draft-ietf-perc-double-04.txt   draft-ietf-perc-double-05.txt 
Network Working Group C. Jennings Network Working Group C. Jennings
Internet-Draft P. Jones Internet-Draft P. Jones
Intended status: Standards Track Cisco Systems Intended status: Standards Track Cisco Systems
Expires: October 30, 2017 A. Roach Expires: December 31, 2017 A. Roach
Mozilla Mozilla
April 28, 2017 June 29, 2017
SRTP Double Encryption Procedures SRTP Double Encryption Procedures
draft-ietf-perc-double-04 draft-ietf-perc-double-05
Abstract Abstract
In some conferencing scenarios, it is desirable for an intermediary In some conferencing scenarios, it is desirable for an intermediary
to be able to manipulate some RTP parameters, while still providing to be able to manipulate some RTP parameters, while still providing
strong end-to-end security guarantees. This document defines SRTP strong end-to-end security guarantees. This document defines SRTP
procedures that use two separate but related cryptographic contexts procedures that use two separate but related cryptographic operations
to provide "hop-by-hop" and "end-to-end" security guarantees. Both to provide hop-by-hop and end-to-end security guarantees. Both the
the end-to-end and hop-by-hop cryptographic transforms can utilize an end-to-end and hop-by-hop cryptographic algorithms can utilize an
authenticated encryption with associated data scheme or take authenticated encryption with associated data scheme or take
advantage of future SRTP transforms with different properties. advantage of future SRTP transforms with different properties.
Status of This Memo Status of This Memo
This Internet-Draft is submitted in full conformance with the This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79. provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on October 30, 2017. This Internet-Draft will expire on December 31, 2017.
Copyright Notice Copyright Notice
Copyright (c) 2017 IETF Trust and the persons identified as the Copyright (c) 2017 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License. described in the Simplified BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3
3. Cryptographic Contexts . . . . . . . . . . . . . . . . . . . 3 3. Cryptographic Context . . . . . . . . . . . . . . . . . . . . 3
4. Original Header Block . . . . . . . . . . . . . . . . . . . . 4 4. Original Header Block . . . . . . . . . . . . . . . . . . . . 4
5. RTP Operations . . . . . . . . . . . . . . . . . . . . . . . 5 5. RTP Operations . . . . . . . . . . . . . . . . . . . . . . . 6
5.1. Encrypting a Packet . . . . . . . . . . . . . . . . . . . 6 5.1. Encrypting a Packet . . . . . . . . . . . . . . . . . . . 6
5.2. Relaying a Packet . . . . . . . . . . . . . . . . . . . . 6 5.2. Relaying a Packet . . . . . . . . . . . . . . . . . . . . 6
5.3. Decrypting a Packet . . . . . . . . . . . . . . . . . . . 8 5.3. Decrypting a Packet . . . . . . . . . . . . . . . . . . . 8
6. RTCP Operations . . . . . . . . . . . . . . . . . . . . . . . 9 6. RTCP Operations . . . . . . . . . . . . . . . . . . . . . . . 9
7. Recommended Inner and Outer Cryptographic Transforms . . . . 9 7. Use with Other RTP Mechanisms . . . . . . . . . . . . . . . . 9
8. Security Considerations . . . . . . . . . . . . . . . . . . . 10 7.1. RTX . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 10 7.2. DTMF . . . . . . . . . . . . . . . . . . . . . . . . . . 9
9.1. RTP Header Extension . . . . . . . . . . . . . . . . . . 11 7.3. FEC . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
9.2. DTLS-SRTP . . . . . . . . . . . . . . . . . . . . . . . . 11 8. Recommended Inner and Outer Cryptographic Algorithms . . . . 10
10. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 12 9. Security Considerations . . . . . . . . . . . . . . . . . . . 10
11. References . . . . . . . . . . . . . . . . . . . . . . . . . 12 10. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 11
11.1. Normative References . . . . . . . . . . . . . . . . . . 12 10.1. RTP Header Extension . . . . . . . . . . . . . . . . . . 11
11.2. Informative References . . . . . . . . . . . . . . . . . 13 10.2. DTLS-SRTP . . . . . . . . . . . . . . . . . . . . . . . 12
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 14 11. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 13
12. References . . . . . . . . . . . . . . . . . . . . . . . . . 13
12.1. Normative References . . . . . . . . . . . . . . . . . . 13
12.2. Informative References . . . . . . . . . . . . . . . . . 14
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 15
1. Introduction 1. Introduction
Cloud conferencing systems that are based on switched conferencing Cloud conferencing systems that are based on switched conferencing
have a central Media Distributor device that receives media from have a central Media Distributor device that receives media from
endpoints and distributes it to other endpoints, but does not need to endpoints and distributes it to other endpoints, but does not need to
interpret or change the media content. For these systems, it is interpret or change the media content. For these systems, it is
desirable to have one cryptographic context from the sending endpoint desirable to have one cryptographic key from the sending endpoint to
to the receiving endpoint that can encrypt and authenticate the media the receiving endpoint that can encrypt and authenticate the media
end-to-end while still allowing certain RTP header information to be end-to-end while still allowing certain RTP header information to be
changed by the Media Distributor. At the same time, a separate changed by the Media Distributor. At the same time, a separate
cryptographic context provides integrity and optional confidentiality cryptographic key provides integrity and optional confidentiality for
for the media flowing between the Media Distributor and the the media flowing between the Media Distributor and the endpoints.
endpoints. See the framework document that describes this concept in See the framework document that describes this concept in more detail
more detail in more detail in in more detail in [I-D.ietf-perc-private-media-framework].
