draft-ietf-avtcore-srtp-aes-gcm-12.txt   draft-ietf-avtcore-srtp-aes-gcm-13.txt 
Network Working Group D. McGrew Network Working Group D. McGrew
Internet Draft Cisco Systems, Inc. Internet Draft Cisco Systems, Inc.
Intended Status: Standards Track K. Igoe Intended Status: Standards Track K. Igoe
Expires: November 22, 2014 National Security Agency Expires: December 25, 2014 National Security Agency
May 21, 2014 June 23, 2014
AES-GCM and AES-CCM Authenticated Encryption in Secure RTP (SRTP) AES-GCM and AES-CCM Authenticated Encryption in Secure RTP (SRTP)
draft-ietf-avtcore-srtp-aes-gcm-12 draft-ietf-avtcore-srtp-aes-gcm-13
Status of this Memo Status of this Memo
This Internet-Draft is submitted to IETF in full conformance with the This Internet-Draft is submitted to IETF in full conformance with the
provisions of BCP 78 and BCP 79. provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current. Drafts is at http://datatracker.ietf.org/drafts/current.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on November 22, 2014. This Internet-Draft will expire on December 25, 2014.
Copyright Notice Copyright Notice
Copyright (c) 2014 IETF Trust and the persons identified as the Copyright (c) 2014 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 2, line 19 skipping to change at page 2, line 19
confidentiality and data authentication in the SRTP protocol. confidentiality and data authentication in the SRTP protocol.
Table of Contents Table of Contents
1. Introduction.....................................................3 1. Introduction.....................................................3
2. Conventions Used In This Document................................4 2. Conventions Used In This Document................................4
3. Overview of the SRTP/SRTCP AEAD security Architecture............4 3. Overview of the SRTP/SRTCP AEAD security Architecture............4
4. Terminology......................................................5 4. Terminology......................................................5
5. Generic AEAD Processing..........................................5 5. Generic AEAD Processing..........................................5
5.1. Types of Input Data.........................................5 5.1. Types of Input Data.........................................5
5.2. AEAD Invocation Inputs and Outputs..........................5 5.2. AEAD Invocation Inputs and Outputs..........................6
5.2.1. Encrypt Mode...........................................6 5.2.1. Encrypt Mode...........................................6
5.2.2. Decrypt Mode...........................................6 5.2.2. Decrypt Mode...........................................6
5.3. Handling of AEAD Authentication.............................7 5.3. Handling of AEAD Authentication.............................7
6. Counter Mode Encryption..........................................7 6. Counter Mode Encryption..........................................7
7. AEAD_AES_128_CCM_12 and AEAD_AES_256_CCM_12......................8 7. AEAD_AES_128_CCM_12 and AEAD_AES_256_CCM_12......................8
8. Unneeded SRTP/SRTCP Fields.......................................8 8. Unneeded SRTP/SRTCP Fields.......................................9
8.1. SRTP/SRTCP Authentication Field.............................9 8.1. SRTP/SRTCP Authentication Field.............................9
8.2. RTP Padding.................................................9 8.2. RTP Padding.................................................9
9. AES-GCM/CCM processing for SRTP..................................9 9. AES-GCM/CCM processing for SRTP.................................10
9.1. SRTP IV formation for AES-GCM and AES-CCM...................9 9.1. SRTP IV formation for AES-GCM and AES-CCM..................10
9.2. Data Types in SRTP Packets.................................10 9.2. Data Types in SRTP Packets.................................10
9.3. Handling Header Extensions.................................11 9.3. Handling Header Extensions.................................12
9.4. Prevention of SRTP IV Reuse................................12 9.4. Prevention of SRTP IV Reuse................................13
10. AES-GCM/CCM Processing of SRTCP Compound Packets...............13 10. AES-GCM/CCM Processing of SRTCP Compound Packets...............14
10.1. SRTCP IV formation for AES-GCM and AES-CCM................13 10.1. SRTCP IV formation for AES-GCM and AES-CCM................14
10.2. Data Types in Encrypted SRTCP Compound Packets............14 10.2. Data Types in Encrypted SRTCP Compound Packets............15
10.3. Data Types in Unencrypted SRTCP Compound Packets..........15 10.3. Data Types in Unencrypted SRTCP Compound Packets..........16
10.4. Prevention of SRTCP IV Reuse..............................16 10.4. Prevention of SRTCP IV Reuse..............................17
11. Constraints on AEAD for SRTP and SRTCP.........................16 11. Constraints on AEAD for SRTP and SRTCP.........................17
12. Key Derivation Functions.......................................17 12. Key Derivation Functions.......................................18
13. Summary of Algorithm Characteristics...........................17 13. Summary of Algorithm Characteristics...........................18
13.1. AES-GCM for SRTP/SRTCP....................................17 13.1. AES-GCM for SRTP/SRTCP....................................18
13.2. AES-CCM for SRTP/SRTCP....................................20 13.2. AES-CCM for SRTP/SRTCP....................................20
14. Security Considerations........................................22 14. Security Considerations........................................23
14.1. Handling of Security Critical Parameters..................23 14.1. Handling of Security Critical Parameters..................23
14.2. Size of the Authentication Tag............................23 14.2. Size of the Authentication Tag............................24
15. IANA Considerations............................................24 15. IANA Considerations............................................25
15.1. SDES......................................................25 15.1. SDES......................................................25
15.2. DTLS......................................................25 15.2. DTLS......................................................26
15.3. MIKEY.....................................................28 15.3. MIKEY.....................................................29
15.4. AEAD registry.............................................29 15.4. AEAD registry.............................................29
16. Parameters for use with MIKEY..................................29 16. Parameters for use with MIKEY..................................29
17. Acknowledgements...............................................30 17. Acknowledgements...............................................30
18. References.....................................................31 18. References.....................................................31
18.1. Normative References......................................31 18.1. Normative References......................................31
18.2. Informative References....................................32 18.2. Informative References....................................32
1. Introduction 1. Introduction
The Secure Real-time Transport Protocol (SRTP) [RFC3711] is a profile The Secure Real-time Transport Protocol (SRTP) [RFC3711] is a profile
skipping to change at page 3, line 35 skipping to change at page 3, line 35
provides a high level of security, and can accept different key provides a high level of security, and can accept different key
sizes. Two families of AEAD algorithm families, AES Galois/Counter sizes. Two families of AEAD algorithm families, AES Galois/Counter
Mode (AES-GCM) [GCM] and AES Counter with Cipher Block Mode (AES-GCM) [GCM] and AES Counter with Cipher Block
Chaining-Message Authentication Code (AES-CCM) [RFC3610] are based Chaining-Message Authentication Code (AES-CCM) [RFC3610] are based
upon AES. This specification makes use of the AES versions that use upon AES. This specification makes use of the AES versions that use
128-bit and 256-bit keys, which we call AES-128 and AES-256, 128-bit and 256-bit keys, which we call AES-128 and AES-256,
respectively. respectively.
Any AEAD algorithm provides an intrinsic authentication tag. In many Any AEAD algorithm provides an intrinsic authentication tag. In many
applications the authentication tag is truncated to less than full applications the authentication tag is truncated to less than full
length. This document only allows three values for the length of the length. When CCM is being used there are three allowed values for
authentication tag: the length of the authentication tags MUST be the length of the authentication tag. A CCM authentication tag MUST
either 8 octets, 12 octets, or 16 octets in length. As with the size be either 8 octets, 12 octets or 16 octets in length. But when GCM
of the key, the length of the authentication tag size is set when the is being used only two values are permitted. A GCM authentication
session is initiated and SHOULD NOT be altered. Thus each algorithm tag MUST be either 12 octets or 16 octets in length. Thus CCM will
AEAD will have a total of six configurations, reflecting the two have a total of six configurations, reflecting the two choices for
choices for key size (either 128 or 256 bits) and the three choices key size (either 128 or 256 bits) and the three choices for the
for the length of the authentication tag (either 8, 12 or 16 length of the CCM authentication tag (either 8, 12 or 16 octets), and
octets). GCM will have four configurations reflecting two choices for the key
size and two choices for the length of the GCM authentication tag
(either 12 or 16 octets). The key size and the length of the
authentication tag are set when the session is initiated and SHOULD
NOT be altered.
The Galois/Counter Mode of operation (GCM) and the Counter with The Galois/Counter Mode of operation (GCM) and the Counter with
Cipher Block Chaining-Message Authentication Code mode of operation Cipher Block Chaining-Message Authentication Code mode of operation
(CCM) are both AEAD modes of operation for block ciphers. Both use (CCM) are both AEAD modes of operation for block ciphers. Both use
counter mode to encrypt the data, an operation that can be counter mode to encrypt the data, an operation that can be
efficiently pipelined. Further, GCM authentication uses operations efficiently pipelined. Further, GCM authentication uses operations
that are particularly well suited to efficient implementation in that are particularly well suited to efficient implementation in
hardware, making it especially appealing for high-speed hardware, making it especially appealing for high-speed
implementations, or for implementations in an efficient and compact implementations, or for implementations in an efficient and compact
circuit. CCM is well suited for use in compact software circuit. CCM is well suited for use in compact software
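Review bot: The rewritten tag-length paragraph in the -13 column removes the 8-octet option for GCM while keeping it for CCM, but gives the reader of the Introduction no reason for the difference. A forward reference to the section that justifies it would help (the table of contents lists 14.2, "Size of the Authentication Tag", as a candidate). The unchanged sentence just above still reads "Two families of AEAD algorithm families"; it should be "Two families of AEAD algorithms".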
skipping to change at page 6, line 26 skipping to change at page 6, line 29
length(Plaintext)+tag_length length(Plaintext)+tag_length
(*) CCM mode requires tag length to be explicitly input to (*) CCM mode requires tag length to be explicitly input to
the algorithm, whereas with GCM, the tag is simply truncated. the algorithm, whereas with GCM, the tag is simply truncated.
For GCM, the algorithm choice determines the tag size. For GCM, the algorithm choice determines the tag size.
In both CCM and GCM, the algorithm negotiation selects what tag size In both CCM and GCM, the algorithm negotiation selects what tag size
is to be used. In GCM, the authentication tag is simply truncated to is to be used. In GCM, the authentication tag is simply truncated to
the appropriate length, but CCM requires that the tag length be an the appropriate length, but CCM requires that the tag length be an
explicitly input to the algorithm as the Tag_Size_Field. For the explicitly input to the algorithm as the Tag_Size_Field. For the
three tag lengths allowed in this document the corresponding three tag lengths allowed for CCM in this document the corresponding
Tag_Size_Flag values are as follows: Tag_Size_Flag values are as follows:
Tag Length | Tag_Size_Flag (hex) Tag Length | Tag_Size_Flag (hex)
----------------------------------- -----------------------------------
8 octets | 5A 8 octets | 5A
12 octets | 6A 12 octets | 6A
16 octets | 7A 16 octets | 7A
Once an SRTP/SRTCP session has been initiated the length of the tag Once an SRTP/SRTCP session has been initiated the length of the tag
is a fixed value and MUST NOT be altered. is a fixed value and MUST NOT be altered.
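Review bot: The paragraph introducing the flag table names the CCM input "Tag_Size_Field", while the very next line and the table header call it "Tag_Size_Flag". Both columns carry the mismatch, so -13 should settle on one name. The same sentence reads "be an explicitly input to the algorithm", which should be "be an explicit input to the algorithm".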
skipping to change at page 7, line 7 skipping to change at page 7, line 10
Tag_Size_Flag (CCM only*) One octet Tag_Size_Flag (CCM only*) One octet
Outputs Outputs
Plaintext Octet string, length = Plaintext Octet string, length =
length(Ciphertext)-tag_length length(Ciphertext)-tag_length
Validity_Flag Boolean, TRUE if valid, Validity_Flag Boolean, TRUE if valid,
FALSE otherwise FALSE otherwise
(*) For GCM, the algorithm choice determines the tag size. (*) For GCM, the algorithm choice determines the tag size.
As mentioned in section 5.2.1, only three tag lengths are supported As mentioned in section 5.2.1, in SRTP/SRTCP CCM supports three tag
for use in SRTP/SRTCP, namely 8 octets, 12 octets and 16 octets. lengths (8 octets, 12 octets and 16 octets) while GCM only supports
two tag sizes (12 octets and 16 octets).
5.3. Handling of AEAD Authentication 5.3. Handling of AEAD Authentication
AEAD requires that all incoming packets MUST pass AEAD authentication AEAD requires that all incoming packets MUST pass AEAD authentication
before any other action takes place. Plaintext and associated data before any other action takes place. Plaintext and associated data
MUST NOT be released until the AEAD authentication tag has been MUST NOT be released until the AEAD authentication tag has been
validated. Further the ciphertext MUST NOT be decrypted until the validated. Further the ciphertext MUST NOT be decrypted until the
AEAD tag has been validated. AEAD tag has been validated.
Should the AEAD tag prove to be invalid, the packet in question is to Should the AEAD tag prove to be invalid, the packet in question is to
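Review bot: The new sentence after the Decrypt Mode outputs says "tag lengths" for CCM and "tag sizes" for GCM in the same breath; use one term, preferably "length" to match "tag_length" in the output definitions just above it. A comma after "in SRTP/SRTCP" would also stop "SRTP/SRTCP CCM" from reading as a single name.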
skipping to change at page 8, line 21 skipping to change at page 8, line 25
first_key_block = AES_ENC( data=0x02||IV||block_counter, first_key_block = AES_ENC( data=0x02||IV||block_counter,
key=Encryption_key ) key=Encryption_key )
while len(key_stream)<Plaintext_len: while len(key_stream)<Plaintext_len:
block_counter = block_counter + 1 block_counter = block_counter + 1
key_block = AES_ENC( data=0x02||IV||block_counter, key_block = AES_ENC( data=0x02||IV||block_counter,
key=Encryption_key ) key=Encryption_key )
key_stream = key_stream || key_block key_stream = key_stream || key_block
key_stream = truncate( key_stream, Plaintext_len ) key_stream = truncate( key_stream, Plaintext_len )
return (first_key_block, key_stream ) return (first_key_block, key_stream )
These keystream generation processes allow for a keystream of length In theory these keystream generation processes allow for each packet
up to (2^24)-1 octets for AES-CCM and up to (2^36)-32 octets for to use s keystream of length up to (2^24)-1 octets per invocation for
AES-GCM. AES-CCM and up to (2^36)-32 octets per invocation for AES-GCM, far
longer than is actually required.
With any counter mode, if the same (IV, Encryption_key) pair is used With any counter mode, if the same (IV, Encryption_key) pair is used
twice, precisely the same keystream is formed. As explained in twice, precisely the same keystream is formed. As explained in
section 9.1 of RFC 3711, this is a cryptographic disaster. For GCM section 9.1 of RFC 3711, this is a cryptographic disaster. For GCM
the consequences are even worse since such a reuse compromises GCM's the consequences are even worse since such a reuse compromises GCM's
integrity mechanism not only for the current packet stream but for integrity mechanism not only for the current packet stream but for
all future uses of the current encryption_key. all future uses of the current encryption_key.
7. AEAD_AES_128_CCM_12 and AEAD_AES_256_CCM_12 7. AEAD_AES_128_CCM_12 and AEAD_AES_256_CCM_12
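Review bot: The replacement sentence after the keystream pseudocode contains a typo, "to use s keystream", which should be "to use a keystream". The added clause "far longer than is actually required" is also unsupported as written; either state what bounds the real per-packet length or drop the clause. In the unchanged paragraph that follows, "encryption_key" should be capitalised as "Encryption_key" to match the pseudocode and the earlier "(IV, Encryption_key)".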
skipping to change at page 11, line 37 skipping to change at page 12, line 28
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
C | cipher | C | cipher |
C | ... | C | ... |
C | | C | |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
R : SRTP MKI (OPTIONAL) : R : SRTP MKI (OPTIONAL) :
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
R : SRTP authentication tag (NOT RECOMMENDED) : R : SRTP authentication tag (NOT RECOMMENDED) :
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
C = Cipertext (encrypted and authenticated) C = Ciphertext (encrypted and authenticated)
A = Associated Data (authenticated only) A = Associated Data (authenticated only)
R = neither encrypted nor authenticated, added R = neither encrypted nor authenticated, added
after authenticated encryption completed after authenticated encryption completed
Figure 3: Structure of an SRTP packet after Authenticated Figure 3: Structure of an SRTP packet after Authenticated
Encryption Encryption
9.3. Handling Header Extensions 9.3. Handling Header Extensions
RTP header extensions were first defined in RFC 3550. RFC 6904 RTP header extensions were first defined in RFC 3550. RFC 6904
skipping to change at page 17, line 9 skipping to change at page 18, line 9
length length
N_MAX maximum nonce (IV) MUST be 12 octets. N_MAX maximum nonce (IV) MUST be 12 octets.
length length
P_MAX maximum plaintext GCM: MUST be <= 2^36-32 octets. P_MAX maximum plaintext GCM: MUST be <= 2^36-32 octets.
length per invocation CCM: MUST be <= 2^24-1 octets. length per invocation CCM: MUST be <= 2^24-1 octets.
C_MAX maximum ciphertext GCM: MUST be <= 2^36-16 octets. C_MAX maximum ciphertext GCM: MUST be <= 2^36-16 octets.
length per invocation CCM: MUST be <= 2^24+15 octets. length per invocation CCM: MUST be <= 2^24+15 octets.
For GCM the value of P_MAX is based on purely cryptographic For GCM the value of P_MAX is based on purely cryptographic
considerations. CCM requires the lenght of the plaintext, measured considerations. CCM requires the length of the plaintext, measured
in octets, must fit in a 24-bit field. Hence P_MAX is 2^24-1.. in octets, must fit in a 24-bit field. Hence P_MAX is 2^24-1..
For sake of clarity we specify two additional parameters: For sake of clarity we specify two additional parameters:
AEAD Authentication Tag Length MUST be either 8, 12, or 16 AEAD Authentication Tag Length CCM: MUST be 8, 12, or 16 octets,
octets GCM: MUST be 12 or 16 octets.
Maximum number of invocations MUST be at most 2^48 for SRTP Maximum number of invocations SRTP: MUST be at most 2^48,
for a given instantiation MUST be at most 2^31 for SRTCP for a given instantiation SRTCP: MUST be at most 2^31.
Block Counter size MUST be 24 bits for CCM, Block Counter size CCM: MUST be 24 bits,
MUST be 32 bits for GCM GCM: MUST be 32 bits.
The reader is reminded that the ciphertext is longer than the The reader is reminded that the ciphertext is longer than the
plaintext by exactly the length of the AEAD authentication tag. plaintext by exactly the length of the AEAD authentication tag.
12. Key Derivation Functions 12. Key Derivation Functions
A Key Derivation Function (KDF) is used to derive all of the required A Key Derivation Function (KDF) is used to derive all of the required
encryption and authentication keys from a secret value shared by the encryption and authentication keys from a secret value shared by the
endpoints. Both the AEAD_AES_128_GCM algorithms and the endpoints. Both the AEAD_AES_128_GCM algorithms and the
AEAD_AES_128_CCM algorithms MUST use the (128-bit) AES_CM_PRF Key AEAD_AES_128_CCM algorithms MUST use the (128-bit) AES_CM_PRF Key
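Review bot: The P_MAX paragraph still ends with a doubled period ("Hence P_MAX is 2^24-1..") in the -13 column, even though "lenght" was corrected one line above it. The sentence "CCM requires the length of the plaintext, measured in octets, must fit in a 24-bit field" also mixes two constructions; use either "CCM requires that the length ... fit" or "For CCM the length ... must fit".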
skipping to change at page 18, line 6 skipping to change at page 19, line 9
cipher algorithm. AES-GCM uses AES counter mode for encryption and cipher algorithm. AES-GCM uses AES counter mode for encryption and
Galois Message Authentication Code (GMAC) for authentication. A Galois Message Authentication Code (GMAC) for authentication. A
detailed description of the AES-GCM family can be found in detailed description of the AES-GCM family can be found in
[RFC5116]. The following members of the AES-GCM family may be used [RFC5116]. The following members of the AES-GCM family may be used
with SRTP/SRTCP: with SRTP/SRTCP:
Name Key Size AEAD Tag Size Reference Name Key Size AEAD Tag Size Reference
================================================================ ================================================================
AEAD_AES_128_GCM 16 octets 16 octets [RFC5116] AEAD_AES_128_GCM 16 octets 16 octets [RFC5116]
AEAD_AES_256_GCM 32 octets 16 octets [RFC5116] AEAD_AES_256_GCM 32 octets 16 octets [RFC5116]
AEAD_AES_128_GCM_8 16 octets 8 octets [RFC5282]
AEAD_AES_256_GCM_8 32 octets 8 octets [RFC5282]
AEAD_AES_128_GCM_12 16 octets 12 octets [RFC5282] AEAD_AES_128_GCM_12 16 octets 12 octets [RFC5282]
AEAD_AES_256_GCM_12 32 octets 12 octets [RFC5282] AEAD_AES_256_GCM_12 32 octets 12 octets [RFC5282]
Table 1: AES-GCM algorithms for SRTP/SRTCP Table 1: AES-GCM algorithms for SRTP/SRTCP
Any implementation of AES-GCM SRTP MUST support both AEAD_AES_128_GCM Any implementation of AES-GCM SRTP MUST support both AEAD_AES_128_GCM
and AEAD_AES_256_GCM (the versions with 16 octet AEAD authentication and AEAD_AES_256_GCM (the versions with 16 octet AEAD authentication
tags), and it MAY support the four other variants shown in table 1. tags), and it MAY support the four other variants shown in table 1.
Below we summarize parameters associated with these six GCM Below we summarize parameters associated with these four GCM
algorithms: algorithms:
+--------------------------------+------------------------------+ +--------------------------------+------------------------------+
| Parameter | Value | | Parameter | Value |
+--------------------------------+------------------------------+ +--------------------------------+------------------------------+
| Master key length | 128 bits | | Master key length | 128 bits |
| Master salt length | 96 bits | | Master salt length | 96 bits |
| Key Derivation Function | AES_CM_PRF [RFC3711] | | Key Derivation Function | AES_CM_PRF [RFC3711] |
| Default key lifetime (SRTP) | 2^48 packets | | Default key lifetime (SRTP) | 2^48 packets |
| Default key lifetime (SRTCP) | 2^31 packets | | Default key lifetime (SRTCP) | 2^31 packets |
| Cipher (for SRTP and SRTCP) | AEAD_AES_128_GCM_8 |
| AEAD authentication tag length | 64 bits |
+--------------------------------+------------------------------+
Table 2: The AEAD_AES_128_GCM_8 Crypto Suite
+--------------------------------+------------------------------+
| Parameter | Value |
+--------------------------------+------------------------------+
| Master key length | 128 bits |
| Master salt length | 96 bits |
| Key Derivation Function | AES_CM_PRF [RFC3711] |
| Default key lifetime (SRTP) | 2^48 packets |
| Default key lifetime (SRTCP) | 2^31 packets |
| Cipher (for SRTP and SRTCP) | AEAD_AES_128_GCM_12 | | Cipher (for SRTP and SRTCP) | AEAD_AES_128_GCM_12 |
| AEAD authentication tag length | 96 bits | | AEAD authentication tag length | 96 bits |
+--------------------------------+------------------------------+ +--------------------------------+------------------------------+
Table 3: The AEAD_AES_128_GCM_12 Crypto Suite Table 2: The AEAD_AES_128_GCM_12 Crypto Suite
+--------------------------------+------------------------------+ +--------------------------------+------------------------------+
| Parameter | Value | | Parameter | Value |
+--------------------------------+------------------------------+ +--------------------------------+------------------------------+
| Master key length | 128 bits | | Master key length | 128 bits |
| Master salt length | 96 bits | | Master salt length | 96 bits |
| Key Derivation Function | AES_CM_PRF [RFC3711] | | Key Derivation Function | AES_CM_PRF [RFC3711] |
| Default key lifetime (SRTP) | 2^48 packets | | Default key lifetime (SRTP) | 2^48 packets |
| Default key lifetime (SRTCP) | 2^31 packets | | Default key lifetime (SRTCP) | 2^31 packets |
| Cipher (for SRTP and SRTCP) | AEAD_AES_128_GCM | | Cipher (for SRTP and SRTCP) | AEAD_AES_128_GCM |
| AEAD authentication tag length | 128 bits | | AEAD authentication tag length | 128 bits |
+--------------------------------+------------------------------+ +--------------------------------+------------------------------+
Table 4: The AEAD_AES_128_GCM Crypto Suite Table 3: The AEAD_AES_128_GCM Crypto Suite
+--------------------------------+------------------------------+
| Parameter | Value |
+--------------------------------+------------------------------+
| Master key length | 256 bits |
| Master salt length | 96 bits |
| Key Derivation Function | AES_256_CM_PRF [RFC6188] |
| Default key lifetime (SRTP) | 2^17 packets |
| Default key lifetime (SRTCP) | 2^17 packets |
| Cipher (for SRTP and SRTCP) | AEAD_AES_256_GCM_8 |
| AEAD authentication tag length | 64 bits |
+--------------------------------+------------------------------+
Table 5: The AEAD_AES_256_GCM_8 Crypto Suite
+--------------------------------+------------------------------+ +--------------------------------+------------------------------+
| Parameter | Value | | Parameter | Value |
+--------------------------------+------------------------------+ +--------------------------------+------------------------------+
| Master key length | 256 bits | | Master key length | 256 bits |
| Master salt length | 96 bits | | Master salt length | 96 bits |
| Key Derivation Function | AES_256_CM_PRF [RFC6188] | | Key Derivation Function | AES_256_CM_PRF [RFC6188] |
| Default key lifetime (SRTP) | 2^48 packets | | Default key lifetime (SRTP) | 2^48 packets |
| Default key lifetime (SRTCP) | 2^31 packets | | Default key lifetime (SRTCP) | 2^31 packets |
| Cipher (for SRTP and SRTCP) | AEAD_AES_256_GCM_12 | | Cipher (for SRTP and SRTCP) | AEAD_AES_256_GCM_12 |
| AEAD authentication tag length | 96 bits | | AEAD authentication tag length | 96 bits |
+--------------------------------+------------------------------+ +--------------------------------+------------------------------+
Table 6: The AEAD_AES_256_GCM_12 Crypto Suite Table 4: The AEAD_AES_256_GCM_12 Crypto Suite
+--------------------------------+------------------------------+ +--------------------------------+------------------------------+
| Parameter | Value | | Parameter | Value |
+--------------------------------+------------------------------+ +--------------------------------+------------------------------+
| Master key length | 256 bits | | Master key length | 256 bits |
| Master salt length | 96 bits | | Master salt length | 96 bits |
| Key Derivation Function | AES_256_CM_PRF [RFC6188] | | Key Derivation Function | AES_256_CM_PRF [RFC6188] |
| Default key lifetime (SRTP) | 2^48 packets | | Default key lifetime (SRTP) | 2^48 packets |
| Default key lifetime (SRTCP) | 2^31 packets | | Default key lifetime (SRTCP) | 2^31 packets |
| Cipher (for SRTP and SRTCP) | AEAD_AES_256_GCM | | Cipher (for SRTP and SRTCP) | AEAD_AES_256_GCM |
| AEAD authentication tag length | 128 bits | | AEAD authentication tag length | 128 bits |
+--------------------------------+------------------------------+ +--------------------------------+------------------------------+
Table 7: The AEAD_AES_256_GCM Crypto Suite Table 5: The AEAD_AES_256_GCM Crypto Suite
13.2. AES-CCM for SRTP/SRTCP 13.2. AES-CCM for SRTP/SRTCP
AES-CCM is another family of AEAD algorithms built around the AES AES-CCM is another family of AEAD algorithms built around the AES
block cipher algorithm. AES-CCM uses AES counter mode for encryption block cipher algorithm. AES-CCM uses AES counter mode for encryption
and AES Cipher Block Chaining Message Authentication Code (CBC-MAC) and AES Cipher Block Chaining Message Authentication Code (CBC-MAC)
for authentication. A detailed description of the AES-CCM family can for authentication. A detailed description of the AES-CCM family can
be found in [RFC5116]. Four of the six CCM algorithms used in this be found in [RFC5116]. Four of the six CCM algorithms used in this
document are defined in previous RFCs, while two, AEAD_AES_128_CCM_12 document are defined in previous RFCs, while two, AEAD_AES_128_CCM_12
and AEAD_AES_256_CCM_12, are defined in section 7 of this document. and AEAD_AES_256_CCM_12, are defined in section 7 of this document.
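Review bot: The sentence after Table 1 still says an implementation "MAY support the four other variants shown in table 1", but with the two GCM_8 rows removed in -13 the table lists only two variants besides AEAD_AES_128_GCM and AEAD_AES_256_GCM. Change "four" to "two", in the same way "these six GCM algorithms" became "these four GCM algorithms" on the next line. It is also worth checking the rest of the document for leftover references to the removed AEAD_AES_128_GCM_8 and AEAD_AES_256_GCM_8 suites and to the old table numbers, since every table after Table 1 has been renumbered.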
skipping to change at page 20, line 41 skipping to change at page 21, line 14
Name Key Size AEAD Tag Size Reference Name Key Size AEAD Tag Size Reference
================================================================ ================================================================
AEAD_AES_128_CCM 128 bits 16 octets [RFC5116] AEAD_AES_128_CCM 128 bits 16 octets [RFC5116]
AEAD_AES_256_CCM 256 bits 16 octets [RFC5116] AEAD_AES_256_CCM 256 bits 16 octets [RFC5116]
AEAD_AES_128_CCM_12 128 bits 12 octets see section 7 AEAD_AES_128_CCM_12 128 bits 12 octets see section 7
AEAD_AES_256_CCM_12 256 bits 12 octets see section 7 AEAD_AES_256_CCM_12 256 bits 12 octets see section 7
AEAD_AES_128_CCM_8 128 bits 8 octets [RFC6655] AEAD_AES_128_CCM_8 128 bits 8 octets [RFC6655]
AEAD_AES_256_CCM_8 256 bits 8 octets [RFC6655] AEAD_AES_256_CCM_8 256 bits 8 octets [RFC6655]
Table 8: AES-CCM algorithms for SRTP/SRTCP Table 6: AES-CCM algorithms for SRTP/SRTCP
In addition to the flag octet used in counter mode encryption, In addition to the flag octet used in counter mode encryption,
AES-CCM authentications also uses a flag octet that conveys AES-CCM authentications also uses a flag octet that conveys
information about the length of the authentication tag, length of the information about the length of the authentication tag, length of the
block counter, and presence of additional authenticated data (see block counter, and presence of additional authenticated data (see
section 2.2 of [RFC3610]). For AES-CCM in SRTP/SRTCP, the flag octet section 2.2 of [RFC3610]). For AES-CCM in SRTP/SRTCP, the flag octet
has the hex value 5A if an 8-octet AEAD authentication tag is used, has the hex value 5A if an 8-octet AEAD authentication tag is used,
6A if a 12-octet AEAD authentication tag is used, and 7A if a 6A if a 12-octet AEAD authentication tag is used, and 7A if a
16-octet AEAD authentication tag is used. The flag octet is one of 16-octet AEAD authentication tag is used. The flag octet is one of
the inputs to AES during the counter mode encryption of the the inputs to AES during the counter mode encryption of the
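Review bot: The sentence "AES-CCM authentications also uses a flag octet" in the paragraph after the table is carried into -13 unchanged with a subject-verb mismatch; it should read "AES-CCM authentication also uses a flag octet". Since the paragraph fixes the flag octet to 5A, 6A and 7A, it would also help implementers to state the field values those constants encode under section 2.2 of [RFC3610] (Adata set, a 3-octet length field, and the tag-length field for 8, 12 and 16 octets), so the values can be checked rather than copied.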
skipping to change at page 21, line 18 skipping to change at page 21, line 39
+--------------------------------+------------------------------+ +--------------------------------+------------------------------+
| Master key length | 128 bits | | Master key length | 128 bits |
| Master salt length | 96 bits | | Master salt length | 96 bits |
| Key Derivation Function | AES_CM_PRF [RFC3711] | | Key Derivation Function | AES_CM_PRF [RFC3711] |
| Maximum key lifetime (SRTP) | 2^48 packets | | Maximum key lifetime (SRTP) | 2^48 packets |
| Maximum key lifetime (SRTCP) | 2^31 packets | | Maximum key lifetime (SRTCP) | 2^31 packets |
| Cipher (for SRTP and SRTCP) | AEAD_AES_128_CCM_8 | | Cipher (for SRTP and SRTCP) | AEAD_AES_128_CCM_8 |
| AEAD authentication tag length | 64 bits | | AEAD authentication tag length | 64 bits |
+--------------------------------+------------------------------+ +--------------------------------+------------------------------+
Table 9: The AEAD_AES_128_CCM_8 Crypto Suite Table 7: The AEAD_AES_128_CCM_8 Crypto Suite
+--------------------------------+------------------------------+ +--------------------------------+------------------------------+
| Parameter | Value | | Parameter | Value |
+--------------------------------+------------------------------+ +--------------------------------+------------------------------+
| Master key length | 128 bits | | Master key length | 128 bits |
| Master salt length | 96 bits | | Master salt length | 96 bits |
| Key Derivation Function | AES_CM_PRF [RFC3711] | | Key Derivation Function | AES_CM_PRF [RFC3711] |
| Maximum key lifetime (SRTP) | 2^48 packets | | Maximum key lifetime (SRTP) | 2^48 packets |
| Maximum key lifetime (SRTCP) | 2^31 packets | | Maximum key lifetime (SRTCP) | 2^31 packets |
| Cipher (for SRTP and SRTCP) | AEAD_AES_128_CCM_12 | | Cipher (for SRTP and SRTCP) | AEAD_AES_128_CCM_12 |
| AEAD authentication tag length | 96 bits | | AEAD authentication tag length | 96 bits |
+--------------------------------+------------------------------+ +--------------------------------+------------------------------+
Table 10: The AEAD_AES_128_CCM_12 Crypto Suite Table 8: The AEAD_AES_128_CCM_12 Crypto Suite
+--------------------------------+------------------------------+ +--------------------------------+------------------------------+
| Parameter | Value | | Parameter | Value |
+--------------------------------+------------------------------+ +--------------------------------+------------------------------+
| Master key length | 128 bits | | Master key length | 128 bits |
| Master salt length | 96 bits | | Master salt length | 96 bits |
| Key Derivation Function | AES_CM_PRF [RFC3711] | | Key Derivation Function | AES_CM_PRF [RFC3711] |
| Maximum key lifetime (SRTP) | 2^48 packets | | Maximum key lifetime (SRTP) | 2^48 packets |
| Maximum key lifetime (SRTCP) | 2^31 packets | | Maximum key lifetime (SRTCP) | 2^31 packets |
| Cipher (for SRTP and SRTCP) | AEAD_AES_128_CCM | | Cipher (for SRTP and SRTCP) | AEAD_AES_128_CCM |
| AEAD authentication tag length | 128 bits | | AEAD authentication tag length | 128 bits |
+--------------------------------+------------------------------+ +--------------------------------+------------------------------+
Table 11: The AEAD_AES_128_CCM Crypto Suite Table 9: The AEAD_AES_128_CCM Crypto Suite
+--------------------------------+------------------------------+ +--------------------------------+------------------------------+
| Parameter | Value | | Parameter | Value |
+--------------------------------+------------------------------+ +--------------------------------+------------------------------+
| Master key length | 256 bits | | Master key length | 256 bits |
| Master salt length | 96 bits | | Master salt length | 96 bits |
| Key Derivation Function | AES_256_CM_PRF [RFC6188] | | Key Derivation Function | AES_256_CM_PRF [RFC6188] |
| Maximum key lifetime (SRTP) | 2^48 packets | | Maximum key lifetime (SRTP) | 2^48 packets |
| Maximum key lifetime (SRTCP) | 2^31 packets | | Maximum key lifetime (SRTCP) | 2^31 packets |
| Cipher (for SRTP and SRTCP) | AEAD_AES_256_CCM_8 | | Cipher (for SRTP and SRTCP) | AEAD_AES_256_CCM_8 |
| AEAD authentication tag length | 64 bits | | AEAD authentication tag length | 64 bits |
+--------------------------------+------------------------------+ +--------------------------------+------------------------------+
Table 12: The AEAD_AES_256_CCM_8 Crypto Suite Table 10: The AEAD_AES_256_CCM_8 Crypto Suite
+--------------------------------+------------------------------+ +--------------------------------+------------------------------+
| Parameter | Value | | Parameter | Value |
+--------------------------------+------------------------------+ +--------------------------------+------------------------------+
| Master key length | 256 bits | | Master key length | 256 bits |
| Master salt length | 96 bits | | Master salt length | 96 bits |
| Key Derivation Function | AES_256_CM_PRF [RFC6188] | | Key Derivation Function | AES_256_CM_PRF [RFC6188] |
| Maximum key lifetime (SRTP) | 2^48 packets | | Maximum key lifetime (SRTP) | 2^48 packets |
| Maximum key lifetime (SRTCP) | 2^31 packets | | Maximum key lifetime (SRTCP) | 2^31 packets |
| Cipher (for SRTP and SRTCP) | AEAD_AES_256_CCM_12 | | Cipher (for SRTP and SRTCP) | AEAD_AES_256_CCM_12 |
| AEAD authentication tag length | 96 bits | | AEAD authentication tag length | 96 bits |
+--------------------------------+------------------------------+ +--------------------------------+------------------------------+
Table 13: The AEAD_AES_256_CCM_12 Crypto Suite Table 11: The AEAD_AES_256_CCM_12 Crypto Suite
+--------------------------------+------------------------------+ +--------------------------------+------------------------------+
| Parameter | Value | | Parameter | Value |
+--------------------------------+------------------------------+ +--------------------------------+------------------------------+
| Master key length | 256 bits | | Master key length | 256 bits |
| Master salt length | 96 bits | | Master salt length | 96 bits |
| Key Derivation Function | AES_256_CM_PRF [RFC6188] | | Key Derivation Function | AES_256_CM_PRF [RFC6188] |
| Maximum key lifetime (SRTP) | 2^48 packets | | Maximum key lifetime (SRTP) | 2^48 packets |
| Maximum key lifetime (SRTCP) | 2^31 packets | | Maximum key lifetime (SRTCP) | 2^31 packets |
| Cipher (for SRTP and SRTCP) | AEAD_AES_256_CCM | | Cipher (for SRTP and SRTCP) | AEAD_AES_256_CCM |
| AEAD authentication tag length | 128 bits | | AEAD authentication tag length | 128 bits |
+--------------------------------+------------------------------+ +--------------------------------+------------------------------+
Table 14: The AEAD_AES_256_CCM Crypto Suite Table 12: The AEAD_AES_256_CCM Crypto Suite
14. Security Considerations 14. Security Considerations
14.1. Handling of Security Critical Parameters 14.1. Handling of Security Critical Parameters
As with any security process, the implementer must take care to As with any security process, the implementer must take care to
ensure cryptographically sensitive parameters are properly handled. ensure cryptographically sensitive parameters are properly handled.
Many of these recommendations hold for all SRTP cryptographic Many of these recommendations hold for all SRTP cryptographic
algorithms, but we include them here to emphasize their importance. algorithms, but we include them here to emphasize their importance.
- If the master salt is to be kept secret, it MUST be properly - If the master salt is to be kept secret, it MUST be properly
erased when no longer needed. erased when no longer needed.
- The secret master key and all keys derived from it MUST be kept - The secret master key and all keys derived from it MUST be kept
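Review bot: The six crypto suite captions in this hunk each move down by two (Table 9 through Table 14 become Table 7 through Table 12), so any prose elsewhere in the draft that cites these tables by number needs the same shift; please confirm none still points at the old numbers. The table bodies are identical on both sides, which is expected for a pure renumbering.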
skipping to change at page 24, line 50 skipping to change at page 25, line 33
|===========+=============+============+=============+=============| |===========+=============+============+=============+=============|
| | 96 (CCM) | 2^66 tries | 2^76 tries | 2^86 tries | | | 96 (CCM) | 2^66 tries | 2^76 tries | 2^86 tries |
| 12 +-------------+------------+-------------+-------------| | 12 +-------------+------------+-------------+-------------|
| | 84 (GCM) | 2^54 tries | 2^64 tries | 2^74 tries | | | 84 (GCM) | 2^54 tries | 2^64 tries | 2^74 tries |
|===========+=============+============+=============+=============| |===========+=============+============+=============+=============|
| | 128 (CCM) | 2^86 tries | 2^96 tries | 2^106 tries | | | 128 (CCM) | 2^86 tries | 2^96 tries | 2^106 tries |
| 16 +-------------+------------+-------------+-------------| | 16 +-------------+------------+-------------+-------------|
| | 116 (GCM) | 2^98 tries | 2^108 tries | 2^118 tries | | | 116 (GCM) | 2^98 tries | 2^108 tries | 2^118 tries |
|===========+=============+============+=============+=============| |===========+=============+============+=============+=============|
Table 15: Number of forgery attempts needed to achieve a given Table 13: Number of forgery attempts needed to achieve a given
probability of success for various tag sizes. probability of success for various tag sizes.
15. IANA Considerations 15. IANA Considerations
15.1. SDES 15.1. SDES
SDP Security Descriptions [RFC4568] defines SRTP "crypto suites". A SDP Security Descriptions [RFC4568] defines SRTP "crypto suites". A
crypto suite corresponds to a particular AEAD algorithm in SRTP. In crypto suite corresponds to a particular AEAD algorithm in SRTP. In
order to allow Security Descriptions to signal the use of the order to allow Security Descriptions to signal the use of the
algorithms defined in this document, IANA will register the following algorithms defined in this document, IANA will register the following
crypto suites into the "SRTP Crypto Suite Registrations" subregistry crypto suites into the "SRTP Crypto Suite Registrations" subregistry
of the "Session Description Protocol (SDP) Security Descriptions" of the "Session Description Protocol (SDP) Security Descriptions"
registry. registry.
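Review bot: In the 16-octet rows of the forgery table the CCM and GCM values look swapped, and -13 carries this over unchanged: the 128 (CCM) row lists 2^86, 2^96 and 2^106 tries while the 116 (GCM) row lists 2^98, 2^108 and 2^118. In the 12-octet rows each entry is 2 raised to the tag strength in bits minus 30, 20 and 10 (96 gives 2^66, 84 gives 2^54), and by that rule 128 bits should give 2^98, 2^108 and 2^118, and 116 bits should give 2^86, 2^96 and 2^106. As written, the table says the shorter effective tag needs more forgery attempts. Suggest exchanging the values of the two rows. The caption renumbering from Table 15 to Table 13 is fine.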
skipping to change at page 25, line 16 skipping to change at page 26, line 7
SDP Security Descriptions [RFC4568] defines SRTP "crypto suites". A SDP Security Descriptions [RFC4568] defines SRTP "crypto suites". A
crypto suite corresponds to a particular AEAD algorithm in SRTP. In crypto suite corresponds to a particular AEAD algorithm in SRTP. In
order to allow Security Descriptions to signal the use of the order to allow Security Descriptions to signal the use of the
algorithms defined in this document, IANA will register the following algorithms defined in this document, IANA will register the following
crypto suites into the "SRTP Crypto Suite Registrations" subregistry crypto suites into the "SRTP Crypto Suite Registrations" subregistry
of the "Session Description Protocol (SDP) Security Descriptions" of the "Session Description Protocol (SDP) Security Descriptions"
registry. registry.
srtp-crypto-suite-ext = "AEAD_AES_128_GCM" / srtp-crypto-suite-ext = "AEAD_AES_128_GCM" /
"AEAD_AES_256_GCM" / "AEAD_AES_256_GCM" /
"AEAD_AES_128_GCM_8" /
"AEAD_AES_256_GCM_8" /
"AEAD_AES_128_GCM_12" / "AEAD_AES_128_GCM_12" /
"AEAD_AES_256_GCM_12" / "AEAD_AES_256_GCM_12" /
"AEAD_AES_128_CCM" / "AEAD_AES_128_CCM" /
"AEAD_AES_256_CCM" / "AEAD_AES_256_CCM" /
"AEAD_AES_128_CCM_8" / "AEAD_AES_128_CCM_8" /
"AEAD_AES_256_CCM_8" / "AEAD_AES_256_CCM_8" /
"AEAD_AES_128_CCM_12" / "AEAD_AES_128_CCM_12" /
"AEAD_AES_256_CCM_12" / "AEAD_AES_256_CCM_12" /
srtp-crypto-suite-ext srtp-crypto-suite-ext
15.2. DTLS 15.2. DTLS
DTLS-SRTP [RFC5764] defines a DTLS-SRTP "SRTP Protection Profile". DTLS-SRTP [RFC5764] defines a DTLS-SRTP "SRTP Protection Profile".
These also correspond to the use of an AEAD algorithm in SRTP. In These also correspond to the use of an AEAD algorithm in SRTP. In
order to allow the use of the algorithms defined in this document in order to allow the use of the algorithms defined in this document in
DTLS-SRTP, we request IANA register the following SRTP Protection DTLS-SRTP, we request IANA register the following SRTP Protection
Profiles: Profiles:
AEAD_AES_128_GCM = {TBD, TBD } AEAD_AES_128_GCM = {TBD, TBD }
AEAD_AES_256_GCM = {TBD, TBD } AEAD_AES_256_GCM = {TBD, TBD }
AEAD_AES_128_GCM_8 = {TBD, TBD }
AEAD_AES_256_GCM_8 = {TBD, TBD }
AEAD_AES_128_GCM_12 = {TBD, TBD } AEAD_AES_128_GCM_12 = {TBD, TBD }
AEAD_AES_256_GCM_12 = {TBD, TBD } AEAD_AES_256_GCM_12 = {TBD, TBD }
AEAD_AES_128_CCM = {TBD, TBD } AEAD_AES_128_CCM = {TBD, TBD }
AEAD_AES_256_CCM = {TBD, TBD } AEAD_AES_256_CCM = {TBD, TBD }
AEAD_AES_128_CCM_8 = {TBD, TBD } AEAD_AES_128_CCM_8 = {TBD, TBD }
AEAD_AES_256_CCM_8 = {TBD, TBD } AEAD_AES_256_CCM_8 = {TBD, TBD }
AEAD_AES_128_CCM_12 = {TBD, TBD } AEAD_AES_128_CCM_12 = {TBD, TBD }
AEAD_AES_256_CCM_12 = {TBD, TBD } AEAD_AES_256_CCM_12 = {TBD, TBD }
Below we list the SRTP transform parameters for each of these Below we list the SRTP transform parameters for each of these
protection profile. Unless separate parameters for SRTCP and SRTCP protection profile. Unless separate parameters for SRTCP and SRTCP
are explicitly listed, these parameters apply to both SRTP and are explicitly listed, these parameters apply to both SRTP and
SRTCP. Note that GCM with an 8 octet auth_tag_length has a smaller SRTCP.
than anticipated maximum lifetime due to the constraints imposed by
NIST SP 800-38D appendix C.
AEAD_AES_128_CCM AEAD_AES_128_CCM
cipher: AES_128_CCM cipher: AES_128_CCM
cipher_key_length: 128 bits cipher_key_length: 128 bits
cipher_salt_length: 96 bits cipher_salt_length: 96 bits
aead_auth_tag_length: 16 octets aead_auth_tag_length: 16 octets
auth_function: NULL auth_function: NULL
auth_key_length: N/A auth_key_length: N/A
auth_tag_length: N/A auth_tag_length: N/A
maximum lifetime: at most 2^31 SRTCP packets and maximum lifetime: at most 2^31 SRTCP packets and
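Review bot: The retained sentence "Unless separate parameters for SRTCP and SRTCP are explicitly listed" names SRTCP twice and should read "SRTP and SRTCP"; the same paragraph has "each of these protection profile", which should be "profiles". Both survive into -13 even though the paragraph was edited to drop the 8-octet GCM note. Separately, the ABNF rule srtp-crypto-suite-ext ends with "/ srtp-crypto-suite-ext", so the rule names itself as its last alternative; if the intent is to extend the rule defined in [RFC4568], the incremental-alternative form "=/" would express that without the self-reference. The removal of the two GCM_8 entries from both the ABNF list and the DTLS profile list is consistent.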
skipping to change at page 27, line 43 skipping to change at page 28, line 27
cipher: AES_256_GCM cipher: AES_256_GCM
cipher_key_length: 256 bits cipher_key_length: 256 bits
cipher_salt_length: 96 bits cipher_salt_length: 96 bits
aead_auth_tag_length: 16 octets aead_auth_tag_length: 16 octets
auth_function: NULL auth_function: NULL
auth_key_length: N/A auth_key_length: N/A
auth_tag_length: N/A auth_tag_length: N/A
maximum lifetime: at most 2^31 SRTCP packets and maximum lifetime: at most 2^31 SRTCP packets and
at most 2^48 SRTP packets at most 2^48 SRTP packets
AEAD_AES_128_GCM_8
cipher: AES_128_GCM
cipher_key_length: 128 bits
cipher_salt_length: 96 bits
aead_auth_tag_length: 8 octets
auth_function: NULL
auth_key_length: N/A
auth_tag_length: N/A
maximum lifetime: at most 2^17 SRTCP packets and
at most 2^17 SRTP packets
AEAD_AES_256_GCM_8
cipher: AES_256_GCM
cipher_key_length: 256 bits
cipher_salt_length: 96 bits
aead_auth_tag_length: 8 octets
auth_function: NULL
auth_key_length: N/A
auth_tag_length: N/A
maximum lifetime: at most 2^17 SRTCP packets and
at most 2^17 SRTP packets
AEAD_AES_128_GCM_12 AEAD_AES_128_GCM_12
cipher: AES_128_GCM cipher: AES_128_GCM
cipher_key_length: 128 bits cipher_key_length: 128 bits
cipher_salt_length: 96 bits cipher_salt_length: 96 bits
aead_auth_tag_length: 12 octets aead_auth_tag_length: 12 octets
auth_function: NULL auth_function: NULL
auth_key_length: N/A auth_key_length: N/A
auth_tag_length: N/A auth_tag_length: N/A
maximum lifetime: at most 2^31 SRTCP packets and maximum lifetime: at most 2^31 SRTCP packets and
at most 2^48 SRTP packets at most 2^48 SRTP packets
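Review bot: The AEAD_AES_128_GCM_8 and AEAD_AES_256_GCM_8 profile blocks are deleted here, and the sentence that explained their 2^17 packet lifetime by reference to NIST SP 800-38D appendix C was deleted in the previous hunk, but nothing visible in -13 records why an 8-octet tag remains available for CCM and not for GCM. Suggest one sentence in the Security Considerations stating that 8-octet GCM tags are intentionally not defined, so implementers do not add them by analogy with the CCM_8 profiles.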
skipping to change at page 30, line 17 skipping to change at page 30, line 17
| Algorithm | Key Length | Tag Length | | Algorithm | Key Length | Tag Length |
+============+=============+=============+ +============+=============+=============+
AEAD_AES_128_GCM | AES-GCM | 16 octets | 16 octets | AEAD_AES_128_GCM | AES-GCM | 16 octets | 16 octets |
+------------+-------------+-------------+ +------------+-------------+-------------+
AEAD_AES_128_CCM | AES-CCM | 16 octets | 16 octets | AEAD_AES_128_CCM | AES-CCM | 16 octets | 16 octets |
+------------+-------------+-------------+ +------------+-------------+-------------+
AEAD_AES_128_GCM_12 | AES-GCM | 16 octets | 12 octets | AEAD_AES_128_GCM_12 | AES-GCM | 16 octets | 12 octets |
+------------+-------------+-------------+ +------------+-------------+-------------+
AEAD_AES_128_CCM_12 | AES-CCM | 16 octets | 12 octets | AEAD_AES_128_CCM_12 | AES-CCM | 16 octets | 12 octets |
+------------+-------------+-------------+ +------------+-------------+-------------+
AEAD_AES_128_GCM_8 | AES-GCM | 16 octets | 8 octets |
+------------+-------------+-------------+
AEAD_AES_128_CCM_8 | AES-CCM | 16 octets | 8 octets | AEAD_AES_128_CCM_8 | AES-CCM | 16 octets | 8 octets |
+------------+-------------+-------------+ +------------+-------------+-------------+
AEAD_AES_256_GCM | AES-GCM | 32 octets | 16 octets | AEAD_AES_256_GCM | AES-GCM | 32 octets | 16 octets |
+------------+-------------+-------------+ +------------+-------------+-------------+
AEAD_AES_256_CCM | AES-CCM | 32 octets | 16 octets | AEAD_AES_256_CCM | AES-CCM | 32 octets | 16 octets |
+------------+-------------+-------------+ +------------+-------------+-------------+
AEAD_AES_256_GCM_12 | AES-GCM | 32 octets | 12 octets | AEAD_AES_256_GCM_12 | AES-GCM | 32 octets | 12 octets |
+------------+-------------+-------------+ +------------+-------------+-------------+
AEAD_AES_256_CCM_12 | AES-CCM | 32 octets | 12 octets | AEAD_AES_256_CCM_12 | AES-CCM | 32 octets | 12 octets |
+------------+-------------+-------------+ +------------+-------------+-------------+
AEAD_AES_256_GCM_8 | AES-GCM | 32 octets | 8 octets |
+------------+-------------+-------------+
AEAD_AES_256_CCM_8 | AES-CCM | 32 octets | 8 octets | AEAD_AES_256_CCM_8 | AES-CCM | 32 octets | 8 octets |
+============+=============+=============+ +============+=============+=============+
Table 16: Mapping MIKEY parameters to AEAD algorithm Table 14: Mapping MIKEY parameters to AEAD algorithm
Section 12 in this document restricts the choice of Key Derivation Section 12 in this document restricts the choice of Key Derivation
Function for AEAD algorithms. To enforce this restriction in MIKEY, Function for AEAD algorithms. To enforce this restriction in MIKEY,
we require that the SRTP PRF has value AES-CM whenever an AEAD we require that the SRTP PRF has value AES-CM whenever an AEAD
algorithm is used. Note that, according to Section 6.10.1 in algorithm is used. Note that, according to Section 6.10.1 in
[RFC3830], the input key length of the Key Derivation Function (i.e. [RFC3830], the input key length of the Key Derivation Function (i.e.
the SRTP master key length) is always equal to the session encryption the SRTP master key length) is always equal to the session encryption
key length. This means, for example, that AEAD_AES_256_GCM will use key length. This means, for example, that AEAD_AES_256_GCM will use
AES_256_CM_PRF as the Key Derivation Function. AES_256_CM_PRF as the Key Derivation Function.
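Review bot: With the AEAD_AES_128_GCM_8 and AEAD_AES_256_GCM_8 rows gone, the MIKEY parameter combination of AES-GCM with an 8-octet tag length no longer maps to any AEAD algorithm, and the text after the table does not say what a receiver does with it. Suggest stating that a MIKEY message carrying an unlisted combination is to be rejected, alongside the existing requirement that the SRTP PRF has value AES-CM.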
 End of changes. 41 change blocks. 
124 lines changed or deleted 70 lines changed or added
