draft-ietf-perc-double-00.txt   draft-ietf-perc-double-01.txt 
Network Working Group C. Jennings Network Working Group C. Jennings
Internet-Draft P. Jones Internet-Draft P. Jones
Intended status: Standards Track Cisco Systems Intended status: Standards Track Cisco Systems
Expires: November 10, 2016 A. Roach Expires: January 9, 2017 A. Roach
Mozilla Mozilla
May 9, 2016 July 8, 2016
SRTP Double Encryption Procedures SRTP Double Encryption Procedures
draft-ietf-perc-double-00 draft-ietf-perc-double-01
Abstract Abstract
In some conferencing scenarios, it is desirable for an intermediary In some conferencing scenarios, it is desirable for an intermediary
to be able to manipulate some RTP parameters, while still providing to be able to manipulate some RTP parameters, while still providing
strong end-to-end security guarantees. This document defines SRTP strong end-to-end security guarantees. This document defines SRTP
procedures that use two separate but related cryptographic contexts procedures that use two separate but related cryptographic contexts
to provide "hop-by-hop" and "end-to-end" security guarantees. Both to provide "hop-by-hop" and "end-to-end" security guarantees. Both
the end-to-end and hop-by-hop cryptographic transforms can utilize an the end-to-end and hop-by-hop cryptographic transforms can utilize an
authenticated encryption with associated data scheme or take authenticated encryption with associated data scheme or take
skipping to change at page 1, line 39 skipping to change at page 1, line 39
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on November 10, 2016. This Internet-Draft will expire on January 9, 2017.
Copyright Notice Copyright Notice
Copyright (c) 2016 IETF Trust and the persons identified as the Copyright (c) 2016 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 2, line 25 skipping to change at page 2, line 25
4. Original Header Block . . . . . . . . . . . . . . . . . . . . 4 4. Original Header Block . . . . . . . . . . . . . . . . . . . . 4
5. RTP Operations . . . . . . . . . . . . . . . . . . . . . . . 5 5. RTP Operations . . . . . . . . . . . . . . . . . . . . . . . 5
5.1. Encrypting a Packet . . . . . . . . . . . . . . . . . . . 5 5.1. Encrypting a Packet . . . . . . . . . . . . . . . . . . . 5
5.2. Modifying a Packet . . . . . . . . . . . . . . . . . . . 6 5.2. Modifying a Packet . . . . . . . . . . . . . . . . . . . 6
5.3. Decrypting a Packet . . . . . . . . . . . . . . . . . . . 7 5.3. Decrypting a Packet . . . . . . . . . . . . . . . . . . . 7
6. RTCP Operations . . . . . . . . . . . . . . . . . . . . . . . 8 6. RTCP Operations . . . . . . . . . . . . . . . . . . . . . . . 8
7. Recommended Inner and Outer Cryptographic Transforms . . . . 8 7. Recommended Inner and Outer Cryptographic Transforms . . . . 8
8. Security Considerations . . . . . . . . . . . . . . . . . . . 9 8. Security Considerations . . . . . . . . . . . . . . . . . . . 9
9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 10 9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 10
9.1. RTP Header Extension . . . . . . . . . . . . . . . . . . 10 9.1. RTP Header Extension . . . . . . . . . . . . . . . . . . 10
9.2. DTLS-SRTP . . . . . . . . . . . . . . . . . . . . . . . . 10 9.2. DTLS-SRTP . . . . . . . . . . . . . . . . . . . . . . . . 11
10. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 11 10. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 11
11. References . . . . . . . . . . . . . . . . . . . . . . . . . 11 11. References . . . . . . . . . . . . . . . . . . . . . . . . . 12
11.1. Normative References . . . . . . . . . . . . . . . . . . 11 11.1. Normative References . . . . . . . . . . . . . . . . . . 12
11.2. Informative References . . . . . . . . . . . . . . . . . 12 11.2. Informative References . . . . . . . . . . . . . . . . . 12
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 12 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 13
1. Introduction 1. Introduction
Cloud conferencing systems that are based on switched conferencing Cloud conferencing systems that are based on switched conferencing
have a central media distribution device (MDD) that receives media have a central Media Distributor device that receives media from
from endpoints and distributes it to other endpoints, but does not endpoints and distributes it to other endpoints, but does not need to
