--- 1/draft-ietf-perc-private-media-framework-05.txt 2018-03-05 13:13:45.902231314 -0800 +++ 2/draft-ietf-perc-private-media-framework-06.txt 2018-03-05 13:13:45.958232644 -0800 @@ -1,56 +1,56 @@ Network Working Group P. Jones Internet-Draft D. Benham Intended status: Standards Track Cisco -Expires: May 3, 2018 C. Groves - Huawei - October 30, 2017 +Expires: September 6, 2018 C. Groves + Independent + March 5, 2018 A Solution Framework for Private Media in Privacy Enhanced RTP Conferencing - draft-ietf-perc-private-media-framework-05 + draft-ietf-perc-private-media-framework-06 Abstract This document describes a solution framework for ensuring that media confidentiality and integrity are maintained end-to-end within the context of a switched conferencing environment where media distributors are not trusted with the end-to-end media encryption keys. The solution aims to build upon existing security mechanisms defined for the real-time transport protocol (RTP). Status of This Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- - Drafts is at http://datatracker.ietf.org/drafts/current/. + Drafts is at https://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." - This Internet-Draft will expire on May 3, 2018. + This Internet-Draft will expire on September 6, 2018. Copyright Notice - Copyright (c) 2017 IETF Trust and the persons identified as the + Copyright (c) 2018 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents - (http://trustee.ietf.org/license-info) in effect on the date of + (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 @@ -61,40 +61,40 @@ 3.1.2. Call Processing . . . . . . . . . . . . . . . . . . . 6 3.2. Trusted Entities . . . . . . . . . . . . . . . . . . . . 7 3.2.1. Endpoint . . . . . . . . . . . . . . . . . . . . . . 7 3.2.2. Key Distributor . . . . . . . . . . . . . . . . . . . 7 4. Framework for PERC . . . . . . . . . . . . . . . . . . . . . 7 4.1. End-to-End and Hop-by-Hop Authenticated Encryption . . . 8 4.2. E2E Key Confidentiality . . . . . . . . . . . . . . . . . 9 4.3. E2E Keys and Endpoint Operations . . . . . . . . . . . . 9 4.4. HBH Keys and Hop Operations . . . . . . . . . . . . . . . 10 4.5. Key Exchange . . . . . . . . . . . . . . . . . . . . . . 10 - 4.5.1. Initial Key Exchange and Key Distributor . . . . . . 10 + 4.5.1. Initial Key Exchange and Key Distributor . . . . . . 11 4.5.2. Key Exchange during a Conference . . . . . . . . . . 12 - 5. Entity Trust . . . . . . . . . . . . . . . . . . . . . . . . 12 + 5. Authentication . . . . . . . . . . . . . . . . . . . . . . . 13 5.1. Identity Assertions . . . . . . . . . . . . . . . . . . . 13 5.2. Certificate Fingerprints in Session Signaling . . . . . . 13 5.3. Conferences Identification . . . . . . . . . . . . . . . 14 6. Security Considerations . . . . . . . . . . . . . . . . . . . 14 6.1. Third Party Attacks . . . . . . . . . . . . . . . . . . . 14 6.2. Media Distributor Attacks . . . . . . . . . . . . . . . . 15 6.2.1. Denial of service . . . . . . . . . . . . . . . . . . 15 - 6.2.2. Replay Attack . . . . . . . . . . . . . . . . . . . . 15 + 6.2.2. Replay Attack . . . . . . . . . . . . . . . . . . . . 16 6.2.3. Delayed Playout Attack . . . . . . . . . . . . . . . 16 6.2.4. Splicing Attack . . . . . . . . . . . . . . . . . . . 16 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 16 - 8. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 16 - 9. References . . . . . . . . . . . . . . . . . . . . . . . . . 16 - 9.1. Normative References . . . . . . . . . . . . . . . . . . 16 - 9.2. Informative References . . . . . . . . . . . . . . . . . 17 - Appendix A. PERC Key Inventory . . . . . . . . . . . . . . . . . 18 - A.1. DTLS-SRTP Exchange Yields HBH Keys . . . . . . . . . . . 19 + 8. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 17 + 9. References . . . . . . . . . . . . . . . . . . . . . . . . . 17 + 9.1. Normative References . . . . . . . . . . . . . . . . . . 17 + 9.2. Informative References . . . . . . . . . . . . . . . . . 