idnits 2.17.1 

draft-lennox-avtcore-srtp-encrypted-header-ext-00.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

     No issues found here.

  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the IETF Trust and authors Copyright Line does not
     match the current year

  -- The document date (March 28, 2011) is 4778 days in the past.  Is this
     intentional?


  Checking references for intended status: Proposed Standard
  ----------------------------------------------------------------------------

     (See RFCs 3967 and 4897 for information about using normative references
     to lower-maturity documents in RFCs)

  ** Obsolete normative reference: RFC 5285 (Obsoleted by RFC 8285)

  == Outdated reference: A later version (-06) exists of
     draft-ietf-avtext-client-to-mixer-audio-level-01

  == Outdated reference: A later version (-06) exists of
     draft-ietf-avtext-mixer-to-client-audio-level-01


     Summary: 1 error (**), 0 flaws (~~), 3 warnings (==), 1 comment (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.

--------------------------------------------------------------------------------


2	AVTCORE                                                        J. Lennox
3	Internet-Draft                                                     Vidyo
4	Intended status: Standards Track                          March 28, 2011
5	Expires: September 29, 2011

7	   Encryption of Header Extensions in the Secure  Real-Time Transport
8	                            Protocol (SRTP)
9	           draft-lennox-avtcore-srtp-encrypted-header-ext-00

11	Abstract

13	   The Secure Real-Time Transport Protocol (SRTP) provides
14	   authentication, but not encryption, of the headers of Real-Time
15	   Transport Protocol (RTP) packets.  However, RTP header extensions may
16	   carry sensitive information for which participants in multimedia
17	   sessions want confidentiality.  This document provides a mechanism,
18	   extending the mechanisms of SRTP, to selectively encrypt RTP header
19	   extensions in SRTP.

21	Status of this Memo

23	   This Internet-Draft is submitted in full conformance with the
24	   provisions of BCP 78 and BCP 79.

26	   Internet-Drafts are working documents of the Internet Engineering
27	   Task Force (IETF).  Note that other groups may also distribute
28	   working documents as Internet-Drafts.  The list of current Internet-
29	   Drafts is at http://datatracker.ietf.org/drafts/current/.

31	   Internet-Drafts are draft documents valid for a maximum of six months
32	   and may be updated, replaced, or obsoleted by other documents at any
33	   time.  It is inappropriate to use Internet-Drafts as reference
34	   material or to cite them other than as "work in progress."

36	   This Internet-Draft will expire on September 29, 2011.

38	Copyright Notice

40	   Copyright (c) 2011 IETF Trust and the persons identified as the
41	   document authors.  All rights reserved.

43	   This document is subject to BCP 78 and the IETF Trust's Legal
44	   Provisions Relating to IETF Documents
45	   (http://trustee.ietf.org/license-info) in effect on the date of
46	   publication of this document.  Please review these documents
47	   carefully, as they describe your rights and restrictions with respect
48	   to this document.  Code Components extracted from this document must
49	   include Simplified BSD License text as described in Section 4.e of
50	   the Trust Legal Provisions and are provided without warranty as
51	   described in the Simplified BSD License.

53	Table of Contents

55	   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . . . 3
56	   2.  Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . 3
57	   3.  Encryption Mechanism  . . . . . . . . . . . . . . . . . . . . . 3
58	     3.1.  Example Encryption Mask . . . . . . . . . . . . . . . . . . 5
59	   4.  Signaling (Setup) Information . . . . . . . . . . . . . . . . . 6
60	   5.  Security Considerations . . . . . . . . . . . . . . . . . . . . 6
61	   6.  IANA Considerations . . . . . . . . . . . . . . . . . . . . . . 7
62	   7.  References  . . . . . . . . . . . . . . . . . . . . . . . . . . 7
63	     7.1.  Normative References  . . . . . . . . . . . . . . . . . . . 7
64	     7.2.  Informative References  . . . . . . . . . . . . . . . . . . 7
65	   Appendix A.  Test Vectors . . . . . . . . . . . . . . . . . . . . . 8
66	   Appendix B.  Changes From Earlier Versions  . . . . . . . . . . . . 8
67	     B.1.  Changes from draft-lennox-avt -02 . . . . . . . . . . . . . 8
68	     B.2.  Changes From Individual Submission Draft -01  . . . . . . . 8
69	     B.3.  Changes From Individual Submission Draft -00  . . . . . . . 8
70	   Author's Address  . . . . . . . . . . . . . . . . . . . . . . . . . 8

