draft-ietf-perc-private-media-framework-08.txt   draft-ietf-perc-private-media-framework-09.txt 
Network Working Group P. Jones Network Working Group P. Jones
Internet-Draft Cisco Internet-Draft Cisco
Intended status: Standards Track D. Benham Intended status: Standards Track D. Benham
Expires: July 27, 2019 C. Groves Expires: August 23, 2019 C. Groves
Independent Independent
January 23, 2019 February 19, 2019
A Solution Framework for Private Media in Privacy Enhanced RTP A Solution Framework for Private Media in Privacy Enhanced RTP
Conferencing Conferencing
draft-ietf-perc-private-media-framework-08 draft-ietf-perc-private-media-framework-09
Abstract Abstract
This document describes a solution framework for ensuring that media This document describes a solution framework for ensuring that media
confidentiality and integrity are maintained end-to-end within the confidentiality and integrity are maintained end-to-end within the
context of a switched conferencing environment where media context of a switched conferencing environment where media
distributors are not trusted with the end-to-end media encryption distributors are not trusted with the end-to-end media encryption
keys. The solution aims to build upon existing security mechanisms keys. The solution aims to build upon existing security mechanisms
defined for the real-time transport protocol (RTP). defined for the real-time transport protocol (RTP).
skipping to change at page 1, line 38 skipping to change at page 1, line 38
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on July 27, 2019. This Internet-Draft will expire on August 23, 2019.
Copyright Notice Copyright Notice
Copyright (c) 2019 IETF Trust and the persons identified as the Copyright (c) 2019 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of (https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License. described in the Simplified BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3
2. Conventions Used in This Document . . . . . . . . . . . . . . 3 2. Conventions Used in This Document . . . . . . . . . . . . . . 3
3. PERC Entities and Trust Model . . . . . . . . . . . . . . . . 4 3. PERC Entities and Trust Model . . . . . . . . . . . . . . . . 5
3.1. Untrusted Entities . . . . . . . . . . . . . . . . . . . 5 3.1. Untrusted Entities . . . . . . . . . . . . . . . . . . . 5
3.1.1. Media Distributor . . . . . . . . . . . . . . . . . . 5 3.1.1. Media Distributor . . . . . . . . . . . . . . . . . . 6
3.1.2. Call Processing . . . . . . . . . . . . . . . . . . . 6 3.1.2. Call Processing . . . . . . . . . . . . . . . . . . . 6
3.2. Trusted Entities . . . . . . . . . . . . . . . . . . . . 6 3.2. Trusted Entities . . . . . . . . . . . . . . . . . . . . 7
3.2.1. Endpoint . . . . . . . . . . . . . . . . . . . . . . 7 3.2.1. Endpoint . . . . . . . . . . . . . . . . . . . . . . 7
3.2.2. Key Distributor . . . . . . . . . . . . . . . . . . . 7 3.2.2. Key Distributor . . . . . . . . . . . . . . . . . . . 7
4. Framework for PERC . . . . . . . . . . . . . . . . . . . . . 7 4. Framework for PERC . . . . . . . . . . . . . . . . . . . . . 7
4.1. End-to-End and Hop-by-Hop Authenticated Encryption . . . 7 4.1. End-to-End and Hop-by-Hop Authenticated Encryption . . . 8
4.2. E2E Key Confidentiality . . . . . . . . . . . . . . . . . 9 4.2. E2E Key Confidentiality . . . . . . . . . . . . . . . . . 9
4.3. E2E Keys and Endpoint Operations . . . . . . . . . . . . 9 4.3. E2E Keys and Endpoint Operations . . . . . . . . . . . . 9
4.4. HBH Keys and Per-hop Operations . . . . . . . . . . . . . 9 4.4. HBH Keys and Per-hop Operations . . . . . . . . . . . . . 10
4.5. Key Exchange . . . . . . . . . . . . . . . . . . . . . . 10 4.5. Key Exchange . . . . . . . . . . . . . . . . . . . . . . 10
4.5.1. Initial Key Exchange and Key Distributor . . . . . . 10 4.5.1. Initial Key Exchange and Key Distributor . . . . . . 11
4.5.2. Key Exchange during a Conference . . . . . . . . . . 12 4.5.2. Key Exchange during a Conference . . . . . . . . . . 12
5. Authentication . . . . . . . . . . . . . . . . . . . . . . . 13 5. Authentication . . . . . . . . . . . . . . . . . . . . . . . 13
5.1. Identity Assertions . . . . . . . . . . . . . . . . . . . 13 5.1. Identity Assertions . . . . . . . . . . . . . . . . . . . 13
5.2. Certificate Fingerprints in Session Signaling . . . . . . 13 5.2. Certificate Fingerprints in Session Signaling . . . . . . 14
5.3. Conferences Identification . . . . . . . . . . . . . . . 14 5.3. Conferences Identification . . . . . . . . . . . . . . . 14
6. PERC Keys . . . . . . . . . . . . . . . . . . . . . . . . . . 14 6. PERC Keys . . . . . . . . . . . . . . . . . . . . . . . . . . 14
6.1. Key Inventory and Management Considerations . . . . . . . 14 6.1. Key Inventory and Management Considerations . . . . . . . 15
6.2. DTLS-SRTP Exchange Yields HBH Keys . . . . . . . . . . . 15 6.2. DTLS-SRTP Exchange Yields HBH Keys . . . . . . . . . . . 15
6.3. The Key Distributor Transmits the KEK (EKT Key) . . . . . 16 6.3. The Key Distributor Transmits the KEK (EKT Key) . . . . . 16
6.4. Endpoints fabricate an SRTP Master Key . . . . . . . . . 17 6.4. Endpoints fabricate an SRTP Master Key . . . . . . . . . 17
6.5. Summary of Key Types and Entity Possession . . . . . . . 17 6.5. Summary of Key Types and Entity Possession . . . . . . . 17
7. Encrypted Media Packet Format . . . . . . . . . . . . . . . . 18 7. Encrypted Media Packet Format . . . . . . . . . . . . . . . . 18
8. Security Considerations . . . . . . . . . . . . . . . . . . . 19 8. Security Considerations . . . . . . . . . . . . . . . . . . . 19
