draft-ietf-perc-double-01.txt   draft-ietf-perc-double-02.txt 
Network Working Group C. Jennings Network Working Group C. Jennings
Internet-Draft P. Jones Internet-Draft P. Jones
Intended status: Standards Track Cisco Systems Intended status: Standards Track Cisco Systems
Expires: January 9, 2017 A. Roach Expires: May 4, 2017 A. Roach
Mozilla Mozilla
July 8, 2016 October 31, 2016
SRTP Double Encryption Procedures SRTP Double Encryption Procedures
draft-ietf-perc-double-01 draft-ietf-perc-double-02
Abstract Abstract
In some conferencing scenarios, it is desirable for an intermediary In some conferencing scenarios, it is desirable for an intermediary
to be able to manipulate some RTP parameters, while still providing to be able to manipulate some RTP parameters, while still providing
strong end-to-end security guarantees. This document defines SRTP strong end-to-end security guarantees. This document defines SRTP
procedures that use two separate but related cryptographic contexts procedures that use two separate but related cryptographic contexts
to provide "hop-by-hop" and "end-to-end" security guarantees. Both to provide "hop-by-hop" and "end-to-end" security guarantees. Both
the end-to-end and hop-by-hop cryptographic transforms can utilize an the end-to-end and hop-by-hop cryptographic transforms can utilize an
authenticated encryption with associated data scheme or take authenticated encryption with associated data scheme or take
skipping to change at page 1, line 39 skipping to change at page 1, line 39
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on January 9, 2017. This Internet-Draft will expire on May 4, 2017.
Copyright Notice Copyright Notice
Copyright (c) 2016 IETF Trust and the persons identified as the Copyright (c) 2016 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 2, line 18 skipping to change at page 2, line 18
described in the Simplified BSD License. described in the Simplified BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3
3. Cryptographic Contexts . . . . . . . . . . . . . . . . . . . 3 3. Cryptographic Contexts . . . . . . . . . . . . . . . . . . . 3
4. Original Header Block . . . . . . . . . . . . . . . . . . . . 4 4. Original Header Block . . . . . . . . . . . . . . . . . . . . 4
5. RTP Operations . . . . . . . . . . . . . . . . . . . . . . . 5 5. RTP Operations . . . . . . . . . . . . . . . . . . . . . . . 5
5.1. Encrypting a Packet . . . . . . . . . . . . . . . . . . . 5 5.1. Encrypting a Packet . . . . . . . . . . . . . . . . . . . 5
5.2. Modifying a Packet . . . . . . . . . . . . . . . . . . . 6 5.2. Relaying a Packet . . . . . . . . . . . . . . . . . . . . 6
5.3. Decrypting a Packet . . . . . . . . . . . . . . . . . . . 7 5.3. Decrypting a Packet . . . . . . . . . . . . . . . . . . . 7
6. RTCP Operations . . . . . . . . . . . . . . . . . . . . . . . 8 6. RTCP Operations . . . . . . . . . . . . . . . . . . . . . . . 8
7. Recommended Inner and Outer Cryptographic Transforms . . . . 8 7. Recommended Inner and Outer Cryptographic Transforms . . . . 8
8. Security Considerations . . . . . . . . . . . . . . . . . . . 9 8. Security Considerations . . . . . . . . . . . . . . . . . . . 9
9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 10 9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 10
9.1. RTP Header Extension . . . . . . . . . . . . . . . . . . 10 9.1. RTP Header Extension . . . . . . . . . . . . . . . . . . 10
9.2. DTLS-SRTP . . . . . . . . . . . . . . . . . . . . . . . . 11 9.2. DTLS-SRTP . . . . . . . . . . . . . . . . . . . . . . . . 10
10. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 11 10. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 11
11. References . . . . . . . . . . . . . . . . . . . . . . . . . 12 11. References . . . . . . . . . . . . . . . . . . . . . . . . . 11
11.1. Normative References . . . . . . . . . . . . . . . . . . 12 11.1. Normative References . . . . . . . . . . . . . . . . . . 11
11.2. Informative References . . . . . . . . . . . . . . . . . 12 11.2. Informative References . . . . . . . . . . . . . . . . . 12
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 13 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 12
1. Introduction 1. Introduction
Cloud conferencing systems that are based on switched conferencing Cloud conferencing systems that are based on switched conferencing
have a central Media Distributor device that receives media from have a central Media Distributor device that receives media from
endpoints and distributes it to other endpoints, but does not need to endpoints and distributes it to other endpoints, but does not need to
interpret or change the media content. For these systems, it is interpret or change the media content. For these systems, it is
desirable to have one cryptographic context from the sending endpoint desirable to have one cryptographic context from the sending endpoint
to the receiving endpoint that can encrypt and authenticate the media to the receiving endpoint that can encrypt and authenticate the media
end-to-end while still allowing certain RTP header information to be end-to-end while still allowing certain RTP header information to be
