draft-ietf-perc-double-05.txt   draft-ietf-perc-double-06.txt 
Network Working Group C. Jennings Network Working Group C. Jennings
Internet-Draft P. Jones Internet-Draft P. Jones
Intended status: Standards Track Cisco Systems Intended status: Standards Track R. Barnes
Expires: December 31, 2017 A. Roach Expires: February 9, 2018 Cisco Systems
A. Roach
Mozilla Mozilla
June 29, 2017 August 8, 2017
SRTP Double Encryption Procedures SRTP Double Encryption Procedures
draft-ietf-perc-double-05 draft-ietf-perc-double-06
Abstract Abstract
In some conferencing scenarios, it is desirable for an intermediary In some conferencing scenarios, it is desirable for an intermediary
to be able to manipulate some RTP parameters, while still providing to be able to manipulate some RTP parameters, while still providing
strong end-to-end security guarantees. This document defines SRTP strong end-to-end security guarantees. This document defines SRTP
procedures that use two separate but related cryptographic operations procedures that use two separate but related cryptographic operations
to provide hop-by-hop and end-to-end security guarantees. Both the to provide hop-by-hop and end-to-end security guarantees. Both the
end-to-end and hop-by-hop cryptographic algorithms can utilize an end-to-end and hop-by-hop cryptographic algorithms can utilize an
authenticated encryption with associated data scheme or take authenticated encryption with associated data scheme or take
skipping to change at page 1, line 39 skipping to change at page 1, line 40
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on December 31, 2017. This Internet-Draft will expire on February 9, 2018.
Copyright Notice Copyright Notice
Copyright (c) 2017 IETF Trust and the persons identified as the Copyright (c) 2017 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License. described in the Simplified BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3
3. Cryptographic Context . . . . . . . . . . . . . . . . . . . . 3 3. Cryptographic Context . . . . . . . . . . . . . . . . . . . . 4
4. Original Header Block . . . . . . . . . . . . . . . . . . . . 4 4. Original Header Block . . . . . . . . . . . . . . . . . . . . 4
5. RTP Operations . . . . . . . . . . . . . . . . . . . . . . . 6 5. RTP Operations . . . . . . . . . . . . . . . . . . . . . . . 5
5.1. Encrypting a Packet . . . . . . . . . . . . . . . . . . . 6 5.1. Encrypting a Packet . . . . . . . . . . . . . . . . . . . 5
5.2. Relaying a Packet . . . . . . . . . . . . . . . . . . . . 6 5.2. Relaying a Packet . . . . . . . . . . . . . . . . . . . . 6
5.3. Decrypting a Packet . . . . . . . . . . . . . . . . . . . 8 5.3. Decrypting a Packet . . . . . . . . . . . . . . . . . . . 7
6. RTCP Operations . . . . . . . . . . . . . . . . . . . . . . . 9 6. RTCP Operations . . . . . . . . . . . . . . . . . . . . . . . 8
7. Use with Other RTP Mechanisms . . . . . . . . . . . . . . . . 9 7. Use with Other RTP Mechanisms . . . . . . . . . . . . . . . . 8
7.1. RTX . . . . . . . . . . . . . . . . . . . . . . . . . . . 9 7.1. RTX . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
7.2. DTMF . . . . . . . . . . . . . . . . . . . . . . . . . . 9 7.2. RED . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
7.3. FEC . . . . . . . . . . . . . . . . . . . . . . . . . . . 9 7.3. FEC . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
8. Recommended Inner and Outer Cryptographic Algorithms . . . . 10 7.4. DTMF . . . . . . . . . . . . . . . . . . . . . . . . . . 9
8. Recommended Inner and Outer Cryptographic Algorithms . . . . 9
9. Security Considerations . . . . . . . . . . . . . . . . . . . 10 9. Security Considerations . . . . . . . . . . . . . . . . . . . 10
10. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 11 10. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 11
10.1. RTP Header Extension . . . . . . . . . . . . . . . . . . 11 10.1. RTP Header Extension . . . . . . . . . . . . . . . . . . 11
10.2. DTLS-SRTP . . . . . . . . . . . . . . . . . . . . . . . 12 10.2. DTLS-SRTP . . . . . . . . . . . . . . . . . . . . . . . 11
11. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 13 11. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 12
12. References . . . . . . . . . . . . . . . . . . . . . . . . . 13 12. References . . . . . . . . . . . . . . . . . . . . . . . . . 13
12.1. Normative References . . . . . . . . . . . . . . . . . . 13 12.1. Normative References . . . . . . . . . . . . . . . . . . 13
12.2. Informative References . . . . . . . . . . . . . . . . . 14 12.2. Informative References . . . . . . . . . . . . . . . . . 13
Appendix A. Encryption Overview . . . . . . . . . . . . . . . . 14
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 15 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 15
1. Introduction 1. Introduction
Cloud conferencing systems that are based on switched conferencing Cloud conferencing systems that are based on switched conferencing
have a central Media Distributor device that receives media from have a central Media Distributor device that receives media from
endpoints and distributes it to other endpoints, but does not need to endpoints and distributes it to other endpoints, but does not need to
interpret or change the media content. For these systems, it is interpret or change the media content. For these systems, it is
desirable to have one cryptographic key from the sending endpoint to desirable to have one cryptographic key from the sending endpoint to
the receiving endpoint that can encrypt and authenticate the media the receiving endpoint that can encrypt and authenticate the media
skipping to change at page 3, line 43 skipping to change at page 3, line 46
o Media Distributor: media distribution device that routes media o Media Distributor: media distribution device that routes media
from one endpoint to other endpoints from one endpoint to other endpoints
o end-to-end: meaning the link from one endpoint through one or more o end-to-end: meaning the link from one endpoint through one or more
Media Distributors to the endpoint at the other end. Media Distributors to the endpoint at the other end.