8.1. Third Party Attacks . . . . . . . . . . . . . . . . . . . 19 8.1. Third Party Attacks . . . . . . . . . . . . . . . . . . . 19
8.2. Media Distributor Attacks . . . . . . . . . . . . . . . . 20 8.2. Media Distributor Attacks . . . . . . . . . . . . . . . . 20
8.2.1. Denial of service . . . . . . . . . . . . . . . . . . 20 8.2.1. Denial of service . . . . . . . . . . . . . . . . . . 20
8.2.2. Replay Attack . . . . . . . . . . . . . . . . . . . . 20 8.2.2. Replay Attack . . . . . . . . . . . . . . . . . . . . 21
8.2.3. Delayed Playout Attack . . . . . . . . . . . . . . . 21 8.2.3. Delayed Playout Attack . . . . . . . . . . . . . . . 21
8.2.4. Splicing Attack . . . . . . . . . . . . . . . . . . . 21 8.2.4. Splicing Attack . . . . . . . . . . . . . . . . . . . 21
9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 21 8.2.5. RTCP Attacks . . . . . . . . . . . . . . . . . . . . 22
10. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 21 9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 22
10. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 22
11. References . . . . . . . . . . . . . . . . . . . . . . . . . 22 11. References . . . . . . . . . . . . . . . . . . . . . . . . . 22
11.1. Normative References . . . . . . . . . . . . . . . . . . 22 11.1. Normative References . . . . . . . . . . . . . . . . . . 22
11.2. Informative References . . . . . . . . . . . . . . . . . 22 11.2. Informative References . . . . . . . . . . . . . . . . . 23
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 24 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 24
1. Introduction 1. Introduction
Switched conferencing is an increasingly popular model for multimedia Switched conferencing is an increasingly popular model for multimedia
conferences with multiple participants using a combination of audio, conferences with multiple participants using a combination of audio,
video, text, and other media types. With this model, real-time media video, text, and other media types. With this model, real-time media
flows from conference participants are not mixed, transcoded, flows from conference participants are not mixed, transcoded,
transrated, recomposed, or otherwise manipulated by a Media transrated, recomposed, or otherwise manipulated by a Media
Distributor, as might be the case with a traditional media server or Distributor, as might be the case with a traditional media server or
skipping to change at page 3, line 24 skipping to change at page 3, line 26
conference participants are simply forwarded by Media Distributors to conference participants are simply forwarded by Media Distributors to
each of the other participants. Media Distributors often forward each of the other participants. Media Distributors often forward
only a subset of flows based on voice activity detection or other only a subset of flows based on voice activity detection or other
criteria. In some instances, Media Distributors may make limited criteria. In some instances, Media Distributors may make limited
modifications to RTP [RFC3550] headers, for example, but the actual modifications to RTP [RFC3550] headers, for example, but the actual
media content (e.g., voice or video data) is unaltered. media content (e.g., voice or video data) is unaltered.
An advantage of switched conferencing is that Media Distributors can An advantage of switched conferencing is that Media Distributors can
be more easily deployed on general-purpose computing hardware, be more easily deployed on general-purpose computing hardware,
including virtualized environments in private and public clouds. including virtualized environments in private and public clouds.
While virutalized public cloud environments have been viewed as less Virtualized public cloud environments have been viewed as less secure
secure since resources are not always physically controlled by those since resources are not always physically controlled by those who use
who use them and since there are usually several ports open to the them and since there are usually several ports open to the public.
public, this draft aims to improve security so as to lower the This document aims to improve security so as to lower the barrier to
barrier to taking advantage of those environments. taking advantage of those environments.
This document defines a solution framework wherein media privacy is This document defines a solution framework wherein media privacy is
ensured by making it impossible for a media distributor to gain ensured by making it impossible for a media distributor to gain
access to keys needed to decrypt or authenticate the actual media access to keys needed to decrypt or authenticate the actual media
content sent between conference participants. At the same time, the content sent between conference participants. At the same time, the
framework allows for the Media Distributors to modify certain RTP framework allows for the Media Distributors to modify certain RTP
headers; add, remove, encrypt, or decrypt RTP header extensions; and headers; add, remove, encrypt, or decrypt RTP header extensions; and
encrypt and decrypt RTCP packets. The framework also prevents replay encrypt and decrypt RTP Control Protocol (RTCP) [RFC3550] packets.
attacks by authenticating each packet transmitted between a given The framework also prevents replay attacks by authenticating each
participant and the media distributor using a unique key per endpoint packet transmitted between a given participant and the media
that is independent from the key for media encryption and distributor using a unique key per endpoint that is independent from
authentication. the key for media encryption and authentication.
