draft-ietf-perc-double-12.txt   rfc8723.txt 
Network Working Group C. Jennings Internet Engineering Task Force (IETF) C. Jennings
Internet-Draft P. Jones Request for Comments: 8723 P. Jones
Intended status: Standards Track R. Barnes Category: Standards Track R. Barnes
Expires: March 1, 2020 Cisco Systems ISSN: 2070-1721 Cisco Systems
A. Roach A.B. Roach
Mozilla Mozilla
August 29, 2019 April 2020
SRTP Double Encryption Procedures Double Encryption Procedures for the Secure Real-Time Transport Protocol
draft-ietf-perc-double-12 (SRTP)
Abstract Abstract
In some conferencing scenarios, it is desirable for an intermediary In some conferencing scenarios, it is desirable for an intermediary
to be able to manipulate some parameters in Real Time Protocol (RTP) to be able to manipulate some parameters in Real-time Transport
packets, while still providing strong end-to-end security guarantees. Protocol (RTP) packets, while still providing strong end-to-end
This document defines a cryptographic transform for the Secure Real security guarantees. This document defines a cryptographic transform
Time Protocol (SRTP) that uses two separate but related cryptographic for the Secure Real-time Transport Protocol (SRTP) that uses two
operations to provide hop-by-hop and end-to-end security guarantees. separate but related cryptographic operations to provide hop-by-hop
Both the end-to-end and hop-by-hop cryptographic algorithms can and end-to-end security guarantees. Both the end-to-end and hop-by-
utilize an authenticated encryption with associated data (AEAD) hop cryptographic algorithms can utilize an authenticated encryption
algorithm or take advantage of future SRTP transforms with different with associated data (AEAD) algorithm or take advantage of future
properties. SRTP transforms with different properties.
Status of This Memo Status of This Memo
This Internet-Draft is submitted in full conformance with the This is an Internet Standards Track document.
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months This document is a product of the Internet Engineering Task Force
and may be updated, replaced, or obsoleted by other documents at any (IETF). It represents the consensus of the IETF community. It has
time. It is inappropriate to use Internet-Drafts as reference received public review and has been approved for publication by the
material or to cite them other than as "work in progress." Internet Engineering Steering Group (IESG). Further information on
Internet Standards is available in Section 2 of RFC 7841.
This Internet-Draft will expire on March 1, 2020. Information about the current status of this document, any errata,
and how to provide feedback on it may be obtained at
https://www.rfc-editor.org/info/rfc8723.
Copyright Notice Copyright Notice
Copyright (c) 2019 IETF Trust and the persons identified as the Copyright (c) 2020 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of (https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License. described in the Simplified BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 1. Introduction
2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3 2. Terminology
3. Cryptographic Context . . . . . . . . . . . . . . . . . . . . 4 3. Cryptographic Context
3.1. Key Derivation . . . . . . . . . . . . . . . . . . . . . 5 3.1. Key Derivation
4. Original Header Block . . . . . . . . . . . . . . . . . . . . 5 4. Original Header Block
5. RTP Operations . . . . . . . . . . . . . . . . . . . . . . . 6 5. RTP Operations
5.1. Encrypting a Packet . . . . . . . . . . . . . . . . . . . 7 5.1. Encrypting a Packet
5.2. Relaying a Packet . . . . . . . . . . . . . . . . . . . . 8 5.2. Relaying a Packet
5.3. Decrypting a Packet . . . . . . . . . . . . . . . . . . . 9 5.3. Decrypting a Packet
6. RTCP Operations . . . . . . . . . . . . . . . . . . . . . . . 10 6. RTCP Operations
7. Use with Other RTP Mechanisms . . . . . . . . . . . . . . . . 11 7. Use with Other RTP Mechanisms
7.1. RTP Retransmission (RTX) . . . . . . . . . . . . . . . . 11 7.1. RTP Retransmission (RTX)
7.2. Redundant Audio Data (RED) . . . . . . . . . . . . . . . 11 7.2. Redundant Audio Data (RED)
7.3. Forward Error Correction (FEC) . . . . . . . . . . . . . 12 7.3. Forward Error Correction (FEC)
7.4. DTMF . . . . . . . . . . . . . . . . . . . . . . . . . . 12 7.4. DTMF
8. Recommended Inner and Outer Cryptographic Algorithms . . . . 12 8. Recommended Inner and Outer Cryptographic Algorithms
9. Security Considerations . . . . . . . . . . . . . . . . . . . 13 9. Security Considerations
10. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 14 10. IANA Considerations
10.1. DTLS-SRTP . . . . . . . . . . . . . . . . . . . . . . . 14 10.1. DTLS-SRTP
11. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 15 11. References
12. References . . . . . . . . . . . . . . . . . . . . . . . . . 15 11.1. Normative References
12.1. Normative References . . . . . . . . . . . . . . . . . . 15 11.2. Informative References
12.2. Informative References . . . . . . . . . . . . . . . . . 16 Appendix A. Encryption Overview
Appendix A. Encryption Overview . . . . . . . . . . . . . . . . 17 Acknowledgments
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 18 Authors' Addresses
1. Introduction 1. Introduction
Cloud conferencing systems that are based on switched conferencing Cloud conferencing systems that are based on switched conferencing
have a central Media Distributor device that receives media from have a central Media Distributor (MD) device that receives media from
endpoints and distributes it to other endpoints, but does not need to endpoints and distributes it to other endpoints, but does not need to
interpret or change the media content. For these systems, it is interpret or change the media content. For these systems, it is
desirable to have one cryptographic key that enables encryption and desirable to have one cryptographic key that enables encryption and
authentication of the media end-to-end while still allowing certain authentication of the media end-to-end while still allowing certain
information in the header of a Real Time Protocol (RTP) packet to be information in the header of an RTP packet to be changed by the MD.
changed by the Media Distributor. At the same time, a separate At the same time, a separate cryptographic key provides integrity and
cryptographic key provides integrity and optional confidentiality for optional confidentiality for the media flowing between the MD and the
the media flowing between the Media Distributor and the endpoints. endpoints. The framework document [PRIVATE-MEDIA-FRAMEWORK]
The framework document [I-D.ietf-perc-private-media-framework]
describes this concept in more detail. describes this concept in more detail.
This specification defines a transform for the Secure Real Time This specification defines a transform for SRTP that uses 1) the AES
Protocol (SRTP) that uses the AES-GCM algorithm [RFC7714] to provide Galois/Counter Mode (AES-GCM) algorithm [RFC7714] to provide
encryption and integrity for an RTP packet for the end-to-end encryption and integrity for an RTP packet for the end-to-end
cryptographic key as well as a hop-by-hop cryptographic encryption cryptographic key and 2) a hop-by-hop cryptographic encryption and
and integrity between the endpoint and the Media Distributor. The integrity between the endpoint and the MD. The MD decrypts and
Media Distributor decrypts and checks integrity of the hop-by-hop checks integrity of the hop-by-hop security. The MD MAY change some
security. The Media Distributor MAY change some of the RTP header of the RTP header information that would impact the end-to-end
information that would impact the end-to-end integrity. In that integrity. In that case, the original value of any RTP header field
case, the original value of any RTP header field that is changed is that is changed is included in an "Original Header Block" that is
included in an "Original Header Block" that is added to the packet. added to the packet. The new RTP packet is encrypted with the hop-
The new RTP packet is encrypted with the hop-by-hop cryptographic by-hop cryptographic algorithm before it is sent. The receiving
algorithm before it is sent. The receiving endpoint decrypts and endpoint decrypts and checks integrity using the hop-by-hop
checks integrity using the hop-by-hop cryptographic algorithm and cryptographic algorithm and then replaces any parameters the MD
then replaces any parameters the Media Distributor changed using the changed using the information in the Original Header Block before
information in the Original Header Block before decrypting and decrypting and checking the end-to-end integrity.
checking the end-to-end integrity.