o hop-by-hop: meaning the link from the endpoint to or from the o hop-by-hop: meaning the link from the endpoint to or from the
Media Distributor. Media Distributor.
o OHB: Original Header Block is an RTP header extension that o OHB: Original Header Block is an octet string that contains the
contains the original values from the RTP header that might have original values from the RTP header that might have been changed
been changed by a Media Distributor. by a Media Distributor.
3. Cryptographic Context 3. Cryptographic Context
This specification uses a cryptographic context with two parts: an This specification uses a cryptographic context with two parts: an
inner (end-to-end) part that is used by endpoints that originate and inner (end-to-end) part that is used by endpoints that originate and
consume media to ensure the integrity of media end-to-end, and an consume media to ensure the integrity of media end-to-end, and an
outer (hop-by-hop) part that is used between endpoints and Media outer (hop-by-hop) part that is used between endpoints and Media
Distributors to ensure the integrity of media over a single hop and Distributors to ensure the integrity of media over a single hop and
to enable a Media Distributor to modify certain RTP header fields. to enable a Media Distributor to modify certain RTP header fields.
RTCP is also handled using the hop-by-hop cryptographic part. The RTCP is also handled using the hop-by-hop cryptographic part. The
skipping to change at page 4, line 23 skipping to change at page 4, line 30
o Generate key and salt values of the length required for the o Generate key and salt values of the length required for the
combined inner (end-to-end) and outer (hop-by-hop) algorithms. combined inner (end-to-end) and outer (hop-by-hop) algorithms.
o Assign the key and salt values generated for the inner (end-to- o Assign the key and salt values generated for the inner (end-to-
end) algorithm to the first half of the key and salt for the end) algorithm to the first half of the key and salt for the
double algorithm. double algorithm.
o Assign the key and salt values for the outer (hop-by-hop) o Assign the key and salt values for the outer (hop-by-hop)
algorithm to the second half of the key and salt for the double algorithm to the second half of the key and salt for the double
algorithm. The first half of the key is revered to as the inner algorithm. The first half of the key is referred to as the inner
key while the second out half is referred to as the outer key. key while the second half is referred to as the outer key. When a
When a key is used by a cryptographic algorithm, the salt used is key is used by a cryptographic algorithm, the salt used is the
the part of the salt generated with that key. part of the salt generated with that key.
Obviously, if the Media Distributor is to be able to modify header Obviously, if the Media Distributor is to be able to modify header
fields but not decrypt the payload, then it must have cryptographic fields but not decrypt the payload, then it must have cryptographic
key for the outer algorithm, but not the inner (end-to-end) key for the outer algorithm, but not the inner (end-to-end)
algorithm. This document does not define how the Media Distributor algorithm. This document does not define how the Media Distributor
should be provisioned with this information. One possible way to should be provisioned with this information. One possible way to
provide keying material for the outer (hop-by-hop) algorithm is to provide keying material for the outer (hop-by-hop) algorithm is to
use [I-D.ietf-perc-dtls-tunnel]. use [I-D.ietf-perc-dtls-tunnel].
4. Original Header Block 4. Original Header Block
Any SRTP packet processed following these procedures MAY contain an The Original Header Block (OHB) contains the original values of any
Original Header Block (OHB) RTP header extension. modified header fields. In the encryption process, the OHB is
appended to the RTP payload. In the decryption process, the
receiving endpoint uses it to reconstruct the original RTP header, so
that it can pass the proper AAD value to the inner transform.
