--- 1/draft-ietf-perc-double-04.txt 2017-06-29 13:13:12.731504626 -0700 +++ 2/draft-ietf-perc-double-05.txt 2017-06-29 13:13:12.763505401 -0700 @@ -1,180 +1,184 @@ Network Working Group C. Jennings Internet-Draft P. Jones Intended status: Standards Track Cisco Systems -Expires: October 30, 2017 A. Roach +Expires: December 31, 2017 A. Roach Mozilla - April 28, 2017 + June 29, 2017 SRTP Double Encryption Procedures - draft-ietf-perc-double-04 + draft-ietf-perc-double-05 Abstract In some conferencing scenarios, it is desirable for an intermediary to be able to manipulate some RTP parameters, while still providing strong end-to-end security guarantees. This document defines SRTP - procedures that use two separate but related cryptographic contexts - to provide "hop-by-hop" and "end-to-end" security guarantees. Both - the end-to-end and hop-by-hop cryptographic transforms can utilize an + procedures that use two separate but related cryptographic operations + to provide hop-by-hop and end-to-end security guarantees. Both the + end-to-end and hop-by-hop cryptographic algorithms can utilize an authenticated encryption with associated data scheme or take advantage of future SRTP transforms with different properties. Status of This Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at http://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." - This Internet-Draft will expire on October 30, 2017. + This Internet-Draft will expire on December 31, 2017. Copyright Notice Copyright (c) 2017 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3 - 3. Cryptographic Contexts . . . . . . . . . . . . . . . . . . . 3 + 3. Cryptographic Context . . . . . . . . . . . . . . . . . . . . 3 4. Original Header Block . . . . . . . . . . . . . . . . . . . . 4 - 5. RTP Operations . . . . . . . . . . . . . . . . . . . . . . . 5 + 5. RTP Operations . . . . . . . . . . . . . . . . . . . . . . . 6 5.1. Encrypting a Packet . . . . . . . . . . . . . . . . . . . 6 5.2. Relaying a Packet . . . . . . . . . . . . . . . . . . . . 6 5.3. Decrypting a Packet . . . . . . . . . . . . . . . . . . . 8 6. RTCP Operations . . . . . . . . . . . . . . . . . . . . . . . 9 - 7. Recommended Inner and Outer Cryptographic Transforms . . . . 9 - 8. Security Considerations . . . . . . . . . . . . . . . . . . . 10 - 9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 10 - 9.1. RTP Header Extension . . . . . . . . . . . . . . . . . . 11 - 9.2. DTLS-SRTP . . . . . . . . . . . . . . . . . . . . . . . . 11 - 10. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 12 - 11. References . . . . . . . . . . . . . . . . . . . . . . . . . 12 - 11.1. Normative References . . . . . . . . . . . . . . . . . . 12 - 11.2. Informative References . . . . . . . . . . . . . . . . . 13 - Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 14 + 7. Use with Other RTP Mechanisms . . . . . . . . . . . . . . . . 9 + 7.1. RTX . . . . . . . . . . . . . . . . . . . . . . . . . . . 9 + 7.2. DTMF . . . . . . . . . . . . . . . . . . . . . . . . . . 9 + 7.3. FEC . . . . . . . . . . . . . . . . . . . . . . . . . . . 9 + 8. Recommended Inner and Outer Cryptographic Algorithms . . . . 10 + 9. Security Considerations . . . . . . . . . . . . . . . . . . . 10 + 10. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 11 + 10.1. RTP Header Extension . . . . . . . . . . . . . . . . . . 11 + 10.2. DTLS-SRTP . . . . . . . . . . . . . . . . . . . . . . . 12 + 11. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 13 + 12. References . . . . . . . . . . . . . . . . . . . . . . . . . 13 + 12.1. Normative References . . . . . . . . . . . . . . . . . . 13 + 12.2. Informative References . . . . . . . . . . . . . . . . . 14 + Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 15 1. Introduction Cloud conferencing systems that are based on switched conferencing have a central Media Distributor device that receives media from endpoints and distributes it to other endpoints, but does not need to interpret or change the media content. For these systems, it is - desirable to have one cryptographic context from the sending endpoint - to the receiving endpoint that can encrypt and authenticate the media + desirable to have one cryptographic key from the sending endpoint to + the receiving endpoint that can encrypt and authenticate the media end-to-end while still allowing certain RTP header information to be changed by the Media Distributor. At the same time, a separate - cryptographic context provides integrity and optional confidentiality - for