One can think of the double as a normal SRTP transform for encrypting One can think of the double transform as a normal SRTP transform for
the RTP in a way where things that only know half of the key, can encrypting the RTP in a way such that things that only know half of
decrypt and modify part of the RTP packet but not other parts, the key, can decrypt and modify part of the RTP packet but not other
including the media payload. parts, including the media payload.
2. Terminology 2. Terminology
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in BCP "OPTIONAL" in this document are to be interpreted as described in
14 [RFC2119] [RFC8174] when, and only when, they appear in all BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all
capitals, as shown here. capitals, as shown here.
Terms used throughout this document include: Terms used throughout this document include:
o Media Distributor: A device that receives media from endpoints and Media Distributor (MD): A device that receives media from endpoints
distributes it to other endpoints, but does not need to interpret and distributes it to other endpoints, but does not need to
or change the media content (see also interpret or change the media content (see also
[I-D.ietf-perc-private-media-framework]) [PRIVATE-MEDIA-FRAMEWORK]).
o end-to-end: The path from one endpoint through one or more Media end-to-end: The path from one endpoint through one or more MDs to
Distributors to the endpoint at the other end. the endpoint at the other end.
o hop-by-hop: The path from the endpoint to or from the Media hop-by-hop: The path from the endpoint to or from the MD.
Distributor.
o Original Header Block (OHB): An octet string that contains the Original Header Block (OHB): An octet string that contains the
original values from the RTP header that might have been changed original values from the RTP header that might have been changed
by a Media Distributor. by an MD.
3. Cryptographic Context 3. Cryptographic Context
This specification uses a cryptographic context with two parts: This specification uses a cryptographic context with two parts:
o An inner (end-to-end) part that is used by endpoints that * An inner (end-to-end) part that is used by endpoints that
originate and consume media to ensure the integrity of media end- originate and consume media to ensure the integrity of media end-
to-end, and to-end, and
o An outer (hop-by-hop) part that is used between endpoints and * An outer (hop-by-hop) part that is used between endpoints and MDs
Media Distributors to ensure the integrity of media over a single to ensure the integrity of media over a single hop and to enable
hop and to enable a Media Distributor to modify certain RTP header an MD to modify certain RTP header fields. RTCP is also handled
fields. RTCP is also handled using the hop-by-hop cryptographic using the hop-by-hop cryptographic part.
part.
The RECOMMENDED cipher for the hop-by-hop and end-to-end algorithm is The RECOMMENDED cipher for the hop-by-hop and end-to-end algorithms
AES-GCM. Other combinations of SRTP ciphers that support the is AES-GCM. Other combinations of SRTP ciphers that support the
procedures in this document can be added to the IANA registry. procedures in this document can be added to the IANA registry.
The keys and salt for these algorithms are generated with the The keys and salt for these algorithms are generated with the
following steps: following steps:
o Generate key and salt values of the length required for the * Generate key and salt values of the length required for the
combined inner (end-to-end) and outer (hop-by-hop) algorithms. combined inner (end-to-end) and outer (hop-by-hop) algorithms.
o Assign the key and salt values generated for the inner (end-to- * Assign the key and salt values generated for the inner (end-to-
end) algorithm to the first half of the key and the first half of end) algorithm to the first half of the key and the first half of
the salt for the double algorithm. the salt for the double algorithm.
o Assign the key and salt values for the outer (hop-by-hop) * Assign the key and salt values for the outer (hop-by-hop)
algorithm to the second half of the key and second half of the algorithm to the second half of the key and second half of the
salt for the double algorithm. The first half of the key is salt for the double algorithm. The first half of the key is
referred to as the inner key while the second half is referred to referred to as the inner key while the second half is referred to
as the outer key. When a key is used by a cryptographic as the outer key. When a key is used by a cryptographic
algorithm, the salt used is the part of the salt generated with algorithm, the salt that is used is the part of the salt generated
that key. with that key.
o the SSRC is the same for both the inner and out outer algorithms * the synchronization source (SSRC) is the same for both the inner
as it can not be changed. and outer algorithms as it cannot be changed.
o The SEQ and ROC are tracked independently for the inner and outer * The sequence number (SEQ) and rollover counter (ROC) are tracked
algorithms. independently for the inner and outer algorithms.
If the Media Distributor is to be able to modify header fields but If the MD is to be able to modify header fields but not decrypt the
not decrypt the payload, then it must have cryptographic key for the payload, then it must have a cryptographic key for the outer
outer algorithm, but not the inner (end-to-end) algorithm. This algorithm but not the inner (end-to-end) algorithm. This document
document does not define how the Media Distributor should be does not define how the MD should be provisioned with this
provisioned with this information. One possible way to provide information. One possible way to provide keying material for the
keying material for the outer (hop-by-hop) algorithm is to use outer (hop-by-hop) algorithm is to use [DTLS-TUNNEL].
[I-D.ietf-perc-dtls-tunnel].
3.1. Key Derivation 3.1. Key Derivation
Although SRTP uses a single master key to derive keys for an SRTP Although SRTP uses a single master key to derive keys for an SRTP
session, this transform requires separate inner and outer keys. In session, this transform requires separate inner and outer keys. In
order to allow the inner and outer keys to be managed independently order to allow the inner and outer keys to be managed independently
via the master key, the transforms defined in this document MUST be via the master key, the transforms defined in this document MUST be
used with the following pseudo-random function (PRF), which preserves used with the following pseudorandom function (PRF), which preserves
the separation between the two halves of the key. Given a positive the separation between the two halves of the key. Given a positive
integer "n" representing the desired output length, a master key integer "n" representing the desired output length, a master key
"k_master", and an input "x": "k_master", and an input "x":
PRF\_double\_n(k\_master,x) = PRF\_(n/2)(inner(k\_master),x) || PRF_double_n(k_master,x) = PRF_(n/2)(inner(k_master),x) ||
PRF\_(n/2)(outer(k\_master),x) PRF_(n/2)(outer(k_master),x)
Here "PRF_n(k, x)" represents the AES_CM PRF KDF (see Section 4.3.3 Here "PRF_double_n(k_master, x)" represents the AES_CM PRF Key
of [RFC3711]) for DOUBLE_AEAD_AES_128_GCM_AEAD_AES_128_GCM algorithm Derivation Function (KDF) (see Section 4.3.3 of [RFC3711]) for
and AES_256_CM_PRF KDF [RFC6188] for DOUBLE_AEAD_AES_128_GCM_AEAD_AES_128_GCM algorithm and AES_256_CM_PRF
DOUBLE_AEAD_AES_256_GCM_AEAD_AES_256_GCM algorithm. "inner(key)" KDF [RFC6188] for DOUBLE_AEAD_AES_256_GCM_AEAD_AES_256_GCM algorithm.
represents the first half of the key, and "outer(key)" represents the The term "inner(k_master)" represents the first half of the key;
second half of the key. "outer(k_master)" represents the second half of the key.
