< draft-ietf-perc-double-10.txt   draft-ietf-perc-double-11.txt >
Network Working Group C. Jennings Network Working Group C. Jennings
Internet-Draft P. Jones Internet-Draft P. Jones
Intended status: Standards Track R. Barnes Intended status: Standards Track R. Barnes
Expires: April 20, 2019 Cisco Systems Expires: January 9, 2020 Cisco Systems
A. Roach A. Roach
Mozilla Mozilla
October 17, 2018 July 8, 2019
SRTP Double Encryption Procedures SRTP Double Encryption Procedures
draft-ietf-perc-double-10 draft-ietf-perc-double-11
Abstract Abstract
In some conferencing scenarios, it is desirable for an intermediary In some conferencing scenarios, it is desirable for an intermediary
to be able to manipulate some parameters in Real Time Protocol (RTP) to be able to manipulate some parameters in Real Time Protocol (RTP)
packets, while still providing strong end-to-end security guarantees. packets, while still providing strong end-to-end security guarantees.
This document defines a cryptographic transform for the Secure Real This document defines a cryptographic transform for the Secure Real
Time Protocol (SRTP) that uses two separate but related cryptographic Time Protocol (SRTP) that uses two separate but related cryptographic
operations to provide hop-by-hop and end-to-end security guarantees. operations to provide hop-by-hop and end-to-end security guarantees.
Both the end-to-end and hop-by-hop cryptographic algorithms can Both the end-to-end and hop-by-hop cryptographic algorithms can
utilize an authenticated encryption with associated data scheme or utilize an authenticated encryption with associated data (AEAD)
take advantage of future SRTP transforms with different properties. algorithm or take advantage of future SRTP transforms with different
properties.
Status of This Memo Status of This Memo
This Internet-Draft is submitted in full conformance with the This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79. provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on April 20, 2019. This Internet-Draft will expire on January 9, 2020.
Copyright Notice Copyright Notice
Copyright (c) 2018 IETF Trust and the persons identified as the Copyright (c) 2019 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of (https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
skipping to change at page 2, line 27 skipping to change at page 2, line 30
3.1. Key Derivation . . . . . . . . . . . . . . . . . . . . . 5 3.1. Key Derivation . . . . . . . . . . . . . . . . . . . . . 5
4. Original Header Block . . . . . . . . . . . . . . . . . . . . 5 4. Original Header Block . . . . . . . . . . . . . . . . . . . . 5
5. RTP Operations . . . . . . . . . . . . . . . . . . . . . . . 6 5. RTP Operations . . . . . . . . . . . . . . . . . . . . . . . 6
5.1. Encrypting a Packet . . . . . . . . . . . . . . . . . . . 7 5.1. Encrypting a Packet . . . . . . . . . . . . . . . . . . . 7
5.2. Relaying a Packet . . . . . . . . . . . . . . . . . . . . 8 5.2. Relaying a Packet . . . . . . . . . . . . . . . . . . . . 8
5.3. Decrypting a Packet . . . . . . . . . . . . . . . . . . . 9 5.3. Decrypting a Packet . . . . . . . . . . . . . . . . . . . 9
6. RTCP Operations . . . . . . . . . . . . . . . . . . . . . . . 10 6. RTCP Operations . . . . . . . . . . . . . . . . . . . . . . . 10
7. Use with Other RTP Mechanisms . . . . . . . . . . . . . . . . 10 7. Use with Other RTP Mechanisms . . . . . . . . . . . . . . . . 10
7.1. RTP Retransmission (RTX) . . . . . . . . . . . . . . . . 11 7.1. RTP Retransmission (RTX) . . . . . . . . . . . . . . . . 11
7.2. Redundant Audio Data (RED) . . . . . . . . . . . . . . . 11 7.2. Redundant Audio Data (RED) . . . . . . . . . . . . . . . 11
7.3. Forward Error Correction (FEC) . . . . . . . . . . . . . 11 7.3. Forward Error Correction (FEC) . . . . . . . . . . . . . 12
7.4. DTMF . . . . . . . . . . . . . . . . . . . . . . . . . . 12 7.4. DTMF . . . . . . . . . . . . . . . . . . . . . . . . . . 12
8. Recommended Inner and Outer Cryptographic Algorithms . . . . 12 8. Recommended Inner and Outer Cryptographic Algorithms . . . . 12
9. Security Considerations . . . . . . . . . . . . . . . . . . . 13 9. Security Considerations . . . . . . . . . . . . . . . . . . . 13
10. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 13 10. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 13
10.1. DTLS-SRTP . . . . . . . . . . . . . . . . . . . . . . . 13 10.1. DTLS-SRTP . . . . . . . . . . . . . . . . . . . . . . . 14
11. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 14 11. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 15
12. References . . . . . . . . . . . . . . . . . . . . . . . . . 15 12. References . . . . . . . . . . . . . . . . . . . . . . . . . 15
12.1. Normative References . . . . . . . . . . . . . . . . . . 15 12.1. Normative References . . . . . . . . . . . . . . . . . . 15
12.2. Informative References . . . . . . . . . . . . . . . . . 15 12.2. Informative References . . . . . . . . . . . . . . . . . 16
Appendix A. Encryption Overview . . . . . . . . . . . . . . . . 17 Appendix A. Encryption Overview . . . . . . . . . . . . . . . . 17