A goal of this document is to define a framework for enhanced privacy A goal of this document is to define a framework for enhanced privacy
in RTP-based conferencing environments while utilizing existing in RTP-based conferencing environments while utilizing existing
security procedures defined for RTP with minimal enhancements. security procedures defined for RTP with minimal enhancements.
2. Conventions Used in This Document 2. Conventions Used in This Document
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in BCP "OPTIONAL" in this document are to be interpreted as described in BCP
skipping to change at page 4, line 18 skipping to change at page 4, line 20
End-to-End (E2E): Communications from one endpoint through one or End-to-End (E2E): Communications from one endpoint through one or
more Media Distributors to the endpoint at the other end. more Media Distributors to the endpoint at the other end.
Hop-by-Hop (HBH): Communications between an endpoint and a Media Hop-by-Hop (HBH): Communications between an endpoint and a Media
Distributor or between Media Distributors. Distributor or between Media Distributors.
Trusted Endpoint: An RTP flow terminating entity that has possession Trusted Endpoint: An RTP flow terminating entity that has possession
of E2E media encryption keys and terminates E2E encryption. This may of E2E media encryption keys and terminates E2E encryption. This may
include embedded user conferencing equipment or browsers on include embedded user conferencing equipment or browsers on
computers, media gateways, MCUs, media recording device and more that computers, media gateways, MCUs, media recording device and more that
are in the trusted domain for a given deployment. are in the trusted domain for a given deployment. In the context of
WebRTC, where control of a session is divided between a JavaScript
application and a browser, the browser acts as the Trusted Endpoint
for purposes of this framework (just as it acts as the endpoint for
DTLS-SRTP [RFC5764] in one-to-one calls).
Media Distributor (MD): An RTP middlebox that forwards endpoint media Media Distributor (MD): An RTP middlebox that forwards endpoint media
content (e.g., voice or video data) unaltered, either a subset or all content (e.g., voice or video data) unaltered, either a subset or all
of the flows at any given time, and is never allowed have access to of the flows at any given time, and is never allowed to have access
E2E encryption keys. It operates according to the Selective to E2E encryption keys. It operates according to the Selective
Forwarding Middlebox RTP topologies [RFC7667] per the constraints Forwarding Middlebox RTP topologies [RFC7667] per the constraints
defined by the PERC system, which includes, but not limited to, defined by the PERC system, which includes, but not limited to,
having no access to RTP media unencrypted and having limits on what having no access to RTP media unencrypted and having limits on what
RTP header field it can alter. RTP header field it can alter. This header fields that may be
modified by a Media Distributor are enumerated in Section 4 of the
Double cryptographic transform specification [I-D.ietf-perc-double]
and chosen with respect to utility and the security considerations
outlined in this document.
Key Distributor: An entity that is a logical function which Key Distributor: An entity that is a logical function which
distributes keying material and related information to trusted distributes keying material and related information to trusted
endpoints and Media Distributor(s), only that which is appropriate endpoints and Media Distributor(s), only that which is appropriate
for each. The Key Distributor might be co-resident with another for each. The Key Distributor might be co-resident with another
entity trusted with E2E keying material. entity trusted with E2E keying material.
Conference: Two or more participants communicating via trusted Conference: Two or more participants communicating via trusted
endpoints to exchange RTP flows through one or more Media endpoints to exchange RTP flows through one or more Media
Distributor. Distributor.
skipping to change at page 7, line 25 skipping to change at page 7, line 34
3.2.2. Key Distributor 3.2.2. Key Distributor
The Key Distributor, which may be colocated with an endpoint or exist The Key Distributor, which may be colocated with an endpoint or exist
standalone, is responsible for providing key information to endpoints standalone, is responsible for providing key information to endpoints
for both end-to-end (E2E) and hop-by-hop (HBH) security and for for both end-to-end (E2E) and hop-by-hop (HBH) security and for
providing key information to Media Distributors for the hop-by-hop providing key information to Media Distributors for the hop-by-hop
security. security.
Interaction between the Key Distributor and the call processing Interaction between the Key Distributor and the call processing
function is necessary to for proper conference-to-endpoint mappings. function is necessary for proper conference-to-endpoint mappings.
This is described in Section 5.3. This is described in Section 5.3.
The Key Distributor needs to be secured and managed in a way to The Key Distributor needs to be secured and managed in a way to
prevent exploitation by an adversary, as any kind of compromise of prevent exploitation by an adversary, as any kind of compromise of
the Key Distributor puts the security of the conference at risk. the Key Distributor puts the security of the conference at risk.
4. Framework for PERC 4. Framework for PERC
The purpose for this framework is to define a means through which The purpose for this framework is to define a means through which
media privacy is ensured when communicating within a conferencing media privacy is ensured when communicating within a conferencing
environment consisting of one or more Media Distributors that only environment consisting of one or more Media Distributors that only
switch, hence not terminate, media. It does not otherwise attempt to switch, hence not terminate, media. It does not otherwise attempt to
hide the fact that a conference between endpoints is taking place. hide the fact that a conference between endpoints is taking place.
