AVT Working Group D. McGrew Internet-Draft D. Wing Intended status: Standards Track Cisco Expires: April 24, 2014 J. Foley Cisco Systems October 21, 2013 Using Authenticated Encryption with Replay prOtection (AERO) in SRTP draft-mcgrew-srtp-aero-01 Abstract Authenticated Encryption with Replay prOtection (AERO) is a cryptographic technique that provides all of the security services that are used in the Secure Real-time Transport Protocol (SRTP). This note describes how to use AERO in SRTP. AERO has minimal data expansion, avoids the need to manage implicit state, and provides strong misuse resistance. These properties make it an ideal cryptographic transform for SRTP, as it enables SRTP to easily handle multiple senders sharing the same key, multiple receivers with late- joiners in a session, decentralized conferences with minimal control, and mixers that selectively forward RTP traffic. RTP architectures that utilize AERO can use the normal SSRC collision detection mechanism, and can ignore problematic SRTP artifacts such as the Roll-Over Counter (ROC) and Initial Sequence Number. Status of this Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at http://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." This Internet-Draft will expire on April 24, 2014. Copyright Notice Copyright (c) 2013 IETF Trust and the persons identified as the document authors. All rights reserved. McGrew, et al. Expires April 24, 2014 [Page 1] Internet-Draft AERO SRTP October 2013 This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 1.1. Conventions Used In This Document . . . . . . . . . . . . 3 1.2. History . . . . . . . . . . . . . . . . . . . . . . . . . 4 2. SRTP AERO . . . . . . . . . . . . . . . . . . . . . . . . . . 5 2.1. Encryption . . . . . . . . . . . . . . . . . . . . . . . . 5 2.2. Decryption . . . . . . . . . . . . . . . . . . . . . . . . 6 2.3. Contexts . . . . . . . . . . . . . . . . . . . . . . . . . 7 3. Secure RTCP . . . . . . . . . . . . . . . . . . . . . . . . . 8 3.1. Encryption . . . . . . . . . . . . . . . . . . . . . . . . 8 3.2. Decryption . . . . . . . . . . . . . . . . . . . . . . . . 8 4. SRTP crypto suites . . . . . . . . . . . . . . . . . . . . . . 10 4.1. AERO_AES_128_XCB_80 . . . . . . . . . . . . . . . . . . . 10 4.2. AERO_AES_128_XCB_32 . . . . . . . . . . . . . . . . . . . 10 4.3. AERO_AES_256_XCB_128 . . . . . . . . . . . . . . . . . . . 11 5. Rationale . . . . . . . . . . . . . . . . . . . . . . . . . . 12 5.1. Comparison to other approaches . . . . . . . . . . . . . . 12 6. Security Considerations . . . . . . . . . . . . . . . . . . . 13 6.1. SSRC collisions . . . . . . . . . . . . . . . . . . . . . 13 6.2. Key scope . . . . . . . . . . . . . . . . . . . . . . . . 13 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 14 8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 15 9. References . . . . . . . . . . . . . . . . . . . . . . . . . . 16 9.1. Normative References . . . . . . . . . . . . . . . . . . . 16 9.2. Informative References . . . . . . . . . . . . . . . . . . 16 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 17 McGrew, et al. Expires April 24, 2014 [Page 2] Internet-Draft AERO SRTP October 2013 1. Introduction RTP is designed to allow decentralized groups with minimal control to establish sessions, such as for multimedia conferences. Unfortunately, Secure RTP (SRTP [RFC3711]) cannot be used in many minimal-control scenarios, because it requires that SSRC values and other data be coordinated among all of the participants in a session. For example, if a participant joins a session that is already in progress, the SRTP Roll-Over Counter (ROC) of each SRTP source in the session needs to be provided to that participant. The inability of SRTP to work in the absence of central control was well understood during the design of that protocol; that omission was considered less important than optimizations such as bandwidth conservation. Additionally, in many situations SRTP is used in conjunction with a signaling system that can provide much of the central control needed by SRTP. However, there are several cases in which conventional signaling