need to interpret or change the media content. For these systems, it interpret or change the media content. For these systems, it is
is desirable to have one cryptographic context from the sending desirable to have one cryptographic context from the sending endpoint
endpoint to the receiving endpoint that can encrypt and authenticate to the receiving endpoint that can encrypt and authenticate the media
the media end-to-end while still allowing certain RTP header end-to-end while still allowing certain RTP header information to be
information to be changed by the MDD. At the same time, a separate changed by the Media Distributor. At the same time, a separate
cryptographic context provides integrity and optional confidentiality cryptographic context provides integrity and optional confidentiality
for the media flowing between the MDD and the endpoints. See the for the media flowing between the Media Distributor and the
framework document that describes this concept in more detail in more endpoints. See the framework document that describes this concept in
detail in [I-D.jones-perc-private-media-framework]. more detail in more detail in
[I-D.jones-perc-private-media-framework].
This specification RECOMMENDS the SRTP AES-GCM transform [RFC7714] to This specification RECOMMENDS the SRTP AES-GCM transform [RFC7714] to
encrypt an RTP packet for the end-to-end cryptographic context. The encrypt an RTP packet for the end-to-end cryptographic context. The
output of this is treated as an RTP packet and again encrypted with output of this is treated as an RTP packet and again encrypted with
an SRTP transform used in the hop-by-hop cryptographic context an SRTP transform used in the hop-by-hop cryptographic context
between the endpoint and the MDD. The MDD decrypts and checks between the endpoint and the Media Distributor. The Media
integrity of the hop-by-hop security. The MDD MAY change some of the Distributor decrypts and checks integrity of the hop-by-hop security.
RTP header information that would impact the end-to-end integrity. The Media Distributor MAY change some of the RTP header information
The original value of any RTP header field that is changed is that would impact the end-to-end integrity. The original value of
included in a new RTP header extension called the Original Header any RTP header field that is changed is included in a new RTP header
Block. The new RTP packet is encrypted with the hop-by-hop extension called the Original Header Block. The new RTP packet is
cryptographic transform before it is sent. The receiving endpoint encrypted with the hop-by-hop cryptographic transform before it is
decrypts and checks integrity using the hop-by-hop cryptographic sent. The receiving endpoint decrypts and checks integrity using the
transform and then replaces any parameters the MDD changed using the hop-by-hop cryptographic transform and then replaces any parameters
information in the Original Header Block before decrypting and the Media Distributor changed using the information in the Original
checking the end-to-end integrity. Header Block before decrypting and checking the end-to-end integrity.
2. Terminology 2. Terminology
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119]. document are to be interpreted as described in [RFC2119].
Terms used throughout this document include: Terms used throughout this document include:
o MDD: media distribution device that routes media from one endpoint o Media Distributor: media distribution device that routes media
to other endpoints from one endpoint to other endpoints
o E2E: end-to-end, meaning the link from one endpoint through one or o E2E: end-to-end, meaning the link from one endpoint through one or
more MDDs to the endpoint at the other end. more Media Distributors to the endpoint at the other end.
o HBH: hop-by-hop, meaning the link from the endpoint to or from the o HBH: hop-by-hop, meaning the link from the endpoint to or from the
MDD. Media Distributor.
o OHB: Original Header Block is an RTP header extension that o OHB: Original Header Block is an RTP header extension that
contains the original values from the RTP header that might have contains the original values from the RTP header that might have
been changed by an MDD. been changed by a Media Distributor.
