--- 1/draft-ietf-perc-double-01.txt 2016-10-31 15:16:43.773390678 -0700 +++ 2/draft-ietf-perc-double-02.txt 2016-10-31 15:16:43.801391373 -0700 @@ -1,20 +1,20 @@ Network Working Group C. Jennings Internet-Draft P. Jones Intended status: Standards Track Cisco Systems -Expires: January 9, 2017 A. Roach +Expires: May 4, 2017 A. Roach Mozilla - July 8, 2016 + October 31, 2016 SRTP Double Encryption Procedures - draft-ietf-perc-double-01 + draft-ietf-perc-double-02 Abstract In some conferencing scenarios, it is desirable for an intermediary to be able to manipulate some RTP parameters, while still providing strong end-to-end security guarantees. This document defines SRTP procedures that use two separate but related cryptographic contexts to provide "hop-by-hop" and "end-to-end" security guarantees. Both the end-to-end and hop-by-hop cryptographic transforms can utilize an authenticated encryption with associated data scheme or take @@ -28,21 +28,21 @@ Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at http://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." - This Internet-Draft will expire on January 9, 2017. + This Internet-Draft will expire on May 4, 2017. Copyright Notice Copyright (c) 2016 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents @@ -53,33 +53,33 @@ described in the Simplified BSD License. Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3 3. Cryptographic Contexts . . . . . . . . . . . . . . . . . . . 3 4. Original Header Block . . . . . . . . . . . . . . . . . . . . 4 5. RTP Operations . . . . . . . . . . . . . . . . . . . . . . . 5 5.1. Encrypting a Packet . . . . . . . . . . . . . . . . . . . 5 - 5.2. Modifying a Packet . . . . . . . . . . . . . . . . . . . 6 + 5.2. Relaying a Packet . . . . . . . . . . . . . . . . . . . . 6 5.3. Decrypting a Packet . . . . . . . . . . . . . . . . . . . 7 6. RTCP Operations . . . . . . . . . . . . . . . . . . . . . . . 8 7. Recommended Inner and Outer Cryptographic Transforms . . . . 8 8. Security Considerations . . . . . . . . . . . . . . . . . . . 9 9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 10 9.1. RTP Header Extension . . . . . . . . . . . . . . . . . . 10 - 9.2. DTLS-SRTP . . . . . . . . . . . . . . . . . . . . . . . . 11 + 9.2. DTLS-SRTP . . . . . . . . . . . . . . . . . . . . . . . . 10 10. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 11 - 11. References . . . . . . . . . . . . . . . . . . . . . . . . . 12 - 11.1. Normative References . . . . . . . . . . . . . . . . . . 12 + 11. References . . . . . . . . . . . . . . . . . . . . . . . . . 11 + 11.1. Normative References . . . . . . . . . . . . . . . . . . 11 11.2. Informative References . . . . . . . . . . . . . . . . . 12 - Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 13 + Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 12 1. Introduction Cloud conferencing systems that are based on switched conferencing have a central Media Distributor device that receives media from endpoints and distributes it to other endpoints, but does not need to interpret or change the media content. For these systems, it is desirable to have one cryptographic context from the sending endpoint to the receiving endpoint that can encrypt and authenticate the media end-to-end while still allowing certain RTP header information to be @@ -211,21 +211,21 @@ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 +---------------+-------------------------------+ |R| PT | Sequence Number | +---------------+-------------------------------+ If a Media Distributor modifies an original RTP header value, the Media Distributor MUST include the OHB extension to reflect the changed value, setting the X bit in the RTP header to 1 if no header extensions were originally present. If another Media Distributor along the media path makes additional changes to the RTP header and - any original value is not already present in the OHB, the Media + any original value is already present in the OHB, the Media Distributor must extend the OHB by adding the changed value to the OHB. To properly preserve original RTP header values, a Media Distributor MUST NOT change a value already present in the OHB extension. 5. RTP Operations 5.1. Encrypting a Packet To encrypt a packet, the endpoint encrypts the packet using the inner @@ -247,21 +247,21 @@ extensions. The OHB MUST replicate the information found in the RTP header following the application of the inner cryptographic transform. If not already set, the endpoint MUST set the X bit in the RTP header to 1 when introducing the OHB extension. o Apply the outer cryptographic transform to the RTP packet. If encrypting RTP header extensions hop-by-hop, then [RFC6904] MUST be used when encrypting the RTP packet using the outer cryptographic context. -5.2. Modifying a Packet +5.2. Relaying a Packet The Media Distributor does not have a notion of outer or inner cryptographic contexts. Rather, the Media Distributor has a single cryptographic