This framework reuses several specified RTP security technologies, This framework reuses several specified RTP security technologies,
including SRTP [RFC3711], EKT [I-D.ietf-perc-srtp-ekt-diet], and including Secure Real-time Transport Protocol (SRTP) [RFC3711],
Encrypted Key Transport (EKT) [I-D.ietf-perc-srtp-ekt-diet], and
DTLS-SRTP [RFC5764]. DTLS-SRTP [RFC5764].
4.1. End-to-End and Hop-by-Hop Authenticated Encryption 4.1. End-to-End and Hop-by-Hop Authenticated Encryption
This solution framework focuses on the end-to-end privacy and This solution framework focuses on the end-to-end privacy and
integrity of the participant's media by limiting access to only integrity of the participant's media by limiting access to only
trusted entities to the E2E key used for authenticated end-to-end trusted entities to the E2E key used for authenticated end-to-end
encryption. However, this framework does give a Media Distributor encryption. However, this framework does give a Media Distributor
access to RTP headers and all or most header extensions, as well as access to RTP headers and all or most header extensions, as well as
the ability to modify a certain subset of those headers and to add the ability to modify a certain subset of those headers and to add
skipping to change at page 12, line 35 skipping to change at page 12, line 50
gain access to the KEK information, preventing it from gaining access gain access to the KEK information, preventing it from gaining access
to any endpoint's E2E key and subsequently decrypting media. to any endpoint's E2E key and subsequently decrypting media.
The KEK (i.e., EKT Key) may need to change from time-to-time during The KEK (i.e., EKT Key) may need to change from time-to-time during
the life of a conference, such as when a new participant joins or the life of a conference, such as when a new participant joins or
leaves a conference. Dictating if, when or how often a conference is leaves a conference. Dictating if, when or how often a conference is
to be re-keyed is outside the scope of this document, but this to be re-keyed is outside the scope of this document, but this
framework does accommodate re-keying during the life of a conference. framework does accommodate re-keying during the life of a conference.
When a Key Distributor decides to re-key a conference, it transmits a When a Key Distributor decides to re-key a conference, it transmits a
new EKTKey message [I-D.ietf-perc-srtp-ekt-diet] to each of the new EKTKey message containing the new EKT Key
conference participants containing the new EKT Key. Upon receipt of [I-D.ietf-perc-srtp-ekt-diet] to each of the conference participants.
the new EKT Key, the endpoint MUST create a new SRTP master key and Upon receipt of the new EKT Key, the endpoint MUST create a new SRTP
prepare to send that key inside a Full EKT Field using the new EKT master key and prepare to send that key inside a Full EKT Field using
Key as per Section 4.5 of [I-D.ietf-perc-srtp-ekt-diet]. In order to the new EKT Key as per Section 4.5 of [I-D.ietf-perc-srtp-ekt-diet].
allow time for all endpoints in the conference to receive the new In order to allow time for all endpoints in the conference to receive
keys, the sender should follow the recommendations in Section 4.7 of the new keys, the sender should follow the recommendations in
[I-D.ietf-perc-srtp-ekt-diet]. On receiving a new EKT Key, endpoints Section 4.7 of [I-D.ietf-perc-srtp-ekt-diet]. On receiving a new EKT
MUST be prepared to decrypt EKT tags using the new key. The EKT SPI Key, endpoints MUST be prepared to decrypt EKT tags using the new
field is used to differentiate between tags encrypted with the old key. The EKT SPI field is used to differentiate between tags
and new keys. encrypted with the old and new keys.
After re-keying, an endpoint SHOULD retain prior SRTP master keys and After re-keying, an endpoint SHOULD retain prior SRTP master keys and
EKT Key for a period of time sufficient for the purpose of ensuring EKT Key for a period of time sufficient for the purpose of ensuring
it can decrypt late-arriving or out-of-order packets or packets sent it can decrypt late-arriving or out-of-order packets or packets sent
by other endpoints that used the prior keys for a period of time by other endpoints that used the prior keys for a period of time
after re-keying began. An endpoint MAY retain old keys until the end after re-keying began. An endpoint MAY retain old keys until the end
of the conference. of the conference.
Endpoints MAY follow the procedures in section 5.2 of [RFC5764] to Endpoints MAY follow the procedures in section 5.2 of [RFC5764] to
renegotiate HBH keys as desired. If new HBH keys are generated, the renegotiate HBH keys as desired. If new HBH keys are generated, the
skipping to change at page 14, line 7 skipping to change at page 14, line 20
and the Key Distributor. and the Key Distributor.
5.2. Certificate Fingerprints in Session Signaling 5.2. Certificate Fingerprints in Session Signaling
Entities managing session signaling are generally assumed to be Entities managing session signaling are generally assumed to be
untrusted in the PERC framework. However, there are some deployment untrusted in the PERC framework. However, there are some deployment
scenarios where parts of the session signaling may be assumed scenarios where parts of the session signaling may be assumed
trustworthy for the purposes of exchanging, in a manner that can be trustworthy for the purposes of exchanging, in a manner that can be
authenticated, the fingerprint of an entity's certificate. authenticated, the fingerprint of an entity's certificate.