4. Original Header Block 4. Original Header Block
The Original Header Block (OHB) contains the original values of any The OHB contains the original values of any modified RTP header
modified RTP header fields. In the encryption process, the OHB is fields. In the encryption process, the OHB is included in an SRTP
included in an SRTP packet as described in Section 5. In the packet as described in Section 5. In the decryption process, the
decryption process, the receiving endpoint uses it to reconstruct the receiving endpoint uses it to reconstruct the original RTP header so
original RTP header, so that it can pass the proper AAD value to the that it can pass the proper additional authenticated data (AAD) value
inner transform. to the inner transform.
The OHB can reflect modifications to the following fields in an RTP The OHB can reflect modifications to the following fields in an RTP
header: the payload type, the sequence number, and the marker bit. header: the payload type (PT), the SEQ, and the marker bit. All
All other fields in the RTP header MUST remain unmodified; since the other fields in the RTP header MUST remain unmodified; since the OHB
OHB cannot reflect their original values, the receiver will be unable cannot reflect their original values, the receiver will be unable to
to verify the E2E integrity of the packet. verify the end-to-end integrity of the packet.
The OHB has the following syntax (in ABNF [RFC5234]): The OHB has the following syntax (in ABNF [RFC5234]):
OCTET = %x00-FF OCTET = %x00-FF
PT = OCTET PT = OCTET
SEQ = 2OCTET SEQ = 2OCTET
Config = OCTET Config = OCTET
OHB = [ PT ] [ SEQ ] Config OHB = [ PT ] [ SEQ ] Config
If present, the PT and SEQ parts of the OHB contain the original If present, the PT and SEQ parts of the OHB contain the original
payload type and sequence number fields, respectively. The final payload type and sequence number fields, respectively. The final
"config" octet of the OHB specifies whether these fields are present, "Config" octet of the OHB specifies whether these fields are present,
and the original value of the marker bit (if necessary): and the original value of the marker bit (if necessary):
+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+
|R R R R B M P Q| |R R R R B M P Q|
+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+
o P: PT is present * P: PT is present
o Q: SEQ is present * Q: SEQ is present
o M: Marker bit is present * M: Marker bit is present
o B: Value of marker bit * B: Value of marker bit
o R: Reserved, MUST be set to 0 * R: Reserved, MUST be set to 0
In particular, an all-zero OHB config octet (0x00) indicates that In particular, an all-zero OHB Config octet ("0x00") indicates that
there have been no modifications from the original header. there have been no modifications from the original header.
If the marker bit is not present (M=0), then B MUST be set to zero. If the marker bit is not present (M=0), then "B" MUST be set to zero.
That is, if "C" represents the value of the config octet, then the That is, if "C" represents the value of the Config octet, then the
masked value "C & 0x0C" MUST NOT have the value "0x80". masked value "C & 0x0C" MUST NOT have the value "0x80".
5. RTP Operations 5. RTP Operations
As implied by the use of the word "double" above, this transform As implied by the use of the word "double" above, this transform
applies AES-GCM to the SRTP packet twice. This allows media applies AES-GCM to the SRTP packet twice. This allows media
distributors to be able to modify some header fields while allowing distributors to be able to modify some header fields while allowing
endpoints to verify the end-to-end integrity of a packet. endpoints to verify the end-to-end integrity of a packet.
The first, "inner" application of AES-GCM encrypts the SRTP payload The first, "inner" application of AES-GCM encrypts the SRTP payload
and integrity-protects a version of the SRTP header with extensions and protects the integrity of a version of the SRTP header with
truncated. Omitting extensions from the inner integrity check means extensions truncated. Omitting extensions from the inner integrity
that they can be modified by a media distributor holding only the check means that they can be modified by an MD holding only the outer
"outer" key. key.
The second, "outer" application of AES-GCM encrypts the ciphertext The second, "outer" application of AES-GCM encrypts the ciphertext
produced by the inner encryption (i.e., the encrypted payload and produced by the inner encryption (i.e., the encrypted payload and
authentication tag), plus an OHB that expresses any changes made authentication tag), plus an OHB that expresses any changes made
between the inner and outer transforms. between the inner and outer transforms.
A media distributor that has the outer key but not the inner key may An MD that has the outer key but not the inner key may modify the
modify the header fields that can be included in the OHB by header fields that can be included in the OHB by decrypting,
decrypting, modifying, and re-encrypting the packet. modifying, and re-encrypting the packet.
5.1. Encrypting a Packet 5.1. Encrypting a Packet
To encrypt a packet, the endpoint encrypts the packet using the inner An endpoint encrypts a packet by using the inner (end-to-end)
(end-to-end) cryptographic key and then encrypts using the outer cryptographic key and then the outer (hop-by-hop) cryptographic key.
(hop-by-hop) cryptographic key. The encryption also supports a mode The encryption also supports a mode for repair packets that only does
for repair packets that only does the outer (hop-by-hop) encryption. the outer (hop-by-hop) encryption. The processes is as follows:
The processes is as follows:
1. Form an RTP packet. If there are any header extensions, they 1. Form an RTP packet. If there are any header extensions, they
MUST use [RFC8285]. MUST use [RFC8285].
2. If the packet is for repair mode data, skip to step 6. 2. If the packet is for repair mode data, skip to step 6.
3. Form a synthetic RTP packet with the following contents: 3. Form a synthetic RTP packet with the following contents:
* Header: The RTP header of the original packet with the * Header: The RTP header of the original packet with the
following modifications: following modifications:
* The X bit is set to zero - The X bit is set to zero.
* The header is truncated to remove any extensions (i.e., keep - The header is truncated to remove any extensions (i.e.,
only the first 12 + 4 * CC bytes of the header) keep only the first 12 + 4 * CSRC count (CC) bytes of the
header).
* Payload: The RTP payload of the original packet (including * Payload: The RTP payload of the original packet (including
padding when present) padding when present).
4. Apply the inner cryptographic algorithm to the synthetic RTP 4. Apply the inner cryptographic algorithm to the synthetic RTP
packet from the previous step. packet from the previous step.
5. Replace the header of the protected RTP packet with the header of 5. Replace the header of the protected RTP packet with the header of
the original packet (to restore any header extensions and reset the original packet (to restore any header extensions and reset
the X bit), and append an empty OHB (0x00) to the encrypted the X bit), and append an empty OHB ("0x00") to the encrypted
payload (with the authentication tag) obtained from the step 4. payload (with the authentication tag) obtained from step 4.
6. Apply the outer cryptographic algorithm to the RTP packet. If 6. Apply the outer cryptographic algorithm to the RTP packet. If
encrypting RTP header extensions hop-by-hop, then [RFC6904] MUST encrypting RTP header extensions hop-by-hop, then [RFC6904] MUST
be used when encrypting the RTP packet using the outer be used when encrypting the RTP packet using the outer
cryptographic key. cryptographic key.
When using EKT [I-D.ietf-perc-srtp-ekt-diet], the EKT Field comes When using Encrypted Key Transport (EKT) [EKT-SRTP], the EKTField
after the SRTP packet exactly like using EKT with any other SRTP comes after the SRTP packet, exactly like using EKT with any other
transform. SRTP transform.
