draft-ietf-avtcore-srtp-aes-gcm-13.txt   draft-ietf-avtcore-srtp-aes-gcm-14.txt 
Network Working Group D. McGrew Network Working Group D. McGrew
Internet Draft Cisco Systems, Inc. Internet Draft Cisco Systems, Inc.
Intended Status: Standards Track K. Igoe Intended Status: Standards Track K. Igoe
Expires: December 25, 2014 National Security Agency Expires: January 29, 2015 National Security Agency
June 23, 2014 July 28, 2014
AES-GCM and AES-CCM Authenticated Encryption in Secure RTP (SRTP) AES-GCM and AES-CCM Authenticated Encryption in Secure RTP (SRTP)
draft-ietf-avtcore-srtp-aes-gcm-13 draft-ietf-avtcore-srtp-aes-gcm-14
Status of this Memo Status of this Memo
This Internet-Draft is submitted to IETF in full conformance with the This Internet-Draft is submitted to IETF in full conformance with the
provisions of BCP 78 and BCP 79. provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current. Drafts is at http://datatracker.ietf.org/drafts/current.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on December 25, 2014. This Internet-Draft will expire on January 29, 2015.
Copyright Notice Copyright Notice
Copyright (c) 2014 IETF Trust and the persons identified as the Copyright (c) 2014 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 2, line 48 skipping to change at page 2, line 48
11. Constraints on AEAD for SRTP and SRTCP.........................17 11. Constraints on AEAD for SRTP and SRTCP.........................17
12. Key Derivation Functions.......................................18 12. Key Derivation Functions.......................................18
13. Summary of Algorithm Characteristics...........................18 13. Summary of Algorithm Characteristics...........................18
13.1. AES-GCM for SRTP/SRTCP....................................18 13.1. AES-GCM for SRTP/SRTCP....................................18
13.2. AES-CCM for SRTP/SRTCP....................................20 13.2. AES-CCM for SRTP/SRTCP....................................20
14. Security Considerations........................................23 14. Security Considerations........................................23
14.1. Handling of Security Critical Parameters..................23 14.1. Handling of Security Critical Parameters..................23
14.2. Size of the Authentication Tag............................24 14.2. Size of the Authentication Tag............................24
15. IANA Considerations............................................25 15. IANA Considerations............................................25
15.1. SDES......................................................25 15.1. SDES......................................................25
15.2. DTLS......................................................26 15.2. DTLS-SRTP.................................................26
15.3. MIKEY.....................................................29 15.3. MIKEY.....................................................29
15.4. AEAD registry.............................................29 15.4. AEAD registry.............................................29
16. Parameters for use with MIKEY..................................29 16. Parameters for use with MIKEY..................................29
17. Acknowledgements...............................................30 17. Acknowledgements...............................................30
18. References.....................................................31 18. References.....................................................31
18.1. Normative References......................................31 18.1. Normative References......................................31
18.2. Informative References....................................32 18.2. Informative References....................................32
1. Introduction 1. Introduction
skipping to change at page 4, line 47 skipping to change at page 4, line 47
value to form separate encryption keys, authentication keys value to form separate encryption keys, authentication keys
and salting keys for SRTP and for SRTCP (a total of six and salting keys for SRTP and for SRTCP (a total of six
keys). This process is described in section 4.3 of keys). This process is described in section 4.3 of
[RFC3711]. Since AEAD algorithms such as AES-CCM and AES-GCM [RFC3711]. Since AEAD algorithms such as AES-CCM and AES-GCM
combine encryption and authentication into a single process, combine encryption and authentication into a single process,
AEAD algorithms do not make use of the authentication keys. AEAD algorithms do not make use of the authentication keys.
The master key MUST be at least as large as the encryption The master key MUST be at least as large as the encryption
key derived from it. key derived from it.
d) Aside from making modifications to IANA registries to allow d) Aside from making modifications to IANA registries to allow
AES-GCM and AES-CCM to work with SDES, DTLS and MIKEY, the AES-GCM and AES-CCM to work with SDES, DTLS-SRTP and MIKEY,
details of how the master key is established and shared the details of how the master key is established and shared
between the participants are outside the scope of this between the participants are outside the scope of this
document. Similarly any mechanism for rekeying an existing document. Similarly any mechanism for rekeying an existing
session is outside the scope of the document. session is outside the scope of the document.
e) Each time an instantiation of AES-GCM or AES-CCM is invoked e) Each time an instantiation of AES-GCM or AES-CCM is invoked
to encrypt and authenticate an SRTP or SRTCP data packet a to encrypt and authenticate an SRTP or SRTCP data packet a
new IV is used. SRTP combines the 4-octet synchronization new IV is used. SRTP combines the 4-octet synchronization
source (SSRC) identifier, the 4-octet rollover counter (ROC), source (SSRC) identifier, the 4-octet rollover counter (ROC),
and the 2-octet sequence number (SEQ) with the 12-octet and the 2-octet sequence number (SEQ) with the 12-octet
encryption salt to form a 12-octet IV (see section 9.1). encryption salt to form a 12-octet IV (see section 9.1).
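Review bot: item e) states IV freshness descriptively ("a new IV is used") rather than as a requirement, although IV uniqueness under a given key is a security-critical condition for both AES-GCM and AES-CCM. Suggest either "a new IV MUST be used" or a pointer to section 14.1 (Handling of Security Critical Parameters) if the requirement is stated there. The same sentence lists 10 octets of input (SSRC, ROC, SEQ) for a 12-octet IV; a short "padded as described in section 9.1" would save the reader from checking the arithmetic.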
skipping to change at page 10, line 39 skipping to change at page 10, line 39
12-octet salt to form the 12-octet IV. 12-octet salt to form the 12-octet IV.
9.2. Data Types in SRTP Packets 9.2. Data Types in SRTP Packets
All SRTP packets MUST be both authenticated and encrypted. The data All SRTP packets MUST be both authenticated and encrypted. The data
fields within the SRTP packets are broken into Associated Data, fields within the SRTP packets are broken into Associated Data,
Plaintext and Raw Data as follows (see Figure 2): Plaintext and Raw Data as follows (see Figure 2):
Associated Data: The version V (2 bits), padding flag P (1 bit), Associated Data: The version V (2 bits), padding flag P (1 bit),
extension flag X (1 bit), CSRC count CC (4 bits), extension flag X (1 bit), CSRC count CC (4 bits),
marker M (1 bit), the Payload Type PT (8 bits), marker M (1 bit), the Payload Type PT (7 bits),
the sequence number (16 bits), timestamp (32 the sequence number (16 bits), timestamp (32
bits), SSRC (32 bits), optional contributing bits), SSRC (32 bits), optional contributing
source identifiers (CSRCs, 32 bits each), and source identifiers (CSRCs, 32 bits each), and
optional RTP extension (variable length). optional RTP extension (variable length).
Plaintext: The RTP payload (variable length), RTP padding Plaintext: The RTP payload (variable length), RTP padding
(if used, variable length), and RTP pad count ( (if used, variable length), and RTP pad count (
if used, 1 octet). if used, 1 octet).
Raw Data: The optional variable length SRTP MKI and SRTP Raw Data: The optional variable length SRTP MKI and SRTP
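Review bot: in the Plaintext entry the wrap leaves "RTP pad count (" with a dangling open parenthesis at the end of the line; re-wrap so "(if used, 1 octet)" stays together, matching the "(if used, variable length)" item just above it. The PT width correction to 7 bits checks out: V (2) + P (1) + X (1) + CC (4) + M (1) + PT (7) = 16 bits, which fills the first half of the header word before the 16-bit sequence number.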
skipping to change at page 11, line 36 skipping to change at page 11, line 36
Figure 2: Structure of an SRTP packet before Authenticated Figure 2: Structure of an SRTP packet before Authenticated
Encryption Encryption
Since the AEAD ciphertext is larger than the plaintext by exactly the Since the AEAD ciphertext is larger than the plaintext by exactly the
length of the AEAD authentication tag, the corresponding SRTP length of the AEAD authentication tag, the corresponding SRTP
encrypted packet replaces the plaintext field by a slightly larger encrypted packet replaces the plaintext field by a slightly larger
field containing the cipher. Even if the plaintext field is empty, field containing the cipher. Even if the plaintext field is empty,
AEAD encryption must still be performed, with the resulting cipher AEAD encryption must still be performed, with the resulting cipher
consisting solely of the authentication tag. This tag is to be consisting solely of the authentication tag. This tag is to be
placed immediately before the optional SRTP MKI and SRTP placed immediately before the optional variable length SRTP MKI and
authentication tag fields. SRTP authentication tag fields.
0 1 2 3 0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
A |V=2|P|X| CC |M| PT | sequence number | A |V=2|P|X| CC |M| PT | sequence number |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
A | timestamp | A | timestamp |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
A | synchronization source (SSRC) identifier | A | synchronization source (SSRC) identifier |
+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ +=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
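Review bot: the paragraph before the figure uses "authentication tag" for two different fields, the AEAD tag that makes up the cipher ("This tag is to be placed ...") and the "SRTP authentication tag" raw-data field it is placed in front of. Writing "This AEAD authentication tag" would remove the ambiguity. In the changed sentence it is also unclear whether "optional variable length" qualifies only the SRTP MKI or both fields; spell out which qualifiers apply to which field. Minor: "cipher" is used where "ciphertext" is meant.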
skipping to change at page 15, line 54 skipping to change at page 15, line 54
When the encryption flag is set to 1, the SRTCP packet is broken into When the encryption flag is set to 1, the SRTCP packet is broken into
plaintext, associated data, and raw (untouched) data (as shown above plaintext, associated data, and raw (untouched) data (as shown above
in figure 5): in figure 5):
Associated Data: The packet version V (2 bits), padding flag P (1 Associated Data: The packet version V (2 bits), padding flag P (1
bit), reception report count RC (5 bits), packet bit), reception report count RC (5 bits), packet
type (8 bits), length (2 octets), SSRC (4 type (8 bits), length (2 octets), SSRC (4
octets), encryption flag (1 bit) and SRTCP index octets), encryption flag (1 bit) and SRTCP index
(31 bits). (31 bits).
Raw Data: The 32-bit optional SRTCP MKI index and 32-bit Raw Data: The optional variable length SRTCP MKI and SRTCP
SRTCP authentication tag (whose use is NOT authentication tag (whose use is NOT
RECOMMENDED). RECOMMENDED).
Plaintext: All other data. Plaintext: All other data.
Note that the plaintext comes in one contiguous field. Since the Note that the plaintext comes in one contiguous field. Since the
AEAD cipher is larger than the plaintext by exactly the length of the AEAD cipher is larger than the plaintext by exactly the length of the
AEAD authentication tag, the corresponding SRTCP encrypted packet AEAD authentication tag, the corresponding SRTCP encrypted packet
replaces the plaintext field with a slightly larger field containing replaces the plaintext field with a slightly larger field containing
the cipher. Even if the plaintext field is empty, AEAD encryption the cipher. Even if the plaintext field is empty, AEAD encryption
must still be performed, with the resulting cipher consisting solely must still be performed, with the resulting cipher consisting solely
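Review bot: in the revised Raw Data entry, "(whose use is NOT RECOMMENDED)" can be read as covering both the SRTCP MKI and the SRTCP authentication tag, whereas Figure 6 attaches that label to the authentication tag row only. Suggest splitting the entry into two items, or rewording to "the SRTCP authentication tag, whose use is NOT RECOMMENDED". The list order (Associated Data, Raw Data, Plaintext) also differs from the order in the introducing sentence (plaintext, associated data, raw data); matching them would make the section easier to scan.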
skipping to change at page 16, line 44 skipping to change at page 16, line 44
A |V=2|P| SC | Packet Type | length | A |V=2|P| SC | Packet Type | length |
+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ +=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
A | SSRC/CSRC_1 | A | SSRC/CSRC_1 |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
A | SDES items : A | SDES items :
+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ +=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
A | ... : A | ... :
+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ +=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
A |0| SRTCP index | A |0| SRTCP index |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
R | SRTCP MKI (optional)index :
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
R : authentication tag (NOT RECOMMENDED) : R : authentication tag (NOT RECOMMENDED) :
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
A = Associated Data (to be authenticated only) A = Associated Data (to be authenticated only)
R = neither encrypted nor authenticated, added after R = neither encrypted nor authenticated, added after
encryption encryption
Figure 6: AEAD SRTCP inputs when encryption flag = 0 Figure 6: AEAD SRTCP inputs when encryption flag = 0
When the encryption flag is set to 0, the SRTCP compound packet is When the encryption flag is set to 0, the SRTCP compound packet is
broken into plaintext, associated data, and raw (untouched) data as broken into plaintext, associated data, and raw (untouched) data as
follows (see figure 6): follows (see figure 6):
Plaintext: None. Plaintext: None.
Raw Data: The variable length optional SRTCP MKI index and Raw Data: The variable length optional SRTCP MKI and SRTCP
SRTCP authentication tag (whose use is NOT authentication tag (whose use is NOT
RECOMMENDED). RECOMMENDED).
Associated Data: All other data. Associated Data: All other data.
Even though there is no plaintext in this RTCP packet, AEAD Even though there is no plaintext in this RTCP packet, AEAD
encryption returns a cipher field which is precisely the length of encryption returns a cipher field which is precisely the length of
the AEAD authentication tag. This cipher is to be placed before the the AEAD authentication tag. This cipher is to be placed before the
Encryption flag and the SRTCP index in the authenticated SRTCP Encryption flag and the SRTCP index in the authenticated SRTCP
packet. packet.
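Review bot: the closing paragraph says "this RTCP packet" while the rest of the hunk says "SRTCP compound packet" and "authenticated SRTCP packet"; use one term throughout. The same paragraph calls the AEAD output a "cipher field" even though, with no plaintext, it consists only of the AEAD authentication tag; naming it as such would avoid confusion with the raw-data "authentication tag (NOT RECOMMENDED)" row in Figure 6. "Encryption flag" is capitalized here and lowercase everywhere else in the hunk.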
skipping to change at page 19, line 26 skipping to change at page 19, line 26
tags), and it MAY support the four other variants shown in table 1. tags), and it MAY support the four other variants shown in table 1.
Below we summarize parameters associated with these four GCM Below we summarize parameters associated with these four GCM
algorithms: algorithms:
+--------------------------------+------------------------------+ +--------------------------------+------------------------------+
| Parameter | Value | | Parameter | Value |
+--------------------------------+------------------------------+ +--------------------------------+------------------------------+
| Master key length | 128 bits | | Master key length | 128 bits |
| Master salt length | 96 bits | | Master salt length | 96 bits |
| Key Derivation Function | AES_CM_PRF [RFC3711] | | Key Derivation Function | AES_CM_PRF [RFC3711] |
| Default key lifetime (SRTP) | 2^48 packets | | Maximum key lifetime (SRTP) | 2^48 packets |
| Default key lifetime (SRTCP) | 2^31 packets | | Maximum key lifetime (SRTCP) | 2^31 packets |
| Cipher (for SRTP and SRTCP) | AEAD_AES_128_GCM_12 | | Cipher (for SRTP and SRTCP) | AEAD_AES_128_GCM_12 |
| AEAD authentication tag length | 96 bits | | AEAD authentication tag length | 96 bits |
+--------------------------------+------------------------------+ +--------------------------------+------------------------------+
Table 2: The AEAD_AES_128_GCM_12 Crypto Suite Table 2: The AEAD_AES_128_GCM_12 Crypto Suite
+--------------------------------+------------------------------+ +--------------------------------+------------------------------+
| Parameter | Value | | Parameter | Value |
+--------------------------------+------------------------------+ +--------------------------------+------------------------------+
| Master key length | 128 bits | | Master key length | 128 bits |
| Master salt length | 96 bits | | Master salt length | 96 bits |
| Key Derivation Function | AES_CM_PRF [RFC3711] | | Key Derivation Function | AES_CM_PRF [RFC3711] |
| Default key lifetime (SRTP) | 2^48 packets | | Maximum key lifetime (SRTP) | 2^48 packets |
| Default key lifetime (SRTCP) | 2^31 packets | | Maximum key lifetime (SRTCP) | 2^31 packets |
| Cipher (for SRTP and SRTCP) | AEAD_AES_128_GCM | | Cipher (for SRTP and SRTCP) | AEAD_AES_128_GCM |
| AEAD authentication tag length | 128 bits | | AEAD authentication tag length | 128 bits |
+--------------------------------+------------------------------+ +--------------------------------+------------------------------+
Table 3: The AEAD_AES_128_GCM Crypto Suite Table 3: The AEAD_AES_128_GCM Crypto Suite
+--------------------------------+------------------------------+ +--------------------------------+------------------------------+
| Parameter | Value | | Parameter | Value |
+--------------------------------+------------------------------+ +--------------------------------+------------------------------+
| Master key length | 256 bits | | Master key length | 256 bits |
| Master salt length | 96 bits | | Master salt length | 96 bits |
| Key Derivation Function | AES_256_CM_PRF [RFC6188] | | Key Derivation Function | AES_256_CM_PRF [RFC6188] |
| Default key lifetime (SRTP) | 2^48 packets | | Maximum key lifetime (SRTP) | 2^48 packets |
| Default key lifetime (SRTCP) | 2^31 packets | | Maximum key lifetime (SRTCP) | 2^31 packets |
| Cipher (for SRTP and SRTCP) | AEAD_AES_256_GCM_12 | | Cipher (for SRTP and SRTCP) | AEAD_AES_256_GCM_12 |
| AEAD authentication tag length | 96 bits | | AEAD authentication tag length | 96 bits |
+--------------------------------+------------------------------+ +--------------------------------+------------------------------+
Table 4: The AEAD_AES_256_GCM_12 Crypto Suite Table 4: The AEAD_AES_256_GCM_12 Crypto Suite
+--------------------------------+------------------------------+ +--------------------------------+------------------------------+
| Parameter | Value | | Parameter | Value |
+--------------------------------+------------------------------+ +--------------------------------+------------------------------+
| Master key length | 256 bits | | Master key length | 256 bits |
| Master salt length | 96 bits | | Master salt length | 96 bits |
| Key Derivation Function | AES_256_CM_PRF [RFC6188] | | Key Derivation Function | AES_256_CM_PRF [RFC6188] |
| Default key lifetime (SRTP) | 2^48 packets | | Maximum key lifetime (SRTP) | 2^48 packets |
| Default key lifetime (SRTCP) | 2^31 packets | | Maximum key lifetime (SRTCP) | 2^31 packets |
| Cipher (for SRTP and SRTCP) | AEAD_AES_256_GCM | | Cipher (for SRTP and SRTCP) | AEAD_AES_256_GCM |
| AEAD authentication tag length | 128 bits | | AEAD authentication tag length | 128 bits |
+--------------------------------+------------------------------+ +--------------------------------+------------------------------+
Table 5: The AEAD_AES_256_GCM Crypto Suite Table 5: The AEAD_AES_256_GCM Crypto Suite
13.2. AES-CCM for SRTP/SRTCP 13.2. AES-CCM for SRTP/SRTCP
AES-CCM is another family of AEAD algorithms built around the AES AES-CCM is another family of AEAD algorithms built around the AES
block cipher algorithm. AES-CCM uses AES counter mode for encryption block cipher algorithm. AES-CCM uses AES counter mode for encryption
and AES Cipher Block Chaining Message Authentication Code (CBC-MAC) and AES Cipher Block Chaining Message Authentication Code (CBC-MAC)
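Review bot: Tables 2 through 5 now call the lifetimes "Maximum" but nothing in the hunk says where the limits come from or what an implementation does on reaching them. The values line up with the index widths given elsewhere in the draft (4-octet ROC plus 2-octet SEQ gives 48 bits, and the SRTCP index is 31 bits), which is presumably the source of 2^48 and 2^31; a one-line note under the tables stating that, and that the key must not be used beyond the limit, would make the rename from "Default" self-explanatory.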
skipping to change at page 25, line 9 skipping to change at page 25, line 9
It should be noted that the cryptographic properties of the GHASH It should be noted that the cryptographic properties of the GHASH
algorithm used in GCM reduces the effective authentication tag size algorithm used in GCM reduces the effective authentication tag size
(in bits) by the log base 2 of the of blocks of encrypted and/or (in bits) by the log base 2 of the of blocks of encrypted and/or
authenticated data in a packet. In practice an SRTP payload will be authenticated data in a packet. In practice an SRTP payload will be
less than 2^16 bytes, because of the 16-bit IPv4 and UDP length less than 2^16 bytes, because of the 16-bit IPv4 and UDP length
fields. The exception to this case is IPv6 jumbograms [RFC2675], fields. The exception to this case is IPv6 jumbograms [RFC2675],
which is unlikely to be used for RTP-based multimedia traffic which is unlikely to be used for RTP-based multimedia traffic
[RFC3711]. This corresponds to 2^12 blocks of data, so the effective [RFC3711]. This corresponds to 2^12 blocks of data, so the effective
GCM authentication tag size is reduced by at most 12 bits. GCM authentication tag size is reduced by at most 12 bits.
+===========+=============+========================================+ +===========+=============+========================================+
| Auth. Tag | Eff. Tag | Number of Forgery Attempts | | Auth. Tag | Eff. Tag | Number of Forgery Attempts |
| Size | Tag Size | Needed to Achieve a Given | | Size | Tag Size | Needed to Achieve a Given |
| (bytes) | (bits) | Probability of Success | | (bytes) | (bits) | Probability of Success |
|-----------+-------------+------------+-------------+-------------| |-----------+-------------+------------+-------------+-------------|
| | prob=2^-30 | prob=2^-20 | prob=2^-10 | | | prob=2^-30 | prob=2^-20 | prob=2^-10 |
|===========+=============+=============+============+=============| |===========+=============+=============+============+=============|
| | 32 (CCM) | 2^2 tries | 2^12 tries | 2^22 tries | | | 32 (CCM) | 2^2 tries | 2^12 tries | 2^22 tries |
| 4 +-------------+------------+-------------+-------------| | 4 +-------------+------------+-------------+-------------|
| | 20 (GCM) | 1 try | 1 try | 2^10 tries | | | 20 (GCM) | 1 try | 1 try | 2^10 tries |
|===========+=============+============+=============+=============| |===========+=============+============+=============+=============|
| | 64 (CCM) | 2^34 tries | 2^44 tries | 2^54 tries | | | 64 (CCM) | 2^34 tries | 2^44 tries | 2^54 tries |
| 8 +-------------+------------+-------------+-------------| | 8 +-------------+------------+-------------+-------------|
| | 52 (GCM) | 2^22 tries | 2^32 tries | 2^42 tries | | | 52 (GCM) | 2^22 tries | 2^32 tries | 2^42 tries |
|===========+=============+============+=============+=============| |===========+=============+============+=============+=============|
| | 96 (CCM) | 2^66 tries | 2^76 tries | 2^86 tries | | | 96 (CCM) | 2^66 tries | 2^76 tries | 2^86 tries |
| 12 +-------------+------------+-------------+-------------| | 12 +-------------+------------+-------------+-------------|
| | 84 (GCM) | 2^54 tries | 2^64 tries | 2^74 tries | | | 84 (GCM) | 2^54 tries | 2^64 tries | 2^74 tries |
|===========+=============+============+=============+=============| |===========+=============+============+=============+=============|
| | 128 (CCM) | 2^86 tries | 2^96 tries | 2^106 tries | | | 128 (CCM) | 2^98 tries | 2^108 tries | 2^118 tries |
| 16 +-------------+------------+-------------+-------------| | 16 +-------------+------------+-------------+-------------|
| | 116 (GCM) | 2^98 tries | 2^108 tries | 2^118 tries | | | 116 (GCM) | 2^86 tries | 2^96 tries | 2^106 tries |
|===========+=============+============+=============+=============| |===========+=============+============+=============+=============|
Table 13: Number of forgery attempts needed to achieve a given Table 13: Number of forgery attempts needed to achieve a given
probability of success for various tag sizes. probability of success for various tag sizes.
15. IANA Considerations 15. IANA Considerations
15.1. SDES 15.1. SDES
SDP Security Descriptions [RFC4568] defines SRTP "crypto suites". A SDP Security Descriptions [RFC4568] defines SRTP "crypto suites". A
crypto suite corresponds to a particular AEAD algorithm in SRTP. In crypto suite corresponds to a particular AEAD algorithm in SRTP. In
order to allow Security Descriptions to signal the use of the order to allow Security Descriptions to signal the use of the
algorithms defined in this document, IANA will register the following algorithms defined in this document, IANA will register the following
crypto suites into the "SRTP Crypto Suite Registrations" subregistry crypto suites into the "SRTP Crypto Suite Registrations" subregistry
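Review bot: the first sentence of this hunk still reads "by the log base 2 of the of blocks" in -14; a word is missing ("of the number of blocks"), and "properties ... reduces" should be "reduce". The Table 13 correction itself is consistent: every row now follows tries = 2^(effective tag bits - k) for a success probability of 2^-k, with a floor of one try, so 128 (CCM) gives 2^98 / 2^108 / 2^118 and 116 (GCM) gives 2^86 / 2^96 / 2^106. The column header reads "Eff. Tag / Tag Size", repeating "Tag"; "Eff. Tag / Size" would match the first column.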
skipping to change at page 26, line 17 skipping to change at page 26, line 17
"AEAD_AES_128_GCM_12" / "AEAD_AES_128_GCM_12" /
"AEAD_AES_256_GCM_12" / "AEAD_AES_256_GCM_12" /
"AEAD_AES_128_CCM" / "AEAD_AES_128_CCM" /
"AEAD_AES_256_CCM" / "AEAD_AES_256_CCM" /
"AEAD_AES_128_CCM_8" / "AEAD_AES_128_CCM_8" /
"AEAD_AES_256_CCM_8" / "AEAD_AES_256_CCM_8" /
"AEAD_AES_128_CCM_12" / "AEAD_AES_128_CCM_12" /
"AEAD_AES_256_CCM_12" / "AEAD_AES_256_CCM_12" /
srtp-crypto-suite-ext srtp-crypto-suite-ext
15.2. DTLS 15.2. DTLS-SRTP
DTLS-SRTP [RFC5764] defines a DTLS-SRTP "SRTP Protection Profile". DTLS-SRTP [RFC5764] defines a DTLS-SRTP "SRTP Protection Profile".
These also correspond to the use of an AEAD algorithm in SRTP. In These also correspond to the use of an AEAD algorithm in SRTP. In
order to allow the use of the algorithms defined in this document in order to allow the use of the algorithms defined in this document in
DTLS-SRTP, we request IANA register the following SRTP Protection DTLS-SRTP, we request IANA register the following SRTP Protection
Profiles: Profiles:
AEAD_AES_128_GCM = {TBD, TBD } AEAD_AES_128_GCM = {TBD, TBD }
AEAD_AES_256_GCM = {TBD, TBD } AEAD_AES_256_GCM = {TBD, TBD }
AEAD_AES_128_GCM_12 = {TBD, TBD } AEAD_AES_128_GCM_12 = {TBD, TBD }
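Review bot: the protection profile values in section 15.2 are still "{TBD, TBD }" in -14, so an implementer cannot negotiate these suites over DTLS-SRTP from this text; add a note to the RFC Editor that the values are to be filled in on IANA assignment. Editorially, "DTLS-SRTP [RFC5764] defines a DTLS-SRTP "SRTP Protection Profile"" repeats the protocol name, and the voice differs from 15.1 ("IANA will register" there, "we request IANA register" here); pick one form for both sections.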
 End of changes. 17 change blocks. 
49 lines changed or deleted 48 lines changed or added

This html diff was produced by rfcdiff 1.41. The latest version is available from http://tools.ietf.org/tools/rfcdiff/