skipping to change at page 5, line 31 skipping to change at page 5, line 31
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3
+---------------+-------------------------------+ +---------------+-------------------------------+
|R| PT | Sequence Number | |R| PT | Sequence Number |
+---------------+-------------------------------+ +---------------+-------------------------------+
If a Media Distributor modifies an original RTP header value, the If a Media Distributor modifies an original RTP header value, the
Media Distributor MUST include the OHB extension to reflect the Media Distributor MUST include the OHB extension to reflect the
changed value, setting the X bit in the RTP header to 1 if no header changed value, setting the X bit in the RTP header to 1 if no header
extensions were originally present. If another Media Distributor extensions were originally present. If another Media Distributor
along the media path makes additional changes to the RTP header and along the media path makes additional changes to the RTP header and
any original value is not already present in the OHB, the Media any original value is already present in the OHB, the Media
Distributor must extend the OHB by adding the changed value to the Distributor must extend the OHB by adding the changed value to the
OHB. To properly preserve original RTP header values, a Media OHB. To properly preserve original RTP header values, a Media
Distributor MUST NOT change a value already present in the OHB Distributor MUST NOT change a value already present in the OHB
extension. extension.
5. RTP Operations 5. RTP Operations
5.1. Encrypting a Packet 5.1. Encrypting a Packet
To encrypt a packet, the endpoint encrypts the packet using the inner To encrypt a packet, the endpoint encrypts the packet using the inner
skipping to change at page 6, line 19 skipping to change at page 6, line 19
extensions. The OHB MUST replicate the information found in the extensions. The OHB MUST replicate the information found in the
RTP header following the application of the inner cryptographic RTP header following the application of the inner cryptographic
transform. If not already set, the endpoint MUST set the X bit in transform. If not already set, the endpoint MUST set the X bit in
the RTP header to 1 when introducing the OHB extension. the RTP header to 1 when introducing the OHB extension.
o Apply the outer cryptographic transform to the RTP packet. If o Apply the outer cryptographic transform to the RTP packet. If
encrypting RTP header extensions hop-by-hop, then [RFC6904] MUST encrypting RTP header extensions hop-by-hop, then [RFC6904] MUST
be used when encrypting the RTP packet using the outer be used when encrypting the RTP packet using the outer
cryptographic context. cryptographic context.
5.2. Modifying a Packet 5.2. Relaying a Packet
The Media Distributor does not have a notion of outer or inner The Media Distributor does not have a notion of outer or inner
cryptographic contexts. Rather, the Media Distributor has a single cryptographic contexts. Rather, the Media Distributor has a single
cryptographic context. The cryptographic transform and key used to cryptographic context. The cryptographic transform and key used to
decrypt a packet and any encrypted RTP header extensions would be the decrypt a packet and any encrypted RTP header extensions would be the
same as those used in the endpoint's outer cryptographic context. same as those used in the endpoint's outer cryptographic context.
In order to modify a packet, the Media Distributor decrypts the In order to modify a packet, the Media Distributor decrypts the
packet, modifies the packet, updates the OHB with any modifications packet, modifies the packet, updates the OHB with any modifications
not already present in the OHB, and re-encrypts the packet using the not already present in the OHB, and re-encrypts the packet using the
skipping to change at page 7, line 26 skipping to change at page 7, line 26
a demarcation point between original RTP header extensions a demarcation point between original RTP header extensions
introduced by the endpoint and those introduced by a Media introduced by the endpoint and those introduced by a Media
Distributor. Distributor.
o The Media Distributor MAY modify any header extension appearing o The Media Distributor MAY modify any header extension appearing
after the OHB, but MUST NOT modify header extensions that are after the OHB, but MUST NOT modify header extensions that are
present before the OHB. present before the OHB.
o Apply the cryptographic transform to the packet. If the RTP o Apply the cryptographic transform to the packet. If the RTP
Sequence Number has been modified, SRTP processing happens as Sequence Number has been modified, SRTP processing happens as
defined in SRTP and which will end up using the new Sequence defined in SRTP and will end up using the new Sequence Number. If
Number. If encrypting RTP header extensions hop-by-hop, then encrypting RTP header extensions hop-by-hop, then [RFC6904] MUST
[RFC6904] MUST be used. be used.