the media flowing between the Media Distributor and the - endpoints. See the framework document that describes this concept in - more detail in more detail in - [I-D.ietf-perc-private-media-framework]. + cryptographic key provides integrity and optional confidentiality for + the media flowing between the Media Distributor and the endpoints. + See the framework document that describes this concept in more detail + in more detail in [I-D.ietf-perc-private-media-framework]. This specification defines an SRTP transform that uses the AES-GCM - transform [RFC7714] to encrypt an RTP packet for the end-to-end - cryptographic context. The output of this is treated as an RTP - packet and again encrypted with an SRTP transform used in the hop-by- - hop cryptographic context between the endpoint and the Media - Distributor. The Media Distributor decrypts and checks integrity of - the hop-by-hop security. The Media Distributor MAY change some of - the RTP header information that would impact the end-to-end - integrity. The original value of any RTP header field that is + algorithm [RFC7714] to provide encryption and integrity for an RTP + packet for the end-to-end cryptographic key as well as a hop-by-hop + cryptographic encryption and integrity between the endpoint and the + Media Distributor. The Media Distributor decrypts and checks + integrity of the hop-by-hop security. The Media Distributor MAY + change some of the RTP header information that would impact the end- + to-end integrity. The original value of any RTP header field that is changed is included in a new RTP header extension called the Original Header Block. The new RTP packet is encrypted with the hop-by-hop - cryptographic transform before it is sent. The receiving endpoint + cryptographic algorithm before it is sent. The receiving endpoint decrypts and checks integrity using the hop-by-hop cryptographic - transform and then replaces any parameters the Media Distributor + algorithm and then replaces any parameters the Media Distributor changed using the information in the Original Header Block before decrypting and checking the end-to-end integrity. - One can think of the double as a normal SRTP transform as encrypting + One can think of the double as a normal SRTP transform for encrypting the RTP in a way where things that only know half of the key, can decrypt and modify part of the RTP packet but not other parts of if including the media payload. 2. Terminology The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119]. Terms used throughout this document include: o Media Distributor: media distribution device that routes media from one endpoint to other endpoints - o E2E: end-to-end, meaning the link from one endpoint through one or - more Media Distributors to the endpoint at the other end. + o end-to-end: meaning the link from one endpoint through one or more + Media Distributors to the endpoint at the other end. - o HBH: hop-by-hop, meaning the link from the endpoint to or from the + o hop-by-hop: meaning the link from the endpoint to or from the Media Distributor. o OHB: Original Header Block is an RTP header extension that contains the original values from the RTP header that might have been changed by a Media Distributor. -3. Cryptographic Contexts +3. Cryptographic Context - This specification uses two cryptographic contexts: an inner ("end- - to-end") context that is used by endpoints that originate and consume - media to ensure the integrity of media end-to-end, and an outer - ("hop-by-hop") context that is used between endpoints and Media + This specification uses a cryptographic context with two parts: an + inner (end-to-end) part that is used by endpoints that originate and + consume media to ensure the integrity of media end-to-end, and an + outer (hop-by-hop) part that is used between endpoints and Media Distributors to ensure the integrity of media over a single hop and to enable a Media Distributor to modify certain RTP header fields. - RTCP is also encrypted using the hop-by-hop cryptographic context. - - The RECOMMENDED cipher for the hop-by-hop and end-to-end contexts is + RTCP is also handled using the hop-by-hop cryptographic part. The + RECOMMENDED cipher for the hop-by-hop and end-to-end algorithm is AES-GCM. Other combinations of SRTP ciphers that support the procedures in this document can be added to the IANA registry. - The keys and salt for these contexts are generated with the following - steps: + The keys and salt for these algorithms are generated with