[Docs] [txt|pdf] [Tracker] [Email] [Nits]

Versions: 00 01 draft-ietf-avt-srtp-big-aes

Network Working Group                                          D. McGrew
Internet-Draft                                       Cisco Systems, Inc.
Expires: October 28, 2006                                 April 26, 2006


              The use of AES-192 and AES-256 in Secure RTP
                    draft-mcgrew-srtp-big-aes-00.txt

Status of this Memo

   By submitting this Internet-Draft, each author represents that any
   applicable patent or other IPR claims of which he or she is aware
   have been or will be disclosed, and any of which he or she becomes
   aware will be disclosed, in accordance with Section 6 of BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as Internet-
   Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   This Internet-Draft will expire on October 28, 2006.

Copyright Notice

   Copyright (C) The Internet Society (2006).

Abstract

   This memo describes the use of the Advanced Encryption Standard (AES)
   with 192 and 256 bit keys within the Secure RTP protocol.  It defines
   Counter Mode encryption for SRTP and SRTCP and a new SRTP Key
   Derivation Function (KDF) for AES-192 and AES-256.








McGrew                  Expires October 28, 2006                [Page 1]


Internet-Draft          SRTP AES-192 and AES-256              April 2006


Table of Contents

   1.   Introduction . . . . . . . . . . . . . . . . . . . . . . . .   3
     1.1  Conventions Used In This Document  . . . . . . . . . . . .   3
   2.   AES-192 and AES-256 Encryption . . . . . . . . . . . . . . .   4
   3.   The AES_CM_192_PRF and AES_CM_256_PRF Key Derivation
        Functions  . . . . . . . . . . . . . . . . . . . . . . . . .   5
     3.1  Usage Requirements . . . . . . . . . . . . . . . . . . . .   6
   4.   Test Cases . . . . . . . . . . . . . . . . . . . . . . . . .   7
   5.   Crypto Suties  . . . . . . . . . . . . . . . . . . . . . . .   8
   6.   IANA Considerations  . . . . . . . . . . . . . . . . . . . .  12
   7.   Security Considerations  . . . . . . . . . . . . . . . . . .  13
   8.   Open Questions . . . . . . . . . . . . . . . . . . . . . . .  14
   9.   Acknowledgements . . . . . . . . . . . . . . . . . . . . . .  15
   10.  References . . . . . . . . . . . . . . . . . . . . . . . . .  16
     10.1   Normative References . . . . . . . . . . . . . . . . . .  16
     10.2   Informative References . . . . . . . . . . . . . . . . .  16
        Author's Address . . . . . . . . . . . . . . . . . . . . . .  16
        Intellectual Property and Copyright Statements . . . . . . .  17
































McGrew                  Expires October 28, 2006                [Page 2]


Internet-Draft          SRTP AES-192 and AES-256              April 2006


1.  Introduction

   This memo describes the use of the Advanced Encryption Standard (AES)
   [FIPS197] with 192 and 256 bit keys within the Secure RTP protocol
   [RFC3711].  Below those block ciphers are referred to as AES-192 and
   AES-256, respectively, and the use of AES with a 128 bit key is
   referred to as AES-128.  This document defines Counter Mode
   encryption for SRTP and SRTCP and a new SRTP Key Derivation Function
   for AES-192 and AES-256.  It also defines new cryptosuites that use
   these new functions.

   While AES-128 is widely regarded as more than adequately secure, some
   users may be motivated to adopt AES-192 or AES-256.  One motivation
   is conformance to the Suite B profile (which requires AES-256 for the
   protection of TOP SECRET information) [suiteB].  Others may be
   motivated by a perceived need to purse a highly conservative security
   strategy; see Section 7 for more discussion of security issues.

   The crypto functions defined in this document are an addition to, and
   not a replacement for, the crypto functions defined in [RFC3711].

1.1  Conventions Used In This Document

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].

























McGrew                  Expires October 28, 2006                [Page 3]


Internet-Draft          SRTP AES-192 and AES-256              April 2006


2.  AES-192 and AES-256 Encryption

   Section 4.1.1 of [RFC3711] defines AES-128 counter mode encryption,
   which it refers to as AES_CM.  AES-192 counter mode and AES-256
   counter mode are defined in a similar manner, and are denoted as
   AES_192_CM and AES_256_CM respectively.  In both of these ciphers,
   the plaintext inputs to the block cipher are formed as in AES_CM, and
   the block cipher outputs are processed as in AES_CM.  The only
   difference in the processing is that AES_192_CM uses AES-192, and
   AES_256_CM uses AES-256.  Both AES_192_CM and AES_256_CM use a 112-
   bit salt as an input, as does AES_CM.