3. Cryptographic Contexts 3. Cryptographic Contexts
This specification uses two cryptographic contexts: an inner ("end- This specification uses two cryptographic contexts: an inner ("end-
to-end") context that is used by endpoints that originate and consume to-end") context that is used by endpoints that originate and consume
media to ensure the integrity of media end-to-end, and an outer media to ensure the integrity of media end-to-end, and an outer
("hop-by-hop") context that is used between endpoints and MDDs to ("hop-by-hop") context that is used between endpoints and Media
ensure the integrity of media over a single hop and to enable an MDD Distributors to ensure the integrity of media over a single hop and
to modify certain RTP header fields. RTCP is also encrypted using to enable a Media Distributor to modify certain RTP header fields.
the hop-by-hop cryptographic context. The RECOMMENDED cipher for the RTCP is also encrypted using the hop-by-hop cryptographic context.
hop-by-hop and end-to-end contexts is AES-GCM. Other combinations of The RECOMMENDED cipher for the hop-by-hop and end-to-end contexts is
SRTP ciphers that support the procedures in this document can be AES-GCM. Other combinations of SRTP ciphers that support the
added to the IANA registry. procedures in this document can be added to the IANA registry.
The keys and salt for these contexts are generated with the following The keys and salt for these contexts are generated with the following
steps: steps:
o Generate key and salt values of the length required for the o Generate key and salt values of the length required for the
combined inner (end-to-end) and outer (hop-by-hop) transforms. combined inner (end-to-end) and outer (hop-by-hop) transforms.
o Assign the key and salt values generated for the inner (end-to- o Assign the key and salt values generated for the inner (end-to-
end) transform. end) transform.
o Assign the key and salt values for the outer (hop-by-hop) o Assign the key and salt values for the outer (hop-by-hop)
transform. transform.
Obviously, if the MDD is to be able to modify header fields but not Obviously, if the Media Distributor is to be able to modify header
decrypt the payload, then it must have cryptographic context for the fields but not decrypt the payload, then it must have cryptographic
outer transform, but not the inner transform. This document does not context for the outer transform, but not the inner transform. This
define how the MDD should be provisioned with this information. One document does not define how the Media Distributor should be
possible way to provide keying material for the outer ("hop-by-hop") provisioned with this information. One possible way to provide
transform is to use [I-D.jones-perc-dtls-tunnel]. keying material for the outer ("hop-by-hop") transform is to use
[I-D.jones-perc-dtls-tunnel].
4. Original Header Block 4. Original Header Block
Any SRTP packet processed following these procedures MAY contain an Any SRTP packet processed following these procedures MAY contain an
Original Header Block (OHB) RTP header extension. Original Header Block (OHB) RTP header extension.
The OHB contains the original values of any modified header fields The OHB contains the original values of any modified header fields
and MUST be placed after any already-existing RTP header extensions. and MUST be placed after any already-existing RTP header extensions.
Placement of the OHB after any original header extensions is Placement of the OHB after any original header extensions is
important so that the receiving endpoint can properly authenticate important so that the receiving endpoint can properly authenticate
the original packet and any originally included RTP header the original packet and any originally included RTP header
extensions. The receiving endpoint will authenticate the original extensions. The receiving endpoint will authenticate the original
packet by restoring the modified RTP header field values and header packet by restoring the modified RTP header field values and header
extensions. It does this by copying the original values from the OHB extensions. It does this by copying the original values from the OHB
and then removing the OHB extension and any other RTP header and then removing the OHB extension and any other RTP header
extensions that appear after the OHB extension. extensions that appear after the OHB extension.
The MDD is only permitted to modify the extension (X) bit, payload The Media Distributor is only permitted to modify the extension (X)
type (PT) field, and the RTP sequence number field. bit, payload type (PT) field, and the RTP sequence number field.
The OHB extension is either one octet in length, two octets in The OHB extension is either one octet in length, two octets in
length, or three octets in length. The length of the OHB indicates length, or three octets in length. The length of the OHB indicates
what data is contained in the extension. what data is contained in the extension.
