extension elements are used for a
246	   given SRTP packet, only for the content of those header extension
247	   elements.  This appears to be in the spirit of SRTP itself, which
248	   does not encrypt RTP headers.  If this is a concern, an alternate
249	   mechanism would be needed to provide confidentiality.

251	   This document does not specify the circumstances in which extension
252	   header encryption should be used.  Documents defining specific
253	   extension header elements should provide guidance on when encryption
254	   is appropriate for these elements.

256	6.  IANA Considerations

258	   This document defines a new extension URI to the RTP Compact Header
259	   Extensions subregistry of the Real-Time Transport Protocol (RTP)
260	   Parameters registry, according to the following data:

262	   Extension URI:  urn:ietf:params:rtp-hdrext:encrypt
263	   Description:  Encrypted extension header element
264	   Contact:  jonathan@vidyo.com
265	   Reference:  RFC XXXX

267	   (Note to the RFC-Editor: please replace "XXXX" with the number of
268	   this document prior to publication as an RFC.)

270	7.  References

272	7.1.  Normative References

274	   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
275	              Requirement Levels", BCP 14, RFC 2119, March 1997.

277	   [RFC3550]  Schulzrinne, H., Casner, S., Frederick, R., and V.
278	              Jacobson, "RTP: A Transport Protocol for Real-Time
279	              Applications", STD 64, RFC 3550, July 2003.

281	   [RFC3711]  Baugher, M., McGrew, D., Naslund, M., Carrara, E., and K.
282	              Norrman, "The Secure Real-time Transport Protocol (SRTP)",
283	              RFC 3711, March 2004.

285	   [RFC5285]  Singer, D. and H. Desineni, "A General Mechanism for RTP
286	              Header Extensions", RFC 5285, July 2008.

288	7.2.  Informative References

290	   [I-D.ivov-avt-slic]
291	              Ivov, E. and E. Marocco, "A Real-Time Transport Protocol
292	              (RTP) Extension Header for Mixer-to- client Audio Level
293	              Indication", draft-ivov-avt-slic-02 (work in progress),
294	              October 2009.

296	   [I-D.lennox-avt-rtp-audio-level-exthdr]
297	              Lennox, J., "A Real-Time Transport Protocol (RTP) Header
298	              Extension for Client-to- Mixer Audio Level Indication",
299	              draft-lennox-avt-rtp-audio-level-exthdr-01 (work in
300	              progress), October 2009.

302	   [RFC4568]  Andreasen, F., Baugher, M., and D. Wing, "Session
303	              Description Protocol (SDP) Security Descriptions for Media
304	              Streams", RFC 4568, July 2006.

306	   [RFC5450]  Singer, D. and H. Desineni, "Transmission Time Offsets in
307	              RTP Streams", RFC 5450, March 2009.

309	   [RFC5484]  Singer, D., "Associating Time-Codes with RTP Streams",
310	              RFC 5484, March 2009.

312	Appendix A.  Test Vectors

314	   TODO

316	Author's Address

318	   Jonathan Lennox
319	   Vidyo, Inc.
320	   433 Hackensack Avenue
321	   Sixth Floor
322	   Hackensack, NJ  07601
323	   US

325	   Email: jonathan@vidyo.com