[I-D.ietf-perc-private-media-framework].
This specification defines an SRTP transform that uses the AES-GCM This specification defines an SRTP transform that uses the AES-GCM
transform [RFC7714] to encrypt an RTP packet for the end-to-end algorithm [RFC7714] to provide encryption and integrity for an RTP
cryptographic context. The output of this is treated as an RTP packet for the end-to-end cryptographic key as well as a hop-by-hop
packet and again encrypted with an SRTP transform used in the hop-by- cryptographic encryption and integrity between the endpoint and the
hop cryptographic context between the endpoint and the Media Media Distributor. The Media Distributor decrypts and checks
Distributor. The Media Distributor decrypts and checks integrity of integrity of the hop-by-hop security. The Media Distributor MAY
the hop-by-hop security. The Media Distributor MAY change some of change some of the RTP header information that would impact the end-
the RTP header information that would impact the end-to-end to-end integrity. The original value of any RTP header field that is
integrity. The original value of any RTP header field that is
changed is included in a new RTP header extension called the Original changed is included in a new RTP header extension called the Original
Header Block. The new RTP packet is encrypted with the hop-by-hop Header Block. The new RTP packet is encrypted with the hop-by-hop
cryptographic transform before it is sent. The receiving endpoint cryptographic algorithm before it is sent. The receiving endpoint
decrypts and checks integrity using the hop-by-hop cryptographic decrypts and checks integrity using the hop-by-hop cryptographic
transform and then replaces any parameters the Media Distributor algorithm and then replaces any parameters the Media Distributor
changed using the information in the Original Header Block before changed using the information in the Original Header Block before
decrypting and checking the end-to-end integrity. decrypting and checking the end-to-end integrity.
One can think of the double as a normal SRTP transform as encrypting One can think of the double as a normal SRTP transform for encrypting
the RTP in a way where things that only know half of the key, can the RTP in a way where things that only know half of the key, can
decrypt and modify part of the RTP packet but not other parts of if decrypt and modify part of the RTP packet but not other parts of if
including the media payload. including the media payload.
2. Terminology 2. Terminology
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119]. document are to be interpreted as described in [RFC2119].
Terms used throughout this document include: Terms used throughout this document include:
o Media Distributor: media distribution device that routes media o Media Distributor: media distribution device that routes media
from one endpoint to other endpoints from one endpoint to other endpoints
o E2E: end-to-end, meaning the link from one endpoint through one or o end-to-end: meaning the link from one endpoint through one or more
more Media Distributors to the endpoint at the other end. Media Distributors to the endpoint at the other end.
o HBH: hop-by-hop, meaning the link from the endpoint to or from the o hop-by-hop: meaning the link from the endpoint to or from the
Media Distributor. Media Distributor.
o OHB: Original Header Block is an RTP header extension that o OHB: Original Header Block is an RTP header extension that
contains the original values from the RTP header that might have contains the original values from the RTP header that might have
been changed by a Media Distributor. been changed by a Media Distributor.
3. Cryptographic Contexts 3. Cryptographic Context
This specification uses two cryptographic contexts: an inner ("end- This specification uses a cryptographic context with two parts: an
to-end") context that is used by endpoints that originate and consume inner (end-to-end) part that is used by endpoints that originate and
media to ensure the integrity of media end-to-end, and an outer consume media to ensure the integrity of media end-to-end, and an
("hop-by-hop") context that is used between endpoints and Media outer (hop-by-hop) part that is used between endpoints and Media
Distributors to ensure the integrity of media over a single hop and Distributors to ensure the integrity of media over a single hop and
to enable a Media Distributor to modify certain RTP header fields. to enable a Media Distributor to modify certain RTP header fields.
RTCP is also encrypted using the hop-by-hop cryptographic context. RTCP is also handled using the hop-by-hop cryptographic part. The
RECOMMENDED cipher for the hop-by-hop and end-to-end algorithm is
The RECOMMENDED cipher for the hop-by-hop and end-to-end contexts is
AES-GCM. Other combinations of SRTP ciphers that support the AES-GCM. Other combinations of SRTP ciphers that support the
procedures in this document can be added to the IANA registry. procedures in this document can be added to the IANA registry.
