draft-ietf-msec-srtp-tesla-00.txt   draft-ietf-msec-srtp-tesla-01.txt 
Internet Engineering Task Force Baugher (Cisco) Internet Engineering Task Force Baugher (Cisco)
MSEC Working Group Carrara (Ericsson) MSEC Working Group Carrara (Ericsson)
INTERNET-DRAFT INTERNET-DRAFT
EXPIRES: August 2004 February 2004 EXPIRES: January 2005 July 2004
The Use of TESLA in SRTP The Use of TESLA in SRTP
<draft-ietf-msec-srtp-tesla-00.txt> <draft-ietf-msec-srtp-tesla-01.txt>
Status of this memo Status of this memo
This document is an Internet-Draft and is in full conformance with By submitting this Internet-Draft, the authors certify that any
all provisions of Section 10 of RFC2026. applicable patent or other IPR claims of which I am (we are) aware
have been disclosed, and any of which I (we) become aware will be
disclosed, in accordance with RFC 3668 (BCP 79).
Internet-Drafts are working documents of the Internet Engineering By submitting this Internet-Draft, the authors accept the provisions
Task Force (IETF), its areas, and its working groups. Note that of Section 3 of RFC 3667 (BCP 78).
other groups may also distribute working documents as Internet-
Drafts.
Internet-Drafts are draft documents valid for a maximum of six Internet-Drafts are draft documents valid for a maximum of six
months and may be updated, replaced, or obsoleted by other documents months and may be updated, replaced, or obsoleted by other documents
at any time. It is inappropriate to use Internet-Drafts as at any time. It is inappropriate to use Internet-Drafts as
reference material or cite them other than as "work in progress". reference material or cite them other than as "work in progress".
The list of current Internet-Drafts can be accessed at The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt http://www.ietf.org/ietf/1id-abstracts.txt
The list of Internet-Draft Shadow Directories can be accessed at The list of Internet-Draft Shadow Directories can be accessed at
skipping to change at page 2, line ? skipping to change at page 2, line ?
TABLE OF CONTENTS TABLE OF CONTENTS
1. Introduction...................................................2 1. Introduction...................................................2
1.1. Notational Conventions.......................................3 1.1. Notational Conventions.......................................3
2. SRTP...........................................................3 2. SRTP...........................................................3
3. TESLA..........................................................4 3. TESLA..........................................................4
4. Usage of TESLA within SRTP.....................................4 4. Usage of TESLA within SRTP.....................................4
4.1. The TESLA extension..........................................4 4.1. The TESLA extension..........................................4
4.2. SRTP Packet Format...........................................5 4.2. SRTP Packet Format...........................................5
4.3. Extension of the SRTP Cryptographic Context..................6 4.3. Extension of the SRTP Cryptographic Context..................7
4.4. SRTP Processing..............................................7 4.4. SRTP Processing..............................................8
4.4.1 Sender Processing...........................................8 4.4.1 Sender Processing...........................................8
4.4.2 Receiver Processing.........................................8 4.4.2 Receiver Processing.........................................9
4.5. SRTCP Packet Format..........................................9 4.5. SRTCP Packet Format.........................................10
4.6. TESLA MAC...................................................11 4.6. TESLA MAC...................................................12
4.7. PRFs........................................................11 4.7. PRFs........................................................12
5. TESLA Bootstrapping...........................................12 5. TESLA Bootstrapping...........................................13
6. SRTP TESLA Default parameters.................................12 6. SRTP TESLA Default parameters.................................13
6.1 Transform-independent Parameter: SRTP MAC with TESLA MAC.....13 6.2 Transform-dependent Parameters for TESLA MAC.................14
6.2 Transform-dependent Parameters for TESLA MAC.................13
7. Security Considerations.......................................14 7. Security Considerations.......................................14
8. IANA Considerations...........................................14 8. IANA Considerations...........................................15
9. Acknowledgements..............................................14 9. Acknowledgements..............................................15
10. Author's Addresses...........................................15 10. Author's Addresses...........................................15
11. References...................................................15 11. References...................................................16
Intellectual Property Right Considerations.......................16
Full Copyright Statement.........................................16
1. Introduction 1. Introduction
Multicast and broadcast communication introduce some new security Multicast and broadcast communication introduce some new security
challenges compared to unicast communication. Many multicast and challenges compared to unicast communication. Many multicast and
broadcast applications need "data origin authentication" (DOA), or broadcast applications need "data origin authentication" (DOA), or
"source authentication", in order to guarantee that a received "source authentication", in order to guarantee that a received
message originated from a given source, and was not manipulated message had originated from a given source, and was not manipulated
during the transmission. In unicast communication, a pairwise during the transmission. In unicast communication, a pairwise
security association between one sender and one receiver can provide security association between one sender and one receiver can provide
data origin authentication using symmetric-key cryptography (such as data origin authentication using symmetric-key cryptography (such as
a message authentication code, MAC). When the communication is a message authentication code, MAC). When the communication is
strictly pairwise, the sender and receiver agree upon a key that is strictly pairwise, the sender and receiver agree upon a key that is
known only to them. known only to them.
In groups, however, a key is shared among more than two members, and In groups, however, a key is shared among more than two members, and
this symmetric-key approach does not guarantee data origin this symmetric-key approach does not guarantee data origin
authentication. When there is a group security association authentication. When there is a group security association
skipping to change at page 3, line 23 skipping to change at page 3, line 22
signature in the packet). signature in the packet).
Several schemes have been proposed to provide efficient data origin Several schemes have been proposed to provide efficient data origin
authentication in multicast and broadcast scenarios. The Timed authentication in multicast and broadcast scenarios. The Timed
Efficient Stream loss-tolerant Authentication (TESLA), is one such Efficient Stream loss-tolerant Authentication (TESLA), is one such
scheme. scheme.
This memo specifies TESLA authentication for SRTP. SRTP TESLA can This memo specifies TESLA authentication for SRTP. SRTP TESLA can
provide data origin authentication to RTP applications that use provide data origin authentication to RTP applications that use
group security associations (such as multicast RTP applications) so group security associations (such as multicast RTP applications) so
long as receivers abide by the TESLA security invariants [TESLA1, long as receivers abide by the TESLA security invariants [TESLA].