The OHB contains the original values of any modified header fields The OHB can reflect modifications to the following fields in an RTP
and MUST be placed after any already-existing RTP header extensions. header: the payload type, the sequence number, and the marker bit.
Placement of the OHB after any original header extensions is
important so that the receiving endpoint can properly authenticate
the original packet and any originally included RTP header
extensions. The receiving endpoint will authenticate the original
packet by restoring the modified RTP header field values and header
extensions. It does this by copying the original values from the OHB
and then removing the OHB extension and any other RTP header
extensions that appear after the OHB extension.
The Media Distributor is only permitted to modify the extension (X) All other fields in the RTP header MUST remain unmodified; since the
bit, payload type (PT) field, and the RTP sequence number field. OHB cannot reflect their original values, the receiver will be unable
to verify the E2E integrity of the packet.
The OHB extension is either one octet in length, two octets in The OHB has the following syntax (in ABNF):
length, or three octets in length. The length of the OHB indicates
what data is contained in the extension.
If the OHB is one octet in length, it contains the original PT field BYTE = %x00-FF
value. In this case, the OHB has this form:
0 1 PT = BYTE
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 SEQ = 2BYTE
+-+-+-+-+-+-+-+-+---------------+ Config = BYTE
| ID | len=0 |R| PT |
+-+-+-+-+-+-+-+-+---------------+
Note that "R" indicates a reserved bit that MUST be set to zero when OHB = ?PT ?SEQ Config
sending a packet and ignored upon receipt. ID is the RTP Header
Extension identifier negotiated in the SDP.
If the OHB is two octets in length, it contains the original RTP If present, the PT and SEQ parts of the OHB contain the original
packet sequence number. In this case, the OHB has this form: payload type and sequence number fields, respectively. The final
"config" octet of the OHB specifies whether these fields are present,
and the original value of the marker bit (if necessary):
0 1 2 +-+-+-+-+-+-+-+-+
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 |R R R R B M P Q|
+-+-+-+-+-+-+-+-+-------------------------------+ +-+-+-+-+-+-+-+-+
| ID | len=1 | Sequence Number |
+-+-+-+-+-+-+-+-+-------------------------------+
If the OHB is three octets in length, it contains the original PT o P: PT is present
field value and RTP packet sequence number. In this case, the OHB
has this form:
0 1 2 3 o Q: SEQ is present
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 6 4 5 6 7 8 9 1
+-+-+-+-+-+-+-+-+---------------+-------------------------------+
| ID | len=2 |R| PT | Sequence Number |
+-+-+-+-+-+-+-+-+---------------+-------------------------------+
If a Media Distributor modifies an original RTP header value, the o M: Marker bit is present
Media Distributor MUST include the OHB extension to reflect the
changed value, setting the X bit in the RTP header to 1 if no header o B: Value of marker bit
extensions were originally present. If another Media Distributor
along the media path makes additional changes to the RTP header and o R: Reserved, MUST be set to 0
any original value is already present in the OHB, the Media
Distributor must extend the OHB by adding the changed value to the In particular, an all-zero OHB config octet (0x00) indicates that
OHB. To properly preserve original RTP header values, a Media there have been no modifications from the original header.
Distributor MUST NOT change a value already present in the OHB
extension.
5. RTP Operations 5. RTP Operations
5.1. Encrypting a Packet 5.1. Encrypting a Packet
To encrypt a packet, the endpoint encrypts the packet using the inner To encrypt a packet, the endpoint encrypts the packet using the inner
(end-to-end) cryptographic key and then encrypts using the outer (end-to-end) cryptographic key and then encrypts using the outer
(hop-by-hop) cryptographic key. The processes is as follows: (hop-by-hop) cryptographic key. The encryption also supports a mode
for repair packets that only does the outer (hop-by-hop) encryption.
The processes is as follows:
o Form an RTP packet. If there are any header extensions, they MUST 1. Form an RTP packet. If there are any header extensions, they
use [RFC5285]. MUST use [RFC5285].
o If the endpoint wishes to insert header extensions that can be 2. If the packet is for repair mode data, skip to step 6.
modified by an Media Distributor, it MUST insert an OHB header
extension at the end of any header extensions protected end-to-end
(if any), then add any Media Distributor-modifiable header
extensions. In other cases, the endpoint SHOULD still insert an
OHB header extension. The OHB MUST replicate the information
found in the RTP header following the application of the inner
cryptographic algorithm. If not already set, the endpoint MUST
set the X bit in the RTP header to 1 when introducing the OHB
extension.