The keys and salt for these contexts are generated with the following The keys and salt for these algorithms are generated with the
steps: following steps:
o Generate key and salt values of the length required for the o Generate key and salt values of the length required for the
combined inner (end-to-end) and outer (hop-by-hop) transforms. combined inner (end-to-end) and outer (hop-by-hop) algorithms.
o Assign the key and salt values generated for the inner (end-to- o Assign the key and salt values generated for the inner (end-to-
end) transform to the first half of the key and salt for the end) algorithm to the first half of the key and salt for the
double transform. double algorithm.
o Assign the key and salt values for the outer (hop-by-hop) o Assign the key and salt values for the outer (hop-by-hop)
transform to the second half of the key and salt for the double algorithm to the second half of the key and salt for the double
transform. algorithm. The first half of the key is revered to as the inner
key while the second out half is referred to as the outer key.
When a key is used by a cryptographic algorithm, the salt used is
the part of the salt generated with that key.
Obviously, if the Media Distributor is to be able to modify header Obviously, if the Media Distributor is to be able to modify header
fields but not decrypt the payload, then it must have cryptographic fields but not decrypt the payload, then it must have cryptographic
context for the outer transform, but not the inner transform. This key for the outer algorithm, but not the inner (end-to-end)
document does not define how the Media Distributor should be algorithm. This document does not define how the Media Distributor
provisioned with this information. One possible way to provide should be provisioned with this information. One possible way to
keying material for the outer ("hop-by-hop") transform is to use provide keying material for the outer (hop-by-hop) algorithm is to
[I-D.ietf-perc-dtls-tunnel]. use [I-D.ietf-perc-dtls-tunnel].
4. Original Header Block 4. Original Header Block
Any SRTP packet processed following these procedures MAY contain an Any SRTP packet processed following these procedures MAY contain an
Original Header Block (OHB) RTP header extension. Original Header Block (OHB) RTP header extension.
The OHB contains the original values of any modified header fields The OHB contains the original values of any modified header fields
and MUST be placed after any already-existing RTP header extensions. and MUST be placed after any already-existing RTP header extensions.
Placement of the OHB after any original header extensions is Placement of the OHB after any original header extensions is
important so that the receiving endpoint can properly authenticate important so that the receiving endpoint can properly authenticate
skipping to change at page 6, line 4 skipping to change at page 6, line 8
changed value, setting the X bit in the RTP header to 1 if no header changed value, setting the X bit in the RTP header to 1 if no header
extensions were originally present. If another Media Distributor extensions were originally present. If another Media Distributor
along the media path makes additional changes to the RTP header and along the media path makes additional changes to the RTP header and
any original value is already present in the OHB, the Media any original value is already present in the OHB, the Media
Distributor must extend the OHB by adding the changed value to the Distributor must extend the OHB by adding the changed value to the
OHB. To properly preserve original RTP header values, a Media OHB. To properly preserve original RTP header values, a Media
Distributor MUST NOT change a value already present in the OHB Distributor MUST NOT change a value already present in the OHB
extension. extension.
5. RTP Operations 5. RTP Operations
5.1. Encrypting a Packet 5.1. Encrypting a Packet
To encrypt a packet, the endpoint encrypts the packet using the inner To encrypt a packet, the endpoint encrypts the packet using the inner
cryptographic context and then encrypts using the outer cryptographic (end-to-end) cryptographic key and then encrypts using the outer
context. The processes is as follows: (hop-by-hop) cryptographic key. The processes is as follows:
o Form an RTP packet. If there are any header extensions, they MUST o Form an RTP packet. If there are any header extensions, they MUST
use [RFC5285]. use [RFC5285].
o Apply the inner cryptographic transform to the RTP packet. If
encrypting RTP header extensions end-to-end, then [RFC6904] MUST
be used when encrypting the RTP packet using the inner
cryptographic context.
o If the endpoint wishes to insert header extensions that can be o If the endpoint wishes to insert header extensions that can be
modified by an Media Distributor, it MUST insert an OHB header modified by an Media Distributor, it MUST insert an OHB header
extension at the end of any header extensions protected end-to-end extension at the end of any header extensions protected end-to-end
(if any), then add any Media Distributor-modifiable header (if any), then add any Media Distributor-modifiable header
extensions. In other cases, the endpoint SHOULD still insert an extensions. In other cases, the endpoint SHOULD still insert an
OHB header extension. The OHB MUST replicate the information OHB header extension. The OHB MUST replicate the information
found in the RTP header following the application of the inner found in the RTP header following the application of the inner
cryptographic transform. If not already set, the endpoint MUST cryptographic algorithm. If not already set, the endpoint MUST
set the X bit in the RTP header to 1 when introducing the OHB set the X bit in the RTP header to 1 when introducing the OHB
extension. extension.
o Apply the outer cryptographic transform to the RTP packet. If o Apply the inner cryptographic algorithm to the RTP packet. If
encrypting RTP header extensions end-to-end, then [RFC6904] MUST
be used when encrypting the RTP packet using the inner
cryptographic key.
o Apply the outer cryptographic algorithm to the RTP packet. If
encrypting RTP header extensions hop-by-hop, then [RFC6904] MUST encrypting RTP header extensions hop-by-hop, then [RFC6904] MUST
be used when encrypting the RTP packet using the outer be used when encrypting the RTP packet using the outer
cryptographic context. cryptographic key.