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 17 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 18
1. Introduction 1. Introduction
Cloud conferencing systems that are based on switched conferencing Cloud conferencing systems that are based on switched conferencing
have a central Media Distributor device that receives media from have a central Media Distributor device that receives media from
endpoints and distributes it to other endpoints, but does not need to endpoints and distributes it to other endpoints, but does not need to
interpret or change the media content. For these systems, it is interpret or change the media content. For these systems, it is
desirable to have one cryptographic key from the sending endpoint to desirable to have one cryptographic key that enables encryption and
the receiving endpoint that can encrypt and authenticate the media authentication of the media end-to-end while still allowing certain
end-to-end while still allowing certain information in the header of information in the header of a Real Time Protocol (RTP) packet to be
a Real Time Protocol (RTP) packet to be changed by the Media changed by the Media Distributor. At the same time, a separate
Distributor. At the same time, a separate cryptographic key provides cryptographic key provides integrity and optional confidentiality for
integrity and optional confidentiality for the media flowing between the media flowing between the Media Distributor and the endpoints.
the Media Distributor and the endpoints. The framework document The framework document [I-D.ietf-perc-private-media-framework]
[I-D.ietf-perc-private-media-framework] describes this concept in describes this concept in more detail.
more detail.
This specification defines a transform for the Secure Real Time This specification defines a transform for the Secure Real Time
Protocol (SRTP) that uses the AES-GCM algorithm [RFC7714] to provide Protocol (SRTP) that uses the AES-GCM algorithm [RFC7714] to provide
encryption and integrity for an RTP packet for the end-to-end encryption and integrity for an RTP packet for the end-to-end
cryptographic key as well as a hop-by-hop cryptographic encryption cryptographic key as well as a hop-by-hop cryptographic encryption
and integrity between the endpoint and the Media Distributor. The and integrity between the endpoint and the Media Distributor. The
Media Distributor decrypts and checks integrity of the hop-by-hop Media Distributor decrypts and checks integrity of the hop-by-hop
security. The Media Distributor MAY change some of the RTP header security. The Media Distributor MAY change some of the RTP header
information that would impact the end-to-end integrity. In that information that would impact the end-to-end integrity. In that
case, the original value of any RTP header field that is changed is case, the original value of any RTP header field that is changed is
included in a new RTP header extension called the Original Header included in an "Original Header Block" that is added to the packet.
Block. The new RTP packet is encrypted with the hop-by-hop The new RTP packet is encrypted with the hop-by-hop cryptographic
cryptographic algorithm before it is sent. The receiving endpoint algorithm before it is sent. The receiving endpoint decrypts and
decrypts and checks integrity using the hop-by-hop cryptographic checks integrity using the hop-by-hop cryptographic algorithm and
algorithm and then replaces any parameters the Media Distributor then replaces any parameters the Media Distributor changed using the
changed using the information in the Original Header Block before information in the Original Header Block before decrypting and
decrypting and checking the end-to-end integrity. checking the end-to-end integrity.
One can think of the double as a normal SRTP transform for encrypting One can think of the double as a normal SRTP transform for encrypting
the RTP in a way where things that only know half of the key, can the RTP in a way where things that only know half of the key, can
decrypt and modify part of the RTP packet but not other parts, decrypt and modify part of the RTP packet but not other parts,
including the media payload. including the media payload.
2. Terminology 2. Terminology
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
skipping to change at page 5, line 12 skipping to change at page 5, line 12
If the Media Distributor is to be able to modify header fields but If the Media Distributor is to be able to modify header fields but
not decrypt the payload, then it must have cryptographic key for the not decrypt the payload, then it must have cryptographic key for the
outer algorithm, but not the inner (end-to-end) algorithm. This outer algorithm, but not the inner (end-to-end) algorithm. This
document does not define how the Media Distributor should be document does not define how the Media Distributor should be
provisioned with this information. One possible way to provide provisioned with this information. One possible way to provide
keying material for the outer (hop-by-hop) algorithm is to use keying material for the outer (hop-by-hop) algorithm is to use
[I-D.ietf-perc-dtls-tunnel]. [I-D.ietf-perc-dtls-tunnel].