5.2. Relaying a Packet 5.2. Relaying a Packet
The Media Distributor has the part of the key for the outer (hop-by- The MD has the part of the key for the outer (hop-by-hop)
hop) cryptographic algorithm, but it does not have the part of the cryptographic algorithm, but it does not have the part of the key for
key for the (end-to-end) cryptographic algorithm. The cryptographic the inner (end-to-end) cryptographic algorithm. The cryptographic
algorithm and key used to decrypt a packet and any encrypted RTP algorithm and key used to decrypt a packet and any encrypted RTP
header extensions would be the same as those used in the endpoint's header extensions would be the same as those used in the endpoint's
outer algorithm and key. outer algorithm and key.
In order to modify a packet, the Media Distributor decrypts the In order to modify a packet, the MD decrypts the received packet,
received packet, modifies the packet, updates the OHB with any modifies the packet, updates the OHB with any modifications not
modifications not already present in the OHB, and re-encrypts the already present in the OHB, and re-encrypts the packet using the
packet using the the outer (hop-by-hop) cryptographic key before outer (hop-by-hop) cryptographic key before transmitting using the
transmitting. following steps:
1. Apply the outer (hop-by-hop) cryptographic algorithm to decrypt 1. Apply the outer (hop-by-hop) cryptographic algorithm to decrypt
the packet. If decrypting RTP header extensions hop-by-hop, then the packet. If decrypting RTP header extensions hop-by-hop, then
[RFC6904] MUST be used. Note that the RTP payload produced by [RFC6904] MUST be used. Note that the RTP payload produced by
this decryption operation contains the original encrypted payload this decryption operation contains the original encrypted payload
with the tag from the inner transform and the OHB appended. with the tag from the inner transform and the OHB appended.
2. Make any desired changes to the fields are allowed to be changed, 2. Make any desired changes to the fields that are allowed to be
i.e., PT, SEQ, and M. The Media Distributor MAY also make changed, i.e., PT, SEQ, and M. The MD MAY also make
modifications to header extensions, without the need to reflect modifications to header extensions, without the need to reflect
these changes in the OHB. these changes in the OHB.
3. Reflect any changes to header fields in the OHB: 3. Reflect any changes to header fields in the OHB:
* If Media Distributor changed a field that is not already in * If the MD changed a field that is not already in the OHB, then
the OHB, then it MUST add the original value of the field to it MUST add the original value of the field to the OHB. Note
the OHB. Note that this might result in an increase in the that this might result in an increase in the size of the OHB.
size of the OHB.
* If the Media Distributor took a field that had previously been * If the MD took a field that had previously been modified and
modified and reset to its original value, then it SHOULD drop reset to its original value, then it SHOULD drop the
the corresponding information from the OHB. Note that this corresponding information from the OHB. Note that this might
might result in a decrease in the size of the OHB. result in a decrease in the size of the OHB.
* Otherwise, the Media Distributor MUST NOT modify the OHB. * Otherwise, the MD MUST NOT modify the OHB.
4. Apply the outer (hop-by-hop) cryptographic algorithm to the 4. Apply the outer (hop-by-hop) cryptographic algorithm to the
packet. If the RTP Sequence Number has been modified, SRTP packet. If the RTP sequence number has been modified, SRTP
processing happens as defined in SRTP and will end up using the processing happens as defined in SRTP and will end up using the
new Sequence Number. If encrypting RTP header extensions hop-by- new sequence number. If encrypting RTP header extensions hop-by-
hop, then [RFC6904] MUST be used. hop, then [RFC6904] MUST be used.
In order to avoid nonce reuse, the cryptographic contexts used in In order to avoid nonce reuse, the cryptographic contexts used in
step 1 and step 5 MUST use different, independent master keys. Note steps 1 and 4 MUST use different, independent master keys. Note that
that this means that the key used for decryption by the MD MUST be this means that the key used for decryption by the MD MUST be
different from the key used for re-encryption to the end recipient. different from the key used for re-encryption to the end recipient.
Note that if multiple MDs modify the same packet, then the first MD Note that if multiple MDs modify the same packet, then the first MD
to alter a given header field is the one that adds it to the OHB. If to alter a given header field is the one that adds it to the OHB. If
a subsequent MD changes the value of a header field that has already a subsequent MD changes the value of a header field that has already
been changed, then the original value will already be in the OHB, so been changed, then the original value will already be in the OHB, so
no update to the OHB is required. no update to the OHB is required.
A Media Distributor that decrypts, modifies, and re-encrypts packets An MD that decrypts, modifies, and re-encrypts packets in this way
in this way MUST use an independent key for each recipient, and MUST MUST use an independent key for each recipient, and MUST NOT re-
NOT re-encrypt the packet using the sender's keys. If the Media encrypt the packet using the sender's keys. If the MD decrypts and
Distributor decrypts and re-encrypts with the same key and salt, it re-encrypts with the same key and salt, it will result in the reuse
will result in the reuse of a (key, nonce) pair, undermining the of a (key, nonce) pair, undermining the security of AES-GCM.
security of AES-GCM.
5.3. Decrypting a Packet 5.3. Decrypting a Packet
To decrypt a packet, the endpoint first decrypts and verifies using To decrypt a packet, the endpoint first decrypts and verifies using
the outer (hop-by-hop) cryptographic key, then uses the OHB to the outer (hop-by-hop) cryptographic key, then uses the OHB to
reconstruct the original packet, which it decrypts and verifies with reconstruct the original packet, which it decrypts and verifies with
the inner (end-to-end) cryptographic key. the inner (end-to-end) cryptographic key using the following steps:
1. Apply the outer cryptographic algorithm to the packet. If the 1. Apply the outer cryptographic algorithm to the packet. If the
integrity check does not pass, discard the packet. The result of integrity check does not pass, discard the packet. The result of
this is referred to as the outer SRTP packet. If decrypting RTP this is referred to as the outer SRTP packet. If decrypting RTP
header extensions hop-by-hop, then [RFC6904] MUST be used when header extensions hop-by-hop, then [RFC6904] MUST be used when
decrypting the RTP packet using the outer cryptographic key. decrypting the RTP packet using the outer cryptographic key.
2. If the packet is for repair mode data, skip the rest of the 2. If the packet is for repair mode data, skip the rest of the
steps. Note that the packet that results from the repair steps. Note that the packet that results from the repair
algorithm will still have encrypted data that needs to be algorithm will still have encrypted data that needs to be
decrypted as specified by the repair algorithm sections. decrypted as specified by the repair algorithm sections.
3. Remove the inner authentication tag and the OHB from the end of 3. Remove the inner authentication tag and the OHB from the end of
the payload of the outer SRTP packet. the payload of the outer SRTP packet.
4. Form a new synthetic SRTP packet with: 4. Form a new synthetic SRTP packet with:
* Header = Received header, with the following modifications: * Header = Received header, with the following modifications:
* Header fields replaced with values from OHB (if any) - Header fields replaced with values from OHB (if any).
* The X bit is set to zero
* The header is truncated to remove any extensions (i.e., keep - The X bit is set to zero.
only the first 12 + 4 * CC bytes of the header)
- The header is truncated to remove any extensions (i.e.,
keep only the first 12 + 4 * CC bytes of the header).
* Payload is the encrypted payload from the outer SRTP packet * Payload is the encrypted payload from the outer SRTP packet
(after the inner tag and OHB have been stripped). (after the inner tag and OHB have been stripped).
