--- 1/draft-ietf-perc-private-media-framework-04.txt 2017-10-30 17:14:33.602343936 -0700 +++ 2/draft-ietf-perc-private-media-framework-05.txt 2017-10-30 17:14:33.654345174 -0700 @@ -1,47 +1,47 @@ Network Working Group P. Jones Internet-Draft D. Benham Intended status: Standards Track Cisco -Expires: January 4, 2018 C. Groves +Expires: May 3, 2018 C. Groves Huawei - July 3, 2017 + October 30, 2017 A Solution Framework for Private Media in Privacy Enhanced RTP Conferencing - draft-ietf-perc-private-media-framework-04 + draft-ietf-perc-private-media-framework-05 Abstract This document describes a solution framework for ensuring that media confidentiality and integrity are maintained end-to-end within the context of a switched conferencing environment where media - distribution devices are not trusted with the end-to-end media - encryption keys. The solution aims to build upon existing security - mechanisms defined for the real-time transport protocol (RTP). + distributors are not trusted with the end-to-end media encryption + keys. The solution aims to build upon existing security mechanisms + defined for the real-time transport protocol (RTP). Status of This Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at http://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." - This Internet-Draft will expire on January 4, 2018. + This Internet-Draft will expire on May 3, 2018. Copyright Notice Copyright (c) 2017 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents @@ -61,45 +61,45 @@ 3.1.2. Call Processing . . . . . . . . . . . . . . . . . . . 6 3.2. Trusted Entities . . . . . . . . . . . . . . . . . . . . 7 3.2.1. Endpoint . . . . . . . . . . . . . . . . . . . . . . 7 3.2.2. Key Distributor . . . . . . . . . . . . . . . . . . . 7 4. Framework for PERC . . . . . . . . . . . . . . . . . . . . . 7 4.1. End-to-End and Hop-by-Hop Authenticated Encryption . . . 8 4.2. E2E Key Confidentiality . . . . . . . . . . . . . . . . . 9 4.3. E2E Keys and Endpoint Operations . . . . . . . . . . . . 9 4.4. HBH Keys and Hop Operations . . . . . . . . . . . . . . . 10 4.5. Key Exchange . . . . . . . . . . . . . . . . . . . . . . 10 - 4.5.1. Initial Key Exchange and Key Distributor . . . . . . 11 - 4.5.2. Key Exchange during a Conference . . . . . . . . . . 11 + 4.5.1. Initial Key Exchange and Key Distributor . . . . . . 10 + 4.5.2. Key Exchange during a Conference . . . . . . . . . . 12 5. Entity Trust . . . . . . . . . . . . . . . . . . . . . . . . 12 - 5.1. Identity Assertions . . . . . . . . . . . . . . . . . . . 12 + 5.1. Identity Assertions . . . . . . . . . . . . . . . . . . . 13 5.2. Certificate Fingerprints in Session Signaling . . . . . . 13 - 5.3. Conferences Identification . . . . . . . . . . . . . . . 13 - 6. Security Considerations . . . . . . . . . . . . . . . . . . . 13 + 5.3. Conferences Identification . . . . . . . . . . . . . . . 14 + 6. Security Considerations . . . . . . . . . . . . . . . . . . . 14 6.1. Third Party Attacks . . . . . . . . . . . . . . . . . . . 14 - 6.2. Media Distributor Attacks . . . . . . . . . . . . . . . . 14 - 6.2.1. Denial of service . . . . . . . . . . . . . . . . . . 14 + 6.2. Media Distributor Attacks . . . . . . . . . . . . . . . . 15 + 6.2.1. Denial of service . . . . . . . . . . . . . . . . . . 15 6.2.2. Replay Attack . . . . . . . . . . . . . . . . . . . . 15 - 6.2.3. Delayed Playout Attack . . . . . . . . . . . . . . . 15 - 6.2.4. Splicing Attack . . . . . . . . . . . . . . . . . . . 15 + 6.2.3. Delayed Playout Attack . . . . . . . . . . . . . . . 16 + 6.2.4. Splicing Attack . . . . . . . . . . . . . . . . . . . 16 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 16 8. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 16 9. References . . . . . . . . . . . . . . . . . . . . . . . . . 16 9.1. Normative References . . . . . . . . . . . . . . . . . . 16 9.2. Informative References . . . . . . . . . . . . . . . . . 17 Appendix A. PERC Key Inventory . . . . . . . . . . . . . . . . . 18 A.1. DTLS-SRTP Exchange Yields HBH Keys . . . . . . . . . . . 19 A.2. The Key Distributor Transmits the KEK (EKT Key) . . . . . 20 - A.3. Endpoints fabricate an SRTP Master Key . . . . . . . . . 20 + A.3. Endpoints fabricate an SRTP Master Key . . . . . . . . . 21 A.4. Who has What Key . . . . . . . . . . . . . . . . . . . . 21 - Appendix B. PERC Packet Format . . . . . . . . . . . . . . . . . 21 - Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 22 + Appendix B. PERC Packet Format . . . . . . . . . . . . . . . . . 