   For the convenience of the reader, the structure of the counter
   blocks in SRTP counter mode encryption is illustrated in Figure 1,
   using the terminology from Section 4.1.1 of [RFC3711] .  In this
   diagram, the symbol (+) denotes the bitwise exclusive-or operation,
   and the AES encrypt operation uses AES-128, AES-192, or AES-256 for
   AES_CM, AES_192_CM, and AES_256_CM, respectively.  The field labeled
   b_c contains a block counter, the value of which increments once for
   each invocation of the "AES Encrypt" function.

   one octet
    <-->
     0  1  2  3  4  5  6  7  8  9  10 11 12 13 14 15
    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
    |00|00|00|00|   SSRC    |   packet index  | b_c |---+
    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+   |
                                                        |
    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+   v
    |                  salt (k_s)             |00|00|->(+)
    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+   |
                                                        |
                                                        v
                                                 +-------------+
                         encryption key (k_e) -> | AES encrypt |
                                                 +-------------+
                                                        |
    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+   |
    |                keystream block                |<--+
    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+

                        Figure 1: AES Counter Mode.









McGrew                  Expires October 28, 2006                [Page 4]


Internet-Draft          SRTP AES-192 and AES-256              April 2006


3.  The AES_CM_192_PRF and AES_CM_256_PRF Key Derivation Functions

   Section 4.3.3 of [RFC3711] defines AES-128 counter mode key
   derivation function, which it refers to as "AES-CM PRF".  (That
   specification uses the term PRF, or pseudo-random function,
   interchangeably with the term "key derivation function". ) The AES-
   192 counter mode PRF and AES-256 counter mode PRF are defined in a
   similar manner, and are denoted as AES_192_CM_PRF and AES_256_CM_PRF
   respectively.  In both of these PRFs, the plaintext inputs to the
   block cipher are formed as in the AES-CM PRF, and the block cipher
   outputs are processed as in the AES-CM PRF.  The only difference in
   the processing is that AES_192_CM_PRF uses AES-192, and
   AES_256_CM_PRF uses AES-256.  Both AES_192_CM_PRF and AES_256_CM_PRF
   use a 112-bit salt as an input, as does the AES-CM PRF.

   For the convenience of the reader, the structure of the counter
   blocks in SRTP counter mode key derivation is illustrated in
   Figure 2, using the terminology from Section 4.3.3 of [RFC3711].  In
   this diagram, the symbol (+) denotes the bitwise exclusive-or
   operation, and the "AES Encrypt" operation uses AES-128, AES-192, or
   AES-256 for the "AES-CM PRF", AES_192_CM_PRF, and AES_256_CM_PRF,
   respectively.  The field "LB" contains the 8-bit constant "label"
   which is provided as an input to the key derivation function (and
   which is distint for each key generated by that function).  The field
   labeled b_c contains a block counter, the value of which increments
   once for each invocation of the "AES Encrypt" function.

   one octet
    <-->
     0  1  2  3  4  5  6  7  8  9  10 11 12 13 14 15
    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
    |00|00|00|00|00|00|00|LB| index DIV kdr   | b_c |---+
    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+   |
                                                        |
    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+   v
    |               master salt               |00|00|->(+)
    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+   |
                                                        |
                                                        v
                                                 +-------------+
                                   master key -> | AES encrypt |
                                                 +-------------+
                                                        |
    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+   |
    |                   output block                |<--+
    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+

          Figure 2: The AES counter mode Key Derivation Function



McGrew                  Expires October 28, 2006                [Page 5]


Internet-Draft          SRTP AES-192 and AES-256              April 2006


3.1  Usage Requirements

   When AES_192_CM is used for encryption, AES_192_CM SHOULD be used as
   the key derivation function, and AES_128_CM MUST NOT be used as the
   key derivation function.

   When AES_256_CM is used for encryption, AES_256_CM SHOULD be used as
   the key derivation function.  Both AES_128_CM and AES_192_CM MUST NOT
   be used as the key derivation function.

      Rationale: it is essential that the cryptographic strength of the
      key derivation meets or exceeds that of the encryption method.  It
      is natural to use the same function for both encryption and key
      derivation.  However, it is not required to do so because it is
      desirable to allow these ciphers to be used with alternative key
      derivation functions that may be defined in the future.



