As a concrete example, SIP [RFC3261] and SDP [RFC4566] can be used to As a concrete example, SIP [RFC3261] and Session Description Protocol
convey the fingerprint information per [RFC5763]. An endpoint's SIP (SDP) [RFC4566] can be used to convey the fingerprint information per
User Agent would send an INVITE message containing SDP for the media [RFC5763]. An endpoint's SIP User Agent would send an INVITE message
session along with the endpoint's certificate fingerprint, which can containing SDP for the media session along with the endpoint's
be signed using the procedures described in [RFC8224] for the benefit certificate fingerprint, which can be signed using the procedures
of forwarding the message to other entities by the Focus [RFC4353]. described in [RFC8224] for the benefit of forwarding the message to
Other entities can verify the fingerprints match the certificates other entities by the Focus [RFC4353]. Other entities can verify the
found in the DTLS-SRTP connections to find the identity of the far fingerprints match the certificates found in the DTLS-SRTP
end of the DTLS-SRTP connection and verify that is the authorized connections to find the identity of the far end of the DTLS-SRTP
entity. connection and verify that is the authorized entity.
Ultimately, if using session signaling, an endpoint's certificate Ultimately, if using session signaling, an endpoint's certificate
fingerprint would need to be securely mapped to a user and conveyed fingerprint would need to be securely mapped to a user and conveyed
to the Key Distributor so that it can check that that user is to the Key Distributor so that it can check that that user is
authorized. Similarly, the Key Distributor's certificate fingerprint authorized. Similarly, the Key Distributor's certificate fingerprint
can be conveyed to endpoint in a manner that can be authenticated as can be conveyed to endpoint in a manner that can be authenticated as
being an authorized Key Distributor for this conference. being an authorized Key Distributor for this conference.
5.3. Conferences Identification 5.3. Conferences Identification
The Key Distributor needs to know what endpoints are being added to a The Key Distributor needs to know what endpoints are being added to a
given conference. Thus, the Key Distributor and the Media given conference. Thus, the Key Distributor and the Media
Distributor need to know endpoint-to-conference mappings, which is Distributor need to know endpoint-to-conference mappings, which is
enabled by exchanging a conference-specific unique identifier defined enabled by exchanging a conference-specific unique identifier defined
in [I-D.ietf-perc-dtls-tunnel]. How this unique identifier is in [I-D.ietf-perc-dtls-tunnel]. How this unique identifier is
assigned is outside the scope of this document. assigned is outside the scope of this document.
6. PERC Keys 6. PERC Keys
This section describes the various keys employed by PERC, how they This section describes the various keys employed by PERC.
are derived, conveyed, and so forth.
6.1. Key Inventory and Management Considerations 6.1. Key Inventory and Management Considerations
This section summarizes the several different keys used in the PERC This section summarizes the several different keys used in the PERC
framework, how they are generated, and what purpose they serve. framework, how they are generated, and what purpose they serve.
The keys are described in the order in which they would typically be The keys are described in the order in which they would typically be
acquired. acquired.
The various keys used in PERC are shown in Figure 4 below. The various keys used in PERC are shown in Figure 4 below.
+-----------+----------------------------------------------------+ +-----------+----------------------------------------------------+
| Key | Description | | Key | Description |
+-----------+----------------------------------------------------+ +-----------+----------------------------------------------------+
| KEK | Key shared by all endpoints and used to encrypt | | KEK | Key shared by all endpoints and used to encrypt |
| (EKT Key) | each endpoint's SRTP master key so receiving | | (EKT Key) | each endpoint's E2E SRTP master key so receiving |
| | endpoints can decrypt media. | | | endpoints can decrypt media. |
+-----------+----------------------------------------------------+ +-----------+----------------------------------------------------+
| HBH Key | Key used to encrypt media hop-by-hop. | | HBH Key | SRTP master key used to encrypt media hop-by-hop. |
+-----------+----------------------------------------------------+ +-----------+----------------------------------------------------+
| E2E Key | Key used to encrypt media end-to-end. | | E2E Key | SRTP master key used to encrypt media end-to-end. |
+-----------+----------------------------------------------------+ +-----------+----------------------------------------------------+
Figure 4: Key Inventory Figure 4: Key Inventory
While the number key types is very small, it should be understood While the number of key types is very small, it should be understood
that the actual number of distinct keys can be large as the that the actual number of distinct keys can be large as the
conference grows in size. conference grows in size.
As an example, with 1,000 participants in a conference, there would As an example, with 1,000 participants in a conference, there would
be at least 1,000 distinct SRTP master keys, all of which share the be at least 1,000 distinct SRTP master keys, all of which share the
same master salt. Each of those keys are passed through the KDF same master salt. Each of those keys are passed through the KDF
defined in [RFC3711] to produce the actual encryption and defined in [RFC3711] to produce the actual encryption and
authentication keys. authentication keys.
Complicating key management is the fact that the KEK can change and, Complicating key management is the fact that the KEK can change and,
skipping to change at page 17, line 8 skipping to change at page 17, line 13
specified via the EKTKey message (e.g., AES Key Wrap with a 128-bit specified via the EKTKey message (e.g., AES Key Wrap with a 128-bit
key). This cipher is different than the cipher used to protect media key). This cipher is different than the cipher used to protect media
and is only used to encrypt the endpoint's SRTP master key (and other and is only used to encrypt the endpoint's SRTP master key (and other
EKT Tag data as per [I-D.ietf-perc-srtp-ekt-diet]). EKT Tag data as per [I-D.ietf-perc-srtp-ekt-diet]).