If the OHB is one octet in length, it contains both the original X If the OHB is one octet in length, it contains the original PT field
bit and PT field value. In this case, the OHB has this form: value. In this case, the OHB has this form:
0 0
0 1 2 3 4 5 6 7 0 1 2 3 4 5 6 7
+---------------+ +---------------+
|X| PT | |R| PT |
+---------------+ +---------------+
Note that "R" indicates a reserved bit that MUST be set to zero when
sending a packet and ignored upon receipt.
If the OHB is two octets in length, it contains the original RTP If the OHB is two octets in length, it contains the original RTP
packet sequence number. In this case, the OHB has this form: packet sequence number. In this case, the OHB has this form:
0 1 0 1
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5
+-------------------------------+ +-------------------------------+
| Sequence Number | | Sequence Number |
+-------------------------------+ +-------------------------------+
If the OHB is three octets in length, it contains the original X bit, If the OHB is three octets in length, it contains the original PT
PT field value, and RTP packet sequence number. In this case, the field value and RTP packet sequence number. In this case, the OHB
OHB has this form: has this form:
0 1 2 0 1 2
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3
+---------------+-------------------------------+ +---------------+-------------------------------+
|X| PT | Sequence Number | |R| PT | Sequence Number |
+---------------+-------------------------------+ +---------------+-------------------------------+
If an MDD modifies an original RTP header value, the MDD MUST include If a Media Distributor modifies an original RTP header value, the
the OHB extension to reflect the changed value. If another MDD along Media Distributor MUST include the OHB extension to reflect the
the media path makes additional changes to the RTP header and any changed value, setting the X bit in the RTP header to 1 if no header
original value is not already present in the OHB, the MDD must extend extensions were originally present. If another Media Distributor
the OHB by adding the changed value to the OHB. To properly preserve along the media path makes additional changes to the RTP header and
original RTP header values, an MDD MUST NOT change a value already any original value is not already present in the OHB, the Media
present in the OHB extension. Distributor must extend the OHB by adding the changed value to the
OHB. To properly preserve original RTP header values, a Media
Distributor MUST NOT change a value already present in the OHB
extension.
5. RTP Operations 5. RTP Operations
5.1. Encrypting a Packet 5.1. Encrypting a Packet
To encrypt a packet, the endpoint encrypts the packet using the inner To encrypt a packet, the endpoint encrypts the packet using the inner
cryptographic context and then encrypts using the outer cryptographic cryptographic context and then encrypts using the outer cryptographic
context. The processes is as follows: context. The processes is as follows:
o Form an RTP packet. If there are any header extensions, they MUST o Form an RTP packet. If there are any header extensions, they MUST
use [RFC5285]. use [RFC5285].
o Apply the inner cryptographic transform to the RTP packet. If o Apply the inner cryptographic transform to the RTP packet. If
encrypting RTP header extensions end-to-end, then [RFC6904] MUST encrypting RTP header extensions end-to-end, then [RFC6904] MUST
be used when encrypting the RTP packet using the inner be used when encrypting the RTP packet using the inner
cryptographic context. cryptographic context.
o If the endpoint wishes to insert header extensions that can be o If the endpoint wishes to insert header extensions that can be
modified by an MDD, it MUST insert an OHB header extension at the modified by an Media Distributor, it MUST insert an OHB header
end of any header extensions protected end-to-end, then add any extension at the end of any header extensions protected end-to-end
MDD-modifiable header extensions. The OHB MUST replicate the (if any), then add any Media Distributor-modifiable header
information found in the RTP header following the application of extensions. The OHB MUST replicate the information found in the
the inner cryptographic transform. For example, if the packet had RTP header following the application of the inner cryptographic
no header extensions when the inner cryptographic transform was transform. If not already set, the endpoint MUST set the X bit in
applied, the X bit would be 0. If the endpoint introduces an OHB the RTP header to 1 when introducing the OHB extension.