the + following steps: o Generate key and salt values of the length required for the - combined inner (end-to-end) and outer (hop-by-hop) transforms. + combined inner (end-to-end) and outer (hop-by-hop) algorithms. o Assign the key and salt values generated for the inner (end-to- - end) transform to the first half of the key and salt for the - double transform. + end) algorithm to the first half of the key and salt for the + double algorithm. o Assign the key and salt values for the outer (hop-by-hop) - transform to the second half of the key and salt for the double - transform. + algorithm to the second half of the key and salt for the double + algorithm. The first half of the key is revered to as the inner + key while the second out half is referred to as the outer key. + When a key is used by a cryptographic algorithm, the salt used is + the part of the salt generated with that key. Obviously, if the Media Distributor is to be able to modify header fields but not decrypt the payload, then it must have cryptographic - context for the outer transform, but not the inner transform. This - document does not define how the Media Distributor should be - provisioned with this information. One possible way to provide - keying material for the outer ("hop-by-hop") transform is to use - [I-D.ietf-perc-dtls-tunnel]. + key for the outer algorithm, but not the inner (end-to-end) + algorithm. This document does not define how the Media Distributor + should be provisioned with this information. One possible way to + provide keying material for the outer (hop-by-hop) algorithm is to + use [I-D.ietf-perc-dtls-tunnel]. 4. Original Header Block Any SRTP packet processed following these procedures MAY contain an Original Header Block (OHB) RTP header extension. The OHB contains the original values of any modified header fields and MUST be placed after any already-existing RTP header extensions. Placement of the OHB after any original header extensions is important so that the receiving endpoint can properly authenticate @@ -229,71 +233,75 @@ changed value, setting the X bit in the RTP header to 1 if no header extensions were originally present. If another Media Distributor along the media path makes additional changes to the RTP header and any original value is already present in the OHB, the Media Distributor must extend the OHB by adding the changed value to the OHB. To properly preserve original RTP header values, a Media Distributor MUST NOT change a value already present in the OHB extension. 5. RTP Operations + 5.1. Encrypting a Packet To encrypt a packet, the endpoint encrypts the packet using the inner - cryptographic context and then encrypts using the outer cryptographic - context. The processes is as follows: + (end-to-end) cryptographic key and then encrypts using the outer + (hop-by-hop) cryptographic key. The processes is as follows: o Form an RTP packet. If there are any header extensions, they MUST use [RFC5285]. - o Apply the inner cryptographic transform to the RTP packet. If - encrypting RTP header extensions end-to-end, then [RFC6904] MUST - be used when encrypting the RTP packet using the inner - cryptographic context. - o If the endpoint wishes to insert header extensions that can be modified by an Media Distributor, it MUST insert an OHB header extension at the end of any header extensions protected end-to-end (if any), then add any Media Distributor-modifiable header extensions. In other cases, the endpoint SHOULD still insert an OHB header extension. The OHB MUST replicate the information found in the RTP header following the application of the inner - cryptographic transform. If not already set, the endpoint MUST + cryptographic algorithm. If not already set, the endpoint MUST set the X bit in the RTP header to 1 when introducing the OHB extension. - o Apply the outer cryptographic transform to the RTP packet. If + o Apply the inner cryptographic algorithm to the RTP packet. If + encrypting RTP header extensions end-to-end, then [RFC6904] MUST + be used when encrypting the RTP packet using the inner + cryptographic key. + + o Apply the outer cryptographic algorithm to the RTP packet. If encrypting RTP header extensions hop-by-hop, then [RFC6904] MUST be used when encrypting the RTP packet using the outer - cryptographic context. + cryptographic key. When using EKT [I-D.ietf-perc-srtp-ekt-diet], the EKT Field comes after the SRTP packet exactly like using EKT with any other SRTP transform. 