o Apply the inner cryptographic algorithm to the RTP packet. If 3. Form a synthetic RTP packet with the following contents:
encrypting RTP header extensions end-to-end, then [RFC6904] MUST
be used when encrypting the RTP packet using the inner
cryptographic key.
o Apply the outer cryptographic algorithm to the RTP packet. If * Header: The RTP header of the original packet with the
encrypting RTP header extensions hop-by-hop, then [RFC6904] MUST following modifications:
be used when encrypting the RTP packet using the outer
cryptographic key. * The X bit is set to zero
* The header is truncated to remove any extensions (12 + 4 * CC
bytes)
* Payload: The RTP payload of the original packet
4. Apply the inner cryptographic algorithm to the RTP packet.
5. Replace the header of the protected RTP packet with the header of
the original packet, and append to the payload of the packet (1)
the authentication tag from the original transform, and (2) an
empty OHB (0x00).
6. Apply the outer cryptographic algorithm to the RTP packet. If
encrypting RTP header extensions hop-by-hop, then [RFC6904] MUST
be used when encrypting the RTP packet using the outer
cryptographic key.
When using EKT [I-D.ietf-perc-srtp-ekt-diet], the EKT Field comes When using EKT [I-D.ietf-perc-srtp-ekt-diet], the EKT Field comes
after the SRTP packet exactly like using EKT with any other SRTP after the SRTP packet exactly like using EKT with any other SRTP
transform. transform.
5.2. Relaying a Packet 5.2. Relaying a Packet
The Media Distributor does has the part of the key for the outer The Media Distributor has the part of the key for the outer (hop-by-
(hop-by-hop) but does not have the part of the key for the (end-to- hop), but it does not have the part of the key for the (end-to-end)
end) cryptographic algorithm. The cryptographic algorithm and key cryptographic algorithm. The cryptographic algorithm and key used to
used to decrypt a packet and any encrypted RTP header extensions decrypt a packet and any encrypted RTP header extensions would be the
would be the same as those used in the endpoint's outer algorithm and same as those used in the endpoint's outer algorithm and key.
key.
In order to modify a packet, the Media Distributor decrypts the In order to modify a packet, the Media Distributor decrypts the
packet, modifies the packet, updates the OHB with any modifications packet, modifies the packet, updates the OHB with any modifications
not already present in the OHB, and re-encrypts the packet using the not already present in the OHB, and re-encrypts the packet using the
cryptographic using the outer (hop-by-hop) key. cryptographic using the outer (hop-by-hop) key.
o Apply the outer (bop-by-hop) cryptographic algorithm to decrypt 1. Apply the outer (hop-by-hop) cryptographic algorithm to decrypt
the packet. If decrypting RTP header extensions hop-by-hop, then the packet. If decrypting RTP header extensions hop-by-hop, then
[RFC6904] MUST be used. [RFC6904] MUST be used. Note that the RTP payload produced by
this decryption operation contains the original encrypted payload
o Change any parts of the RTP packet that the relay wishes to change with the tag from the inner transform and the OHB appended.
and are allowed to be changed.
o If a changed RTP header field is not already in the OHB, add it
with its original value to the OHB. A Media Distributor can add
information to the OHB, but MUST NOT change existing information
in the OHB.
o If the Media Distributor resets a parameter to its original value,
it MAY drop it from the OHB as long as there are no other header
extensions following the OHB. Note that this might result in a
decrease in the size of the OHB. It is also possible for the
Media Distributor to remove the OHB entirely if all parameters in
the RTP header are reset to their original values and no other
header extensions follow the OHB. If the OHB is removed and no
other extension is present, the X bit in the RTP header MUST be
set to 0.
o The Media Distributor MUST NOT delete any header extensions before
the OHB, but MAY add, delete, or modify any that follow the OHB.
* If the Media Distributor adds any header extensions, it must 2. Change any parts of the RTP packet that the relay wishes to
append them and it must maintain the order of the original change and are allowed to be changed.
header extensions in the [RFC5285] block.
