diff options
author | Thomas Voss <mail@thomasvoss.com> | 2024-11-27 20:54:24 +0100 |
---|---|---|
committer | Thomas Voss <mail@thomasvoss.com> | 2024-11-27 20:54:24 +0100 |
commit | 4bfd864f10b68b71482b35c818559068ef8d5797 (patch) | |
tree | e3989f47a7994642eb325063d46e8f08ffa681dc /doc/rfc/rfc7714.txt | |
parent | ea76e11061bda059ae9f9ad130a9895cc85607db (diff) |
doc: Add RFC documents
Diffstat (limited to 'doc/rfc/rfc7714.txt')
-rw-r--r-- | doc/rfc/rfc7714.txt | 2691 |
1 files changed, 2691 insertions, 0 deletions
diff --git a/doc/rfc/rfc7714.txt b/doc/rfc/rfc7714.txt new file mode 100644 index 0000000..f67912a --- /dev/null +++ b/doc/rfc/rfc7714.txt @@ -0,0 +1,2691 @@ + + + + + + +Internet Engineering Task Force (IETF) D. McGrew +Request for Comments: 7714 Cisco Systems, Inc. +Category: Standards Track K. Igoe +ISSN: 2070-1721 National Security Agency + December 2015 + + + AES-GCM Authenticated Encryption + in the Secure Real-time Transport Protocol (SRTP) + +Abstract + + This document defines how the AES-GCM Authenticated Encryption with + Associated Data family of algorithms can be used to provide + confidentiality and data authentication in the Secure Real-time + Transport Protocol (SRTP). + +Status of This Memo + + This is an Internet Standards Track document. + + This document is a product of the Internet Engineering Task Force + (IETF). It represents the consensus of the IETF community. It has + received public review and has been approved for publication by the + Internet Engineering Steering Group (IESG). Further information on + Internet Standards is available in Section 2 of RFC 5741. + + Information about the current status of this document, any errata, + and how to provide feedback on it may be obtained at + http://www.rfc-editor.org/info/rfc7714. + +Copyright Notice + + Copyright (c) 2015 IETF Trust and the persons identified as the + document authors. All rights reserved. + + This document is subject to BCP 78 and the IETF Trust's Legal + Provisions Relating to IETF Documents + (http://trustee.ietf.org/license-info) in effect on the date of + publication of this document. Please review these documents + carefully, as they describe your rights and restrictions with respect + to this document. Code Components extracted from this document must + include Simplified BSD License text as described in Section 4.e of + the Trust Legal Provisions and are provided without warranty as + described in the Simplified BSD License. + + + + + + +McGrew & Igoe Standards Track [Page 1] + +RFC 7714 AES-GCM for SRTP December 2015 + + +Table of Contents + + 1. Introduction ....................................................3 + 2. Conventions Used in This Document ...............................4 + 3. Overview of the SRTP/SRTCP AEAD Security Architecture ...........4 + 4. Terminology .....................................................5 + 5. Generic AEAD Processing .........................................6 + 5.1. Types of Input Data ........................................6 + 5.2. AEAD Invocation Inputs and Outputs .........................6 + 5.2.1. Encrypt Mode ........................................6 + 5.2.2. Decrypt Mode ........................................7 + 5.3. Handling of AEAD Authentication ............................7 + 6. Counter Mode Encryption .........................................7 + 7. Unneeded SRTP/SRTCP Fields ......................................8 + 7.1. SRTP/SRTCP Authentication Tag Field ........................8 + 7.2. RTP Padding ................................................9 + 8. AES-GCM Processing for SRTP .....................................9 + 8.1. SRTP IV Formation for AES-GCM ..............................9 + 8.2. Data Types in SRTP Packets ................................10 + 8.3. Handling Header Extensions ................................11 + 8.4. Prevention of SRTP IV Reuse ...............................12 + 9. AES-GCM Processing of SRTCP Compound Packets ...................13 + 9.1. SRTCP IV Formation for AES-GCM ............................13 + 9.2. Data Types in Encrypted SRTCP Compound Packets ............14 + 9.3. Data Types in Unencrypted SRTCP Compound Packets ..........16 + 9.4. Prevention of SRTCP IV Reuse ..............................17 + 10. Constraints on AEAD for SRTP and SRTCP ........................17 + 11. Key Derivation Functions ......................................18 + 12. Summary of AES-GCM in SRTP/SRTCP ..............................19 + 13. Security Considerations .......................................20 + 13.1. Handling of Security-Critical Parameters .................20 + 13.2. Size of the Authentication Tag ...........................21 + 14. IANA Considerations ...........................................21 + 14.1. SDES .....................................................21 + 14.2. DTLS-SRTP ................................................22 + 14.3. MIKEY ....................................................23 + 15. Parameters for Use with MIKEY .................................23 + 16. Some RTP Test Vectors .........................................24 + 16.1. SRTP AEAD_AES_128_GCM ....................................25 + 16.1.1. SRTP AEAD_AES_128_GCM Encryption ..................25 + 16.1.2. SRTP AEAD_AES_128_GCM Decryption ..................27 + 16.1.3. SRTP AEAD_AES_128_GCM Authentication Tagging ......29 + 16.1.4. SRTP AEAD_AES_128_GCM Tag Verification ............30 + 16.2. SRTP AEAD_AES_256_GCM ....................................31 + 16.2.1. SRTP AEAD_AES_256_GCM Encryption ..................31 + 16.2.2. SRTP AEAD_AES_256_GCM Decryption ..................33 + 16.2.3. SRTP AEAD_AES_256_GCM Authentication Tagging ......35 + 16.2.4. SRTP AEAD_AES_256_GCM Tag Verification ............36 + + + +McGrew & Igoe Standards Track [Page 2] + +RFC 7714 AES-GCM for SRTP December 2015 + + + 17. RTCP Test Vectors .............................................37 + 17.1. SRTCP AEAD_AES_128_GCM Encryption and Tagging ............39 + 17.2. SRTCP AEAD_AES_256_GCM Verification and Decryption .......41 + 17.3. SRTCP AEAD_AES_128_GCM Tagging Only ......................43 + 17.4. SRTCP AEAD_AES_256_GCM Tag Verification ..................44 + 18. References ....................................................45 + 18.1. Normative References .....................................45 + 18.2. Informative References ...................................47 + Acknowledgements ..................................................48 + Authors' Addresses ................................................48 + +1. Introduction + + The Secure Real-time Transport Protocol (SRTP) [RFC3711] is a profile + of the Real-time Transport Protocol (RTP) [RFC3550], which can + provide