5.2. Relaying a Packet - The Media Distributor does not have a notion of outer or inner - cryptographic contexts. Rather, the Media Distributor has a single - cryptographic context. The cryptographic transform and key used to - decrypt a packet and any encrypted RTP header extensions would be the - same as those used in the endpoint's outer cryptographic context. + The Media Distributor does has the part of the key for the outer + (hop-by-hop) but does not have the part of the key for the (end-to- + end) cryptographic algorithm. The cryptographic algorithm and key + used to decrypt a packet and any encrypted RTP header extensions + would be the same as those used in the endpoint's outer algorithm and + key. In order to modify a packet, the Media Distributor decrypts the packet, modifies the packet, updates the OHB with any modifications not already present in the OHB, and re-encrypts the packet using the - cryptographic context used for next hop. + cryptographic using the outer (hop-by-hop) key. - o Apply the cryptographic transform to the packet. If decrypting - RTP header extensions hop-by-hop, then [RFC6904] MUST be used. + o Apply the outer (bop-by-hop) cryptographic algorithm to decrypt + the packet. If decrypting RTP header extensions hop-by-hop, then + [RFC6904] MUST be used. - o Change any required parameters + o Change any parts of the RTP packet that the relay wishes to change + and are allowed to be changed. o If a changed RTP header field is not already in the OHB, add it with its original value to the OHB. A Media Distributor can add information to the OHB, but MUST NOT change existing information in the OHB. o If the Media Distributor resets a parameter to its original value, it MAY drop it from the OHB as long as there are no other header extensions following the OHB. Note that this might result in a decrease in the size of the OHB. It is also possible for the @@ -315,193 +323,236 @@ OHB merely replicates the original header field values, and append the new extensions following the OHB. The OHB serves as a demarcation point between original RTP header extensions introduced by the endpoint and those introduced by a Media Distributor. o The Media Distributor MAY modify any header extension appearing after the OHB, but MUST NOT modify header extensions that are present before the OHB. - o Apply the cryptographic transform to the packet. If the RTP - Sequence Number has been modified, SRTP processing happens as - defined in SRTP and will end up using the new Sequence Number. If - encrypting RTP header extensions hop-by-hop, then [RFC6904] MUST - be used. + o Apply the outer (hop-by-hop) cryptographic algorithm to the + packet. If the RTP Sequence Number has been modified, SRTP + processing happens as defined in SRTP and will end up using the + new Sequence Number. If encrypting RTP header extensions hop-by- + hop, then [RFC6904] MUST be used. 5.3. Decrypting a Packet To decrypt a packet, the endpoint first decrypts and verifies using - the outer cryptographic context, then uses the OHB to reconstruct the - original packet, which it decrypts and verifies with the inner - cryptographic context. + the outer (hop-by-hop) cryptographic key, then uses the OHB to + reconstruct the original packet, which it decrypts and verifies with + the inner (end-to-end) cryptographic key. - o Apply the outer cryptographic transform to the packet. If the + o Apply the outer cryptographic algorithm to the packet. If the integrity check does not pass, discard the packet. The result of this is referred to as the outer SRTP packet. If decrypting RTP header extensions hop-by-hop, then [RFC6904] MUST be used when - decrypting the RTP packet using the outer cryptographic context. + decrypting the RTP packet using the outer cryptographic key. o Form a new synthetic SRTP packet with: * Header = Received header, with header fields replaced with values from OHB (if present). * Insert all header extensions up to the OHB extension, but exclude the OHB and any header extensions that follow the OHB. If there are no extensions remaining, then the X bit MUST bet set to 0. If there are extensions remaining, then the remaining extensions MUST be padded to the first 32-bit boundary and the overall length of the header extensions adjusted accordingly. * Payload is the encrypted payload from the outer SRTP packet. - o Apply the inner cryptographic transform to this synthetic SRTP + o Apply the inner cryptographic algorithm to this synthetic SRTP packet. Note if the RTP Sequence Number was changed by the Media Distributor, the