* If the Media Distributor appends header extensions, then it 3. If a changed RTP header field is not already in the OHB, add it
MUST add the OHB header extension (if not present), even if the with its original value to the OHB. A Media Distributor can add
OHB merely replicates the original header field values, and information to the OHB, but MUST NOT change existing information
append the new extensions following the OHB. The OHB serves as in the OHB.
a demarcation point between original RTP header extensions
introduced by the endpoint and those introduced by a Media
Distributor.
o The Media Distributor MAY modify any header extension appearing 4. If the Media Distributor resets a parameter to its original
after the OHB, but MUST NOT modify header extensions that are value, it MAY drop it from the OHB. Note that this might result
present before the OHB. in a decrease in the size of the OHB.
o Apply the outer (hop-by-hop) cryptographic algorithm to the 5. Apply the outer (hop-by-hop) cryptographic algorithm to the
packet. If the RTP Sequence Number has been modified, SRTP packet. If the RTP Sequence Number has been modified, SRTP
processing happens as defined in SRTP and will end up using the processing happens as defined in SRTP and will end up using the
new Sequence Number. If encrypting RTP header extensions hop-by- new Sequence Number. If encrypting RTP header extensions hop-by-
hop, then [RFC6904] MUST be used. hop, then [RFC6904] MUST be used.
5.3. Decrypting a Packet 5.3. Decrypting a Packet
To decrypt a packet, the endpoint first decrypts and verifies using To decrypt a packet, the endpoint first decrypts and verifies using
the outer (hop-by-hop) cryptographic key, then uses the OHB to the outer (hop-by-hop) cryptographic key, then uses the OHB to
reconstruct the original packet, which it decrypts and verifies with reconstruct the original packet, which it decrypts and verifies with
the inner (end-to-end) cryptographic key. the inner (end-to-end) cryptographic key.
o Apply the outer cryptographic algorithm to the packet. If the 1. Apply the outer cryptographic algorithm to the packet. If the
integrity check does not pass, discard the packet. The result of integrity check does not pass, discard the packet. The result of
this is referred to as the outer SRTP packet. If decrypting RTP this is referred to as the outer SRTP packet. If decrypting RTP
header extensions hop-by-hop, then [RFC6904] MUST be used when header extensions hop-by-hop, then [RFC6904] MUST be used when
decrypting the RTP packet using the outer cryptographic key. decrypting the RTP packet using the outer cryptographic key.
o Form a new synthetic SRTP packet with: 2. If the packet is for repair mode data, skip the rest of the
steps.
* Header = Received header, with header fields replaced with 3. Remove the inner authentication tag and the OHB from the end of
values from OHB (if present). the payload of the outer SRTP packet.
* Insert all header extensions up to the OHB extension, but 4. Form a new synthetic SRTP packet with:
exclude the OHB and any header extensions that follow the OHB.
If there are no extensions remaining, then the X bit MUST bet
set to 0. If there are extensions remaining, then the
remaining extensions MUST be padded to the first 32-bit
boundary and the overall length of the header extensions
adjusted accordingly.
* Payload is the encrypted payload from the outer SRTP packet. * Header = Received header, with the following modifications:
o Apply the inner cryptographic algorithm to this synthetic SRTP * Header fields replaced with values from OHB (if any)
packet. Note if the RTP Sequence Number was changed by the Media
Distributor, the synthetic packet has the original Sequence * The X bit is set to zero
Number. If the integrity check does not pass, discard the packet.
If decrypting RTP header extensions end-to-end, then [RFC6904] * The header is truncated to remove any extensions (12 + 4 * CC
MUST be used when decrypting the RTP packet using the inner bytes)
cryptographic key.
* Payload is the encrypted payload from the outer SRTP packet
(after the inner tag and OHB have been stripped).
* Authentication tag is the inner authentication tag from the
outer SRTP packet.
5. Apply the inner cryptographic algorithm to this synthetic SRTP
packet. Note if the RTP Sequence Number was changed by the Media
Distributor, the synthetic packet has the original Sequence
Number. If the integrity check does not pass, discard the
packet.
Once the packet has been successfully decrypted, the application Once the packet has been successfully decrypted, the application
needs to be careful about which information it uses to get the needs to be careful about which information it uses to get the
correct behaviour. The application MUST use only the information correct behaviour. The application MUST use only the information
found in the synthetic SRTP packet and MUST NOT use the other data found in the synthetic SRTP packet and MUST NOT use the other data
that was in the outer SRTP packet with the following exceptions: that was in the outer SRTP packet with the following exceptions:
o The PT from the outer SRTP packet is used for normal matching to o The PT from the outer SRTP packet is used for normal matching to
SDP and codec selection. SDP and codec selection.
skipping to change at page 9, line 28 skipping to change at page 8, line 49
Unlike RTP, which is encrypted both hop-by-hop and end-to-end using Unlike RTP, which is encrypted both hop-by-hop and end-to-end using
two separate cryptographic key, RTCP is encrypted using only the two separate cryptographic key, RTCP is encrypted using only the
outer (hop-by-hop) cryptographic key. The procedures for RTCP outer (hop-by-hop) cryptographic key. The procedures for RTCP
encryption are specified in [RFC3711] and this document introduces no encryption are specified in [RFC3711] and this document introduces no
additional steps. additional steps.