22 + Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 23 1. Introduction Switched conferencing is an increasingly popular model for multimedia conferences with multiple participants using a combination of audio, video, text, and other media types. With this model, real-time media flows from conference participants are not mixed, transcoded, transrated, recomposed, or otherwise manipulated by a Media Distributor, as might be the case with a traditional media server or multipoint control unit (MCU). Instead, media flows transmitted by @@ -116,65 +116,64 @@ Deploying conference resources in a public cloud environment might introduce a higher security risk. Whereas traditional conference resources were usually deployed in private networks that were protected, cloud-based conference resources might be viewed as less secure since they are not always physically controlled by those who use them. Additionally, there are usually several ports open to the public in cloud deployments, such as for remote administration, and so on. This document defines a solution framework wherein media privacy is - ensured by making it impossible for a media distribution device to - gain access to keys needed to decrypt or authenticate the actual - media content sent between conference participants. At the same - time, the framework allows for the Media Distributors to modify - certain RTP headers; add, remove, encrypt, or decrypt RTP header - extensions; and encrypt and decrypt RTCP packets. The framework also - prevents replay attacks by authenticating each packet transmitted - between a given participant and the media distribution device using a - unique key per endpoint that is independent from the key for media - encryption and authentication. + ensured by making it impossible for a media distributor to gain + access to keys needed to decrypt or authenticate the actual media + content sent between conference participants. At the same time, the + framework allows for the Media Distributors to modify certain RTP + headers; add, remove, encrypt, or decrypt RTP header extensions; and + encrypt and decrypt RTCP packets. The framework also prevents replay + attacks by authenticating each packet transmitted between a given + participant and the media distributor using a unique key per endpoint + that is independent from the key for media encryption and + authentication. A goal of this document is to define a framework for enhanced privacy in RTP-based conferencing environments while utilizing existing security procedures defined for RTP with minimal enhancements. 2. Conventions Used in This Document The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119] when they appear in ALL CAPS. These words may also appear in this document in lower case as plain English words, absent their normative meanings. - Additionally, this solution framework uses the following conventions, - terms and acronyms: + Additionally, this solution framework uses the following terms and + acronyms: End-to-End (E2E): Communications from one endpoint through one or - more Media Distribution Devices to the endpoint at the other end. + more Media Distributors to the endpoint at the other end. Hop-by-Hop (HBH): Communications between an endpoint and a Media - Distribution Device or between Media Distribution Devices. + Distributor or between Media Distributors. Trusted Endpoint: An RTP flow terminating entity that has possession of E2E media encryption keys and terminates E2E encryption. This may include embedded user conferencing equipment or browsers on computers, media gateways, MCUs, media recording device and more that are in the trusted domain for a given deployment. Media Distributor (MD): An RTP middlebox that is not allowed to to have access to E2E encryption keys. It operates according to the - Selective Forwarding Middlebox RTP topologies - [I-D.ietf-avtcore-rtp-topologies-update] per the constraints defined - by the PERC system, which includes, but not limited to, having no - access to RTP media unencrypted and having limits on what RTP header - field it can alter. + Selective Forwarding Middlebox RTP topologies [RFC7667] per the + constraints defined by the PERC system, which includes, but not + limited to, having no access to RTP media unencrypted and having + limits on what RTP header field it can alter. Key Distributor: An entity that is a logical function which distributes keying material and related information to trusted endpoints and Media Distributor(s), only that which is appropriate for each. The Key Distributor might be co-resident with another entity trusted with E2E keying material. Conference: Two or more participants communicating via trusted endpoints to exchange RTP flows through one or more Media Distributor. @@ -221,36 +220,41 @@ The architecture described in this framework document enables conferencing infrastructure to be hosted in domains, such as in a cloud conferencing