5.3. Decrypting a Packet 5.3. Decrypting a Packet
To decrypt a packet, the endpoint first decrypts and verifies using To decrypt a packet, the endpoint first decrypts and verifies using
the outer cryptographic context, then uses the OHB to reconstruct the the outer cryptographic context, then uses the OHB to reconstruct the
original packet, which it decrypts and verifies with the inner original packet, which it decrypts and verifies with the inner
cryptographic context. cryptographic context.
o Apply the outer cryptographic transform to the packet. If the o Apply the outer cryptographic transform to the packet. If the
integrity check does not pass, discard the packet. The result of integrity check does not pass, discard the packet. The result of
skipping to change at page 8, line 7 skipping to change at page 8, line 7
values from OHB (if present). values from OHB (if present).
* Insert all header extensions up to the OHB extension, but * Insert all header extensions up to the OHB extension, but
exclude the OHB and any header extensions that follow the OHB. exclude the OHB and any header extensions that follow the OHB.
If there are no extensions remaining, then the X bit MUST bet If there are no extensions remaining, then the X bit MUST bet
set to 0. If there are extensions remaining, then the set to 0. If there are extensions remaining, then the
remaining extensions MUST be padded to the first 32-bit remaining extensions MUST be padded to the first 32-bit
boundary and the overall length of the header extensions boundary and the overall length of the header extensions
adjusted accordingly. adjusted accordingly.
* Payload is the original encrypted payload. * Payload is the encrypted payload from the outer SRTP packet.
o Apply the inner cryptographic transform to this synthetic SRTP o Apply the inner cryptographic transform to this synthetic SRTP
packet. Note if the RTP Sequence Number was changed by the Media packet. Note if the RTP Sequence Number was changed by the Media
Distributor, the syntetic packet has the original Sequence Number. Distributor, the synthetic packet has the original Sequence
If the integrity check does not pass, discard the packet. If Number. If the integrity check does not pass, discard the packet.
decrypting RTP header extensions end-to-end, then [RFC6904] MUST If decrypting RTP header extensions end-to-end, then [RFC6904]
be used when decrypting the RTP packet using the inner MUST be used when decrypting the RTP packet using the inner
cryptographic context. cryptographic context.
Once the packet has successfully decrypted, the application needs to Once the packet has been successfully decrypted, the application
be careful about which information it uses to get the correct needs to be careful about which information it uses to get the
behavior. The application MUST use only the information found in the correct behavior. The application MUST use only the information
synthetic SRTP packet and MUST NOT use the other data that was in the found in the synthetic SRTP packet and MUST NOT use the other data
outer SRTP packet with the following exceptions: that was in the outer SRTP packet with the following exceptions:
o The PT from the outer SRTP packet is used for normal matching to o The PT from the outer SRTP packet is used for normal matching to
SDP and codec selection. SDP and codec selection.
o The sequence number from the outer SRTP packet is used for normal o The sequence number from the outer SRTP packet is used for normal
RTP ordering. RTP ordering.
If any of the following RTP headers extensions are found in the outer If any of the following RTP headers extensions are found in the outer
SRTP packet, they MAY be used: SRTP packet, they MAY be used:
o TBD o Mixer-to-client audio level indicators (See [RFC6465])
6. RTCP Operations 6. RTCP Operations
Unlike RTP, which is encrypted both hop-by-hop and end-to-end using Unlike RTP, which is encrypted both hop-by-hop and end-to-end using
two separate cryptographic contexts, RTCP is encrypted using only the two separate cryptographic contexts, RTCP is encrypted using only the
outer (HBH) cryptographic context. The procedures for RTCP outer (HBH) cryptographic context. The procedures for RTCP
encryption are specified in [RFC3711] and this document introduces no encryption are specified in [RFC3711] and this document introduces no
additional steps. additional steps.
7. Recommended Inner and Outer Cryptographic Transforms 7. Recommended Inner and Outer Cryptographic Transforms
skipping to change at page 9, line 26 skipping to change at page 9, line 26
encrypted by the E2E. encrypted by the E2E.
The AES-GCM cryptographic transform introduces an additional 16 The AES-GCM cryptographic transform introduces an additional 16
octets to the length of the packet. When using AES-GCM for both the octets to the length of the packet. When using AES-GCM for both the
inner and outer cryptographic transforms, the total additional length inner and outer cryptographic transforms, the total additional length
is 32 octets. If no other header extensions are present in the is 32 octets. If no other header extensions are present in the
packet and the OHB is introduced, that will consume an additional 8 packet and the OHB is introduced, that will consume an additional 8
octets. If other extensions are already present, the OHB will octets. If other extensions are already present, the OHB will
consume up to 4 additional octets. consume up to 4 additional octets.