When using EKT [I-D.ietf-perc-srtp-ekt-diet], the EKT Field comes When using EKT [I-D.ietf-perc-srtp-ekt-diet], the EKT Field comes
after the SRTP packet exactly like using EKT with any other SRTP after the SRTP packet exactly like using EKT with any other SRTP
transform. transform.
5.2. Relaying a Packet 5.2. Relaying a Packet
The Media Distributor does not have a notion of outer or inner The Media Distributor does has the part of the key for the outer
cryptographic contexts. Rather, the Media Distributor has a single (hop-by-hop) but does not have the part of the key for the (end-to-
cryptographic context. The cryptographic transform and key used to end) cryptographic algorithm. The cryptographic algorithm and key
decrypt a packet and any encrypted RTP header extensions would be the used to decrypt a packet and any encrypted RTP header extensions
same as those used in the endpoint's outer cryptographic context. would be the same as those used in the endpoint's outer algorithm and
key.
In order to modify a packet, the Media Distributor decrypts the In order to modify a packet, the Media Distributor decrypts the
packet, modifies the packet, updates the OHB with any modifications packet, modifies the packet, updates the OHB with any modifications
not already present in the OHB, and re-encrypts the packet using the not already present in the OHB, and re-encrypts the packet using the
cryptographic context used for next hop. cryptographic using the outer (hop-by-hop) key.
o Apply the cryptographic transform to the packet. If decrypting o Apply the outer (bop-by-hop) cryptographic algorithm to decrypt
RTP header extensions hop-by-hop, then [RFC6904] MUST be used. the packet. If decrypting RTP header extensions hop-by-hop, then
[RFC6904] MUST be used.
o Change any required parameters o Change any parts of the RTP packet that the relay wishes to change
and are allowed to be changed.
o If a changed RTP header field is not already in the OHB, add it o If a changed RTP header field is not already in the OHB, add it
with its original value to the OHB. A Media Distributor can add with its original value to the OHB. A Media Distributor can add
information to the OHB, but MUST NOT change existing information information to the OHB, but MUST NOT change existing information
in the OHB. in the OHB.
o If the Media Distributor resets a parameter to its original value, o If the Media Distributor resets a parameter to its original value,
it MAY drop it from the OHB as long as there are no other header it MAY drop it from the OHB as long as there are no other header
extensions following the OHB. Note that this might result in a extensions following the OHB. Note that this might result in a
decrease in the size of the OHB. It is also possible for the decrease in the size of the OHB. It is also possible for the
skipping to change at page 7, line 44 skipping to change at page 7, line 51
OHB merely replicates the original header field values, and OHB merely replicates the original header field values, and
append the new extensions following the OHB. The OHB serves as append the new extensions following the OHB. The OHB serves as
a demarcation point between original RTP header extensions a demarcation point between original RTP header extensions
introduced by the endpoint and those introduced by a Media introduced by the endpoint and those introduced by a Media
Distributor. Distributor.
o The Media Distributor MAY modify any header extension appearing o The Media Distributor MAY modify any header extension appearing
after the OHB, but MUST NOT modify header extensions that are after the OHB, but MUST NOT modify header extensions that are
present before the OHB. present before the OHB.
o Apply the cryptographic transform to the packet. If the RTP o Apply the outer (hop-by-hop) cryptographic algorithm to the
Sequence Number has been modified, SRTP processing happens as packet. If the RTP Sequence Number has been modified, SRTP
defined in SRTP and will end up using the new Sequence Number. If processing happens as defined in SRTP and will end up using the
encrypting RTP header extensions hop-by-hop, then [RFC6904] MUST new Sequence Number. If encrypting RTP header extensions hop-by-
be used. hop, then [RFC6904] MUST be used.
5.3. Decrypting a Packet 5.3. Decrypting a Packet
To decrypt a packet, the endpoint first decrypts and verifies using To decrypt a packet, the endpoint first decrypts and verifies using
the outer cryptographic context, then uses the OHB to reconstruct the the outer (hop-by-hop) cryptographic key, then uses the OHB to
original packet, which it decrypts and verifies with the inner reconstruct the original packet, which it decrypts and verifies with
cryptographic context. the inner (end-to-end) cryptographic key.
o Apply the outer cryptographic transform to the packet. If the o Apply the outer cryptographic algorithm to the packet. If the
integrity check does not pass, discard the packet. The result of integrity check does not pass, discard the packet. The result of
this is referred to as the outer SRTP packet. If decrypting RTP this is referred to as the outer SRTP packet. If decrypting RTP
header extensions hop-by-hop, then [RFC6904] MUST be used when header extensions hop-by-hop, then [RFC6904] MUST be used when
decrypting the RTP packet using the outer cryptographic context. decrypting the RTP packet using the outer cryptographic key.
o Form a new synthetic SRTP packet with: o Form a new synthetic SRTP packet with:
* Header = Received header, with header fields replaced with * Header = Received header, with header fields replaced with
values from OHB (if present). values from OHB (if present).
* Insert all header extensions up to the OHB extension, but * Insert all header extensions up to the OHB extension, but
exclude the OHB and any header extensions that follow the OHB. exclude the OHB and any header extensions that follow the OHB.