confidentiality, message authentication, and replay + protection to the RTP traffic and to the control traffic for RTP, the + Real-time Transport Control Protocol (RTCP). It is important to note + that the outgoing SRTP packets from a single endpoint may be + originating from several independent data sources. + + Authenticated Encryption [BN00] is a form of encryption that, in + addition to providing confidentiality for the Plaintext that is + encrypted, provides a way to check its integrity and authenticity. + Authenticated Encryption with Associated Data, or AEAD [R02], adds + the ability to check the integrity and authenticity of some + Associated Data (AD), also called "Additional Authenticated Data" + (AAD), that is not encrypted. This specification makes use of the + interface to a generic AEAD algorithm as defined in [RFC5116]. + + The Advanced Encryption Standard (AES) is a block cipher that + provides a high level of security and can accept different key sizes. + AES Galois/Counter Mode (AES-GCM) [GCM] is a family of AEAD + algorithms based upon AES. This specification makes use of the AES + versions that use 128-bit and 256-bit keys, which we call "AES-128" + and "AES-256", respectively. + + Any AEAD algorithm provides an intrinsic authentication tag. In many + applications, the authentication tag is truncated to less than full + length. In this specification, the authentication tag MUST NOT be + truncated. The authentications tags MUST be a full 16 octets in + length. When used in SRTP/SRTCP, AES-GCM will have two + configurations: + + AEAD_AES_128_GCM AES-128 with a 16-octet authentication tag + AEAD_AES_256_GCM AES-256 with a 16-octet authentication tag + + + + + +McGrew & Igoe Standards Track [Page 3] + +RFC 7714 AES-GCM for SRTP December 2015 + + + The key size is set when the session is initiated and SHOULD NOT be + altered. + + The Galois/Counter Mode of operation (GCM) is an AEAD mode of + operation for block ciphers. GCM uses Counter Mode to encrypt the + data, an operation that can be efficiently pipelined. Further, GCM + authentication uses operations that are particularly well suited to + efficient implementation in hardware, making it especially appealing + for high-speed implementations, or for implementations in an + efficient and compact circuit. + + In summary, this document defines how to use an AEAD algorithm, + particularly AES-GCM, to provide confidentiality and message + authentication within SRTP and SRTCP packets. + +2. Conventions Used in This Document + + The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", + "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and + "OPTIONAL" in this document are to be interpreted as described in + [RFC2119]. + +3. Overview of the SRTP/SRTCP AEAD Security Architecture + + SRTP/SRTCP AEAD security is based upon the following principles: + + a) Both privacy and authentication are based upon the use of + symmetric algorithms. An AEAD algorithm such as AES-GCM + combines privacy and authentication into a single process. + + b) A secret master key is shared by all participating endpoints -- + both those originating SRTP/SRTCP packets and those receiving + these packets. Any given master key MAY be used simultaneously + by several endpoints to originate SRTP/SRTCP packets (as well + as one or more endpoints using this master key to process + inbound data). + + c) A Key Derivation Function (KDF) is applied to the shared master + key value to form separate encryption keys, authentication + keys, and salting keys for SRTP and for SRTCP (a total of six + keys). This process is described in Section 4.3 of [RFC3711]. + The master key MUST be at least as large as the encryption key + derived from it. Since AEAD algorithms such as AES-GCM combine + encryption and authentication into a single process, AEAD + algorithms do not make use of separate authentication keys. + + + + + + +McGrew & Igoe Standards Track [Page 4] + +RFC 7714 AES-GCM for SRTP December 2015 + + + d) Aside from making modifications to IANA registries to allow + AES-GCM to work with Security Descriptions (SDES), Datagram + Transport Layer Security for Secure RTP (DTLS-SRTP), and + Multimedia Internet KEYing (MIKEY), the details of how the + master key is established and shared between the participants + are outside the scope of this document. Similarly, any + mechanism for rekeying an existing session is outside the scope + of the document. + + e) Each time an instantiation of AES-GCM is invoked to encrypt and + authenticate an SRTP or SRTCP data packet, a new Initialization + Vector (IV) is used. SRTP combines the 4-octet Synchronization + Source (SSRC) identifier, the 4-octet Rollover Counter (ROC), + and the 2-octet Sequence Number (SEQ) with the 12-octet + encryption salt to form a 12-octet IV (see Section 8.1). + SRTCP combines the SSRC and 31-bit SRTCP index with the + encryption salt to form a 12-octet IV (see Section 9.1). + +4. Terminology + + The following terms have very specific meanings in the context of + this RFC: + + Instantiation: In AEAD, an instantiation is an (Encryption_key, + salt) pair together with all of the data structures + (for example, counters) needed for it to function + properly. In SRTP/SRTCP, each endpoint will need + two instantiations of the AEAD algorithm for each + master key in its possession: one instantiation for + SRTP traffic and one instantiation for SRTCP + traffic. + + Invocation: SRTP/SRTCP data streams are broken into packets. + Each packet is processed by a single invocation of + the appropriate instantiation of the AEAD + algorithm. + + In many applications, each endpoint will have one master key for + processing outbound data but may have one or more separate master + keys for processing inbound data. + + + + + + + + + + + +McGrew & Igoe Standards Track [Page 5] + +RFC 7714 AES-GCM for SRTP December 2015 + + +5. Generic AEAD Processing + +5.1. Types of Input Data + + Associated Data: Data that is to be authenticated but not + encrypted. + + Plaintext: Data that is to be both encrypted and + authenticated. + + Raw Data: Data that is to be neither encrypted nor + authenticated. + + Which portions of SRTP/SRTCP packets that are to be treated as + Associated Data, which are to be treated as Plaintext, and which are + to be treated as Raw Data are covered in Sections 8.2, 9.2, and 9.3. + +5.2. AEAD Invocation Inputs and Outputs + +5.2.1. Encrypt Mode + + Inputs: + Encryption_key Octet string, either 16 or + 32 octets long + Initialization_Vector Octet string, 12 octets long + Associated_Data Octet string of variable length + Plaintext Octet string of variable length + + Outputs: + Ciphertext* Octet string, length = + length(Plaintext) + tag_length + + (*): In AEAD, the authentication tag in embedded in the + ciphertext. When GCM is being used, the ciphertext + consists of the encrypted Plaintext followed by the + authentication tag. + + + + + + + + + + + + + + + +McGrew & Igoe Standards Track [Page 6] + +RFC 7714 AES-GCM for SRTP December 2015 + + +5.2.2. Decrypt Mode + + Inputs: + Encryption_key Octet string, either 16 or + 32 octets long + Initialization_Vector Octet string, 12 octets long + Associated_Data Octet string of variable length + Ciphertext Octet string of variable length + + Outputs: + Plaintext Octet string, length = + length(Ciphertext) - tag_length + Validity_Flag Boolean, TRUE if valid, + FALSE otherwise + +5.3. Handling of AEAD Authentication + + AEAD requires that all incoming packets MUST pass AEAD authentication + before any other action takes place. Plaintext and Associated Data + MUST NOT be released until the AEAD authentication tag has been + validated. Further, the ciphertext MUST NOT be decrypted until the + AEAD tag has been validated. + + Should the AEAD tag prove to be invalid, the packet in question is to + be discarded and a Validation Error flag raised. Local policy + determines how this flag is to be handled and is outside the scope of + this document. + +6. Counter Mode Encryption + + Each outbound packet uses a 12-octet IV and an encryption key to form + two outputs: + + o a 16-octet first_key_block, which is used in forming the + authentication tag, and + + o a keystream of octets, formed in blocks of 16 octets each + + + + + + + + + + + + + + +McGrew & Igoe Standards Track [Page 7] + +RFC 7714 AES-GCM for SRTP December 2015 + + + The first 16-octet block of the key is saved for use in forming the + authentication tag, and the remainder of the keystream is XORed to + the Plaintext to form the cipher. This keystream is formed one block + at a time by inputting the concatenation of a 12-octet IV (see + Sections 8.1 and 9.1) with a 4-octet block to AES. The pseudocode + below illustrates this process: + + def GCM_keystream( Plaintext_len, IV, Encryption_key ): + assert Plaintext_len <= (2**36) - 32 ## measured in octets + key_stream = "" + block_counter = 1 + first_key_block = AES_ENC( data=IV||block_counter, + key=Encryption_key ) + while len(key_stream) < Plaintext_len: + block_counter = block_counter + 1 + key_block = AES_ENC( data=IV||block_counter, + key=Encryption_key ) + key_stream = key_stream||key_block + key_stream = truncate( key_stream, Plaintext_len ) + return( first_key_block, key_stream ) + + In theory, this keystream generation process allows for the + encryption of up to (2^36) - 32 octets per invocation (i.e., per + packet), far longer than is actually required. + + With any counter mode, if the same (IV, Encryption_key) pair is used + twice, precisely the same keystream is formed. As explained in + Section 9.1 of [RFC3711], this is a cryptographic disaster. For GCM, + the consequences are even worse, since such a reuse compromises GCM's + integrity mechanism not only for the current packet stream but for + all future uses of the current encryption_key. + +7. Unneeded SRTP/SRTCP Fields + + AEAD Counter Mode encryption removes the need for certain existing + SRTP/SRTCP mechanisms. + +7.1. SRTP/SRTCP Authentication Tag Field + + The AEAD message authentication mechanism MUST be the primary message + authentication mechanism for AEAD SRTP/SRTCP. Additional SRTP/SRTCP + authentication mechanisms SHOULD NOT be used with any AEAD algorithm, + and the optional SRTP/SRTCP authentication tags are NOT RECOMMENDED + and SHOULD NOT be present. Note that this contradicts Section 3.4 of + [RFC3711], which makes the use of the SRTCP authentication tag field + mandatory, but the presence of the AEAD authentication renders the + older authentication methods redundant. + + + + +McGrew & Igoe Standards Track [Page 8] + +RFC 7714 AES-GCM for SRTP December 2015 + + + Rationale: Some applications use the SRTP/SRTCP authentication tag + as a means of conveying additional information, notably [RFC4771]. + This document retains the authentication tag field primarily to + preserve compatibility with these applications. + +7.2. RTP Padding + + AES-GCM does not require that the data be padded out to a specific + block size, reducing the need to use the padding mechanism provided + by RTP. It is RECOMMENDED that the RTP padding mechanism not be used + unless it is necessary to disguise the length of the underlying + Plaintext. + +8. AES-GCM Processing for SRTP + +8.1. SRTP IV Formation for AES-GCM + + 0 0 0 0 0 0 0 0 0 0 1 1 + 0 1 2 3 4 5 6 7 8 9 0 1 + +--+--+--+--+--+--+--+--+--+--+--+--+ + |00|00| SSRC | ROC | SEQ |---+ + +--+--+--+--+--+--+--+--+--+--+--+--+ | + | + +--+--+--+--+--+--+--+--+--+--+--+--+ | + | Encryption Salt |->(+) + +--+--+--+--+--+--+--+--+--+--+--+--+ | + | + +--+--+--+--+--+--+--+--+--+--+--+--+ | + | Initialization Vector |<--+ + +--+--+--+--+--+--+--+--+--+--+--+--+ + + Figure 1: AES-GCM SRTP Initialization Vector Formation + + The 12-octet IV used by AES-GCM SRTP is formed by first concatenating + 2 octets of zeroes, the 4-octet SSRC, the 4-octet rollover counter + (ROC), and the 2-octet sequence number (SEQ). The resulting 12-octet + value is then XORed to the 12-octet salt to form the 12-octet IV. + + + + + + + + + + + + + + +McGrew & Igoe Standards Track [Page 9] + +RFC 7714 AES-GCM for SRTP December 2015 + + +8.2. Data Types in SRTP Packets + + All SRTP packets MUST be both authenticated and encrypted. The data + fields within the RTP packets are broken into Associated Data, + Plaintext, and Raw Data, as follows (see Figure 2): + + Associated Data: The version V (2 bits), padding flag P (1 bit), + extension flag X (1 bit), Contributing Source + (CSRC) count CC (4 bits), marker M (1 bit), + Payload Type PT (7 bits), sequence number + (16 bits), timestamp (32 bits), SSRC (32 bits), + optional CSRC identifiers (32 bits each), and + optional RTP extension (variable length). + + Plaintext: The RTP payload (variable length), RTP padding + (if used, variable length), and RTP pad count (if + used, 1 octet). + + Raw Data: The optional variable-length SRTP Master Key + Identifier (MKI) and SRTP authentication tag + (whose use is NOT RECOMMENDED). These fields are + appended after encryption has been performed. + + 0 1 2 3 + 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + A |V=2|P|X| CC |M| PT | sequence number | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + A | timestamp | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + A | synchronization source (SSRC) identifier | + +=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ + A | contributing source (CSRC) identifiers (optional) | + A | .... | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + A | RTP extension (OPTIONAL) | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + P | payload ... | + P | +-------------------------------+ + P | | RTP padding | RTP pad count | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + + P = Plaintext (to be encrypted and authenticated) + A = Associated Data (to be authenticated only) + + Figure 2: Structure of an RTP Packet before Authenticated Encryption + + + + + +McGrew & Igoe Standards Track [Page 10] + +RFC 7714 AES-GCM for SRTP December 2015 + + + Since the AEAD ciphertext is larger than the Plaintext by exactly the + length of the AEAD authentication tag, the corresponding + SRTP-encrypted packet replaces the Plaintext field with a slightly + larger field containing the cipher. Even if the Plaintext field is + empty, AEAD encryption must still be performed, with the resulting + cipher consisting solely of the authentication tag. This tag is to + be placed immediately before the optional variable-length SRTP MKI + and SRTP authentication tag fields. + + 0 1 2 3 + 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + A |V=2|P|X| CC |M| PT | sequence number | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + A | timestamp | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + A | synchronization source (SSRC) identifier | + +=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ + A | contributing source (CSRC) identifiers (optional) | + A | .... | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + A | RTP extension (OPTIONAL) | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + C | cipher | + C | ... | + C | | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + R : SRTP MKI (OPTIONAL) : + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + R : SRTP authentication tag (NOT RECOMMENDED) : + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + + C = Ciphertext (encrypted and authenticated) + A = Associated Data (authenticated only) + R = neither encrypted nor authenticated, added + after Authenticated Encryption completed + + Figure 3: Structure of an SRTP Packet after Authenticated Encryption + +8.3. Handling Header Extensions + + RTP header extensions were first defined in [RFC3550]. [RFC6904] + describes how these header extensions are to be encrypted in SRTP. + + When RFC 6904 is in use, a separate keystream is generated to encrypt + selected RTP header extension elements. For the AEAD_AES_128_GCM + algorithm, this keystream MUST be generated in the manner defined in + [RFC6904], using the AES Counter Mode (AES-CM) transform. For the + + + +McGrew & Igoe Standards Track [Page 11] + +RFC 7714 AES-GCM for SRTP December 2015 + + + AEAD_AES_256_GCM algorithm, the keystream MUST be generated in the + manner defined for the AES_256_CM transform. The originator must + perform any required header extension encryption before the AEAD + algorithm is invoked. + + As with the other fields contained within the RTP header, both + encrypted and unencrypted header extensions are to be treated by the + AEAD algorithm as Associated Data (AD). Thus, the AEAD algorithm + does not provide any additional privacy for the header extensions, + but it does provide integrity and authentication. + +8.4. Prevention of SRTP IV Reuse + + In order to prevent IV reuse, we must ensure that the (ROC,SEQ,SSRC) + triple is never used twice with the same master key. The following + two scenarios illustrate this issue: + + Counter Management: A rekey MUST be performed to establish a new + master key before the (ROC,SEQ) pair cycles + back to its original value. Note that this + scenario implicitly assumes that either + (1) the outgoing RTP process is trusted to not + attempt to repeat a (ROC,SEQ) value or (2) the + encryption process ensures that both the SEQ + and ROC numbers of the packets presented to it + are always incremented in the proper fashion. + This is particularly important for GCM, since + using the same (ROC,SEQ) value twice + compromises the authentication mechanism. For + GCM, the (ROC,SEQ) and SSRC values used MUST + be generated or checked by either the SRTP + implementation or a module (e.g., the RTP + application) that can be considered equally + trustworthy. While [RFC3711] allows the + detection of SSRC collisions after they + happen, SRTP using GCM with shared master keys + MUST prevent an SSRC collision from happening + even once. + + SSRC Management: For a given master key, the set of all SSRC + values used with that master key must be + partitioned into disjoint pools, one pool for + each endpoint using that master key to + originate outbound data. Each such + originating endpoint MUST only issue SSRC + values from the pool it has been assigned. + Further, each originating endpoint MUST + maintain a history of outbound SSRC + + + +McGrew & Igoe Standards Track [Page 12] + +RFC 7714 AES-GCM for SRTP December 2015 + + + identifiers that it has issued within the + lifetime of the current master key, and when a + new SSRC requests an SSRC identifier it + MUST NOT be given an identifier that has been + previously issued. A rekey MUST be performed + before any of the originating endpoints using + that master key exhaust their pools of SSRC + values. Further, the identity of the entity + giving out SSRC values MUST be verified, and + the SSRC signaling MUST be integrity + protected. + +9. AES-GCM Processing of SRTCP Compound Packets + + All SRTCP compound packets MUST be authenticated, but unlike SRTP, + SRTCP packet encryption is optional. A sender can select which + packets to encrypt and indicates this choice with a 1-bit + Encryption flag (located just before the 31-bit SRTCP index). + +9.1. SRTCP IV Formation for AES-GCM + + The 12-octet IV used by AES-GCM SRTCP is formed by first + concatenating 2 octets of zeroes, the 4-octet SSRC identifier, + 2 octets of zeroes, a single "0" bit, and the 31-bit SRTCP index. + The resulting 12-octet value is then XORed to the 12-octet salt to + form the 12-octet IV. + + 0 1 2 3 4 5 6 7 8 9 10 11 + +--+--+--+--+--+--+--+--+--+--+--+--+ + |00|00| SSRC |00|00|0+SRTCP Idx|---+ + +--+--+--+--+--+--+--+--+--+--+--+--+ | + | + +--+--+--+--+--+--+--+--+--+--+--+--+ | + | Encryption Salt |->(+) + +--+--+--+--+--+--+--+--+--+--+--+--+ | + | + +--+--+--+--+--+--+--+--+--+--+--+--+ | + | Initialization Vector |<--+ + +--+--+--+--+--+--+--+--+--+--+--+--+ + + Figure 4: SRTCP Initialization Vector Formation + + + + + + + + + + +McGrew & Igoe Standards Track [Page 13] + +RFC 7714 AES-GCM for SRTP December 2015 + + +9.2. Data Types in Encrypted SRTCP Compound Packets + + 0 1 2 3 + 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + A |V=2|P| RC | Packet Type | length | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + A | synchronization source (SSRC) of sender | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + P | sender info : + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + P | report block 1 : + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + P | report block 2 : + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + P | ... : + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + P |V=2|P| SC | Packet Type | length | + +=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ + P | SSRC/CSRC_1 | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + P | SDES items : + +=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ + P | ... : + +=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ + A |1| SRTCP index | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + R | SRTCP MKI (optional) index : + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + R : SRTCP authentication tag (NOT RECOMMENDED) : + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + + P = Plaintext (to be encrypted and authenticated) + A = Associated Data (to be authenticated only) + R = neither encrypted nor authenticated, added after + encryption + + Figure 5: AEAD SRTCP Inputs When Encryption Flag = 1 + (The fields are defined in RFC 3550.) + + + + + + + + + + + + +McGrew & Igoe Standards Track [Page 14] + +RFC 7714 AES-GCM for SRTP December 2015 + + + When the Encryption flag is set to 1, the SRTCP packet is broken into + Plaintext, Associated Data, and Raw (untouched) Data (as shown above + in Figure 5): + + Associated Data: The packet version V (2 bits), padding flag P + (1 bit), reception report count RC (5 bits), + Packet Type (8 bits), length (2 octets), SSRC + (4 octets), Encryption flag (1 bit), and SRTCP + index (31 bits). + + Raw Data: The optional variable-length SRTCP MKI and SRTCP + authentication tag (whose use is + NOT RECOMMENDED). + + Plaintext: All other data. + + Note that the Plaintext comes in one contiguous field. Since the + AEAD cipher is larger than the Plaintext by exactly the length of the + AEAD authentication tag, the corresponding SRTCP-encrypted packet + replaces the Plaintext field with a slightly larger field containing + the cipher. Even if the Plaintext field is empty, AEAD encryption + must still be performed, with the resulting cipher consisting solely + of the authentication tag. This tag is to be placed immediately + before the Encryption flag and SRTCP index. + + + + + + + + + + + + + + + + + + + + + + + + + + + +McGrew & Igoe Standards Track [Page 15] + +RFC 7714 AES-GCM for SRTP December 2015 + + +9.3. Data Types in Unencrypted SRTCP Compound Packets + + 0 1 2 3 + 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + A |V=2|P| RC | Packet Type | length | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + A | synchronization source (SSRC) of sender | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + A | sender info : + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + A | report block 1 : + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + A | report block 2 : + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + A | ... : + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + A |V=2|P| SC | Packet Type | length | + +=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ + A | SSRC/CSRC_1 | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + A | SDES items : + +=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ + A | ... : + +=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ + A |0| SRTCP index | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + R | SRTCP MKI (optional) index : + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + R : authentication tag (NOT RECOMMENDED) : + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + + A = Associated Data (to be authenticated only) + R = neither encrypted nor authenticated, added after + encryption + + Figure 6: AEAD SRTCP Inputs When Encryption Flag = 0 + + + + + + + + + + + + + + +McGrew & Igoe Standards Track [Page 16] + +RFC 7714 AES-GCM for SRTP December 2015 + + + When the Encryption flag is set to 0, the SRTCP compound packet is + broken into Plaintext, Associated Data, and Raw (untouched) Data, as + follows (see Figure 6): + + Plaintext: None. + + Raw Data: The variable-length optional SRTCP MKI and SRTCP + authentication tag (whose use is + NOT RECOMMENDED). + + Associated Data: All other data. + + Even though there is no ciphertext in this RTCP packet, AEAD + encryption returns a cipher field that is precisely the length of the + AEAD authentication tag. This cipher is to be placed before the + Encryption flag and the SRTCP index in the authenticated SRTCP + packet. + +9.4. Prevention of SRTCP IV Reuse + + A new master key MUST be established before the 31-bit SRTCP index + cycles back to its original value. Ideally, a rekey should be + performed and a new master key put in place well before the SRTCP + index cycles back to the starting value. + + The comments on SSRC management in Section 8.4 also apply. + +10. Constraints on AEAD for SRTP and SRTCP + + In general, any AEAD algorithm can accept inputs with varying + lengths, but each algorithm can accept only a limited range of + lengths for a specific parameter. In this section, we describe the + constraints on the parameter lengths that any AEAD algorithm must + support to be used in AEAD-SRTP. Additionally, we specify a complete + parameter set for one specific family of AEAD algorithms, namely + AES-GCM. + + + + + + + + + + + + + + + +McGrew & Igoe Standards Track [Page 17] + +RFC 7714 AES-GCM for SRTP December 2015 + + + All AEAD algorithms used with SRTP/SRTCP MUST satisfy the five + constraints listed below: + + Parameter Meaning Value + --------------------------------------------------------------------- + A_MAX maximum Associated MUST be at least 12 octets. + Data length + + N_MIN minimum nonce (IV) MUST be 12 octets. + length + + N_MAX maximum nonce (IV) MUST be 12 octets. + length + + P_MAX maximum Plaintext GCM: MUST be <= 2^36 - 32 octets. + length per invocation + + C_MAX maximum ciphertext GCM: MUST be <= 2^36 - 16 octets. + length per invocation + + For the sake of clarity, we specify three additional parameters: + + AEAD authentication tag length MUST be 16 octets + + Maximum number of invocations SRTP: MUST be at most 2^48 + for a given instantiation SRTCP: MUST be at most 2^31 + + Block Counter size GCM: MUST be 32 bits + + The reader is reminded that the ciphertext is longer than the + Plaintext by exactly the length of the AEAD authentication tag. + +11. Key Derivation Functions + + A Key Derivation Function (KDF) is used to derive all of the required + encryption and authentication