systems cannot easily provide all of the coordination required. It is also desirable to eliminate the layer violations that occur when signaling systems coordinate certain SRTP parameters, such as SSRC values and ROCs. These issues are due to the particular cryptographic techniques used in SRTP, specifically a partially-implicit sequence number that is utilized for counter mode encryption, for replay protection, and for determining when re-keying should occur. Authenticated Encryption with Replay prOtection (AERO) [I-D.mcgrew-aero] is a cryptographic technique that provides confidentiality, authentication, and replay protection; it is a stateful and self-synchronizing authenticated encryption method. It has minimal data expansion, avoids the need to manage implicit state, and provides strong misuse resistance. This document defines how AERO can be used in SRTP as a replacement for the default transforms of [RFC3711] in a way that avoids all of the issues identified above. This document is organized as follows. Packet processing and contexts are described in Section 2 and Section 3. A rationale for the design is offered in Section 5. Security Considerations are provided in Section 6, and IANA considerations are provided in Section 7. 1.1. Conventions Used In This Document The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119]. McGrew, et al. Expires April 24, 2014 [Page 3] Internet-Draft AERO SRTP October 2013 1.2. History This section describes the evolution of this document as an Internet Draft, and it should be removed by the RFC Editor prior to publication as an RFC. This is the initial version of this note. As it uses a cryptographic technique that was published recently, it may evolve over time as that technique is reviewed and experience is gained in its usage. Thus, while we encourage the implementation of the crypto suites specified in this note as the best way to obtain experience with their use in RTP architectures, we also expect that there may be changes to these crypto suites over time. McGrew, et al. Expires April 24, 2014 [Page 4] Internet-Draft AERO SRTP October 2013 2. SRTP AERO The Secure Real-time Transport Protocol (SRTP) [RFC3711] is a profile of the Real-time Transport Protocol (RTP) that can provide confidentiality, message authentication, and replay protection to the RTP traffic and to the control traffic for RTP, the Real-time Transport Control Protocol (RTCP). SRTP provides a framework for the encryption and message authentication of RTP and RTCP streams. Default cryptographic transforms are defined in [RFC3711], while the framework supports the addition of new cryptographic transforms. The note describes how to use Authenticated Encryption with Replay prOtection (AERO) [I-D.mcgrew-aero] in SRTP, which we refer to as SRTP-AERO. All three security services - confidentiality, message authentication, and replay protection - are always provided with SRTP-AERO; none of those services is optional. The SRTP framework includes provisions for separate encryption and authentication transforms; when AERO is used, it is considered an encryption transform and there MUST NOT be a separate authentication transform. This description mainly consists of how AERO encryption inputs and outputs are mapped to RTP and SRTP packets, respectively, how AERO decryption inputs and outputs are mapped to SRTP and RTP packets, respectively, and how the AERO context is stored in the SRTP context. A similar description is provided for SRTCP. The security considerations are different from those in [RFC3711] (and are rather less stringent). With SRTP-AERO, the normal RTP SSRC collision detection and repair process can be followed. This is in contrast to SRTP with the default transforms, which relies on external mechanisms to coordinate SSRC values. AERO is an Authenticated Encryption with Associated Data (AEAD) method, and thus SRTP-AERO processing is similar to that of [I-D.ietf-avtcore-srtp-aes-gcm]. 