18 + Appendix A. PERC Key Inventory . . . . . . . . . . . . . . . . . 19 + A.1. DTLS-SRTP Exchange Yields HBH Keys . . . . . . . . . . . 20 A.2. The Key Distributor Transmits the KEK (EKT Key) . . . . . 20 A.3. Endpoints fabricate an SRTP Master Key . . . . . . . . . 21 A.4. Who has What Key . . . . . . . . . . . . . . . . . . . . 21 Appendix B. PERC Packet Format . . . . . . . . . . . . . . . . . 22 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 23 1. Introduction Switched conferencing is an increasingly popular model for multimedia conferences with multiple participants using a combination of audio, @@ -246,22 +246,24 @@ media content MUST NOT not be decryptable by a Media Distributor, so it is untrusted to have access to the E2E media encryption keys. The key exchange mechanisms specified in this framework will prevent the Media Distributor from gaining access to the E2E media encryption keys. An endpoint's ability to join a conference hosted by a Media Distributor MUST NOT alone be interpreted as being authorized to have access to the E2E media encryption keys, as the Media Distributor does not have the ability to determine whether an endpoint is - authorized. Trusted endpoint authorization is described in - [I-D.roach-perc-webrtc]. + authorized. Instead, the Key Distributor is responsible for + authenticating endpoints (e.g., using WebRTC Identity + [I-D.ietf-rtcweb-security-arch]) and determining their authorization + to receive E2E media encryption keys. A Media Distributor MUST perform its role in properly forwarding media packets while taking measures to mitigate the adverse effects of denial of service attacks (refer to Section 6), etc, to a level equal to or better than traditional conferencing (i.e. non-PERC) deployments. A Media Distributor or associated conferencing infrastructure may also initiate or terminate various conference control related messaging, which is outside the scope of this framework document. @@ -297,25 +299,24 @@ information. While it is possible for an endpoint to be compromised, subsequently performing in undesired ways, defining endpoint resistance to compromise is outside the scope of this document. Endpoints will take measures to mitigate the adverse effects of denial of service attacks (refer to Section 6) from other entities, including from other endpoints, to a level equal to or better than traditional conference (i.e., non-PERC) deployments. 3.2.2. Key Distributor - The Key Distributor, which may be collocated with an endpoint or - exist standalone, is responsible for providing key information to - endpoints for both end-to-end and hop-by-hop security and for - providing key information to Media Distributors for the hop-by-hop - security. + The Key Distributor, which may be colocated with an endpoint or exist + standalone, is responsible for providing key information to endpoints + for both end-to-end and hop-by-hop security and for providing key + information to Media Distributors for the hop-by-hop security. Interaction between the Key Distributor and the call processing function is necessary to for proper conference-to-endpoint mappings. This is described in Section 5.3. The Key Distributor needs to be secured and managed in a way to prevent exploitation by an adversary, as any kind of compromise of the Key Distributor puts the security of the conference at risk. 4. Framework for PERC @@ -339,54 +340,53 @@ header extensions, as well as the ability to modify a certain subset of those headers and to add header extensions. Packets received by a Media Distributor or an endpoint are authenticated hop-by-hop. To enable all of the above, this framework defines the use of two security contexts and two associated encryption keys: an "inner" key (an E2E key distinct for each transmitted media flow) for authenticated encryption of RTP media between endpoints and an "outer" key (HBH key) known only to media distributor and the adjacent endpoint) for the hop between an endpoint and a Media - Distributor or