draft-ietf-perc-double-07.txt   draft-ietf-perc-double-08.txt 
Network Working Group C. Jennings Network Working Group C. Jennings
Internet-Draft P. Jones Internet-Draft P. Jones
Intended status: Standards Track R. Barnes Intended status: Standards Track R. Barnes
Expires: March 5, 2018 Cisco Systems Expires: September 6, 2018 Cisco Systems
A. Roach A. Roach
Mozilla Mozilla
September 1, 2017 March 5, 2018
SRTP Double Encryption Procedures SRTP Double Encryption Procedures
draft-ietf-perc-double-07 draft-ietf-perc-double-08
Abstract Abstract
In some conferencing scenarios, it is desirable for an intermediary In some conferencing scenarios, it is desirable for an intermediary
to be able to manipulate some RTP parameters, while still providing to be able to manipulate some RTP parameters, while still providing
strong end-to-end security guarantees. This document defines SRTP strong end-to-end security guarantees. This document defines SRTP
procedures that use two separate but related cryptographic operations procedures that use two separate but related cryptographic operations
to provide hop-by-hop and end-to-end security guarantees. Both the to provide hop-by-hop and end-to-end security guarantees. Both the
end-to-end and hop-by-hop cryptographic algorithms can utilize an end-to-end and hop-by-hop cryptographic algorithms can utilize an
authenticated encryption with associated data scheme or take authenticated encryption with associated data scheme or take
advantage of future SRTP transforms with different properties. advantage of future SRTP transforms with different properties.
Status of This Memo Status of This Memo
This Internet-Draft is submitted in full conformance with the This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79. provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on March 5, 2018. This Internet-Draft will expire on September 6, 2018.
Copyright Notice Copyright Notice
Copyright (c) 2017 IETF Trust and the persons identified as the Copyright (c) 2018 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License. described in the Simplified BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3
3. Cryptographic Context . . . . . . . . . . . . . . . . . . . . 4 3. Cryptographic Context . . . . . . . . . . . . . . . . . . . . 4
4. Original Header Block . . . . . . . . . . . . . . . . . . . . 4 3.1. Key Derivation . . . . . . . . . . . . . . . . . . . . . 5
5. RTP Operations . . . . . . . . . . . . . . . . . . . . . . . 5 4. Original Header Block . . . . . . . . . . . . . . . . . . . . 5
5.1. Encrypting a Packet . . . . . . . . . . . . . . . . . . . 5 5. RTP Operations . . . . . . . . . . . . . . . . . . . . . . . 6
5.2. Relaying a Packet . . . . . . . . . . . . . . . . . . . . 6 5.1. Encrypting a Packet . . . . . . . . . . . . . . . . . . . 6
5.3. Decrypting a Packet . . . . . . . . . . . . . . . . . . . 7 5.2. Relaying a Packet . . . . . . . . . . . . . . . . . . . . 7
6. RTCP Operations . . . . . . . . . . . . . . . . . . . . . . . 8 5.3. Decrypting a Packet . . . . . . . . . . . . . . . . . . . 8
7. Use with Other RTP Mechanisms . . . . . . . . . . . . . . . . 8 6. RTCP Operations . . . . . . . . . . . . . . . . . . . . . . . 9
7. Use with Other RTP Mechanisms . . . . . . . . . . . . . . . . 9
7.1. RTX . . . . . . . . . . . . . . . . . . . . . . . . . . . 9 7.1. RTX . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
7.2. RED . . . . . . . . . . . . . . . . . . . . . . . . . . . 9 7.2. RED . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
7.3. FEC . . . . . . . . . . . . . . . . . . . . . . . . . . . 9 7.3. FEC . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
7.4. DTMF . . . . . . . . . . . . . . . . . . . . . . . . . . 9 7.4. DTMF . . . . . . . . . . . . . . . . . . . . . . . . . . 11
8. Recommended Inner and Outer Cryptographic Algorithms . . . . 9 8. Recommended Inner and Outer Cryptographic Algorithms . . . . 11
9. Security Considerations . . . . . . . . . . . . . . . . . . . 10 9. Security Considerations . . . . . . . . . . . . . . . . . . . 11
10. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 11 10. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 12
10.1. RTP Header Extension . . . . . . . . . . . . . . . . . . 11 10.1. DTLS-SRTP . . . . . . . . . . . . . . . . . . . . . . . 13
10.2. DTLS-SRTP . . . . . . . . . . . . . . . . . . . . . . . 11 11. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 14
11. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 12 12. References . . . . . . . . . . . . . . . . . . . . . . . . . 14
12. References . . . . . . . . . . . . . . . . . . . . . . . . . 13 12.1. Normative References . . . . . . . . . . . . . . . . . . 14
12.1. Normative References . . . . . . . . . . . . . . . . . . 13 12.2. Informative References . . . . . . . . . . . . . . . . . 14
12.2. Informative References . . . . . . . . . . . . . . . . . 13 Appendix A. Encryption Overview . . . . . . . . . . . . . . . . 16
Appendix A. Encryption Overview . . . . . . . . . . . . . . . . 14 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 16
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 15
1. Introduction 1. Introduction
Cloud conferencing systems that are based on switched conferencing Cloud conferencing systems that are based on switched conferencing
have a central Media Distributor device that receives media from have a central Media Distributor device that receives media from
endpoints and distributes it to other endpoints, but does not need to endpoints and distributes it to other endpoints, but does not need to
interpret or change the media content. For these systems, it is interpret or change the media content. For these systems, it is
desirable to have one cryptographic key from the sending endpoint to desirable to have one cryptographic key from the sending endpoint to
the receiving endpoint that can encrypt and authenticate the media the receiving endpoint that can encrypt and authenticate the media
end-to-end while still allowing certain RTP header information to be end-to-end while still allowing certain RTP header information to be
changed by the Media Distributor. At the same time, a separate changed by the Media Distributor. At the same time, a separate
cryptographic key provides integrity and optional confidentiality for cryptographic key provides integrity and optional confidentiality for
the media flowing between the Media Distributor and the endpoints. the media flowing between the Media Distributor and the endpoints.