72	1.  Introduction

74	   The Secure Real-Time Transport Protocol [RFC3711] specification
75	   provides confidentiality, message authentication, and replay
76	   protection for multimedia payloads sent using of the Real-Time
77	   Protocol (RTP) [RFC3550].  However, in order to preserve RTP header
78	   compression efficiency, SRTP provides only authentication and replay
79	   protection for the headers of RTP packets, not confidentiality.

81	   For the standard portions of an RTP header, this does not normally
82	   present a problem, as the information carried in an RTP header does
83	   not provide much information beyond that which an attacker could
84	   infer by observing the size and timing of RTP packets.  Thus, there
85	   is little need for confidentiality of the header information.

87	   However, this is not necessarily true for information carried in RTP
88	   header extensions.  A number of recent proposals for header
89	   extensions using the General Mechanism for RTP Header Extensions
90	   [RFC5285] carry information for which confidentiality could be
91	   desired or essential.  Notably, two recent drafts
92	   ([I-D.ietf-avtext-client-to-mixer-audio-level] and
93	   [I-D.ietf-avtext-mixer-to-client-audio-level]) carry information
94	   about per-packet sound levels of the media data carried in the RTP
95	   payload, and exposing this to an eavesdropper may be unacceptable in
96	   many circumstances.

98	   This document, therefore, defines a mechanism by which encryption can
99	   be applied to RTP header extensions when they are transported using
100	   SRTP.  As an RTP sender may wish some extension information to be
101	   sent in the clear (for example, it may be useful for a network
102	   monitoring device to be aware of RTP transmission time offsets
103	   [RFC5450]), this mechanism can be selectively applied to a subset of
104	   the header extension elements carried in an SRTP packet.

106	2.  Terminology

108	   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
109	   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
110	   document are to be interpreted as described in RFC 2119 [RFC2119] and
111	   indicate requirement levels for compliant implementations.

113	3.  Encryption Mechanism

115	   Encrypted header extension elements are carried in the same manner as
116	   non-encrypted header extension elements, as defined by [RFC5285].
117	   The (one- or two-byte) header of the extension elements is not
118	   encrypted, nor is any of the header extension padding.  If multiple
119	   different header extension elements are being encrypted, they have
120	   separate element identifier values, just as they would if they were
121	   not encrypted; similarly, encrypted and non-encrypted header
122	   extension elements have separate identifier values.

124	   To encrypt (or decrypt) an encrypted extension header, an SRTP
125	   participant first generates a keystream for the SRTP extension
126	   header.  This keystream is generated in the same manner as the
127	   encryption keystream for the corresponding SRTP payload, except the
128	   the SRTP encryption and salting keys k_e and k_s are replaced by the
129	   keys k_he and k_hs, respectively.  The keys k_he and k_hs are
130	   computed in the same manner as k_e and k_s, except that the <label>
131	   values used are 0x06 for k_he and and 0x07 for k_hs.  (Note that
132	   since RTP headers, including extension headers, are authenticated in
133	   SRTP, no new authentication key is needed for extension headers.)

135	   The SRTP participant then computes an encryption mask for the header
136	   extension, identifying the portions of the header extension that are,
137	   or are to be, encrypted.  This encryption mask corresponds to the
138	   entire payload of each header extension element that is encrypted.
139	   It does not include any non-encrypted header extension elements, any
140	   extension element headers, or any padding octets.  The encryption
141	   mask has all-bits-1 octets (i.e., hexadecimal 0xff) for header
142	   extension octets which are to be encrypted, and all-bits-0 octets for
143	   header extension octets which are not to be.

145	   For those octets indicated in the encryption mask, the SRTP
146	   participant bitwise exclusive-ors the header extension with the
147	   keystream to produce the ciphertext version of the header extension.
148	   Those octets not indicated in the encryption mask are left
149	   unmodified.  Thus, conceptually, the encryption mask is logically
150	   ANDed with the keystream to produce a masked keystream.  The sender
151	   and receiver MUST use the same encryption mask.  The set of extension
152	   elements to be encrypted is communicated between the sender and the
153	   receiver using the signaling mechanisms described in Section 4.