2.1. Encryption To protect an RTP packet using AERO, the inputs to the encryption operation are as follows: The associated data A is set to the RTP header, including the CSRC identifiers (if present), and the RTP header extension (if present). (In Figure 1 of [RFC3711], this consists of the part of the Authenticated Portion of the packet that does not overlap with the Encrypted Portion.) McGrew, et al. Expires April 24, 2014 [Page 5] Internet-Draft AERO SRTP October 2013 The plaintext is set to the RTP payload, RTP padding, and RTP pad count. (In Figure 1 of [RFC3711], this is the Encrypted Portion.) The secret key K is set to the AERO key in the SRTP context. The ciphertext returned by that operation replaces the plaintext in the RTP packet. Note that the ciphertext will be longer than the plaintext. AERO does not include a separate authentication tag, and thus this field is omitted from the SRTP packet; it MUST NOT be present. This omission simplifies this specification (see Section 5). A Master Key Indicator (MKI) field MAY be present after the ciphertext; this field is optional in [RFC3711] and its usage is unchanged by this specification. 2.2. Decryption To decrypt an SRTP packet using AERO, the inputs to the decryption operation are as follows: The associated data A is set as in SRTP encryption Section 2.1. The ciphertext C is set as follows. It starts and the end of the RTP header extension, if that field is present. If it is not, then it starts at the end of the last CSRC identifier, if any CSRC identifiers are present. Otherwise, it starts at the end of the SSRC identifier. If an MKI is in use, then the ciphertext ends at the start of the MKI. Otherwise, the ciphertext ends at the end of the RTP packet. The secret key K is set to the AERO key in the SRTP context. If the decryption operation returns the symbol FAIL, then the SRTP packet is either a forgery attempt or a replay, and the packet MUST be discarded from further processing and the event MAY be logged. Otherwise, an RTP packet is formed from the SRTP packet and the plaintext returned by the decryption operation, by replacing the ciphertext with the plaintext, and discarding the MKI field if one is present. Steps 2 and the replay checking in Step 5 of the decryption processing in Section 3.4 of [RFC3711] SHOULD NOT be performed, since it is unnecessary. The SRTP packet index used in Step 3 to determine the master key and salt SHOULD be set to the sequence number returned by the AERO decryption operation. McGrew, et al. Expires April 24, 2014 [Page 6] Internet-Draft AERO SRTP October 2013 2.3. Contexts The AERO context is stored in the transform-dependent parameters of the SRTP context, as the SRTP encryption transform. That is, the identifier for the encryption algorithm describes the particular AERO algorithm that is in use. When AERO is used, an SRTP implementation MAY omit the following transform-independent parameters: the ROC, the replay list maintained by an SRTP/SRTCP receiver, and the identifier for the message authentication algorithm. The ROC and replay list are not needed because AERO provides replay protection, and the message authentication algorithm identifier is not needed because AERO provides that security service. McGrew, et al. Expires April 24, 2014 [Page 7] Internet-Draft AERO SRTP October 2013 3. Secure RTCP The use of AERO in SRTCP follows that in SRTP. 3.1. Encryption To protect an RTCP packet using AERO, the inputs to the encryption operation are as follows: The associated data A is set to the RTCP header, including all of the fields starting with the Version and up to and including the SSRC of the sender. The plaintext is set to the remaining part of the RTCP packet. The secret key K is set to the AERO key in the SRTCP context. The ciphertext returned by that operation replaces the plaintext in the RTCP packet. Note that the ciphertext will be longer than the plaintext. AERO does not include a separate authentication tag, and thus this field is omitted from the SRTCP packet; it MUST NOT be present (see Section 5 for the rationale). A Master Key Indicator (MKI) field MAY be present after the ciphertext; this field is optional in [RFC3711] and its usage is unchanged by this specification. The "E" flag and the SRTCP index MUST NOT be included in the SRTCP packet. 