keys from a secret value shared by the + endpoints. The AEAD_AES_128_GCM algorithm MUST use the (128-bit) + AES_CM PRF KDF described in [RFC3711]. AEAD_AES_256_GCM MUST use the + AES_256_CM_PRF KDF described in [RFC6188]. + + + + + + + + + + + + +McGrew & Igoe Standards Track [Page 18] + +RFC 7714 AES-GCM for SRTP December 2015 + + +12. Summary of AES-GCM in SRTP/SRTCP + + For convenience, much of the information about the use of the AES-GCM + family of algorithms in SRTP is collected in the tables contained in + this section. + + The AES-GCM family of AEAD algorithms is built around the AES block + cipher algorithm. AES-GCM uses AES-CM for encryption and Galois + Message Authentication Code (GMAC) for authentication. A detailed + description of the AES-GCM family can be found in [RFC5116]. The + following members of the AES-GCM family may be used with SRTP/SRTCP: + + Name Key Size AEAD Tag Size Reference + ================================================================ + AEAD_AES_128_GCM 16 octets 16 octets [RFC5116] + AEAD_AES_256_GCM 32 octets 16 octets [RFC5116] + + Table 1: AES-GCM Algorithms for SRTP/SRTCP + + Any implementation of AES-GCM SRTP MUST support both AEAD_AES_128_GCM + and AEAD_AES_256_GCM. Below, we summarize parameters associated with + these two GCM algorithms: + + +--------------------------------+------------------------------+ + | Parameter | Value | + +--------------------------------+------------------------------+ + | Master key length | 128 bits | + | Master salt length | 96 bits | + | Key Derivation Function | AES_CM PRF [RFC3711] | + | Maximum key lifetime (SRTP) | 2^48 packets | + | Maximum key lifetime (SRTCP) | 2^31 packets | + | Cipher (for SRTP and SRTCP) | AEAD_AES_128_GCM | + | AEAD authentication tag length | 128 bits | + +--------------------------------+------------------------------+ + + Table 2: The AEAD_AES_128_GCM Crypto Suite + + + + + + + + + + + + + + + +McGrew & Igoe Standards Track [Page 19] + +RFC 7714 AES-GCM for SRTP December 2015 + + + +--------------------------------+------------------------------+ + | Parameter | Value | + +--------------------------------+------------------------------+ + | Master key length | 256 bits | + | Master salt length | 96 bits | + | Key Derivation Function | AES_256_CM_PRF [RFC6188] | + | Maximum key lifetime (SRTP) | 2^48 packets | + | Maximum key lifetime (SRTCP) | 2^31 packets | + | Cipher (for SRTP and SRTCP) | AEAD_AES_256_GCM | + | AEAD authentication tag length | 128 bits | + +--------------------------------+------------------------------+ + + Table 3: The AEAD_AES_256_GCM Crypto Suite + +13. Security Considerations + +13.1. Handling of Security-Critical Parameters + + As with any security process, the implementer must take care to + ensure that cryptographically sensitive parameters are properly + handled. Many of these recommendations hold for all SRTP + cryptographic algorithms, but we include them here to emphasize their + importance. + + - If the master salt is to be kept secret, it MUST be properly erased + when no longer needed. + + - The secret master key and all keys derived from it MUST be kept + secret. All keys MUST be properly erased when no longer needed. + + - At the start of each packet, the Block Counter MUST be reset to 1. + The Block Counter is incremented after each block key has been + produced, but it MUST NOT be allowed to exceed 2^32 - 1 for GCM. + Note that even though the Block Counter is reset at the start of + each packet, IV uniqueness is ensured by the inclusion of + SSRC/ROC/SEQ or the SRTCP index in the IV. (The reader is reminded + that the first block of key produced is reserved for use in + authenticating the packet and is not used to encrypt Plaintext.) + + - Each time a rekey occurs, the initial values of both the 31-bit + SRTCP index and the 48-bit SRTP packet index (ROC||SEQ) MUST be + saved in order to prevent IV reuse. + + - Processing MUST cease if either the 31-bit SRTCP index or the + 48-bit SRTP packet index (ROC||SEQ) cycles back to its initial + value. Processing MUST NOT resume until a new SRTP/SRTCP session + has been established using a new SRTP master key. Ideally, a rekey + should be done well before any of these counters cycle. + + + +McGrew & Igoe Standards Track [Page 20] + +RFC 7714 AES-GCM for SRTP December 2015 + + +13.2. Size of the Authentication Tag + + We require that the AEAD authentication tag be 16 octets, in order to + effectively eliminate the risk of an adversary successfully + introducing fraudulent data. Though other protocols may allow the + use of truncated authentication tags, the consensus of the authors + and the working group is that risks associated with using truncated + AES-GCM tags are deemed too high to allow the use of truncated + authentication tags in SRTP/SRTCP. + +14. IANA Considerations + +14.1. SDES + + "Session Description Protocol (SDP) Security Descriptions for Media + Streams" [RFC4568] defines SRTP "crypto suites". A crypto suite + corresponds to a particular AEAD algorithm in SRTP. In order to + allow security descriptions to signal the use of the algorithms + defined in this document, IANA has registered the following crypto + suites in the "SRTP Crypto Suite Registrations" subregistry of the + "Session Description Protocol (SDP) Security Descriptions" registry. + The ABNF [RFC5234] syntax is as follows: + + srtp-crypto-suite-ext = "AEAD_AES_128_GCM" / + "AEAD_AES_256_GCM" / + srtp-crypto-suite-ext + + + + + + + + + + + + + + + + + + + + + + + + + +McGrew & Igoe Standards Track [Page 21] + +RFC 7714 AES-GCM for SRTP December 2015 + + +14.2. DTLS-SRTP + + DTLS-SRTP [RFC5764] defines DTLS-SRTP "SRTP protection profiles". + These profiles also correspond to the use of an AEAD algorithm in + SRTP. In order to allow the use of the algorithms defined in this + document in DTLS-SRTP, IANA has registered the following SRTP + protection profiles: + + SRTP_AEAD_AES_128_GCM = {0x00, 0x07} + SRTP_AEAD_AES_256_GCM = {0x00, 0x08} + + Below, we list the SRTP transform parameters for each of these + protection profiles. Unless separate parameters for SRTP and SRTCP + are explicitly listed, these parameters apply to both SRTP and SRTCP. + + SRTP_AEAD_AES_128_GCM + cipher: AES_128_GCM + cipher_key_length: 128 bits + cipher_salt_length: 96 bits + aead_auth_tag_length: 16 octets + auth_function: NULL + auth_key_length: N/A + auth_tag_length: N/A + maximum lifetime: at most 2^31 SRTCP packets and + at most 2^48 SRTP packets + + SRTP_AEAD_AES_256_GCM + cipher: AES_256_GCM + cipher_key_length: 256 bits + cipher_salt_length: 96 bits + aead_auth_tag_length: 16 octets + auth_function: NULL + auth_key_length: N/A + auth_tag_length: N/A + maximum