3.1. Key Derivation 3.1. Key Derivation
In order to allow the inner and outer keys to be managed Although SRTP uses a single master key to derive keys for an SRTP
independently via the master key, the transforms defined in this session, this transform requires separate inner and outer keys. In
document MUST be used with the following pseudo-random function order to allow the inner and outer keys to be managed independently
(PRF), which preserves the separation between the two halves of the via the master key, the transforms defined in this document MUST be
key. Given a positive integer "n" representing the desired output used with the following pseudo-random function (PRF), which preserves
length, a master key "k_master", and an input "x": the separation between the two halves of the key. Given a positive
integer "n" representing the desired output length, a master key
PRF_double_n(k_master,x) = PRF_inner_(n/2)(k_master,x) || "k_master", and an input "x":
PRF_outer_(n/2)(k_master,x)
PRF_inner_n(k_master,x) = PRF_n(inner(k_master),x) PRF\_double\_n(k\_master,x) = PRF\_(n/2)(inner(k\_master),x) ||
PRF_outer_n(k_master,x) = PRF_n(outer(k_master),x) PRF\_(n/2)(outer(k\_master),x)
Here "PRF_n(k, x)" represents the AES_CM PRF KDF [RFC3711] for Here "PRF_n(k, x)" represents the AES_CM PRF KDF (see Section 4.3.3
DOUBLE_AEAD_AES_128_GCM_AEAD_AES_128_GCM algorithm and AES_256_CM_PRF of [RFC3711]) for DOUBLE_AEAD_AES_128_GCM_AEAD_AES_128_GCM algorithm
KDF [RFC6188] for DOUBLE_AEAD_AES_256_GCM_AEAD_AES_256_GCM algorithm. and AES_256_CM_PRF KDF [RFC6188] for
"inner(key)" represents the first half of the key, and "outer(key)" DOUBLE_AEAD_AES_256_GCM_AEAD_AES_256_GCM algorithm. "inner(key)"
represents the second half of the key. represents the first half of the key, and "outer(key)" represents the
second half of the key.
4. Original Header Block 4. Original Header Block
The Original Header Block (OHB) contains the original values of any The Original Header Block (OHB) contains the original values of any
modified RTP header fields. In the encryption process, the OHB is modified RTP header fields. In the encryption process, the OHB is
appended to the RTP payload. In the decryption process, the included in an SRTP packet as described in Section 5. In the
receiving endpoint uses it to reconstruct the original RTP header, so decryption process, the receiving endpoint uses it to reconstruct the
that it can pass the proper AAD value to the inner transform. original RTP header, so that it can pass the proper AAD value to the
inner transform.
The OHB can reflect modifications to the following fields in an RTP The OHB can reflect modifications to the following fields in an RTP
header: the payload type, the sequence number, and the marker bit. header: the payload type, the sequence number, and the marker bit.
All other fields in the RTP header MUST remain unmodified; since the All other fields in the RTP header MUST remain unmodified; since the
OHB cannot reflect their original values, the receiver will be unable OHB cannot reflect their original values, the receiver will be unable
to verify the E2E integrity of the packet. to verify the E2E integrity of the packet.
The OHB has the following syntax (in ABNF [RFC5234]): The OHB has the following syntax (in ABNF [RFC5234]):
OCTET = %x00-FF OCTET = %x00-FF
skipping to change at page 6, line 34 skipping to change at page 6, line 34
o M: Marker bit is present o M: Marker bit is present
o B: Value of marker bit o B: Value of marker bit
o R: Reserved, MUST be set to 0 o R: Reserved, MUST be set to 0
In particular, an all-zero OHB config octet (0x00) indicates that In particular, an all-zero OHB config octet (0x00) indicates that
there have been no modifications from the original header. there have been no modifications from the original header.
If the marker bit is not present (M=0), then B MUST be set to zero.
That is, if "C" represents the value of the config octet, then the
masked value "C & 0x0C" MUST NOT have the value "0x80".
5. RTP Operations 5. RTP Operations
As implied by the use of the word "double" above, this transform As implied by the use of the word "double" above, this transform
applies AES-GCM to the SRTP packet twice. This allows media applies AES-GCM to the SRTP packet twice. This allows media
distributors to be able to modify some header fields while allowing distributors to be able to modify some header fields while allowing
endpoints to verify the end-to-end integrity and confidentiality of a endpoints to verify the end-to-end integrity of a packet.
packet.