3.2. Decryption To decrypt an SRTCP packet using AERO, the inputs to the decryption operation are as follows: The associated data A is set as in SRTCP encryption Section 2.1. The ciphertext C consists of all of the data after the associated data, to the end of the packet. The secret key K is set to the AERO key in the SRTCP context. If the decryption operation returns the symbol FAIL, then the SRTCP packet is either a forgery attempt or a replay, and the packet MUST be discarded from further processing and the event MAY be logged. Otherwise, an RTCP packet is formed from the SRTCP packet and the McGrew, et al. Expires April 24, 2014 [Page 8] Internet-Draft AERO SRTP October 2013 plaintext returned by the decryption operation, by replacing the ciphertext with the plaintext, and discarding the MKI field if one is present. McGrew, et al. Expires April 24, 2014 [Page 9] Internet-Draft AERO SRTP October 2013 4. SRTP crypto suites This section defines some crypto suites for use in SRTP, which can be signaled by DTLS-SRTP [RFC5764], SDP Security Descriptions [RFC4568] or MIKEY [RFC3830]. The use of these crypto suites in SDP Security Descriptions is straightforward; the particular crypto suite to be used is specified by the "crypto-suite" parameter. Their use in DTLS-SRTP is similarly straightforward; each crypto suite is described by an SRTP Protection Profile (as in Section 4.1.2 of [RFC5764]). For MIKEY, the use of a particular crypto suite is specified by both the MIKEY "encryption algorithm" parameter and the "session encryption key length" parameter, as noted below. 4.1. AERO_AES_128_XCB_80 The AERO_AES_128_XCB_80 crypto suite uses the AERO_AES_128_XCB algorithm defined in [I-D.mcgrew-aero], with a sequence number length T of 72 bits. It provides authentication strength equivalent to an ideal message authentication code with a 70-bit tag. The data expansion is 80 bits; the ciphertext will be at most 80 bits longer than the plaintext. The master-key length is 128 bits and has a default lifetime of a maximum of 2^48 SRTP packets or 2^31 SRTCP packets, whichever comes first (see page 39 [RFC3711]). The SRTP and SRTCP encryption key lengths are 128 bits. The master salt value is 112 bits in length and the session salt value is 112 bits in length. The pseudo-random function (PRF) is the default SRTP pseudo-random function that uses AES Counter Mode with a 128-bit key length. The length of the base64-decoded key and salt value for this crypto suite MUST be 30 characters (i.e., 240 bits); otherwise, the crypto attribute is considered invalid. To signal the use of AERO_AES_128_XCB_80 with MIKEY, the following MIKEY SRTP Policy Parameters MUST be used: An encryption algorithm parameter of TBD Section 7 A session encryption key length of 128 bits. An authentication tag length of 80 bits. 4.2. AERO_AES_128_XCB_32 This crypto suite is identical to AERO_AES_128_XCB_80, except that it uses a sequence number length T of 24 bits. Its authentication strength is about 24 bits, and its data overhead is at most 32 bits. McGrew, et al. Expires April 24, 2014 [Page 10] Internet-Draft AERO SRTP October 2013 To signal the use of AERO_AES_128_XCB_32 with MIKEY, the following MIKEY SRTP Policy Parameters MUST be used: An encryption algorithm parameter of TBD Section 7 A session encryption key length of 128 bits. An authentication tag length of 32 bits. 4.3. AERO_AES_256_XCB_128 The AERO_AES_256_XCB_128 crypto suite uses the AERO_AES_256_XCB algorithm defined in [I-D.mcgrew-aero], with a sequence number length T of 128 bits. It provides authentication strength equivalent to an ideal message authentication code with a 121-bit tag. The data expansion is 128 bits; the ciphertext will be exactly 128 bits longer than the plaintext. The master-key length is 128 bits and has a default lifetime of a maximum of 2^48 SRTP packets or 2^31 SRTCP packets, whichever comes first (see page 39 [RFC3711]). The SRTP and SRTCP encryption key lengths are 256 bits. The master salt value is 112 bits in length and the session salt value is 112 bits in length. The pseudo-random function (PRF) is the AES_256_CM_PRF key derivation function [RFC6188] which