TESLA2].
1.1. Notational Conventions 1.1. Notational Conventions
The keywords "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The keywords "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119]. document are to be interpreted as described in [RFC2119].
This specification assumes the reader familiar with both SRTP and This specification assumes the reader familiar with both SRTP and
TESLA. Almost none of their details will be explained, and the TESLA. Few of their details are explained in this document, and the
reader can find them in their respective specifications [SRTP, reader can find them in their respective specifications [RFC3711],
TESLA1, TESLA2]. Also, this specification uses the same definitions [TESLA]. This specification uses the same definitions as TESLA for
as TESLA for common terms. common terms and assumes that the reader is familiar with the TESLA
algorithms and protocols [TESLA].
2. SRTP 2. SRTP
The Secure Real-time Transport Protocol (SRTP) [SRTP] is a profile The Secure Real-time Transport Protocol (SRTP) [RFC3711] is a
of RTP, which can provide confidentiality, message authentication, profile of RTP, which can provide confidentiality, message
and replay protection to the RTP traffic and to the RTP control authentication, and replay protection to the RTP traffic and to the
protocol, the Real-time Transport Control Protocol (RTCP). RTP control protocol, the Real-time Transport Control Protocol
(RTCP). Note, the term SRTP may often used to indicate SRTCP as
well.
SRTP is a framework that allows new security functions and new SRTP is a framework that allows new security functions and new
transforms to be added. SRTP currently does not define any transforms to be added. SRTP currently does not define any
mechanism to provide data origin authentication for group security mechanism to provide data origin authentication for group security
associations. Fortunately, it is straightforward to add TESLA to associations. Fortunately, it is straightforward to add TESLA to
the SRTP cryptographic framework. the SRTP cryptographic framework.
The TESLA extension to SRTP is defined in this specification, which The TESLA extension to SRTP is defined in this specification, which
assumes that the reader is familiar with the SRTP specification assumes that the reader is familiar with the SRTP specification
[SRTP], its packet structure, and processing rules. [RFC3711], its packet structure, and processing rules.
3. TESLA 3. TESLA
TESLA provides delayed per-packet data authentication and is TESLA provides delayed per-packet data authentication and is
specified in two documents, an introductory overview [TESLA1] and a specified in [TESLA]. This specification assumes that the reader is
second specification that defines signaling and data packet familiar with TESLA [TESLA].
parameters [TESLA2]. This specification assumes that the reader is
familiar with these two documents.
In addition to its SRTP data-packet definition given here, TESLA In addition to its SRTP data-packet definition given here, TESLA
needs an initial synchronization protocol and initial bootstrapping needs an initial synchronization protocol and initial bootstrapping
procedure. The synchronization protocol allows the sender and the procedure. The synchronization protocol allows the sender and the
receiver to compare their clocks and determine an upper bound of the receiver to compare their clocks and determine an upper bound of the
difference. The synchronization protocol is outside the scope of difference. The synchronization protocol is outside the scope of
this document. this document.
TESLA also requires an initial bootstrapping procedure to exchange TESLA also requires an initial bootstrapping procedure to exchange
needed parameters and the initial commitment to the key chain needed parameters and the initial commitment to the key chain
[TESLA2]. For SRTP, it is assumed that the bootstrapping is [TESLA]. For SRTP, it is assumed that the bootstrapping is
performed out-of-band, possibly using the key management protocol performed out-of-band, possibly using the key management protocol
that is exchanging the security parameters for SRTP, e.g. [GDOI, that is exchanging the security parameters for SRTP, e.g. [GDOI],
MIKEY]. Initial bootstrapping of TESLA is outside the scope of this [MIKEY]. Initial bootstrapping of TESLA is outside the scope of
document. this document.
4. Usage of TESLA within SRTP 4. Usage of TESLA within SRTP
The present specification is an extension to the SRTP specification The present specification is an extension to the SRTP specification
[SRTP] and describes the use of TESLA with only a single key chain, [RFC3711] and describes the use of TESLA with only a single key
and the delayed-authentication TESLA elements of procedure [TESLA1, chain, and the delayed-authentication TESLA elements of procedure
TESLA2]. [TESLA].
4.1. The TESLA extension 4.1. The TESLA extension
TESLA is an OPTIONAL authentication algorithm for SRTP. When used, TESLA is an OPTIONAL authentication transform for SRTP. When used,
TESLA adds the fields showed in Figure 1 per-packet. The fields TESLA adds the fields showed in Figure 1 per-packet. The fields
added by TESLA are called "TESLA authentication extensions" added by TESLA are called "TESLA authentication extensions"
altogether, whereas "authentication tag" or "integrity protection altogether, whereas "authentication tag" or "integrity protection
tag" indicate the normal integrity protection tag when the SRTP tag" indicate the normal SRTP integrity protection tag, when the
master key is shared by more than two endpoints [SRTP]. SRTP master key is shared by more than two endpoints [RFC3711].
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Id | | I |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
~ Disclosed Key ~ ~ Disclosed Key ~
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
~ TESLA MAC ~ ~ TESLA MAC ~
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 1: The "TESLA authentication extension". Figure 1: The "TESLA authentication extension".
Id: identifier of K_i, MANDATORY I: 32 bit, MANDATORY
The identifier of the key that was used to calculate the MAC Identifier of the time interval I, corresponding to the key K_i
present in the packet during interval i. that is used to calculate the TESLA MAC present in the current
packet (and in the packets sent in the current time interval I).
Disclosed Key: variable length, MANDATORY Disclosed Key: variable length, MANDATORY
The disclosed key, that can be used to authenticate previous The disclosed key (K_i-d), that can be used to authenticate
packets from earlier time intervals, i.e. K_{i-d}. previous packets from earlier time intervals [TESLA].
TESLA MAC (Message Authentication Code): variable length, MANDATORY TESLA MAC (Message Authentication Code): variable length, MANDATORY
The MAC computed using K'_i, which is disclosed in a subsequent The MAC computed using the key K'_i (derived from K_i) [TESLA],
packet. The MAC coverage is defined in Section 4.6. which is disclosed in a subsequent packet (in the Disclosed Key
field). The MAC coverage is defined in Section 4.6.