between Media Distributor. Reference the following - figure. + Distributor or between Media Distributor. +-------------+ +-------------+ | |################################| | - | Media |------------------------------->| Media | - | Distributor |<-------------------------------| Distributor | - | X |################################| Y | - | | HBH Key (XY) | | - +-------------+ +-------------+ - # ^ | # # ^ | # - # | | # HBH HBH # | | # - # | | # <== Key(AX) Key(YB) ==> # | | # + | Media |------------------------ *----->| Media | + | Distributor |<----------------------*-|------| Distributor | + | X |#####################*#|#|######| Y | + | | | | | | | + +-------------+ | | | +-------------+ + # ^ | # HBH Key (XY) -+ | | # ^ | # + # | | # E2E Key (B) ---+ | # | | # + # | | # E2E Key (A) -----+ # | | # # | | # # | | # - # |<+--#---- E2E Key (A) E2E Key (B) ---#->| | # + # | | # # | | # + # | | *---- HBH Key (AX) HBH Key (YB) ----* | | # + # | | # # | | # + # *--------- E2E Key (A) E2E Key (A) ---------* # + # | *------- E2E Key (B) E2E Key (B) -------* | # # | | # # | | # # | v # # | v # +-------------+ +-------------+ | Endpoint A | | Endpoint B | +-------------+ +-------------+ - E2E and HBH Keys Used for Authenticated Encryption + E2E and HBH Keys Used for Authenticated Encryption of SRTP Packets - The PERC Double specification [I-D.ietf-perc-double] uses standard - SRTP keying material and recommended cryptographic transform(s) to - first form the inner, end-to-end SRTP cryptographic context. That - end-to-end SRTP cryptographic context MAY be used to encrypt some RTP - header extensions along with RTP media content. The output of this - is treated like an RTP packet and encrypted again using the outer - hop-by-hop cryptographic context. The endpoint executes the entire - Double operation while the Media Distributor just performs the outer, - hop-by-hop operation. (See Appendix A for a description of the keys - used in PERC and Appendix B for an overview of how the packet appears - on the wire.) + The PERC Double transform [I-D.ietf-perc-double] enables endpoints to + perform encryption using both the E2E and HBH contexts while still + preserving the same overall interface as other SRTP transforms. The + Media Distributor simply uses the corresponding normal (single) AES- + GCM transform, keyed with the appropriate HBH keys. See Appendix A + for a description of the keys used in PERC and Appendix B for an + overview of how the packet appears on the wire. RTCP can only be encrypted hop-by-hop, not end-to-end. This framework introduces no additional step for RTCP authenticated encryption, so the procedures needed are specified in [RFC3711] and use the same outer, hop-by-hop cryptographic context chosen in the Double operation described above. 4.2. E2E Key Confidentiality To ensure the confidentiality of E2E keys shared between endpoints, @@ -424,21 +424,21 @@ header extensions encrypted with an E2E key. 4.4. HBH Keys and Hop Operations To ensure the integrity of transmitted media packets, this framework requires that every packet be authenticated hop-by-hop (HBH) between an endpoint and a Media Distributor, as well between Media Distributors. The authentication key used for hop-by-hop authentication is derived from an SRTP master key shared only on the respective hop. Each HBH key is distinct per hop and no two hops - ever intentionally use the same SRTP master key. + ever use the same SRTP master key. Using hop-by-hop authentication gives the Media Distributor the ability to change certain RTP header values. Which values the Media Distributor can change in the RTP header are defined in [I-D.ietf-perc-double]. RTCP can only be encrypted HBH, giving the Media Distributor the flexibility to forward RTCP content unchanged, transmit compound RTCP packets or to initiate RTCP packets for reporting statistics or conveying other information. Performing hop- by-hop authentication for all RTP and RTCP packets also helps provide replay protection (see Section 6). @@ -447,41 +447,56 @@ by-hop, an encryption key is derived from the hop-by-hop SRTP master key to encrypt header extensions as per [RFC6904]. This will still give the Media Distributor visibility into header extensions, such as the one used to determine audio level [RFC6464] of conference participants. Note that when RTP header extensions are encrypted, all hops - in the untrusted domain at least - will need to decrypt and re-encrypt these encrypted header extensions. 