If there are no extensions remaining, then the X bit MUST bet If there are no extensions remaining, then the X bit MUST bet
set to 0. If there are extensions remaining, then the set to 0. If there are extensions remaining, then the
remaining extensions MUST be padded to the first 32-bit remaining extensions MUST be padded to the first 32-bit
boundary and the overall length of the header extensions boundary and the overall length of the header extensions
adjusted accordingly. adjusted accordingly.
* Payload is the encrypted payload from the outer SRTP packet. * Payload is the encrypted payload from the outer SRTP packet.
o Apply the inner cryptographic transform to this synthetic SRTP o Apply the inner cryptographic algorithm to this synthetic SRTP
packet. Note if the RTP Sequence Number was changed by the Media packet. Note if the RTP Sequence Number was changed by the Media
Distributor, the synthetic packet has the original Sequence Distributor, the synthetic packet has the original Sequence
Number. If the integrity check does not pass, discard the packet. Number. If the integrity check does not pass, discard the packet.
If decrypting RTP header extensions end-to-end, then [RFC6904] If decrypting RTP header extensions end-to-end, then [RFC6904]
MUST be used when decrypting the RTP packet using the inner MUST be used when decrypting the RTP packet using the inner
cryptographic context. cryptographic key.
Once the packet has been successfully decrypted, the application Once the packet has been successfully decrypted, the application
needs to be careful about which information it uses to get the needs to be careful about which information it uses to get the
correct behavior. The application MUST use only the information correct behaviour. The application MUST use only the information
found in the synthetic SRTP packet and MUST NOT use the other data found in the synthetic SRTP packet and MUST NOT use the other data
that was in the outer SRTP packet with the following exceptions: that was in the outer SRTP packet with the following exceptions:
o The PT from the outer SRTP packet is used for normal matching to o The PT from the outer SRTP packet is used for normal matching to
SDP and codec selection. SDP and codec selection.
o The sequence number from the outer SRTP packet is used for normal o The sequence number from the outer SRTP packet is used for normal
RTP ordering. RTP ordering.
The PT and sequence number from the inner SRTP packet can be used for The PT and sequence number from the inner SRTP packet can be used for
collection of various statistics. collection of various statistics.
If any of the following RTP headers extensions are found in the outer If any of the following RTP headers extensions are found in the outer
SRTP packet, they MAY be used: SRTP packet, they MAY be used:
o Mixer-to-client audio level indicators (See [RFC6465]) o Mixer-to-client audio level indicators (See [RFC6465])
6. RTCP Operations 6. RTCP Operations
Unlike RTP, which is encrypted both hop-by-hop and end-to-end using Unlike RTP, which is encrypted both hop-by-hop and end-to-end using
two separate cryptographic contexts, RTCP is encrypted using only the two separate cryptographic key, RTCP is encrypted using only the
outer (HBH) cryptographic context. The procedures for RTCP outer (hop-by-hop) cryptographic key. The procedures for RTCP
encryption are specified in [RFC3711] and this document introduces no encryption are specified in [RFC3711] and this document introduces no
additional steps. additional steps.
7. Recommended Inner and Outer Cryptographic Transforms 7. Use with Other RTP Mechanisms
There are some RTP related extensions that need special consideration
to be used by a relay when using the double transform due to the end-
to-end protection of the RTP.
7.1. RTX
RTX [RFC4588] is not useable by the relay for hop-by-hop repair.
Some modification or extension would be need to be made to RTX before
it could be used in this way. The problem in using RTX is that the
relay would need to be able to read the first two byes of the payload
of the retransmissions packet which contain the original sequence
number. However, this data is end-to-end encrypted so the relay can
not read it.
7.2. DTMF
When DTMF is sent with [RFC4733], it is end-to-end encrypted and the
relay can not read it so it can not be used to controll the relay.
Other out of band methods to controll the relay can be used instead.
7.3. FEC
The algorithms recommended in [I-D.ietf-rtcweb-fec] for audio work
with no additional considerations.
The algorithm recommend in [I-D.ietf-rtcweb-fec] for video is Flex
FEC [I-D.ietf-payload-flexible-fec-scheme].
Open Issue: The WG is currently considering how to handle Flex FEC.
The main issue of concern is that the FEC Header, which is needed for
repair, is part of the RTP payload. Flex FEC and be done before or
after the SRTP process with the order controlled by signalling.
[I-D.ietf-rtcweb-fec] recommends not using additional FEC only m-line
in SDP for the repair packets.
8. Recommended Inner and Outer Cryptographic Algorithms
This specification recommends and defines AES-GCM as both the inner This specification recommends and defines AES-GCM as both the inner
and outer cryptographic transforms, identified as and outer cryptographic algorithms, identified as
DOUBLE_AEAD_AES_128_GCM_AEAD_AES_128_GCM and DOUBLE_AEAD_AES_128_GCM_AEAD_AES_128_GCM and
DOUBLE_AEAD_AES_256_GCM_AEAD_AES_256_GCM. These transforms provide DOUBLE_AEAD_AES_256_GCM_AEAD_AES_256_GCM. These algorithm provide
for authenticated encryption and will consume additional processing for authenticated encryption and will consume additional processing
time double-encrypting for HBH and E2E. However, the approach is time double-encrypting for hop-by-hop and end-to-end. However, the
secure and simple, and is thus viewed as an acceptable trade-off in approach is secure and simple, and is thus viewed as an acceptable
processing efficiency. trade-off in processing efficiency.