provider's facilities, where the trustworthiness is below the level needed to assume the privacy of participant's media will not be compromised. The conferencing infrastructure in such a domain is still trusted with reliably connecting the participants together in a conference, but not trusted with keying material needed to decrypt any of the participant's media. Entities in such lower trustworthiness domains will simply be referred to as - untrusted entities from this point forward. This does not mean that - they are completely untrusted as they may be trusted with most non- - media related aspects of hosting a conference. + untrusted entities from this point forward. + + It is important to understand that untrusted in this document does + not mean an entity is not expected to function properly. Rather, it + means only that the entity does not have access to the E2E media + encryption keys. 3.1.1. Media Distributor A Media Distributor forwards RTP flows between endpoints in the conference while performing per-hop authentication of each RTP packet. The Media Distributor may need access to one or more RTP headers or header extensions, potentially adding or modifying a certain subset. The Media Distributor will also relay secured messaging between the endpoints and the Key Distributor and will acquire per-hop key information from the Key Distributor. The actual - media content *MUST NOT* not be decryptable by a Media Distributor, - so it is untrusted to have access to the E2E media encryption keys, - which this framework's key exchange mechanisms will prevent. + media content MUST NOT not be decryptable by a Media Distributor, so + it is untrusted to have access to the E2E media encryption keys. The + key exchange mechanisms specified in this framework will prevent the + Media Distributor from gaining access to the E2E media encryption + keys. An endpoint's ability to join a conference hosted by a Media Distributor MUST NOT alone be interpreted as being authorized to have access to the E2E media encryption keys, as the Media Distributor does not have the ability to determine whether an endpoint is authorized. Trusted endpoint authorization is described in [I-D.roach-perc-webrtc]. A Media Distributor MUST perform its role in properly forwarding media packets while taking measures to mitigate the adverse effects @@ -278,21 +282,21 @@ entities. In any deployment scenario where the call processing function is considered trusted, the call processing function MUST ensure the integrity of received messages before forwarding to other entities. 3.2. Trusted Entities From the PERC model system perspective, entities considered trusted (refer to Figure 1) can be in possession of the E2E media encryption - key(s) for one or more conferences. + keys for one or more conferences. 3.2.1. Endpoint An endpoint is considered trusted and will have access to E2E key information. While it is possible for an endpoint to be compromised, subsequently performing in undesired ways, defining endpoint resistance to compromise is outside the scope of this document. Endpoints will take measures to mitigate the adverse effects of denial of service attacks (refer to Section 6) from other entities, including from other endpoints, to a level equal to or better than @@ -425,99 +429,106 @@ requires that every packet be authenticated hop-by-hop (HBH) between an endpoint and a Media Distributor, as well between Media Distributors. The authentication key used for hop-by-hop authentication is derived from an SRTP master key shared only on the respective hop. Each HBH key is distinct per hop and no two hops ever intentionally use the same SRTP master key. Using hop-by-hop authentication gives the Media Distributor the ability to change certain RTP header values. Which values the Media Distributor can change in the RTP header are defined in - [I-D.ietf-perc-double]. RTCP can only be encrypted, giving the Media - Distributor the flexibility to forward RTCP content unchanged, + [I-D.ietf-perc-double]. RTCP can only be encrypted HBH, giving the + Media Distributor the flexibility to forward RTCP content unchanged, transmit compound RTCP packets or to initiate RTCP packets for reporting statistics or conveying other information. Performing hop- by-hop authentication for all RTP and RTCP packets also helps provide replay protection (see Section 6). If there is a need to encrypt one or more RTP header extensions hop- by-hop, an encryption key is derived from the hop-by-hop SRTP master key to encrypt header extensions as per [RFC6904]. This will still give the Media Distributor visibility into header extensions, such as the one used to determine audio level [RFC6464] of conference participants. Note that when RTP header extensions are encrypted, all hops - in the untrusted domain at least - will need to decrypt and re-encrypt these encrypted header extensions. 