uses AES Counter Mode with a 256-bit key length. The length of the base64-decoded key and salt value for this crypto suite MUST be 46 characters (i.e., 368 bits); otherwise, the crypto attribute is considered invalid. To signal the use of AERO_AES_128_XCB_80 with MIKEY, the following MIKEY SRTP Policy Parameters MUST be used: An encryption algorithm parameter of TBD Section 7 A session encryption key length of 256 bits. An authentication tag length of 128 bits. McGrew, et al. Expires April 24, 2014 [Page 11] Internet-Draft AERO SRTP October 2013 5. Rationale There is no need to allow the SRTP or SRTCP Authentication Tag fields to be present, and thus it is forbidden instead of being optional. Compatibility with [RFC4771], which uses this field as a means of conveying the Roll-Over Counter (ROC), is not needed because AERO removes any need for the ROC. Omitting this field simplifies implementations and avoids confusion. The SSRC field serves as a Sender Identifier, and meets the requirements described in Section 3.5 of [I-D.mcgrew-aero]. 5.1. Comparison to other approaches There are other approaches that have been used to address the issues identified in Section 1. In this section, we compare them to SRTP AERO. With the SRTP Integrity Transform Carrying Roll-Over Counter [RFC4771], the sender periodically includes the ROC in the SRTP authentication tag, in which case the authentication process is altered so that the ROC is authenticated. This approach addresses synchronization issues that are due to multiple receivers, such as the problem of "late joiners" in a session. However, it does not address any of the issues that are due to multiple senders using the same encryption key. It also does not change the need for misuse resistance. With SRTP Encrypted Key Transport (EKT) [SRTP-EKT], the sender periodically includes additional data about the session in its outbound packets. This data includes the value of the master key being used for that SRTP source, encrypted under a master key that is used for all sources in the session. EKT address the issues that arise in multiple-sender sessions by providing a way that each source can use a distinct master key. EKT also includes the initial RTP sequence number, to aid receivers in establishing the appropriate SRTP packet index for the first packet in a session. EKT is more complex than SRTP-AERO, as it requires a separate authenticated encryption method for protecting the data that is conveyed, and it adds complexities to the packet processing rules. It also adds data overhead to SRTP and SRTCP packets in a way that is non-uniform, with some packets growing by a single byte, and others growing by over 24 bytes. In contrast, SRTP-AERO has data overhead that is constant, and need not be greater than a single byte at equivalent security levels. McGrew, et al. Expires April 24, 2014 [Page 12] Internet-Draft AERO SRTP October 2013 6. Security Considerations 6.1. SSRC collisions With SRTP-AERO, SSRC collisions do not undermine security; instead, there is a limited and quantifiable loss of confidentiality, which is described in Section 11.4 of [I-D.mcgrew-aero]. In essence, if there is an SSRC collision between two senders, then the attacker will be able to detect the event that both senders encrypt two distinct packets that happen to have exactly the same plaintext and associated data values. Even if an SSRC collision occurs, it is unlikely that the RTP sequence number, the RTP timestamp, and the plaintexts will all be identical. Thus, in many setting the unpredictability of the RTP header and payload provide additional protection even in the unlikely occurrence of an SSRC collision. An SSRC collision will not undermine authentication. The normal RTP mechanism for detection and correction of SSRC collisions MUST be used. In practice, if an SRTP or SRTCP sender receives a valid SRTP or SRTCP packet that it did not itself originate, which has an SSRC value equal to its own, then it MUST stop using that SSRC value, and select a new SSRC value at random. A packet is valid only if its AERO decryption does not return FAIL. 6.2. Key scope With SRTP-AERO, a