See the framework document that describes this concept in more detail The framework document [I-D.ietf-perc-private-media-framework]
in more detail in [I-D.ietf-perc-private-media-framework]. describes this concept in more detail.
This specification defines an SRTP transform that uses the AES-GCM This specification defines an SRTP transform that uses the AES-GCM
algorithm [RFC7714] to provide encryption and integrity for an RTP algorithm [RFC7714] to provide encryption and integrity for an RTP
packet for the end-to-end cryptographic key as well as a hop-by-hop packet for the end-to-end cryptographic key as well as a hop-by-hop
cryptographic encryption and integrity between the endpoint and the cryptographic encryption and integrity between the endpoint and the
Media Distributor. The Media Distributor decrypts and checks Media Distributor. The Media Distributor decrypts and checks
integrity of the hop-by-hop security. The Media Distributor MAY integrity of the hop-by-hop security. The Media Distributor MAY
change some of the RTP header information that would impact the end- change some of the RTP header information that would impact the end-
to-end integrity. The original value of any RTP header field that is to-end integrity. The original value of any RTP header field that is
changed is included in a new RTP header extension called the Original changed is included in a new RTP header extension called the Original
skipping to change at page 4, line 25 skipping to change at page 4, line 25
AES-GCM. Other combinations of SRTP ciphers that support the AES-GCM. Other combinations of SRTP ciphers that support the
procedures in this document can be added to the IANA registry. procedures in this document can be added to the IANA registry.
The keys and salt for these algorithms are generated with the The keys and salt for these algorithms are generated with the
following steps: following steps:
o Generate key and salt values of the length required for the o Generate key and salt values of the length required for the
combined inner (end-to-end) and outer (hop-by-hop) algorithms. combined inner (end-to-end) and outer (hop-by-hop) algorithms.
o Assign the key and salt values generated for the inner (end-to- o Assign the key and salt values generated for the inner (end-to-
end) algorithm to the first half of the key and salt for the end) algorithm to the first half of the key and the first half of
double algorithm. the salt for the double algorithm.
o Assign the key and salt values for the outer (hop-by-hop) o Assign the key and salt values for the outer (hop-by-hop)
algorithm to the second half of the key and salt for the double algorithm to the second half of the key and second half of the
algorithm. The first half of the key is referred to as the inner salt for the double algorithm. The first half of the key is
key while the second half is referred to as the outer key. When a referred to as the inner key while the second half is referred to
key is used by a cryptographic algorithm, the salt used is the as the outer key. When a key is used by a cryptographic
part of the salt generated with that key. algorithm, the salt used is the part of the salt generated with
that key.
o the SSRC is the same for both the inner and out outer algorithms
as it can not be changed.
o The SEQ and ROC are tracked independently for the inner and outer
algorithms.
Obviously, if the Media Distributor is to be able to modify header Obviously, if the Media Distributor is to be able to modify header
fields but not decrypt the payload, then it must have cryptographic fields but not decrypt the payload, then it must have cryptographic
key for the outer algorithm, but not the inner (end-to-end) key for the outer algorithm, but not the inner (end-to-end)
algorithm. This document does not define how the Media Distributor algorithm. This document does not define how the Media Distributor
should be provisioned with this information. One possible way to should be provisioned with this information. One possible way to
provide keying material for the outer (hop-by-hop) algorithm is to provide keying material for the outer (hop-by-hop) algorithm is to
use [I-D.ietf-perc-dtls-tunnel]. use [I-D.ietf-perc-dtls-tunnel].
3.1. Key Derivation
In order to allow the inner and outer keys to be managed
independently via the master key, the transforms defined in this
document MUST be used with the following PRF, which preserves the
separation between the two halves of the key:
PRF_double_n(k_master,x) = PRF_inner_(n/2)(k_master,x) ||
PRF_outer_(n/2)(k_master,x)
PRF_inner_n(k_master,x) = PRF_n(inner(k_master),x)
PRF_outer_n(k_master,x) = PRF_n(outer(k_master),x)
Here "PRF_n(k, x)" represents the default SRTP PRF [RFC3711],
"inner(key)" represents the first half of the key, and "outer(key)"
represents the second half of the key.