The first, "inner" application of AES-GCM encrypts the SRTP payload The first, "inner" application of AES-GCM encrypts the SRTP payload
and integrity-protects a version of the SRTP header with extensions and integrity-protects a version of the SRTP header with extensions
truncated. Omitting extensions from the inner integrity check means truncated. Omitting extensions from the inner integrity check means
that they can be modified by a media distributor holding only the that they can be modified by a media distributor holding only the
"outer" key. "outer" key.
The second, "outer" application of AES-GCM encrypts the ciphertext The second, "outer" application of AES-GCM encrypts the ciphertext
produced by the inner encryption (i.e., the encrypted payload and produced by the inner encryption (i.e., the encrypted payload and
authentication tag), plus an OHB that expresses any changes made authentication tag), plus an OHB that expresses any changes made
skipping to change at page 7, line 38 skipping to change at page 7, line 40
* The header is truncated to remove any extensions (i.e., keep * The header is truncated to remove any extensions (i.e., keep
only the first 12 + 4 * CC bytes of the header) only the first 12 + 4 * CC bytes of the header)
* Payload: The RTP payload of the original packet * Payload: The RTP payload of the original packet
4. Apply the inner cryptographic algorithm to the synthetic RTP 4. Apply the inner cryptographic algorithm to the synthetic RTP
packet from the previous step. packet from the previous step.
5. Replace the header of the protected RTP packet with the header of 5. Replace the header of the protected RTP packet with the header of
the original packet, and append an empty OHB (0x00) to the the original packet (to restore any header extensions and reset
encrypted payload (with the authentication tag) obtained from the the X bit), and append an empty OHB (0x00) to the encrypted
step 4. payload (with the authentication tag) obtained from the step 4.
6. Apply the outer cryptographic algorithm to the RTP packet. If 6. Apply the outer cryptographic algorithm to the RTP packet. If
encrypting RTP header extensions hop-by-hop, then [RFC6904] MUST encrypting RTP header extensions hop-by-hop, then [RFC6904] MUST
be used when encrypting the RTP packet using the outer be used when encrypting the RTP packet using the outer
cryptographic key. cryptographic key.
When using EKT [I-D.ietf-perc-srtp-ekt-diet], the EKT Field comes When using EKT [I-D.ietf-perc-srtp-ekt-diet], the EKT Field comes
after the SRTP packet exactly like using EKT with any other SRTP after the SRTP packet exactly like using EKT with any other SRTP
transform. transform.
skipping to change at page 8, line 27 skipping to change at page 8, line 27
packet using the the outer (hop-by-hop) cryptographic key before packet using the the outer (hop-by-hop) cryptographic key before
transmitting. transmitting.
1. Apply the outer (hop-by-hop) cryptographic algorithm to decrypt 1. Apply the outer (hop-by-hop) cryptographic algorithm to decrypt
the packet. If decrypting RTP header extensions hop-by-hop, then the packet. If decrypting RTP header extensions hop-by-hop, then
[RFC6904] MUST be used. Note that the RTP payload produced by [RFC6904] MUST be used. Note that the RTP payload produced by
this decryption operation contains the original encrypted payload this decryption operation contains the original encrypted payload
with the tag from the inner transform and the OHB appended. with the tag from the inner transform and the OHB appended.
2. Make any desired changes to the fields are allowed to be changed, 2. Make any desired changes to the fields are allowed to be changed,
i.e., PT, SEQ, and M. i.e., PT, SEQ, and M. The Media Distributor MAY also make
modifications to header extensions, without the need to reflect
these changes in the OHB.
3. A Media Distributor can add information to the OHB, but MUST NOT 3. Reflect any changes to header fields in the OHB:
change existing information in the OHB. If RTP value is changed
and not already in the OHB, then add it with its original value
to the OHB.
4. If the Media Distributor resets a parameter to its original * If Media Distributor changed a field that is not already in
value, it MAY drop it from the OHB. Note that this might result the OHB, then it MUST add the original value of the field to
in a decrease in the size of the OHB. the OHB. Note that this might result in an increase in the
size of the OHB.
5. Apply the outer (hop-by-hop) cryptographic algorithm to the * If the Media Distributor took a field that had previously been
modified and reset to its original value, then it SHOULD drop
the corresponding information from the OHB. Note that this
might result in a decrease in the size of the OHB.
* Otherwise, the Media Distributor MUST NOT modify the OHB.
4. Apply the outer (hop-by-hop) cryptographic algorithm to the
packet. If the RTP Sequence Number has been modified, SRTP packet. If the RTP Sequence Number has been modified, SRTP
processing happens as defined in SRTP and will end up using the processing happens as defined in SRTP and will end up using the
new Sequence Number. If encrypting RTP header extensions hop-by- new Sequence Number. If encrypting RTP header extensions hop-by-
hop, then [RFC6904] MUST be used. hop, then [RFC6904] MUST be used.
