draft-ietf-avtcore-aria-srtp-10.txt   draft-ietf-avtcore-aria-srtp-11.txt 
AVTCore W. Kim AVTCore W. Kim
Internet-Draft J. Lee Internet-Draft J. Lee
Intended status: Informational J. Park Intended status: Informational J. Park
Expires: January 1, 2018 D. Kwon Expires: February 9, 2018 D. Kwon
NSRI NSRI
D. Kim D. Kim
Kookmin Univ. Kookmin Univ.
June 30, 2017 August 8, 2017
The ARIA Algorithm and Its Use with the Secure Real-time Transport The ARIA Algorithm and Its Use with the Secure Real-time Transport
Protocol(SRTP) Protocol(SRTP)
draft-ietf-avtcore-aria-srtp-10 draft-ietf-avtcore-aria-srtp-11
Abstract Abstract
This document defines the use of the ARIA block cipher algorithm This document defines the use of the ARIA block cipher algorithm
within the Secure Real-time Transport Protocol (SRTP). It details within the Secure Real-time Transport Protocol (SRTP). It details
two modes of operation (CTR, GCM) and the SRTP Key Derivation two modes of operation (CTR, GCM) and the SRTP Key Derivation
Functions for ARIA. Additionally, this document defines DTLS-SRTP Functions for ARIA. Additionally, this document defines DTLS-SRTP
protection profiles and MIKEY parameter sets for the use with ARIA. protection profiles and MIKEY parameter sets for the use with ARIA.
Status of This Memo Status of This Memo
skipping to change at page 1, line 39 skipping to change at page 1, line 39
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on January 1, 2018. This Internet-Draft will expire on February 9, 2018.
Copyright Notice Copyright Notice
Copyright (c) 2017 IETF Trust and the persons identified as the Copyright (c) 2017 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License. described in the Simplified BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
1.1. ARIA . . . . . . . . . . . . . . . . . . . . . . . . . . 3 1.1. ARIA . . . . . . . . . . . . . . . . . . . . . . . . . . 2
1.2. Terminology . . . . . . . . . . . . . . . . . . . . . . . 3 1.2. Terminology . . . . . . . . . . . . . . . . . . . . . . . 3
2. Cryptographic Transforms . . . . . . . . . . . . . . . . . . 3 2. Cryptographic Transforms . . . . . . . . . . . . . . . . . . 3
2.1. ARIA-CTR . . . . . . . . . . . . . . . . . . . . . . . . 3 2.1. ARIA-CTR . . . . . . . . . . . . . . . . . . . . . . . . 3
2.2. ARIA-GCM . . . . . . . . . . . . . . . . . . . . . . . . 4 2.2. ARIA-GCM . . . . . . . . . . . . . . . . . . . . . . . . 3
3. Key Derivation Functions . . . . . . . . . . . . . . . . . . 4 3. Key Derivation Functions . . . . . . . . . . . . . . . . . . 4
4. Protection Profiles . . . . . . . . . . . . . . . . . . . . . 4 4. Protection Profiles . . . . . . . . . . . . . . . . . . . . . 4
5. Security Considerations . . . . . . . . . . . . . . . . . . . 8 5. Security Considerations . . . . . . . . . . . . . . . . . . . 7
6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 8 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 7
6.1. DTLS-SRTP . . . . . . . . . . . . . . . . . . . . . . . . 8 6.1. DTLS-SRTP . . . . . . . . . . . . . . . . . . . . . . . . 7
6.2. MIKEY . . . . . . . . . . . . . . . . . . . . . . . . . . 8 6.2. MIKEY . . . . . . . . . . . . . . . . . . . . . . . . . . 8
7. References . . . . . . . . . . . . . . . . . . . . . . . . . 9 7. References . . . . . . . . . . . . . . . . . . . . . . . . . 8
7.1. Normative References . . . . . . . . . . . . . . . . . . 9 7.1. Normative References . . . . . . . . . . . . . . . . . . 8
7.2. Informative References . . . . . . . . . . . . . . . . . 10 7.2. Informative References . . . . . . . . . . . . . . . . . 10
Appendix A. Test Vectors . . . . . . . . . . . . . . . . . . . . 12 Appendix A. Test Vectors . . . . . . . . . . . . . . . . . . . . 11
A.1. ARIA-CTR Test Vectors . . . . . . . . . . . . . . . . . . 12 A.1. ARIA-CTR Test Vectors . . . . . . . . . . . . . . . . . . 11
A.1.1. SRTP_ARIA_128_CTR_HMAC_SHA1_80 . . . . . . . . . . . 12 A.1.1. SRTP_ARIA_128_CTR_HMAC_SHA1_80 . . . . . . . . . . . 11
A.1.2. SRTP_ARIA_192_CTR_HMAC_SHA1_80 . . . . . . . . . . . 13 A.1.2. SRTP_ARIA_256_CTR_HMAC_SHA1_80 . . . . . . . . . . . 12
A.1.3. SRTP_ARIA_256_CTR_HMAC_SHA1_80 . . . . . . . . . . . 14 A.2. ARIA-GCM Test Vectors . . . . . . . . . . . . . . . . . . 13
A.2. ARIA-GCM Test Vectors . . . . . . . . . . . . . . . . . . 15 A.2.1. SRTP_AEAD_ARIA_128_GCM . . . . . . . . . . . . . . . 14
A.2.1. SRTP_AEAD_ARIA_128_GCM . . . . . . . . . . . . . . . 16 A.2.2. SRTP_AEAD_ARIA_256_GCM . . . . . . . . . . . . . . . 14
A.2.2. SRTP_AEAD_ARIA_256_GCM . . . . . . . . . . . . . . . 16 A.3. Key Derivation Test Vector . . . . . . . . . . . . . . . 15
A.3. Key Derivation Test Vector . . . . . . . . . . . . . . . 17 A.3.1. ARIA_128_CTR_PRF . . . . . . . . . . . . . . . . . . 15
A.3.1. ARIA_128_CTR_PRF . . . . . . . . . . . . . . . . . . 17 A.3.2. ARIA_256_CTR_PRF . . . . . . . . . . . . . . . . . . 16
A.3.2. ARIA_192_CTR_PRF . . . . . . . . . . . . . . . . . . 18 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 18
A.3.3. ARIA_256_CTR_PRF . . . . . . . . . . . . . . . . . . 20
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 21
1. Introduction 1. Introduction
This document defines the use of the ARIA [RFC5794] block cipher This document defines the use of the ARIA [RFC5794] block cipher
algorithm in the Secure Real-time Transport Protocol (SRTP) [RFC3711] algorithm in the Secure Real-time Transport Protocol (SRTP) [RFC3711]
for providing confidentiality for the Real-time Transport Protocol for providing confidentiality for the Real-time Transport Protocol
(RTP) [RFC3550] traffic and for the RTP Control Protocol (RTCP) (RTP) [RFC3550] traffic and for the RTP Control Protocol (RTCP)
[RFC3550] traffic. [RFC3550] traffic.
1.1. ARIA 1.1. ARIA
skipping to change at page 3, line 37 skipping to change at page 3, line 31
mode, key size, and block size. ARIA does not have any restrictions mode, key size, and block size. ARIA does not have any restrictions
for modes of operation that are used with this block cipher. We for modes of operation that are used with this block cipher. We
define two modes of running ARIA within the SRTP protocol, (1) ARIA define two modes of running ARIA within the SRTP protocol, (1) ARIA
in Counter Mode (ARIA-CTR) and (2) ARIA in Galois/Counter Mode (ARIA- in Counter Mode (ARIA-CTR) and (2) ARIA in Galois/Counter Mode (ARIA-
GCM). GCM).
2.1. ARIA-CTR 2.1. ARIA-CTR
Section 4.1.1 of [RFC3711] defines AES-128 counter mode encryption, Section 4.1.1 of [RFC3711] defines AES-128 counter mode encryption,
which it refers to as "AES_CM". Section 2 of [RFC6188] defines which it refers to as "AES_CM". Section 2 of [RFC6188] defines
"AES_192_CM" and "AES_256_CM" in SRTP. ARIA counter modes are "AES_256_CM" in SRTP. ARIA counter modes are defined in the same
defined in the same manner except that each invocation of AES is manner except that each invocation of AES is replaced by that of ARIA
replaced by that of ARIA [RFC5794], and are denoted by ARIA_128_CTR, [RFC5794], and are denoted by ARIA_128_CTR and ARIA_256_CTR,
ARIA_192_CTR, and ARIA_256_CTR, respectively, according to the key respectively, according to the key lengths. The plaintext inputs to
lengths. The plaintext inputs to the block cipher are formed as in the block cipher are formed as in AES-CTR(AES_CM, AES_256_CM) and the
AES-CTR(AES_CM, AES_192_CM, AES_256_CM) and the block cipher outputs block cipher outputs are processed as in AES-CTR. Note that, ARIA-
are processed as in AES-CTR. Note that, ARIA-CTR MUST be used only CTR MUST be used only in conjunction with an authentication
in conjunction with an authentication transform. transform.
Section 3.2 of [RFC6904] defines AES-CTR for SRTP header extension Section 3.2 of [RFC6904] defines AES-CTR for SRTP header extension
keystream generation. When ARIA-CTR is used, the header extension keystream generation. When ARIA-CTR is used, the header extension
keystream SHALL be generated in the same manner except that each keystream SHALL be generated in the same manner except that each
invocation of AES is replaced by that of ARIA [RFC5794]. invocation of AES is replaced by that of ARIA [RFC5794].
2.2. ARIA-GCM 2.2. ARIA-GCM
GCM (Galois Counter Mode) [GCM][RFC5116] is an AEAD (Authenticated GCM (Galois Counter Mode) [GCM][RFC5116] is an AEAD (Authenticated
Encryption with Associated Data) block cipher mode. A detailed Encryption with Associated Data) block cipher mode. A detailed
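Review bot: The Section 2.1 rewrite (left column cites both AES_192_CM and AES_256_CM from [RFC6188], right column only AES_256_CM) is still accurate, since RFC 6188 does define AES_256_CM, but nothing in this revision says why every 192-bit ARIA variant was dropped. One sentence in Section 1 or here stating that this document specifies ARIA only with 128- and 256-bit keys would keep implementers from reading the omission as an oversight, especially since [RFC5794] itself supports 192-bit keys. The retained requirement that ARIA-CTR MUST be used only with an authentication transform is the right constraint to keep: counter mode provides no integrity, and an unauthenticated keystream cipher lets an on-path attacker flip plaintext bits at will.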
skipping to change at page 4, line 24 skipping to change at page 4, line 17
same as that of AES-GCM except that each invocation of AES is same as that of AES-GCM except that each invocation of AES is
replaced by ARIA [RFC5794]. When encryption of header extensions replaced by ARIA [RFC5794]. When encryption of header extensions
[RFC6904] is in use, a separate keystream to encrypt selected RTP [RFC6904] is in use, a separate keystream to encrypt selected RTP
header extension elements MUST be generated in the same manner header extension elements MUST be generated in the same manner
defined in [RFC7714] except that AES-CTR is replaced by ARIA-CTR. defined in [RFC7714] except that AES-CTR is replaced by ARIA-CTR.
3. Key Derivation Functions 3. Key Derivation Functions
Section 4.3.3 of [RFC3711] defines the AES-128 counter mode key Section 4.3.3 of [RFC3711] defines the AES-128 counter mode key
derivation function, which it refers to as "AES-CM PRF". Section 3 derivation function, which it refers to as "AES-CM PRF". Section 3
of [RFC6188] defines the AES-192 counter mode key derivation function of [RFC6188] defines the AES-256 counter mode key derivation
and the AES-256 counter mode key derivation function, which it refers function, which it refers to as "AES_256_CM_PRF". The ARIA-CTR PRF
to as "AES_192_CM_PRF" and "AES_256_CM_PRF" respectively. The ARIA- is defined in a same manner except that each invocation of AES is
CTR PRF is defined in a same manner except that each invocation of replaced by that of ARIA. According to the key lengths of underlying
AES is replaced by that of ARIA. According to the key lengths of encryption algorithm, ARIA-CTR PRFs are denoted by "ARIA_128_CTR_PRF"
underlying encryption algorithm, ARIA-CTR PRFs are denoted by and "ARIA_256_CTR_PRF". The usage requirements of [RFC6188][RFC7714]
"ARIA_128_CTR_PRF", "ARIA_192_CTR_PRF" and "ARIA_256_CTR_PRF". The regarding the AES-CM PRF apply to the ARIA-CTR PRF as well.
usage requirements of [RFC6188][RFC7714] regarding the AES-CM PRF
apply to the ARIA-CTR PRF as well.
4. Protection Profiles 4. Protection Profiles
This section defines SRTP Protection Profiles that use the ARIA This section defines SRTP Protection Profiles that use the ARIA
transforms and key derivation functions defined in this document. transforms and key derivation functions defined in this document.
The following list indicates the SRTP transform parameters for each The following list indicates the SRTP transform parameters for each
protection profile. Those are described for use with DTLS-SRTP protection profile. Those are described for use with DTLS-SRTP
[RFC5764]. [RFC5764].
The parameters cipher_key_length, cipher_salt_length, The parameters cipher_key_length, cipher_salt_length,
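Review bot: Section 3 says the ARIA-CTR PRF "is defined in a same manner" (in both columns); it should read "in the same manner". More importantly, this section never states which ARIA key length the PRF uses. That rule (the PRF key length equals the cipher key length of the profile) appears only in Section 4, so either move it here or add a one-line forward reference, so that someone implementing only the KDF does not have to discover it from the profile list.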
skipping to change at page 5, line 24 skipping to change at page 5, line 15
cipher_key_length: 128 bits cipher_key_length: 128 bits
cipher_salt_length: 112 bits cipher_salt_length: 112 bits
key derivation function: ARIA_128_CTR_PRF key derivation function: ARIA_128_CTR_PRF
auth_function: HMAC-SHA1 auth_function: HMAC-SHA1
auth_key_length: 160 bits auth_key_length: 160 bits
SRTP auth_tag_length: 32 bits SRTP auth_tag_length: 32 bits
SRTCP auth_tag_length: 80 bits SRTCP auth_tag_length: 80 bits
maximum_lifetime: at most 2^31 SRTCP packets and maximum_lifetime: at most 2^31 SRTCP packets and
at most 2^48 SRTP packets at most 2^48 SRTP packets
SRTP_ARIA_192_CTR_HMAC_SHA1_80
cipher: ARIA_192_CTR
cipher_key_length: 192 bits
cipher_salt_length: 112 bits
key derivation function: ARIA_192_CTR_PRF
auth_function: HMAC-SHA1
auth_key_length: 160 bits
auth_tag_length: 80 bits
maximum_lifetime: at most 2^31 SRTCP packets and
at most 2^48 SRTP packets
SRTP_ARIA_192_CTR_HMAC_SHA1_32
cipher: ARIA_192_CTR
cipher_key_length: 192 bits
cipher_salt_length: 112 bits
key derivation function: ARIA_192_CTR_PRF
auth_function: HMAC-SHA1
auth_key_length: 160 bits
SRTP auth_tag_length: 32 bits
SRTCP auth_tag_length: 80 bits
maximum_lifetime: at most 2^31 SRTCP packets and
at most 2^48 SRTP packets
SRTP_ARIA_256_CTR_HMAC_SHA1_80 SRTP_ARIA_256_CTR_HMAC_SHA1_80
cipher: ARIA_256_CTR cipher: ARIA_256_CTR
cipher_key_length: 256 bits cipher_key_length: 256 bits
cipher_salt_length: 112 bits cipher_salt_length: 112 bits
key derivation function: ARIA_256_CTR_PRF key derivation function: ARIA_256_CTR_PRF
auth_function: HMAC-SHA1 auth_function: HMAC-SHA1
auth_key_length: 160 bits auth_key_length: 160 bits
auth_tag_length: 80 bits auth_tag_length: 80 bits
maximum_lifetime: at most 2^31 SRTCP packets and maximum_lifetime: at most 2^31 SRTCP packets and
at most 2^48 SRTP packets at most 2^48 SRTP packets
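Review bot: In the profile list, the _32 profiles give separate "SRTP auth_tag_length: 32 bits" and "SRTCP auth_tag_length: 80 bits" lines, while the _80 profiles give a single "auth_tag_length: 80 bits". Using the two-line form for every profile (as the _32 entries already do) makes it explicit that the truncated tag applies to SRTP only and that SRTCP always keeps the 80-bit tag, which is exactly the property the short-tag caveat in Section 5 relies on.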
skipping to change at page 7, line 13 skipping to change at page 6, line 29
specify an auth_function, auth_key_length, or auth_tag_length, since specify an auth_function, auth_key_length, or auth_tag_length, since
they do not use a separate auth_function, auth_key, or auth_tag. The they do not use a separate auth_function, auth_key, or auth_tag. The
term aead_auth_tag_length is used to emphasize that this refers to term aead_auth_tag_length is used to emphasize that this refers to
the authentication tag provided by the AEAD algorithm and that this the authentication tag provided by the AEAD algorithm and that this
tag is not located in the authentication tag field provided by SRTP/ tag is not located in the authentication tag field provided by SRTP/
SRTCP. SRTCP.
The PRFs for ARIA protection profiles are defined by ARIA-CTR PRF of The PRFs for ARIA protection profiles are defined by ARIA-CTR PRF of
the equal key length with the encryption algorithm (see Section 2). the equal key length with the encryption algorithm (see Section 2).
SRTP_ARIA_128_CTR_HMAC and SRTP_AEAD_ARIA_128_GCM MUST use the SRTP_ARIA_128_CTR_HMAC and SRTP_AEAD_ARIA_128_GCM MUST use the
ARIA_128_CTR_PRF Key Derivation Function. SRTP_ARIA_192_CTR_HMAC ARIA_128_CTR_PRF Key Derivation Function. And SRTP_ARIA_256_CTR_HMAC
MUST use the ARIA_192_CTR_PRF Key Derivation Function. And and SRTP_AEAD_ARIA_256_GCM MUST use the ARIA_256_CTR_PRF Key
SRTP_ARIA_256_CTR_HMAC and SRTP_AEAD_ARIA_256_GCM MUST use the Derivation Function.
ARIA_256_CTR_PRF Key Derivation Function.
MIKEY specifies the SRTP protection profile definition separately MIKEY specifies the SRTP protection profile definition separately
from the key length (which is specified by the Session Encryption key from the key length (which is specified by the Session Encryption key
length) and the authentication tag length. The DTLS-SRTP [RFC5764] length) and the authentication tag length. The DTLS-SRTP [RFC5764]
protection profiles are mapped to MIKEY parameter sets as shown protection profiles are mapped to MIKEY parameter sets as shown
below. below.
+--------------------------------------+ +--------------------------------------+
| Encryption | Encryption | Auth. | | Encryption | Encryption | Auth. |
| Algorithm | Key Length | Tag Length | | Algorithm | Key Length | Tag Length |
+======================================+ +======================================+
SRTP_ARIA_128_CTR_HMAC_80 | ARIA-CTR | 16 octets | 10 octets | SRTP_ARIA_128_CTR_HMAC_80 | ARIA-CTR | 16 octets | 10 octets |
SRTP_ARIA_128_CTR_HMAC_32 | ARIA-CTR | 16 octets | 4 octets | SRTP_ARIA_128_CTR_HMAC_32 | ARIA-CTR | 16 octets | 4 octets |
SRTP_ARIA_192_CTR_HMAC_80 | ARIA-CTR | 24 octets | 10 octets |
SRTP_ARIA_192_CTR_HMAC_32 | ARIA-CTR | 24 octets | 4 octets |
SRTP_ARIA_256_CTR_HMAC_80 | ARIA-CTR | 32 octets | 10 octets | SRTP_ARIA_256_CTR_HMAC_80 | ARIA-CTR | 32 octets | 10 octets |
SRTP_ARIA_256_CTR_HMAC_32 | ARIA-CTR | 32 octets | 4 octets | SRTP_ARIA_256_CTR_HMAC_32 | ARIA-CTR | 32 octets | 4 octets |
+======================================+ +======================================+
Figure 1: Mapping MIKEY parameters to ARIA-CTR with HMAC algorithm Figure 1: Mapping MIKEY parameters to ARIA-CTR with HMAC algorithm
+--------------------------------------+ +--------------------------------------+
| Encryption | Encryption | AEAD Auth. | | Encryption | Encryption | AEAD Auth. |
| Algorithm | Key Length | Tag Length | | Algorithm | Key Length | Tag Length |
+======================================+ +======================================+
SRTP_AEAD_ARIA_128_GCM | ARIA-GCM | 16 octets | 16 octets | SRTP_AEAD_ARIA_128_GCM | ARIA-GCM | 16 octets | 16 octets |
SRTP_AEAD_ARIA_256_GCM | ARIA-GCM | 32 octets | 16 octets | SRTP_AEAD_ARIA_256_GCM | ARIA-GCM | 32 octets | 16 octets |
+======================================+ +======================================+
Figure 2: Mapping MIKEY parameters to AEAD algorithm Figure 2: Mapping MIKEY parameters to AEAD algorithm
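Review bot: The PRF-assignment paragraph in this block names the suites "SRTP_ARIA_128_CTR_HMAC" and "SRTP_ARIA_256_CTR_HMAC", Figure 1 uses "SRTP_ARIA_128_CTR_HMAC_80", and Section 4 and Section 6.1 register "SRTP_ARIA_128_CTR_HMAC_SHA1_80"; three spellings for one suite invite mismatches in the IANA registration and in implementations that match on the profile string. Use the registered SRTP_ARIA_{128,256}_CTR_HMAC_SHA1_{80,32} form throughout, including in the MIKEY mapping table. The same paragraph says the PRF has "the equal key length with the encryption algorithm (see Section 2)"; the PRFs are defined in Section 3, so the cross-reference should point there, and "of the equal key length with" should read "with the same key length as". Minor: the sentence beginning "And SRTP_ARIA_256_CTR_HMAC" should be joined to the one before it.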
skipping to change at page 8, line 7 skipping to change at page 7, line 16
| Algorithm | Key Length | Tag Length | | Algorithm | Key Length | Tag Length |
+======================================+ +======================================+
SRTP_AEAD_ARIA_128_GCM | ARIA-GCM | 16 octets | 16 octets | SRTP_AEAD_ARIA_128_GCM | ARIA-GCM | 16 octets | 16 octets |
SRTP_AEAD_ARIA_256_GCM | ARIA-GCM | 32 octets | 16 octets | SRTP_AEAD_ARIA_256_GCM | ARIA-GCM | 32 octets | 16 octets |
+======================================+ +======================================+
Figure 2: Mapping MIKEY parameters to AEAD algorithm Figure 2: Mapping MIKEY parameters to AEAD algorithm
5. Security Considerations 5. Security Considerations
At the time of writing this document no security problem has been At the time of publication of this document no security problem has
found on ARIA. Previous security analysis results are summarized in been found on ARIA. Previous security analysis results are
[ATY]. summarized in [ATY].
The security considerations in [GCM] [RFC3711] [RFC5116] [RFC6188] The security considerations in [GCM] [RFC3711] [RFC5116] [RFC6188]
[RFC6904] [RFC7714] apply to this document as well. Protection [RFC6904] [RFC7714] apply to this document as well. This document
profiles with short tag length may be considered for specific includes crypto suites with authentication tags of length less than
application environments stated in Section 7.5 of [RFC3711], but the 80 bits. These suites MAY be used for certain application contexts
risk of weak authentication described in Section 9.5.1 of [RFC3711] where longer authentication tags may be undesirable, for example,
should be taken into account. those mentioned in [RFC3711] section 7.5. Otherwise, short
authentication tags SHOULD NOT be used, since may reduce
authentication strength. See [RFC3711] section 9.5 for a discussion
of risks related to weak authentication in SRTP.
At the time of publication of this document, SRTP recommends HMAC-
SHA1 as the default and mandatory-to-implement MAC algorithm. All
currently registered SRTP crypto suites except the GCM based ones use
HMAC-SHA1 as their HMAC algorithm to provide message authentication.
Due to security concerns with SHA-1 [RFC6194], the IETF is gradually
moving away from SHA-1 and towards stronger hash algorithms such as
SHA-2 or SHA-3 families. For SRTP, however, SHA-1 is only used in
the calculation of an HMAC, and no security issue is known for this
usage at the time of this publication.
6. IANA Considerations 6. IANA Considerations
6.1. DTLS-SRTP 6.1. DTLS-SRTP
DTLS-SRTP [RFC5764] defines a DTLS-SRTP "SRTP Protection Profile". DTLS-SRTP [RFC5764] defines a DTLS-SRTP "SRTP Protection Profile".
In order to allow the use of the algorithms defined in this document In order to allow the use of the algorithms defined in this document
in DTLS-SRTP, IANA is requested to add the protection profiles below in DTLS-SRTP, IANA is requested to add the protection profiles below
to the "DTLS-SRTP Protection Profiles" created by [RFC5764], located to the "DTLS-SRTP Protection Profiles" created by [RFC5764], located
on the following IANA page at time of writing: on the following IANA page at time of writing:
http://www.iana.org/assignments/srtp-protection/. http://www.iana.org/assignments/srtp-protection/.
SRTP_ARIA_128_CTR_HMAC_SHA1_80 = {TBD,TBD} SRTP_ARIA_128_CTR_HMAC_SHA1_80 = {TBD,TBD}
SRTP_ARIA_128_CTR_HMAC_SHA1_32 = {TBD,TBD} SRTP_ARIA_128_CTR_HMAC_SHA1_32 = {TBD,TBD}
SRTP_ARIA_192_CTR_HMAC_SHA1_80 = {TBD,TBD}
SRTP_ARIA_192_CTR_HMAC_SHA1_32 = {TBD,TBD}
SRTP_ARIA_256_CTR_HMAC_SHA1_80 = {TBD,TBD} SRTP_ARIA_256_CTR_HMAC_SHA1_80 = {TBD,TBD}
SRTP_ARIA_256_CTR_HMAC_SHA1_32 = {TBD,TBD} SRTP_ARIA_256_CTR_HMAC_SHA1_32 = {TBD,TBD}
SRTP_AEAD_ARIA_128_GCM = {TBD,TBD} SRTP_AEAD_ARIA_128_GCM = {TBD,TBD}
SRTP_AEAD_ARIA_256_GCM = {TBD,TBD} SRTP_AEAD_ARIA_256_GCM = {TBD,TBD}
6.2. MIKEY 6.2. MIKEY
[RFC3830] and [RFC5748] define encryption algorithms and PRFs for the [RFC3830] and [RFC5748] define encryption algorithms and PRFs for the
SRTP policy in MIKEY. In order to allow the use of the algorithms SRTP policy in MIKEY. In order to allow the use of the algorithms
defined in this document in MIKEY, IANA is requested to add the two defined in this document in MIKEY, IANA is requested to add the two
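Review bot: In the new Section 5 text, "short authentication tags SHOULD NOT be used, since may reduce authentication strength" is missing its subject; it should read "since they reduce authentication strength". The added HMAC-SHA1 paragraph is technically sound: the known SHA-1 weaknesses are collision attacks, which do not undermine HMAC's security argument, and [RFC6194] reaches essentially the same conclusion for HMAC-SHA-1, so cite it for that specific point rather than only for the general concern. The sentence "All currently registered SRTP crypto suites except the GCM based ones use HMAC-SHA1" is a statement about the IANA registries that has to be re-checked at publication time; "the non-AEAD suites" is a safer wording that stays true as the registries grow. Section 6.1 now requests only the 128- and 256-bit profiles; since the 192-bit entries were never allocated, no deregistration text is needed, but the shepherd write-up should say so.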
skipping to change at page 12, line 5 skipping to change at page 10, line 31
linear cryptanalysis of round-reduced ARIA", Information linear cryptanalysis of round-reduced ARIA", Information
Security - ISC 2016, Lecture Notes in Computer Science Security - ISC 2016, Lecture Notes in Computer Science
(LNCS) Vol. 9866, pp. 18-34, September 2016. (LNCS) Vol. 9866, pp. 18-34, September 2016.
[RFC5748] Yoon, S., Jeong, J., Kim, H., Jeong, H., and Y. Won, "IANA [RFC5748] Yoon, S., Jeong, J., Kim, H., Jeong, H., and Y. Won, "IANA
Registry Update for Support of the SEED Cipher Algorithm Registry Update for Support of the SEED Cipher Algorithm
in Multimedia Internet KEYing (MIKEY)", RFC 5748, in Multimedia Internet KEYing (MIKEY)", RFC 5748,
DOI 10.17487/RFC5748, August 2010, DOI 10.17487/RFC5748, August 2010,
<http://www.rfc-editor.org/info/rfc5748>. <http://www.rfc-editor.org/info/rfc5748>.
[RFC6194] Polk, T., Chen, L., Turner, S., and P. Hoffman, "Security
Considerations for the SHA-0 and SHA-1 Message-Digest
Algorithms", RFC 6194, DOI 10.17487/RFC6194, March 2011,
<http://www.rfc-editor.org/info/rfc6194>.
Appendix A. Test Vectors Appendix A. Test Vectors
All values are in hexadecimal and represented by the network order All values are in hexadecimal and represented by the network order
(called big endian). (called big endian).
A.1. ARIA-CTR Test Vectors A.1. ARIA-CTR Test Vectors
Common values are organized as follows: Common values are organized as follows:
Rollover Counter: 00000000 Rollover Counter: 00000000
skipping to change at page 13, line 32 skipping to change at page 12, line 32
fbad87888820b86037311fa44330e18a fbad87888820b86037311fa44330e18a
59a1e1338ba2c21458493a57463475c5 59a1e1338ba2c21458493a57463475c5
4691f91cec785429119e0dfcd9048f90 4691f91cec785429119e0dfcd9048f90
e07fecd50b528e8c62ee6e71445de5d7 e07fecd50b528e8c62ee6e71445de5d7
f659405135aff3604c2ca4ff4aaca408 f659405135aff3604c2ca4ff4aaca408
09cb9eee42cc4ad23230757081ca289f 09cb9eee42cc4ad23230757081ca289f
2851d3315e9568b501fdce6d00000000 2851d3315e9568b501fdce6d00000000
Authentication Tag: f9de4e729054672b0e35 Authentication Tag: f9de4e729054672b0e35
A.1.2. SRTP_ARIA_192_CTR_HMAC_SHA1_80 A.1.2. SRTP_ARIA_256_CTR_HMAC_SHA1_80
Session Key: 0c5ffd37a11edc42c325287fc0604f2e
3e8cd5671a00fe32
Encrypted RTP Payload: 86f4556486642caa67e9b40fef2acda0
6d442517d8d58c15e3e0b5c13a78b8b2
838b7b96961e11acb2af81348272888c
fd9d168ba091fe3e4f7f83c7871570a9
aa9f995036e44c35cb742b601e8d8d08
48320bad732929103f1bfbb1ae873178
0479c5df2d4d41f78f6b96d6832db3db
6af8b3612b27e18a0a29a8a1d280437e
b8dad58e78658ec3b069d7329431c356
c5e612b3dde5bd3f6c9f42f39cf35d3a
Authenticated portion || Rollover Counter:
8008315ebf2e6fe020e8f5eb86f45564
86642caa67e9b40fef2acda06d442517
d8d58c15e3e0b5c13a78b8b2838b7b96
961e11acb2af81348272888cfd9d168b
a091fe3e4f7f83c7871570a9aa9f9950
36e44c35cb742b601e8d8d0848320bad
732929103f1bfbb1ae8731780479c5df
2d4d41f78f6b96d6832db3db6af8b361
2b27e18a0a29a8a1d280437eb8dad58e
78658ec3b069d7329431c356c5e612b3
dde5bd3f6c9f42f39cf35d3a00000000
Authentication Tag: 3935fa37ee96dbc550d5
A.1.3. SRTP_ARIA_256_CTR_HMAC_SHA1_80
Session Key: 0c5ffd37a11edc42c325287fc0604f2e Session Key: 0c5ffd37a11edc42c325287fc0604f2e
3e8cd5671a00fe3216aa5eb105783b54 3e8cd5671a00fe3216aa5eb105783b54
Encrypted RTP Payload: c424c59fd5696305e5b13d8e8ca76566 Encrypted RTP Payload: c424c59fd5696305e5b13d8e8ca76566
17ccd7471088af9debf07b55c750f804 17ccd7471088af9debf07b55c750f804
a5ac2b737be48140958a9b420524112a a5ac2b737be48140958a9b420524112a
e72e4da5bca59d2b1019ddd7dbdc30b4 e72e4da5bca59d2b1019ddd7dbdc30b4
3d5f046152ced40947d62d2c93e7b8e5 3d5f046152ced40947d62d2c93e7b8e5
0f02db2b6b61b010e4c1566884de1fa9 0f02db2b6b61b010e4c1566884de1fa9
702cdf8157e8aedfe3dd77c76bb50c25 702cdf8157e8aedfe3dd77c76bb50c25
skipping to change at page 18, line 40 skipping to change at page 16, line 40
auth key ARIA input blocks auth key ARIA input blocks
d021877bd3eaf92d581ed70ddc050e03 0ec675ad498afeeab6960b3aabe60000 d021877bd3eaf92d581ed70ddc050e03 0ec675ad498afeeab6960b3aabe60000
f11257032676f2a29f57b21abd3a1423 0ec675ad498afeeab6960b3aabe60001 f11257032676f2a29f57b21abd3a1423 0ec675ad498afeeab6960b3aabe60001
769749bdc5dd9ca5b43ca6b6c1f3a7de 0ec675ad498afeeab6960b3aabe60002 769749bdc5dd9ca5b43ca6b6c1f3a7de 0ec675ad498afeeab6960b3aabe60002
4047904bcf811f601cc03eaa5d7af6db 0ec675ad498afeeab6960b3aabe60003 4047904bcf811f601cc03eaa5d7af6db 0ec675ad498afeeab6960b3aabe60003
9f88efa2e51ca832fc2a15b126fa7be2 0ec675ad498afeeab6960b3aabe60004 9f88efa2e51ca832fc2a15b126fa7be2 0ec675ad498afeeab6960b3aabe60004
469af896acb1852c31d822c45799 0ec675ad498afeeab6960b3aabe60005 469af896acb1852c31d822c45799 0ec675ad498afeeab6960b3aabe60005
A.3.2. ARIA_192_CTR_PRF A.3.2. ARIA_256_CTR_PRF
The inputs to the key derivation function are the 24 octet master key
and the 14 octet master salt:
master key: 0c5ffd37a11edc42c325287fc0604f2e3e8cd5671a00fe32
master salt: 0ec675ad498afeebb6960b3aabe6
index DIV kdr: 000000000000
label: 00
master salt: 0ec675ad498afeebb6960b3aabe6
-----------------------------------------------
xor: 0ec675ad498afeebb6960b3aabe6 (x, PRF input)
x*2^16: 0ec675ad498afeebb6960b3aabe60000 (ARIA-CTR input)
cipher key: f320af2386a1cde64c3aa5f55d68002e (ARIA-CTR 1st output)
d13cbe548b627649 (ARIA-CTR 2nd Output)
ARIA-CTR protection profile requires a 14 octet cipher salt.
index DIV kdr: 000000000000
label: 02
master salt: 0ec675ad498afeebb6960b3aabe6
----------------------------------------------
xor: 0ec675ad498afee9b6960b3aabe6 (x, PRF input)
x*2^16: 0ec675ad498afee9b6960b3aabe60000 (ARIA-CTR input)
55c7e3555baf0fdc91c589cfb871b098 (ARIA-CTR output)
cipher salt: 55c7e3555baf0fdc91c589cfb871 (ARIA-CTR profile)
index DIV kdr: 000000000000
label: 01
master salt: 0ec675ad498afeebb6960b3aabe6
-----------------------------------------------
xor: 0ec675ad498afeeab6960b3aabe6 (x, PRF input)
x*2^16: 0ec675ad498afeeab6960b3aabe60000 (ARIA-CTR input)
Below, the auth key is shown on the left, while the corresponding
ARIA input blocks are shown on the right.
auth key ARIA input blocks
116902524517f7e767a979ad7678d53a 0ec675ad498afeeab6960b3aabe60000
8cae05a5c9a315d1304f634c81a06617 0ec675ad498afeeab6960b3aabe60001
31fe099d4dcd2202421fe01fc12c65ad 0ec675ad498afeeab6960b3aabe60002
009e920031654855af5d9e820a7831e0 0ec675ad498afeeab6960b3aabe60003
bc2b4744d2a33053eb685138252f2d82 0ec675ad498afeeab6960b3aabe60004
9a89f4a9aa4f97fde0cce9bad3d5 0ec675ad498afeeab6960b3aabe60005
A.3.3. ARIA_256_CTR_PRF
The inputs to the key derivation function are the 32 octet master key The inputs to the key derivation function are the 32 octet master key
and the 14 octet master salt: and the 14 octet master salt:
master key: 0c5ffd37a11edc42c325287fc0604f2e master key: 0c5ffd37a11edc42c325287fc0604f2e
3e8cd5671a00fe3216aa5eb105783b54 3e8cd5671a00fe3216aa5eb105783b54
master salt: 0ec675ad498afeebb6960b3aabe6 master salt: 0ec675ad498afeebb6960b3aabe6
index DIV kdr: 000000000000 index DIV kdr: 000000000000
label: 00 label: 00
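Review bot: In Appendix A, the "Session Key" of A.1.2 (0c5ffd37...05783b54) is byte-for-byte the "master key" of A.3.2, yet A.3 derives a different cipher key from that master key (the removed 192-bit vectors in the left column show the same pattern: the A.1.2 session key equals the A.3.2 master key, while the derived cipher key there is f320af23...). State explicitly at the top of A.1 that the session key is used directly as the ARIA-CTR key and is not the output of the A.3 derivation, otherwise a tester who chains A.3 into A.1 will get a mismatch and suspect the vectors. Also, with the 192-bit vectors removed, A.1.3 became A.1.2 and A.3.3 became A.3.2; confirm that no text elsewhere in the draft still references the old appendix numbers.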
 End of changes. 21 change blocks. 
166 lines changed or deleted 68 lines changed or added

This html diff was produced by rfcdiff 1.45. The latest version is available from http://tools.ietf.org/tools/rfcdiff/