McGrew                  Expires October 28, 2006                [Page 6]


Internet-Draft          SRTP AES-192 and AES-256              April 2006


4.  Test Cases

   In a future version of this document, this section will provide test
   cases that can be used to validate implementations.















































McGrew                  Expires October 28, 2006                [Page 7]


Internet-Draft          SRTP AES-192 and AES-256              April 2006


5.  Crypto Suties

   This section defines SRTP crypto suites that use the ciphers and key
   derivation functions defined in this document.  These suites are
   registered with IANA for use with the SDP Security Descriptions
   attributes (Section 10.3.2.1 of [I-D.ietf-mmusic-sdescriptions]).
   Other SRTP key management methods that use the crypto functions
   defined in this document are encouraged to also use these crypto
   suite definitions.

   +---------------------------------+---------------------------------+
   | Parameter                       | Value                           |
   +---------------------------------+---------------------------------+
   | Master key length               | 192 bits                        |
   |                                 |                                 |
   | Master salt length              | 112 bits                        |
   |                                 |                                 |
   | Key Derivation Function         | AES_192_CM_PRF (Section 3)      |
   |                                 |                                 |
   | Default key lifetime            | 2^31 packets                    |
   |                                 |                                 |
   | Cipher (for SRTP and SRTCP)     | AES_192_CM (Section 2)          |
   |                                 |                                 |
   | SRTP authentication function    | HMAC-SHA1  (Section 4.2.1 of    |
   |                                 | [RFC3711])                      |
   |                                 |                                 |
   | SRTP authentication key length  | 160 bits                        |
   |                                 |                                 |
   | SRTP authentication tag length  | 80 bits                         |
   |                                 |                                 |
   | SRTCP authentication function   | HMAC-SHA1 (Section 4.2.1 of     |
   |                                 | [RFC3711])                      |
   |                                 |                                 |
   | SRTCP authentication key length | 160 bits                        |
   |                                 |                                 |
   | SRTCP authentication tag length | 80 bits                         |
   +---------------------------------+---------------------------------+

             Table 1: The AES_CM_192_HMAC_SHA1_80 cryptosuite.












McGrew                  Expires October 28, 2006                [Page 8]


Internet-Draft          SRTP AES-192 and AES-256              April 2006


   +---------------------------------+---------------------------------+
   | Parameter                       | Value                           |
   +---------------------------------+---------------------------------+
   | Master key length               | 192 bits                        |
   |                                 |                                 |
   | Master salt length              | 112 bits                        |
   |                                 |                                 |
   | Key Derivation Function         | AES_192_CM_PRF (Section 3)      |
   |                                 |                                 |
   | Default key lifetime            | 2^31 packets                    |
   |                                 |                                 |
   | Cipher (for SRTP and SRTCP)     | AES_192_CM (Section 2)          |
   |                                 |                                 |
   | SRTP authentication function    | HMAC-SHA1  (Section 4.2.1 of    |
   |                                 | [RFC3711])                      |
   |                                 |                                 |
   | SRTP authentication key length  | 160 bits                        |
   |                                 |                                 |
   | SRTP authentication tag length  | 32 bits                         |
   |                                 |                                 |
   | SRTCP authentication function   | HMAC-SHA1 (Section 4.2.1 of     |
   |                                 | [RFC3711])                      |
   |                                 |                                 |
   | SRTCP authentication key length | 160 bits                        |
   |                                 |                                 |
   | SRTCP authentication tag length | 80 bits                         |
   +---------------------------------+---------------------------------+

             Table 2: The AES_CM_192_HMAC_SHA1_32 cryptosuite.






















McGrew                  Expires October 28, 2006                [Page 9]


Internet-Draft          SRTP AES-192 and AES-256              April 2006


   +---------------------------------+---------------------------------+
   | Parameter                       | Value                           |
   +---------------------------------+---------------------------------+
   | Master key length               | 256 bits                        |
   |                                 |                                 |
   | Master salt length              | 112 bits                        |
   |                                 |                                 |
   | Key Derivation Function         | AES_256_CM_PRF (Section 3)      |
   |                                 |                                 |
   | Default key lifetime            | 2^31 packets                    |
   |                                 |                                 |
   | Cipher (for SRTP and SRTCP)     | AES_256_CM (Section 2)          |
   |                                 |                                 |
   | SRTP authentication function    | HMAC-SHA1  (Section 4.2.1 of    |
   |                                 | [RFC3711])                      |
   |                                 |                                 |
   | SRTP authentication key length  | 160 bits                        |
   |                                 |                                 |
   | SRTP authentication tag length  | 80 bits                         |
   |                                 |                                 |
   | SRTCP authentication function   | HMAC-SHA1 (Section 4.2.1 of     |
   |                                 | [RFC3711])                      |
   |                                 |                                 |
   | SRTCP authentication key length | 160 bits                        |
   |                                 |                                 |
   | SRTCP authentication tag length | 80 bits                         |
   +---------------------------------+---------------------------------+

             Table 3: The AES_CM_256_HMAC_SHA1_80 cryptosuite.






