4. Original Header Block 4. Original Header Block
The Original Header Block (OHB) contains the original values of any The Original Header Block (OHB) contains the original values of any
modified header fields. In the encryption process, the OHB is modified header fields. In the encryption process, the OHB is
appended to the RTP payload. In the decryption process, the appended to the RTP payload. In the decryption process, the
receiving endpoint uses it to reconstruct the original RTP header, so receiving endpoint uses it to reconstruct the original RTP header, so
that it can pass the proper AAD value to the inner transform. that it can pass the proper AAD value to the inner transform.
The OHB can reflect modifications to the following fields in an RTP The OHB can reflect modifications to the following fields in an RTP
header: the payload type, the sequence number, and the marker bit. header: the payload type, the sequence number, and the marker bit.
skipping to change at page 5, line 52 skipping to change at page 6, line 33
5.1. Encrypting a Packet 5.1. Encrypting a Packet
To encrypt a packet, the endpoint encrypts the packet using the inner To encrypt a packet, the endpoint encrypts the packet using the inner
(end-to-end) cryptographic key and then encrypts using the outer (end-to-end) cryptographic key and then encrypts using the outer
(hop-by-hop) cryptographic key. The encryption also supports a mode (hop-by-hop) cryptographic key. The encryption also supports a mode
for repair packets that only does the outer (hop-by-hop) encryption. for repair packets that only does the outer (hop-by-hop) encryption.
The processes is as follows: The processes is as follows:
1. Form an RTP packet. If there are any header extensions, they 1. Form an RTP packet. If there are any header extensions, they
MUST use [RFC5285]. MUST use [RFC8285].
2. If the packet is for repair mode data, skip to step 6. 2. If the packet is for repair mode data, skip to step 6.
3. Form a synthetic RTP packet with the following contents: 3. Form a synthetic RTP packet with the following contents:
* Header: The RTP header of the original packet with the * Header: The RTP header of the original packet with the
following modifications: following modifications:
* The X bit is set to zero * The X bit is set to zero
* The header is truncated to remove any extensions (12 + 4 * CC * The header is truncated to remove any extensions (12 + 4 * CC
bytes) bytes)
* Payload: The RTP payload of the original packet * Payload: The RTP payload of the original packet
4. Apply the inner cryptographic algorithm to the RTP packet. 4. Apply the inner cryptographic algorithm to the synthetic RTP
packet from the previous step.
5. Replace the header of the protected RTP packet with the header of 5. Replace the header of the protected RTP packet with the header of
the original packet, and append to the payload of the packet (1) the original packet, and append to the payload of the packet (1)
the authentication tag from the original transform, and (2) an the authentication tag from the original transform, and (2) an
empty OHB (0x00). empty OHB (0x00).
6. Apply the outer cryptographic algorithm to the RTP packet. If 6. Apply the outer cryptographic algorithm to the RTP packet. If
encrypting RTP header extensions hop-by-hop, then [RFC6904] MUST encrypting RTP header extensions hop-by-hop, then [RFC6904] MUST
be used when encrypting the RTP packet using the outer be used when encrypting the RTP packet using the outer
cryptographic key. cryptographic key.
skipping to change at page 7, line 6 skipping to change at page 7, line 39
not already present in the OHB, and re-encrypts the packet using the not already present in the OHB, and re-encrypts the packet using the
cryptographic using the outer (hop-by-hop) key. cryptographic using the outer (hop-by-hop) key.
1. Apply the outer (hop-by-hop) cryptographic algorithm to decrypt 1. Apply the outer (hop-by-hop) cryptographic algorithm to decrypt
the packet. If decrypting RTP header extensions hop-by-hop, then the packet. If decrypting RTP header extensions hop-by-hop, then
[RFC6904] MUST be used. Note that the RTP payload produced by [RFC6904] MUST be used. Note that the RTP payload produced by
this decryption operation contains the original encrypted payload this decryption operation contains the original encrypted payload
with the tag from the inner transform and the OHB appended. with the tag from the inner transform and the OHB appended.
2. Change any parts of the RTP packet that the relay wishes to 2. Change any parts of the RTP packet that the relay wishes to
change and are allowed to be changed. change and should be changed.
3. If a changed RTP header field is not already in the OHB, add it 3. A Media Distributor can add information to the OHB, but MUST NOT
with its original value to the OHB. A Media Distributor can add change existing information in the OHB. If RTP value is changed
information to the OHB, but MUST NOT change existing information and not already in the OHB, then add it with its original value
in the OHB. to the OHB.
4. If the Media Distributor resets a parameter to its original 4. If the Media Distributor resets a parameter to its original
value, it MAY drop it from the OHB. Note that this might result value, it MAY drop it from the OHB. Note that this might result
in a decrease in the size of the OHB. in a decrease in the size of the OHB.