In order to avoid nonce reuse, the cryptographic contexts used in In order to avoid nonce reuse, the cryptographic contexts used in
step 1 and step 5 MUST use different, independent master keys and step 1 and step 5 MUST use different, independent master keys. Note
master salts. that this means that the key used for decryption by the MD MUST be
different from the key used for re-encryption to the end recipient.
Note that if multiple MDs modify the same packet, then the first MD Note that if multiple MDs modify the same packet, then the first MD
to alter a given header field is the one that adds it to the OHB. If to alter a given header field is the one that adds it to the OHB. If
a subsequent MD changes the value of a header field that has already a subsequent MD changes the value of a header field that has already
been changed, then the original value will already be in the OHB, so been changed, then the original value will already be in the OHB, so
no update to the OHB is required. no update to the OHB is required.
A Media Distributor that decrypts, modifies, and re-encrypts packets A Media Distributor that decrypts, modifies, and re-encrypts packets
in this way MUST use an independent key for each recipient, SHOULD in this way MUST use an independent key for each recipient, and MUST
use an independent salt for each recipient, and MUST NOT re-encrypt NOT re-encrypt the packet using the sender's keys. If the Media
the packet using the sender's keys. If the Media Distributor Distributor decrypts and re-encrypts with the same key and salt, it
decrypts and re-encrypts with the same key and salt, it will result will result in the reuse of a (key, nonce) pair, undermining the
in the reuse of a (key, nonce) pair, undermining the security of GCM. security of AES-GCM.
5.3. Decrypting a Packet 5.3. Decrypting a Packet
To decrypt a packet, the endpoint first decrypts and verifies using To decrypt a packet, the endpoint first decrypts and verifies using
the outer (hop-by-hop) cryptographic key, then uses the OHB to the outer (hop-by-hop) cryptographic key, then uses the OHB to
reconstruct the original packet, which it decrypts and verifies with reconstruct the original packet, which it decrypts and verifies with
the inner (end-to-end) cryptographic key. the inner (end-to-end) cryptographic key.
1. Apply the outer cryptographic algorithm to the packet. If the 1. Apply the outer cryptographic algorithm to the packet. If the
integrity check does not pass, discard the packet. The result of integrity check does not pass, discard the packet. The result of
skipping to change at page 10, line 37 skipping to change at page 10, line 47
6. RTCP Operations 6. RTCP Operations
Unlike RTP, which is encrypted both hop-by-hop and end-to-end using Unlike RTP, which is encrypted both hop-by-hop and end-to-end using
two separate cryptographic keys, RTCP is encrypted using only the two separate cryptographic keys, RTCP is encrypted using only the
outer (hop-by-hop) cryptographic key. The procedures for RTCP outer (hop-by-hop) cryptographic key. The procedures for RTCP
encryption are specified in [RFC3711] and this document introduces no encryption are specified in [RFC3711] and this document introduces no
additional steps. additional steps.
7. Use with Other RTP Mechanisms 7. Use with Other RTP Mechanisms
Media distributors sometimes interact with RTP media packets sent by Media Distributors sometimes interact with RTP media packets sent by
endpoints, e.g., to provide recovery or receive commands via DTMF. endpoints, e.g., to provide recovery or receive commands via DTMF.
When media packets are encrypted end-to-end, these procedures require When media packets are encrypted end-to-end, these procedures require
modification. modification. (End-to-end interactions, including end-to-end
recovery, are not affected by end-to-end encryption.)
Repair mechanisms, in general, will need to perform recovery on Repair mechanisms, in general, will need to perform recovery on
encrypted packets (double-encrypted when using this transform). When encrypted packets (double-encrypted when using this transform), since
the recovery mechanism calls for the recovery packet itself to be the Media Distributor does not have access to the plaintext of the
encrypted, it is encrypted with only the outer, HBH key. This allows packet, only an intermediate, E2E-encrypted form.
a media distributor to generate recovery packets without having
access to the inner, E2E keys. However, it also results in recovery When the recovery mechanism calls for the recovery packet itself to
packets being triple-encrypted, twice for the base transform, and be encrypted, it is encrypted with only the outer, hop-by-hop key.
once for the recovery protection. This allows a media distributor to generate recovery packets without
having access to the inner, end-to-end keys. However, it also
results in recovery packets being triple-encrypted, twice for the
base transform, and once for the recovery protection.
7.1. RTP Retransmission (RTX) 7.1. RTP Retransmission (RTX)
When using RTX [RFC4588] with double, the cached payloads MUST be the When using RTX [RFC4588] with double, the cached payloads MUST be the
double-encrypted packets, i.e., the bits that are sent over the wire double-encrypted packets, i.e., the bits that are sent over the wire
to the other side. When encrypting a retransmission packet, it MUST to the other side. When encrypting a retransmission packet, it MUST
be encrypted the packet in repair mode (i.e., with only the HBH key). be encrypted the packet in repair mode (i.e., with only the hop-by-
hop key).
