Diff of draft-ietf-avtcore-aria-srtp-09.txt (November 26, 2015) against draft-ietf-avtcore-aria-srtp-10.txt (June 30, 2017); the text below is that of draft-10.

AVTCore                                   W. Kim
Internet-Draft                            J. Lee
Intended status: Informational            J. Park
Expires: January 1, 2018                  D. Kwon
                                          NSRI
                                          D. Kim
                                          Kookmin Univ.
                                          June 30, 2017

The ARIA Algorithm and Its Use with the Secure Real-time Transport
Protocol (SRTP)
draft-ietf-avtcore-aria-srtp-10
Abstract

This document defines the use of the ARIA block cipher algorithm
within the Secure Real-time Transport Protocol (SRTP). It details
two modes of operation (CTR, GCM) and the SRTP Key Derivation
Functions for ARIA. Additionally, this document defines DTLS-SRTP
protection profiles and MIKEY parameter sets for the use with ARIA.
Status of This Memo

This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.

Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."

This Internet-Draft will expire on January 1, 2018.
Copyright Notice

Copyright (c) 2017 IETF Trust and the persons identified as the
document authors. All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Table of Contents

1. Introduction
   1.1. ARIA
   1.2. Terminology
2. Cryptographic Transforms
   2.1. ARIA-CTR
   2.2. ARIA-GCM
3. Key Derivation Functions
4. Protection Profiles
5. Security Considerations
6. IANA Considerations
   6.1. DTLS-SRTP
   6.2. MIKEY
7. References
   7.1. Normative References
   7.2. Informative References
Appendix A. Test Vectors
   A.1. ARIA-CTR Test Vectors
      A.1.1. SRTP_ARIA_128_CTR_HMAC_SHA1_80
      A.1.2. SRTP_ARIA_192_CTR_HMAC_SHA1_80
      A.1.3. SRTP_ARIA_256_CTR_HMAC_SHA1_80
   A.2. ARIA-GCM Test Vectors
      A.2.1. SRTP_AEAD_ARIA_128_GCM
      A.2.2. SRTP_AEAD_ARIA_256_GCM
   A.3. Key Derivation Test Vector
      A.3.1. ARIA_128_CTR_PRF
      A.3.2. ARIA_192_CTR_PRF
      A.3.3. ARIA_256_CTR_PRF
Authors' Addresses
1. Introduction

This document defines the use of the ARIA [RFC5794] block cipher
algorithm in the Secure Real-time Transport Protocol (SRTP) [RFC3711]
for providing confidentiality for the Real-time Transport Protocol
(RTP) [RFC3550] traffic and for the RTP Control Protocol (RTCP)
[RFC3550] traffic.

1.1. ARIA

(unchanged text omitted; draft-10 resumes at page 3, line 40)

in Counter Mode (ARIA-CTR) and (2) ARIA in Galois/Counter Mode
(ARIA-GCM).
2.1. ARIA-CTR

Section 4.1.1 of [RFC3711] defines AES-128 counter mode encryption,
which it refers to as "AES_CM". Section 2 of [RFC6188] defines
"AES_192_CM" and "AES_256_CM" in SRTP. ARIA counter modes are
defined in the same manner except that each invocation of AES is
replaced by that of ARIA [RFC5794], and are denoted by ARIA_128_CTR,
ARIA_192_CTR, and ARIA_256_CTR, respectively, according to the key
lengths. The plaintext inputs to the block cipher (the counter
blocks) are formed as in AES-CTR (AES_CM, AES_192_CM, AES_256_CM) and
the block cipher outputs are processed as in AES-CTR. Note that
ARIA-CTR, like any counter mode, provides no integrity protection of
its own and MUST be used only in conjunction with an authentication
transform.

Section 3.2 of [RFC6904] defines AES-CTR for SRTP header extension
keystream generation. When ARIA-CTR is used, the header extension
keystream SHALL be generated in the same manner except that each
invocation of AES is replaced by that of ARIA [RFC5794].
2.2. ARIA-GCM

GCM (Galois/Counter Mode) [GCM][RFC5116] is an AEAD (Authenticated
Encryption with Associated Data) block cipher mode. ARIA-GCM is
defined in the same way as AES-GCM in [RFC5116][RFC5282], with each
invocation of AES replaced by that of ARIA.

[RFC7714] describes the use of AES-GCM with SRTP [RFC3711][RFC6904].
The use of ARIA-GCM with SRTP is defined the same as that of AES-GCM
except that each invocation of AES is replaced by ARIA [RFC5794].
When encryption of header extensions [RFC6904] is in use, a separate
keystream to encrypt selected RTP header extension elements MUST be
generated in the same manner defined in [RFC7714] except that AES-CTR
is replaced by ARIA-CTR.
3. Key Derivation Functions

Section 4.3.3 of [RFC3711] defines the AES-128 counter mode key
derivation function, which it refers to as "AES-CM PRF". Section 3
of [RFC6188] defines the AES-192 counter mode key derivation function
and the AES-256 counter mode key derivation function, which it refers
to as "AES_192_CM_PRF" and "AES_256_CM_PRF" respectively. The ARIA-
CTR PRF is defined in the same manner except that each invocation of
AES is replaced by that of ARIA. According to the key length of the
underlying encryption algorithm, the ARIA-CTR PRFs are denoted by
"ARIA_128_CTR_PRF", "ARIA_192_CTR_PRF" and "ARIA_256_CTR_PRF". The
usage requirements of [RFC6188][RFC7714] regarding the AES-CM PRF
apply to the ARIA-CTR PRF as well.
4. Protection Profiles

This section defines SRTP Protection Profiles that use the ARIA
transforms and key derivation functions defined in this document.
The following list indicates the SRTP transform parameters for each
protection profile. Those are described for use with DTLS-SRTP
[RFC5764].

The parameters cipher_key_length, cipher_salt_length,

(unchanged text omitted; draft-10 resumes at page 6, line 50)

   auth_key_length: N/A
   auth_tag_length: N/A
   key derivation function: ARIA_256_CTR_PRF
   maximum_lifetime: at most 2^31 SRTCP packets and
                     at most 2^48 SRTP packets
The ARIA-CTR protection profiles use the same authentication
transform that is mandatory to implement in SRTP, HMAC-SHA1 with a
160-bit key.

Note that SRTP Protection Profiles that use AEAD algorithms do not
specify an auth_function, auth_key_length, or auth_tag_length, since
they do not use a separate auth_function, auth_key, or auth_tag. The
term aead_auth_tag_length is used to emphasize that this refers to
the authentication tag provided by the AEAD algorithm and that this
tag is not located in the authentication tag field provided by SRTP/
SRTCP.

The PRF of each ARIA protection profile is the ARIA-CTR PRF whose key
length equals that of the profile's encryption algorithm (see
Section 2). SRTP_ARIA_128_CTR_HMAC and SRTP_AEAD_ARIA_128_GCM MUST
use the ARIA_128_CTR_PRF Key Derivation Function.
SRTP_ARIA_192_CTR_HMAC MUST use the ARIA_192_CTR_PRF Key Derivation
Function. SRTP_ARIA_256_CTR_HMAC and SRTP_AEAD_ARIA_256_GCM MUST use
the ARIA_256_CTR_PRF Key Derivation Function.

MIKEY specifies the SRTP protection profile definition separately
from the key length (which is specified by the Session Encryption key
length) and the authentication tag length. The DTLS-SRTP [RFC5764]
protection profiles are mapped to MIKEY parameter sets as shown
below.
                           +--------------------------------------+
                           | Encryption | Encryption | Auth.      |
                           | Algorithm  | Key Length | Tag Length |

(unchanged text omitted; draft-10 resumes at page 8, line 8)

                           +======================================+
   SRTP_AEAD_ARIA_128_GCM  | ARIA-GCM   | 16 octets  | 16 octets  |
   SRTP_AEAD_ARIA_256_GCM  | ARIA-GCM   | 32 octets  | 16 octets  |
                           +======================================+

           Figure 2: Mapping MIKEY parameters to AEAD algorithm
5. Security Considerations

At the time of writing, no attack on the full-round ARIA cipher is
known; the published cryptanalysis, summarized in [ATY], concerns
round-reduced variants.

The security considerations in [GCM] [RFC3711] [RFC5116] [RFC6188]
[RFC6904] [RFC7714] apply to this document as well. Protection
profiles with a short tag length (the HMAC_SHA1_32 profiles) may be
considered for the specific application environments stated in
Section 7.5 of [RFC3711], but the risk of weak authentication
described in Section 9.5.1 of [RFC3711] should be taken into account.
6. IANA Considerations

6.1. DTLS-SRTP

DTLS-SRTP [RFC5764] defines a DTLS-SRTP "SRTP Protection Profile".
In order to allow the use of the algorithms defined in this document
in DTLS-SRTP, IANA is requested to add the protection profiles below
to the "DTLS-SRTP Protection Profiles" created by [RFC5764], located
on the following IANA page at time of writing:
http://www.iana.org/assignments/srtp-protection/.

   SRTP_ARIA_128_CTR_HMAC_SHA1_80 = {TBD,TBD}
   SRTP_ARIA_128_CTR_HMAC_SHA1_32 = {TBD,TBD}
   SRTP_ARIA_192_CTR_HMAC_SHA1_80 = {TBD,TBD}
   SRTP_ARIA_192_CTR_HMAC_SHA1_32 = {TBD,TBD}
   SRTP_ARIA_256_CTR_HMAC_SHA1_80 = {TBD,TBD}
   SRTP_ARIA_256_CTR_HMAC_SHA1_32 = {TBD,TBD}
   SRTP_AEAD_ARIA_128_GCM         = {TBD,TBD}
   SRTP_AEAD_ARIA_256_GCM         = {TBD,TBD}
6.2. MIKEY

[RFC3830] and [RFC5748] define encryption algorithms and PRFs for the
SRTP policy in MIKEY. In order to allow the use of the algorithms
defined in this document in MIKEY, IANA is requested to add the two
encryption algorithms below to the "MIKEY Security Protocol
Parameters SRTP Type 0 (Encryption algorithm)" and to add the PRF
below to the "MIKEY Security Protocol Parameters SRTP Type 5 (Pseudo
Random Function)" created by [RFC3830], located on the following IANA
page at time of writing: http://www.iana.org/assignments/mikey-
payloads/.

   +---------------+-------+
   | SRTP Enc. alg | Value |
   +---------------+-------+
   | ARIA-CTR      | TBD   |
   | ARIA-GCM      | TBD   |
   +---------------+-------+

   Default session encryption key length is 16 octets.

(unchanged text omitted; draft-10 resumes at page 9, line 28)

   +----------+-------+
7. References

7.1. Normative References

[GCM]      Dworkin, M., "Recommendation for Block Cipher Modes of
           Operation: Galois/Counter Mode (GCM) and GMAC", NIST
           SP 800-38D, November 2007.

[RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
           Requirement Levels", BCP 14, RFC 2119,
           DOI 10.17487/RFC2119, March 1997,
           <http://www.rfc-editor.org/info/rfc2119>.

[RFC3550]  Schulzrinne, H., Casner, S., Frederick, R., and V.
           Jacobson, "RTP: A Transport Protocol for Real-Time
           Applications", STD 64, RFC 3550, DOI 10.17487/RFC3550,
           July 2003, <http://www.rfc-editor.org/info/rfc3550>.

(unchanged text omitted; draft-10 resumes at page 10, line 17)

           Exchange version 2 (IKEv2) Protocol", RFC 5282,
           DOI 10.17487/RFC5282, August 2008,
           <http://www.rfc-editor.org/info/rfc5282>.

[RFC5764]  McGrew, D. and E. Rescorla, "Datagram Transport Layer
           Security (DTLS) Extension to Establish Keys for the Secure
           Real-time Transport Protocol (SRTP)", RFC 5764,
           DOI 10.17487/RFC5764, May 2010,
           <http://www.rfc-editor.org/info/rfc5764>.

[RFC5794]  Lee, J., Lee, J., Kim, J., Kwon, D., and C. Kim, "A
           Description of the ARIA Encryption Algorithm", RFC 5794,
           DOI 10.17487/RFC5794, March 2010,
           <http://www.rfc-editor.org/info/rfc5794>.

[RFC6188]  McGrew, D., "The Use of AES-192 and AES-256 in Secure
           RTP", RFC 6188, DOI 10.17487/RFC6188, March 2011,
           <http://www.rfc-editor.org/info/rfc6188>.

[RFC6904]  Lennox, J., "Encryption of Header Extensions in the Secure
           Real-time Transport Protocol (SRTP)", RFC 6904,
           DOI 10.17487/RFC6904, April 2013,
           <http://www.rfc-editor.org/info/rfc6904>.

[RFC7714]  McGrew, D. and K. Igoe, "AES-GCM Authenticated Encryption
           in the Secure Real-time Transport Protocol (SRTP)",
           RFC 7714, DOI 10.17487/RFC7714, December 2015,
           <http://www.rfc-editor.org/info/rfc7714>.
7.2. Informative References

[ARIAKS]   Korean Agency for Technology and Standards, "128 bit block
           encryption algorithm ARIA - Part 1: General (in Korean)",
           KS X 1213-1:2009, December 2009.

[ARIAPKCS] RSA Laboratories, "Additional PKCS #11 Mechanisms",
           PKCS #11 v2.20 Amendment 3 Revision 1, January 2007.

[ATY]      Abdelkhalek, A., Tolba, M., and A. Youssef, "Improved
           linear cryptanalysis of round-reduced ARIA", Information
           Security - ISC 2016, Lecture Notes in Computer Science
           (LNCS) Vol. 9866, pp. 18-34, September 2016.

[RFC5748]  Yoon, S., Jeong, J., Kim, H., Jeong, H., and Y. Won, "IANA
           Registry Update for Support of the SEED Cipher Algorithm
           in Multimedia Internet KEYing (MIKEY)", RFC 5748,
           DOI 10.17487/RFC5748, August 2010,
           <http://www.rfc-editor.org/info/rfc5748>.
Appendix A. Test Vectors

All values are in hexadecimal and represented in network byte order
(big endian).

A.1. ARIA-CTR Test Vectors

Common values are organized as follows:

   Rollover Counter: 00000000

(unchanged text omitted; draft-10 resumes at page 16, line 24)
                    5ae5fdd5fd5ac5d56ae56ad5c572d54a
                    e54ac55a956afd6aed5a4ac562957a95
                    16991691d572fd14e97ae962ed7a9f4a
                    955af572e162f57a956666e17ae1f54a
                    95f566d54a66e16e4afd6a9f7ae1c5c5
                    5ae5d56afde916c5e94a6ec56695e14a
                    fde1148416e94ad57ac5146ed59d1cc5
   Associated Data: 8008315ebf2e6fe020e8f5eb

The encrypted payload is 16 octets longer than the payload; the
additional 16 octets are the authentication tag produced by GCM,
which is appended to the ciphertext.
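As an added example (not part of the draft or its test vectors), the following Go program shows the AEAD framing the paragraph above describes: the RTP header is the associated data, the payload is encrypted, and the 16-octet tag is appended to the ciphertext, with the 12-octet IV built from the session salt, SSRC, ROC and sequence number as in Section 8.1 of [RFC7714]. The Go standard library has no ARIA, so AES-128 is used as the block cipher; because the code relies only on the `cipher.Block` interface, substituting an ARIA implementation (assumed to come from a third-party package, none is named here) yields ARIA-GCM with no other change. The key and RTP header are taken from the A.2 vectors above; the salt and payload are constructed for the example, and the function names are the example's own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
)

// srtpGCMIV forms the 12-octet AEAD IV of RFC 7714 Section 8.1:
// (00 00 || SSRC || ROC || SEQ) XOR session salt.
func srtpGCMIV(salt []byte, ssrc, roc uint32, seq uint16) ([12]byte, error) {
	var iv [12]byte
	if len(salt) != 12 {
		return iv, errors.New("GCM session salt must be 12 octets")
	}
	binary.BigEndian.PutUint32(iv[2:6], ssrc)
	binary.BigEndian.PutUint32(iv[6:10], roc)
	binary.BigEndian.PutUint16(iv[10:12], seq)
	for i := range iv {
		iv[i] ^= salt[i]
	}
	return iv, nil
}

// rtpHeaderLen returns the length of the RTP header (fixed part, CSRC list
// and, if the X bit is set, the header extension) per RFC 3550 Section 5.
// Everything before the payload is the associated data of the AEAD.
func rtpHeaderLen(pkt []byte) (int, error) {
	if len(pkt) < 12 || pkt[0]>>6 != 2 {
		return 0, errors.New("not an RTP version 2 packet")
	}
	n := 12 + 4*int(pkt[0]&0x0f)
	if pkt[0]&0x10 != 0 {
		if len(pkt) < n+4 {
			return 0, errors.New("truncated header extension")
		}
		n += 4 + 4*int(binary.BigEndian.Uint16(pkt[n+2:n+4]))
	}
	if len(pkt) < n {
		return 0, errors.New("truncated RTP header")
	}
	return n, nil
}

// ProtectSRTP encrypts the payload of pkt with the GCM AEAD built on blk and
// appends the 16-octet tag after the ciphertext; the header is authenticated
// as associated data and copied in the clear. With an AES cipher.Block this
// is the RFC 7714 transform; with an ARIA cipher.Block (assumed to come from a
// third-party package) it is SRTP_AEAD_ARIA_128/256_GCM.
func ProtectSRTP(blk cipher.Block, salt []byte, roc uint32, pkt []byte) ([]byte, error) {
	hl, err := rtpHeaderLen(pkt)
	if err != nil {
		return nil, err
	}
	iv, err := srtpGCMIV(salt, binary.BigEndian.Uint32(pkt[8:12]), roc, binary.BigEndian.Uint16(pkt[2:4]))
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(blk)
	if err != nil {
		return nil, err
	}
	out := make([]byte, hl, len(pkt)+aead.Overhead())
	copy(out, pkt[:hl])
	return aead.Seal(out, iv[:], pkt[hl:], pkt[:hl]), nil
}

// UnprotectSRTP reverses ProtectSRTP. Any change to the header or payload,
// or a wrong ROC, makes the tag check fail and no plaintext is returned.
func UnprotectSRTP(blk cipher.Block, salt []byte, roc uint32, pkt []byte) ([]byte, error) {
	hl, err := rtpHeaderLen(pkt)
	if err != nil {
		return nil, err
	}
	iv, err := srtpGCMIV(salt, binary.BigEndian.Uint32(pkt[8:12]), roc, binary.BigEndian.Uint16(pkt[2:4]))
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(blk)
	if err != nil {
		return nil, err
	}
	out := make([]byte, hl, len(pkt))
	copy(out, pkt[:hl])
	return aead.Open(out, iv[:], pkt[hl:], pkt[:hl])
}

func main() {
	// Constructed inputs: the key and 12-octet RTP header of the A.2 vectors,
	// a made-up 12-octet salt and a short made-up payload.
	key, _ := hex.DecodeString("e91e5e75da65554a48181f3846349562")
	salt, _ := hex.DecodeString("a0a1a2a3a4a5a6a7a8a9aaab")
	pkt, _ := hex.DecodeString("8008315ebf2e6fe020e8f5eb" + "f57af5fd4ae19562976ec57a5a7ad55a")
	blk, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	prot, err := ProtectSRTP(blk, salt, 0, pkt)
	if err != nil {
		panic(err)
	}
	fmt.Printf("protected: %d octets = %d + 16-octet tag\n%x\n", len(prot), len(pkt), prot)
	prot[1] ^= 0x01 // flip a header bit: the associated data no longer matches
	if _, err := UnprotectSRTP(blk, salt, 0, prot); err != nil {
		fmt.Println("tampered header rejected:", err)
	}
}
```

The ROC is not carried in the packet, so the receiver must track it per SSRC exactly as for the CTR profiles; a receiver that guesses it wrong simply fails the tag check. SRTCP uses a different IV layout (the E bit and 31-bit SRTCP index replace ROC and SEQ) and is not shown here.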
A.2.1. SRTP_AEAD_ARIA_128_GCM

   Key:                   e91e5e75da65554a48181f3846349562
   Encrypted RTP Payload: 4d8a9a0675550c704b17d8c9ddc81a5c
                          d6f7da34f2fe1b3db7cb3dfb9697102e
                          a0f3c1fc2dbc873d44bceeae8e444297
                          4ba21ff6789d3272613fb9631a7cf3f1
                          4bacbeb421633a90ffbe58c2fa6bdca5

(unchanged text omitted; draft-10 resumes at page 17, line 22)

                          083d66363a46e3726af217d3a00275ad
                          5bf772c7610ea4c23006878f0ee69a83
                          97703169a419303f40b72e4573714d19
                          e2697df61e7c7252e5abc6bade876ac4
                          961bfac4d5e867afca351a48aed52822
                          e210d6ced2cf430ff841472915e7ef48
A.3. Key Derivation Test Vector

This section provides test vectors for the default key derivation
function, which uses ARIA in Counter Mode. In the following, we walk
through the initial key derivation for the ARIA Counter Mode cipher,
which requires a 16/24/32 octet session encryption key (according to
the session encryption key length) and a 14 octet session salt, and
for an authentication function that requires a 94 octet session
authentication key. These values are called the cipher key, the
cipher salt, and the auth key in the following. (The 94 octet auth
key length follows the [RFC3711] key derivation test vectors; the
HMAC-SHA1 transform of the protection profiles in Section 4 uses a
160-bit key.) The test vectors are generated in the same way as the
key derivation test vectors in [RFC3711] and [RFC6188] but with each
invocation of AES replaced by an invocation of ARIA.
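The walk-through that follows, and the counter-mode construction of Sections 2.1 and 3, can be reproduced with the following added Go example, which is not part of the draft. It implements the SRTP counter-mode PRF of [RFC3711] Section 4.3.1 / [RFC6188] Section 3 and the per-packet IV of [RFC3711] Section 4.1.1 over any 128-bit `cipher.Block`. The Go standard library has no ARIA, so the program runs with AES-128 and is checked against the [RFC3711] Appendix B.3 values (same master salt, index and labels as the vectors below); an ARIA `cipher.Block` from a third-party package (an assumption; none is named) would produce the ARIA_*_CTR_PRF values of A.3.1 to A.3.3. Function names are the example's own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
)

// ctrKeystream runs a 128-bit block cipher in SRTP counter mode (RFC 3711
// Section 4.1.1): iv is the first counter block and only its low 16 bits are
// incremented, mod 2^16, for each further block.
func ctrKeystream(blk cipher.Block, iv [16]byte, n int) []byte {
	out := make([]byte, 0, n+16)
	ctr := iv
	var ks [16]byte
	for len(out) < n {
		blk.Encrypt(ks[:], ctr[:])
		out = append(out, ks[:]...)
		binary.BigEndian.PutUint16(ctr[14:], binary.BigEndian.Uint16(ctr[14:])+1)
	}
	return out[:n]
}

// SRTPCounterIV forms the per-packet IV of RFC 3711 Section 4.1.1:
// IV = (salt * 2^16) XOR (SSRC * 2^64) XOR (index * 2^16), with the 48-bit
// packet index ROC || SEQ. In octets: salt in 0..13, SSRC XORed into 4..7,
// index XORed into 8..13, and the 16-bit block counter in 14..15.
func SRTPCounterIV(salt []byte, ssrc, roc uint32, seq uint16) ([16]byte, error) {
	var iv [16]byte
	if len(salt) != 14 {
		return iv, errors.New("CTR session salt must be 14 octets")
	}
	copy(iv[:14], salt)
	var idx [10]byte // SSRC || ROC || SEQ, XORed over octets 4..13
	binary.BigEndian.PutUint32(idx[0:4], ssrc)
	binary.BigEndian.PutUint32(idx[4:8], roc)
	binary.BigEndian.PutUint16(idx[8:10], seq)
	for i, b := range idx {
		iv[4+i] ^= b
	}
	return iv, nil
}

// srtpPRF is the counter-mode key derivation PRF of RFC 3711 Section 4.3.1
// (RFC 6188 Section 3 for 192/256-bit keys): x = master_salt XOR
// (label || index DIV kdr), and the first n octets of counter-mode keystream
// from IV = x * 2^16 under the master key are the derived value. With an
// ARIA cipher.Block (assumed to come from a third-party package) this is
// ARIA_128/192/256_CTR_PRF.
func srtpPRF(blk cipher.Block, masterSalt []byte, label byte, indexDivKdr uint64, n int) ([]byte, error) {
	if blk.BlockSize() != 16 || len(masterSalt) != 14 || indexDivKdr >= 1<<48 {
		return nil, errors.New("need a 128-bit block cipher, a 14-octet master salt and a 48-bit index DIV kdr")
	}
	// key_id = label (1 octet) || r (6 octets) is right-aligned in the salt,
	// so it is XORed into octets 7..13 of x.
	var keyID [8]byte
	binary.BigEndian.PutUint64(keyID[:], indexDivKdr)
	keyID[1] = label
	var iv [16]byte
	copy(iv[:14], masterSalt)
	for i := 1; i < 8; i++ {
		iv[6+i] ^= keyID[i]
	}
	return ctrKeystream(blk, iv, n), nil
}

// DeriveSessionKeys runs the PRF for labels 0x00 (encryption key), 0x01
// (authentication key) and 0x02 (salt). saltLen is 14 for the CTR profiles
// and 12 for the GCM profiles; authLen is 0 for GCM, which has no separate
// authentication key.
func DeriveSessionKeys(blk cipher.Block, masterSalt []byte, indexDivKdr uint64, keyLen, authLen, saltLen int) (cipherKey, authKey, cipherSalt []byte, err error) {
	prf := func(label byte, n int) []byte {
		v, e := srtpPRF(blk, masterSalt, label, indexDivKdr, n)
		if e != nil {
			err = e
		}
		return v
	}
	cipherKey, authKey, cipherSalt = prf(0x00, keyLen), prf(0x01, authLen), prf(0x02, saltLen)
	return
}

func main() {
	// Master key and salt of the RFC 3711 Appendix B.3 vector; the ARIA
	// vectors below use the same salt, index (0) and labels.
	masterKey, _ := hex.DecodeString("E1F97A0D3E018BE0D64FA32C06DE4139")
	masterSalt, _ := hex.DecodeString("0EC675AD498AFEEBB6960B3AABE6")
	blk, err := aes.NewCipher(masterKey)
	if err != nil {
		panic(err)
	}
	ck, ak, cs, err := DeriveSessionKeys(blk, masterSalt, 0, 16, 94, 14)
	if err != nil {
		panic(err)
	}
	fmt.Printf("cipher key:  %x\ncipher salt: %x\nauth key:    %x\n", ck, cs, ak)
	sess, _ := aes.NewCipher(ck)
	iv, _ := SRTPCounterIV(cs, 0xcafebabe, 0, 1)
	fmt.Printf("IV (SSRC cafebabe, ROC 0, SEQ 1): %x\nkeystream: %x\n", iv, ctrKeystream(sess, iv, 16))
}
```

Two points the walk-through relies on are visible in the code: the label lands on octet 7 of the salt (which is why the label 02 vectors show ...FEEB becoming ...FEE9), and a derived value longer than one block, such as the 24- and 32-octet ARIA-192/256 cipher keys, is produced by incrementing the 16-bit counter in the last two octets of x*2^16.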
A.3.1. ARIA_128_CTR_PRF

The inputs to the key derivation function are the 16 octet master key
and the 14 octet master salt:

(unchanged text omitted; draft-10 resumes at page 18, line 5)

   index DIV kdr:                 000000000000
   label:                                   00
   master salt:   0ec675ad498afeebb6960b3aabe6
   -----------------------------------------------
   xor:           0ec675ad498afeebb6960b3aabe6     (x, PRF input)
   x*2^16:        0ec675ad498afeebb6960b3aabe60000 (ARIA-CTR input)
   cipher key:    dbd85a3c4d9219b3e81f7d942e299de4 (ARIA-CTR output)

The ARIA-CTR protection profiles require a 14 octet cipher salt while
the ARIA-GCM protection profiles require a 12 octet cipher salt; in
both cases the salt is the leading octets of the PRF output below.

   index DIV kdr:                 000000000000
   label:                                   02
   master salt:   0ec675ad498afeebb6960b3aabe6
   -----------------------------------------------
   xor:           0ec675ad498afee9b6960b3aabe6     (x, PRF input)
   x*2^16:        0ec675ad498afee9b6960b3aabe60000 (ARIA-CTR input)
                  9700657f5f34161830d7d85f5dc8be7f (ARIA-CTR output)
skipping to change at page 18, line 19 skipping to change at page 19, line 19
label: 00 label: 00
master salt: 0ec675ad498afeebb6960b3aabe6 master salt: 0ec675ad498afeebb6960b3aabe6
----------------------------------------------- -----------------------------------------------
xor: 0ec675ad498afeebb6960b3aabe6 (x, PRF input) xor: 0ec675ad498afeebb6960b3aabe6 (x, PRF input)
x*2^16: 0ec675ad498afeebb6960b3aabe60000 (ARIA-CTR input) x*2^16: 0ec675ad498afeebb6960b3aabe60000 (ARIA-CTR input)
cipher key: f320af2386a1cde64c3aa5f55d68002e (ARIA-CTR 1st output) cipher key: f320af2386a1cde64c3aa5f55d68002e (ARIA-CTR 1st output)
d13cbe548b627649 (ARIA-CTR 2nd Output) d13cbe548b627649 (ARIA-CTR 2nd Output)
ARIA-CTR protection profile requires 14 octet cipher salt. ARIA-CTR protection profile requires a 14 octet cipher salt.
index DIV kdr: 000000000000 index DIV kdr: 000000000000
label: 02 label: 02
master salt: 0ec675ad498afeebb6960b3aabe6 master salt: 0ec675ad498afeebb6960b3aabe6
---------------------------------------------- ----------------------------------------------
xor: 0ec675ad498afee9b6960b3aabe6 (x, PRF input) xor: 0ec675ad498afee9b6960b3aabe6 (x, PRF input)
x*2^16: 0ec675ad498afee9b6960b3aabe60000 (ARIA-CTR input) x*2^16: 0ec675ad498afee9b6960b3aabe60000 (ARIA-CTR input)
55c7e3555baf0fdc91c589cfb871b098 (ARIA-CTR output) 55c7e3555baf0fdc91c589cfb871b098 (ARIA-CTR output)
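Review bot: The ARIA-192 key vector shows a 16-octet "1st output" and an 8-octet "2nd Output" but does not say how they combine; add a sentence (or a combined "cipher key:" value) stating that the 24-octet key is the first output followed by the leftmost 8 octets of the second. Also lower-case "Output" on that row for consistency with "2nd output" in the ARIA-256 vector, and label the label 02 result line as "cipher salt:" as on the label 00 row.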
skipping to change at page 19, line 25 skipping to change at page 20, line 25
label: 00 label: 00
master salt: 0ec675ad498afeebb6960b3aabe6 master salt: 0ec675ad498afeebb6960b3aabe6
----------------------------------------------- -----------------------------------------------
xor: 0ec675ad498afeebb6960b3aabe6 (x, PRF input) xor: 0ec675ad498afeebb6960b3aabe6 (x, PRF input)
x*2^16: 0ec675ad498afeebb6960b3aabe60000 (ARIA-CTR input) x*2^16: 0ec675ad498afeebb6960b3aabe60000 (ARIA-CTR input)
cipher key: 0649a09d93755fe9c2b2efba1cce930a (ARIA-CTR 1st output) cipher key: 0649a09d93755fe9c2b2efba1cce930a (ARIA-CTR 1st output)
f2e76ce8b77e4b175950321aa94b0cf4 (ARIA-CTR 2nd output) f2e76ce8b77e4b175950321aa94b0cf4 (ARIA-CTR 2nd output)
ARIA-CTR protection profile requires 14 octet cipher salt while ARIA- ARIA-CTR protection profile requires a 14 octet cipher salt while
GCM protection profile requires 12 octet cipher salt. ARIA-GCM protection profile requires a 12 octet cipher salt.
index DIV kdr: 000000000000 index DIV kdr: 000000000000
label: 02 label: 02
master salt: 0ec675ad498afeebb6960b3aabe6 master salt: 0ec675ad498afeebb6960b3aabe6
---------------------------------------------- ----------------------------------------------
xor: 0ec675ad498afee9b6960b3aabe6 (x, PRF input) xor: 0ec675ad498afee9b6960b3aabe6 (x, PRF input)
x*2^16: 0ec675ad498afee9b6960b3aabe60000 (ARIA-CTR input) x*2^16: 0ec675ad498afee9b6960b3aabe60000 (ARIA-CTR input)
194abaa8553a8eba8a413a340fc80a3d (ARIA-CTR output) 194abaa8553a8eba8a413a340fc80a3d (ARIA-CTR output)
skipping to change at page 20, line 19 skipping to change at page 21, line 19
9ade3795cf78f3e0f2556d9d913470c4 0ec675ad498afeeab6960b3aabe60002 9ade3795cf78f3e0f2556d9d913470c4 0ec675ad498afeeab6960b3aabe60002
e82e45d254bfb8e2933851a3930ffe7d 0ec675ad498afeeab6960b3aabe60003 e82e45d254bfb8e2933851a3930ffe7d 0ec675ad498afeeab6960b3aabe60003
fca751c03ec1e77e35e28dac4f17d1a5 0ec675ad498afeeab6960b3aabe60004 fca751c03ec1e77e35e28dac4f17d1a5 0ec675ad498afeeab6960b3aabe60004
80bdac028766d3b1e8f5a41faa3c 0ec675ad498afeeab6960b3aabe60005 80bdac028766d3b1e8f5a41faa3c 0ec675ad498afeeab6960b3aabe60005
Authors' Addresses Authors' Addresses
Woo-Hwan Kim Woo-Hwan Kim
National Security Research Institute National Security Research Institute
P.O.Box 1, Yuseong P.O.Box 1, Yuseong
Daejeon 305-350 Daejeon 34188
Korea Korea
EMail: whkim5@ensec.re.kr EMail: whkim5@nsr.re.kr
Jungkeun Lee Jungkeun Lee
National Security Research Institute National Security Research Institute
P.O.Box 1, Yuseong P.O.Box 1, Yuseong
Daejeon 305-350 Daejeon 34188
Korea Korea
EMail: jklee@ensec.re.kr EMail: jklee@nsr.re.kr
Je-Hong Park Je-Hong Park
National Security Research Institute National Security Research Institute
P.O.Box 1, Yuseong P.O.Box 1, Yuseong
Daejeon 305-350 Daejeon 34188
Korea Korea
EMail: jhpark@ensec.re.kr EMail: jhpark@nsr.re.kr
Daesung Kwon Daesung Kwon
National Security Research Institute National Security Research Institute
P.O.Box 1, Yuseong P.O.Box 1, Yuseong
Daejeon 305-350 Daejeon 34188
Korea Korea
EMail: ds_kwon@ensec.re.kr EMail: ds_kwon@nsr.re.kr
Dong-Chan Kim
Kookmin University
77 Jeongneung-ro, Seongbuk-gu
Seoul 02707
Korea
EMail: dckim@kookmin.ac.kr
 End of changes. 39 change blocks. 
94 lines changed or deleted 95 lines changed or added

This html diff was produced by rfcdiff 1.45. The latest version is available from http://tools.ietf.org/tools/rfcdiff/