7. Use with Other RTP Mechanisms 7. Use with Other RTP Mechanisms
There are some RTP related extensions that need special consideration There are some RTP related extensions that need special consideration
to be used by a relay when using the double transform due to the end- to be used by a relay when using the double transform due to the end-
to-end protection of the RTP. to-end protection of the RTP. The repair mechanism, when used with
double, typically operate on the double encrypted data then take the
results of theses operations and encrypted them using only the HBH
key. This results in three cryptography operation happening to the
repair data sent over the wire.
7.1. RTX 7.1. RTX
RTX [RFC4588] is not useable by the relay for hop-by-hop repair. When using RTX [RFC4588] with double, the cached payloads MUST be the
Some modification or extension would be need to be made to RTX before encrypted packets with the bits that are sent over the wire to the
it could be used in this way. The problem in using RTX is that the other side. When encrypting a retransmission packet, it MUST be
relay would need to be able to read the first two byes of the payload encrypted in repair mode packet.
of the retransmissions packet which contain the original sequence
number. However, this data is end-to-end encrypted so the relay can
not read it.
7.2. DTMF 7.2. RED
When DTMF is sent with [RFC4733], it is end-to-end encrypted and the TODO - Add text to explain how to use RED as described in Option A of
relay can not read it so it can not be used to controll the relay. slides presented at IETF 99.
Other out of band methods to controll the relay can be used instead.
7.3. FEC 7.3. FEC
The algorithms recommended in [I-D.ietf-rtcweb-fec] for audio work When using Flex FEC [I-D.ietf-payload-flexible-fec-scheme] with
with no additional considerations. double, the negotiation of double for the crypto is the out of band
signaling that indicates that the repair packets MUST use the order
of operations of SRTP followed by FEC when encrypting. This is to
ensure that the original media is not reveled to the Media
Distributor but at the same time allow the Media Distributor to
repair media. When encrypting a packet that contains the Flex FEC
data, which is already encrypted, it MUST be encrypted in repair mode
packet.
The algorithm recommend in [I-D.ietf-rtcweb-fec] for video is Flex The algorithm recommend in [I-D.ietf-rtcweb-fec] for repair of video
FEC [I-D.ietf-payload-flexible-fec-scheme]. is Flex FEC [I-D.ietf-payload-flexible-fec-scheme]. Note that for
interoperability with WebRTC, [I-D.ietf-rtcweb-fec] recommends not
using additional FEC only m-line in SDP for the repair packets.
Open Issue: The WG is currently considering how to handle Flex FEC. 7.4. DTMF
The main issue of concern is that the FEC Header, which is needed for
repair, is part of the RTP payload. Flex FEC and be done before or When DTMF is sent with [RFC4733], it is end-to-end encrypted and the
after the SRTP process with the order controlled by signalling. relay can not read it so it can not be used to controll the relay.
[I-D.ietf-rtcweb-fec] recommends not using additional FEC only m-line Other out of band methods to controll the relay need to be used
in SDP for the repair packets. instead.
8. Recommended Inner and Outer Cryptographic Algorithms 8. Recommended Inner and Outer Cryptographic Algorithms
This specification recommends and defines AES-GCM as both the inner This specification recommends and defines AES-GCM as both the inner
and outer cryptographic algorithms, identified as and outer cryptographic algorithms, identified as
DOUBLE_AEAD_AES_128_GCM_AEAD_AES_128_GCM and DOUBLE_AEAD_AES_128_GCM_AEAD_AES_128_GCM and
DOUBLE_AEAD_AES_256_GCM_AEAD_AES_256_GCM. These algorithm provide DOUBLE_AEAD_AES_256_GCM_AEAD_AES_256_GCM. These algorithm provide
for authenticated encryption and will consume additional processing for authenticated encryption and will consume additional processing
time double-encrypting for hop-by-hop and end-to-end. However, the time double-encrypting for hop-by-hop and end-to-end. However, the
approach is secure and simple, and is thus viewed as an acceptable approach is secure and simple, and is thus viewed as an acceptable
skipping to change at page 13, line 21 skipping to change at page 13, line 10
Many thanks to Richard Barnes for sending significant text for this Many thanks to Richard Barnes for sending significant text for this
specification. Thank you for reviews and improvements from David specification. Thank you for reviews and improvements from David
Benham, Paul Jones, Suhas Nandakumar, Nils Ohlmeier, and Magnus Benham, Paul Jones, Suhas Nandakumar, Nils Ohlmeier, and Magnus
Westerlund. Westerlund.