Open Issue: For an audio confernce using opus in a narrowband
configuration at TBD kbps with 20 ms packetizaton, the total
bandwidth of the RTP would change from TBD to TBD. Do we want to
consider having some AES-GCM transfroms with reduced length
authentication tags for the HBH. Since the actual authentication is
provided by the E2E check, and tampering with the the HBH can only
result in the wrong packet being selected as the loudest speaker, it
might be desirable to have 64 bits or even less of securiyt for the
HBH portion of the authentication.
8. Security Considerations 8. Security Considerations
To summarize what is encrypted and authenticated, we will refer to To summarize what is encrypted and authenticated, we will refer to
all the RTP fields and headers created by the sender and before the all the RTP fields and headers created by the sender and before the
pay load as the initial envelope and the RTP payload information with pay load as the initial envelope and the RTP payload information with
the media as the payload. Any additional headers added by the Media the media as the payload. Any additional headers added by the Media
Distributor are referred to as the extra envelope. The sender uses Distributor are referred to as the extra envelope. The sender uses
the E2E key to encrypts the payload and authenticate the payload + the E2E key to encrypts the payload and authenticate the payload +
initial envelope which using an AEAD cipher results in a slight initial envelope which using an AEAD cipher results in a slight
longer new payload. Then the sender uses the HBH key to encrypt the longer new payload. Then the sender uses the HBH key to encrypt the
skipping to change at page 10, line 8 skipping to change at page 9, line 47
The Media Distributor has the HBH key so it can check the The Media Distributor has the HBH key so it can check the
authentication of the received packet across the initial envelope and authentication of the received packet across the initial envelope and
payload data but it can't decrypt the payload as it does not have the payload data but it can't decrypt the payload as it does not have the
E2E key. It can add extra envelope information. It then E2E key. It can add extra envelope information. It then
authenticates the initial plus extra envelope information plus authenticates the initial plus extra envelope information plus
payload with a HBH key. This HBH for the outgoing packet is payload with a HBH key. This HBH for the outgoing packet is
typically different than the HBH key for the incoming packet. typically different than the HBH key for the incoming packet.
The receiver can check the authentication of the initial and extra The receiver can check the authentication of the initial and extra
envelope information. This, along with the OBH, i used to construct envelope information. This, along with the OBH, is used to construct
a synthetic packet that is should be identital to one the sender a synthetic packet that is should be identical to one the sender
created and the receiver can check that it is identical and then created and the receiver can check that it is identical and then
decrypt the original payload. decrypt the original payload.
The end result is that if the authentications succeed, the receiver The end result is that if the authentications succeed, the receiver
knows exactly what the original sender sent, as well as exactly which knows exactly what the original sender sent, as well as exactly which
modifications were made by the Media Distributor. modifications were made by the Media Distributor.
It is obviously critical that the intermediary have only the outer It is obviously critical that the intermediary has only the outer
transform parameters and not the inner transform parameters. We rely transform parameters and not the inner transform parameters. We rely
on an external key management protocol to assure this property. on an external key management protocol to assure this property.
Modifications by the intermediary result in the recipient getting two Modifications by the intermediary result in the recipient getting two
values for changed parameters (original and modified). The recipient values for changed parameters (original and modified). The recipient
will have to choose which to use; there is risk in using either that will have to choose which to use; there is risk in using either that
depends on the session setup. depends on the session setup.
The security properties for both the inner and outer key holders are The security properties for both the inner and outer key holders are
the same as the security properties of classic SRTP. the same as the security properties of classic SRTP.
skipping to change at page 12, line 10 skipping to change at page 11, line 45
10. Acknowledgments 10. Acknowledgments
Many thanks to review from Suhas Nandakumar, David Benham, Magnus Many thanks to review from Suhas Nandakumar, David Benham, Magnus
Westerlund and significant text from Richard Barnes. Westerlund and significant text from Richard Barnes.
11. References 11. References
11.1. Normative References 11.1. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/ Requirement Levels", BCP 14, RFC 2119,
RFC2119, March 1997, DOI 10.17487/RFC2119, March 1997,
<http://www.rfc-editor.org/info/rfc2119>. <http://www.rfc-editor.org/info/rfc2119>.
[RFC3711] Baugher, M., McGrew, D., Naslund, M., Carrara, E., and K. [RFC3711] Baugher, M., McGrew, D., Naslund, M., Carrara, E., and K.