Note that names for the cryptographic transforms are of the form Note that names for the cryptographic transforms are of the form
DOUBLE_(inner transform)_(outer transform). DOUBLE_(inner algorithm)_(outer algorithm).
While this document only defines a profile based on AES-GCM, it is While this document only defines a profile based on AES-GCM, it is
possible for future documents to define further profiles with possible for future documents to define further profiles with
different inner and outer transforms in this same framework. For different inner and outer crypto in this same framework. For
example, if a new SRTP transform was defined that encrypts some or example, if a new SRTP transform was defined that encrypts some or
all of the RTP header, it would be reasonable for systems to have the all of the RTP header, it would be reasonable for systems to have the
option of using that for the outer transform. Similarly, if a new option of using that for the outer algorithm. Similarly, if a new
transform was defined that provided only integrity, that would also transform was defined that provided only integrity, that would also
be reasonable to use for the HBH as the payload data is already be reasonable to use for the hop-by-hop as the payload data is
encrypted by the E2E. already encrypted by the end-to-end.
The AES-GCM cryptographic transform introduces an additional 16 The AES-GCM cryptographic algorithm introduces an additional 16
octets to the length of the packet. When using AES-GCM for both the octets to the length of the packet. When using AES-GCM for both the
inner and outer cryptographic transforms, the total additional length inner and outer cryptographic algorithms, the total additional length
is 32 octets. If no other header extensions are present in the is 32 octets. If no other header extensions are present in the
packet and the OHB is introduced, that will consume an additional 8 packet and the OHB is introduced, that will consume an additional 8
octets. If other extensions are already present, the OHB will octets. If other extensions are already present, the OHB will
consume up to 4 additional octets. consume up to 4 additional octets.
8. Security Considerations 9. Security Considerations
To summarize what is encrypted and authenticated, we will refer to To summarize what is encrypted and authenticated, we will refer to
all the RTP fields and headers created by the sender and before the all the RTP fields and headers created by the sender and before the
pay load as the initial envelope and the RTP payload information with pay load as the initial envelope and the RTP payload information with
the media as the payload. Any additional headers added by the Media the media as the payload. Any additional headers added by the Media
Distributor are referred to as the extra envelope. The sender uses Distributor are referred to as the extra envelope. The sender uses
the E2E key to encrypts the payload and authenticate the payload + the end-to-end key to encrypts the payload and authenticate the
initial envelope which using an AEAD cipher results in a slight payload + initial envelope which using an AEAD cipher results in a
longer new payload. Then the sender uses the HBH key to encrypt the slight longer new payload. Then the sender uses the hop-by-hop key
new payload and authenticate the initial envelope and new payload. to encrypt the new payload and authenticate the initial envelope and
new payload.
The Media Distributor has the HBH key so it can check the The Media Distributor has the hop-by-hop key so it can check the
authentication of the received packet across the initial envelope and authentication of the received packet across the initial envelope and
payload data but it can't decrypt the payload as it does not have the payload data but it can't decrypt the payload as it does not have the
E2E key. It can add extra envelope information. It then end-to-end key. It can add extra envelope information. It then
authenticates the initial plus extra envelope information plus authenticates the initial plus extra envelope information plus
payload with a HBH key. This HBH for the outgoing packet is payload with a hop-by-hop key. This hop-by-hop for the outgoing
typically different than the HBH key for the incoming packet. packet is typically different than the hop-by-hop key for the
incoming packet.
The receiver can check the authentication of the initial and extra The receiver can check the authentication of the initial and extra
envelope information. This, along with the OHB, is used to construct envelope information. This, along with the OHB, is used to construct
a synthetic packet that is should be identical to one the sender a synthetic packet that is should be identical to one the sender
created and the receiver can check that it is identical and then created and the receiver can check that it is identical and then
decrypt the original payload. decrypt the original payload.
The end result is that if the authentications succeed, the receiver The end result is that if the authentications succeed, the receiver
knows exactly what the original sender sent, as well as exactly which knows exactly what the original sender sent, as well as exactly which
modifications were made by the Media Distributor. modifications were made by the Media Distributor.
It is obviously critical that the intermediary has only the outer It is obviously critical that the intermediary has only the outer
transform parameters and not the inner transform parameters. We rely (hop-by-hop) algorithm key and not the half of the key for the the
on an external key management protocol to assure this property. inner (end-to-end) algorithm. We rely on an external key management
protocol to assure this property.
Modifications by the intermediary result in the recipient getting two Modifications by the intermediary result in the recipient getting two
values for changed parameters (original and modified). The recipient values for changed parameters (original and modified). The recipient
will have to choose which to use; there is risk in using either that will have to choose which to use; there is risk in using either that
depends on the session setup. depends on the session setup.