4.2. SRTP Packet Format 4.2. SRTP Packet Format
Figure 2 illustrates the format of the SRTP packet when TESLA is Figure 2 illustrates the format of the SRTP packet when TESLA is
applied. When applied to RTP, the TESLA authentication extension applied. When applied to RTP, the TESLA authentication extension
SHALL be inserted before the (optional) SRTP MKI and (recommended) SHALL be inserted before the (optional) SRTP MKI and (recommended)
authentication tag. authentication tag.
As in SRTP, the "Encrypted Portion" of an SRTP packet consists of
the encryption of the RTP payload (including RTP padding when
present) of the equivalent RTP packet.
The "Authenticated Portion" of an SRTP packet consists of the RTP
header, the Encrypted Portion of the SRTP packet, and the TESLA
authentication extension. Note that the definition is extended from
[SRTP] by the inclusion of the TESLA authentication extension.
The "TESLA Authenticated Portion" of an SRTP packet consists of the
RTP header, the Encrypted Portion of the SRTP packet, the TESLA Id
field, and the TESLA disclosed key.
0 1 2 3 0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<+<+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<+<+
|V=2|P|X| CC |M| PT | sequence number | | | |V=2|P|X| CC |M| PT | sequence number | | |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | |
| timestamp | | | | timestamp | | |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | |
| synchronization source (SSRC) identifier | | | | synchronization source (SSRC) identifier | | |
+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ | | +=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ | |
| contributing source (CSRC) identifiers | | | | contributing source (CSRC) identifiers | | |
| .... | | | | .... | | |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | |
| RTP extension (OPTIONAL) | | | | RTP extension (OPTIONAL) | | |
+>+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | +>+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | |
| | payload ... | | | | | payload ... | | |
| | +-------------------------------+ | | | | +-------------------------------+ | |
| | | RTP padding | RTP pad count | | | | | | RTP padding | RTP pad count | | |
+>+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | +>+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | |
| | Id | | | | | I | | |
| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | |
| ~ Disclosed Key ~ | |
| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<+ | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<+ |
| ~ Disclosed Key ~ | |
| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | |
| ~ TESLA MAC ~ | | | ~ TESLA MAC ~ | |
| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<|-+ | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<|-+
| ~ MKI ~ | | | | ~ MKI ~ | | |
| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | |
| ~ MAC ~ | | | ~ MAC ~ | |
| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | |
| | | | | |
+- Encrypted Portion TESLA Authenticated Portion ---+ | +- Encrypted Portion TESLA Authenticated Portion ---+ |
| |
Authenticated Portion ---+ Authenticated Portion ---+
Figure 2. The format of the SRTP packet when TESLA is applied. Note Figure 2. The format of the SRTP packet when TESLA is applied. Note
that it is OPTIONAL to apply TESLA, i.e. the TESLA fields are that it is OPTIONAL to apply TESLA, i.e. the TESLA fields are
OPTIONAL. OPTIONAL.
As in SRTP, the "Encrypted Portion" of an SRTP packet consists of
the encryption of the RTP payload (including RTP padding when
present) of the equivalent RTP packet.
The "Authenticated Portion" of an SRTP packet consists of the RTP
header, the Encrypted Portion of the SRTP packet, and the TESLA
authentication extension. Note that the definition is extended from
[RFC3711] by the inclusion of the TESLA authentication extension.
The "TESLA Authenticated Portion" of an SRTP packet consists of the
RTP header, the Encrypted Portion of the SRTP packet, and the TESLA
I field.
4.3. Extension of the SRTP Cryptographic Context 4.3. Extension of the SRTP Cryptographic Context
When TESLA is used, the definition of cryptographic context in When TESLA is used, the definition of cryptographic context in
Section 3.2 of SRTP SHALL include the following extensions: Section 3.2 of SRTP SHALL include the following extensions.
Transform-independent Parameter
a flag indicating the use of TESLA in SRTP. When this bit is set,
the following TESLA transform-dependent parameters define the
particular TESLA configuration.
Transform-dependent Parameters
1. an identifier for the PRF, f, implementing the one-way function 1. an identifier for the PRF, f, implementing the one-way function
F(x) in TESLA (to derive the keys in the chain), e.g. HMAC- F(x) in TESLA (to derive the keys in the chain), e.g. to
SHA1, indicate HMAC-SHA1, see Section 6.2 for the default value.
2. a non-negative integer n_c, determining the length of the F 2. a non-negative integer n_c, determining the length of the F
output, i.e. the length of the keys in the chain (that is also output, i.e. the length of the keys in the chain (that is also
the key disclosed in an SRTP packet), the key disclosed in an SRTP packet), see Section 6.2 for the
default value.
3. an identifier for the PRF, f', implementing the one-way 3. an identifier for the PRF, f', implementing the one-way
function F'(x) in TESLA (to derive the keys for the TESLA MAC, function F'(x) in TESLA (to derive the keys for the TESLA MAC,
from the keys in the chain), e.g. HMAC-SHA1, from the keys in the chain), e.g. to indicate HMAC-SHA1, see
Section 6.2 for the default value.
4. a non-negative integer n_f, determining the length of the 4. a non-negative integer n_f, determining the length of the
output of F', i.e. of the key for the TESLA MAC, output of F', i.e. of the key for the TESLA MAC, see Section
6.2 for the default value.
5. an identifier for the TESLA MAC, that accepts the output of 5. an identifier for the TESLA MAC, that accepts the output of
F'(x) as its key, F'(x) as its key, e.g. to indicate HMAC-SHA1, see Section 6.2
for the default value.
6. a non-negative integer n_m, determining the length of the 6. a non-negative integer n_m, determining the length of the
output of the TESLA MAC, output of the TESLA MAC, see Section 6.2 for the default value.
7. the identifier id_j of a specific time interval I_j,
8. an NTP timestamp TI_j describing the beginning of I_j,
9. an NTP timestamp T_int describing the interval duration, 7. the beginning of the session T_0,
10. the key-disclosure interval, d, 8. the interval duration T_int (in msec),
11. the id_n of the final key in the keychain, K_n, 9. the key disclosure delay d (in number of intervals)
10. non-negative integer n_c, determining the length of the key
chain, which is determined based up the expected duration of
the stream.