and then adds MDD-modifiable header extensions, the X bit in the
OHB would be 0. After introducing the OHB and MDD-modifiable
header extensions, of course, the X bit in the RTP header would be
set to 1.
o Apply the outer cryptographic transform to the RTP packet. If o Apply the outer cryptographic transform to the RTP packet. If
encrypting RTP header extensions hop-by-hop, then [RFC6904] MUST encrypting RTP header extensions hop-by-hop, then [RFC6904] MUST
be used when encrypting the RTP packet using the outer be used when encrypting the RTP packet using the outer
cryptographic context. cryptographic context.
5.2. Modifying a Packet 5.2. Modifying a Packet
The MDD does not have a notion of outer or inner cryptographic The Media Distributor does not have a notion of outer or inner
contexts. Rather, the MDD has a single cryptographic context. The cryptographic contexts. Rather, the Media Distributor has a single
cryptographic transform and key used to decrypt a packet and any cryptographic context. The cryptographic transform and key used to
encrypted RTP header extensions would be the same as those used in decrypt a packet and any encrypted RTP header extensions would be the
the endpoint's outer cryptographic context. same as those used in the endpoint's outer cryptographic context.
In order to modify a packet, the MDD decrypts the packet, modifies In order to modify a packet, the Media Distributor decrypts the
the packet, updates the OHB with any modifications not already packet, modifies the packet, updates the OHB with any modifications
present in the OHB, and re-encrypts the packet using the not already present in the OHB, and re-encrypts the packet using the
cryptographic context used for next hop. cryptographic context used for next hop.
o Apply the cryptographic transform to the packet. If decrypting o Apply the cryptographic transform to the packet. If decrypting
RTP header extensions hop-by-hop, then [RFC6904] MUST be used. RTP header extensions hop-by-hop, then [RFC6904] MUST be used.
o Change any required parameters o Change any required parameters
o If a changed RTP header field is not already in the OHB, add it o If a changed RTP header field is not already in the OHB, add it
with its original value to the OHB. An MDD MAY add information to with its original value to the OHB. A Media Distributor can add
the OHB, but MUST NOT change existing information in the OHB. information to the OHB, but MUST NOT change existing information
in the OHB.
o If the MDD resets a parameter to its original value, it MAY drop o If the Media Distributor resets a parameter to its original value,
it from the OHB as long as there are no other header extensions it MAY drop it from the OHB as long as there are no other header
following the OHB. Note that this might result in a decrease in extensions following the OHB. Note that this might result in a
the size of the OHB. decrease in the size of the OHB. It is also possible for the
Media Distributor to remove the OHB entirely if all parameters in
the RTP header are reset to their original values and no other
header extensions follow the OHB. If the OHB is removed and no
other extension is present, the X bit in the RTP header MUST be
set to 0.
o The MDD MUST NOT delete any header extensions before the OHB, but o The Media Distributor MUST NOT delete any header extensions before
MAY add, delete, or modify any that follow the OHB. the OHB, but MAY add, delete, or modify any that follow the OHB.
* If the MDD adds any header extensions, it must append them and * If the Media Distributor adds any header extensions, it must
it must maintain the order of the original header extensions in append them and it must maintain the order of the original
the [RFC5285] block. header extensions in the [RFC5285] block.
* If the MDD appends header extensions, then it MUST add the OHB * If the Media Distributor appends header extensions, then it
header extension (if not present), even if the OHB merely MUST add the OHB header extension (if not present), even if the
replicates the original header field values, and append the new OHB merely replicates the original header field values, and
extensions following the OHB. The OHB serves as a demarcation append the new extensions following the OHB. The OHB serves as
point between original RTP header extensions introduced by the a demarcation point between original RTP header extensions
endpoint and those introduced by an MDD. introduced by the endpoint and those introduced by a Media
Distributor.
