draft-ietf-avtcore-aria-srtp-08.txt   draft-ietf-avtcore-aria-srtp-09.txt 
AVTCore W. Kim AVTCore W. Kim
Internet-Draft J. Lee Internet-Draft J. Lee
Intended status: Informational J. Park Intended status: Informational J. Park
Expires: November 30, 2015 D. Kwon Expires: May 29, 2016 D. Kwon
NSRI NSRI
May 29, 2015 November 26, 2015
The ARIA Algorithm and Its Use with the Secure Real-time Transport The ARIA Algorithm and Its Use with the Secure Real-time Transport
Protocol(SRTP) Protocol(SRTP)
draft-ietf-avtcore-aria-srtp-08 draft-ietf-avtcore-aria-srtp-09
Abstract Abstract
This document defines the use of the ARIA block cipher algorithm This document defines the use of the ARIA block cipher algorithm
within the Secure Real-time Transport Protocol (SRTP) for providing within the Secure Real-time Transport Protocol (SRTP). It details
confidentiality for the Real-time Transport Protocol (RTP) traffic two modes of operation (CTR, GCM) and a SRTP Key Derivation Function
and for the control traffic for RTP, the RTP Control Protocol (RTCP). for ARIA. Additionally, this document defines DTLS-SRTP protection
It details two modes of operation (CTR, GCM) and a SRTP Key profiles and MIKEY parameter sets for the use with ARIA.
Derivation Function for ARIA. Additionally, this document defines
DTLS-SRTP protection profiles and MIKEY parameter sets for the use
with ARIA.
Status of This Memo Status of This Memo
This Internet-Draft is submitted in full conformance with the This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79. provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on November 30, 2015. This Internet-Draft will expire on May 29, 2016.
Copyright Notice Copyright Notice
Copyright (c) 2015 IETF Trust and the persons identified as the Copyright (c) 2015 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License. described in the Simplified BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
1.1. ARIA . . . . . . . . . . . . . . . . . . . . . . . . . . 3 1.1. ARIA . . . . . . . . . . . . . . . . . . . . . . . . . . 2
1.2. Terminology . . . . . . . . . . . . . . . . . . . . . . . 3 1.2. Terminology . . . . . . . . . . . . . . . . . . . . . . . 3
2. Cryptographic Transforms . . . . . . . . . . . . . . . . . . 3 2. Cryptographic Transforms . . . . . . . . . . . . . . . . . . 3
2.1. ARIA-CTR . . . . . . . . . . . . . . . . . . . . . . . . 3 2.1. ARIA-CTR . . . . . . . . . . . . . . . . . . . . . . . . 3
2.2. ARIA-GCM . . . . . . . . . . . . . . . . . . . . . . . . 4 2.2. ARIA-GCM . . . . . . . . . . . . . . . . . . . . . . . . 3
3. Key Derivation Functions . . . . . . . . . . . . . . . . . . 4 3. Key Derivation Functions . . . . . . . . . . . . . . . . . . 4
4. Protection Profiles . . . . . . . . . . . . . . . . . . . . . 4 4. Protection Profiles . . . . . . . . . . . . . . . . . . . . . 4
5. Security Considerations . . . . . . . . . . . . . . . . . . . 8 5. Security Considerations . . . . . . . . . . . . . . . . . . . 7
6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 8 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 8
6.1. DTLS-SRTP . . . . . . . . . . . . . . . . . . . . . . . . 8 6.1. DTLS-SRTP . . . . . . . . . . . . . . . . . . . . . . . . 8
6.2. MIKEY . . . . . . . . . . . . . . . . . . . . . . . . . . 9 6.2. MIKEY . . . . . . . . . . . . . . . . . . . . . . . . . . 8
7. References . . . . . . . . . . . . . . . . . . . . . . . . . 9 7. References . . . . . . . . . . . . . . . . . . . . . . . . . 9
7.1. Normative References . . . . . . . . . . . . . . . . . . 9 7.1. Normative References . . . . . . . . . . . . . . . . . . 9
7.2. Informative References . . . . . . . . . . . . . . . . . 10 7.2. Informative References . . . . . . . . . . . . . . . . . 10
Appendix A. Test Vectors . . . . . . . . . . . . . . . . . . . . 12 Appendix A. Test Vectors . . . . . . . . . . . . . . . . . . . . 11
A.1. ARIA-CTR Test Vectors . . . . . . . . . . . . . . . . . . 12 A.1. ARIA-CTR Test Vectors . . . . . . . . . . . . . . . . . . 11
A.1.1. SRTP_ARIA_128_CTR_HMAC_SHA1_80 . . . . . . . . . . . 12 A.1.1. SRTP_ARIA_128_CTR_HMAC_SHA1_80 . . . . . . . . . . . 11
A.1.2. SRTP_ARIA_192_CTR_HMAC_SHA1_80 . . . . . . . . . . . 13 A.1.2. SRTP_ARIA_192_CTR_HMAC_SHA1_80 . . . . . . . . . . . 12
A.1.3. SRTP_ARIA_256_CTR_HMAC_SHA1_80 . . . . . . . . . . . 14 A.1.3. SRTP_ARIA_256_CTR_HMAC_SHA1_80 . . . . . . . . . . . 13
A.2. ARIA-GCM Test Vectors . . . . . . . . . . . . . . . . . . 15 A.2. ARIA-GCM Test Vectors . . . . . . . . . . . . . . . . . . 14
A.2.1. SRTP_AEAD_ARIA_128_GCM . . . . . . . . . . . . . . . 16 A.2.1. SRTP_AEAD_ARIA_128_GCM . . . . . . . . . . . . . . . 15
A.2.2. SRTP_AEAD_ARIA_256_GCM . . . . . . . . . . . . . . . 16 A.2.2. SRTP_AEAD_ARIA_256_GCM . . . . . . . . . . . . . . . 15
A.3. Key Derivation Test Vector . . . . . . . . . . . . . . . 17 A.3. Key Derivation Test Vector . . . . . . . . . . . . . . . 16
A.3.1. ARIA_128_CTR_PRF . . . . . . . . . . . . . . . . . . 17 A.3.1. ARIA_128_CTR_PRF . . . . . . . . . . . . . . . . . . 16
A.3.2. ARIA_192_CTR_PRF . . . . . . . . . . . . . . . . . . 18 A.3.2. ARIA_192_CTR_PRF . . . . . . . . . . . . . . . . . . 17
A.3.3. ARIA_256_CTR_PRF . . . . . . . . . . . . . . . . . . 20 A.3.3. ARIA_256_CTR_PRF . . . . . . . . . . . . . . . . . . 19
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 21 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 20
1. Introduction 1. Introduction
This document defines the use of the ARIA [RFC5794] block cipher This document defines the use of the ARIA [RFC5794] block cipher
algorithm in the Secure Real-time Transport Protocol (SRTP) [RFC3711] algorithm in the Secure Real-time Transport Protocol (SRTP) [RFC3711]
for providing confidentiality for the Real-time Transport Protocol for providing confidentiality for the Real-time Transport Protocol
(RTP) [RFC3550] traffic and for the control traffic for RTP, the RTP (RTP) [RFC3550] traffic and for the RTP Control Protocol (RTCP)
Control Protocol (RTCP) [RFC3550]. [RFC3550] traffic.
1.1. ARIA 1.1. ARIA
ARIA is a general-purpose block cipher algorithm developed by Korean ARIA is a general-purpose block cipher algorithm developed by Korean
cryptographers in 2003. It is an iterated block cipher with 128-, cryptographers in 2003. It is an iterated block cipher with 128-,
192-, and 256-bit keys and encrypts 128-bit blocks in 12, 14, and 16 192-, and 256-bit keys and encrypts 128-bit blocks in 12, 14, and 16
rounds, depending on the key size. It is secure and suitable for rounds, depending on the key size. It is secure and suitable for
most software and hardware implementations on 32-bit and 8-bit most software and hardware implementations on 32-bit and 8-bit
processors. It was established as a Korean standard block cipher processors. It was established as a Korean standard block cipher
algorithm in 2004 [ARIAKS] and has been widely used in Korea, algorithm in 2004 [ARIAKS] and has been widely used in Korea,
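Review bot: The rewritten abstract in -09 reads "a SRTP Key Derivation Function" and "for the use with ARIA"; suggest "an SRTP Key Derivation Function" and "for use with ARIA". The title line "Protocol(SRTP)" is also missing a space before the parenthesis in both revisions. The shortened abstract no longer says what the transforms protect, so a reader now has to reach the Introduction to learn that the goal is confidentiality for RTP and RTCP traffic; consider keeping a short clause to that effect.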
skipping to change at page 5, line 6 skipping to change at page 4, line 48
the values to which they refer. The maximum_lifetime parameter the values to which they refer. The maximum_lifetime parameter
indicates the maximum number of packets that can be protected with indicates the maximum number of packets that can be protected with
each single set of keys when the parameter profile is in use. All of each single set of keys when the parameter profile is in use. All of
these parameters apply to both RTP and RTCP, unless the RTCP these parameters apply to both RTP and RTCP, unless the RTCP
parameters are separately specified. parameters are separately specified.
SRTP_ARIA_128_CTR_HMAC_SHA1_80 SRTP_ARIA_128_CTR_HMAC_SHA1_80
cipher: ARIA_128_CTR cipher: ARIA_128_CTR
cipher_key_length: 128 bits cipher_key_length: 128 bits
cipher_salt_length: 112 bits cipher_salt_length: 112 bits
maximum_lifetime: 2^31 packets
key derivation function: ARIA_128_CTR_PRF key derivation function: ARIA_128_CTR_PRF
auth_function: HMAC-SHA1 auth_function: HMAC-SHA1
auth_key_length: 160 bits auth_key_length: 160 bits
auth_tag_length: 80 bits auth_tag_length: 80 bits
maximum_lifetime: at most 2^31 SRTCP packets and
at most 2^48 SRTP packets
SRTP_ARIA_128_CTR_HMAC_SHA1_32 SRTP_ARIA_128_CTR_HMAC_SHA1_32
cipher: ARIA_128_CTR cipher: ARIA_128_CTR
cipher_key_length: 128 bits cipher_key_length: 128 bits
cipher_salt_length: 112 bits cipher_salt_length: 112 bits
maximum_lifetime: 2^31 packets
key derivation function: ARIA_128_CTR_PRF key derivation function: ARIA_128_CTR_PRF
auth_function: HMAC-SHA1 auth_function: HMAC-SHA1
auth_key_length: 160 bits auth_key_length: 160 bits
SRTP auth_tag_length: 32 bits SRTP auth_tag_length: 32 bits
SRTCP auth_tag_length: 80 bits SRTCP auth_tag_length: 80 bits
maximum_lifetime: at most 2^31 SRTCP packets and
at most 2^48 SRTP packets
SRTP_ARIA_192_CTR_HMAC_SHA1_80 SRTP_ARIA_192_CTR_HMAC_SHA1_80
cipher: ARIA_192_CTR cipher: ARIA_192_CTR
cipher_key_length: 192 bits cipher_key_length: 192 bits
cipher_salt_length: 112 bits cipher_salt_length: 112 bits
maximum_lifetime: 2^31 packets
key derivation function: ARIA_192_CTR_PRF key derivation function: ARIA_192_CTR_PRF
auth_function: HMAC-SHA1 auth_function: HMAC-SHA1
auth_key_length: 160 bits auth_key_length: 160 bits
auth_tag_length: 80 bits auth_tag_length: 80 bits
maximum_lifetime: at most 2^31 SRTCP packets and
at most 2^48 SRTP packets
SRTP_ARIA_192_CTR_HMAC_SHA1_32 SRTP_ARIA_192_CTR_HMAC_SHA1_32
cipher: ARIA_192_CTR cipher: ARIA_192_CTR
cipher_key_length: 192 bits cipher_key_length: 192 bits
cipher_salt_length: 112 bits cipher_salt_length: 112 bits
maximum_lifetime: 2^31 packets
key derivation function: ARIA_192_CTR_PRF key derivation function: ARIA_192_CTR_PRF
auth_function: HMAC-SHA1 auth_function: HMAC-SHA1
auth_key_length: 160 bits auth_key_length: 160 bits
SRTP auth_tag_length: 32 bits SRTP auth_tag_length: 32 bits
SRTCP auth_tag_length: 80 bits SRTCP auth_tag_length: 80 bits
maximum_lifetime: at most 2^31 SRTCP packets and
at most 2^48 SRTP packets
SRTP_ARIA_256_CTR_HMAC_SHA1_80 SRTP_ARIA_256_CTR_HMAC_SHA1_80
cipher: ARIA_256_CTR cipher: ARIA_256_CTR
cipher_key_length: 256 bits cipher_key_length: 256 bits
cipher_salt_length: 112 bits cipher_salt_length: 112 bits
maximum_lifetime: 2^31 packets
key derivation function: ARIA_256_CTR_PRF key derivation function: ARIA_256_CTR_PRF
auth_function: HMAC-SHA1 auth_function: HMAC-SHA1
auth_key_length: 160 bits auth_key_length: 160 bits
auth_tag_length: 80 bits auth_tag_length: 80 bits
maximum_lifetime: at most 2^31 SRTCP packets and
at most 2^48 SRTP packets
SRTP_ARIA_256_CTR_HMAC_SHA1_32 SRTP_ARIA_256_CTR_HMAC_SHA1_32
cipher: ARIA_256_CTR cipher: ARIA_256_CTR
cipher_key_length: 128 bits cipher_key_length: 256 bits
cipher_salt_length: 112 bits cipher_salt_length: 112 bits
maximum_lifetime: 2^31 packets
key derivation function: ARIA_256_CTR_PRF key derivation function: ARIA_256_CTR_PRF
auth_function: HMAC-SHA1 auth_function: HMAC-SHA1
auth_key_length: 160 bits auth_key_length: 160 bits
SRTP auth_tag_length: 32 bits SRTP auth_tag_length: 32 bits
SRTCP auth_tag_length: 80 bits SRTCP auth_tag_length: 80 bits
maximum_lifetime: at most 2^31 SRTCP packets and
at most 2^48 SRTP packets
SRTP_AEAD_ARIA_128_GCM SRTP_AEAD_ARIA_128_GCM
cipher: ARIA_128_GCM cipher: ARIA_128_GCM
cipher_key_length: 128 bits cipher_key_length: 128 bits
cipher_salt_length: 96 bits cipher_salt_length: 96 bits
aead_auth_tag_length: 128 bits aead_auth_tag_length: 128 bits
auth_function: NULL auth_function: NULL
auth_key_length: N/A auth_key_length: N/A
auth_tag_length: N/A auth_tag_length: N/A
key derivation function: ARIA_128_CTR_PRF key derivation function: ARIA_128_CTR_PRF
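Review bot: The definition of maximum_lifetime at the top of this region still describes a single "maximum number of packets that can be protected with each single set of keys", while every CTR profile in -09 now carries two limits ("at most 2^31 SRTCP packets and at most 2^48 SRTP packets"). Suggest rewording the definition to say that the limit is given separately for SRTP and SRTCP. The cipher_key_length correction from 128 to 256 bits in SRTP_ARIA_256_CTR_HMAC_SHA1_32 is needed, since the -08 value contradicted the ARIA_256_CTR cipher named two lines above it.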
skipping to change at page 6, line 41 skipping to change at page 6, line 41
cipher_key_length: 256 bits cipher_key_length: 256 bits
cipher_salt_length: 96 bits cipher_salt_length: 96 bits
aead_auth_tag_length: 128 bits aead_auth_tag_length: 128 bits
auth_function: NULL auth_function: NULL
auth_key_length: N/A auth_key_length: N/A
auth_tag_length: N/A auth_tag_length: N/A
key derivation function: ARIA_256_CTR_PRF key derivation function: ARIA_256_CTR_PRF
maximum_lifetime: at most 2^31 SRTCP packets and maximum_lifetime: at most 2^31 SRTCP packets and
at most 2^48 SRTP packets at most 2^48 SRTP packets
SRTP_AEAD_ARIA_128_GCM_8
cipher: ARIA_128_GCM
cipher_key_length: 128 bits
cipher_salt_length: 96 bits
aead_auth_tag_length: 64 bits
auth_function: NULL
auth_key_length: N/A
auth_tag_length: N/A
key derivation function: ARIA_128_CTR_PRF
maximum_lifetime: at most 2^31 SRTCP packets and
at most 2^48 SRTP packets
The ARIA-CTR protection profiles use the same authentication The ARIA-CTR protection profiles use the same authentication
transform that is mandatory to implement in SRTP, HMAC-SHA1 with a transform that is mandatory to implement in SRTP, HMAC-SHA1 with a
160-bit key. 160-bit key.
Note that SRTP Protection Profiles which use AEAD algorithms do not Note that SRTP Protection Profiles which use AEAD algorithms do not
specify an auth_function, auth_key_length, or auth_tag_length, since specify an auth_function, auth_key_length, or auth_tag_length, since
they do not use a separate auth_function, auth_key, or auth_tag. The they do not use a separate auth_function, auth_key, or auth_tag. The
term aead_auth_tag_length is used to emphasize that this refers to term aead_auth_tag_length is used to emphasize that this refers to
the authentication tag provided by the AEAD algorithm and that this the authentication tag provided by the AEAD algorithm and that this
tag is not located in the authentication tag field provided by SRTP/ tag is not located in the authentication tag field provided by SRTP/
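Review bot: Dropping SRTP_AEAD_ARIA_128_GCM_8 from the profile list needs a matching sweep of the sections this diff skips over. The visible regions agree with the removal (the Figure 2 row, the IANA entry in 6.1 and the truncation sentence in A.2 are all gone in -09), but any remaining mention of a 64-bit or 8-octet AEAD tag elsewhere would now refer to a profile that no longer exists.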
skipping to change at page 8, line 4 skipping to change at page 7, line 32
+======================================+ +======================================+
SRTP_ARIA_128_CTR_HMAC_80 | ARIA-CTR | 16 octets | 10 octets | SRTP_ARIA_128_CTR_HMAC_80 | ARIA-CTR | 16 octets | 10 octets |
SRTP_ARIA_128_CTR_HMAC_32 | ARIA-CTR | 16 octets | 4 octets | SRTP_ARIA_128_CTR_HMAC_32 | ARIA-CTR | 16 octets | 4 octets |
SRTP_ARIA_192_CTR_HMAC_80 | ARIA-CTR | 24 octets | 10 octets | SRTP_ARIA_192_CTR_HMAC_80 | ARIA-CTR | 24 octets | 10 octets |
SRTP_ARIA_192_CTR_HMAC_32 | ARIA-CTR | 24 octets | 4 octets | SRTP_ARIA_192_CTR_HMAC_32 | ARIA-CTR | 24 octets | 4 octets |
SRTP_ARIA_256_CTR_HMAC_80 | ARIA-CTR | 32 octets | 10 octets | SRTP_ARIA_256_CTR_HMAC_80 | ARIA-CTR | 32 octets | 10 octets |
SRTP_ARIA_256_CTR_HMAC_32 | ARIA-CTR | 32 octets | 4 octets | SRTP_ARIA_256_CTR_HMAC_32 | ARIA-CTR | 32 octets | 4 octets |
+======================================+ +======================================+
Figure 1: Mapping MIKEY parameters to ARIA-CTR with HMAC algorithm Figure 1: Mapping MIKEY parameters to ARIA-CTR with HMAC algorithm
+--------------------------------------+ +--------------------------------------+
| Encryption | Encryption | AEAD Auth. | | Encryption | Encryption | AEAD Auth. |
| Algorithm | Key Length | Tag Length | | Algorithm | Key Length | Tag Length |
+======================================+ +======================================+
SRTP_AEAD_ARIA_128_GCM | ARIA-GCM | 16 octets | 16 octets | SRTP_AEAD_ARIA_128_GCM | ARIA-GCM | 16 octets | 16 octets |
SRTP_AEAD_ARIA_128_GCM_8 | ARIA-GCM | 16 octets | 8 octets |
SRTP_AEAD_ARIA_256_GCM | ARIA-GCM | 32 octets | 16 octets | SRTP_AEAD_ARIA_256_GCM | ARIA-GCM | 32 octets | 16 octets |
+======================================+ +======================================+
Figure 2: Mapping MIKEY parameters to AEAD algorithm Figure 2: Mapping MIKEY parameters to AEAD algorithm
5. Security Considerations 5. Security Considerations
At the time of writing this document no security problem has been At the time of writing this document no security problem has been
found on ARIA (see [TSL]). found on ARIA (see [TSL]).
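Review bot: The row labels in Figure 1 (SRTP_ARIA_128_CTR_HMAC_80, SRTP_ARIA_128_CTR_HMAC_32 and the 192/256 equivalents) omit SHA1, while Section 4 and the IANA list in 6.1 name the same profiles SRTP_ARIA_128_CTR_HMAC_SHA1_80 and so on. Both revisions carry the mismatch; suggest using the full profile names in the figure so the MIKEY mapping can be matched to the DTLS-SRTP profiles by exact name.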
skipping to change at page 8, line 46 skipping to change at page 8, line 27
http://www.iana.org/assignments/srtp-protection/ . http://www.iana.org/assignments/srtp-protection/ .
SRTP_ARIA_128_CTR_HMAC_SHA1_80 = {TBD,TBD} SRTP_ARIA_128_CTR_HMAC_SHA1_80 = {TBD,TBD}
SRTP_ARIA_128_CTR_HMAC_SHA1_32 = {TBD,TBD} SRTP_ARIA_128_CTR_HMAC_SHA1_32 = {TBD,TBD}
SRTP_ARIA_192_CTR_HMAC_SHA1_80 = {TBD,TBD} SRTP_ARIA_192_CTR_HMAC_SHA1_80 = {TBD,TBD}
SRTP_ARIA_192_CTR_HMAC_SHA1_32 = {TBD,TBD} SRTP_ARIA_192_CTR_HMAC_SHA1_32 = {TBD,TBD}
SRTP_ARIA_256_CTR_HMAC_SHA1_80 = {TBD,TBD} SRTP_ARIA_256_CTR_HMAC_SHA1_80 = {TBD,TBD}
SRTP_ARIA_256_CTR_HMAC_SHA1_32 = {TBD,TBD} SRTP_ARIA_256_CTR_HMAC_SHA1_32 = {TBD,TBD}
SRTP_AEAD_ARIA_128_GCM = {TBD,TBD} SRTP_AEAD_ARIA_128_GCM = {TBD,TBD}
SRTP_AEAD_ARIA_256_GCM = {TBD,TBD} SRTP_AEAD_ARIA_256_GCM = {TBD,TBD}
SRTP_AEAD_ARIA_128_GCM_8 = {TBD,TBD}
6.2. MIKEY 6.2. MIKEY
[RFC3830] and [RFC5748] define encryption algorithms and PRFs for the [RFC3830] and [RFC5748] define encryption algorithms and PRFs for the
SRTP policy in MIKEY. In order to allow the use of the algorithms SRTP policy in MIKEY. In order to allow the use of the algorithms
defined in this document in MIKEY, IANA is requested to add the below defined in this document in MIKEY, IANA is requested to add the below
three encryption algorithms to the "MIKEY Security Protocol three encryption algorithms to the "MIKEY Security Protocol
Parameters SRTP Type 0 (Encryption algorithm)" and to add the below Parameters SRTP Type 0 (Encryption algorithm)" and to add the below
PRF to the "MIKEY Security Protocol Parameters SRTP Type 5 (Pseudo PRF to the "MIKEY Security Protocol Parameters SRTP Type 5 (Pseudo
Random Function)" created by [RFC3830], at time of writing located on Random Function)" created by [RFC3830], at time of writing located on
skipping to change at page 9, line 37 skipping to change at page 9, line 16
| SRTP PRF | Value | | SRTP PRF | Value |
+----------+-------+ +----------+-------+
| ARIA-CTR | TBD | | ARIA-CTR | TBD |
+----------+-------+ +----------+-------+
7. References 7. References
7.1. Normative References 7.1. Normative References
[GCM] Dworkin, M., "Recommendation for Block Cipher Modes of [GCM] Dworkin, M., "Recommendation for Block Cipher Modes of
Operation: Galois/Counter Mode (GCM) and GMAC", NIST SP Operation: Galois/Counter Mode (GCM) and GMAC", NIST
800-38D, November 2007. SP 800-38D, November 2007.
[I-D.ietf-avtcore-srtp-aes-gcm] [I-D.ietf-avtcore-srtp-aes-gcm]
McGrew, D. and K. Igoe, "AES-GCM Authenticated Encryption McGrew, D. and K. Igoe, "AES-GCM Authenticated Encryption
in Secure RTP (SRTP)", draft-ietf-avtcore-srtp-aes-gcm-15 in Secure RTP (SRTP)", draft-ietf-avtcore-srtp-aes-gcm-17
(work in progress), April 2015. (work in progress), June 2015.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997. Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997,
<http://www.rfc-editor.org/info/rfc2119>.
[RFC3550] Schulzrinne, H., Casner, S., Frederick, R., and V. [RFC3550] Schulzrinne, H., Casner, S., Frederick, R., and V.
Jacobson, "RTP: A Transport Protocol for Real-Time Jacobson, "RTP: A Transport Protocol for Real-Time
Applications", STD 64, RFC 3550, July 2003. Applications", STD 64, RFC 3550, DOI 10.17487/RFC3550,
July 2003, <http://www.rfc-editor.org/info/rfc3550>.
[RFC3711] Baugher, M., McGrew, D., Naslund, M., Carrara, E., and K. [RFC3711] Baugher, M., McGrew, D., Naslund, M., Carrara, E., and K.
Norrman, "The Secure Real-time Transport Protocol (SRTP)", Norrman, "The Secure Real-time Transport Protocol (SRTP)",
RFC 3711, March 2004. RFC 3711, DOI 10.17487/RFC3711, March 2004,
<http://www.rfc-editor.org/info/rfc3711>.
[RFC3830] Arkko, J., Carrara, E., Lindholm, F., Naslund, M., and K. [RFC3830] Arkko, J., Carrara, E., Lindholm, F., Naslund, M., and K.
Norrman, "MIKEY: Multimedia Internet KEYing", RFC 3830, Norrman, "MIKEY: Multimedia Internet KEYing", RFC 3830,
August 2004. DOI 10.17487/RFC3830, August 2004,
<http://www.rfc-editor.org/info/rfc3830>.
[RFC5116] McGrew, D., "An Interface and Algorithms for Authenticated [RFC5116] McGrew, D., "An Interface and Algorithms for Authenticated
Encryption", RFC 5116, January 2008. Encryption", RFC 5116, DOI 10.17487/RFC5116, January 2008,
<http://www.rfc-editor.org/info/rfc5116>.
[RFC5282] Black, D. and D. McGrew, "Using Authenticated Encryption [RFC5282] Black, D. and D. McGrew, "Using Authenticated Encryption
Algorithms with the Encrypted Payload of the Internet Key Algorithms with the Encrypted Payload of the Internet Key
Exchange version 2 (IKEv2) Protocol", RFC 5282, August Exchange version 2 (IKEv2) Protocol", RFC 5282,
2008. DOI 10.17487/RFC5282, August 2008,
<http://www.rfc-editor.org/info/rfc5282>.
[RFC5764] McGrew, D. and E. Rescorla, "Datagram Transport Layer [RFC5764] McGrew, D. and E. Rescorla, "Datagram Transport Layer
Security (DTLS) Extension to Establish Keys for the Secure Security (DTLS) Extension to Establish Keys for the Secure
Real-time Transport Protocol (SRTP)", RFC 5764, May 2010. Real-time Transport Protocol (SRTP)", RFC 5764,
DOI 10.17487/RFC5764, May 2010,
<http://www.rfc-editor.org/info/rfc5764>.
[RFC6188] McGrew, D., "The Use of AES-192 and AES-256 in Secure [RFC6188] McGrew, D., "The Use of AES-192 and AES-256 in Secure
RTP", RFC 6188, March 2011. RTP", RFC 6188, DOI 10.17487/RFC6188, March 2011,
<http://www.rfc-editor.org/info/rfc6188>.
[RFC6904] Lennox, J., "Encryption of Header Extensions in the Secure [RFC6904] Lennox, J., "Encryption of Header Extensions in the Secure
Real-time Transport Protocol (SRTP)", RFC 6904, April Real-time Transport Protocol (SRTP)", RFC 6904,
2013. DOI 10.17487/RFC6904, April 2013,
<http://www.rfc-editor.org/info/rfc6904>.
7.2. Informative References 7.2. Informative References
[ARIAKS] Korean Agency for Technology and Standards, "128 bit block [ARIAKS] Korean Agency for Technology and Standards, "128 bit block
encryption algorithm ARIA - Part 1: General (in Korean)", encryption algorithm ARIA - Part 1: General (in Korean)",
KS X 1213-1:2009, December 2009. KS X 1213-1:2009, December 2009.
[ARIAPKCS] [ARIAPKCS]
RSA Laboratories, "Additional PKCS #11 Mechanisms", PKCS RSA Laboratories, "Additional PKCS #11 Mechanisms",
#11 v2.20 Amendment 3 Revision 1, January 2007. PKCS #11 v2.20 Amendment 3 Revision 1, January 2007.
[RFC5748] Yoon, S., Jeong, J., Kim, H., Jeong, H., and Y. Won, "IANA [RFC5748] Yoon, S., Jeong, J., Kim, H., Jeong, H., and Y. Won, "IANA
Registry Update for Support of the SEED Cipher Algorithm Registry Update for Support of the SEED Cipher Algorithm
in Multimedia Internet KEYing (MIKEY)", RFC 5748, August in Multimedia Internet KEYing (MIKEY)", RFC 5748,
2010. DOI 10.17487/RFC5748, August 2010,
<http://www.rfc-editor.org/info/rfc5748>.
[RFC5794] Lee, J., Lee, J., Kim, J., Kwon, D., and C. Kim, "A [RFC5794] Lee, J., Lee, J., Kim, J., Kwon, D., and C. Kim, "A
Description of the ARIA Encryption Algorithm", RFC 5794, Description of the ARIA Encryption Algorithm", RFC 5794,
March 2010. DOI 10.17487/RFC5794, March 2010,
<http://www.rfc-editor.org/info/rfc5794>.
[TSL] Tang, X., Sun, B., Li, R., Li, C., and J. Yin, "A meet-in- [TSL] Tang, X., Sun, B., Li, R., Li, C., and J. Yin, "A meet-in-
the-middle attack on reduced-round ARIA", The Journal of the-middle attack on reduced-round ARIA", The Journal of
Systems and Software Vol.84(10), pp. 1685-1692, October Systems and Software Vol.84(10), pp. 1685-1692, October
2011. 2011.
Appendix A. Test Vectors Appendix A. Test Vectors
All values are in hexadecimal and represented by the network order All values are in hexadecimal and represented by the network order
(called big endian). (called big endian).
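Review bot: In 7.1, [I-D.ietf-avtcore-srtp-aes-gcm] remains a normative reference to a work in progress, now pinned at -17 (June 2015). The RFC Editor holds a document until its normative references are published, so this entry will have to become an RFC citation before this draft can be published. The DOI and rfc-editor.org URL additions are applied consistently to the RFC entries.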
skipping to change at page 16, line 24 skipping to change at page 15, line 24
5ae5fdd5fd5ac5d56ae56ad5c572d54a 5ae5fdd5fd5ac5d56ae56ad5c572d54a
e54ac55a956afd6aed5a4ac562957a95 e54ac55a956afd6aed5a4ac562957a95
16991691d572fd14e97ae962ed7a9f4a 16991691d572fd14e97ae962ed7a9f4a
955af572e162f57a956666e17ae1f54a 955af572e162f57a956666e17ae1f54a
95f566d54a66e16e4afd6a9f7ae1c5c5 95f566d54a66e16e4afd6a9f7ae1c5c5
5ae5d56afde916c5e94a6ec56695e14a 5ae5d56afde916c5e94a6ec56695e14a
fde1148416e94ad57ac5146ed59d1cc5 fde1148416e94ad57ac5146ed59d1cc5
Associated Data: 8008315ebf2e6fe020e8f5eb Associated Data: 8008315ebf2e6fe020e8f5eb
The length of encrypted payload is larger than that of payload by 16 The length of encrypted payload is larger than that of payload by 16
octets which the length of the tag from GCM. For other GCM octets which the length of the tag from GCM.
protection profiles with shorter tag length than 16 octets, test
vectors can be obtained by truncation from ARIA-GCM test verctors.
A.2.1. SRTP_AEAD_ARIA_128_GCM A.2.1. SRTP_AEAD_ARIA_128_GCM
Key: e91e5e75da65554a48181f3846349562 Key: e91e5e75da65554a48181f3846349562
Encrypted RTP Payload: 4d8a9a0675550c704b17d8c9ddc81a5c Encrypted RTP Payload: 4d8a9a0675550c704b17d8c9ddc81a5c
d6f7da34f2fe1b3db7cb3dfb9697102e d6f7da34f2fe1b3db7cb3dfb9697102e
a0f3c1fc2dbc873d44bceeae8e444297 a0f3c1fc2dbc873d44bceeae8e444297
4ba21ff6789d3272613fb9631a7cf3f1 4ba21ff6789d3272613fb9631a7cf3f1
4bacbeb421633a90ffbe58c2fa6bdca5 4bacbeb421633a90ffbe58c2fa6bdca5
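Review bot: The sentence kept in -09, "larger than that of payload by 16 octets which the length of the tag from GCM", is missing a verb; suggest "by 16 octets, which is the length of the tag from GCM". Removing the truncation sentence is consistent with dropping the 8-octet-tag profile, and it also takes the "verctors" typo with it.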
 End of changes. 43 change blocks. 
74 lines changed or deleted 75 lines changed or added