5. Apply the outer (hop-by-hop) cryptographic algorithm to the 5. Apply the outer (hop-by-hop) cryptographic algorithm to the
packet. If the RTP Sequence Number has been modified, SRTP packet. If the RTP Sequence Number has been modified, SRTP
processing happens as defined in SRTP and will end up using the processing happens as defined in SRTP and will end up using the
new Sequence Number. If encrypting RTP header extensions hop-by- new Sequence Number. If encrypting RTP header extensions hop-by-
hop, then [RFC6904] MUST be used. hop, then [RFC6904] MUST be used.
skipping to change at page 7, line 37 skipping to change at page 8, line 21
reconstruct the original packet, which it decrypts and verifies with reconstruct the original packet, which it decrypts and verifies with
the inner (end-to-end) cryptographic key. the inner (end-to-end) cryptographic key.
1. Apply the outer cryptographic algorithm to the packet. If the 1. Apply the outer cryptographic algorithm to the packet. If the
integrity check does not pass, discard the packet. The result of integrity check does not pass, discard the packet. The result of
this is referred to as the outer SRTP packet. If decrypting RTP this is referred to as the outer SRTP packet. If decrypting RTP
header extensions hop-by-hop, then [RFC6904] MUST be used when header extensions hop-by-hop, then [RFC6904] MUST be used when
decrypting the RTP packet using the outer cryptographic key. decrypting the RTP packet using the outer cryptographic key.
2. If the packet is for repair mode data, skip the rest of the 2. If the packet is for repair mode data, skip the rest of the
steps. steps. Note that the packet that results from the repair
algorithm will still have encrypted data that needs to be
decrypted as specified by the repair algorithm sections.
3. Remove the inner authentication tag and the OHB from the end of 3. Remove the inner authentication tag and the OHB from the end of
the payload of the outer SRTP packet. the payload of the outer SRTP packet.
4. Form a new synthetic SRTP packet with: 4. Form a new synthetic SRTP packet with:
* Header = Received header, with the following modifications: * Header = Received header, with the following modifications:
* Header fields replaced with values from OHB (if any) * Header fields replaced with values from OHB (if any)
skipping to change at page 8, line 19 skipping to change at page 9, line 7
outer SRTP packet. outer SRTP packet.
5. Apply the inner cryptographic algorithm to this synthetic SRTP 5. Apply the inner cryptographic algorithm to this synthetic SRTP
packet. Note if the RTP Sequence Number was changed by the Media packet. Note if the RTP Sequence Number was changed by the Media
Distributor, the synthetic packet has the original Sequence Distributor, the synthetic packet has the original Sequence
Number. If the integrity check does not pass, discard the Number. If the integrity check does not pass, discard the
packet. packet.
Once the packet has been successfully decrypted, the application Once the packet has been successfully decrypted, the application
needs to be careful about which information it uses to get the needs to be careful about which information it uses to get the
correct behaviour. The application MUST use only the information correct behavior. The application MUST use only the information
found in the synthetic SRTP packet and MUST NOT use the other data found in the synthetic SRTP packet and MUST NOT use the other data
that was in the outer SRTP packet with the following exceptions: that was in the outer SRTP packet with the following exceptions:
o The PT from the outer SRTP packet is used for normal matching to o The PT from the outer SRTP packet is used for normal matching to
SDP and codec selection. SDP and codec selection.
o The sequence number from the outer SRTP packet is used for normal o The sequence number from the outer SRTP packet is used for normal
RTP ordering. RTP ordering.
The PT and sequence number from the inner SRTP packet can be used for The PT and sequence number from the inner SRTP packet can be used for
skipping to change at page 9, line 12 skipping to change at page 9, line 48
double, typically operate on the double encrypted data then take the double, typically operate on the double encrypted data then take the
results of theses operations and encrypted them using only the HBH results of theses operations and encrypted them using only the HBH
key. This results in three cryptography operation happening to the key. This results in three cryptography operation happening to the
repair data sent over the wire. repair data sent over the wire.
7.1. RTX 7.1. RTX
When using RTX [RFC4588] with double, the cached payloads MUST be the When using RTX [RFC4588] with double, the cached payloads MUST be the
encrypted packets with the bits that are sent over the wire to the encrypted packets with the bits that are sent over the wire to the
other side. When encrypting a retransmission packet, it MUST be other side. When encrypting a retransmission packet, it MUST be
encrypted in repair mode packet. encrypted in packet repair mode.
A typical RTX receiver would decrypt the packet, undo the RTX
transformation, then process the resulting packet using the normally
by using the steps in Section 5.3.
7.2. RED 7.2. RED
TODO - Add text to explain how to use RED as described in Option A of When using RED [RFC2198] with double, the primary encoding MAY
slides presented at IETF 99. contain RTP header extensions and CSRC identifiers but non primary
encodings can not.