The media distributor is not given the KEK (i.e., EKT Key). The media distributor is not given the KEK (i.e., EKT Key).
6.4. Endpoints fabricate an SRTP Master Key 6.4. Endpoints fabricate an SRTP Master Key
As stated earlier, the E2E key determined via DTLS-SRTP MAY be As stated earlier, the E2E key determined via DTLS-SRTP MAY be
discarded in favor of a locally-generated SRTP master key. While the discarded in favor of a locally-generated E2E SRTP master key. While
DTLS-SRTP-derived SRTP master key can be used initially, the endpoint the DTLS-SRTP-derived SRTP master key can be used initially, the
might choose to change the SRTP master key periodically and MUST endpoint might choose to change the SRTP master key periodically and
change the SRTP master key as a result of the EKT key changing. MUST change the SRTP master key as a result of the EKT key changing.
A locally-generated SRTP master key is used along with the master A locally-generated SRTP master key is used along with the master
salt transmitted to the endpoint from the key distributor via the salt transmitted to the endpoint from the key distributor via the
EKTKey message to encrypt media end-to-end. EKTKey message to encrypt media end-to-end.
Since the media distributor is not involved in E2E functions, it does Since the media distributor is not involved in E2E functions, it does
not create this key nor have access to any endpoint's E2E key. Note, not create this key nor have access to any endpoint's E2E key. Note,
too, that even the key distributor is unaware of the locally- too, that even the key distributor is unaware of the locally-
generated E2E keys used by each endpoint. generated E2E keys used by each endpoint.
skipping to change at page 19, line 50 skipping to change at page 19, line 50
8. Security Considerations 8. Security Considerations
8.1. Third Party Attacks 8.1. Third Party Attacks
On-path attacks are mitigated by hop-by-hop integrity protection and On-path attacks are mitigated by hop-by-hop integrity protection and
encryption. The integrity protection mitigates packet modification encryption. The integrity protection mitigates packet modification
and encryption makes selective blocking of packets harder, but not and encryption makes selective blocking of packets harder, but not
impossible. impossible.
Off-path attackers may try connecting to different PERC entities and Off-path attackers could try connecting to different PERC entities
send specifically crafted packets. A successful attacker might be and send specifically crafted packets. Endpoints and Media
able to get the Media Distributor to forward such packets. The Media Distributors mitigate such an attack by performing hop-by-hop
Distributor mitigates such an attack by performing hop-by-hop
authentication and discarding packets that fail authentication. authentication and discarding packets that fail authentication.
Another potential attack is a third party claiming to be a Media Another attack vector is a third party claiming to be a Media
Distributor, fooling endpoints in to sending packets to the false Distributor, fooling endpoints into sending packets to the false
Media Distributor instead of the correct one. The deceived sending Media Distributor instead of the correct one. The deceived sending
endpoints could incorrectly assuming their packets have been endpoints could incorrectly assume their packets have been delivered
delivered to endpoints when they in fact have not. Further, the to endpoints when they in fact have not. While this attack is
false Media Distributor may cascade to another legitimate Media possible, the result is a simple denial of service with no leakage of
Distributor creating a false version of the real conference. confidential information, since the false Media Distributor would not
have access to either HBH or E2E encryption keys.
This attack is be mitigated by the false Media Distributor not being If mutual DTLS authentication is not employed, a false Media
authenticated by the Key Distributor. They Key Distributor will fail Distributor could cascade to another legitimate Media Distributor
to establish the secure association with the endpoint if the Media that is part of a larger conference. However, this scenario will
Distributor cannot be authenticated. also produce no positive results for the false Media Distributor
since it would not have access to keying material.
A third party could cause a denial-of-service by transmitting many
bogus or replayed packets toward receiving devices that ultimately
degrade conference or device performance. Therefore, implementations
might wish to devise mechanisms to safeguard against such
illegitimate packets, such as utilizing rate-limiting or performing
basic sanity-checks on packets (e.g., looking at packet length or
expected sequence number ranges) before performing more expensive
decryption operations.
8.2. Media Distributor Attacks 8.2. Media Distributor Attacks
The Media Distributor can attack the session in a number of possible A malicious or compromised Media Distributor can attack the session
ways. in a number of possible ways.
8.2.1. Denial of service 8.2.1. Denial of service
A simple form of attack is discarding received packets that should be A simple form of attack is discarding received packets that should be
forwarded. This solution framework does not introduce any mitigation forwarded. This solution framework does not introduce any mitigation
for Media Distributors that fail to forward media packets. for Media Distributors that fail to forward media packets.