12. the interval d_n of the last key chain element. 11. the initial key of the chain to which the sender has
committed himself.
F(x) is used to compute a keychain of keys in SRTP TESLA, as defined F(x) is used to compute a keychain of keys in SRTP TESLA, as defined
in Section 6. Also according to TESLA, F'(x) computes a TESLA MAC in Section 6. Also according to TESLA, F'(x) computes a TESLA MAC
key with inputs as defined in Section 6. key with inputs as defined in Section 6.
Note that the replay list is now containing indices of recently Section 6 of this document defines the default values for the
received packets that have been authenticated by TESLA. I.e. replay transform-independent and transform-specific TESLA parameters.
list updates MUST NOT be based on SRTP MAC.
These parameters are all "transform-specific" parameters. There is
one transform-independent parameter that declares that SRTP message
authentication is extended with TESLA DOA authentication. Section 6
of this document defines the default values for the transform-
independent and transform-specific TESLA parameters.
4.4. SRTP Processing 4.4. SRTP Processing
The SRTP packet processing is described in Section 3.3 of the SRTP The SRTP packet processing is described in Section 3.3 of the SRTP
specification [SRTP]. The use of TESLA slightly changes the specification [RFC3711]. The use of TESLA slightly changes the
processing, as the SRTP MAC is checked upon packet arrival for DoS processing, as the SRTP MAC is checked upon packet arrival for DoS
prevention, but the current packet is not TESLA-authenticated. Each prevention, but the current packet is not TESLA-authenticated. Each
packet is buffered until a subsequent packet discloses its TESLA packet is buffered until a subsequent packet discloses its TESLA
key. The TESLA verification itself consists of some steps, such as key. The TESLA verification itself consists of some steps, such as
tests of TESLA security invariants, that are described in Section 4 tests of TESLA security invariants, that are described in Section
of [TESLA1]. The words "TESLA computation" and "TESLA verification" 3.5-3.7 of [TESLA]. The words "TESLA computation" and "TESLA
hereby imply all those steps, which are not all spelled out in the verification" hereby imply all those steps, which are not all
following. spelled out in the following. In particular, notice that the TESLA
verification implies checking the safety condition (Section 3.5 of
[TESLA]). If the safe condition does not hold, the packet MUST be
discarded.
4.4.1 Sender Processing 4.4.1 Sender Processing
The sender processing is as described in Section 3.3 of [SRTP], up The sender processing is as described in Section 3.3 of [RFC3711],
to step 5 included. After that the following process is followed: up to step 5 included. After that the following process is
followed:
6. When TESLA is applied, identify the key in the TESLA chain to be 6. When TESLA is applied, identify the key in the TESLA chain to be
used in the current time interval, and the TESLA MAC key derived used in the current time interval, and the TESLA MAC key derived
from it. Execute the TESLA computation to obtain the TESLA from it. Execute the TESLA computation to obtain the TESLA
authentication extension for the current packet, by appending the authentication extension for the current packet, by appending the
key Id, the disclosed key of the chain for an earlier packet, and current interval time (as I field), the disclosed key of the chain
the TESLA MAC under the current key from the chain. This step uses for an earlier packet, and the TESLA MAC under the current key from
the related TESLA parameters from the crypto context as for Step 4. the chain. This step uses the related TESLA parameters from the
crypto context as for Step 4.
7. If the MKI indicator is set to one, append the MKI to the packet. 7. If the MKI indicator in the SRTP crypto context is set to one,
append the MKI to the packet.
8. When TESLA is applied, compute the authentication tag as 8. When TESLA is applied, compute the authentication tag as
described in step 7 of Section 3.3 of the SRTP specification, but described in step 7 of Section 3.3 of the SRTP specification, but
with coverage as defined in this specification (see Section 4.6). with coverage as defined in this specification (see Section 4.6).
9. If necessary, update the ROC (step 9 in Section 3.3 of [SRTP]). 9. If necessary, update the ROC (step 8 in Section 3.3 of
[RFC3711]).
4.4.2 Receiver Processing 4.4.2 Receiver Processing
The receiver processing is as described in Section 3.3 of [SRTP], up The receiver processing is as described in Section 3.3 of [RFC3711],
to step 4 included. up to step 4 included.
To authenticate and replay-protect the current packet, the To authenticate and replay-protect the current packet, the
processing is the following: processing is the following:
First check if the packet has been replayed (as for Section 3.3 of First check if the packet has been replayed (as for Section 3.3 of
[SRTP]). If the packet is judged to be replayed, then the packet [RFC3711]). The SRTP replay list contains SRTP indices of recently
MUST be discarded, and the event SHOULD be logged. received packets that have been authenticated by TESLA. (I.e.
replay list updates MUST NOT be based on SRTP MAC.) If the packet
is judged to be replayed, then the packet MUST be discarded, and
the event SHOULD be logged.
Next, perform verification of the SRTP integrity protection tag Next, perform verification of the SRTP integrity protection tag
(note, not the TESLA MAC), if present, using the rollover counter (note, not the TESLA MAC), if present, using the rollover counter
from the current packet, the authentication algorithm indicated in from the current packet, the authentication algorithm indicated in
the cryptographic context, and the session authentication key. If the cryptographic context, and the session authentication key. If
the verification is unsuccessful, the packet MUST be discarded the verification is unsuccessful, the packet MUST be discarded
from further processing and the event SHOULD be logged. from further processing and the event SHOULD be logged.
If the verification is successful, remove the MKI (if present) and If the verification is successful, remove and store the MKI (if
authentication tag fields from the packet. The packet is buffered, present) and authentication tag fields from the packet. The packet
awaiting disclosure of the TESLA key in a subsequent packet. is buffered, awaiting disclosure of the TESLA key in a subsequent
packet.