The security properties for both the inner and outer key holders are The security properties for both the inner (end-to-end) and outer
the same as the security properties of classic SRTP. (hop-by-hop) key holders are the same as the security properties of
classic SRTP.
9. IANA Considerations 10. IANA Considerations
9.1. RTP Header Extension
10.1. RTP Header Extension
This document defines a new extension URI in the RTP Compact Header This document defines a new extension URI in the RTP Compact Header
Extensions part of the Real-Time Transport Protocol (RTP) Parameters Extensions part of the Real-Time Transport Protocol (RTP) Parameters
registry, according to the following data: registry, according to the following data:
Extension URI: urn:ietf:params:rtp-hdrext:ohb Extension URI: urn:ietf:params:rtp-hdrext:ohb
Description: Original Header Block Description: Original Header Block
Contact: Cullen Jennings <mailto:fluffy@iii.ca> Contact: Cullen Jennings <mailto:fluffy@iii.ca>
Reference: RFCXXXX Reference: RFCXXXX
Note to RFC Editor: Replace RFCXXXX with the RFC number of this Note to RFC Editor: Replace RFCXXXX with the RFC number of this
specification. specification.
9.2. DTLS-SRTP 10.2. DTLS-SRTP
We request IANA to add the following values to defines a DTLS-SRTP We request IANA to add the following values to defines a DTLS-SRTP
"SRTP Protection Profile" defined in [RFC5764]. "SRTP Protection Profile" defined in [RFC5764].
+-------+------------------------------------------+-----------+ +------------+------------------------------------------+-----------+
| Value | Profile | Reference | | Value | Profile | Reference |
+-------+------------------------------------------+-----------+ +------------+------------------------------------------+-----------+
| {TBD} | DOUBLE_AEAD_AES_128_GCM_AEAD_AES_128_GCM | RFCXXXX | | {0x00, | DOUBLE_AEAD_AES_128_GCM_AEAD_AES_128_GCM | RFCXXXX |
| {TBD} | DOUBLE_AEAD_AES_256_GCM_AEAD_AES_256_GCM | RFCXXXX | | 0x09} | | |
+-------+------------------------------------------+-----------+ | {0x00, | DOUBLE_AEAD_AES_256_GCM_AEAD_AES_256_GCM | RFCXXXX |
| 0x0A} | | |
+------------+------------------------------------------+-----------+
Note to IANA: Please assign value RFCXXXX and update table to point Note to IANA: Please assign value RFCXXXX and update table to point
at this RFC for these values. at this RFC for these values.
The SRTP transform parameters for each of these protection are: The SRTP transform parameters for each of these protection are:
DOUBLE_AEAD_AES_128_GCM_AEAD_AES_128_GCM DOUBLE_AEAD_AES_128_GCM_AEAD_AES_128_GCM
cipher: AES_128_GCM then AES_128_GCM cipher: AES_128_GCM then AES_128_GCM
cipher_key_length: 256 bits cipher_key_length: 256 bits
cipher_salt_length: 192 bits cipher_salt_length: 192 bits
skipping to change at page 12, line 27 skipping to change at page 13, line 5
cipher: AES_256_GCM then AES_256_GCM cipher: AES_256_GCM then AES_256_GCM
cipher_key_length: 512 bits cipher_key_length: 512 bits
cipher_salt_length: 192 bits cipher_salt_length: 192 bits
aead_auth_tag_length: 32 octets aead_auth_tag_length: 32 octets
auth_function: NULL auth_function: NULL
auth_key_length: N/A auth_key_length: N/A
auth_tag_length: N/A auth_tag_length: N/A
maximum lifetime: at most 2^31 SRTCP packets and maximum lifetime: at most 2^31 SRTCP packets and
at most 2^48 SRTP packets at most 2^48 SRTP packets
The first half of the key and salt is used for the inner (E2E) The first half of the key and salt is used for the inner (end-to-end)
transform and the second half is used for the outer (HBH) transform. algorithm and the second half is used for the outer (hop-by-hop)
algorithm.
10. Acknowledgments 11. Acknowledgments
Many thanks to Richard Barnes for sending significant text for this Many thanks to Richard Barnes for sending significant text for this
specification. Thank you for reviews and improvements from David specification. Thank you for reviews and improvements from David
Benham, Paul Jones, Suhas Nandakumar, Nils Ohlmeier, and Magnus Benham, Paul Jones, Suhas Nandakumar, Nils Ohlmeier, and Magnus
Westerlund. Westerlund.
11. References 12. References
11.1. Normative References 12.1. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997, DOI 10.17487/RFC2119, March 1997,
<http://www.rfc-editor.org/info/rfc2119>. <http://www.rfc-editor.org/info/rfc2119>.
[RFC3711] Baugher, M., McGrew, D., Naslund, M., Carrara, E., and K. [RFC3711] Baugher, M., McGrew, D., Naslund, M., Carrara, E., and K.