single master key MAY be used with multiple SRTP sources or multiple SRTP receivers within a single session. Scenarios in which there may be multiple sources in a single session include multicast SRTP, as well as an RTP mixer that retransmits packets from one selected source to an entire set of sources. In this latter case, a set of participants in a session can all use a single SRTP master key, and a mixer can selectively retransmit packets, e.g. from the "loudest talker", without re-encrypting the packets. A single master key MUST NOT be used across distinct SRTP sessions. This property is not specific to AERO, but instead is general to all uses of SRTP, and it follows from the fact that RTP and RTCP receivers have no way of distinguishing between the packets from one session and those from another. This fact would allow an attacker to substitute packets from one session to another, if both sessions were using the same master key. McGrew, et al. Expires April 24, 2014 [Page 13] Internet-Draft AERO SRTP October 2013 7. IANA Considerations This section registers with IANA the following SRTP crypto-suite parameters for SDP Security Descriptions [RFC4568]: o SRTP_AERO_128_XCB_80 o SRTP_AERO_128_XCB_32 o SRTP_AERO_256_XCB_128 They are specified in Section 4 of this note. We also request the IANA assignment of the following values to the DTLS SRTPProtectionProfile registry: SRTP_AERO_128_XCB_80 = { TBD1, TBD2 } SRTP_AERO_128_XCB_32 = { TBD3, TBD4 } SRTP_AERO_256_XCB_128 = { TBD5, TBD6 } We also request the following IANA assignment from the MIKEY registry of SRTP policy parameters: o An Encryption Algorithm parameter value of TBD. This value indicates the use AERO_AES_XCB in SRTP, and corresponds to either SRTP_AERO_128_XCB_80, SRTP_AERO_128_XCB_32, and SRTP_AERO_256_XCB_128. McGrew, et al. Expires April 24, 2014 [Page 14] Internet-Draft AERO SRTP October 2013 8. Acknowledgements Thanks are due to Nermeen Ismail for insightful discussions on the use of SRTP in telepresence environments. McGrew, et al. Expires April 24, 2014 [Page 15] Internet-Draft AERO SRTP October 2013 9. References 9.1. Normative References [I-D.ietf-avtcore-srtp-aes-gcm] McGrew, D. and K. Igoe, "AES-GCM and AES-CCM Authenticated Encryption in Secure RTP (SRTP)", draft-ietf-avtcore-srtp-aes-gcm-10 (work in progress), September 2013. [I-D.mcgrew-aero] McGrew, D. and J. Foley, "Authenticated Encryption with Replay prOtection (AERO)", draft-mcgrew-aero-00 (work in progress), October 2013. [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997. [RFC3711] Baugher, M., McGrew, D., Naslund, M., Carrara, E., and K. Norrman, "The Secure Real-time Transport Protocol (SRTP)", RFC 3711, March 2004. [RFC3830] Arkko, J., Carrara, E., Lindholm, F., Naslund, M., and K. Norrman, "MIKEY: Multimedia Internet KEYing", RFC 3830, August 2004. [RFC4568] Andreasen, F., Baugher, M., and D. Wing, "Session Description Protocol (SDP) Security Descriptions for Media Streams", RFC 4568, July 2006. [RFC4771] Lehtovirta, V., Naslund, M., and K. Norrman, "Integrity Transform Carrying Roll-Over Counter for the Secure Real- time Transport Protocol (SRTP)", RFC 4771, January 2007. [RFC5764] McGrew, D. and E. Rescorla, "Datagram Transport Layer Security (DTLS) Extension to Establish Keys for the Secure Real-time Transport Protocol (SRTP)", RFC 5764, May 2010. [RFC6188] McGrew, D., "The Use of AES-192 and AES-256 in Secure RTP", RFC 6188, March 2011. 9.2. Informative References [SRTP-EKT] McGrew, D., Andreason, F., Wing, D., and K. Fisher, "Encrypted Key Transport for Secure RTP", Internet Draft; Work In Progress. . McGrew, et al. Expires April 24, 2014 [Page 16] Internet-Draft AERO SRTP October 2013 Authors' Addresses David A. McGrew Cisco Systems, Inc. 510 McCarthy Blvd. Milpitas, CA 95035 US Phone: (408) 525 8651 Email: mcgrew@cisco.com URI: http://www.mindspring.com/~dmcgrew/dam.htm Dan Wing Cisco Systems, Inc. 510 McCarthy Blvd. Milpitas, CA 95035 US Phone: (408) 853 4197 Email: dwing@cisco.com John Foley Cisco Systems 7025-2 Kit Creek Road Research Triangle Park, NC 14987 US Email: foleyj@cisco.com McGrew, et al. Expires April 24, 2014 [Page 17]