The sender takes encrypted payloads from the cached packets to form
the RED payload. Any header extensions from the primary encoding are
copied to the RTP packet that will cary the RED payload and the other
RTP header information such as SSRC, SEQ, CSRC, etc are set to the
same as the primary payload. The RED RTP packet is then encrypted in
repair mode and sent.
The receiver decrypts the payload to find the RED payload. Note a
media relay can do this decryption as the packet was sent in repair
mode that only needs the hop-by-hop key. The RTP headers and header
extensions along with the primary payload and PT from inside the RED
payload are used to form the encrypted primary RTP packet which can
then be decrypted with double. The RTP headers (but not header
extensions or CSRC) along with PT from inside the RED payload are
used for from the non primary payloads. The time offset information
in the RED data MUST be used to adjust the sequence number in the RTP
header by using the timestamp offset and packet rate to find a
sequence number offset to adjust by. At this point the non primary
packets can be decrypted with double.
Note that Flex FEC [I-D.ietf-payload-flexible-fec-scheme] is a
superset of the capabilities of RED. For most applications, FlexFEC
is a better choice than RED.
7.3. FEC 7.3. FEC
When using Flex FEC [I-D.ietf-payload-flexible-fec-scheme] with When using Flex FEC [I-D.ietf-payload-flexible-fec-scheme] with
double, the negotiation of double for the crypto is the out of band double, the negotiation of double for the crypto is the out of band
signalling that indicates that the repair packets MUST use the order signaling that indicates that the repair packets MUST use the order
of operations of SRTP followed by FEC when encrypting. This is to of operations of SRTP followed by FEC when encrypting. This is to
ensure that the original media is not revealed to the Media ensure that the original media is not revealed to the Media
Distributor but at the same time allow the Media Distributor to Distributor but at the same time allow the Media Distributor to
repair media. When encrypting a packet that contains the Flex FEC repair media. When encrypting a packet that contains the Flex FEC
data, which is already encrypted, it MUST be encrypted in repair mode data, which is already encrypted, it MUST be encrypted in repair mode
packet. packet.
The algorithm recommend in [I-D.ietf-rtcweb-fec] for repair of video The algorithm recommend in [I-D.ietf-rtcweb-fec] for repair of video
is Flex FEC [I-D.ietf-payload-flexible-fec-scheme]. Note that for is Flex FEC [I-D.ietf-payload-flexible-fec-scheme]. Note that for
interoperability with WebRTC, [I-D.ietf-rtcweb-fec] recommends not interoperability with WebRTC, [I-D.ietf-rtcweb-fec] recommends not
skipping to change at page 10, line 26 skipping to change at page 11, line 42
transform was defined that provided only integrity, that would also transform was defined that provided only integrity, that would also
be reasonable to use for the hop-by-hop as the payload data is be reasonable to use for the hop-by-hop as the payload data is
already encrypted by the end-to-end. already encrypted by the end-to-end.
The AES-GCM cryptographic algorithm introduces an additional 16 The AES-GCM cryptographic algorithm introduces an additional 16
octets to the length of the packet. When using AES-GCM for both the octets to the length of the packet. When using AES-GCM for both the
inner and outer cryptographic algorithms, the total additional length inner and outer cryptographic algorithms, the total additional length
is 32 octets. If no other header extensions are present in the is 32 octets. If no other header extensions are present in the
packet and the OHB is introduced, that will consume an additional 8 packet and the OHB is introduced, that will consume an additional 8
octets. If other extensions are already present, the OHB will octets. If other extensions are already present, the OHB will
consume up to 4 additional octets. consume up to 4 additional octets. For packets in repair mode, the
data they are caring is often already encrypted further increasing
the size.
9. Security Considerations 9. Security Considerations
To summarize what is encrypted and authenticated, we will refer to To summarize what is encrypted and authenticated, we will refer to
all the RTP fields and headers created by the sender and before the all the RTP fields except headers created by the sender and before
pay load as the initial envelope and the RTP payload information with the pay load as the initial envelope and the RTP payload information
the media as the payload. Any additional headers added by the Media with the media as the payload. Any additional headers added by the
Distributor are referred to as the extra envelope. The sender uses sender or Media Distributor are referred to as the extra envelope.
the end-to-end key to encrypts the payload and authenticate the
payload + initial envelope which using an AEAD cipher results in a The sender uses the end-to-end key to encrypts the payload and
slight longer new payload. Then the sender uses the hop-by-hop key authenticate the payload + initial envelope which using an AEAD
to encrypt the new payload and authenticate the initial envelope and cipher results in a slight longer new payload. Then the sender uses
new payload. the hop-by-hop key to encrypt the new payload and authenticate the
initial envelope extra envelope and the new payload.