12. References 12. References
12.1. Normative References 12.1. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/
DOI 10.17487/RFC2119, March 1997, RFC2119, March 1997,
<http://www.rfc-editor.org/info/rfc2119>. <http://www.rfc-editor.org/info/rfc2119>.
[RFC3711] Baugher, M., McGrew, D., Naslund, M., Carrara, E., and K. [RFC3711] Baugher, M., McGrew, D., Naslund, M., Carrara, E., and K.
Norrman, "The Secure Real-time Transport Protocol (SRTP)", Norrman, "The Secure Real-time Transport Protocol (SRTP)",
RFC 3711, DOI 10.17487/RFC3711, March 2004, RFC 3711, DOI 10.17487/RFC3711, March 2004,
<http://www.rfc-editor.org/info/rfc3711>. <http://www.rfc-editor.org/info/rfc3711>.
[RFC5285] Singer, D. and H. Desineni, "A General Mechanism for RTP [RFC5285] Singer, D. and H. Desineni, "A General Mechanism for RTP
Header Extensions", RFC 5285, DOI 10.17487/RFC5285, July Header Extensions", RFC 5285, DOI 10.17487/RFC5285, July
2008, <http://www.rfc-editor.org/info/rfc5285>. 2008, <http://www.rfc-editor.org/info/rfc5285>.
[RFC5764] McGrew, D. and E. Rescorla, "Datagram Transport Layer [RFC5764] McGrew, D. and E. Rescorla, "Datagram Transport Layer
Security (DTLS) Extension to Establish Keys for the Secure Security (DTLS) Extension to Establish Keys for the Secure
Real-time Transport Protocol (SRTP)", RFC 5764, Real-time Transport Protocol (SRTP)", RFC 5764, DOI
DOI 10.17487/RFC5764, May 2010, 10.17487/RFC5764, May 2010,
<http://www.rfc-editor.org/info/rfc5764>. <http://www.rfc-editor.org/info/rfc5764>.
[RFC6904] Lennox, J., "Encryption of Header Extensions in the Secure [RFC6904] Lennox, J., "Encryption of Header Extensions in the Secure
Real-time Transport Protocol (SRTP)", RFC 6904, Real-time Transport Protocol (SRTP)", RFC 6904, DOI
DOI 10.17487/RFC6904, April 2013, 10.17487/RFC6904, April 2013,
<http://www.rfc-editor.org/info/rfc6904>. <http://www.rfc-editor.org/info/rfc6904>.
[RFC7714] McGrew, D. and K. Igoe, "AES-GCM Authenticated Encryption [RFC7714] McGrew, D. and K. Igoe, "AES-GCM Authenticated Encryption
in the Secure Real-time Transport Protocol (SRTP)", in the Secure Real-time Transport Protocol (SRTP)", RFC
RFC 7714, DOI 10.17487/RFC7714, December 2015, 7714, DOI 10.17487/RFC7714, December 2015,
<http://www.rfc-editor.org/info/rfc7714>. <http://www.rfc-editor.org/info/rfc7714>.
12.2. Informative References 12.2. Informative References
[I-D.ietf-payload-flexible-fec-scheme] [I-D.ietf-payload-flexible-fec-scheme]
Singh, V., Begen, A., Zanaty, M., and G. Mandyam, "RTP Singh, V., Begen, A., Zanaty, M., and G. Mandyam, "RTP
Payload Format for Flexible Forward Error Correction Payload Format for Flexible Forward Error Correction
(FEC)", draft-ietf-payload-flexible-fec-scheme-04 (work in (FEC)", draft-ietf-payload-flexible-fec-scheme-05 (work in
progress), March 2017. progress), July 2017.
[I-D.ietf-perc-dtls-tunnel] [I-D.ietf-perc-dtls-tunnel]
Jones, P., Ellenbogen, P., and N. Ohlmeier, "DTLS Tunnel Jones, P., Ellenbogen, P., and N. Ohlmeier, "DTLS Tunnel
between a Media Distributor and Key Distributor to between a Media Distributor and Key Distributor to
Facilitate Key Exchange", draft-ietf-perc-dtls-tunnel-01 Facilitate Key Exchange", draft-ietf-perc-dtls-tunnel-01
(work in progress), April 2017. (work in progress), April 2017.
[I-D.ietf-perc-private-media-framework] [I-D.ietf-perc-private-media-framework]
Jones, P., Benham, D., and C. Groves, "A Solution Jones, P., Benham, D., and C. Groves, "A Solution
Framework for Private Media in Privacy Enhanced RTP Framework for Private Media in Privacy Enhanced RTP
Conferencing", draft-ietf-perc-private-media-framework-03 Conferencing", draft-ietf-perc-private-media-framework-04
(work in progress), March 2017. (work in progress), July 2017.