TESLA authentication is performed on a packet when the key is TESLA authentication is performed on a packet when the key is
disclosed in a subsequent packet. When such key is disclosed, disclosed in a subsequent packet. When such key is disclosed,
perform the TESLA verification of the packet using the rollover perform the TESLA verification of the packet using the rollover
counter from the packet, the TESLA security parameters from the counter from the packet, the TESLA security parameters from the
cryptographic context, and the disclosed key. If the verification cryptographic context, and the disclosed key. If the verification
is unsuccessful, the packet MUST be discarded from further is unsuccessful, the packet MUST be discarded from further
processing and the event SHOULD be logged. If the TESLA processing and the event SHOULD be logged. If the TESLA
verification is successful, remove the TESLA authentication verification is successful, remove the TESLA authentication
extension from the packet. extension from the packet.
To decrypt the current packet, the processing is the following: To decrypt the current packet, the processing is the following:
Decrypt the Encrypted Portion of the packet, using the decryption Decrypt the Encrypted Portion of the packet, using the decryption
algorithm indicated in the cryptographic context, the session algorithm indicated in the cryptographic context, the session
encryption key and salt (if used) found in Step 4 with the index encryption key and salt (if used) found in Step 4 with the index
from Step 2. from Step 2.
(Note that the order of decryption and TESLA verification is not
mandated. It is up to the application if to perform decryption
immediately after the successful SRTP integrity protection
verification and then get informed if the TESLA authentication for
that packet has failed, or if to wait and TESLA- verify the packet
before further processing).
Update the rollover counter and highest sequence number, s_l, in the Update the rollover counter and highest sequence number, s_l, in the
cryptographic context, using the packet index estimated in Step 2. cryptographic context, using the packet index estimated in Step 2.
If replay protection is provided, also update the Replay List (i.e., If replay protection is provided, also update the Replay List (i.e.,
the Replay List is updated after the TESLA authentication is the Replay List is updated after the TESLA authentication is
successfully verified). successfully verified).
4.5. SRTCP Packet Format 4.5. SRTCP Packet Format
Figure 3 illustrates the format of the SRTCP packet when TESLA is Figure 3 illustrates the format of the SRTCP packet when TESLA is
applied. The TESLA authentication extension SHALL be inserted applied. The TESLA authentication extension SHALL be inserted
before the MKI and authentication tag. Recall from [SRTP] that in before the MKI and authentication tag. Recall from [RFC3711] that
SRTCP the MKI is OPTIONAL, while the E-bit, the SRTCP index, and the in SRTCP the MKI is OPTIONAL, while the E-bit, the SRTCP index, and
authentication tag are MANDATORY. the authentication tag are MANDATORY.
As in SRTP, the "Encrypted Portion" of an SRTCP packet consists of
the encryption of the RTCP payload of the equivalent compound RTCP
packet, from the first RTCP packet, i.e., from the ninth (9) octet
to the end of the compound packet.
The "Authenticated Portion" of an SRTCP packet consists of the
entire equivalent (eventually compound) RTCP packet, the E flag, the
SRTCP index (after any encryption has been applied to the payload),
and the TESLA extension. Note that the definition is extended from
[RFC3711] by the inclusion of the TESLA authentication extension.
We define the "TESLA Authenticated Portion" of an SRTCP packet as
consisting of the RTCP header (first 8 bytes), the Encrypted Portion
of the SRTCP packet, and the I field.
Processing of an SRTCP packets is similar to the SRTP processing
(Section 4.3), but there are SRTCP-specific changes described in
Section 3.4 of the SRTP specification [RFC3711] and in Section 4.6
of this memo.
0 1 2 3 0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<+<+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<+<+
|V=2|P| RC | PT=SR or RR | length | | | |V=2|P| RC | PT=SR or RR | length | | |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | |
| SSRC of sender | | | | SSRC of sender | | |
+>+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ | | +>+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ | |
| ~ sender info ~ | | | ~ sender info ~ | |
| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | |
skipping to change at page 10, line 30 skipping to change at page 11, line 30
| |V=2|P| SC | PT=SDES=202 | length | | | | |V=2|P| SC | PT=SDES=202 | length | | |
| +=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ | | | +=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ | |
| | SSRC/CSRC_1 | | | | | SSRC/CSRC_1 | | |
| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | |
| ~ SDES items ~ | | | ~ SDES items ~ | |
| +=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ | | | +=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ | |
| ~ ... ~ | | | ~ ... ~ | |
+>+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ | | +>+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ | |
| |E| SRTCP index | | | | |E| SRTCP index | | |
| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | |
| | Id (OPTIONAL) | | | | | I | | |
| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | |
| ~ Disclosed Key ~ | |
| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<+ | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<+ |
| ~ Disclosed Key ~ | |
| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | |
| ~ TESLA MAC ~ | | | ~ TESLA MAC ~ | |
| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<|-+ | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<|-+
| ~ SRTCP MKI ~ | | | ~ SRTCP MKI ~ | |
| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | |
| : authentication tag : | | | : authentication tag : | |
| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | |
| | | | | |
+-- Encrypted Portion TESLA Authenticated Portion -----+ | +-- Encrypted Portion TESLA Authenticated Portion -----+ |
| |
Authenticated Portion -------+ Authenticated Portion -------+
Figure 3. The format of the SRTCP packet when TESLA is applied. Figure 3. The format of the SRTCP packet when TESLA is applied.
Note that it is OPTIONAL to apply TESLA, i.e. the TESLA fields are Note that it is OPTIONAL to apply TESLA, i.e. the TESLA fields are
OPTIONAL. OPTIONAL.
As in SRTP, the "Encrypted Portion" of an SRTCP packet consists of
the encryption of the RTCP payload of the equivalent compound RTCP
packet, from the first RTCP packet, i.e., from the ninth (9) octet
to the end of the compound packet.
The "Authenticated Portion" of an SRTCP packet consists of the
entire equivalent (eventually compound) RTCP packet, the E flag, the
SRTCP index (after any encryption has been applied to the payload),
and the TESLA extension. Note that the definition is extended from
[SRTP] by the inclusion of the TESLA authentication extension.
We define the "TESLA Authenticated Portion" of an SRTCP packet as
consisting of the RTCP header (first 8 bytes), the Encrypted Portion
of the SRTCP packet, the Id field, and the TESLA disclosed key.