Another form of attack is modifying received packets before Another form of attack is modifying received packets before
forwarding. With this solution framework, any modification of the forwarding. With this solution framework, any modification of the
end-to-end authenticated data results in the receiving endpoint end-to-end authenticated data results in the receiving endpoint
skipping to change at page 20, line 46 skipping to change at page 21, line 9
The Media Distributor can also attempt to perform resource The Media Distributor can also attempt to perform resource
consumption attacks on the receiving endpoint. One such attack would consumption attacks on the receiving endpoint. One such attack would
be to insert random SSRC/CSRC values in any RTP packet with an inband be to insert random SSRC/CSRC values in any RTP packet with an inband
key-distribution message attached (i.e., Full EKT Tag). Since such a key-distribution message attached (i.e., Full EKT Tag). Since such a
message would trigger the receiver to form a new cryptographic message would trigger the receiver to form a new cryptographic
context, the Media Distributor can attempt to consume the receiving context, the Media Distributor can attempt to consume the receiving
endpoints resources. While E2E authentication would fail and the endpoints resources. While E2E authentication would fail and the
cryptographic context would be destroyed, the key derivation cryptographic context would be destroyed, the key derivation
operation would nonetheless consume some computational resources. operation would nonetheless consume some computational resources.
While resource consumption attacks cannot be mitigated entirely,
rate-limiting packets might help reduce the impact of such attacks.
8.2.2. Replay Attack 8.2.2. Replay Attack
A replay attack is when an already received packets from a previous A replay attack is when an already received packet from a previous
point in the RTP stream is replayed as new packet. This could, for point in the RTP stream is replayed as new packet. This could, for
example, allow a Media Distributor to transmit a sequence of packets example, allow a Media Distributor to transmit a sequence of packets
identified as a user saying "yes", instead of the "no" the user identified as a user saying "yes", instead of the "no" the user
actually said. actually said.
The mitigation for a replay attack is to prevent old packets beyond a The mitigation for a replay attack is to implement replay protection
small-to-modest jitter and network re-ordering sized window to be as described in Section 3.3.2 of [RFC3711]. End-to-end replay
rejected. End-to-end replay protection MUST be provided for the protection MUST be provided for the whole duration of the conference.
whole duration of the conference.
8.2.3. Delayed Playout Attack 8.2.3. Delayed Playout Attack
The delayed playout attack is a variant of the replay attack. This The delayed playout attack is a variant of the replay attack. This
attack is possible even if E2E replay protection is in place. attack is possible even if E2E replay protection is in place.
However, due to fact that the Media Distributor is allowed to select However, due to fact that the Media Distributor is allowed to select
a sub-set of streams and not forward the rest to a receiver, such as a subset of streams and not forward the rest to a receiver, such as
in forwarding only the most active speakers, the receiver has to in forwarding only the most active speakers, the receiver has to
accept gaps in the E2E packet sequence. The issue with this is that accept gaps in the E2E packet sequence. The issue with this is that
a Media Distributor can select to not deliver a particular stream for a Media Distributor can select to not deliver a particular stream for
a while. a while.
Within the window from last packet forwarded to the receiver and the Within the window from last packet forwarded to the receiver and the
latest received by the Media Distributor, the Media Distributor can latest received by the Media Distributor, the Media Distributor can
select an arbitrary starting point when resuming forwarding packets. select an arbitrary starting point when resuming forwarding packets.
Thus what the media source said can be substantially delayed at the Thus what the media source said can be substantially delayed at the
receiver with the receiver believing that it is what was said just receiver with the receiver believing that it is what was said just
now, and only delayed due to transport delay. now, and only delayed due to transport delay.
8.2.4. Splicing Attack 8.2.4. Splicing Attack
The splicing attack is an attack where a Media Distributor receiving A splicing attack is an attack where a Media Distributor receiving
multiple media sources splices one media stream into the other. If multiple media sources splices one media stream into the other. If
the Media Distributor is able to change the SSRC without the receiver the Media Distributor were able to change the SSRC without the
having any method for verifying the original source ID, then the receiver having any method for verifying the original source ID, then
Media Distributor could first deliver stream A and then later forward the Media Distributor could first deliver stream A and then later
stream B under the same SSRC as stream A was previously using. By forward stream B under the same SSRC as stream A was previously
not allowing the Media Distributor to change the SSRC, PERC mitigates using. By including the SSRC in the integrity check for each packet,
this attack. both HBH and E2E, PERC prevents splicing attacks.
8.2.5. RTCP Attacks
PERC does not provide end-to-end protection of RTCP messages. This
allows a compromised Media Distributor to impact any message that
might be transmitted via RTCP, including media statistics, picture
requests, or loss indication. It is also possible for a compromised
Media Distributor to forge requests, such as requests to the endpoint
to send a new picture. Such requests can consume significant
bandwidth and impair conference performance.
9. IANA Considerations 9. IANA Considerations
There are no IANA considerations for this document. There are no IANA considerations for this document.
10. Acknowledgments 10. Acknowledgments
The authors would like to thank Mo Zanaty and Christian Oien for The authors would like to thank Mo Zanaty, Christian Oien, and
invaluable input on this document. Also, we would like to Richard Barnes for invaluable input on this document. Also, we would
acknowledge Nermeen Ismail for serving on the initial versions of like to acknowledge Nermeen Ismail for serving on the initial
this document as a co-author. versions of this document as a co-author. We would also like to
acknowledge John Mattsson, Mats Naslund, and Magnus Westerlund for
providing some of the text in the document, including much of the
original text in the security considerations section.