155	   The SRTP authentication tag is computed across the encrypted header
156	   extension, i.e., the data that is actually transmitted on the wire.
157	   Thus, header extension encryption MUST be done before the
158	   authentication tag is computed, and authentication tag validation
159	   MUST be done on the encrypted header extensions.  For receivers,
160	   header extension decryption SHOULD be done only after the receiver
161	   has validated the packet's message authentication tag.

163	3.1.  Example Encryption Mask

165	   If a sender wished to send a header extension containing an encrypted
166	   SMPTE timecode [RFC5484] with ID 1, a plaintext transmission time
167	   offset [RFC5450] with ID 2, and an encrypted audio level indication
168	   [I-D.ietf-avtext-client-to-mixer-audio-level] with ID 3, the
169	   plaintext RTP header extension might look like this:

171	    0                   1                   2                   3
172	    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
173	   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
174	   |  ID=1 | len=15|     SMTPE timecode (long form)                |
175	   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
176	   |       SMTPE timecode (continued)                              |
177	   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
178	   |       SMTPE timecode (continued)                              |
179	   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
180	   |       SMTPE timecode (continued)                              |
181	   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
182	   | SMTPE (cont'd)|  ID=2 | len=2 | toffset                       |
183	   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
184	   | toffset (ct'd)|  ID=3 | len=0 | audio level   | padding = 0   |
185	   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

187	                                 Figure 1

189	   The corresponding encryption mask would then be:

191	    0                   1                   2                   3
192	    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
193	   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
194	   |0 0 0 0 0 0 0 0|1 1 1 1 1 1 1 1|1 1 1 1 1 1 1 1|1 1 1 1 1 1 1 1|
195	   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
196	   |1 1 1 1 1 1 1 1|1 1 1 1 1 1 1 1|1 1 1 1 1 1 1 1|1 1 1 1 1 1 1 1|
197	   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
198	   |1 1 1 1 1 1 1 1|1 1 1 1 1 1 1 1|1 1 1 1 1 1 1 1|1 1 1 1 1 1 1 1|
199	   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
200	   |1 1 1 1 1 1 1 1|1 1 1 1 1 1 1 1|1 1 1 1 1 1 1 1|1 1 1 1 1 1 1 1|
201	   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
202	   |1 1 1 1 1 1 1 1|0 0 0 0 0 0 0 0|0 0 0 0 0 0 0 0|0 0 0 0 0 0 0 0|
203	   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
204	   |0 0 0 0 0 0 0 0|0 0 0 0 0 0 0 0|1 1 1 1 1 1 1 1|0 0 0 0 0 0 0 0|
205	   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

207	                                 Figure 2

209	   In the mask, the octets corresponding to the payloads of the
210	   encrypted header extension elements are set to all-1 values, and
211	   octets corresponding to non-encrypted elements, element headers, and
212	   header extension padding are set to all-0 values.

214	4.  Signaling (Setup) Information

216	   Encrypted header extension elements are signaled in the SDP extmap
217	   attribute, using the URI "urn:ietf:params:rtp-hdrext:encrypt",
218	   followed by the URI of the header extension element being encrypted
219	   as well as any extensionattributes that extension normally takes.
220	   Thus, for example, to signal an SRTP session using encrypted SMPTE
221	   timecodes [RFC5484], while simultaneously signaling plaintext
222	   transmission time offsets [RFC5450], an SDP document could contain
223	   (line breaks added for formatting):

225	   m=audio 49170 RTP/SAVP 0
226	   a=crypto:1 AES_CM_128_HMAC_SHA1_32 \
227	     inline:NzB4d1BINUAvLEw6UzF3WSJ+PSdFcGdUJShpX1Zj|2^20|1:32
228	   a=extmap:1 urn:ietf:params:rtp-hdrext:encrypt \
229	       urn:ietf:params:rtp-hdrext:smpte-tc 25@600/24
230	   a=extmap:2 urn:ietf:params:rtp-hdrext:toffset

232	                                 Figure 3

234	   This example uses SDP Security Descriptions [RFC4568] for SRTP
235	   keying, but this is merely for illustration; any SRTP keying
236	   mechanism to establish session keys will work.