The Media Distributor has the hop-by-hop key so it can check the The Media Distributor has the hop-by-hop key so it can check the
authentication of the received packet across the initial envelope and authentication of the received packet across the initial envelope,
payload data but it can't decrypt the payload as it does not have the extra envelope and payload data but it can't decrypt the payload as
end-to-end key. It can add extra envelope information. It then it does not have the end-to-end key. It can add or change extra
authenticates the initial plus extra envelope information plus envelope information. It then authenticates the initial plus extra
payload with a hop-by-hop key. This hop-by-hop for the outgoing envelope information plus payload with a hop-by-hop key. This hop-
packet is typically different than the hop-by-hop key for the by-hop for the outgoing packet is typically different than the hop-
incoming packet. by-hop key for the incoming packet.
The receiver can check the authentication of the initial and extra The receiver can check the authentication of the initial and extra
envelope information. This, along with the OHB, is used to construct envelope information from the Media Distributor. This, along with
a synthetic packet that is should be identical to one the sender the OHB, is used to construct a synthetic packet that is should be
created and the receiver can check that it is identical and then identical initial envelope plus payload to one the sender created and
decrypt the original payload. the receiver can check that it is identical and then decrypt the
original payload.
The end result is that if the authentications succeed, the receiver The end result is that if the authentications succeed, the receiver
knows exactly what the original sender sent, as well as exactly which knows exactly what the payload and initial envelope the sender sent,
modifications were made by the Media Distributor. as well as exactly which modifications were made by the Media
Distributor and what extra envelope the Media Distributor send. The
receive does not know exactly what extra envelope the sender sent.
It is obviously critical that the intermediary has only the outer It is obviously critical that the intermediary has only the outer
(hop-by-hop) algorithm key and not the half of the key for the the (hop-by-hop) algorithm key and not the half of the key for the the
inner (end-to-end) algorithm. We rely on an external key management inner (end-to-end) algorithm. We rely on an external key management
protocol to assure this property. protocol to assure this property.
Modifications by the intermediary result in the recipient getting two Modifications by the intermediary result in the recipient getting two
values for changed parameters (original and modified). The recipient values for changed parameters (original and modified). The recipient
will have to choose which to use; there is risk in using either that will have to choose which to use; there is risk in using either that
depends on the session setup. depends on the session setup.
The security properties for both the inner (end-to-end) and outer The security properties for both the inner (end-to-end) and outer
(hop-by-hop) key holders are the same as the security properties of (hop-by-hop) key holders are the same as the security properties of
classic SRTP. classic SRTP.
10. IANA Considerations 10. IANA Considerations
10.1. DTLS-SRTP
10.1. RTP Header Extension
This document defines a new extension URI in the RTP Compact Header
Extensions part of the Real-Time Transport Protocol (RTP) Parameters
registry, according to the following data:
Extension URI: urn:ietf:params:rtp-hdrext:ohb
Description: Original Header Block
Contact: Cullen Jennings <mailto:fluffy@iii.ca>
Reference: RFCXXXX
Note to RFC Editor: Replace RFCXXXX with the RFC number of this
specification.
10.2. DTLS-SRTP
We request IANA to add the following values to defines a DTLS-SRTP We request IANA to add the following values to defines a DTLS-SRTP
"SRTP Protection Profile" defined in [RFC5764]. "SRTP Protection Profile" defined in [RFC5764].
+------------+------------------------------------------+-----------+ +------------+------------------------------------------+-----------+
| Value | Profile | Reference | | Value | Profile | Reference |
+------------+------------------------------------------+-----------+ +------------+------------------------------------------+-----------+
| {0x00, | DOUBLE_AEAD_AES_128_GCM_AEAD_AES_128_GCM | RFCXXXX | | {0x00, | DOUBLE_AEAD_AES_128_GCM_AEAD_AES_128_GCM | RFCXXXX |
| 0x09} | | | | 0x09} | | |
| {0x00, | DOUBLE_AEAD_AES_256_GCM_AEAD_AES_256_GCM | RFCXXXX | | {0x00, | DOUBLE_AEAD_AES_256_GCM_AEAD_AES_256_GCM | RFCXXXX |
skipping to change at page 13, line 11 skipping to change at page 14, line 19
Jones, Roni Even, and Suhas Nandakumar. In addition, thank you to Jones, Roni Even, and Suhas Nandakumar. In addition, thank you to
Sergio Garcia Murillo proposed the change of transporting the OHB Sergio Garcia Murillo proposed the change of transporting the OHB
information in the RTP payload instead of the RTP header. information in the RTP payload instead of the RTP header.
12. References 12. References
12.1. Normative References 12.1. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997, <https://www.rfc- DOI 10.17487/RFC2119, March 1997,
editor.org/info/rfc2119>. <https://www.rfc-editor.org/info/rfc2119>.
[RFC3711] Baugher, M., McGrew, D., Naslund, M., Carrara, E., and K. [RFC3711] Baugher, M., McGrew, D., Naslund, M., Carrara, E., and K.
Norrman, "The Secure Real-time Transport Protocol (SRTP)", Norrman, "The Secure Real-time Transport Protocol (SRTP)",
RFC 3711, DOI 10.17487/RFC3711, March 2004, RFC 3711, DOI 10.17487/RFC3711, March 2004,
<https://www.rfc-editor.org/info/rfc3711>. <https://www.rfc-editor.org/info/rfc3711>.