synthetic packet has the original Sequence Number. If the integrity check does not pass, discard the packet. If decrypting RTP header extensions end-to-end, then [RFC6904] MUST be used when decrypting the RTP packet using the inner - cryptographic context. + cryptographic key. Once the packet has been successfully decrypted, the application needs to be careful about which information it uses to get the - correct behavior. The application MUST use only the information + correct behaviour. The application MUST use only the information found in the synthetic SRTP packet and MUST NOT use the other data that was in the outer SRTP packet with the following exceptions: o The PT from the outer SRTP packet is used for normal matching to SDP and codec selection. o The sequence number from the outer SRTP packet is used for normal RTP ordering. The PT and sequence number from the inner SRTP packet can be used for collection of various statistics. If any of the following RTP headers extensions are found in the outer SRTP packet, they MAY be used: o Mixer-to-client audio level indicators (See [RFC6465]) 6. RTCP Operations Unlike RTP, which is encrypted both hop-by-hop and end-to-end using - two separate cryptographic contexts, RTCP is encrypted using only the - outer (HBH) cryptographic context. The procedures for RTCP + two separate cryptographic key, RTCP is encrypted using only the + outer (hop-by-hop) cryptographic key. The procedures for RTCP encryption are specified in [RFC3711] and this document introduces no additional steps. -7. Recommended Inner and Outer Cryptographic Transforms +7. Use with Other RTP Mechanisms + + There are some RTP related extensions that need special consideration + to be used by a relay when using the double transform due to the end- + to-end protection of the RTP. + +7.1. RTX + + RTX [RFC4588] is not useable by the relay for hop-by-hop repair. + Some modification or extension would be need to be made to RTX before + it could be used in this way. The problem in using RTX is that the + relay would need to be able to read the first two byes of the payload + of the retransmissions packet which contain the original sequence + number. However, this data is end-to-end encrypted so the relay can + not read it. + +7.2. DTMF + + When DTMF is sent with [RFC4733], it is end-to-end encrypted and the + relay can not read it so it can not be used to controll the relay. + Other out of band methods to controll the relay can be used instead. + +7.3. FEC + + The algorithms recommended in [I-D.ietf-rtcweb-fec] for audio work + with no additional considerations. + + The algorithm recommend in [I-D.ietf-rtcweb-fec] for video is Flex + FEC [I-D.ietf-payload-flexible-fec-scheme]. + + Open Issue: The WG is currently considering how to handle Flex FEC. + The main issue of concern is that the FEC Header, which is needed for + repair, is part of the RTP payload. Flex FEC and be done before or + after the SRTP process with the order controlled by signalling. + [I-D.ietf-rtcweb-fec] recommends not using additional FEC only m-line + in SDP for the repair packets. + +8. Recommended Inner and Outer Cryptographic Algorithms This specification recommends and defines AES-GCM as both the inner - and outer cryptographic transforms, identified as + and outer cryptographic algorithms, identified as DOUBLE_AEAD_AES_128_GCM_AEAD_AES_128_GCM and - DOUBLE_AEAD_AES_256_GCM_AEAD_AES_256_GCM. These transforms provide + DOUBLE_AEAD_AES_256_GCM_AEAD_AES_256_GCM. These algorithm provide for authenticated encryption and will consume additional processing - time double-encrypting for HBH and E2E. However, the approach is - secure and simple, and is thus viewed as an acceptable trade-off in - processing efficiency. + time double-encrypting for hop-by-hop and end-to-end. However, the + approach is secure and simple, and is thus viewed as an acceptable + trade-off in processing efficiency. Note that names for the cryptographic transforms are of the form - DOUBLE_(inner transform)_(outer transform). + DOUBLE_(inner algorithm)_(outer algorithm). While this document only defines a profile based on AES-GCM, it is possible for future documents to define further profiles with - different inner and outer transforms in this same framework. For + different inner and outer crypto in this same framework. For example, if a new SRTP transform was defined that encrypts some or all of the RTP header, it would be reasonable for systems to have the - option of using that for the outer