Processing of an SRTCP packets is similar to the SRTP processing
(Section 4.3), but there are SRTCP-specific changes described in
Section 3.4 of the SRTP specification [SRTP] and in Section 4.6 of
this memo.
4.6. TESLA MAC 4.6. TESLA MAC
Let M' denote packet data to be TESLA-authenticated. In the case of Let M' denote packet data to be TESLA-authenticated. In the case of
SRTP, M' SHALL consist of the SRTP TESLA Authenticated Portion (RTP SRTP, M' SHALL consist of the SRTP TESLA Authenticated Portion (RTP
header, SRTP Encrypted Portion, TESLA Id, and disclosed key) of the header, SRTP Encrypted Portion, and I field) shown in Figure 1 or
packet concatenated with the ROC of the same packet: Figure 2) of the packet concatenated with the ROC of the same
packet:
M' = ROC || TESLA Authenticated Portion. M' = ROC || TESLA Authenticated Portion.
In the case of SRTCP, M' SHALL consist of the SRTCP TESLA In the case of SRTCP, M' SHALL consist of the SRTCP TESLA
Authenticated Portion only (RTCP header, SRTCP Encrypted Portion, Authenticated Portion only (RTCP header, SRTCP Encrypted Portion,
TESLA Id, and disclosed key). and I field).
The normal authentication tag SHALL be applied with the same The normal authentication tag SHALL be applied with the same
coverage as specified in [SRTP], i.e. Authenticated Portion || ROC coverage as specified in [RFC3711], i.e.:
for SRTP, and Authenticated Portion for SRTCP.
- for SRTP: Authenticated Portion || ROC (with the extended
definition of SRTP Authentication Portion as for Section 4.2)
- for SRTCP: Authenticated Portion (with the extended definition of
SRTCP Authentication Portion as for Section 4.2).
The pre-defined authentication transform in SRTP, HMAC-SHA1 The pre-defined authentication transform in SRTP, HMAC-SHA1
[RFC2104], is also used to generate the TESLA MAC. For SRTP [RFC2104], is also used to generate the TESLA MAC. For SRTP
(respectively SRTCP), the HMAC SHALL be applied to the key in the (respectively SRTCP), the HMAC SHALL be applied to the key in the
TESLA chain corresponding to a particular time interval, and M' as TESLA chain corresponding to a particular time interval, and M' as
specified above. The HMAC output SHALL then be truncated to the n_m specified above. The HMAC output SHALL then be truncated to the n_m
left-most bits. Default values are in Section 6.2. left-most bits. Default values are in Section 6.2.
4.7. PRFs 4.7. PRFs
skipping to change at page 12, line 4 skipping to change at page 12, line 39
[RFC2104], is also used to generate the TESLA MAC. For SRTP [RFC2104], is also used to generate the TESLA MAC. For SRTP
(respectively SRTCP), the HMAC SHALL be applied to the key in the (respectively SRTCP), the HMAC SHALL be applied to the key in the
TESLA chain corresponding to a particular time interval, and M' as TESLA chain corresponding to a particular time interval, and M' as
specified above. The HMAC output SHALL then be truncated to the n_m specified above. The HMAC output SHALL then be truncated to the n_m
left-most bits. Default values are in Section 6.2. left-most bits. Default values are in Section 6.2.
4.7. PRFs 4.7. PRFs
TESLA requires two pseudo-random functions (PRFs), f and f', to TESLA requires two pseudo-random functions (PRFs), f and f', to
implement implement
* one one-way function F(x) to derive the key chain, and * one one-way function F(x) to derive the key chain, and
* one one-way function F'(x) to derive (from each key of the chain) * one one-way function F'(x) to derive (from each key of the chain)
the key that is actually used to calculate the TESLA MAC. the key that is actually used to calculate the TESLA MAC.
When TESLA is used within SRTP, the default choice of the two PRFs When TESLA is used within SRTP, the default choice of the two PRFs
SHALL be HMAC-SHA1. Default values are in Section 6.2. SHALL be HMAC-SHA1. Default values are in Section 6.2.
Other PRFs can be chosen, and their use SHALL follow the common Other PRFs can be chosen, and their use SHALL follow the common
guidelines in [SRTP] when adding new security parameter. guidelines in [RFC3711] when adding new security parameters.
5. TESLA Bootstrapping 5. TESLA Bootstrapping
The extensions to the SRTP cryptographic context include a set of The extensions to the SRTP cryptographic context include a set of
TESLA parameters that are listed in section 4.3 of this document. TESLA parameters that are listed in section 4.3 of this document.
Key management procedures establish these parameters prior to the Furthermore, TESLA MUST be bootstrapped at session set-up (for the
commencement of an SRTP session where TESLA authentication is used. parameter exchange and the initial key commitment) through a regular
data authentication system (a digital signature algorithm is
RECOMMENDED). Key management procedures can take care of this
bootstrapping prior to the commencement of an SRTP session where
TESLA authentication is used. The bootstrapping mechanism is out of
scope for this document.
A critical factor for the security of TESLA is that the sender and A critical factor for the security of TESLA is that the sender and
receiver need to be loosely synchronized. TESLA assumes that the receiver need to be loosely synchronized. TESLA assumes that the
local internal clocks do not drift too much during the session. Use local internal clocks do not drift too much during the session. Use
of TESLA in SRTP assumes that the time synchronization is guaranteed of TESLA in SRTP assumes that the time synchronization is guaranteed
by out-of-band schemes, i.e. it is not in the scope of SRTP. The by out-of-band schemes (e.g. key management), i.e. it is not in the
TESLA overview specification [TESLA2] describes some methods, which scope of SRTP.
might be accomplished as part of SRTP key management. At least one
SRTP key management protocol, MIKEY, requires time synchronization
[MIKEY].