If the Media Distributor were to cache the inner, E2E-encrypted
payload and retransmit that with an RTX OSN field prepended, then the
modifications to the payload would cause the inner integrity check to
fail at the receiver.
A typical RTX receiver would decrypt the packet, undo the RTX A typical RTX receiver would decrypt the packet, undo the RTX
transformation, then process the resulting packet normally by using transformation, then process the resulting packet normally by using
the steps in Section 5.3. the steps in Section 5.3.
7.2. Redundant Audio Data (RED) 7.2. Redundant Audio Data (RED)
When using RED [RFC2198] with double, the primary encoding MAY When using RED [RFC2198] with double, the processing at the sender
contain RTP header extensions and CSRC identifiers but non primary and receiver is the same as when using RED with any other SRTP
encodings cannot. transform.
The sender takes encrypted payload from the cached packets to form
the RED payload. Any header extensions from the primary encoding are
copied to the RTP packet that will carry the RED payload and the
other RTP header information such as SSRC, SEQ, CSRC, etc are set to
the same as the primary payload. The RED RTP packet is then
encrypted in repair mode and sent.
The receiver decrypts the payload to find the encrypted RED payload.
Note a media relay can do this decryption as the packet was sent in
repair mode that only needs the hop-by-hop key. The RTP headers and
header extensions along with the primary payload and PT from inside
the RED payload (for the primary encoding) are used to form the
encrypted primary RTP packet which can then be decrypted with double.
The RTP headers (but not header extensions or CSRC) along with PT The main difference between double and any other transform is that in
from inside the RED payload corresponding to the redundant encoding an intermediated environment, usage of RED must be end-to-end. A
are used to from the non primary payloads. The time offset and Media Distributor cannot synthesize RED packets, because it lacks
packet rate information in the RED data MUST be used to adjust the access to the plaintext media payloads that are combined to form a
sequence number in the RTP header. At this point the non primary RED payload.
packets can be decrypted with double.
Note that Flex FEC [I-D.ietf-payload-flexible-fec-scheme] is a Note that FlexFEC may often provide similar or better repair
superset of the capabilities of RED. For most applications, FlexFEC capabilities compared to RED. For most applications, FlexFEC is a
is a better choice than RED. better choice than RED; in particular, FlexFEC has modes in which the
Media Distributor can synthesize recovery packets.
7.3. Forward Error Correction (FEC) 7.3. Forward Error Correction (FEC)
When using Flex FEC [I-D.ietf-payload-flexible-fec-scheme] with When using Flex FEC [I-D.ietf-payload-flexible-fec-scheme] with
double, repair packets MUST be constructed by first double-encrypting double, repair packets MUST be constructed by first double-encrypting
the packet, then performing FEC. Processing of repair packets the packet, then performing FEC. Processing of repair packets
proceeds in the opposite order, performing FEC recovery and then proceeds in the opposite order, performing FEC recovery and then
decrypting. This ensures that the original media is not revealed to decrypting. This ensures that the original media is not revealed to
the Media Distributor but at the same time allows the Media the Media Distributor but at the same time allows the Media
Distributor to repair media. When encrypting a packet that contains Distributor to repair media. When encrypting a packet that contains
the Flex FEC data, which is already encrypted, it MUST be encrypted the Flex FEC data, which is already encrypted, it MUST be encrypted
with only the outer, HBH transform. with only the outer, hop-by-hop transform.
The algorithm recommended in [I-D.ietf-rtcweb-fec] for repair of The algorithm recommended in [I-D.ietf-rtcweb-fec] for repair of
video is Flex FEC [I-D.ietf-payload-flexible-fec-scheme]. Note that video is Flex FEC [I-D.ietf-payload-flexible-fec-scheme]. Note that
for interoperability with WebRTC, [I-D.ietf-rtcweb-fec] recommends for interoperability with WebRTC, [I-D.ietf-rtcweb-fec] recommends
not using additional FEC only m-line in SDP for the repair packets. not using additional FEC only m-line in SDP for the repair packets.