context. The cryptographic transform and key used to decrypt a packet and any encrypted RTP header extensions would be the same as those used in the endpoint's outer cryptographic context. In order to modify a packet, the Media Distributor decrypts the packet, modifies the packet, updates the OHB with any modifications not already present in the OHB, and re-encrypts the packet using the @@ -301,23 +301,23 @@ a demarcation point between original RTP header extensions introduced by the endpoint and those introduced by a Media Distributor. o The Media Distributor MAY modify any header extension appearing after the OHB, but MUST NOT modify header extensions that are present before the OHB. o Apply the cryptographic transform to the packet. If the RTP Sequence Number has been modified, SRTP processing happens as - defined in SRTP and which will end up using the new Sequence - Number. If encrypting RTP header extensions hop-by-hop, then - [RFC6904] MUST be used. + defined in SRTP and will end up using the new Sequence Number. If + encrypting RTP header extensions hop-by-hop, then [RFC6904] MUST + be used. 5.3. Decrypting a Packet To decrypt a packet, the endpoint first decrypts and verifies using the outer cryptographic context, then uses the OHB to reconstruct the original packet, which it decrypts and verifies with the inner cryptographic context. o Apply the outer cryptographic transform to the packet. If the integrity check does not pass, discard the packet. The result of @@ -331,46 +331,46 @@ values from OHB (if present). * Insert all header extensions up to the OHB extension, but exclude the OHB and any header extensions that follow the OHB. If there are no extensions remaining, then the X bit MUST bet set to 0. If there are extensions remaining, then the remaining extensions MUST be padded to the first 32-bit boundary and the overall length of the header extensions adjusted accordingly. - * Payload is the original encrypted payload. + * Payload is the encrypted payload from the outer SRTP packet. o Apply the inner cryptographic transform to this synthetic SRTP packet. Note if the RTP Sequence Number was changed by the Media - Distributor, the syntetic packet has the original Sequence Number. - If the integrity check does not pass, discard the packet. If - decrypting RTP header extensions end-to-end, then [RFC6904] MUST - be used when decrypting the RTP packet using the inner + Distributor, the synthetic packet has the original Sequence + Number. If the integrity check does not pass, discard the packet. + If decrypting RTP header extensions end-to-end, then [RFC6904] + MUST be used when decrypting the RTP packet using the inner cryptographic context. - Once the packet has successfully decrypted, the application needs to - be careful about which information it uses to get the correct - behavior. The application MUST use only the information found in the - synthetic SRTP packet and MUST NOT use the other data that was in the - outer SRTP packet with the following exceptions: + Once the packet has been successfully decrypted, the application + needs to be careful about which information it uses to get the + correct behavior. The application MUST use only the information + found in the synthetic SRTP packet and MUST NOT use the other data + that was in the outer SRTP packet with the following exceptions: o The PT from the outer SRTP packet is used for normal matching to SDP and codec selection. o The sequence number from the outer SRTP packet is used for normal RTP ordering. If any of the following RTP headers extensions are found in the outer SRTP packet, they MAY be used: - o TBD + o Mixer-to-client audio level indicators (See [RFC6465]) 6. RTCP Operations Unlike RTP, which is encrypted both hop-by-hop and end-to-end using two separate cryptographic contexts, RTCP is encrypted using only the outer (HBH) cryptographic context. The procedures for RTCP encryption are specified in [RFC3711] and this document introduces no additional steps. 7. Recommended Inner and Outer Cryptographic Transforms @@ -398,30 +398,20 @@ encrypted by the E2E. The AES-GCM cryptographic transform introduces an additional 16 octets to the length of the packet. When using AES-GCM for both the inner and outer cryptographic transforms, the total additional length is 32 octets. If no other header extensions are present in the packet and the OHB is introduced, that will consume an additional 8 octets. If other extensions are already present, the OHB will consume up to 4 additional octets. - Open Issue: For an audio confernce using opus in a narrowband - configuration at TBD kbps with 20 ms packetizaton, the total - bandwidth of the RTP would change from TBD to TBD. Do we want to - consider having some AES-GCM transfroms with reduced length - authentication tags for the HBH. Since the actual authentication is - provided by the E2E check, and tampering with the the HBH can only - result in the wrong packet being selected as the