o The MDD MAY modify any header extension appearing after the OHB, o The Media Distributor MAY modify any header extension appearing
but MUST NOT modify header extensions that are present before the after the OHB, but MUST NOT modify header extensions that are
OHB. present before the OHB.
o Apply the cryptographic transform to the packet. If the RTP o Apply the cryptographic transform to the packet. If the RTP
Sequence Number has been modified, SRTP processing happens as Sequence Number has been modified, SRTP processing happens as
defined in SRTP and which will end up using the new Sequence defined in SRTP and which will end up using the new Sequence
Number. If encrypting RTP header extensions hop-by-hop, then Number. If encrypting RTP header extensions hop-by-hop, then
[RFC6904] MUST be used. [RFC6904] MUST be used.
5.3. Decrypting a Packet 5.3. Decrypting a Packet
To decrypt a packet, the endpoint first decrypts and verifies using To decrypt a packet, the endpoint first decrypts and verifies using
skipping to change at page 7, line 42 skipping to change at page 7, line 50
header extensions hop-by-hop, then [RFC6904] MUST be used when header extensions hop-by-hop, then [RFC6904] MUST be used when
decrypting the RTP packet using the outer cryptographic context. decrypting the RTP packet using the outer cryptographic context.
o Form a new synthetic SRTP packet with: o Form a new synthetic SRTP packet with:
* Header = Received header, with header fields replaced with * Header = Received header, with header fields replaced with
values from OHB (if present). values from OHB (if present).
* Insert all header extensions up to the OHB extension, but * Insert all header extensions up to the OHB extension, but
exclude the OHB and any header extensions that follow the OHB. exclude the OHB and any header extensions that follow the OHB.
If the original X bit is 1, then the remaining extensions MUST If there are no extensions remaining, then the X bit MUST bet
be padded to the first 32-bit boundary and the overall length set to 0. If there are extensions remaining, then the
of the header extensions adjusted accordingly. If the original remaining extensions MUST be padded to the first 32-bit
X bit is 0, then the header extensions would be removed boundary and the overall length of the header extensions
entirely. adjusted accordingly.
* Payload is the original encrypted payload. * Payload is the original encrypted payload.
o Apply the inner cryptographic transform to this synthetic SRTP o Apply the inner cryptographic transform to this synthetic SRTP
packet. Note if the RTP Sequence Number was changed by the MDD, packet. Note if the RTP Sequence Number was changed by the Media
the syntetic packet has the original Sequence Number. If the Distributor, the syntetic packet has the original Sequence Number.
integrity check does not pass, discard the packet. If decrypting If the integrity check does not pass, discard the packet. If
RTP header extensions end-to-end, then [RFC6904] MUST be used when decrypting RTP header extensions end-to-end, then [RFC6904] MUST
decrypting the RTP packet using the inner cryptographic context. be used when decrypting the RTP packet using the inner
cryptographic context.
Once the packet has successfully decrypted, the application needs to Once the packet has successfully decrypted, the application needs to
be careful about which information it uses to get the correct be careful about which information it uses to get the correct
behavior. The application MUST use only the information found in the behavior. The application MUST use only the information found in the
synthetic SRTP packet and MUST NOT use the other data that was in the synthetic SRTP packet and MUST NOT use the other data that was in the
outer SRTP packet with the following exceptions: outer SRTP packet with the following exceptions:
o The PT from the outer SRTP packet is used for normal matching to o The PT from the outer SRTP packet is used for normal matching to
SDP and codec selection. SDP and codec selection.
skipping to change at page 9, line 21 skipping to change at page 9, line 30
inner and outer cryptographic transforms, the total additional length inner and outer cryptographic transforms, the total additional length
is 32 octets. If no other header extensions are present in the is 32 octets. If no other header extensions are present in the
packet and the OHB is introduced, that will consume an additional 8 packet and the OHB is introduced, that will consume an additional 8
octets. If other extensions are already present, the OHB will octets. If other extensions are already present, the OHB will
consume up to 4 additional octets. consume up to 4 additional octets.