* Authentication tag is the inner authentication tag from the * Authentication tag is the inner authentication tag from the
outer SRTP packet. outer SRTP packet.
5. Apply the inner cryptographic algorithm to this synthetic SRTP 5. Apply the inner cryptographic algorithm to this synthetic SRTP
packet. Note if the RTP Sequence Number was changed by the Media packet. Note if the RTP sequence number was changed by the MD,
Distributor, the synthetic packet has the original Sequence the synthetic packet has the original sequence number. If the
Number. If the integrity check does not pass, discard the integrity check does not pass, discard the packet.
packet.
Once the packet has been successfully decrypted, the application Once the packet has been successfully decrypted, the application
needs to be careful about which information it uses to get the needs to be careful about which information it uses to get the
correct behavior. The application MUST use only the information correct behavior. The application MUST use only the information
found in the synthetic SRTP packet and MUST NOT use the other data found in the synthetic SRTP packet and MUST NOT use the other data
that was in the outer SRTP packet with the following exceptions: that was in the outer SRTP packet with the following exceptions:
o The PT from the outer SRTP packet is used for normal matching to * The PT from the outer SRTP packet is used for normal matching to
SDP and codec selection. Session Description Protocol (SDP) and codec selection.
o The sequence number from the outer SRTP packet is used for normal * The sequence number from the outer SRTP packet is used for normal
RTP ordering. RTP ordering.
The PT and sequence number from the inner SRTP packet can be used for The PT and sequence number from the inner SRTP packet can be used for
collection of various statistics. collection of various statistics.
If the RTP header of the outer packet contains extensions, they MAY If the RTP header of the outer packet contains extensions, they MAY
be used. However, because extensions are not protected end-to-end, be used. However, because extensions are not protected end-to-end,
implementations SHOULD reject an RTP packet containing headers that implementations SHOULD reject an RTP packet containing headers that
would require end-to-end protection. would require end-to-end protection.
6. RTCP Operations 6. RTCP Operations
Unlike RTP, which is encrypted both hop-by-hop and end-to-end using Unlike RTP, which is encrypted both hop-by-hop and end-to-end using
two separate cryptographic keys, RTCP is encrypted using only the two separate cryptographic keys, RTCP is encrypted using only the
outer (hop-by-hop) cryptographic key. The procedures for RTCP outer (hop-by-hop) cryptographic key. The procedures for RTCP
encryption are specified in [RFC3711] and this document introduces no encryption are specified in [RFC3711], and this document introduces
additional steps. no additional steps.
7. Use with Other RTP Mechanisms 7. Use with Other RTP Mechanisms
Media Distributors sometimes interact with RTP media packets sent by MDs sometimes interact with RTP media packets sent by endpoints,
endpoints, e.g., to provide recovery or receive commands via DTMF. e.g., to provide recovery or receive commands via dual-tone multi-
When media packets are encrypted end-to-end, these procedures require frequency (DTMF) signaling. When media packets are encrypted end-to-
modification. (End-to-end interactions, including end-to-end end, these procedures require modification. (End-to-end
recovery, are not affected by end-to-end encryption.) interactions, including end-to-end recovery, are not affected by end-
to-end encryption.)
Repair mechanisms, in general, will need to perform recovery on Repair mechanisms, in general, will need to perform recovery on
encrypted packets (double-encrypted when using this transform), since encrypted packets (double-encrypted when using this transform), since
the Media Distributor does not have access to the plaintext of the the MD does not have access to the plaintext of the packet, only an
packet, only an intermediate, E2E-encrypted form. intermediate, E2E-encrypted form.
When the recovery mechanism calls for the recovery packet itself to When the recovery mechanism calls for the recovery packet itself to
be encrypted, it is encrypted with only the outer, hop-by-hop key. be encrypted, it is encrypted with only the outer, hop-by-hop key.
This allows a media distributor to generate recovery packets without This allows an MD to generate recovery packets without having access
having access to the inner, end-to-end keys. However, it also to the inner, end-to-end keys. However, it also results in recovery
results in recovery packets being triple-encrypted, twice for the packets being triple-encrypted, twice for the base transform, and
base transform, and once for the recovery protection. once for the recovery protection.
7.1. RTP Retransmission (RTX) 7.1. RTP Retransmission (RTX)
When using RTX [RFC4588] with double, the cached payloads MUST be the When using RTX [RFC4588] with the double transform, the cached
double-encrypted packets, i.e., the bits that are sent over the wire payloads MUST be the double-encrypted packets, i.e., the bits that
to the other side. When encrypting a retransmission packet, it MUST are sent over the wire to the other side. When encrypting a
be encrypted the packet in repair mode (i.e., with only the hop-by- retransmission packet, it MUST be encrypted like a packet in repair
hop key). mode (i.e., with only the hop-by-hop key).
If the Media Distributor were to cache the inner, E2E-encrypted If the MD were to cache the inner, E2E-encrypted payload and
payload and retransmit that with an RTX OSN field prepended, then the retransmit it with an RTX original sequence number field prepended,
modifications to the payload would cause the inner integrity check to then the modifications to the payload would cause the inner integrity
fail at the receiver. check to fail at the receiver.
A typical RTX receiver would decrypt the packet, undo the RTX A typical RTX receiver would decrypt the packet, undo the RTX
transformation, then process the resulting packet normally by using transformation, then process the resulting packet normally by using
the steps in Section 5.3. the steps in Section 5.3.
7.2. Redundant Audio Data (RED) 7.2. Redundant Audio Data (RED)
When using RED [RFC2198] with double, the processing at the sender When using RED [RFC2198] with the double transform, the processing at
and receiver is the same as when using RED with any other SRTP the sender and receiver is the same as when using RED with any other
transform. SRTP transform.
The main difference between double and any other transform is that in The main difference between the double transform and any other
an intermediated environment, usage of RED must be end-to-end. A transform is that in an intermediated environment, usage of RED must
Media Distributor cannot synthesize RED packets, because it lacks be end-to-end. An MD cannot synthesize RED packets, because it lacks
access to the plaintext media payloads that are combined to form a access to the plaintext media payloads that are combined to form a
RED payload. RED payload.
Note that FlexFEC may often provide similar or better repair Note that Flexible Forward Error Correction (Flex FEC) may often
capabilities compared to RED. For most applications, FlexFEC is a provide similar or better repair capabilities compared to RED. For
better choice than RED; in particular, FlexFEC has modes in which the most applications, Flex FEC is a better choice than RED; in
Media Distributor can synthesize recovery packets. particular, Flex FEC has modes in which the MD can synthesize
recovery packets.
7.3. Forward Error Correction (FEC) 7.3. Forward Error Correction (FEC)
When using Flex FEC [I-D.ietf-payload-flexible-fec-scheme] with When using Flex FEC [RFC8627] with the double transform, repair
double, repair packets MUST be constructed by first double-encrypting packets MUST be constructed by first double-encrypting the packet,
the packet, then performing FEC. Processing of repair packets then performing FEC. Processing of repair packets proceeds in the
proceeds in the opposite order, performing FEC recovery and then opposite order, performing FEC recovery and then decrypting. This
decrypting. This ensures that the original media is not revealed to ensures that the original media is not revealed to the MD but, at the
the Media Distributor but at the same time allows the Media same time, allows the MD to repair media. When encrypting a packet
Distributor to repair media. When encrypting a packet that contains that contains the Flex FEC data, which is already encrypted, it MUST
the Flex FEC data, which is already encrypted, it MUST be encrypted be encrypted with only the outer, hop-by-hop transform.
with only the outer, hop-by-hop transform.
