draft-ietf-avtcore-aria-srtp-05.txt   draft-ietf-avtcore-aria-srtp-06.txt 
AVTCore W. Kim AVTCore W. Kim
Internet-Draft J. Lee Internet-Draft J. Lee
Intended status: Standards Track D. Kim Intended status: Standards Track D. Kim
Expires: March 29, 2014 J. Park Expires: May 23, 2014 J. Park
D. Kwon D. Kwon
NSRI NSRI
September 25, 2013 November 19, 2013
The ARIA Algorithm and Its Use with the Secure Real-time Transport The ARIA Algorithm and Its Use with the Secure Real-time Transport
Protocol(SRTP) Protocol(SRTP)
draft-ietf-avtcore-aria-srtp-05 draft-ietf-avtcore-aria-srtp-06
Abstract Abstract
This document describes the use of the ARIA block cipher algorithm This document defines the use of the ARIA block cipher algorithm
within the Secure Real-time Transport Protocol (SRTP) for providing within the Secure Real-time Transport Protocol (SRTP) for providing
confidentiality for the Real-time Transport Protocol (RTP) traffic confidentiality for the Real-time Transport Protocol (RTP) traffic
and for the control traffic for RTP, the RTP Control Protocol (RTCP). and for the control traffic for RTP, the RTP Control Protocol (RTCP).
It details three modes of operation (CTR, CCM, GCM) and a SRTP Key It details three modes of operation (CTR, CCM, GCM) and a SRTP Key
Derivation Function for ARIA. Derivation Function for ARIA.
Status of This Memo Status of This Memo
This Internet-Draft is submitted in full conformance with the This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79. provisions of BCP 78 and BCP 79.
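Review bot: the title line "Protocol(SRTP)" in both columns is missing the space before the parenthesis; it should read "Protocol (SRTP)" to match the Abstract's own "Secure Real-time Transport Protocol (SRTP)".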
skipping to change at page 1, line 39 skipping to change at page 1, line 39
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on March 29, 2014. This Internet-Draft will expire on May 23, 2014.
Copyright Notice Copyright Notice
Copyright (c) 2013 IETF Trust and the persons identified as the Copyright (c) 2013 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 2, line 19 skipping to change at page 2, line 19
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
1.1. ARIA . . . . . . . . . . . . . . . . . . . . . . . . . . 3 1.1. ARIA . . . . . . . . . . . . . . . . . . . . . . . . . . 3
1.2. Terminology . . . . . . . . . . . . . . . . . . . . . . . 3 1.2. Terminology . . . . . . . . . . . . . . . . . . . . . . . 3
2. Cryptographic Transforms . . . . . . . . . . . . . . . . . . 3 2. Cryptographic Transforms . . . . . . . . . . . . . . . . . . 3
2.1. ARIA-CTR . . . . . . . . . . . . . . . . . . . . . . . . 3 2.1. ARIA-CTR . . . . . . . . . . . . . . . . . . . . . . . . 3
2.2. ARIA-GCM . . . . . . . . . . . . . . . . . . . . . . . . 6 2.2. ARIA-GCM . . . . . . . . . . . . . . . . . . . . . . . . 6
2.3. ARIA-CCM . . . . . . . . . . . . . . . . . . . . . . . . 9 2.3. ARIA-CCM . . . . . . . . . . . . . . . . . . . . . . . . 9
3. Key Derivation Functions . . . . . . . . . . . . . . . . . . 11 3. Key Derivation Functions . . . . . . . . . . . . . . . . . . 12
4. Security Considerations . . . . . . . . . . . . . . . . . . . 12 4. Security Considerations . . . . . . . . . . . . . . . . . . . 12
5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 12 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 12
5.1. Security Descriptions (SDES) . . . . . . . . . . . . . . 12 5.1. Security Descriptions (SDES) . . . . . . . . . . . . . . 12
5.2. DTLS-SRTP . . . . . . . . . . . . . . . . . . . . . . . . 13 5.2. DTLS-SRTP . . . . . . . . . . . . . . . . . . . . . . . . 13
5.3. MIKEY . . . . . . . . . . . . . . . . . . . . . . . . . . 18 5.3. MIKEY . . . . . . . . . . . . . . . . . . . . . . . . . . 18
6. References . . . . . . . . . . . . . . . . . . . . . . . . . 19 6. References . . . . . . . . . . . . . . . . . . . . . . . . . 20
6.1. Normative References . . . . . . . . . . . . . . . . . . 20 6.1. Normative References . . . . . . . . . . . . . . . . . . 20
6.2. Informative References . . . . . . . . . . . . . . . . . 21 6.2. Informative References . . . . . . . . . . . . . . . . . 21
Appendix A. Test Vectors . . . . . . . . . . . . . . . . . . . . 21 Appendix A. Test Vectors . . . . . . . . . . . . . . . . . . . . 21
A.1. ARIA-CTR Test Vectors . . . . . . . . . . . . . . . . . . 21 A.1. ARIA-CTR Test Vectors . . . . . . . . . . . . . . . . . . 21
A.1.1. ARIA_128_CTR_HMAC_SHA1_80 . . . . . . . . . . . . . . 22 A.1.1. ARIA_128_CTR_HMAC_SHA1_80 . . . . . . . . . . . . . . 22
A.1.2. ARIA_192_CTR_HMAC_SHA1_80 . . . . . . . . . . . . . . 23 A.1.2. ARIA_192_CTR_HMAC_SHA1_80 . . . . . . . . . . . . . . 22
A.1.3. ARIA_256_CTR_HMAC_SHA1_80 . . . . . . . . . . . . . . 23 A.1.3. ARIA_256_CTR_HMAC_SHA1_80 . . . . . . . . . . . . . . 23
A.2. ARIA-GCM Test Vectors . . . . . . . . . . . . . . . . . . 24 A.2. ARIA-GCM Test Vectors . . . . . . . . . . . . . . . . . . 24
A.2.1. ARIA_128_GCM . . . . . . . . . . . . . . . . . . . . 24 A.2.1. ARIA_128_GCM . . . . . . . . . . . . . . . . . . . . 24
A.2.2. ARIA_256_GCM . . . . . . . . . . . . . . . . . . . . 25 A.2.2. ARIA_256_GCM . . . . . . . . . . . . . . . . . . . . 25
A.3. ARIA-CCM Test Vectors . . . . . . . . . . . . . . . . . . 25 A.3. ARIA-CCM Test Vectors . . . . . . . . . . . . . . . . . . 25
A.3.1. ARIA_128_CCM . . . . . . . . . . . . . . . . . . . . 26 A.3.1. ARIA_128_CCM . . . . . . . . . . . . . . . . . . . . 26
A.3.2. ARIA_256_CCM . . . . . . . . . . . . . . . . . . . . 26 A.3.2. ARIA_256_CCM . . . . . . . . . . . . . . . . . . . . 26
A.3.3. ARIA_128_CCM_8 . . . . . . . . . . . . . . . . . . . 26 A.3.3. ARIA_128_CCM_8 . . . . . . . . . . . . . . . . . . . 26
A.3.4. ARIA_256_CCM_8 . . . . . . . . . . . . . . . . . . . 27 A.3.4. ARIA_256_CCM_8 . . . . . . . . . . . . . . . . . . . 27
A.3.5. ARIA_128_CCM_12 . . . . . . . . . . . . . . . . . . . 27 A.3.5. ARIA_128_CCM_12 . . . . . . . . . . . . . . . . . . . 27
A.3.6. ARIA_256_CCM_12 . . . . . . . . . . . . . . . . . . . 28 A.3.6. ARIA_256_CCM_12 . . . . . . . . . . . . . . . . . . . 27
A.4. Key Derivation Test Vector . . . . . . . . . . . . . . . 28 A.4. Key Derivation Test Vector . . . . . . . . . . . . . . . 28
A.4.1. ARIA_128 . . . . . . . . . . . . . . . . . . . . . . 28 A.4.1. ARIA_128 . . . . . . . . . . . . . . . . . . . . . . 28
A.4.2. ARIA_192 . . . . . . . . . . . . . . . . . . . . . . 29 A.4.2. ARIA_192 . . . . . . . . . . . . . . . . . . . . . . 29
A.4.3. ARIA_256 . . . . . . . . . . . . . . . . . . . . . . 31 A.4.3. ARIA_256 . . . . . . . . . . . . . . . . . . . . . . 30
1. Introduction 1. Introduction
This document describes the use of the ARIA [RFC5794] block cipher This document defines the use of the ARIA [RFC5794] block cipher
algorithm in the Secure Real-time Transport Protocol (SRTP) [RFC3711] algorithm in the Secure Real-time Transport Protocol (SRTP) [RFC3711]
for providing confidentiality for the Real-time Transport Protocol for providing confidentiality for the Real-time Transport Protocol
(RTP) [RFC3550] traffic and for the control traffic for RTP, the RTP (RTP) [RFC3550] traffic and for the control traffic for RTP, the RTP
Control Protocol (RTCP) [RFC3550]. Control Protocol (RTCP) [RFC3550].
1.1. ARIA 1.1. ARIA
ARIA is a general-purpose block cipher algorithm developed by Korean ARIA is a general-purpose block cipher algorithm developed by Korean
cryptographers in 2003. It is an iterated block cipher with 128-, cryptographers in 2003. It is an iterated block cipher with 128-,
192-, and 256-bit keys and encrypts 128-bit blocks in 12, 14, and 16 192-, and 256-bit keys and encrypts 128-bit blocks in 12, 14, and 16
skipping to change at page 3, line 42 skipping to change at page 3, line 42
define three modes of running ARIA within the SRTP protocol, (1) ARIA define three modes of running ARIA within the SRTP protocol, (1) ARIA
in Counter Mode (ARIA-CTR), (2) ARIA in Counter with CBC-MAC Mode in Counter Mode (ARIA-CTR), (2) ARIA in Counter with CBC-MAC Mode
(ARIA-CCM) and (3) ARIA in Galois/Counter Mode (ARIA-GCM). (ARIA-CCM) and (3) ARIA in Galois/Counter Mode (ARIA-GCM).
2.1. ARIA-CTR 2.1. ARIA-CTR
Section 4.1.1 of [RFC3711] defines AES-128 counter mode encryption, Section 4.1.1 of [RFC3711] defines AES-128 counter mode encryption,
which it refers to as "AES_CM". Section 2 of [RFC6188] defines which it refers to as "AES_CM". Section 2 of [RFC6188] defines
"AES_192_CM" and "AES_256_CM" in SRTP. ARIA counter modes are "AES_192_CM" and "AES_256_CM" in SRTP. ARIA counter modes are
defined in the same manner except that each invocation of AES is defined in the same manner except that each invocation of AES is
replaced by that of ARIA, and are denoted by ARIA_128_CTR, replaced by that of ARIA [RFC5794], and are denoted by ARIA_128_CTR,
ARIA_192_CTR and ARIA_256_CTR respectively, according to the key ARIA_192_CTR and ARIA_256_CTR respectively, according to the key
lengths. The plaintext inputs to the block cipher are formed as in lengths. The plaintext inputs to the block cipher are formed as in
AES-CTR(AES_CM, AES_192_CM, AES_256_CM) and the block cipher outputs AES-CTR(AES_CM, AES_192_CM, AES_256_CM) and the block cipher outputs
are processed as in AES-CTR. are processed as in AES-CTR.
When ARIA-CTR is used, it MUST be used only in conjunction with an When ARIA-CTR is used, it MUST be used only in conjunction with an
authentication function. The ARIA-CTR crypto suites with HMAC-SHA1 authentication function. The ARIA-CTR crypto suites with HMAC-SHA1
as an authentication function are listed below. The authentication as an authentication function are listed below. The authentication
key length of all crypto suites is 20 octets. key length of all crypto suites is 20 octets.
Section 3.2 of [RFC6904] defines AES-CTR for SRTP header extension Section 3.2 of [RFC6904] defines AES-CTR for SRTP header extension
keystream generation. When ARIA-CTR is used, the header extension keystream generation. When ARIA-CTR is used, the header extension
keystream SHALL be generated in the same manner except that each keystream SHALL be generated in the same manner except that each
invocation of AES is replaced by that of ARIA. invocation of AES is replaced by that of ARIA [RFC5794].
+---------------------------+-----------------+------------------+ +---------------------------+-----------------+------------------+
| Name | Enc. Key Length | Auth. Tag Length | | Name | Enc. Key Length | Auth. Tag Length |
+---------------------------+-----------------+------------------+ +---------------------------+-----------------+------------------+
| ARIA_128_CTR_HMAC_SHA1_80 | 16 octets | 10 octets | | ARIA_128_CTR_HMAC_SHA1_80 | 16 octets | 10 octets |
| ARIA_128_CTR_HMAC_SHA1_32 | 16 octets | 4 octets | | ARIA_128_CTR_HMAC_SHA1_32 | 16 octets | 4 octets |
| ARIA_192_CTR_HMAC_SHA1_80 | 24 octets | 10 octets | | ARIA_192_CTR_HMAC_SHA1_80 | 24 octets | 10 octets |
| ARIA_192_CTR_HMAC_SHA1_32 | 24 octets | 4 octets | | ARIA_192_CTR_HMAC_SHA1_32 | 24 octets | 4 octets |
| ARIA_256_CTR_HMAC_SHA1_80 | 32 octets | 10 octets | | ARIA_256_CTR_HMAC_SHA1_80 | 32 octets | 10 octets |
| ARIA_256_CTR_HMAC_SHA1_32 | 32 octets | 4 octets | | ARIA_256_CTR_HMAC_SHA1_32 | 32 octets | 4 octets |
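Review bot: Section 2.1 gives encryption key and authentication tag lengths but never states the 112-bit salt that the DTLS-SRTP profiles later require ("cipher_salt_length: 112 bits"); since the salt enters the counter-mode IV construction inherited from AES_CM in [RFC3711], state it here next to the table so an implementer working from Section 2.1 alone forms the same block cipher inputs. The crypto-suite table is also unnumbered while the GCM and CCM tables are cited as "Table 8" and "Table 15"; give it a caption so the SDES and DTLS-SRTP sections can refer to it. Minor: "AES-CTR(AES_CM, AES_192_CM, AES_256_CM)" needs a space before the parenthesis.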
skipping to change at page 6, line 48 skipping to change at page 7, line 8
2.2. ARIA-GCM 2.2. ARIA-GCM
GCM(Galois Counter Mode) [GCM][RFC5116] is a AEAD(authenticated GCM(Galois Counter Mode) [GCM][RFC5116] is a AEAD(authenticated
encryption with associated data) block cipher mode. A detailed encryption with associated data) block cipher mode. A detailed
description of ARIA-GCM is defined similarly as AES-GCM found in description of ARIA-GCM is defined similarly as AES-GCM found in
[RFC5116][RFC5282]. [RFC5116][RFC5282].
The internet draft [I-D.ietf-avtcore-srtp-aes-gcm] describes the use The internet draft [I-D.ietf-avtcore-srtp-aes-gcm] describes the use
of AES-GCM with SRTP [RFC3711][RFC6904]. The use of ARIA-GCM with of AES-GCM with SRTP [RFC3711][RFC6904]. The use of ARIA-GCM with
SRTP is defined the same as that of AES-GCM except that each SRTP is defined the same as that of AES-GCM except that each
invocation of AES is replaced by ARIA. invocation of AES is replaced by ARIA [RFC5794]. When [RFC6904] is
in use, a separate keystream to encrypt selected RTP header extension
elements MUST be generated in the same manner defined in
[I-D.ietf-avtcore-srtp-aes-gcm] except that AES-CTR is replaced by
ARIA-CTR.
The ARIA-GCM algorithms in Table 8 may be used with SRTP and SRTCP: The ARIA-GCM algorithms in Table 8 may be used with SRTP and SRTCP:
+----------------------+-----------------+------------------+ +----------------------+-----------------+------------------+
| Name | Enc. Key Length | Auth. Tag Length | | Name | Enc. Key Length | Auth. Tag Length |
+----------------------+-----------------+------------------+ +----------------------+-----------------+------------------+
| AEAD_ARIA_128_GCM | 16 octets | 16 octets | | AEAD_ARIA_128_GCM | 16 octets | 16 octets |
| AEAD_ARIA_256_GCM | 32 octets | 16 octets | | AEAD_ARIA_256_GCM | 32 octets | 16 octets |
| AEAD_ARIA_128_GCM_8 | 16 octets | 8 octets | | AEAD_ARIA_128_GCM_8 | 16 octets | 8 octets |
| AEAD_ARIA_256_GCM_8 | 32 octets | 8 octets | | AEAD_ARIA_256_GCM_8 | 32 octets | 8 octets |
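Review bot: the MUST added at the end of the second paragraph ("a separate keystream to encrypt selected RTP header extension elements MUST be generated in the same manner defined in [I-D.ietf-avtcore-srtp-aes-gcm] except that AES-CTR is replaced by ARIA-CTR") points at an entire work-in-progress draft; cite the specific section that defines the header-extension keystream, and note that the document now cannot be published before that draft, since it has become a normative reference. Two smaller points: "is a AEAD" should be "is an AEAD", and the 8-octet-tag profiles AEAD_ARIA_128_GCM_8 and AEAD_ARIA_256_GCM_8 fall under the short-tag requirements of Appendix C of [GCM] (SP 800-38D), so the Security Considerations should state the resulting per-key limits or the maximum_lifetime values in Section 5.2 should reflect them.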
skipping to change at page 9, line 19 skipping to change at page 9, line 43
2.3. ARIA-CCM 2.3. ARIA-CCM
CCM(Counter with CBC-MAC) [RFC3610][RFC5116] is another AEAD block CCM(Counter with CBC-MAC) [RFC3610][RFC5116] is another AEAD block
cipher mode. A detailed description of ARIA-CCM is defined similarly cipher mode. A detailed description of ARIA-CCM is defined similarly
as AES-CCM found in [RFC5116] [RFC6655] as AES-CCM found in [RFC5116] [RFC6655]
[I-D.ietf-avtcore-srtp-aes-gcm]. [I-D.ietf-avtcore-srtp-aes-gcm].
The internet draft [I-D.ietf-avtcore-srtp-aes-gcm] describes the use The internet draft [I-D.ietf-avtcore-srtp-aes-gcm] describes the use
of AES-CCM with SRTP [RFC3711][RFC6904]. The use of ARIA-CCM with of AES-CCM with SRTP [RFC3711][RFC6904]. The use of ARIA-CCM with
SRTP is defined the same as that of AES-CCM except that each SRTP is defined the same as that of AES-CCM except that each
invocation of AES is replaced by ARIA. invocation of AES is replaced by ARIA [RFC5794]. When [RFC6904] is
in use, a separate keystream to encrypt selected RTP header extension
elements MUST be generated in the same manner defined in
[I-D.ietf-avtcore-srtp-aes-gcm] except that AES-CTR is replaced by
ARIA-CTR.
The ARIA-CCM algorithms in Table 15 may be used with SRTP and SRTCP: The ARIA-CCM algorithms in Table 15 may be used with SRTP and SRTCP:
+----------------------+-----------------+------------------+ +----------------------+-----------------+------------------+
| Name | Enc. Key Length | Auth. Tag Length | | Name | Enc. Key Length | Auth. Tag Length |
+----------------------+-----------------+------------------+ +----------------------+-----------------+------------------+
| AEAD_ARIA_128_CCM | 16 octets | 16 octets | | AEAD_ARIA_128_CCM | 16 octets | 16 octets |
| AEAD_ARIA_256_CCM | 32 octets | 16 octets | | AEAD_ARIA_256_CCM | 32 octets | 16 octets |
| AEAD_ARIA_128_CCM_8 | 16 octets | 8 octets | | AEAD_ARIA_128_CCM_8 | 16 octets | 8 octets |
| AEAD_ARIA_256_CCM_8 | 32 octets | 8 octets | | AEAD_ARIA_256_CCM_8 | 32 octets | 8 octets |
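Review bot: the added [RFC6904] sentence in the second paragraph repeats the one added to Section 2.2 word for word with only the mode name changed; state the header-extension keystream rule once (Section 2.1 already defines ARIA-CTR header-extension keystream generation) and have both AEAD sections refer to it, so a later edit cannot leave the two copies inconsistent. Minor: "[RFC5116] [RFC6655]" has a stray space between citations where Section 2.2 writes "[RFC5116][RFC5282]".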
skipping to change at page 13, line 14 skipping to change at page 13, line 28
"AEAD_ARIA_128_CCM_8" / "AEAD_ARIA_128_CCM_8" /
"AEAD_ARIA_256_CCM_8" / "AEAD_ARIA_256_CCM_8" /
"AEAD_ARIA_128_CCM_12" / "AEAD_ARIA_128_CCM_12" /
"AEAD_ARIA_256_CCM_12" / "AEAD_ARIA_256_CCM_12" /
srtp-crypto-suite-ext srtp-crypto-suite-ext
5.2. DTLS-SRTP 5.2. DTLS-SRTP
DTLS-SRTP [RFC5764] defines a DTLS-SRTP "SRTP Protection Profile". DTLS-SRTP [RFC5764] defines a DTLS-SRTP "SRTP Protection Profile".
In order to allow the use of the algorithms defined in this document In order to allow the use of the algorithms defined in this document
in DTLS-SRTP, IANA is requested to add the below crypto suite to the in DTLS-SRTP, IANA is requested to add the below protection profiles
"DTLS-SRTP Protection Profiles" created by [RFC5764], at time of to the "DTLS-SRTP Protection Profiles" created by [RFC5764], at time
writing located on the following IANA page: http://www.iana.org/ of writing located on the following IANA page: http://www.iana.org/
assignments/srtp-protection/srtp-protection.xml#srtp-protection-1 assignments/srtp-protection/srtp-protection.xml#srtp-protection-1
[2]. [2].
SRTP_ARIA_128_CTR_HMAC_SHA1_80 = {TBD,TBD} SRTP_ARIA_128_CTR_HMAC_SHA1_80 = {TBD,TBD}
SRTP_ARIA_128_CTR_HMAC_SHA1_32 = {TBD,TBD} SRTP_ARIA_128_CTR_HMAC_SHA1_32 = {TBD,TBD}
SRTP_ARIA_192_CTR_HMAC_SHA1_80 = {TBD,TBD} SRTP_ARIA_192_CTR_HMAC_SHA1_80 = {TBD,TBD}
SRTP_ARIA_192_CTR_HMAC_SHA1_32 = {TBD,TBD} SRTP_ARIA_192_CTR_HMAC_SHA1_32 = {TBD,TBD}
SRTP_ARIA_256_CTR_HMAC_SHA1_80 = {TBD,TBD} SRTP_ARIA_256_CTR_HMAC_SHA1_80 = {TBD,TBD}
SRTP_ARIA_256_CTR_HMAC_SHA1_32 = {TBD,TBD} SRTP_ARIA_256_CTR_HMAC_SHA1_32 = {TBD,TBD}
SRTP_AEAD_ARIA_128_GCM = {TBD,TBD} SRTP_AEAD_ARIA_128_GCM = {TBD,TBD}
skipping to change at page 14, line 49 skipping to change at page 15, line 13
auth_key_length: 160 bits auth_key_length: 160 bits
SRTP auth_tag_length: 32 bits SRTP auth_tag_length: 32 bits
SRTCP auth_tag_length: 80 bits SRTCP auth_tag_length: 80 bits
SRTP_ARIA_256_CTR_HMAC_SHA1_80 SRTP_ARIA_256_CTR_HMAC_SHA1_80
cipher: ARIA_256_CTR cipher: ARIA_256_CTR
cipher_key_length: 256 bits cipher_key_length: 256 bits
cipher_salt_length: 112 bits cipher_salt_length: 112 bits
maximum_lifetime: 2^31 packets maximum_lifetime: 2^31 packets
key derivation function: ARIA_256_CTR_PRF key derivation function: ARIA_256_CTR_PRF
auth_function: HMAC-SHA auth_function: HMAC-SHA1
auth_key_length: 160 bits auth_key_length: 160 bits
auth_tag_length: 80 bits auth_tag_length: 80 bits
SRTP_ARIA_256_CTR_HMAC_SHA1_32 SRTP_ARIA_256_CTR_HMAC_SHA1_32
cipher: ARIA_256_CTR cipher: ARIA_256_CTR
cipher_key_length: 128 bits cipher_key_length: 128 bits
cipher_salt_length: 112 bits cipher_salt_length: 112 bits
maximum_lifetime: 2^31 packets maximum_lifetime: 2^31 packets
key derivation function: ARIA_256_CTR_PRF key derivation function: ARIA_256_CTR_PRF
auth_function: HMAC-SHA1 auth_function: HMAC-SHA1
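Review bot: cipher_key_length for SRTP_ARIA_256_CTR_HMAC_SHA1_32 reads "128 bits" in both columns, but the profile's cipher is ARIA_256_CTR; the SRTP_ARIA_256_CTR_HMAC_SHA1_80 profile directly above gives 256 bits and the Section 2.1 table gives 32 octets for ARIA_256_CTR_HMAC_SHA1_32. Change it to 256 bits, otherwise an implementation following this profile verbatim derives a 128-bit key for a 256-bit cipher and will not interoperate with one that follows Section 2.1. The correction of "HMAC-SHA" to "HMAC-SHA1" in the _80 profile is good; the same field-by-field check should be run over the remaining CTR profiles.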
skipping to change at page 18, line 15 skipping to change at page 18, line 29
cipher_key_length: 256 bits cipher_key_length: 256 bits
cipher_salt_length: 96 bits cipher_salt_length: 96 bits
aead_auth_tag_length: 96 bits aead_auth_tag_length: 96 bits
auth_function: NULL auth_function: NULL
auth_key_length: N/A auth_key_length: N/A
auth_tag_length: N/A auth_tag_length: N/A
key derivation function: ARIA_256_CTR_PRF key derivation function: ARIA_256_CTR_PRF
maximum_lifetime: at most 2^31 SRTCP packets and maximum_lifetime: at most 2^31 SRTCP packets and
at most 2^48 SRTP packets at most 2^48 SRTP packets
Note that these SRTP Protection Profiles do not specify an Note that SRTP Protection Profiles which use AEAD algorithms do not
auth_function, auth_key_length, or auth_tag_length because all of specify an auth_function, auth_key_length, or auth_tag_length, since
these profiles use AEAD algorithms, and thus do not use a separate they do not use a separate auth_function, auth_key, or auth_tag. The
auth_function, auth_key, or auth_tag. The term aead_auth_tag_length term aead_auth_tag_length is used to emphasize that this refers to
is used to emphasize that this refers to the authentication tag the authentication tag provided by the AEAD algorithm and that this
provided by the AEAD algorithm and that this tag is not located in tag is not located in the authentication tag field provided by SRTP/
the authentication tag field provided by SRTP/SRTCP. SRTCP.
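Review bot: the AEAD profile lists "key derivation function" and "maximum_lifetime" after the auth_* fields, while the CTR profiles in the previous hunk list them before auth_function; use one field order across all profiles so the two families can be compared line by line. The rewritten note now scopes the absent auth_function, auth_key_length and auth_tag_length to profiles that use AEAD algorithms rather than to "these" profiles, which matches the N/A values shown above it.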
5.3. MIKEY 5.3. MIKEY
[RFC3830] and [RFC5748] define encryption algorithms and PRFs for the [RFC3830] and [RFC5748] define encryption algorithms and PRFs for the
SRTP policy in MIKEY. In order to allow the use of the algorithms SRTP policy in MIKEY. In order to allow the use of the algorithms
defined in this document in MIKEY, IANA is requested to add the below defined in this document in MIKEY, IANA is requested to add the below
crypto suites to the "MIKEY Security Protocol Parameters SRTP Type 0 three encryption algorithms to the "MIKEY Security Protocol
(Encryption algorithm)" and to add the below PRF to the "MIKEY Parameters SRTP Type 0 (Encryption algorithm)" and to add the below
Security Protocol Parameters SRTP Type 5 (Pseudo Random Function)" PRF to the "MIKEY Security Protocol Parameters SRTP Type 5 (Pseudo
created by [RFC3830], at time of writing located on the following Random Function)" created by [RFC3830], at time of writing located on
IANA page: http://www.iana.org/assignments/mikey-payloads/mikey- the following IANA page: http://www.iana.org/assignments/mikey-
payloads.xml#mikey-payloads-26 [3]. payloads/mikey-payloads.xml#mikey-payloads-26 [3].
+---------------+-------+ +---------------+-------+
| SRTP Enc. alg | Value | | SRTP Enc. alg | Value |
+---------------+-------+ +---------------+-------+
| ARIA-CTR | TBD | | ARIA-CTR | TBD |
| ARIA-CCM | TBD | | ARIA-CCM | TBD |
| ARIA-GCM | TBD | | ARIA-GCM | TBD |
+---------------+-------+ +---------------+-------+
Default session encryption key length is 16 octets. Default session encryption key length is 16 octets.
+----------+-------+ +----------+-------+
| SRTP PRF | Value | | SRTP PRF | Value |
+----------+-------+ +----------+-------+
| ARIA-CTR | TBD | | ARIA-CTR | TBD |
+----------+-------+ +----------+-------+
MIKEY specifies the algorithm family separately from the key length MIKEY specifies the algorithm family separately from the key length
(which is specified by the Session Encryption key length) and the (which is specified by the Session Encryption key length) and the
authentication tag length. authentication tag length. The SDP Security Descriptions [RFC4568]
crypto suits and corresponding DTLS-SRTP [RFC5764] protection
profiles are mapped to MIKEY parameter sets as shown below.
+--------------------------------------+ +--------------------------------------+
| Encryption | Encryption | Auth. | | Encryption | Encryption | Auth. |
| Algorithm | Key Length | Tag Length | | Algorithm | Key Length | Tag Length |
+======================================+ +======================================+
SRTP_ARIA_128_CTR_HMAC_80 | ARIA-CTR | 16 octets | 10 octets | SRTP_ARIA_128_CTR_HMAC_80 | ARIA-CTR | 16 octets | 10 octets |
SRTP_ARIA_128_CTR_HMAC_32 | ARIA-CTR | 16 octets | 4 octets | SRTP_ARIA_128_CTR_HMAC_32 | ARIA-CTR | 16 octets | 4 octets |
SRTP_ARIA_192_CTR_HMAC_80 | ARIA-CTR | 24 octets | 10 octets | SRTP_ARIA_192_CTR_HMAC_80 | ARIA-CTR | 24 octets | 10 octets |
SRTP_ARIA_192_CTR_HMAC_32 | ARIA-CTR | 24 octets | 4 octets | SRTP_ARIA_192_CTR_HMAC_32 | ARIA-CTR | 24 octets | 4 octets |
SRTP_ARIA_256_CTR_HMAC_80 | ARIA-CTR | 32 octets | 10 octets | SRTP_ARIA_256_CTR_HMAC_80 | ARIA-CTR | 32 octets | 10 octets |
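Review bot: "crypto suits" in the added sentence should be "crypto suites". The mapping table names the CTR entries SRTP_ARIA_128_CTR_HMAC_80 and so on, dropping the SHA1 component that both the SDES names (ARIA_128_CTR_HMAC_SHA1_80 in Section 2.1) and the DTLS-SRTP profile names (SRTP_ARIA_128_CTR_HMAC_SHA1_80 in Section 5.2) carry; since the sentence says this table maps exactly those suites and profiles, use the identical identifiers. The encryption-algorithm table registers ARIA-CTR, ARIA-CCM and ARIA-GCM but the PRF table registers only ARIA-CTR; that agrees with the profiles, which all use an ARIA_xxx_CTR_PRF key derivation function, but one sentence saying so would stop readers looking for GCM and CCM PRFs.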
skipping to change at page 20, line 4 skipping to change at page 20, line 9
SRTP_AEAD_ARIA_256_CCM | ARIA-CCM | 32 octets | 16 octets | SRTP_AEAD_ARIA_256_CCM | ARIA-CCM | 32 octets | 16 octets |
SRTP_AEAD_ARIA_256_GCM_12 | ARIA-GCM | 32 octets | 12 octets | SRTP_AEAD_ARIA_256_GCM_12 | ARIA-GCM | 32 octets | 12 octets |
SRTP_AEAD_ARIA_256_CCM_12 | ARIA-CCM | 32 octets | 12 octets | SRTP_AEAD_ARIA_256_CCM_12 | ARIA-CCM | 32 octets | 12 octets |
SRTP_AEAD_ARIA_256_GCM_8 | ARIA-GCM | 32 octets | 8 octets | SRTP_AEAD_ARIA_256_GCM_8 | ARIA-GCM | 32 octets | 8 octets |
SRTP_AEAD_ARIA_256_CCM_8 | ARIA-CCM | 32 octets | 8 octets | SRTP_AEAD_ARIA_256_CCM_8 | ARIA-CCM | 32 octets | 8 octets |
+======================================+ +======================================+
Figure 2: Mapping MIKEY parameters to AEAD algorithm Figure 2: Mapping MIKEY parameters to AEAD algorithm
6. References 6. References
6.1. Normative References 6.1. Normative References
[GCM] Dworkin, M., "Recommendation for Block Cipher Modes of [GCM] Dworkin, M., "Recommendation for Block Cipher Modes of
Operation: Galois/Counter Mode (GCM) and GMAC", NIST SP Operation: Galois/Counter Mode (GCM) and GMAC", NIST SP
800-38D, November 2007. 800-38D, November 2007.
[I-D.ietf-avtcore-srtp-aes-gcm]
McGrew, D. and K. Igoe, "AES-GCM and AES-CCM Authenticated
Encryption in Secure RTP (SRTP)", draft-ietf-avtcore-srtp-
aes-gcm-10 (work in progress), September 2013.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997. Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC3550] Schulzrinne, H., Casner, S., Frederick, R., and V. [RFC3550] Schulzrinne, H., Casner, S., Frederick, R., and V.
Jacobson, "RTP: A Transport Protocol for Real-Time Jacobson, "RTP: A Transport Protocol for Real-Time
Applications", STD 64, RFC 3550, July 2003. Applications", STD 64, RFC 3550, July 2003.
[RFC3711] Baugher, M., McGrew, D., Naslund, M., Carrara, E., and K. [RFC3711] Baugher, M., McGrew, D., Naslund, M., Carrara, E., and K.
Norrman, "The Secure Real-time Transport Protocol (SRTP)", Norrman, "The Secure Real-time Transport Protocol (SRTP)",
RFC 3711, March 2004. RFC 3711, March 2004.
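Review bot: the caption "Figure 2: Mapping MIKEY parameters to AEAD algorithm" does not describe the table, whose first rows are the ARIA-CTR with HMAC-SHA1 suites, which are not AEAD; retitle it along the lines of "Mapping of crypto suites and protection profiles to MIKEY parameters". Moving [I-D.ietf-avtcore-srtp-aes-gcm] and [RFC5794] into the normative references is right given the MUST statements in Sections 2.2 and 2.3 that depend on them, but the draft reference means this document cannot be published ahead of that draft; flag it in the shepherd write-up.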
skipping to change at page 20, line 41 skipping to change at page 21, line 5
[RFC5282] Black, D. and D. McGrew, "Using Authenticated Encryption [RFC5282] Black, D. and D. McGrew, "Using Authenticated Encryption
Algorithms with the Encrypted Payload of the Internet Key Algorithms with the Encrypted Payload of the Internet Key
Exchange version 2 (IKEv2) Protocol", RFC 5282, August Exchange version 2 (IKEv2) Protocol", RFC 5282, August
2008. 2008.
[RFC5764] McGrew, D. and E. Rescorla, "Datagram Transport Layer [RFC5764] McGrew, D. and E. Rescorla, "Datagram Transport Layer
Security (DTLS) Extension to Establish Keys for the Secure Security (DTLS) Extension to Establish Keys for the Secure
Real-time Transport Protocol (SRTP)", RFC 5764, May 2010. Real-time Transport Protocol (SRTP)", RFC 5764, May 2010.
[RFC5794] Lee, J., Lee, J., Kim, J., Kwon, D., and C. Kim, "A
Description of the ARIA Encryption Algorithm", RFC 5794,
March 2010.
[RFC6188] McGrew, D., "The Use of AES-192 and AES-256 in Secure [RFC6188] McGrew, D., "The Use of AES-192 and AES-256 in Secure
RTP", RFC 6188, March 2011. RTP", RFC 6188, March 2011.
[RFC6655] McGrew, D. and D. Bailey, "AES-CCM Cipher Suites for [RFC6655] McGrew, D. and D. Bailey, "AES-CCM Cipher Suites for
Transport Layer Security (TLS)", RFC 6655, July 2012. Transport Layer Security (TLS)", RFC 6655, July 2012.
[RFC6904] Lennox, J., "Encryption of Header Extensions in the Secure [RFC6904] Lennox, J., "Encryption of Header Extensions in the Secure
Real-time Transport Protocol (SRTP)", RFC 6904, April Real-time Transport Protocol (SRTP)", RFC 6904, April
2013. 2013.
6.2. Informative References 6.2. Informative References
[ARIAKS] Korean Agency for Technology and Standards, "128 bit block [ARIAKS] Korean Agency for Technology and Standards, "128 bit block
encryption algorithm ARIA - Part 1: General (in Korean)", encryption algorithm ARIA - Part 1: General (in Korean)",
KS X 1213-1:2009, December 2009. KS X 1213-1:2009, December 2009.
[ARIAPKCS] [ARIAPKCS]
RSA Laboratories, "Additional PKCS #11 Mechanisms", PKCS RSA Laboratories, "Additional PKCS #11 Mechanisms", PKCS
#11 v2.20 Amendment 3 Revision 1, January 2007. #11 v2.20 Amendment 3 Revision 1, January 2007.
[I-D.ietf-avtcore-srtp-aes-gcm]
McGrew, D. and K. Igoe, "AES-GCM and AES-CCM Authenticated
Encryption in Secure RTP (SRTP)", draft-ietf-avtcore-srtp-
aes-gcm-10 (work in progress), September 2013.
[RFC3610] Whiting, D., Housley, R., and N. Ferguson, "Counter with [RFC3610] Whiting, D., Housley, R., and N. Ferguson, "Counter with
CBC-MAC (CCM)", RFC 3610, September 2003. CBC-MAC (CCM)", RFC 3610, September 2003.
[RFC5748] Yoon, S., Jeong, J., Kim, H., Jeong, H., and Y. Won, "IANA [RFC5748] Yoon, S., Jeong, J., Kim, H., Jeong, H., and Y. Won, "IANA
Registry Update for Support of the SEED Cipher Algorithm Registry Update for Support of the SEED Cipher Algorithm
in Multimedia Internet KEYing (MIKEY)", RFC 5748, August in Multimedia Internet KEYing (MIKEY)", RFC 5748, August
2010. 2010.
[RFC5794] Lee, J., Lee, J., Kim, J., Kwon, D., and C. Kim, "A
Description of the ARIA Encryption Algorithm", RFC 5794,
March 2010.
[TSL] Tang, X., Sun, B., Li, R., Li, C., and J. Yin, "A meet-in- [TSL] Tang, X., Sun, B., Li, R., Li, C., and J. Yin, "A meet-in-
the-middle attack on reduced-round ARIA", The Journal of the-middle attack on reduced-round ARIA", The Journal of
Systems and Software Vol.84(10), pp. 1685-1692, October Systems and Software Vol.84(10), pp. 1685-1692, October
2011. 2011.
Appendix A. Test Vectors Appendix A. Test Vectors
All values are in hexadecimal and represented by the network order All values are in hexadecimal and represented by the network order
(called big endian). (called big endian).
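Review bot: removing the informative-reference entries for [I-D.ietf-avtcore-srtp-aes-gcm] and [RFC5794] is consistent with their new normative entries, so they are no longer listed twice. In Appendix A, "represented by the network order (called big endian)" reads awkwardly; "given in network byte order (big endian)" says the same thing.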