11. References 11. References
11.1. Normative References 11.1. Normative References
[I-D.ietf-perc-double] [I-D.ietf-perc-double]
Jennings, C., Jones, P., Barnes, R., and A. Roach, "SRTP Jennings, C., Jones, P., Barnes, R., and A. Roach, "SRTP
Double Encryption Procedures", draft-ietf-perc-double-10 Double Encryption Procedures", draft-ietf-perc-double-10
(work in progress), October 2018. (work in progress), October 2018.
skipping to change at page 22, line 30 skipping to change at page 23, line 5
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997, DOI 10.17487/RFC2119, March 1997,
<https://www.rfc-editor.org/info/rfc2119>. <https://www.rfc-editor.org/info/rfc2119>.
[RFC3550] Schulzrinne, H., Casner, S., Frederick, R., and V. [RFC3550] Schulzrinne, H., Casner, S., Frederick, R., and V.
Jacobson, "RTP: A Transport Protocol for Real-Time Jacobson, "RTP: A Transport Protocol for Real-Time
Applications", STD 64, RFC 3550, DOI 10.17487/RFC3550, Applications", STD 64, RFC 3550, DOI 10.17487/RFC3550,
July 2003, <https://www.rfc-editor.org/info/rfc3550>. July 2003, <https://www.rfc-editor.org/info/rfc3550>.
[RFC3711] Baugher, M., McGrew, D., Naslund, M., Carrara, E., and K.
Norrman, "The Secure Real-time Transport Protocol (SRTP)",
RFC 3711, DOI 10.17487/RFC3711, March 2004,
<https://www.rfc-editor.org/info/rfc3711>.
[RFC6904] Lennox, J., "Encryption of Header Extensions in the Secure [RFC6904] Lennox, J., "Encryption of Header Extensions in the Secure
Real-time Transport Protocol (SRTP)", RFC 6904, Real-time Transport Protocol (SRTP)", RFC 6904,
DOI 10.17487/RFC6904, April 2013, DOI 10.17487/RFC6904, April 2013,
<https://www.rfc-editor.org/info/rfc6904>. <https://www.rfc-editor.org/info/rfc6904>.
[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
May 2017, <https://www.rfc-editor.org/info/rfc8174>. May 2017, <https://www.rfc-editor.org/info/rfc8174>.
11.2. Informative References 11.2. Informative References
[I-D.ietf-perc-dtls-tunnel] [I-D.ietf-perc-dtls-tunnel]
Jones, P., Ellenbogen, P., and N. Ohlmeier, "DTLS Tunnel Jones, P., Ellenbogen, P., and N. Ohlmeier, "DTLS Tunnel
between a Media Distributor and Key Distributor to between a Media Distributor and Key Distributor to
Facilitate Key Exchange", draft-ietf-perc-dtls-tunnel-04 Facilitate Key Exchange", draft-ietf-perc-dtls-tunnel-04
(work in progress), October 2018. (work in progress), October 2018.
[I-D.ietf-rtcweb-security-arch] [I-D.ietf-rtcweb-security-arch]
Rescorla, E., "WebRTC Security Architecture", draft-ietf- Rescorla, E., "WebRTC Security Architecture", draft-ietf-
rtcweb-security-arch-17 (work in progress), November 2018. rtcweb-security-arch-18 (work in progress), February 2019.
[RFC3261] Rosenberg, J., Schulzrinne, H., Camarillo, G., Johnston, [RFC3261] Rosenberg, J., Schulzrinne, H., Camarillo, G., Johnston,
A., Peterson, J., Sparks, R., Handley, M., and E. A., Peterson, J., Sparks, R., Handley, M., and E.
Schooler, "SIP: Session Initiation Protocol", RFC 3261, Schooler, "SIP: Session Initiation Protocol", RFC 3261,
DOI 10.17487/RFC3261, June 2002, DOI 10.17487/RFC3261, June 2002,
<https://www.rfc-editor.org/info/rfc3261>. <https://www.rfc-editor.org/info/rfc3261>.
[RFC3711] Baugher, M., McGrew, D., Naslund, M., Carrara, E., and K.
Norrman, "The Secure Real-time Transport Protocol (SRTP)",
RFC 3711, DOI 10.17487/RFC3711, March 2004,
<https://www.rfc-editor.org/info/rfc3711>.
[RFC4353] Rosenberg, J., "A Framework for Conferencing with the [RFC4353] Rosenberg, J., "A Framework for Conferencing with the
Session Initiation Protocol (SIP)", RFC 4353, Session Initiation Protocol (SIP)", RFC 4353,
DOI 10.17487/RFC4353, February 2006, DOI 10.17487/RFC4353, February 2006,
<https://www.rfc-editor.org/info/rfc4353>. <https://www.rfc-editor.org/info/rfc4353>.
[RFC4566] Handley, M., Jacobson, V., and C. Perkins, "SDP: Session [RFC4566] Handley, M., Jacobson, V., and C. Perkins, "SDP: Session
Description Protocol", RFC 4566, DOI 10.17487/RFC4566, Description Protocol", RFC 4566, DOI 10.17487/RFC4566,
July 2006, <https://www.rfc-editor.org/info/rfc4566>. July 2006, <https://www.rfc-editor.org/info/rfc4566>.
[RFC5763] Fischl, J., Tschofenig, H., and E. Rescorla, "Framework [RFC5763] Fischl, J., Tschofenig, H., and E. Rescorla, "Framework
 End of changes. 45 change blocks. 
102 lines changed or deleted 136 lines changed or added

This html diff was produced by rfcdiff 1.47. The latest version is available from http://tools.ietf.org/tools/rfcdiff/