238	5.  Security Considerations

240	   The security properties of header extension elements protected by the
241	   mechanism in this document are equivalent to those for SRTP payloads.

243	   The mechanism defined in this document does not provide
244	   confidentiality about which header extension elements are used for a
245	   given SRTP packet, only for the content of those header extension
246	   elements.  This appears to be in the spirit of SRTP itself, which
247	   does not encrypt RTP headers.  If this is a concern, an alternate
248	   mechanism would be needed to provide confidentiality.

250	   This document does not specify the circumstances in which extension
251	   header encryption should be used.  Documents defining specific header
252	   extension elements should provide guidance on when encryption is
253	   appropriate for these elements.

255	6.  IANA Considerations

257	   This document defines a new extension URI to the RTP Compact Header
258	   Extensions subregistry of the Real-Time Transport Protocol (RTP)
259	   Parameters registry, according to the following data:

261	   Extension URI:  urn:ietf:params:rtp-hdrext:encrypt
262	   Description:  Encrypted extension header element
263	   Contact:  jonathan@vidyo.com
264	   Reference:  RFC XXXX

266	   (Note to the RFC-Editor: please replace "XXXX" with the number of
267	   this document prior to publication as an RFC.)

269	7.  References

271	7.1.  Normative References

273	   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
274	              Requirement Levels", BCP 14, RFC 2119, March 1997.

276	   [RFC3550]  Schulzrinne, H., Casner, S., Frederick, R., and V.
277	              Jacobson, "RTP: A Transport Protocol for Real-Time
278	              Applications", STD 64, RFC 3550, July 2003.

280	   [RFC3711]  Baugher, M., McGrew, D., Naslund, M., Carrara, E., and K.
281	              Norrman, "The Secure Real-time Transport Protocol (SRTP)",
282	              RFC 3711, March 2004.

284	   [RFC5285]  Singer, D. and H. Desineni, "A General Mechanism for RTP
285	              Header Extensions", RFC 5285, July 2008.

287	7.2.  Informative References

289	   [I-D.ietf-avtext-client-to-mixer-audio-level]
290	              Lennox, J., Ivov, E., and E. Marocco, "A Real-Time
291	              Transport Protocol (RTP) Header Extension for Client-to-
292	              Mixer Audio Level Indication",
293	              draft-ietf-avtext-client-to-mixer-audio-level-01 (work in
294	              progress), March 2011.

296	   [I-D.ietf-avtext-mixer-to-client-audio-level]
297	              Ivov, E., Marocco, E., and J. Lennox, "A Real-Time
298	              Transport Protocol (RTP) Header Extension for Mixer-to-
299	              Client Audio Level Indication",
300	              draft-ietf-avtext-mixer-to-client-audio-level-01 (work in
301	              progress), March 2011.

303	   [RFC4568]  Andreasen, F., Baugher, M., and D. Wing, "Session
304	              Description Protocol (SDP) Security Descriptions for Media
305	              Streams", RFC 4568, July 2006.

307	   [RFC5450]  Singer, D. and H. Desineni, "Transmission Time Offsets in
308	              RTP Streams", RFC 5450, March 2009.

310	   [RFC5484]  Singer, D., "Associating Time-Codes with RTP Streams",
311	              RFC 5484, March 2009.

313	Appendix A.  Test Vectors

315	   TODO

317	Appendix B.  Changes From Earlier Versions

319	   Note to the RFC-Editor: please remove this section prior to
320	   publication as an RFC.

322	B.1.  Changes from draft-lennox-avt -02

324	   o  Retargeted at AVTCORE working group.
325	   o  Updated references.

327	B.2.  Changes From Individual Submission Draft -01

329	   o  Minor editorial changes.

331	B.3.  Changes From Individual Submission Draft -00

333	   o  Clarified description of encryption mask creation.
334	   o  Added example encryption mask.
335	   o  Editorial changes.

337	Author's Address

339	   Jonathan Lennox
340	   Vidyo, Inc.
341	   433 Hackensack Avenue
342	   Sixth Floor
343	   Hackensack, NJ  07601
344	   US

346	   Email: jonathan@vidyo.com