6. SRTP TESLA Default parameters 6. SRTP TESLA Default parameters
Key management procedures establish SRTP TESLA operating parameters Key management procedures establish SRTP TESLA operating parameters
listed in section 4.3 of this document. The operating parameters listed in section 4.3 of this document. The operating parameters
appear in the SRTP cryptographic context and have the following appear in the SRTP cryptographic context and have the following
default values. In the future, an Internet RFC MAY define default values. In the future, an Internet RFC MAY define
alternative settings for SRTP TESLA that are different than those alternative settings for SRTP TESLA that are different than those
specified here. In particular, it should be noted that the settings specified here. In particular, it should be noted that the settings
defined in this memo can have a large impact on bandwidth, as it defined in this memo can have a large impact on bandwidth, as it
adds 38 bytes to each packet (when the field length values are the adds 38 bytes to each packet (when the field length values are the
default ones) . For certain applications, this overhead may default ones) . For certain applications, this overhead may
represent more than a 50% increase in packet size. Alternative represent more than a 50% increase in packet size. Alternative
settings might seek to reduce the number and length of various TESLA settings might seek to reduce the number and length of various TESLA
fields and outputs. No such optimizations are considered in this fields and outputs. No such optimizations are considered in this
memo. memo.
6.1 Transform-independent Parameter: SRTP MAC with TESLA MAC It is RECOMMENDED that the SRTP MAC be truncated to 32 bits since the
SRTP MAC provides only group authentication and serves only as
protection against external DoS.
Section 3.2.1 of the SRTP specification identifies "message 6.1 Transform-independent Parameters
authentication" as one of the transform-independent parameters. By
default, this is HMAC-SHA1 for SRTP. With the addition of TESLA,
SRTP message authentication becomes a compound parameter since it is
necessary to identify two message authentication algorithms, one for
the SRTP MAC and one for the TESLA MAC. Thus, the use or non-use of
TESLA SHALL be indicated by the presence of a TESLA bit in the SRTP
cryptographic context. When this bit is set, the SRTP
implementation MUST inspect the TESLA transform-dependent parameters
to determine the particular TESLA configuration.
It is RECOMMENDED that the SRTP MAC be truncated to four bytes since The value of the flag indicating the use of TESLA in SRTP is by
the SRTP MAC provides only group authentication and serves only as default zero (TESLA not used).
protection against DoS.
6.2 Transform-dependent Parameters for TESLA MAC 6.2 Transform-dependent Parameters for TESLA MAC
The default values for the security parameters are listed in the The default values for the security parameters are listed in the
following. "OWF" denotes a one-way function. following. "OWF" denotes a one-way function.
Parameter Mandatory-to-support Default Parameter Mandatory-to-support Default
--------- -------------------- ------- --------- -------------------- -------
TESLA KEYCHAIN OWF (F(x)) HMAC-SHA1 HMAC-SHA1 TESLA KEYCHAIN OWF (F(x)) HMAC-SHA1 HMAC-SHA1
OUTPUT LENGTH 160 160 OUTPUT LENGTH 160 160
TESLA MAC KEY OWF (F'(F(x))) HMAC-SHA1 HMAC-SHA1 TESLA MAC KEY OWF (F'(F(x))) HMAC-SHA1 HMAC-SHA1
OUTPUT LENGTH n_f 160 160 OUTPUT LENGTH n_f 160 160
TESLA MAC HMAC-SHA1 HMAC-SHA1 TESLA MAC HMAC-SHA1 HMAC-SHA1
(TRUNCATED) OUTPUT LENGTH n_m 80 80 (TRUNCATED) OUTPUT LENGTH n_m 80 80
id_j
TI_j
T_int
id_n
d_n
As shown above, TESLA implementations MUST support HMAC-SHA1 for the As shown above, TESLA implementations MUST support HMAC-SHA1 for the
TESLA MAC, the MAC key generator, and the TESLA keychain generator TESLA MAC, the MAC key generator, and the TESLA keychain generator
one-way function. The TESLA keychain generator is recursively one-way function. The TESLA keychain generator is recursively
defined as follows. defined as follows [TESLA].
K_i=HMAC_SHA1(K_{i+1},0), i=0..N-1 K_i=HMAC_SHA1(K_{i+1},0), i=0..N-1
The TESLA MAC key generator is defined as follows. where N-1=n_c from the cryptographic context.
The TESLA MAC key generator is defined as follows [TESLA].
K'_i=HMAC_SHA1(K_i,1) K'_i=HMAC_SHA1(K_i,1)
The TESLA MAC uses a truncated output of ten bytes [RFC2104] and is The TESLA MAC uses a truncated output of ten bytes [RFC2104] and is
defined as follows. defined as follows.
HMAC_SHA1(K'_i, M') HMAC_SHA1(K'_i, M')
where M' is as specified in Section 4.6. where M' is as specified in Section 4.6.
The TESLA interval parameters are id_j and id_n, both are 32 bits in
length. The times associated with the intervals are TI_j, T_int,
and d_n, which are 64-bit values in Network Time Protocol (NTP)
format.
7. Security Considerations 7. Security Considerations
Denial of Service (DoS) attacks when delayed authentication is used Denial of Service (DoS) attacks when delayed authentication is used
are discussed in [PCST]. TESLA requires receiver's buffering before are discussed in [PCST]. TESLA requires receiver's buffering before
authentication, therefore the receiver can suffer a denial of authentication, therefore the receiver can suffer a denial of
service attack due to a flood of bogus packets. To address this service attack due to a flood of bogus packets. To address this
problem, the current specification REQUIRES the use of a four-byte problem, the current specification REQUIRES the use of a 32-bit SRTP
SRTP MAC in addition to TESLA MAC. The shorter size of the SRTP MAC MAC in addition to TESLA MAC. The shorter size of the SRTP MAC is
is here motivated by the fact that that MAC served purely for DoS here motivated by the fact that that MAC served purely for DoS
prevention from attackers external to the group. prevention from attackers external to the group.
The use of TESLA in SRTP defined in this specification is subject to
the security considerations discussed in the SRTP specification
[RFC3711] an in the TESLA specification [TESLA]. In particular, it
must be noted that the all TESLA security is dependent on the
computation of the "safety condition" as defined in Section 3.5 of
[TESLA].
SRTP TESLA depends on the effective security of the systems that SRTP TESLA depends on the effective security of the systems that
perform bootstrapping (time synchronization) and key management. perform bootstrapping (time synchronization) and key management.