The algorithm recommended in [I-D.ietf-rtcweb-fec] for repair of The algorithm recommended in [WEBRTC-FEC] for repair of video is Flex
video is Flex FEC [I-D.ietf-payload-flexible-fec-scheme]. Note that FEC [RFC8627]. Note that for interoperability with WebRTC,
for interoperability with WebRTC, [I-D.ietf-rtcweb-fec] recommends [WEBRTC-FEC] recommends not using additional FEC-only "m=" lines in
not using additional FEC only m-line in SDP for the repair packets. SDP for the repair packets.
7.4. DTMF 7.4. DTMF
When DTMF is sent using the mechanism in [RFC4733], it is end-to-end When DTMF is sent using the mechanism in [RFC4733], it is end-to-end
encrypted and the relay can not read it, so it cannot be used to encrypted; the relay cannot read it, so it cannot be used to control
control the relay. Other out of band methods to control the relay the relay. Other out-of-band methods to control the relay need to be
need to be used instead. used instead.
8. Recommended Inner and Outer Cryptographic Algorithms 8. Recommended Inner and Outer Cryptographic Algorithms
This specification recommends and defines AES-GCM as both the inner This specification recommends and defines AES-GCM as both the inner
and outer cryptographic algorithms, identified as and outer cryptographic algorithms, identified as
DOUBLE_AEAD_AES_128_GCM_AEAD_AES_128_GCM and DOUBLE_AEAD_AES_128_GCM_AEAD_AES_128_GCM and
DOUBLE_AEAD_AES_256_GCM_AEAD_AES_256_GCM. These algorithm provide DOUBLE_AEAD_AES_256_GCM_AEAD_AES_256_GCM. These algorithms provide
for authenticated encryption and will consume additional processing for authenticated encryption and will consume additional processing
time double-encrypting for hop-by-hop and end-to-end. However, the time double-encrypting for hop-by-hop and end-to-end. However, the
approach is secure and simple, and is thus viewed as an acceptable approach is secure and simple; thus, it is viewed as an acceptable
trade-off in processing efficiency. trade-off in processing efficiency.
Note that names for the cryptographic transforms are of the form Note that names for the cryptographic transforms are of the form
DOUBLE_(inner algorithm)_(outer algorithm). DOUBLE_(inner algorithm)_(outer algorithm).
While this document only defines a profile based on AES-GCM, it is While this document only defines a profile based on AES-GCM, it is
possible for future documents to define further profiles with possible for future documents to define further profiles with
different inner and outer algorithms in this same framework. For different inner and outer algorithms in this same framework. For
example, if a new SRTP transform was defined that encrypts some or example, if a new SRTP transform were defined that encrypts some or
all of the RTP header, it would be reasonable for systems to have the all of the RTP header, it would be reasonable for systems to have the
option of using that for the outer algorithm. Similarly, if a new option of using that for the outer algorithm. Similarly, if a new
transform was defined that provided only integrity, that would also transform were defined that provided only integrity, that would also
be reasonable to use for the outer transform as the payload data is be reasonable to use for the outer transform as the payload data is
already encrypted by the inner transform. already encrypted by the inner transform.
The AES-GCM cryptographic algorithm introduces an additional 16 The AES-GCM cryptographic algorithm introduces an additional 16
octets to the length of the packet. When using AES-GCM for both the octets to the length of the packet. When using AES-GCM for both the
inner and outer cryptographic algorithms, the total additional length inner and outer cryptographic algorithms, the total additional length
is 32 octets. The OHB will consume an additional 1-4 octets. is 32 octets. The OHB will consume an additional 1-4 octets.
Packets in repair mode will carry additional repair data, further Packets in repair mode will carry additional repair data, further
increasing their size. increasing their size.
9. Security Considerations 9. Security Considerations
This SRTP transform provides protection against two classes of This SRTP transform provides protection against two classes of
attacker: An network attacker that knows neither the inner nor outer attacker: a network attacker that knows neither the inner nor outer
keys, and a malicious MD that knows the outer key. Obviously, it keys and a malicious MD that knows the outer key. Obviously, it
provides no protections against an attacker that holds both the inner provides no protections against an attacker that holds both the inner
and outer keys. and outer keys.
The protections with regard to the network are the same as with the The protections with regard to the network are the same as with the
normal SRTP AES-GCM transforms. The major difference is that the normal SRTP AES-GCM transforms. The major difference is that the
double transforms are designed to work better in a group context. In double transforms are designed to work better in a group context. In
such contexts, it is important to note that because these transforms such contexts, it is important to note that because these transforms
are symmetric, they do not protect against attacks within the group. are symmetric, they do not protect against attacks within the group.
Any member of the group can generate valid SRTP packets for any SSRC Any member of the group can generate valid SRTP packets for any SSRC
in use by the group. in use by the group.
With regard to a malicious MD, the recipient can verify the integrity With regard to a malicious MD, the recipient can verify the integrity
of the base header fields and confidentiality and integrity of the of the base header fields and confidentiality and integrity of the
payload. The recipient has no assurance, however, of the integrity payload. The recipient has no assurance, however, of the integrity
of the header extensions in the packet. of the header extensions in the packet.
The main innovation of this transform relative to other SRTP The main innovation of this transform relative to other SRTP
transforms is that it allows a partly-trusted MD to decrypt, modify, transforms is that it allows a partly trusted MD to decrypt, modify,
and re-encrypt a packet. When this is done, the cryptographic and re-encrypt a packet. When this is done, the cryptographic
contexts used for decryption and re-encryption MUST use different, contexts used for decryption and re-encryption MUST use different,
independent master keys. If the same context is used, the nonce independent master keys. If the same context is used, the nonce
formation rules for SRTP will cause the same key and nonce to be used formation rules for SRTP will cause the same key and nonce to be used
with two different plaintexts, which substantially degrades the with two different plaintexts, which substantially degrades the
security of AES-GCM. security of AES-GCM.
In other words, from the perspective of the MD, re-encrypting packets In other words, from the perspective of the MD, re-encrypting packets
using this protocol will involve the same cryptographic operations as using this protocol will involve the same cryptographic operations as
if it had established independent AES-GCM crypto contexts with the if it had established independent AES-GCM crypto contexts with the
sender and the receiver. If the MD doesn't modify any header fields, sender and the receiver. This property allows the use of an MD that
then an MD that supports AES-GCM could be unused unmodified. supports AES-GCM but does not modify any header fields, without
requiring any modification to the MD.
10. IANA Considerations 10. IANA Considerations
10.1. DTLS-SRTP 10.1. DTLS-SRTP
We request IANA to add the following values to defines a DTLS-SRTP IANA has added the following protection profiles to the "DTLS-SRTP
"SRTP Protection Profile" defined in [RFC5764]. Protection Profiles" registry defined in [RFC5764].