[RFC5285] Singer, D. and H. Desineni, "A General Mechanism for RTP
Header Extensions", RFC 5285, DOI 10.17487/RFC5285, July
2008, <https://www.rfc-editor.org/info/rfc5285>.
[RFC5764] McGrew, D. and E. Rescorla, "Datagram Transport Layer [RFC5764] McGrew, D. and E. Rescorla, "Datagram Transport Layer
Security (DTLS) Extension to Establish Keys for the Secure Security (DTLS) Extension to Establish Keys for the Secure
Real-time Transport Protocol (SRTP)", RFC 5764, Real-time Transport Protocol (SRTP)", RFC 5764,
DOI 10.17487/RFC5764, May 2010, <https://www.rfc- DOI 10.17487/RFC5764, May 2010,
editor.org/info/rfc5764>. <https://www.rfc-editor.org/info/rfc5764>.
[RFC6904] Lennox, J., "Encryption of Header Extensions in the Secure [RFC6904] Lennox, J., "Encryption of Header Extensions in the Secure
Real-time Transport Protocol (SRTP)", RFC 6904, Real-time Transport Protocol (SRTP)", RFC 6904,
DOI 10.17487/RFC6904, April 2013, <https://www.rfc- DOI 10.17487/RFC6904, April 2013,
editor.org/info/rfc6904>. <https://www.rfc-editor.org/info/rfc6904>.
[RFC7714] McGrew, D. and K. Igoe, "AES-GCM Authenticated Encryption [RFC7714] McGrew, D. and K. Igoe, "AES-GCM Authenticated Encryption
in the Secure Real-time Transport Protocol (SRTP)", in the Secure Real-time Transport Protocol (SRTP)",
RFC 7714, DOI 10.17487/RFC7714, December 2015, RFC 7714, DOI 10.17487/RFC7714, December 2015,
<https://www.rfc-editor.org/info/rfc7714>. <https://www.rfc-editor.org/info/rfc7714>.
[RFC8285] Singer, D., Desineni, H., and R. Even, Ed., "A General
Mechanism for RTP Header Extensions", RFC 8285,
DOI 10.17487/RFC8285, October 2017,
<https://www.rfc-editor.org/info/rfc8285>.
12.2. Informative References 12.2. Informative References
[I-D.ietf-payload-flexible-fec-scheme] [I-D.ietf-payload-flexible-fec-scheme]
Singh, V., Begen, A., Zanaty, M., and G. Mandyam, "RTP Singh, V., Begen, A., Zanaty, M., and G. Mandyam, "RTP
Payload Format for Flexible Forward Error Correction Payload Format for Flexible Forward Error Correction
(FEC)", draft-ietf-payload-flexible-fec-scheme-05 (work in (FEC)", draft-ietf-payload-flexible-fec-scheme-05 (work in
progress), July 2017. progress), July 2017.
[I-D.ietf-perc-dtls-tunnel] [I-D.ietf-perc-dtls-tunnel]
Jones, P., Ellenbogen, P., and N. Ohlmeier, "DTLS Tunnel Jones, P., Ellenbogen, P., and N. Ohlmeier, "DTLS Tunnel
between a Media Distributor and Key Distributor to between a Media Distributor and Key Distributor to
Facilitate Key Exchange", draft-ietf-perc-dtls-tunnel-01 Facilitate Key Exchange", draft-ietf-perc-dtls-tunnel-02
(work in progress), April 2017. (work in progress), October 2017.
[I-D.ietf-perc-private-media-framework] [I-D.ietf-perc-private-media-framework]
Jones, P., Benham, D., and C. Groves, "A Solution Jones, P., Benham, D., and C. Groves, "A Solution
Framework for Private Media in Privacy Enhanced RTP Framework for Private Media in Privacy Enhanced RTP
Conferencing", draft-ietf-perc-private-media-framework-04 Conferencing", draft-ietf-perc-private-media-framework-05
(work in progress), July 2017. (work in progress), October 2017.
[I-D.ietf-perc-srtp-ekt-diet] [I-D.ietf-perc-srtp-ekt-diet]
Jennings, C., Mattsson, J., McGrew, D., and D. Wing, Jennings, C., Mattsson, J., McGrew, D., Wing, D., and F.
"Encrypted Key Transport for DTLS and Secure RTP", draft- Andreasen, "Encrypted Key Transport for DTLS and Secure
ietf-perc-srtp-ekt-diet-05 (work in progress), June 2017. RTP", draft-ietf-perc-srtp-ekt-diet-06 (work in progress),
October 2017.
[I-D.ietf-rtcweb-fec] [I-D.ietf-rtcweb-fec]
Uberti, J., "WebRTC Forward Error Correction Uberti, J., "WebRTC Forward Error Correction
Requirements", draft-ietf-rtcweb-fec-06 (work in Requirements", draft-ietf-rtcweb-fec-08 (work in
progress), July 2017. progress), March 2018.
