Network Working Group                                          D. McGrew
Internet-Draft                                       Cisco Systems, Inc.
Intended status: Standards Track                           March 5, 2009
Expires: September 6, 2009

             The use of AES-192 and AES-256 in Secure RTP
                    draft-mcgrew-srtp-big-aes-01.txt

Status of this Memo

   This Internet-Draft is submitted to IETF in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as
   Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   This Internet-Draft will expire on September 6, 2009.

Copyright Notice

   Copyright (c) 2009 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents in effect on the date of
   publication of this document (http://trustee.ietf.org/license-info).
   Please review these documents carefully, as they describe your rights
   and restrictions with respect to this document.

Abstract

   This memo describes the use of the Advanced Encryption Standard (AES)
   with 192 and 256 bit keys within the Secure RTP protocol.  It defines
   Counter Mode encryption for SRTP and SRTCP and a new SRTP Key
   Derivation Function (KDF) for AES-192 and AES-256.

Table of Contents

   1.  Introduction
     1.1.  Conventions Used In This Document
   2.  AES-192 and AES-256 Encryption
   3.  The AES_CM_192_PRF and AES_CM_256_PRF Key Derivation Functions
     3.1.  Usage Requirements
   4.  Test Cases
   5.  Crypto Suites
   6.  IANA Considerations
   7.  Security Considerations
   8.  Open Questions
   9.  Acknowledgements
   10.  References
     10.1.  Normative References
     10.2.  Informative References
   Author's Address

1.  Introduction

   This memo describes the use of the Advanced Encryption Standard (AES)
   [FIPS197] with 192 and 256 bit keys within the Secure RTP protocol
   [RFC3711].  Below, those block ciphers are referred to as AES-192 and
   AES-256, respectively, and the use of AES with a 128 bit key is
   referred to as AES-128.  This document defines Counter Mode
   encryption for SRTP and SRTCP and a new SRTP Key Derivation Function
   for AES-192 and AES-256.  It also defines new cryptosuites that use
   these new functions.

   While AES-128 is widely regarded as more than adequately secure, some
   users may be motivated to adopt AES-192 or AES-256.  One motivation
   is conformance to the Suite B profile (which requires AES-256 for the
   protection of TOP SECRET information) [suiteB].  Others may be
   motivated by a perceived need to pursue a highly conservative
   security strategy; see Section 7 for more discussion of security
   issues.

   The crypto functions defined in this document are an addition to, and
   not a replacement for, the crypto functions defined in [RFC3711].

1.1.  Conventions Used In This Document

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].

2.  AES-192 and AES-256 Encryption

   Section 4.1.1 of [RFC3711] defines AES-128 counter mode encryption,
   which it refers to as AES_CM.  AES-192 counter mode and AES-256
   counter mode are defined in a similar manner, and are denoted as
   AES_192_CM and AES_256_CM respectively.  In both of these ciphers,
   the plaintext inputs to the block cipher are formed as in AES_CM, and
   the block cipher outputs are processed as in AES_CM.  The only
   difference in the processing is that AES_192_CM uses AES-192, and
   AES_256_CM uses AES-256.  Both AES_192_CM and AES_256_CM use a
   112-bit salt as an input, as does AES_CM.

   For the convenience of the reader, the structure of the counter
   blocks in SRTP counter mode encryption is illustrated in Figure 1,
   using the terminology from Section 4.1.1 of [RFC3711].  In this
   diagram, the symbol (+) denotes the bitwise exclusive-or operation,
   and the AES encrypt operation uses AES-128, AES-192, or AES-256 for
   AES_CM, AES_192_CM, and AES_256_CM, respectively.  The field labeled
   b_c contains a block counter, the value of which increments once for
   each invocation of the "AES Encrypt" function.
   one octet
     <-->
      0  1  2  3  4  5  6  7  8  9 10 11 12 13 14 15
     +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
     |00|00|00|00|   SSRC    |  packet index   | b_c |---+
     +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+   |
                                                         |
     +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+   v
     |               salt (k_s)                |00|00|->(+)
     +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+   |
                                                         |
                                                         v
                                                  +-------------+
                          encryption key (k_e) -> | AES encrypt |
                                                  +-------------+
                                                         |
     +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+   |
     |                keystream block                |<--+
     +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+

                      Figure 1: AES Counter Mode.

3.  The AES_CM_192_PRF and AES_CM_256_PRF Key Derivation Functions

   Section 4.3.3 of [RFC3711] defines the AES-128 counter mode key
   derivation function, which it refers to as "AES-CM PRF".  (That
   specification uses the term PRF, or pseudo-random function,
   interchangeably with the term "key derivation function".)  The
   AES-192 counter mode PRF and AES-256 counter mode PRF are defined in
   a similar manner, and are denoted as AES_192_CM_PRF and
   AES_256_CM_PRF respectively.  In both of these PRFs, the plaintext
   inputs to the block cipher are formed as in the AES-CM PRF, and the
   block cipher outputs are processed as in the AES-CM PRF.  The only
   difference in the processing is that AES_192_CM_PRF uses AES-192, and
   AES_256_CM_PRF uses AES-256.  Both AES_192_CM_PRF and AES_256_CM_PRF
   use a 112-bit salt as an input, as does the AES-CM PRF.

   For the convenience of the reader, the structure of the counter
   blocks in SRTP counter mode key derivation is illustrated in
   Figure 2, using the terminology from Section 4.3.3 of [RFC3711].  In
   this diagram, the symbol (+) denotes the bitwise exclusive-or
   operation, and the "AES Encrypt" operation uses AES-128, AES-192, or
   AES-256 for the "AES-CM PRF", AES_192_CM_PRF, and AES_256_CM_PRF,
   respectively.  The field "LB" contains the 8-bit constant "label"
   which is provided as an input to the key derivation function (and
   which is distinct for each key generated by that function).  The
   field labeled b_c contains a block counter, the value of which
   increments once for each invocation of the "AES Encrypt" function.

   one octet
     <-->
      0  1  2  3  4  5  6  7  8  9 10 11 12 13 14 15
     +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
     |00|00|00|00|00|00|00|LB|  index DIV kdr  | b_c |---+
     +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+   |
                                                         |
     +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+   v
     |               master salt               |00|00|->(+)
     +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+   |
                                                         |
                                                         v
                                                  +-------------+
                                    master key -> | AES encrypt |
                                                  +-------------+
                                                         |
     +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+   |
     |                 output block                  |<--+
     +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+

          Figure 2: The AES counter mode Key Derivation Function

3.1.  Usage Requirements

   When AES_192_CM is used for encryption, AES_192_CM SHOULD be used as
   the key derivation function, and AES_128_CM MUST NOT be used as the
   key derivation function.

   When AES_256_CM is used for encryption, AES_256_CM SHOULD be used as
   the key derivation function.  Both AES_128_CM and AES_192_CM MUST NOT
   be used as the key derivation function.

   Rationale: it is essential that the cryptographic strength of the
   key derivation meets or exceeds that of the encryption method.  It
   is natural to use the same function for both encryption and key
   derivation.  However, it is not required to do so because it is
   desirable to allow these ciphers to be used with alternative key
   derivation functions that may be defined in the future.

4.  Test Cases

   In a future version of this document, this section will provide test
   cases that can be used to validate implementations.
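Since Section 4 does not yet contain test cases, the following is an added example, written for this page and not part of the draft or of any SRTP implementation, that builds the counter blocks of Figures 1 and 2, generates the AES_CM / AES_192_CM / AES_256_CM keystream of Section 2, derives keys with the AES-CM PRF family of Section 3, and applies the key-size rule of Section 3.1, in Go using only the standard library. The function names (srtpCounterBlock, kdfCounterBlock, aesCMKeystream, srtpCMCrypt, srtpKDF, kdfAllowed) and the key material in main are my own constructions; the values the example is checked against are the AES-128 vectors of RFC 3711 Appendix B, which the new ciphers reproduce exactly when given a 16-octet key.

```go
package main

import (
	"crypto/aes"
	"encoding/binary"
	"encoding/hex"
	"fmt"
)

const saltLen = 14 // the 112-bit salt shared by AES_CM, AES_192_CM and AES_256_CM

// srtpCounterBlock lays out the Figure 1 counter block: four zero octets, the
// 32-bit SSRC and the 48-bit packet index (ROC || SEQ), XORed with the 14-octet
// session salt k_s. Octets 14..15 (b_c) are set by aesCMKeystream.
func srtpCounterBlock(salt []byte, ssrc uint32, index uint64) [16]byte {
	var blk [16]byte
	binary.BigEndian.PutUint32(blk[4:8], ssrc)
	binary.BigEndian.PutUint16(blk[8:10], uint16(index>>32))
	binary.BigEndian.PutUint32(blk[10:14], uint32(index))
	for i := 0; i < saltLen; i++ {
		blk[i] ^= salt[i]
	}
	return blk
}

// kdfCounterBlock lays out the Figure 2 counter block: the 8-bit label in
// octet 7 and r = index DIV kdr in octets 8..13, XORed with the master salt.
func kdfCounterBlock(masterSalt []byte, label byte, r uint64) [16]byte {
	var blk [16]byte
	blk[7] = label
	binary.BigEndian.PutUint16(blk[8:10], uint16(r>>32))
	binary.BigEndian.PutUint32(blk[10:14], uint32(r))
	for i := 0; i < saltLen; i++ {
		blk[i] ^= masterSalt[i]
	}
	return blk
}

// aesCMKeystream returns n octets of counter-mode keystream. The key length
// (16, 24 or 32 octets) selects AES-128, AES-192 or AES-256, the only thing
// that differs between AES_CM, AES_192_CM and AES_256_CM; b_c runs 0, 1, 2...
func aesCMKeystream(key []byte, first [16]byte, n int) ([]byte, error) {
	if n > 65536*aes.BlockSize {
		return nil, fmt.Errorf("b_c is 16 bits: at most 2^16 blocks per counter block")
	}
	c, err := aes.NewCipher(key) // rejects every key size except 16/24/32 octets
	if err != nil {
		return nil, err
	}
	out := make([]byte, 0, n+aes.BlockSize)
	ctr := first
	var ks [aes.BlockSize]byte
	for bc := 0; len(out) < n; bc++ {
		binary.BigEndian.PutUint16(ctr[14:], uint16(bc))
		c.Encrypt(ks[:], ctr[:])
		out = append(out, ks[:]...)
	}
	return out[:n], nil
}

// srtpCMCrypt encrypts (and, applied again, decrypts) an RTP payload with
// AES_CM / AES_192_CM / AES_256_CM under session key k_e and salt k_s.
func srtpCMCrypt(ke, ks []byte, ssrc uint32, index uint64, payload []byte) ([]byte, error) {
	if len(ks) != saltLen {
		return nil, fmt.Errorf("session salt must be 112 bits, got %d", 8*len(ks))
	}
	stream, err := aesCMKeystream(ke, srtpCounterBlock(ks, ssrc, index), len(payload))
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(payload))
	for i := range payload {
		out[i] = payload[i] ^ stream[i]
	}
	return out, nil
}

// srtpKDF is the AES-CM PRF / AES_192_CM_PRF / AES_256_CM_PRF: n octets of
// keystream from the Figure 2 counter block under the master key.
func srtpKDF(masterKey, masterSalt []byte, label byte, r uint64, n int) ([]byte, error) {
	if len(masterSalt) != saltLen {
		return nil, fmt.Errorf("master salt must be 112 bits, got %d", 8*len(masterSalt))
	}
	return aesCMKeystream(masterKey, kdfCounterBlock(masterSalt, label, r), n)
}

// kdfAllowed is the MUST NOT of Section 3.1: the KDF's AES key is never
// shorter than the cipher's (no AES-128 or AES-192 KDF with AES_256_CM).
func kdfAllowed(kdfKeyLen, cipherKeyLen int) bool {
	return kdfKeyLen >= cipherKeyLen
}

func main() {
	// Constructed inputs (not from the draft): a 256-bit master key and a
	// 112-bit master salt; labels 0 and 2 are the cipher key and salt labels.
	mk, _ := hex.DecodeString("000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f")
	ms, _ := hex.DecodeString("f0f1f2f3f4f5f6f7f8f9fafbfcfd")
	ke, _ := srtpKDF(mk, ms, 0, 0, 32)
	ks, _ := srtpKDF(mk, ms, 2, 0, saltLen)
	ct, err := srtpCMCrypt(ke, ks, 0xdeadbeef, 0x1234, []byte("constructed RTP payload"))
	if err != nil {
		panic(err)
	}
	fmt.Printf("AES_256_CM ciphertext: %x\n", ct)
	fmt.Println("AES-128 KDF with AES_256_CM allowed?", kdfAllowed(16, 32))
}
```

Two design points are worth noting. Because the salt, SSRC and index are all left-shifted by 16 bits, the low two octets of the initial counter are always zero, so writing b_c into octets 14..15 is the same as adding b_c to the IV, as RFC 3711 specifies, for the at most 2^16 blocks a packet may need; the example refuses longer requests rather than letting b_c silently wrap onto the packet-index field. And aes.NewCipher chooses AES-128, AES-192 or AES-256 purely from the key length, which is precisely the "only difference in the processing" described in Sections 2 and 3.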
5.  Crypto Suites

   This section defines SRTP crypto suites that use the ciphers and key
   derivation functions defined in this document.  These suites are
   registered with IANA for use with the SDP Security Descriptions
   attributes (Section 10.3.2.1 of [RFC4568]).  Other SRTP key
   management methods that use the crypto functions defined in this
   document are encouraged to also use these crypto suite definitions.

   +------------------------------+------------------------------------+
   | Parameter                    | Value                              |
   +------------------------------+------------------------------------+
   | Master key length            | 192 bits                           |
   |                              |                                    |
   | Master salt length           | 112 bits                           |
   |                              |                                    |
   | Key Derivation Function      | AES_192_CM_PRF (Section 3)         |
   |                              |                                    |
   | Default key lifetime         | 2^31 packets                       |
   |                              |                                    |
   | Cipher (for SRTP and SRTCP)  | AES_192_CM (Section 2)             |
   |                              |                                    |
   | SRTP authentication function | HMAC-SHA1 (Section 4.2.1 of        |
   |                              | [RFC3711])                         |
   |                              |                                    |
   | SRTP authentication key      | 160 bits                           |
   | length                       |                                    |
   |                              |                                    |
   | SRTP authentication tag      | 80 bits                            |
   | length                       |                                    |
   |                              |                                    |
   | SRTCP authentication         | HMAC-SHA1 (Section 4.2.1 of        |
   | function                     | [RFC3711])                         |
   |                              |                                    |
   | SRTCP authentication key     | 160 bits                           |
   | length                       |                                    |
   |                              |                                    |
   | SRTCP authentication tag     | 80 bits                            |
   | length                       |                                    |
   +------------------------------+------------------------------------+

              Table 1: The AES_CM_192_HMAC_SHA1_80 cryptosuite.

   +------------------------------+------------------------------------+
   | Parameter                    | Value                              |
   +------------------------------+------------------------------------+
   | Master key length            | 192 bits                           |
   |                              |                                    |
   | Master salt length           | 112 bits                           |
   |                              |                                    |
   | Key Derivation Function      | AES_192_CM_PRF (Section 3)         |
   |                              |                                    |
   | Default key lifetime         | 2^31 packets                       |
   |                              |                                    |
   | Cipher (for SRTP and SRTCP)  | AES_192_CM (Section 2)             |
   |                              |                                    |
   | SRTP authentication function | HMAC-SHA1 (Section 4.2.1 of        |
   |                              | [RFC3711])                         |
   |                              |                                    |
   | SRTP authentication key      | 160 bits                           |
   | length                       |                                    |
   |                              |                                    |
   | SRTP authentication tag      | 32 bits                            |
   | length                       |                                    |
   |                              |                                    |
   | SRTCP authentication         | HMAC-SHA1 (Section 4.2.1 of        |
   | function                     | [RFC3711])                         |
   |                              |                                    |
   | SRTCP authentication key     | 160 bits                           |
   | length                       |                                    |
   |                              |                                    |
   | SRTCP authentication tag     | 80 bits                            |
   | length                       |                                    |
   +------------------------------+------------------------------------+

              Table 2: The AES_CM_192_HMAC_SHA1_32 cryptosuite.

   +------------------------------+------------------------------------+
   | Parameter                    | Value                              |
   +------------------------------+------------------------------------+
   | Master key length            | 256 bits                           |
   |                              |                                    |
   | Master salt length           | 112 bits                           |
   |                              |                                    |
   | Key Derivation Function      | AES_256_CM_PRF (Section 3)         |
   |                              |                                    |
   | Default key lifetime         | 2^31 packets                       |
   |                              |                                    |
   | Cipher (for SRTP and SRTCP)  | AES_256_CM (Section 2)             |
   |                              |                                    |
   | SRTP authentication function | HMAC-SHA1 (Section 4.2.1 of        |
   |                              | [RFC3711])                         |
   |                              |                                    |
   | SRTP authentication key      | 160 bits                           |
   | length                       |                                    |
   |                              |                                    |
   | SRTP authentication tag      | 80 bits                            |
   | length                       |                                    |
   |                              |                                    |
   | SRTCP authentication         | HMAC-SHA1 (Section 4.2.1 of        |
   | function                     | [RFC3711])                         |
   |                              |                                    |
   | SRTCP authentication key     | 160 bits                           |
   | length                       |                                    |
   |                              |                                    |
   | SRTCP authentication tag     | 80 bits                            |
   | length                       |                                    |
   +------------------------------+------------------------------------+

              Table 3: The AES_CM_256_HMAC_SHA1_80 cryptosuite.
   +------------------------------+------------------------------------+
   | Parameter                    | Value                              |
   +------------------------------+------------------------------------+
   | Master key length            | 256 bits                           |
   |                              |                                    |
   | Master salt length           | 112 bits                           |
   |                              |                                    |
   | Key Derivation Function      | AES_256_CM_PRF (Section 3)         |
   |                              |                                    |
   | Default key lifetime         | 2^31 packets                       |
   |                              |                                    |
   | Cipher (for SRTP and SRTCP)  | AES_256_CM (Section 2)             |
   |                              |                                    |
   | SRTP authentication function | HMAC-SHA1 (Section 4.2.1 of        |
   |                              | [RFC3711])                         |
   |                              |                                    |
   | SRTP authentication key      | 160 bits                           |
   | length                       |                                    |
   |                              |                                    |
   | SRTP authentication tag      | 32 bits                            |
   | length                       |                                    |
   |                              |                                    |
   | SRTCP authentication         | HMAC-SHA1 (Section 4.2.1 of        |
   | function                     | [RFC3711])                         |
   |                              |                                    |
   | SRTCP authentication key     | 160 bits                           |
   | length                       |                                    |
   |                              |                                    |
   | SRTCP authentication tag     | 80 bits                            |
   | length                       |                                    |
   +------------------------------+------------------------------------+

              Table 4: The AES_CM_256_HMAC_SHA1_32 cryptosuite.

6.  IANA Considerations

   IANA is expected to assign the following parameters for the SDP
   Security Descriptions crypto suite attribute.

      AES_CM_192_HMAC_SHA1_80

      AES_CM_192_HMAC_SHA1_32

      AES_CM_256_HMAC_SHA1_80

      AES_CM_256_HMAC_SHA1_32

   The cryptosuites are as defined in Section 5.

7.  Security Considerations

   AES-128 provides a level of security that is widely regarded as being
   more than sufficient for providing confidentiality.  It is believed
   that the economic cost of breaking AES-128 is significantly higher
   than the cost of more direct approaches to violating system security,
   e.g. theft, bribery, wiretapping, and other forms of malfeasance.

   Future advances in the state of the art of cryptanalysis could
   eliminate this confidence in AES-128, and motivate the use of AES-192
   or AES-256.  AES-192 is regarded as being secure even against some
   adversaries for which breaking AES-128 may be feasible.  Similarly,
   AES-256 is regarded as being secure even against some adversaries for
   which it may be feasible to break AES-192.  The availability of the
   larger key size versions of AES provides a fallback plan in case of
   unanticipated cryptanalytic results.

   It is conjectured that AES-256 provides adequate security even
   against adversaries that possess the ability to construct a quantum
   computer that works on 256 or more quantum bits.  No such computer is
   known to exist; its feasibility is an area of active speculation and
   research.

   Despite the apparent sufficiency of AES-128, some users are
   interested in the larger AES key sizes.  For some applications, the
   40% increase in computational cost for AES-256 over AES-128 is a
   worthwhile bargain when traded for the security advantages outlined
   above.  These applications include those with a perceived need for
   very high security, e.g. due to a desire for very long-term
   confidentiality.

   As with any cipher, the conjectured security level of AES may change
   over time.  The considerations in this section reflect the best
   knowledge available at the time of publication of this document.

   It is desirable that AES_192_CM and AES_192_CM_PRF be used with an
   authentication function that uses a 192 bit key, and that AES_256_CM
   and AES_256_CM_PRF be used with an authentication function that uses
   a 256 bit key.  However, this desire is not regarded as
   security-critical.  Cryptographic authentication is resilient against
   future advances in cryptanalysis, since the opportunity for a forgery
   attack against a session closes when that session closes.

8.  Open Questions

   It may be desirable to eliminate AES-192 altogether, leaving users
   with the simpler choice of using AES-128 or AES-256.  This option
   preserves the possibility of Suite B conformance.  Given that the
   incremental computational cost of AES-256 over AES-192 is only 16%,
   and the additional key storage overhead is only 33%, this option
   imposes only a minimal burden on implementations.

9.  Acknowledgements

   Thanks to Bob Bell for feedback and encouragement.

10.  References

10.1.  Normative References

   [FIPS197]  "The Advanced Encryption Standard (AES)", FIPS-197 Federal
              Information Processing Standard.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC3711]  Baugher, M., McGrew, D., Naslund, M., Carrara, E., and K.
              Norrman, "The Secure Real-time Transport Protocol (SRTP)",
              RFC 3711, March 2004.

   [RFC4568]  Andreasen, F., Baugher, M., and D. Wing, "Session
              Description Protocol (SDP) Security Descriptions for Media
              Streams", RFC 4568, July 2006.

10.2.  Informative References

   [suiteB]   "Fact Sheet for NSA Suite B Cryptography",
              http://www.nsa.gov/ia/industry/crypto_suite_b.cfm.

Author's Address

   David A. McGrew
   Cisco Systems, Inc.
   510 McCarthy Blvd.
   Milpitas, CA 95035
   US

   Phone: (408) 525 8651
   Email: mcgrew@cisco.com
   URI:   http://www.mindspring.com/~dmcgrew/dam.htm