Norrman, "The Secure Real-time Transport Protocol (SRTP)", Norrman, "The Secure Real-time Transport Protocol (SRTP)",
RFC 3711, DOI 10.17487/RFC3711, March 2004, RFC 3711, DOI 10.17487/RFC3711, March 2004,
<http://www.rfc-editor.org/info/rfc3711>. <http://www.rfc-editor.org/info/rfc3711>.
skipping to change at page 13, line 25 skipping to change at page 14, line 5
[RFC6904] Lennox, J., "Encryption of Header Extensions in the Secure [RFC6904] Lennox, J., "Encryption of Header Extensions in the Secure
Real-time Transport Protocol (SRTP)", RFC 6904, Real-time Transport Protocol (SRTP)", RFC 6904,
DOI 10.17487/RFC6904, April 2013, DOI 10.17487/RFC6904, April 2013,
<http://www.rfc-editor.org/info/rfc6904>. <http://www.rfc-editor.org/info/rfc6904>.
[RFC7714] McGrew, D. and K. Igoe, "AES-GCM Authenticated Encryption [RFC7714] McGrew, D. and K. Igoe, "AES-GCM Authenticated Encryption
in the Secure Real-time Transport Protocol (SRTP)", in the Secure Real-time Transport Protocol (SRTP)",
RFC 7714, DOI 10.17487/RFC7714, December 2015, RFC 7714, DOI 10.17487/RFC7714, December 2015,
<http://www.rfc-editor.org/info/rfc7714>. <http://www.rfc-editor.org/info/rfc7714>.
11.2. Informative References 12.2. Informative References
[I-D.ietf-payload-flexible-fec-scheme]
Singh, V., Begen, A., Zanaty, M., and G. Mandyam, "RTP
Payload Format for Flexible Forward Error Correction
(FEC)", draft-ietf-payload-flexible-fec-scheme-04 (work in
progress), March 2017.
[I-D.ietf-perc-dtls-tunnel] [I-D.ietf-perc-dtls-tunnel]
Jones, P., Ellenbogen, P., and N. Ohlmeier, "DTLS Tunnel Jones, P., Ellenbogen, P., and N. Ohlmeier, "DTLS Tunnel
between a Media Distributor and Key Distributor to between a Media Distributor and Key Distributor to
Facilitate Key Exchange", draft-ietf-perc-dtls-tunnel-00 Facilitate Key Exchange", draft-ietf-perc-dtls-tunnel-01
(work in progress), March 2017. (work in progress), April 2017.
[I-D.ietf-perc-private-media-framework] [I-D.ietf-perc-private-media-framework]
Jones, P., Benham, D., and C. Groves, "A Solution Jones, P., Benham, D., and C. Groves, "A Solution
Framework for Private Media in Privacy Enhanced RTP Framework for Private Media in Privacy Enhanced RTP
Conferencing", draft-ietf-perc-private-media-framework-03 Conferencing", draft-ietf-perc-private-media-framework-03
(work in progress), March 2017. (work in progress), March 2017.
[I-D.ietf-perc-srtp-ekt-diet] [I-D.ietf-perc-srtp-ekt-diet]
Jennings, C., Mattsson, J., McGrew, D., and D. Wing, Jennings, C., Mattsson, J., McGrew, D., and D. Wing,
"Encrypted Key Transport for Secure RTP", draft-ietf-perc- "Encrypted Key Transport for DTLS and Secure RTP", draft-
srtp-ekt-diet-03 (work in progress), March 2017. ietf-perc-srtp-ekt-diet-04 (work in progress), April 2017.
[I-D.ietf-rtcweb-fec]
Uberti, J., "WebRTC Forward Error Correction
Requirements", draft-ietf-rtcweb-fec-05 (work in
progress), May 2017.
[RFC4588] Rey, J., Leon, D., Miyazaki, A., Varsa, V., and R.
Hakenberg, "RTP Retransmission Payload Format", RFC 4588,
DOI 10.17487/RFC4588, July 2006,
<http://www.rfc-editor.org/info/rfc4588>.
[RFC4733] Schulzrinne, H. and T. Taylor, "RTP Payload for DTMF
Digits, Telephony Tones, and Telephony Signals", RFC 4733,
DOI 10.17487/RFC4733, December 2006,
<http://www.rfc-editor.org/info/rfc4733>.
[RFC6465] Ivov, E., Ed., Marocco, E., Ed., and J. Lennox, "A Real- [RFC6465] Ivov, E., Ed., Marocco, E., Ed., and J. Lennox, "A Real-
time Transport Protocol (RTP) Header Extension for Mixer- time Transport Protocol (RTP) Header Extension for Mixer-
to-Client Audio Level Indication", RFC 6465, to-Client Audio Level Indication", RFC 6465,
DOI 10.17487/RFC6465, December 2011, DOI 10.17487/RFC6465, December 2011,
<http://www.rfc-editor.org/info/rfc6465>. <http://www.rfc-editor.org/info/rfc6465>.
Authors' Addresses Authors' Addresses
Cullen Jennings Cullen Jennings
 End of changes. 70 change blocks. 
140 lines changed or deleted 213 lines changed or added

This html diff was produced by rfcdiff 1.45. The latest version is available from http://tools.ietf.org/tools/rfcdiff/