McGrew                  Expires October 28, 2006               [Page 10]


Internet-Draft          SRTP AES-192 and AES-256              April 2006


   +---------------------------------+---------------------------------+
   | Parameter                       | Value                           |
   +---------------------------------+---------------------------------+
   | Master key length               | 256 bits                        |
   |                                 |                                 |
   | Master salt length              | 112 bits                        |
   |                                 |                                 |
   | Key Derivation Function         | AES_256_CM_PRF (Section 3)      |
   |                                 |                                 |
   | Default key lifetime            | 2^31 packets                    |
   |                                 |                                 |
   | Cipher (for SRTP and SRTCP)     | AES_256_CM (Section 2)          |
   |                                 |                                 |
   | SRTP authentication function    | HMAC-SHA1  (Section 4.2.1 of    |
   |                                 | [RFC3711])                      |
   |                                 |                                 |
   | SRTP authentication key length  | 160 bits                        |
   |                                 |                                 |
   | SRTP authentication tag length  | 32 bits                         |
   |                                 |                                 |
   | SRTCP authentication function   | HMAC-SHA1 (Section 4.2.1 of     |
   |                                 | [RFC3711])                      |
   |                                 |                                 |
   | SRTCP authentication key length | 160 bits                        |
   |                                 |                                 |
   | SRTCP authentication tag length | 80 bits                         |
   +---------------------------------+---------------------------------+

             Table 4: The AES_CM_256_HMAC_SHA1_32 cryptosuite.






















McGrew                  Expires October 28, 2006               [Page 11]


Internet-Draft          SRTP AES-192 and AES-256              April 2006


6.  IANA Considerations

   IANA is expected to assign the following parameters for the SDP
   Security Descriptions crypto suite attribute.

      AES_CM_192_HMAC_SHA1_80

      AES_CM_192_HMAC_SHA1_32

      AES_CM_256_HMAC_SHA1_80

      AES_CM_256_HMAC_SHA1_32

   The cryptosuites are as defined in Section 5.





































McGrew                  Expires October 28, 2006               [Page 12]


Internet-Draft          SRTP AES-192 and AES-256              April 2006


7.  Security Considerations

   AES-128 provides a level of security that is widely regarded as being
   more than sufficient for providing confidentiality.  It is believed
   that the economic cost of breaking AES-128 is significantly higher
   than the cost of more direct approaches to violating system security,
   e.g. theft, bribery, wiretapping, and other forms of malfeasance.

   Future advances in the state of the art of cryptanalysis could
   eliminate this confidence in AES-128, and motivate the use of AES-192
   or AES-256.  AES-192 is regarded as being secure even against some
   adversaries for which breaking AES-128 may be feasible.  Similarly,
   AES-256 is regarded as being secure even against some adversaries for
   which it may be feasible to break AES-192.  The availability of the
   larger key size versions of AES provides a fallback plan in case of
   unanticipated cryptanalytic results.

   It is conjectured that AES-256 provides adequate security even
   against adversaries that possess the ability to construct a quantum
   computer that works on 256 or more quantum bits.  No such computer is
   known to exist; its feasibility is an area of active speculation and
   research.

   Despite the apparent sufficiency of AES-128, some users are
   interested in the larger AES key sizes.  For some applications, the
   40% increase in computational cost for AES-256 over AES-128 is a
   worthwhile bargain when traded for the security advantages outlined
   above.  These applications include those with a perceived need for
   very high security, e.g. due to a desire for very long-term
   confidentiality.

   As with any cipher, the conjectured security level of AES may change
   over time.  The considerations in this section reflect the best
   knowledge available at the time of publication of this document.