transform. Similarly, if a new + option of using that for the outer algorithm. Similarly, if a new transform was defined that provided only integrity, that would also - be reasonable to use for the HBH as the payload data is already - encrypted by the E2E. + be reasonable to use for the hop-by-hop as the payload data is + already encrypted by the end-to-end. - The AES-GCM cryptographic transform introduces an additional 16 + The AES-GCM cryptographic algorithm introduces an additional 16 octets to the length of the packet. When using AES-GCM for both the - inner and outer cryptographic transforms, the total additional length + inner and outer cryptographic algorithms, the total additional length is 32 octets. If no other header extensions are present in the packet and the OHB is introduced, that will consume an additional 8 octets. If other extensions are already present, the OHB will consume up to 4 additional octets. -8. Security Considerations +9. Security Considerations To summarize what is encrypted and authenticated, we will refer to all the RTP fields and headers created by the sender and before the pay load as the initial envelope and the RTP payload information with the media as the payload. Any additional headers added by the Media Distributor are referred to as the extra envelope. The sender uses - the E2E key to encrypts the payload and authenticate the payload + - initial envelope which using an AEAD cipher results in a slight - longer new payload. Then the sender uses the HBH key to encrypt the - new payload and authenticate the initial envelope and new payload. + the end-to-end key to encrypts the payload and authenticate the + payload + initial envelope which using an AEAD cipher results in a + slight longer new payload. Then the sender uses the hop-by-hop key + to encrypt the new payload and authenticate the initial envelope and + new payload. - The Media Distributor has the HBH key so it can check the + The Media Distributor has the hop-by-hop key so it can check the authentication of the received packet across the initial envelope and payload data but it can't decrypt the payload as it does not have the - E2E key. It can add extra envelope information. It then + end-to-end key. It can add extra envelope information. It then authenticates the initial plus extra envelope information plus - payload with a HBH key. This HBH for the outgoing packet is - typically different than the HBH key for the incoming packet. + payload with a hop-by-hop key. This hop-by-hop for the outgoing + packet is typically different than the hop-by-hop key for the + incoming packet. The receiver can check the authentication of the initial and extra envelope information. This, along with the OHB, is used to construct a synthetic packet that is should be identical to one the sender created and the receiver can check that it is identical and then decrypt the original payload. The end result is that if the authentications succeed, the receiver knows exactly what the original sender sent, as well as exactly which modifications were made by the Media Distributor. It is obviously critical that the intermediary has only the outer - transform parameters and not the inner transform parameters. We rely - on an external key management protocol to assure this property. + (hop-by-hop) algorithm key and not the half of the key for the the + inner (end-to-end) algorithm. We rely on an external key management + protocol to assure this property. Modifications by the intermediary result in the recipient getting two values for changed parameters (original and modified). The recipient will have to choose which to use; there is risk in using either that depends on the session setup. - The security properties for both the inner and outer key holders are - the same as the security properties of classic SRTP. + The security properties for both the inner (end-to-end) and outer + (hop-by-hop) key holders are the same as the security properties of + classic SRTP. -9. IANA Considerations -9.1. RTP Header Extension +10. IANA Considerations + +10.1. RTP Header Extension This document defines a new extension URI in the RTP Compact Header Extensions part of the Real-Time Transport Protocol (RTP) Parameters registry, according to the following data: Extension URI: urn:ietf:params:rtp-hdrext:ohb Description: Original Header Block - Contact: Cullen Jennings Reference: RFCXXXX Note to RFC Editor: Replace RFCXXXX with the RFC number of this specification. -9.2. DTLS-SRTP +10.2. DTLS-SRTP We request