Norrman, "The Secure Real-time Transport Protocol (SRTP)", Norrman, "The Secure Real-time Transport Protocol (SRTP)",
RFC 3711, DOI 10.17487/RFC3711, March 2004, RFC 3711, DOI 10.17487/RFC3711, March 2004,
<http://www.rfc-editor.org/info/rfc3711>. <http://www.rfc-editor.org/info/rfc3711>.
[RFC5285] Singer, D. and H. Desineni, "A General Mechanism for RTP [RFC5285] Singer, D. and H. Desineni, "A General Mechanism for RTP
Header Extensions", RFC 5285, DOI 10.17487/RFC5285, July Header Extensions", RFC 5285, DOI 10.17487/RFC5285, July
2008, <http://www.rfc-editor.org/info/rfc5285>. 2008, <http://www.rfc-editor.org/info/rfc5285>.
[RFC5764] McGrew, D. and E. Rescorla, "Datagram Transport Layer [RFC5764] McGrew, D. and E. Rescorla, "Datagram Transport Layer
Security (DTLS) Extension to Establish Keys for the Secure Security (DTLS) Extension to Establish Keys for the Secure
Real-time Transport Protocol (SRTP)", RFC 5764, DOI Real-time Transport Protocol (SRTP)", RFC 5764,
10.17487/RFC5764, May 2010, DOI 10.17487/RFC5764, May 2010,
<http://www.rfc-editor.org/info/rfc5764>. <http://www.rfc-editor.org/info/rfc5764>.
[RFC6904] Lennox, J., "Encryption of Header Extensions in the Secure [RFC6904] Lennox, J., "Encryption of Header Extensions in the Secure
Real-time Transport Protocol (SRTP)", RFC 6904, DOI Real-time Transport Protocol (SRTP)", RFC 6904,
10.17487/RFC6904, April 2013, DOI 10.17487/RFC6904, April 2013,
<http://www.rfc-editor.org/info/rfc6904>. <http://www.rfc-editor.org/info/rfc6904>.
[RFC7714] McGrew, D. and K. Igoe, "AES-GCM Authenticated Encryption [RFC7714] McGrew, D. and K. Igoe, "AES-GCM Authenticated Encryption
in the Secure Real-time Transport Protocol (SRTP)", RFC in the Secure Real-time Transport Protocol (SRTP)",
7714, DOI 10.17487/RFC7714, December 2015, RFC 7714, DOI 10.17487/RFC7714, December 2015,
<http://www.rfc-editor.org/info/rfc7714>. <http://www.rfc-editor.org/info/rfc7714>.
11.2. Informative References 11.2. Informative References
[I-D.jones-perc-dtls-tunnel] [I-D.jones-perc-dtls-tunnel]
Jones, P., "DTLS Tunnel between Media Distribution Device Jones, P., "A DTLS Tunnel between Media Distributor and
and Key Management Function to Facilitate Key Exchange", Key Distributor to Facilitate Key Exchange", draft-jones-
draft-jones-perc-dtls-tunnel-02 (work in progress), March perc-dtls-tunnel-03 (work in progress), July 2016.
2016.
[I-D.jones-perc-private-media-framework] [I-D.jones-perc-private-media-framework]
Jones, P. and D. Benham, "A Solution Framework for Private Jones, P. and D. Benham, "A Solution Framework for Private
Media in Privacy Enhanced RTP Conferencing", draft-jones- Media in Privacy Enhanced RTP Conferencing", draft-jones-
perc-private-media-framework-02 (work in progress), March perc-private-media-framework-02 (work in progress), March
2016. 2016.
[RFC6465] Ivov, E., Ed., Marocco, E., Ed., and J. Lennox, "A Real-
time Transport Protocol (RTP) Header Extension for Mixer-
to-Client Audio Level Indication", RFC 6465,
DOI 10.17487/RFC6465, December 2011,
<http://www.rfc-editor.org/info/rfc6465>.
Authors' Addresses Authors' Addresses
Cullen Jennings Cullen Jennings
Cisco Systems Cisco Systems
Email: fluffy@iii.ca Email: fluffy@iii.ca
Paul E. Jones Paul E. Jones
Cisco Systems Cisco Systems
Email: paulej@packetizer.com Email: paulej@packetizer.com
Adam Roach Adam Roach
Mozilla Mozilla
Email: adam@nostrum.com Email: adam@nostrum.com
 End of changes. 25 change blocks. 
51 lines changed or deleted 45 lines changed or added

This html diff was produced by rfcdiff 1.45. The latest version is available from http://tools.ietf.org/tools/rfcdiff/