These systems are external to SRTP and are not considered in this These systems are external to SRTP and are not considered in this
specification. specification.
8. IANA Considerations 8. IANA Considerations
No IANA registration is required. No IANA registration is required.
9. Acknowledgements 9. Acknowledgements
The authors would like to thanks Karl Norrman, Mats Näslund, and Ran The authors would like to thanks Ran Canetti, Karl Norrman, Mats
Canetti, for their valuable help. N„slund, and Fredrik Lindholm for their valuable help.
10. Author's Addresses 10. Author's Addresses
Questions and comments should be directed to the authors and Questions and comments should be directed to the authors and
msec@ietf.org: msec@ietf.org:
Mark Baugher Mark Baugher
Cisco Systems, Inc. Cisco Systems, Inc.
5510 SW Orchid Street Phone: +1 408-853-4418 5510 SW Orchid Street Phone: +1 408-853-4418
Portland, OR 97219 USA Email: mbaugher@cisco.com Portland, OR 97219 USA Email: mbaugher@cisco.com
skipping to change at page 15, line 28 skipping to change at page 16, line 13
Sweden EMail: elisabetta.carrara@ericsson.com Sweden EMail: elisabetta.carrara@ericsson.com
11. References 11. References
Normative Normative
[PCST] Perrig, A., Canetti, R., Song, D., Tygar, D., "Efficient and [PCST] Perrig, A., Canetti, R., Song, D., Tygar, D., "Efficient and
Secure Source Authentication for Multicast", in Proc. of Network and Secure Source Authentication for Multicast", in Proc. of Network and
Distributed System Security Symposium NDSS 2001, pp. 35-46, 2001. Distributed System Security Symposium NDSS 2001, pp. 35-46, 2001.
[SRTP] Baugher, McGrew, Carrara, Naslund, Norrman, "The Secure Real- [RFC1305] Mills D., Network Time Protocol (Version 3)
time Transport Protocol", July 2003, <draft-ietf-avt-srtp-09.txt>. Specification, Implementation and Analysis, RFC 1305, March, 1992.
http://www.ietf.org/rfc/rfc1305.txt
[TESLA1] Perrig, Canetti, Song, Tygar, Briscoe, "TESLA: Multicast [RFC3711] Baugher, McGrew, Naslund, Carrara, Norrman, "The Secure
Source Authentication Transform Introduction", October 2002, draft- Real-time Transport Protocol", RFC 3711, March 2004.
ietf-msec-tesla-intro-01.txt.
[TESLA2] Perrig, Canetti, Whillock, "TESLA: Multicast Source [TESLA] Perrig, Canetti, Song, Tygar, Briscoe, "TESLA: Multicast
Authentication Transform Specification", October 2002, draft-ietf- Source Authentication Transform Introduction", October 2002, draft-
msec-tesla-spec-00.txt ietf-msec-tesla-intro-02.txt.
Informative Informative
[gkmarch] Baugher, Canetti, Dondeti, Lindholm, "MSEC Group Key [gkmarch] Baugher, Canetti, Dondeti, Lindholm, "MSEC Group Key
Management Architecture", January 2003, <draft-ietf-msec-gkmarch- Management Architecture", June 2004, <draft-ietf-msec-gkmarch-
07.txt>. 08.txt>.
[GDOI] Baugher, Weis, Hardjono, Harney, "The Group Domain of [GDOI] Baugher, Weis, Hardjono, Harney, "The Group Domain of
Interpretation", RFC 3547, July 2003. Interpretation", RFC 3547, July 2003.
[MESP] Baugher, Canetti, Cheng, Rohatgi, "MESP: A Multicast [MIKEY] Arkko et al., "MIKEY: Multimedia Internet KEYing", December
Framework for the IPsec ESP", March 2003, <draft-ietf-msec-mesp- 2003, <draft-ietf-msec-mikey-08.txt>
01.txt>.
[MIKEY] Arkko, Carrara, Lindholm, Naslund, Norrman, "MIKEY:
Multimedia Internet KEYing", December 2003, <draft-ietf-msec-mikey-
08.txt>
Intellectual Property Right Considerations
The IETF takes no position regarding the validity or scope of any
intellectual property or other rights that might be claimed to
pertain to the implementation or use of the technology described in
this document or the extent to which any license under such rights
might or might not be available; neither does it represent that it
has made any effort to identify any such rights. Information on the
IETF's procedures with respect to rights in standards-track and
standards-related documentation can be found in BCP-11. Copies of
claims of rights made available for publication and any assurances
of licenses to be made available, or the result of an attempt made
to obtain a general license or permission for the use of such
proprietary rights by implementors or users of this specification
can be obtained from the IETF Secretariat.
The IETF invites any interested party to bring to its attention any
copyrights, patents or patent applications, or other proprietary
rights which may cover technology that may be required to practice
this standard. Please address the information to the IETF Executive
Director.
Full Copyright Statement Copyright Notice
Copyright (C) The Internet Society (2004). All Rights Reserved. Copyright (C) The Internet Society (2004). This document is subject
This document and translations of it may be copied and furnished to to the rights, licenses and restrictions contained in BCP 78, and
others, and derivative works that comment on or otherwise explain it except as set forth therein, the authors retain all their rights.
or assist in its implementation may be prepared, copied, published
and distributed, in whole or in part, without restriction of any
kind, provided that the above copyright notice and this paragraph
are included on all such copies and derivative works. However, this
document itself may not be modified in any way, such as by removing
the copyright notice or references to the Internet Society or other
Internet organizations, except as needed for the purpose of
developing Internet standards in which case the procedures for
copyrights defined in the Internet Standards process must be
followed, or as required to translate it into languages other than
English.
The limited permissions granted above are perpetual and will not be Disclaimer of Validity
revoked by the Internet Society or its successors or assigns.
This document and the information contained herein is provided on an This document and the information contained herein are provided on
"AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE
TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE
BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR
HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
This draft expires in August 2004. This draft expires in January 2005.
 End of changes. 

This html diff was produced by rfcdiff 1.23, available from http://www.levkowetz.com/ietf/tools/rfcdiff/