[RFC2198] Perkins, C., Kouvelas, I., Hodson, O., Hardman, V.,
Handley, M., Bolot, J., Vega-Garcia, A., and S. Fosse-
Parisis, "RTP Payload for Redundant Audio Data", RFC 2198,
DOI 10.17487/RFC2198, September 1997,
<https://www.rfc-editor.org/info/rfc2198>.
[RFC4588] Rey, J., Leon, D., Miyazaki, A., Varsa, V., and R. [RFC4588] Rey, J., Leon, D., Miyazaki, A., Varsa, V., and R.
Hakenberg, "RTP Retransmission Payload Format", RFC 4588, Hakenberg, "RTP Retransmission Payload Format", RFC 4588,
DOI 10.17487/RFC4588, July 2006, <https://www.rfc- DOI 10.17487/RFC4588, July 2006,
editor.org/info/rfc4588>. <https://www.rfc-editor.org/info/rfc4588>.
[RFC4733] Schulzrinne, H. and T. Taylor, "RTP Payload for DTMF [RFC4733] Schulzrinne, H. and T. Taylor, "RTP Payload for DTMF
Digits, Telephony Tones, and Telephony Signals", RFC 4733, Digits, Telephony Tones, and Telephony Signals", RFC 4733,
DOI 10.17487/RFC4733, December 2006, <https://www.rfc- DOI 10.17487/RFC4733, December 2006,
editor.org/info/rfc4733>. <https://www.rfc-editor.org/info/rfc4733>.
[RFC6465] Ivov, E., Ed., Marocco, E., Ed., and J. Lennox, "A Real- [RFC6465] Ivov, E., Ed., Marocco, E., Ed., and J. Lennox, "A Real-
time Transport Protocol (RTP) Header Extension for Mixer- time Transport Protocol (RTP) Header Extension for Mixer-
to-Client Audio Level Indication", RFC 6465, to-Client Audio Level Indication", RFC 6465,
DOI 10.17487/RFC6465, December 2011, <https://www.rfc- DOI 10.17487/RFC6465, December 2011,
editor.org/info/rfc6465>. <https://www.rfc-editor.org/info/rfc6465>.
Appendix A. Encryption Overview Appendix A. Encryption Overview
The following figure shows a double encrypted SRTP packet. The sides The following figure shows a double encrypted SRTP packet. The sides
indicate the parts of the packet that are encrypted and authenticated indicate the parts of the packet that are encrypted and authenticated
by the hob-by-hop and end-to-end operations. by the hob-by-hop and end-to-end operations.
0 1 2 3 0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<+<+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<++
|V=2|P|X| CC |M| PT | sequence number | I O |V=2|P|X| CC |M| PT | sequence number | IO
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ I O +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ IO
| timestamp | I O | timestamp | IO
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ I O +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ IO
| synchronization source (SSRC) identifier | I O | synchronization source (SSRC) identifier | IO
+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ I O +=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ IO
| contributing source (CSRC) identifiers | I O | contributing source (CSRC) identifiers | IO
| .... | I O | .... | IO
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<+ O +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<+O
| RTP extension (OPTIONAL) ... | | O | RTP extension (OPTIONAL) ... | |O
+>+>+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<+ O +>+>+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<+O
O I | payload ... | I O O I | payload ... | IO
O I | +-------------------------------+ I O O I | +-------------------------------+ IO
O I | | RTP padding | RTP pad count | I O O I | | RTP padding | RTP pad count | IO
O +>+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<+ O O +>+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<+O
O | | E2E authentication tag | | O O | | E2E authentication tag | |O
O | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | O O | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |O
O | | OHB ... | | O O | | OHB ... | |O
+>| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |<+ +>| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |+
| | | HBH authentication tag | | | | | | HBH authentication tag | ||
| | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ||
| | | | | | ||
| +- E2E Encrypted Portion E2E Authenticated Portion ---+ | | +- E2E Encrypted Portion E2E Authenticated Portion ---+|
| | | |
+--- HBH Encrypted Portion HBH Authenticated Portion -----+ +--- HBH Encrypted Portion HBH Authenticated Portion ----+
--- HBH Encrypted Portion HBH Authenticated Portion <span class="insert">----+</span>
Authors' Addresses Authors' Addresses
Cullen Jennings Cullen Jennings
Cisco Systems Cisco Systems
Email: fluffy@iii.ca Email: fluffy@iii.ca
Paul E. Jones Paul E. Jones
Cisco Systems Cisco Systems
Email: paulej@packetizer.com Email: paulej@packetizer.com
Richard Barnes Richard Barnes
Cisco Systems Cisco Systems
Email: rlb@ipv.sx Email: rlb@ipv.sx
Adam Roach Adam Roach
Mozilla Mozilla
Email: adam@nostrum.com Email: adam@nostrum.com
 End of changes. 44 change blocks. 
144 lines changed or deleted 197 lines changed or added

This html diff was produced by rfcdiff 1.46. The latest version is available from http://tools.ietf.org/tools/rfcdiff/