7.4. DTMF 7.4. DTMF
When DTMF is sent using the mechanism in [RFC4733], it is end-to-end When DTMF is sent using the mechanism in [RFC4733], it is end-to-end
encrypted and the relay can not read it, so it cannot be used to encrypted and the relay can not read it, so it cannot be used to
skipping to change at page 12, line 49 skipping to change at page 13, line 8
example, if a new SRTP transform was defined that encrypts some or example, if a new SRTP transform was defined that encrypts some or
all of the RTP header, it would be reasonable for systems to have the all of the RTP header, it would be reasonable for systems to have the
option of using that for the outer algorithm. Similarly, if a new option of using that for the outer algorithm. Similarly, if a new
transform was defined that provided only integrity, that would also transform was defined that provided only integrity, that would also
be reasonable to use for the outer transform as the payload data is be reasonable to use for the outer transform as the payload data is
already encrypted by the inner transform. already encrypted by the inner transform.
The AES-GCM cryptographic algorithm introduces an additional 16 The AES-GCM cryptographic algorithm introduces an additional 16
octets to the length of the packet. When using AES-GCM for both the octets to the length of the packet. When using AES-GCM for both the
inner and outer cryptographic algorithms, the total additional length inner and outer cryptographic algorithms, the total additional length
is 32 octets. If no other header extensions are present in the is 32 octets. The OHB will consume an additional 1-4 octets.
packet and the OHB is introduced, that will consume an additional 8 Packets in repair mode will carry additional repair data, further
octets. If other extensions are already present, the OHB will increasing their size.
consume up to 4 additional octets. Packets in repair mode will carry
additional repair data, further increasing their size.
9. Security Considerations 9. Security Considerations
This SRTP transform provides protection against two classes of This SRTP transform provides protection against two classes of
attacker: An network attacker that knows neither the inner nor outer attacker: An network attacker that knows neither the inner nor outer
keys, and a malicious MD that knows the outer key. Obviously, it keys, and a malicious MD that knows the outer key. Obviously, it
provides no protections against an attacker that holds both the inner provides no protections against an attacker that holds both the inner
and outer keys. and outer keys.
The protections with regard to the network are the same as with the The protections with regard to the network are the same as with the
normal SRTP AES-GCM transforms. normal SRTP AES-GCM transforms. The major difference is that the
double transforms are designed to work better in a group context. In
such contexts, it is important to note that because these transforms
are symmetric, they do not protect against attacks within the group.
Any member of the group can generate valid SRTP packets for any SSRC
in use by the group.
With regard to a malicious MD, the recipient can verify the integrity With regard to a malicious MD, the recipient can verify the integrity
of the base header fields and confidentiality and integrity of the of the base header fields and confidentiality and integrity of the
payload. The recipient has no assurance, however, of the integrity payload. The recipient has no assurance, however, of the integrity
of the header extensions in the packet. of the header extensions in the packet.
The main innovation of this transform relative to other SRTP The main innovation of this transform relative to other SRTP
transforms is that it allows a partly-trusted MD to decrypt, modify, transforms is that it allows a partly-trusted MD to decrypt, modify,
and re-encrypt a packet. When this is done, the cryptographic and re-encrypt a packet. When this is done, the cryptographic
contexts used for decryption and re-encryption MUST use different, contexts used for decryption and re-encryption MUST use different,
independent master keys and master salts. If the same context is independent master keys. If the same context is used, the nonce
used, the nonce formation rules for SRTP will cause the same key and formation rules for SRTP will cause the same key and nonce to be used
nonce to be used with two different plaintexts, which substantially with two different plaintexts, which substantially degrades the
degrades the security of AES-GCM. security of AES-GCM.
In other words, from the perspective of the MD, re-encrypting packets In other words, from the perspective of the MD, re-encrypting packets
using this protocol will involve the same cryptographic operations as using this protocol will involve the same cryptographic operations as
if it had established independent AES-GCM crypto contexts with the if it had established independent AES-GCM crypto contexts with the
sender and the receiver. If the MD doesn't modify any header fields, sender and the receiver. If the MD doesn't modify any header fields,
then an MD that supports AES-GCM could be unused unmodified. then an MD that supports AES-GCM could be unused unmodified.
10. IANA Considerations 10. IANA Considerations
10.1. DTLS-SRTP 10.1. DTLS-SRTP
We request IANA to add the following values to defines a DTLS-SRTP We request IANA to add the following values to defines a DTLS-SRTP
"SRTP Protection Profile" defined in [RFC5764]. "SRTP Protection Profile" defined in [RFC5764].