IANA to add the following values to defines a DTLS-SRTP "SRTP Protection Profile" defined in [RFC5764]. - +-------+------------------------------------------+-----------+ + +------------+------------------------------------------+-----------+ | Value | Profile | Reference | - +-------+------------------------------------------+-----------+ - | {TBD} | DOUBLE_AEAD_AES_128_GCM_AEAD_AES_128_GCM | RFCXXXX | - | {TBD} | DOUBLE_AEAD_AES_256_GCM_AEAD_AES_256_GCM | RFCXXXX | - +-------+------------------------------------------+-----------+ + +------------+------------------------------------------+-----------+ + | {0x00, | DOUBLE_AEAD_AES_128_GCM_AEAD_AES_128_GCM | RFCXXXX | + | 0x09} | | | + | {0x00, | DOUBLE_AEAD_AES_256_GCM_AEAD_AES_256_GCM | RFCXXXX | + | 0x0A} | | | + +------------+------------------------------------------+-----------+ Note to IANA: Please assign value RFCXXXX and update table to point at this RFC for these values. The SRTP transform parameters for each of these protection are: DOUBLE_AEAD_AES_128_GCM_AEAD_AES_128_GCM cipher: AES_128_GCM then AES_128_GCM cipher_key_length: 256 bits cipher_salt_length: 192 bits @@ -516,33 +567,34 @@ cipher: AES_256_GCM then AES_256_GCM cipher_key_length: 512 bits cipher_salt_length: 192 bits aead_auth_tag_length: 32 octets auth_function: NULL auth_key_length: N/A auth_tag_length: N/A maximum lifetime: at most 2^31 SRTCP packets and at most 2^48 SRTP packets - The first half of the key and salt is used for the inner (E2E) - transform and the second half is used for the outer (HBH) transform. + The first half of the key and salt is used for the inner (end-to-end) + algorithm and the second half is used for the outer (hop-by-hop) + algorithm. -10. Acknowledgments +11. Acknowledgments Many thanks to Richard Barnes for sending significant text for this specification. Thank you for reviews and improvements from David Benham, Paul Jones, Suhas Nandakumar, Nils Ohlmeier, and Magnus Westerlund. -11. References +12. References -11.1. Normative References +12.1. Normative References [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997, . [RFC3711] Baugher, M., McGrew, D., Naslund, M., Carrara, E., and K. Norrman, "The Secure Real-time Transport Protocol (SRTP)", RFC 3711, DOI 10.17487/RFC3711, March 2004, . @@ -560,38 +612,59 @@ [RFC6904] Lennox, J., "Encryption of Header Extensions in the Secure Real-time Transport Protocol (SRTP)", RFC 6904, DOI 10.17487/RFC6904, April 2013, . [RFC7714] McGrew, D. and K. Igoe, "AES-GCM Authenticated Encryption in the Secure Real-time Transport Protocol (SRTP)", RFC 7714, DOI 10.17487/RFC7714, December 2015, . -11.2. Informative References +12.2. Informative References + + [I-D.ietf-payload-flexible-fec-scheme] + Singh, V., Begen, A., Zanaty, M., and G. Mandyam, "RTP + Payload Format for Flexible Forward Error Correction + (FEC)", draft-ietf-payload-flexible-fec-scheme-04 (work in + progress), March 2017. [I-D.ietf-perc-dtls-tunnel] Jones, P., Ellenbogen, P., and N. Ohlmeier, "DTLS Tunnel between a Media Distributor and Key Distributor to - Facilitate Key Exchange", draft-ietf-perc-dtls-tunnel-00 - (work in progress), March 2017. + Facilitate Key Exchange", draft-ietf-perc-dtls-tunnel-01 + (work in progress), April 2017. [I-D.ietf-perc-private-media-framework] Jones, P., Benham, D., and C. Groves, "A Solution Framework for Private Media in Privacy Enhanced RTP Conferencing", draft-ietf-perc-private-media-framework-03 (work in progress), March 2017. [I-D.ietf-perc-srtp-ekt-diet] Jennings, C., Mattsson, J., McGrew, D., and D. Wing, - "Encrypted Key Transport for Secure RTP", draft-ietf-perc- - srtp-ekt-diet-03 (work in progress), March 2017. + "Encrypted Key Transport for DTLS and Secure RTP", draft- + ietf-perc-srtp-ekt-diet-04 (work in progress), April 2017. + + [I-D.ietf-rtcweb-fec] + Uberti, J., "WebRTC Forward Error Correction + Requirements", draft-ietf-rtcweb-fec-05 (work in + progress), May 2017. + + [RFC4588] Rey, J., Leon, D., Miyazaki, A., Varsa, V., and R. + Hakenberg, "RTP Retransmission Payload Format", RFC 4588, + DOI 10.17487/RFC4588, July 2006, + . + + [RFC4733] Schulzrinne, H. and T. Taylor, "RTP Payload for DTMF + Digits, Telephony Tones, and Telephony Signals", RFC 4733, + DOI 10.17487/RFC4733, December 2006, + . [RFC6465] Ivov, E., Ed., Marocco, E., Ed., and J. Lennox, "A Real- time Transport Protocol (RTP) Header Extension for Mixer- to-Client Audio Level Indication", RFC 6465, DOI 10.17487/RFC6465, December 2011, . Authors' Addresses Cullen Jennings