4.5. Key Exchange - To facilitate key exchange required to establish or generate an E2E - key and a HBH key for an endpoint and the same HBH key for the Media - Distributor, this framework utilizes a DTLS-SRTP [RFC5764] - association between an endpoint and the Key Distributor. To - establish this association, an endpoint will send DTLS-SRTP messages - to the Media Distributor which will then forward them to the Key - Distributor as defined in [I-D.ietf-perc-dtls-tunnel]. The Key - Encryption Key (KEK) (i.e., EKTKey) is also conveyed by the Key - Distributor over the DTLS association to endpoints via procedures - defined in PERC EKT [I-D.ietf-perc-srtp-ekt-diet]. - - Media Distributors use DTLS-SRTP [RFC5764] directly with a peer Media - Distributor to establish the HBH key for transmitting RTP and RTCP - packets to that peer Media Distributor. The Key Distributor does not - facilitate establishing a HBH key for use between Media Distributors. - 4.5.1. Initial Key Exchange and Key Distributor The procedures defined in DTLS Tunnel for PERC [I-D.ietf-perc-dtls-tunnel] establish one or more TLS tunnels between the Media Distributor and Key Distributor, making it is possible for the Media Distributor to facilitate the establishment of a secure DTLS association between each endpoint and the Key Distributor as shown the following figure. The DTLS association between endpoints - and the Key Distributor will enable each endpoint to receive E2E key - information, Key Encryption Key (KEK) information (i.e., EKT Key), - and HBH key information. At the same time, the Key Distributor can - securely provide the HBH key information to the Media Distributor. - The key information summarized here may include the SRTP master key, - SRTP master salt, and the negotiated cryptographic transform. + and the Key Distributor will enable each endpoint to generate E2E and + HBH keys and receive the Key Encryption Key (KEK) (i.e., EKT Key). + At the same time, the Key Distributor can securely provide the HBH + key information to the Media Distributor. The key information + summarized here may include the SRTP master key, SRTP master salt, + and the negotiated cryptographic transform. +-----------+ KEK info | Key | HBH Key info to to Endpoints |Distributor| Endpoints & Media Distributor +-----------+ # ^ ^ # # | | #-TLS Tunnel # | | # +-----------+ +-----------+ +-----------+ | Endpoint | DTLS | Media | DTLS | Endpoint | | KEK |<------------|Distributor|------------>| KEK | | HBH Key | to Key Dist | HBH Keys | to Key Dist | HBH Key | +-----------+ +-----------+ +-----------+ Figure 2: Exchanging Key Information Between Entities - Endpoints will establish a DTLS-SRTP association over the RTP - session's media ports for the purposes of key information exchange - with the Key Distributor. The Media Distributor will not terminate - the DTLS signaling, but will instead forward DTLS packets received - from an endpoint on to the Key Distributor (and vice versa) via a - tunnel established between Media Distributor and the Key Distributor. - This tunnel is used to encapsulate the DTLS-SRTP signaling between - the Key Distributor and endpoints will also be used to convey HBH key - information from the Key Distributor to the Media Distributor, so no - additional protocol or interface is required. + Endpoints will establish a DTLS-SRTP [RFC5764] association over the + RTP session's media ports for the purposes of key information + exchange with the Key Distributor. The Media Distributor will not + terminate the DTLS signaling, but will instead forward DTLS packets + received from an endpoint on to the Key Distributor (and vice versa) + via a tunnel established between Media Distributor and the Key + Distributor. This tunnel is used to encapsulate the DTLS-SRTP + signaling between the Key Distributor and endpoints will also be used + to convey HBH key information from the Key Distributor to the Media + Distributor, so no additional protocol or interface is required. + + In establishing the DTLS association between endpoints and the Key + Distributor, the endpoint acts as the DTLS client and the Key + Distributor acts as the DTLS server. The Key Encryption Key (KEK) + (i.e., EKT Key) is conveyed by the Key Distributor over the DTLS + association to endpoints via procedures defined in PERC EKT + [I-D.ietf-perc-srtp-ekt-diet] via the EKTKey message. + + Note that following DTLS-SRTP procedures for the + [I-D.ietf-perc-double] cipher, the endpoint will generate both E2E + and HBH encryption keys and salt values. Endpoints MAY use