+------------+------------------------------------------+-----------+ +------------+------------------------------------------+-----------+
| Value | Profile | Reference | | Value | Profile | Reference |
+------------+------------------------------------------+-----------+ +------------+------------------------------------------+-----------+
| {0x00, | DOUBLE_AEAD_AES_128_GCM_AEAD_AES_128_GCM | RFCXXXX | | {0x00, | DOUBLE_AEAD_AES_128_GCM_AEAD_AES_128_GCM | RFCXXXX |
| 0x09} | | | | 0x09} | | |
skipping to change at page 16, line 8 skipping to change at page 16, line 15
[RFC8285] Singer, D., Desineni, H., and R. Even, Ed., "A General [RFC8285] Singer, D., Desineni, H., and R. Even, Ed., "A General
Mechanism for RTP Header Extensions", RFC 8285, Mechanism for RTP Header Extensions", RFC 8285,
DOI 10.17487/RFC8285, October 2017, DOI 10.17487/RFC8285, October 2017,
<https://www.rfc-editor.org/info/rfc8285>. <https://www.rfc-editor.org/info/rfc8285>.
12.2. Informative References 12.2. Informative References
[I-D.ietf-payload-flexible-fec-scheme] [I-D.ietf-payload-flexible-fec-scheme]
Zanaty, M., Singh, V., Begen, A., and G. Mandyam, "RTP Zanaty, M., Singh, V., Begen, A., and G. Mandyam, "RTP
Payload Format for Flexible Forward Error Correction Payload Format for Flexible Forward Error Correction
(FEC)", draft-ietf-payload-flexible-fec-scheme-08 (work in (FEC)", draft-ietf-payload-flexible-fec-scheme-20 (work in
progress), July 2018. progress), May 2019.
[I-D.ietf-perc-dtls-tunnel] [I-D.ietf-perc-dtls-tunnel]
Jones, P., Ellenbogen, P., and N. Ohlmeier, "DTLS Tunnel Jones, P., Ellenbogen, P., and N. Ohlmeier, "DTLS Tunnel
between a Media Distributor and Key Distributor to between a Media Distributor and Key Distributor to
Facilitate Key Exchange", draft-ietf-perc-dtls-tunnel-03 Facilitate Key Exchange", draft-ietf-perc-dtls-tunnel-05
(work in progress), April 2018. (work in progress), April 2019.
[I-D.ietf-perc-private-media-framework] [I-D.ietf-perc-private-media-framework]
Jones, P., Benham, D., and C. Groves, "A Solution Jones, P., Benham, D., and C. Groves, "A Solution
Framework for Private Media in Privacy Enhanced RTP Framework for Private Media in Privacy Enhanced RTP
Conferencing", draft-ietf-perc-private-media-framework-07 Conferencing (PERC)", draft-ietf-perc-private-media-
(work in progress), September 2018. framework-12 (work in progress), June 2019.
[I-D.ietf-perc-srtp-ekt-diet] [I-D.ietf-perc-srtp-ekt-diet]
Jennings, C., Mattsson, J., McGrew, D., Wing, D., and F. Jennings, C., Mattsson, J., McGrew, D., Wing, D., and F.
Andreasen, "Encrypted Key Transport for DTLS and Secure Andreasen, "Encrypted Key Transport for DTLS and Secure
RTP", draft-ietf-perc-srtp-ekt-diet-08 (work in progress), RTP", draft-ietf-perc-srtp-ekt-diet-09 (work in progress),
July 2018. October 2018.
[I-D.ietf-rtcweb-fec] [I-D.ietf-rtcweb-fec]
Uberti, J., "WebRTC Forward Error Correction Uberti, J., "WebRTC Forward Error Correction
Requirements", draft-ietf-rtcweb-fec-08 (work in Requirements", draft-ietf-rtcweb-fec-09 (work in
progress), March 2018. progress), July 2019.
[RFC2198] Perkins, C., Kouvelas, I., Hodson, O., Hardman, V., [RFC2198] Perkins, C., Kouvelas, I., Hodson, O., Hardman, V.,
Handley, M., Bolot, J., Vega-Garcia, A., and S. Fosse- Handley, M., Bolot, J., Vega-Garcia, A., and S. Fosse-
Parisis, "RTP Payload for Redundant Audio Data", RFC 2198, Parisis, "RTP Payload for Redundant Audio Data", RFC 2198,
DOI 10.17487/RFC2198, September 1997, DOI 10.17487/RFC2198, September 1997,
<https://www.rfc-editor.org/info/rfc2198>. <https://www.rfc-editor.org/info/rfc2198>.
[RFC4588] Rey, J., Leon, D., Miyazaki, A., Varsa, V., and R. [RFC4588] Rey, J., Leon, D., Miyazaki, A., Varsa, V., and R.
Hakenberg, "RTP Retransmission Payload Format", RFC 4588, Hakenberg, "RTP Retransmission Payload Format", RFC 4588,
DOI 10.17487/RFC4588, July 2006, DOI 10.17487/RFC4588, July 2006,
 End of changes. 42 change blocks. 
127 lines changed or deleted 136 lines changed or added

This html diff was produced by rfcdiff 1.47. The latest version is available from http://tools.ietf.org/tools/rfcdiff/