[I-D.ietf-perc-srtp-ekt-diet] [I-D.ietf-perc-srtp-ekt-diet]
Jennings, C., Mattsson, J., McGrew, D., and D. Wing, Jennings, C., Mattsson, J., McGrew, D., and D. Wing,
"Encrypted Key Transport for DTLS and Secure RTP", draft- "Encrypted Key Transport for DTLS and Secure RTP", draft-
ietf-perc-srtp-ekt-diet-04 (work in progress), April 2017. ietf-perc-srtp-ekt-diet-05 (work in progress), June 2017.
[I-D.ietf-rtcweb-fec] [I-D.ietf-rtcweb-fec]
Uberti, J., "WebRTC Forward Error Correction Uberti, J., "WebRTC Forward Error Correction
Requirements", draft-ietf-rtcweb-fec-05 (work in Requirements", draft-ietf-rtcweb-fec-06 (work in
progress), May 2017. progress), July 2017.
[RFC4588] Rey, J., Leon, D., Miyazaki, A., Varsa, V., and R. [RFC4588] Rey, J., Leon, D., Miyazaki, A., Varsa, V., and R.
Hakenberg, "RTP Retransmission Payload Format", RFC 4588, Hakenberg, "RTP Retransmission Payload Format", RFC 4588,
DOI 10.17487/RFC4588, July 2006, DOI 10.17487/RFC4588, July 2006,
<http://www.rfc-editor.org/info/rfc4588>. <http://www.rfc-editor.org/info/rfc4588>.
[RFC4733] Schulzrinne, H. and T. Taylor, "RTP Payload for DTMF [RFC4733] Schulzrinne, H. and T. Taylor, "RTP Payload for DTMF
Digits, Telephony Tones, and Telephony Signals", RFC 4733, Digits, Telephony Tones, and Telephony Signals", RFC 4733,
DOI 10.17487/RFC4733, December 2006, DOI 10.17487/RFC4733, December 2006,
<http://www.rfc-editor.org/info/rfc4733>. <http://www.rfc-editor.org/info/rfc4733>.
[RFC6465] Ivov, E., Ed., Marocco, E., Ed., and J. Lennox, "A Real- [RFC6465] Ivov, E., Ed., Marocco, E., Ed., and J. Lennox, "A Real-
time Transport Protocol (RTP) Header Extension for Mixer- time Transport Protocol (RTP) Header Extension for Mixer-
to-Client Audio Level Indication", RFC 6465, to-Client Audio Level Indication", RFC 6465, DOI 10.17487/
DOI 10.17487/RFC6465, December 2011, RFC6465, December 2011,
<http://www.rfc-editor.org/info/rfc6465>. <http://www.rfc-editor.org/info/rfc6465>.
Appendix A. Encryption Overview
The following figure shows a double encrypted SRTP packet. The sides
indicate the parts of the packet that are encrypted and authenticated
by the hob-by-hop and end-to-end operations.
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<+<+
|V=2|P|X| CC |M| PT | sequence number | I O
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ I O
| timestamp | I O
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ I O
| synchronization source (SSRC) identifier | I O
+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ I O
| contributing source (CSRC) identifiers | I O
| .... | I O
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<+ O
| RTP extension (OPTIONAL) ... | | O
+>+>+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<+ O
O I | payload ... | I O
O I | +-------------------------------+ I O
O I | | RTP padding | RTP pad count | I O
O +>+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<+ O
O | | E2E authentication tag | | O
O | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | O
O | | OHB ... | | O
+>| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |<+
| | | HBH authentication tag | | |
| | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | |
| | | |
| +- E2E Encrypted Portion E2E Authenticated Portion ---+ |
| |
+--- HBH Encrypted Portion HBH Authenticated Portion -----+
Authors' Addresses Authors' Addresses
Cullen Jennings Cullen Jennings
Cisco Systems Cisco Systems
Email: fluffy@iii.ca Email: fluffy@iii.ca
Paul E. Jones Paul E. Jones
Cisco Systems Cisco Systems
Email: paulej@packetizer.com Email: paulej@packetizer.com
Richard Barnes
Cisco Systems
Email: rlb@ipv.sx
Adam Roach Adam Roach
Mozilla Mozilla
Email: adam@nostrum.com Email: adam@nostrum.com
 End of changes. 60 change blocks. 
206 lines changed or deleted 227 lines changed or added

This html diff was produced by rfcdiff 1.45. The latest version is available from http://tools.ietf.org/tools/rfcdiff/