+------------+------------------------------------------+-----------+ +--------+------------------------------------------+-----------+
| Value | Profile | Reference | | Value | Profile | Reference |
+------------+------------------------------------------+-----------+ +========+==========================================+===========+
| {0x00, | DOUBLE_AEAD_AES_128_GCM_AEAD_AES_128_GCM | RFCXXXX | | {0x00, | DOUBLE_AEAD_AES_128_GCM_AEAD_AES_128_GCM | RFC 8723 |
| 0x09} | | | | 0x09} | | |
| {0x00, | DOUBLE_AEAD_AES_256_GCM_AEAD_AES_256_GCM | RFCXXXX | +--------+------------------------------------------+-----------+
| 0x0A} | | | | {0x00, | DOUBLE_AEAD_AES_256_GCM_AEAD_AES_256_GCM | RFC 8723 |
+------------+------------------------------------------+-----------+ | 0x0A} | | |
+--------+------------------------------------------+-----------+
Note to IANA: Please assign value RFCXXXX and update table to point Table 1: Updates to the DTLS-SRTP Protection Profiles Registry
at this RFC for these values.
The SRTP transform parameters for each of these protection are: The SRTP transform parameters for each of these protection profiles
are:
DOUBLE_AEAD_AES_128_GCM_AEAD_AES_128_GCM +---------------------------------------------------------+
cipher: AES_128_GCM then AES_128_GCM | DOUBLE_AEAD_AES_128_GCM_AEAD_AES_128_GCM |
cipher_key_length: 256 bits +-----------------------+---------------------------------+
cipher_salt_length: 192 bits | cipher: | AES_128_GCM then AES_128_GCM |
aead_auth_tag_length: 256 bits +-----------------------+---------------------------------+
auth_function: NULL | cipher_key_length: | 256 bits |
auth_key_length: N/A +-----------------------+---------------------------------+
auth_tag_length: N/A | cipher_salt_length: | 192 bits |
maximum lifetime: at most 2^31 SRTCP packets and +-----------------------+---------------------------------+
at most 2^48 SRTP packets | aead_auth_tag_length: | 256 bits |
+-----------------------+---------------------------------+
| auth_function: | NULL |
+-----------------------+---------------------------------+
| auth_key_length: | N/A |
+-----------------------+---------------------------------+
| auth_tag_length: | N/A |
+-----------------------+---------------------------------+
| maximum lifetime: | at most 2^(31) SRTCP packets |
| | and at most 2^(48) SRTP packets |
+-----------------------+---------------------------------+
DOUBLE_AEAD_AES_256_GCM_AEAD_AES_256_GCM Table 2: SRTP Transform Parameters for
cipher: AES_256_GCM then AES_256_GCM DOUBLE_AEAD_AES_128_GCM_AEAD_AES_128_GCM
cipher_key_length: 512 bits
cipher_salt_length: 192 bits +---------------------------------------------------------+
aead_auth_tag_length: 256 bits | DOUBLE_AEAD_AES_256_GCM_AEAD_AES_256_GCM |
auth_function: NULL +-----------------------+---------------------------------+
auth_key_length: N/A | cipher: | AES_256_GCM then AES_256_GCM |
auth_tag_length: N/A +-----------------------+---------------------------------+
maximum lifetime: at most 2^31 SRTCP packets and | cipher_key_length: | 512 bits |
at most 2^48 SRTP packets +-----------------------+---------------------------------+
| cipher_salt_length: | 192 bits |
+-----------------------+---------------------------------+
| aead_auth_tag_length: | 256 bits |
+-----------------------+---------------------------------+
| auth_function: | NULL |
+-----------------------+---------------------------------+
| auth_key_length: | N/A |
+-----------------------+---------------------------------+
| auth_tag_length: | N/A |
+-----------------------+---------------------------------+
| maximum lifetime: | at most 2^(31) SRTCP packets |
| | and at most 2^(48) SRTP packets |
+-----------------------+---------------------------------+
Table 3: SRTP Transform Parameters for
DOUBLE_AEAD_AES_256_GCM_AEAD_AES_256_GCM
The first half of the key and salt is used for the inner (end-to-end) The first half of the key and salt is used for the inner (end-to-end)
algorithm and the second half is used for the outer (hop-by-hop) algorithm and the second half is used for the outer (hop-by-hop)
algorithm. algorithm.
11. Acknowledgments 11. References
Thank you for reviews and improvements to this specification from
Alex Gouaillard, David Benham, Magnus Westerlund, Nils Ohlmeier, Paul
Jones, Roni Even, and Suhas Nandakumar. In addition, thank you to
Sergio Garcia Murillo proposed the change of transporting the OHB
information in the RTP payload instead of the RTP header.
12. References
12.1. Normative References 11.1. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997, DOI 10.17487/RFC2119, March 1997,
<https://www.rfc-editor.org/info/rfc2119>. <https://www.rfc-editor.org/info/rfc2119>.
[RFC3711] Baugher, M., McGrew, D., Naslund, M., Carrara, E., and K. [RFC3711] Baugher, M., McGrew, D., Naslund, M., Carrara, E., and K.
Norrman, "The Secure Real-time Transport Protocol (SRTP)", Norrman, "The Secure Real-time Transport Protocol (SRTP)",
RFC 3711, DOI 10.17487/RFC3711, March 2004, RFC 3711, DOI 10.17487/RFC3711, March 2004,
<https://www.rfc-editor.org/info/rfc3711>. <https://www.rfc-editor.org/info/rfc3711>.
skipping to change at page 16, line 10 skipping to change at line 723
[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
May 2017, <https://www.rfc-editor.org/info/rfc8174>. May 2017, <https://www.rfc-editor.org/info/rfc8174>.
[RFC8285] Singer, D., Desineni, H., and R. Even, Ed., "A General [RFC8285] Singer, D., Desineni, H., and R. Even, Ed., "A General
Mechanism for RTP Header Extensions", RFC 8285, Mechanism for RTP Header Extensions", RFC 8285,
DOI 10.17487/RFC8285, October 2017, DOI 10.17487/RFC8285, October 2017,
<https://www.rfc-editor.org/info/rfc8285>. <https://www.rfc-editor.org/info/rfc8285>.
12.2. Informative References 11.2. Informative References
[I-D.ietf-payload-flexible-fec-scheme]
Zanaty, M., Singh, V., Begen, A., and G. Mandyam, "RTP
Payload Format for Flexible Forward Error Correction
(FEC)", draft-ietf-payload-flexible-fec-scheme-20 (work in
progress), May 2019.
[I-D.ietf-perc-dtls-tunnel] [DTLS-TUNNEL]
Jones, P., Ellenbogen, P., and N. Ohlmeier, "DTLS Tunnel Jones, P., Ellenbogen, P., and N. Ohlmeier, "DTLS Tunnel
between a Media Distributor and Key Distributor to between a Media Distributor and Key Distributor to
Facilitate Key Exchange", draft-ietf-perc-dtls-tunnel-05 Facilitate Key Exchange", Work in Progress, Internet-
(work in progress), April 2019. Draft, draft-ietf-perc-dtls-tunnel-06, 16 October 2019,
<https://tools.ietf.org/html/draft-ietf-perc-dtls-tunnel-
[I-D.ietf-perc-private-media-framework] 06>.
Jones, P., Benham, D., and C. Groves, "A Solution
Framework for Private Media in Privacy Enhanced RTP
Conferencing (PERC)", draft-ietf-perc-private-media-
framework-12 (work in progress), June 2019.