loudest speaker, it - might be desirable to have 64 bits or even less of securiyt for the - HBH portion of the authentication. - 8. Security Considerations To summarize what is encrypted and authenticated, we will refer to all the RTP fields and headers created by the sender and before the pay load as the initial envelope and the RTP payload information with the media as the payload. Any additional headers added by the Media Distributor are referred to as the extra envelope. The sender uses the E2E key to encrypts the payload and authenticate the payload + initial envelope which using an AEAD cipher results in a slight longer new payload. Then the sender uses the HBH key to encrypt the @@ -429,30 +419,30 @@ The Media Distributor has the HBH key so it can check the authentication of the received packet across the initial envelope and payload data but it can't decrypt the payload as it does not have the E2E key. It can add extra envelope information. It then authenticates the initial plus extra envelope information plus payload with a HBH key. This HBH for the outgoing packet is typically different than the HBH key for the incoming packet. The receiver can check the authentication of the initial and extra - envelope information. This, along with the OBH, i used to construct - a synthetic packet that is should be identital to one the sender + envelope information. This, along with the OBH, is used to construct + a synthetic packet that is should be identical to one the sender created and the receiver can check that it is identical and then decrypt the original payload. The end result is that if the authentications succeed, the receiver knows exactly what the original sender sent, as well as exactly which modifications were made by the Media Distributor. - It is obviously critical that the intermediary have only the outer + It is obviously critical that the intermediary has only the outer transform parameters and not the inner transform parameters. We rely on an external key management protocol to assure this property. Modifications by the intermediary result in the recipient getting two values for changed parameters (original and modified). The recipient will have to choose which to use; there is risk in using either that depends on the session setup. The security properties for both the inner and outer key holders are the same as the security properties of classic SRTP. @@ -521,69 +511,73 @@ 10. Acknowledgments Many thanks to review from Suhas Nandakumar, David Benham, Magnus Westerlund and significant text from Richard Barnes. 11. References 11.1. Normative References [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate - Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/ - RFC2119, March 1997, + Requirement Levels", BCP 14, RFC 2119, + DOI 10.17487/RFC2119, March 1997, . [RFC3711] Baugher, M., McGrew, D., Naslund, M., Carrara, E., and K. Norrman, "The Secure Real-time Transport Protocol (SRTP)", RFC 3711, DOI 10.17487/RFC3711, March 2004, . [RFC5285] Singer, D. and H. Desineni, "A General Mechanism for RTP Header Extensions", RFC 5285, DOI 10.17487/RFC5285, July 2008, . [RFC5764] McGrew, D. and E. Rescorla, "Datagram Transport Layer Security (DTLS) Extension to Establish Keys for the Secure - Real-time Transport Protocol (SRTP)", RFC 5764, DOI - 10.17487/RFC5764, May 2010, + Real-time Transport Protocol (SRTP)", RFC 5764, + DOI 10.17487/RFC5764, May 2010, . [RFC6904] Lennox, J., "Encryption of Header Extensions in the Secure - Real-time Transport Protocol (SRTP)", RFC 6904, DOI - 10.17487/RFC6904, April 2013, + Real-time Transport Protocol (SRTP)", RFC 6904, + DOI 10.17487/RFC6904, April 2013, . [RFC7714] McGrew, D. and K. Igoe, "AES-GCM Authenticated Encryption - in the Secure Real-time Transport Protocol (SRTP)", RFC - 7714, DOI 10.17487/RFC7714, December 2015, + in the Secure Real-time Transport Protocol (SRTP)", + RFC 7714, DOI 10.17487/RFC7714, December 2015, . 11.2. Informative References [I-D.jones-perc-dtls-tunnel] - Jones, P., "DTLS Tunnel between Media Distribution Device - and Key Management Function to Facilitate Key Exchange", - draft-jones-perc-dtls-tunnel-02 (work in progress), March - 2016. + Jones, P., "A DTLS Tunnel between Media Distributor and + Key Distributor to Facilitate Key Exchange", draft-jones- + perc-dtls-tunnel-03 (work in progress), July 2016. [I-D.jones-perc-private-media-framework] Jones, P. and D. Benham, "A Solution Framework for Private Media in Privacy Enhanced RTP Conferencing", draft-jones- perc-private-media-framework-02 (work in progress), March 2016. + [RFC6465] Ivov, E., Ed., Marocco, E., Ed., and J. Lennox, "A Real- + time Transport Protocol (RTP) Header Extension for Mixer- + to-Client Audio Level Indication", RFC 6465, + DOI 10.17487/RFC6465, December 2011, + . + Authors' Addresses Cullen Jennings Cisco Systems Email: fluffy@iii.ca - Paul E. Jones Cisco Systems Email: paulej@packetizer.com Adam Roach Mozilla Email: adam@nostrum.com