4.5. Key Exchange + In brief, the keys used by any given endpoints are determined in the + following way: + + o The HBH keys that the endpoint uses to send and receive SRTP media + are derived from a DTLS handshake that the endpoint performs with + the Key Distributor (following normal DTLS-SRTP procedures). + + o The E2E key that an endpoint uses to send SRTP media can either be + set from DTLS or chosen by the endpoint. It is then distributed + to other endpoints in a Full EKT Field, encrypted under an EKTKey + provided to the client by the Key Distributor within the DTLS + channel they negotiated. + + o Each E2E key that an endpoint uses to receive SRTP media is set by + receiving a Full EKT Field from another endpoint. + 4.5.1. Initial Key Exchange and Key Distributor - The procedures defined in DTLS Tunnel for PERC - [I-D.ietf-perc-dtls-tunnel] establish one or more TLS tunnels between - the Media Distributor and Key Distributor, making it is possible for - the Media Distributor to facilitate the establishment of a secure - DTLS association between each endpoint and the Key Distributor as - shown the following figure. The DTLS association between endpoints - and the Key Distributor will enable each endpoint to generate E2E and - HBH keys and receive the Key Encryption Key (KEK) (i.e., EKT Key). - At the same time, the Key Distributor can securely provide the HBH - key information to the Media Distributor. The key information - summarized here may include the SRTP master key, SRTP master salt, - and the negotiated cryptographic transform. + The Media Distributor maintains a tunnel with the Key Distrubutor + (e.g., using [I-D.ietf-perc-dtls-tunnel]), making it possible for the + Media Distributor to facilitate the establishment of a secure DTLS + association between each endpoint and the Key Distributor as shown + the following figure. The DTLS association between endpoints and the + Key Distributor will enable each endpoint to generate E2E and HBH + keys and receive the Key Encryption Key (KEK) (i.e., EKT Key). At + the same time, the Key Distributor can securely provide the HBH key + information to the Media Distributor. The key information summarized + here may include the SRTP master key, SRTP master salt, and the + negotiated cryptographic transform. +-----------+ KEK info | Key | HBH Key info to to Endpoints |Distributor| Endpoints & Media Distributor +-----------+ # ^ ^ # - # | | #-TLS Tunnel + # | | #--- Tunnel # | | # +-----------+ +-----------+ +-----------+ | Endpoint | DTLS | Media | DTLS | Endpoint | | KEK |<------------|Distributor|------------>| KEK | | HBH Key | to Key Dist | HBH Keys | to Key Dist | HBH Key | +-----------+ +-----------+ +-----------+ Figure 2: Exchanging Key Information Between Entities Endpoints will establish a DTLS-SRTP [RFC5764] association over the @@ -489,36 +504,37 @@ exchange with the Key Distributor. The Media Distributor will not terminate the DTLS signaling, but will instead forward DTLS packets received from an endpoint on to the Key Distributor (and vice versa) via a tunnel established between Media Distributor and the Key Distributor. This tunnel is used to encapsulate the DTLS-SRTP signaling between the Key Distributor and endpoints will also be used to convey HBH key information from the Key Distributor to the Media Distributor, so no additional protocol or interface is required. In establishing the DTLS association between endpoints and the Key - Distributor, the endpoint acts as the DTLS client and the Key - Distributor acts as the DTLS server. The Key Encryption Key (KEK) - (i.e., EKT Key) is conveyed by the Key Distributor over the DTLS - association to endpoints via procedures defined in PERC EKT + Distributor, the endpoint MUST act as the DTLS client and the Key + Distributor MUST act as the DTLS server. The Key Encryption Key + (KEK) (i.e., EKT Key) is conveyed by the Key Distributor over the + DTLS association to endpoints via procedures defined in PERC EKT [I-D.ietf-perc-srtp-ekt-diet] via the EKTKey message. Note that following DTLS-SRTP procedures for the [I-D.ietf-perc-double] cipher, the endpoint will generate both E2E and HBH encryption keys and salt values. Endpoints MAY use the DTLS- - SRTP generated E2E key or MAY generate different E2E keys. In either - case, the generated SRTP master salt for E2E encryption MUST be - replaced with the salt value provided by the Key Distributor via the - EKTKey message. That is because every endpoint in the conference - uses the same SRTP master salt. The endpoint only transmits the SRTP - master key (not the salt) used for E2E encryption to other endpoints - in RTP/RTCP packets per [I-D.ietf-perc-srtp-ekt-diet]. + SRTP generated E2E key for transmission or MAY generate a fresh E2E + key. In either case, the generated SRTP master salt for E2E + encryption MUST be replaced with the salt value provided by the Key + Distributor via the EKTKey message. That is because every endpoint + in the conference uses the same SRTP master salt. The endpoint only + transmits the SRTP master key (not the salt) used for E2E encryption + to other endpoints in RTP/RTCP packets per + [I-D.ietf-perc-srtp-ekt-diet]. Media Distributors use DTLS-SRTP [RFC5764] directly with a peer Media Distributor to establish the HBH key for transmitting RTP and RTCP packets to that peer Media Distributor. The Key Distributor does not facilitate establishing a HBH key for use between Media Distributors. 4.5.2. Key Exchange during a Conference Following the initial key information exchange with the Key Distributor, an endpoint will be able to encrypt media end-to-end @@ -550,26 +566,26 @@ re-negotiate HBH keys as desired. If new HBH keys are generated, the new keys are also delivered to the Media Distributor following the procedures defined in [I-D.ietf-perc-dtls-tunnel]. Endpoints are at liberty to change the E2E encryption key used at any time. Endpoints MUST generate a new E2E encryption key whenever it receives a new EKT Key. After switching to a new key, the new key will be conveyed to other endpoints in the conference in RTP/RTCP packets per [I-D.ietf-perc-srtp-ekt-diet]. -5. Entity Trust +5. Authentication It is important to this solution framework that the entities can - trust and validate the authenticity of other entities, especially the - Key Distributor and endpoints. The details of this are outside the - scope of specification but a few possibilities are discussed in the + validate the authenticity of other entities, especially the Key + Distributor and endpoints. The details of this are outside the scope + of specification but a few possibilities are discussed in the following sections. The key requirements is that endpoints can verify they are connected to the correct Key Distributor for the conference and the Key Distributor can verify the endpoints are the correct endpoints for the conference. Two possible approaches to solve this are Identity Assertions and Certificate Fingerprints. 5.1. Identity Assertions @@ -742,107 +758,103 @@ invaluable input on this document. Also, we would like to acknowledge Nermeen Ismail for serving on the initial versions of this document as a co-author. 