[I-D.ietf-perc-srtp-ekt-diet] [EKT-SRTP] Jennings, C., Mattsson, J., McGrew, D., Wing, D., and F.
Jennings, C., Mattsson, J., McGrew, D., Wing, D., and F.
Andreasen, "Encrypted Key Transport for DTLS and Secure Andreasen, "Encrypted Key Transport for DTLS and Secure
RTP", draft-ietf-perc-srtp-ekt-diet-10 (work in progress), RTP", Work in Progress, Internet-Draft, draft-ietf-perc-
July 2019. srtp-ekt-diet-10, 8 July 2019,
<https://tools.ietf.org/html/draft-ietf-perc-srtp-ekt-
diet-10>.
[I-D.ietf-rtcweb-fec] [PRIVATE-MEDIA-FRAMEWORK]
Uberti, J., "WebRTC Forward Error Correction Jones, P., Benham, D., and C. Groves, "A Solution
Requirements", draft-ietf-rtcweb-fec-10 (work in Framework for Private Media in Privacy Enhanced RTP
progress), July 2019. Conferencing (PERC)", Work in Progress, Internet-Draft,
draft-ietf-perc-private-media-framework-12, 5 June 2019,
<https://tools.ietf.org/html/draft-ietf-perc-private-
media-framework-12>.
[RFC2198] Perkins, C., Kouvelas, I., Hodson, O., Hardman, V., [RFC2198] Perkins, C., Kouvelas, I., Hodson, O., Hardman, V.,
Handley, M., Bolot, J., Vega-Garcia, A., and S. Fosse- Handley, M., Bolot, J.C., Vega-Garcia, A., and S. Fosse-
Parisis, "RTP Payload for Redundant Audio Data", RFC 2198, Parisis, "RTP Payload for Redundant Audio Data", RFC 2198,
DOI 10.17487/RFC2198, September 1997, DOI 10.17487/RFC2198, September 1997,
<https://www.rfc-editor.org/info/rfc2198>. <https://www.rfc-editor.org/info/rfc2198>.
[RFC4588] Rey, J., Leon, D., Miyazaki, A., Varsa, V., and R. [RFC4588] Rey, J., Leon, D., Miyazaki, A., Varsa, V., and R.
Hakenberg, "RTP Retransmission Payload Format", RFC 4588, Hakenberg, "RTP Retransmission Payload Format", RFC 4588,
DOI 10.17487/RFC4588, July 2006, DOI 10.17487/RFC4588, July 2006,
<https://www.rfc-editor.org/info/rfc4588>. <https://www.rfc-editor.org/info/rfc4588>.
[RFC4733] Schulzrinne, H. and T. Taylor, "RTP Payload for DTMF [RFC4733] Schulzrinne, H. and T. Taylor, "RTP Payload for DTMF
Digits, Telephony Tones, and Telephony Signals", RFC 4733, Digits, Telephony Tones, and Telephony Signals", RFC 4733,
DOI 10.17487/RFC4733, December 2006, DOI 10.17487/RFC4733, December 2006,
<https://www.rfc-editor.org/info/rfc4733>. <https://www.rfc-editor.org/info/rfc4733>.
[RFC5234] Crocker, D., Ed. and P. Overell, "Augmented BNF for Syntax [RFC5234] Crocker, D., Ed. and P. Overell, "Augmented BNF for Syntax
Specifications: ABNF", STD 68, RFC 5234, Specifications: ABNF", STD 68, RFC 5234,
DOI 10.17487/RFC5234, January 2008, DOI 10.17487/RFC5234, January 2008,
<https://www.rfc-editor.org/info/rfc5234>. <https://www.rfc-editor.org/info/rfc5234>.
[RFC8627] Zanaty, M., Singh, V., Begen, A., and G. Mandyam, "RTP
Payload Format for Flexible Forward Error Correction
(FEC)", RFC 8627, DOI 10.17487/RFC8627, July 2019,
<https://www.rfc-editor.org/info/rfc8627>.
[WEBRTC-FEC]
Uberti, J., "WebRTC Forward Error Correction
Requirements", Work in Progress, Internet-Draft, draft-
ietf-rtcweb-fec-10, 16 July 2019,
<https://tools.ietf.org/html/draft-ietf-rtcweb-fec-10>.
Appendix A. Encryption Overview Appendix A. Encryption Overview
The following figure shows a double encrypted SRTP packet. The sides The following figures show a double-encrypted SRTP packet. The sides
indicate the parts of the packet that are encrypted and authenticated indicate the parts of the packet that are encrypted and authenticated
by the hop-by-hop and end-to-end operations. by the hop-by-hop and end-to-end operations.
0 1 2 3 0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<++ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|V=2|P|X| CC |M| PT | sequence number | IO |V=2|P|X| CC |M| PT | sequence number |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ IO +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| timestamp | IO | timestamp |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ IO +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| synchronization source (SSRC) identifier | IO | synchronization source (SSRC) identifier |
+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ IO +=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
| contributing source (CSRC) identifiers | IO | contributing source (CSRC) identifiers |
| .... | IO | .... |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<+O +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| RTP extension (OPTIONAL) ... | |O | RTP extension (OPTIONAL) ... |
+>+>+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<+O +>+>+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
O I | payload ... | IO O I | payload ... |
O I | +-------------------------------+ IO O I | +-------------------------------+
O I | | RTP padding | RTP pad count | IO O I | | RTP padding | RTP pad count |
O +>+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<+O O +>+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
O | | E2E authentication tag | |O O | | E2E authentication tag |
O | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |O O | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
O | | OHB ... | |O O | | OHB ... |
+>| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |+ +>| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| | | HBH authentication tag | || | | | HBH authentication tag |
| | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ || | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| | || | |
| +- E2E Encrypted Portion E2E Authenticated Portion ---+| | +- E2E Encrypted Portion
| | |
+--- HBH Encrypted Portion HBH Authenticated Portion ----+ +--- HBH Encrypted Portion
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<+<+
|V=2|P|X| CC |M| PT | sequence number | I O
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ I O
| timestamp | I O
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ I O
| synchronization source (SSRC) identifier | I O
+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ I O
| contributing source (CSRC) identifiers | I O
| .... | I O
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<+ O
| RTP extension (OPTIONAL) ... | | O
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<+ O
| payload ... | I O
| +-------------------------------+ I O
| | RTP padding | RTP pad count | I O
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<+ O
| E2E authentication tag | | O
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | O
| OHB ... | | O
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |<+
| HBH authentication tag | | |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | |
| |
E2E Authenticated Portion ---+ |
|
HBH Authenticated Portion -----+
Acknowledgments
Thank you to Alex Gouaillard, David Benham, Magnus Westerlund, Nils
Ohlmeier, Roni Even, and Suhas Nandakumar for reviews and
improvements to this specification. In addition, thank you to Sergio
Garcia Murillo, who proposed the change of transporting the OHB
information in the RTP payload instead of the RTP header.
Authors' Addresses Authors' Addresses
Cullen Jennings Cullen Jennings
Cisco Systems Cisco Systems
Email: fluffy@iii.ca Email: fluffy@iii.ca
Paul E. Jones Paul E. Jones
Cisco Systems Cisco Systems
 End of changes. 104 change blocks. 
360 lines changed or deleted 414 lines changed or added

This html diff was produced by rfcdiff 1.47. The latest version is available from http://tools.ietf.org/tools/rfcdiff/