   It is desirable that AES_192_CM and AES_192_CM_PRF be used with an
   authentication function that uses a 192 bit key, and that AES_256_CM
   and AES_256_CM_PRF be used with an authentication function that uses
   a 256 bit key.  However, this desire is not regarded as security-
   critical.  Cryptographic authentication is resilient against future
   advances in cryptanalysis, since the opportunity for a forgery attack
   against a session closes when that session closes.









McGrew                  Expires October 28, 2006               [Page 13]


Internet-Draft          SRTP AES-192 and AES-256              April 2006


8.  Open Questions

   It may be desirable to eliminate AES-192 altogether, leaving users
   with the simpler choice of using AES-128 or AES-256.  This option
   preserves the possibility of Suite B conformance.  Given that the
   incremental computational cost of AES-256 over AES-192 is only 16%,
   and the additional key storage overhead is only 33%, this option
   imposes only a minimal burden on implementations.

   It may be desirable to use AES in the Chained Message Authentication
   Code (CMAC) mode of operation [CMAC] in conjunction with the ciphers
   defined in this document, with the CMAC key size matching the counter
   mode key size.  This mode of operation can be used as a replacement
   for HMAC-SHA1, and that use would provide an authentication function
   with security that is directly comparable to AES-192 and AES-256.
   This mode of operation has some additional benefits and may be worth
   considering for secure RTP.


































McGrew                  Expires October 28, 2006               [Page 14]


Internet-Draft          SRTP AES-192 and AES-256              April 2006


9.  Acknowledgements

   Thanks to Bob Bell for feedback and encouragement.
















































McGrew                  Expires October 28, 2006               [Page 15]


Internet-Draft          SRTP AES-192 and AES-256              April 2006


10.  References

10.1  Normative References

   [FIPS197]  "The Advanced Encryption Standard (AES)", FIPS-197 Federal
              Information Processing Standard.

   [I-D.ietf-mmusic-sdescriptions]
              Andreasen, F., "Session Description Protocol Security
              Descriptions for Media Streams",
              draft-ietf-mmusic-sdescriptions-12 (work in progress),
              September 2005.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC3711]  Baugher, M., McGrew, D., Naslund, M., Carrara, E., and K.
              Norrman, "The Secure Real-time Transport Protocol (SRTP)",
              RFC 3711, March 2004.

10.2  Informative References

   [CMAC]    "NIST Special Publication 800-38B",  http://csrc.nist.gov/
             CryptoToolkit/modes/800-38_Series_Publications/
             SP800-38B.pdf.

   [suiteB]  "Fact Sheet for NSA Suite B Cryptography",
              http://www.nsa.gov/ia/industry/crypto_suite_b.cfm.


Author's Address

   David A. McGrew
   Cisco Systems, Inc.
   510 McCarthy Blvd.
   Milpitas, CA  95035
   US

   Phone: (408) 525 8651
   Email: mcgrew@cisco.com
   URI:   http://www.mindspring.com/~dmcgrew/dam.htm










McGrew                  Expires October 28, 2006               [Page 16]


Internet-Draft          SRTP AES-192 and AES-256              April 2006


Intellectual Property Statement

   The IETF takes no position regarding the validity or scope of any
   Intellectual Property Rights or other rights that might be claimed to
   pertain to the implementation or use of the technology described in
   this document or the extent to which any license under such rights
   might or might not be available; nor does it represent that it has
   made any independent effort to identify any such rights.  Information
   on the procedures with respect to rights in RFC documents can be
   found in BCP 78 and BCP 79.

   Copies of IPR disclosures made to the IETF Secretariat and any
   assurances of licenses to be made available, or the result of an
   attempt made to obtain a general license or permission for the use of
   such proprietary rights by implementers or users of this
   specification can be obtained from the IETF on-line IPR repository at
   http://www.ietf.org/ipr.

   The IETF invites any interested party to bring to its attention any
   copyrights, patents or patent applications, or other proprietary
   rights that may cover technology that may be required to implement
   this standard.  Please address the information to the IETF at
   ietf-ipr@ietf.org.


Disclaimer of Validity

   This document and the information contained herein are provided on an
   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
   ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
   INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
   INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.


Copyright Statement

   Copyright (C) The Internet Society (2006).  This document is subject
   to the rights, licenses and restrictions contained in BCP 78, and
   except as set forth therein, the authors retain all their rights.


Acknowledgment

   Funding for the RFC Editor function is currently provided by the
   Internet Society.




McGrew                  Expires October 28, 2006               [Page 17]


Html markup produced by rfcmarkup 1.129c, available from https://tools.ietf.org/tools/rfcmarkup/