9. References 9.1. Normative References [I-D.ietf-perc-double] Jennings, C., Jones, P., Barnes, R., and A. Roach, "SRTP - Double Encryption Procedures", draft-ietf-perc-double-07 - (work in progress), September 2017. + Double Encryption Procedures", draft-ietf-perc-double-08 + (work in progress), March 2018. [I-D.ietf-perc-dtls-tunnel] Jones, P., Ellenbogen, P., and N. Ohlmeier, "DTLS Tunnel between a Media Distributor and Key Distributor to - Facilitate Key Exchange", draft-ietf-perc-dtls-tunnel-01 - (work in progress), April 2017. + Facilitate Key Exchange", draft-ietf-perc-dtls-tunnel-02 + (work in progress), October 2017. [I-D.ietf-perc-srtp-ekt-diet] - Jennings, C., Mattsson, J., McGrew, D., and D. Wing, - "Encrypted Key Transport for DTLS and Secure RTP", draft- - ietf-perc-srtp-ekt-diet-05 (work in progress), June 2017. + Jennings, C., Mattsson, J., McGrew, D., Wing, D., and F. + Andreasen, "Encrypted Key Transport for DTLS and Secure + RTP", draft-ietf-perc-srtp-ekt-diet-07 (work in progress), + March 2018. [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, - DOI 10.17487/RFC2119, March 1997, . + DOI 10.17487/RFC2119, March 1997, + . [RFC3550] Schulzrinne, H., Casner, S., Frederick, R., and V. Jacobson, "RTP: A Transport Protocol for Real-Time Applications", STD 64, RFC 3550, DOI 10.17487/RFC3550, July 2003, . [RFC3711] Baugher, M., McGrew, D., Naslund, M., Carrara, E., and K. Norrman, "The Secure Real-time Transport Protocol (SRTP)", RFC 3711, DOI 10.17487/RFC3711, March 2004, . [RFC5764] McGrew, D. and E. Rescorla, "Datagram Transport Layer Security (DTLS) Extension to Establish Keys for the Secure Real-time Transport Protocol (SRTP)", RFC 5764, - DOI 10.17487/RFC5764, May 2010, . + DOI 10.17487/RFC5764, May 2010, + . [RFC6904] Lennox, J., "Encryption of Header Extensions in the Secure Real-time Transport Protocol (SRTP)", RFC 6904, - DOI 10.17487/RFC6904, April 2013, . + DOI 10.17487/RFC6904, April 2013, + . 9.2. Informative References [I-D.ietf-rtcweb-security-arch] Rescorla, E., "WebRTC Security Architecture", draft-ietf- rtcweb-security-arch-13 (work in progress), October 2017. - [I-D.roach-perc-webrtc] - Roach, A., "Using Privacy Enhanced Real-time Conferencing - (PERC) in a WebRTC Context", draft-roach-perc-webrtc-00 - (work in progress), March 2017. - [RFC3261] Rosenberg, J., Schulzrinne, H., Camarillo, G., Johnston, A., Peterson, J., Sparks, R., Handley, M., and E. Schooler, "SIP: Session Initiation Protocol", RFC 3261, - DOI 10.17487/RFC3261, June 2002, . + DOI 10.17487/RFC3261, June 2002, + . [RFC4353] Rosenberg, J., "A Framework for Conferencing with the Session Initiation Protocol (SIP)", RFC 4353, - DOI 10.17487/RFC4353, February 2006, . + DOI 10.17487/RFC4353, February 2006, + . [RFC4474] Peterson, J. and C. Jennings, "Enhancements for Authenticated Identity Management in the Session Initiation Protocol (SIP)", RFC 4474, - DOI 10.17487/RFC4474, August 2006, . + DOI 10.17487/RFC4474, August 2006, + . [RFC4566] Handley, M., Jacobson, V., and C. Perkins, "SDP: Session Description Protocol", RFC 4566, DOI 10.17487/RFC4566, July 2006, . [RFC5763] Fischl, J., Tschofenig, H., and E. Rescorla, "Framework for Establishing a Secure Real-time Transport Protocol (SRTP) Security Context Using Datagram Transport Layer Security (DTLS)", RFC 5763, DOI 10.17487/RFC5763, May 2010, . [RFC6464] Lennox, J., Ed., Ivov, E., and E. Marocco, "A Real-time Transport Protocol (RTP) Header Extension for Client-to- Mixer Audio Level Indication", RFC 6464, - DOI 10.17487/RFC6464, December 2011, . + DOI 10.17487/RFC6464, December 2011, + . [RFC7667] Westerlund, M. and S. Wenger, "RTP Topologies", RFC 7667, - DOI 10.17487/RFC7667, November 2015, . + DOI 10.17487/RFC7667, November 2015, + . Appendix A. PERC Key Inventory PERC specifies the use of a number of different keys and, understandably, it looks complicated or confusing on the surface. This section summarizes the various keys used in the system, how they are generated, and what purpose they serve. The keys are described in the order in which they would typically be acquired. @@ -1055,15 +1067,15 @@ Email: paulej@packetizer.com David Benham Cisco 170 West Tasman Drive San Jose, California 95134 USA Email: dbenham@cisco.com Christian Groves - Huawei + Independent Melbourne Australia Email: Christian.Groves@nteczone.com