Open Issue: For an audio confernce using opus in a narrowband Open Issue: For an audio confernce using opus in a narrowband
configuration at TBD kbps with 20 ms packetizaton, the total configuration at TBD kbps with 20 ms packetizaton, the total
bandwidth of the RTP would change from TBD to TBD. Do we want to bandwidth of the RTP would change from TBD to TBD. Do we want to
consider having some AES-GCM transfroms with reduced length consider having some AES-GCM transfroms with reduced length
authentication tags? authentication tags for the HBH. Since the actual authentication is
provided by the E2E check, and tampering with the the HBH can only
result in the wrong packet being selected as the loudest speaker, it
might be desirable to have 64 bits or even less of securiyt for the
HBH portion of the authentication.
8. Security Considerations 8. Security Considerations
To summarize what is encrypted and authenticated, we will refer to To summarize what is encrypted and authenticated, we will refer to
all the RTP fields and headers created by the sender and before the all the RTP fields and headers created by the sender and before the
pay load as the initial envelope and the RTP payload information with pay load as the initial envelope and the RTP payload information with
the media as the payload. Any additional headers added by the MDD the media as the payload. Any additional headers added by the Media
are referred to as the extra envelope. The sender uses the E2E key Distributor are referred to as the extra envelope. The sender uses
to encrypts the payload and authenticate the payload + initial the E2E key to encrypts the payload and authenticate the payload +
envelope which using an AEAD cipher results in a slight longer new initial envelope which using an AEAD cipher results in a slight
payload. Then the sender uses the HBH key to encrypt the new payload longer new payload. Then the sender uses the HBH key to encrypt the
and authenticate the initial envelope and new payload. new payload and authenticate the initial envelope and new payload.
The MDD has the HBH key so it can check the authentication of the The Media Distributor has the HBH key so it can check the
received packet across the initial envelope and payload data but it authentication of the received packet across the initial envelope and
can't decrypt the payload as it does not have the E2E key. It can payload data but it can't decrypt the payload as it does not have the
add extra envelope information. It then authenticates the initial E2E key. It can add extra envelope information. It then
plus extra envelope information plus payload with a HBH key. This authenticates the initial plus extra envelope information plus
HBH for the outgoing packet is typically different than the HBH key payload with a HBH key. This HBH for the outgoing packet is
for the incoming packet. typically different than the HBH key for the incoming packet.
The receiver can check the authentication of the initial and extra The receiver can check the authentication of the initial and extra
envelope information. This, along with the OBH, i used to construct envelope information. This, along with the OBH, i used to construct
a synthetic packet that is should be identital to one the sender a synthetic packet that is should be identital to one the sender
created and the receiver can check that it is identical and then created and the receiver can check that it is identical and then
decrypt the original payload. decrypt the original payload.
The end result is that if the authentications succeed, the receiver The end result is that if the authentications succeed, the receiver
knows exactly what the original sender sent, as well as exactly which knows exactly what the original sender sent, as well as exactly which
modifications were made by the MDD. modifications were made by the Media Distributor.
It is obviously critical that the intermediary have only the outer It is obviously critical that the intermediary have only the outer
transform parameters and not the inner transform parameters. We rely transform parameters and not the inner transform parameters. We rely
on an external key management protocol to assure this property. on an external key management protocol to assure this property.
Modifications by the intermediary result in the recipient getting two Modifications by the intermediary result in the recipient getting two
values for changed parameters (original and modified). The recipient values for changed parameters (original and modified). The recipient
will have to choose which to use; there is risk in using either that will have to choose which to use; there is risk in using either that
depends on the session setup. depends on the session setup.
 End of changes. 38 change blocks. 
127 lines changed or deleted 143 lines changed or added

This html diff was produced by rfcdiff 1.45. The latest version is available from http://tools.ietf.org/tools/rfcdiff/