the DTLS- + SRTP generated E2E key or MAY generate different E2E keys. In either + case, the generated SRTP master salt for E2E encryption MUST be + replaced with the salt value provided by the Key Distributor via the + EKTKey message. That is because every endpoint in the conference + uses the same SRTP master salt. The endpoint only transmits the SRTP + master key (not the salt) used for E2E encryption to other endpoints + in RTP/RTCP packets per [I-D.ietf-perc-srtp-ekt-diet]. + + Media Distributors use DTLS-SRTP [RFC5764] directly with a peer Media + Distributor to establish the HBH key for transmitting RTP and RTCP + packets to that peer Media Distributor. The Key Distributor does not + facilitate establishing a HBH key for use between Media Distributors. 4.5.2. Key Exchange during a Conference Following the initial key information exchange with the Key - Distributor, an endpoints will be able to encrypt media end-to-end + Distributor, an endpoint will be able to encrypt media end-to-end with an E2E key, sending that E2E key to other endpoints encrypted with the KEK, and will be able to encrypt and authenticate RTP packets using a HBH key. The procedures defined do not allow the Media Distributor to gain access to the KEK information, preventing it from gaining access to any endpoint's E2E key and subsequently decrypting media. The KEK (i.e., EKT Key) may need to change from time-to-time during the life of a conference, such as when a new participant joins or leaves a conference. Dictating if, when or how often a conference is @@ -528,20 +539,31 @@ specific message defined in PERC EKT [I-D.ietf-perc-srtp-ekt-diet] to each of the conference participants. The endpoint MUST create a new SRTP master key and prepare to send that key inside a Full EKT Field using the new EKTKey. Since it may take some time for all of the endpoints in conference to finish re-keying, senders MUST delay a short period of time before sending media encrypted with the new master key, but it MUST be prepared to make use of the information from a new inbound EKT Key immediately. See Section 2.2.2 of [I-D.ietf-perc-srtp-ekt-diet]. + Endpoints MAY follow the procedures in section 5.2 of [RFC5764] to + re-negotiate HBH keys as desired. If new HBH keys are generated, the + new keys are also delivered to the Media Distributor following the + procedures defined in [I-D.ietf-perc-dtls-tunnel]. + + Endpoints are at liberty to change the E2E encryption key used at any + time. Endpoints MUST generate a new E2E encryption key whenever it + receives a new EKT Key. After switching to a new key, the new key + will be conveyed to other endpoints in the conference in RTP/RTCP + packets per [I-D.ietf-perc-srtp-ekt-diet]. + 5. Entity Trust It is important to this solution framework that the entities can trust and validate the authenticity of other entities, especially the Key Distributor and endpoints. The details of this are outside the scope of specification but a few possibilities are discussed in the following sections. The key requirements is that endpoints can verify they are connected to the correct Key Distributor for the conference and the Key Distributor can verify the endpoints are the correct endpoints for the conference. @@ -719,109 +741,108 @@ The authors would like to thank Mo Zanaty and Christian Oien for invaluable input on this document. Also, we would like to acknowledge Nermeen Ismail for serving on the initial versions of this document as a co-author. 9. References 9.1. Normative References [I-D.ietf-perc-double] - Jennings, C., Jones, P., and A. Roach, "SRTP Double - Encryption Procedures", draft-ietf-perc-double-04 (work in - progress), April 2017. + Jennings, C., Jones, P., Barnes, R., and A. Roach, "SRTP + Double Encryption Procedures", draft-ietf-perc-double-07 + (work in progress), September 2017. [I-D.ietf-perc-dtls-tunnel] Jones, P., Ellenbogen, P., and N. Ohlmeier, "DTLS Tunnel between a Media Distributor and Key Distributor to Facilitate Key Exchange", draft-ietf-perc-dtls-tunnel-01 (work in progress), April 2017. [I-D.ietf-perc-srtp-ekt-diet] Jennings, C., Mattsson, J., McGrew, D., and D. Wing, "Encrypted Key Transport for DTLS and Secure RTP", draft- - ietf-perc-srtp-ekt-diet-04 (work in progress), April 2017. + ietf-perc-srtp-ekt-diet-05 (work in progress), June 2017. [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, - DOI 10.17487/RFC2119, March 1997, - . + DOI 10.17487/RFC2119, March 1997, . [RFC3550] Schulzrinne, H., Casner, S., Frederick, R., and V. Jacobson, "RTP: A Transport Protocol for Real-Time Applications", STD 64, RFC 3550, DOI 10.17487/RFC3550, - July 2003, . + July 2003, . [RFC3711] Baugher, M., McGrew, D., Naslund, M., Carrara, E., and K. Norrman, "The Secure Real-time Transport Protocol (SRTP)", RFC 3711, DOI 10.17487/RFC3711, March 2004, - . + . [RFC5764] McGrew, D. and E. Rescorla, "Datagram Transport Layer Security (DTLS) Extension to Establish Keys for the Secure Real-time Transport Protocol (SRTP)", RFC 5764, - DOI 10.17487/RFC5764, May 2010, - . + DOI 10.17487/RFC5764, May 2010, . [RFC6904] Lennox, J., "Encryption of Header Extensions in the Secure Real-time Transport Protocol (SRTP)", RFC 6904, - DOI 10.17487/RFC6904, April 2013, - . + DOI 10.17487/RFC6904, April 2013, . 9.2. Informative References - [I-D.ietf-avtcore-rtp-topologies-update] - Westerlund, M. and S. Wenger, "RTP Topologies", draft- - ietf-avtcore-rtp-topologies-update-10 (work in progress), - July 2015. - [I-D.ietf-rtcweb-security-arch] Rescorla, E., "WebRTC Security Architecture", draft-ietf- - rtcweb-security-arch-12 (work in progress), June 2016. + rtcweb-security-arch-13 (work in progress), October 2017. [I-D.roach-perc-webrtc] Roach, A., "Using Privacy Enhanced Real-time Conferencing (PERC) in a WebRTC Context", draft-roach-perc-webrtc-00 (work in progress), March 2017. [RFC3261] Rosenberg, J., Schulzrinne, H., Camarillo, G., Johnston, A., Peterson, J., Sparks, R., Handley, M., and E. Schooler, "SIP: Session Initiation Protocol", RFC 3261, - DOI 10.17487/RFC3261, June 2002, - . + DOI 10.17487/RFC3261, June 2002, . [RFC4353] Rosenberg, J., "A Framework for Conferencing with the Session Initiation Protocol (SIP)", RFC 4353, - DOI 10.17487/RFC4353, February 2006, - . + DOI 10.17487/RFC4353, February 2006, . [RFC4474] Peterson, J. and C. Jennings, "Enhancements for Authenticated Identity Management in the Session Initiation Protocol (SIP)", RFC 4474, - DOI 10.17487/RFC4474, August 2006, - . + DOI 10.17487/RFC4474, August 2006, . [RFC4566] Handley, M., Jacobson, V., and C. Perkins, "SDP: Session Description Protocol", RFC 4566, DOI 10.17487/RFC4566, - July 2006, . + July 2006, . [RFC5763] Fischl, J., Tschofenig, H., and E. Rescorla, "Framework for Establishing a Secure Real-time Transport Protocol (SRTP) Security Context Using Datagram Transport Layer Security (DTLS)", RFC 5763, DOI 10.17487/RFC5763, May - 2010, . + 2010, . [RFC6464] Lennox, J., Ed., Ivov, E., and E. Marocco, "A Real-time Transport Protocol (RTP) Header Extension for Client-to- Mixer Audio Level Indication", RFC 6464, - DOI 10.17487/RFC6464, December 2011, - . + DOI 10.17487/RFC6464, December 2011, . + + [RFC7667] Westerlund, M. and S. Wenger, "RTP Topologies", RFC 7667, + DOI 10.17487/RFC7667, November 2015, . Appendix A. PERC Key Inventory PERC specifies the use of a number of different keys and, understandably, it looks complicated or confusing on the surface. This section summarizes the various keys used in the system, how they are generated, and what purpose they serve. The keys are described in the order in which they would typically be acquired. @@ -920,27 +941,28 @@ The EKT Field in media packets is encrypted using a cipher specified via the EKTKey message (e.g., AES Key Wrap with a 128-bit key). This cipher is different than the cipher used to protect media and is only used to encrypt the endpoint's SRTP master key (and other EKT Field data as per [I-D.ietf-perc-srtp-ekt-diet]). The media distributor is not given the KEK (i.e., EKT Key). A.3. Endpoints fabricate an SRTP Master Key - As stated earlier, the E2E key determined via DTLS-SRTP is discarded. - While it could have been used, the fact that endpoints may need to - change the SRTP master key periodically or are forced to change the - SRTP master key as a result of the EKT key changing means using it - has only limited utility. To reduce complexity, PERC prescribes that - endpoints manufacturer random SRTP master keys locally to be used for - E2E encryption. + As stated earlier, the E2E key determined via DTLS-SRTP MAY be + discarded in favor of a locally-generated SRTP master key. While the + DTLS-SRTP-derived key could be used, the fact that an endpoint might + need to change the SRTP master key periodically or is forced to + change the SRTP master key as a result of the EKT key changing means + using it has only limited utility. To reduce complexity, PERC + *RECOMMENDS* that endpoints create random SRTP master keys locally to + be used for E2E encryption. This locally-generated SRTP master key is used along with the master salt transmitted to the endpoint from the key distributor via the EKTKey message to encrypt media end-to-end. Since the media distributor is not involved in E2E functions, it will not create this key nor have access to any endpoint's E2E key. Note, too, that even the key distributor is unaware of the locally- generated E2E keys used by each endpoint.