lifetime: at most 2^31 SRTCP packets and + at most 2^48 SRTP packets + + Note that these SRTP protection profiles do not specify an + auth_function, auth_key_length, or auth_tag_length, because all + of these profiles use AEAD algorithms and thus do not use a + separate auth_function, auth_key, or auth_tag. The term + "aead_auth_tag_length" is used to emphasize that this refers to + the authentication tag provided by the AEAD algorithm and that + this tag is not located in the authentication tag field provided by + SRTP/SRTCP. + + + + + + +McGrew & Igoe Standards Track [Page 22] + +RFC 7714 AES-GCM for SRTP December 2015 + + +14.3. MIKEY + + In accordance with "MIKEY: Multimedia Internet KEYing" [RFC3830], + IANA maintains several subregistries under "Multimedia Internet + KEYing (MIKEY) Payload Name Spaces". Per this document, additions + have been made to two of the MIKEY subregistries. + + In the "MIKEY Security Protocol Parameters" subregistry, the + following has been added: + + Type | Meaning | Possible Values + -------------------------------------------------------- + 20 | AEAD authentication tag length | 16 octets + + This list is, of course, intended for use with GCM. It is + conceivable that new AEAD algorithms introduced at some point in the + future may require a different set of authentication tag lengths. + + In the "Encryption algorithm (Value 0)" subregistry (derived from + Table 6.10.1.b of [RFC3830]), the following has been added: + + SRTP Encr. | Value | Default Session | Default Auth. + Algorithm | | Encr. Key Length | Tag Length + ----------------------------------------------------------- + AES-GCM | 6 | 16 octets | 16 octets + + The encryption algorithm, session encryption key length, and AEAD + authentication tag sizes received from MIKEY fully determine the AEAD + algorithm to be used. The exact mapping is described in Section 15. + +15. Parameters for Use with MIKEY + + MIKEY specifies the algorithm family separately from the key length + (which is specified by the Session Encryption key length) and the + authentication tag length (specified by the AEAD authentication tag + length). + + +------------+-------------+-------------+ + | Encryption | Encryption | AEAD Auth. | + | Algorithm | Key Length | Tag Length | + +============+=============+=============+ + AEAD_AES_128_GCM | AES-GCM | 16 octets | 16 octets | + +------------+-------------+-------------+ + AEAD_AES_256_GCM | AES-GCM | 32 octets | 16 octets | + +============+=============+=============+ + + Table 4: Mapping MIKEY Parameters to AEAD Algorithms + + + + +McGrew & Igoe Standards Track [Page 23] + +RFC 7714 AES-GCM for SRTP December 2015 + + + Section 11 of this document restricts the choice of KDF for AEAD + algorithms. To enforce this restriction in MIKEY, we require that + the SRTP Pseudorandom Function (PRF) has value AES-CM whenever an + AEAD algorithm is used. Note that, according to Section 6.10.1 of + [RFC3830], the input key length of the KDF (i.e., the SRTP master key + length) is always equal to the session encryption key length. This + means, for example, that AEAD_AES_256_GCM will use AES_256_CM_PRF as + the KDF. + +16. Some RTP Test Vectors + + The examples in this section are all based upon the same RTP packet + + 8040f17b 8041f8d3 5501a0b2 47616c6c + 69612065 7374206f 6d6e6973 20646976 + 69736120 696e2070 61727465 73207472 + 6573 + + consisting of a 12-octet header (8040f17b 8041f8d3 5501a0b2) and a + 38-octet payload (47616c6c 69612065 7374206f 6d6e6973 20646976 + 69736120 696e2070 61727465 73207472 6573), which is just the ASCII + string "Gallia est omnis divisa in partes tres". The salt used + (51756964 2070726f 2071756f) comes from the ASCII string "Quid pro + quo". The 16-octet (128-bit) key is 00 01 02 ... 0f, and the + 32-octet (256-bit) key is 00 01 02 ... 1f. At the time this document + was written, the RTP payload type (1000000 binary = 64 decimal) was + an unassigned value. + + As shown in Section 8.1, the IV is formed by XORing two 12-octet + values. The first 12-octet value is formed by concatenating two + zero octets, the 4-octet SSRC (found in the ninth through 12th octets + of the packet), the 4-octet rollover counter (ROC) maintained at each + end of the link, and the 2-octet sequence number (SEQ) (found in the + third and fourth octets of the packet). The second 12-octet value is + the salt, a value that is held constant at least until the key is + changed. + + | Pad | SSRC | ROC | SEQ | + 00 00 55 01 a0 b2 00 00 00 00 f1 7b + salt 51 75 69 64 20 70 72 6f 20 71 75 6f + ------------------------------------ + IV 51 75 3c 65 80 c2 72 6f 20 71 84 14 + + All of the RTP examples use this IV. + + + + + + + +McGrew & Igoe Standards Track [Page 24] + +RFC 7714 AES-GCM for SRTP December 2015 + + +16.1. SRTP AEAD_AES_128_GCM + +16.1.1. SRTP AEAD_AES_128_GCM Encryption + + Encrypting the following packet: + + 8040f17b 8041f8d3 5501a0b2 47616c6c + 69612065 7374206f 6d6e6973 20646976 + 69736120 696e2070 61727465 73207472 + 6573 + + Form the IV + | Pad | SSRC | ROC | SEQ | + 00 00 55 01 a0 b2 00 00 00 00 f1 7b + salt: 51 75 69 64 20 70 72 6f 20 71 75 6f + IV: 51 75 3c 65 80 c2 72 6f 20 71 84 14 + + Key: 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f + AAD: 8040f17b 8041f8d3 5501a0b2 + PT: 47616c6c 69612065 7374206f 6d6e6973 + 20646976 69736120 696e2070 61727465 + 73207472 6573 + IV: 51 75 3c 65 80 c2 72 6f 20 71 84 14 + H: c6a13b37878f5b826f4f8162a1c8d879 + + Encrypt the Plaintext + block # 0 + IV||blk_cntr: 51753c6580c2726f2071841400000002 + key_block: b5 2c 8f cf 92 55 fe 09 df ce a6 73 f0 10 22 b9 + plain_block: 47 61 6c 6c 69 61 20 65 73 74 20 6f 6d 6e 69 73 + cipher_block: f2 4d e3 a3 fb 34 de 6c ac ba 86 1c 9d 7e 4b ca + block # 1 + IV||blk_cntr: 51753c6580c2726f2071841400000003 + key_block: 9e 07 52 a3 64 5a 2f 4f 2b cb d4 0a 30 b5 a5 fe + plain_block: 20 64 69 76 69 73 61 20 69 6e 20 70 61 72 74 65 + cipher_block: be 63 3b d5 0d 29 4e 6f 42 a5 f4 7a 51 c7 d1 9b + block # 2 + IV||blk_cntr: 51753c6580c2726f2071841400000004 + key_block: 45 fe 4e ad ed 40 0a 5d 1a f3 63 f9 0c e1 49 3b + plain_block: 73 20 74 72 65 73 + cipher_block: 36 de 3a df 88 33 + + Cipher before tag appended + f24de3a3 fb34de6c acba861c 9d7e4bca + be633bd5 0d294e6f 42a5f47a 51c7d19b + 36de3adf 8833 + + + + + +McGrew & Igoe Standards Track [Page 25] + +RFC 7714 AES-GCM for SRTP December 2015 + + + Compute the GMAC tag + + Process the AAD + AAD word: 8040f17b8041f8d35501a0b200000000 + partial hash: bcfb3d1d0e6e3e78ba45403377dba11b + + Process the cipher + cipher word: f24de3a3fb34de6cacba861c9d7e4bca + partial hash: 0ebc0abe1b15b32fedd2b07888c1ef61 + cipher word: be633bd50d294e6f42a5f47a51c7d19b + partial hash: 438e5797011ea860585709a2899f4685 + cipher word: 36de3adf883300000000000000000000 + partial hash: 336fb643310d7bac2aeaa76247f6036d + + Process the length word + length word: 00000000000000600000000000000130 + partial hash: 1b964067078c408c4e442a8f015e5264 + + Turn GHASH into GMAC + GHASH: 1b 96 40 67 07 8c 40 8c 4e 44 2a 8f 01 5e 52 64 + K0: 92 0b 3f 40 b9 3d 2a 1d 1c 8b 5c d1 e5 67 5e aa + full GMAC: 89 9d 7f 27 be b1 6a 91 52 cf 76 5e e4 39 0c ce + + Cipher with tag + f24de3a3 fb34de6c acba861c 9d7e4bca + be633bd5 0d294e6f 42a5f47a 51c7d19b + 36de3adf 8833899d 7f27beb1 6a9152cf + 765ee439 0cce + + Encrypted and tagged packet: + 8040f17b 8041f8d3 5501a0b2 f24de3a3 + fb34de6c acba861c 9d7e4bca be633bd5 + 0d294e6f 42a5f47a 51c7d19b 36de3adf + 8833899d 7f27beb1 6a9152cf 765ee439 + 0cce + + + + + + + + + + + + + + + + +McGrew & Igoe Standards Track [Page 26] + +RFC 7714 AES-GCM for SRTP December 2015 + + +16.1.2. SRTP AEAD_AES_128_GCM Decryption + + Decrypting the following packet: + + 8040f17b 8041f8d3 5501a0b2 f24de3a3 + fb34de6c acba861c 9d7e4bca be633bd5 + 0d294e6f 42a5f47a 51c7d19b 36de3adf + 8833899d 7f27beb1 6a9152cf 765ee439 + 0cce + + Form the IV + | Pad | SSRC | ROC | SEQ | + 00 00 55 01 a0 b2 00 00 00 00 f1 7b + salt: 51 75 69 64 20 70 72 6f 20 71 75 6f + IV: 51 75 3c 65 80 c2 72 6f 20 71 84 14 + + Key: 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f + AAD: 8040f17b 8041f8d3 5501a0b2 + CT: f24de3a3 fb34de6c acba861c 9d7e4bca + be633bd5 0d294e6f 42a5f47a 51c7d19b + 36de3adf 8833899d 7f27beb1 6a9152cf + 765ee439 0cce + IV: 51 75 3c 65 80 c2 72 6f 20 71 84 14 + H: c6a13b37878f5b826f4f8162a1c8d879 + + Verify the received tag + 89 9d 7f 27 be b1 6a 91 52 cf 76 5e e4 39 0c ce + + Process the AAD + AAD word: 8040f17b8041f8d35501a0b200000000 + partial hash: bcfb3d1d0e6e3e78ba45403377dba11b + + Process the cipher + cipher word: f24de3a3fb34de6cacba861c9d7e4bca + partial hash: 0ebc0abe1b15b32fedd2b07888c1ef61 + cipher word: be633bd50d294e6f42a5f47a51c7d19b + partial hash: 438e5797011ea860585709a2899f4685 + cipher word: 36de3adf883300000000000000000000 + partial hash: 336fb643310d7bac2aeaa76247f6036d + + Process the length word + length word: 00000000000000600000000000000130 + partial hash: 1b964067078c408c4e442a8f015e5264 + + + + + + + + +McGrew & Igoe Standards Track [Page 27] + +RFC 7714 AES-GCM for SRTP December 2015 + + + Turn GHASH into GMAC + GHASH: 1b 96 40 67 07 8c 40 8c 4e 44 2a 8f 01 5e 52 64 + K0: 92 0b 3f 40 b9 3d 2a 1d 1c 8b 5c d1 e5 67 5e aa + full GMAC: 89 9d 7f 27 be b1 6a 91 52 cf 76 5e e4 39 0c ce + + Received tag = 899d7f27 beb16a91 52cf765e e4390cce + Computed tag = 899d7f27 beb16a91 52cf765e e4390cce + Received tag verified. + + Decrypt the cipher + block # 0 + IV||blk_cntr: 51753c6580c2726f2071841400000002 + key_block: b5 2c 8f cf 92 55 fe 09 df ce a6 73 f0 10 22 b9 + cipher_block: f2 4d e3 a3 fb 34 de 6c ac ba 86 1c 9d 7e 4b ca + plain_block: 47 61 6c 6c 69 61 20 65 73 74 20 6f 6d 6e 69 73 + block # 1 + IV||blk_cntr: 51753c6580c2726f2071841400000003 + key_block: 9e 07 52 a3 64 5a 2f 4f 2b cb d4 0a 30 b5 a5 fe + cipher_block: be 63 3b d5 0d 29 4e 6f 42 a5 f4 7a 51 c7 d1 9b + plain_block: 20 64 69 76 69 73 61 20 69 6e 20 70 61 72 74 65 + block # 2 + IV||blk_cntr: 51753c6580c2726f2071841400000004 + key_block: 45 fe 4e ad ed 40 0a 5d 1a f3 63 f9 0c e1 49 3b + cipher_block: 36 de 3a df 88 33 + plain_block: 73 20 74 72 65 73 + + Verified and tagged packet: + 47616c6c 69612065 7374206f 6d6e6973 + 20646976 69736120 696e2070 61727465 + 73207472 6573 + + + + + + + + + + + + + + + + + + + + + +McGrew & Igoe Standards Track [Page 28] + +RFC 7714 AES-GCM for SRTP December 2015 + + +16.1.3. SRTP AEAD_AES_128_GCM Authentication Tagging + + Tagging the following packet: + + 8040f17b 8041f8d3 5501a0b2 47616c6c + 69612065 7374206f 6d6e6973 20646976 + 69736120 696e2070 61727465 73207472 + 6573 + + Form the IV + | Pad | SSRC | ROC | SEQ | + 00 00 55 01 a0 b2 00 00 00 00 f1 7b + salt: 51 75 69 64 20 70 72 6f 20 71 75 6f + IV: 51 75 3c 65 80 c2 72 6f 20 71 84 14 + + Key: 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f + AAD: 8040f17b 8041f8d3 5501a0b2 47616c6c + 69612065 7374206f 6d6e6973 20646976 + 69736120 696e2070 61727465 73207472 + 6573 + IV: 51 75 3c 65 80 c2 72 6f 20 71 84 14 + H: c6a13b37878f5b826f4f8162a1c8d879 + + Compute the GMAC tag + + Process the AAD + AAD word: 8040f17b8041f8d35501a0b247616c6c + partial hash: 79f41fea34a474a77609d8925e9f2b22 + AAD word: 696120657374206f6d6e697320646976 + partial hash: 84093a2f85abf17ab37d3ce2f706138f + AAD word: 69736120696e20706172746573207472 + partial hash: ab2760fee24e6dec754739d8059cd144 + AAD word: 65730000000000000000000000000000 + partial hash: e84f3c55d287fc561c41d09a8aada4be + + Process the length word + length word: 00000000000001900000000000000000 + partial hash: b04200c26b81c98af55cc2eafccd1cbc + + Turn GHASH into GMAC + GHASH: b0 42 00 c2 6b 81 c9 8a f5 5c c2 ea fc cd 1c bc + K0: 92 0b 3f 40 b9 3d 2a 1d 1c 8b 5c d1 e5 67 5e aa + full GMAC: 22 49 3f 82 d2 bc e3 97 e9 d7 9e 3b 19 aa 42 16 + + Cipher with tag + 22493f82 d2bce397 e9d79e3b 19aa4216 + + + + + +McGrew & Igoe Standards Track [Page 29] + +RFC 7714 AES-GCM for SRTP December 2015 + + + Tagged packet: + 8040f17b 8041f8d3 5501a0b2 47616c6c + 69612065 7374206f 6d6e6973 20646976 + 69736120 696e2070 61727465 73207472 + 65732249 3f82d2bc e397e9d7 9e3b19aa + 4216 + +16.1.4. SRTP AEAD_AES_128_GCM Tag Verification + + Verifying the following packet: + + 8040f17b 8041f8d3 5501a0b2 47616c6c + 69612065 7374206f 6d6e6973 20646976 + 69736120 696e2070 61727465 73207472 + 65732249 3f82d2bc e397e9d7 9e3b19aa + 4216 + + Form the IV + | Pad | SSRC | ROC | SEQ | + 00 00 55 01 a0 b2 00 00 00 00 f1 7b + salt: 51 75 69 64 20 70 72 6f 20 71 75 6f + IV: 51 75 3c 65 80 c2 72 6f 20 71 84 14 + + Key: 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f + AAD: 8040f17b 8041f8d3 5501a0b2 47616c6c + 69612065 7374206f 6d6e6973 20646976 + 69736120 696e2070 61727465 73207472 + 6573 + CT: 22493f82 d2bce397 e9d79e3b 19aa4216 + IV: 51 75 3c 65 80 c2 72 6f 20 71 84 14 + H: c6a13b37878f5b826f4f8162a1c8d879 + + Verify the received tag + 22 49 3f 82 d2 bc e3 97 e9 d7 9e 3b 19 aa 42 16 + + Process the AAD + AAD word: 8040f17b8041f8d35501a0b247616c6c + partial hash: 79f41fea34a474a77609d8925e9f2b22 + AAD word: 696120657374206f6d6e697320646976 + partial hash: 84093a2f85abf17ab37d3ce2f706138f + AAD word: 69736120696e20706172746573207472 + partial hash: ab2760fee24e6dec754739d8059cd144 + AAD word: 65730000000000000000000000000000 + partial hash: e84f3c55d287fc561c41d09a8aada4be + + Process the length word + length word: 00000000000001900000000000000000 + partial hash: b04200c26b81c98af55cc2eafccd1cbc + + + +McGrew & Igoe Standards Track [Page 30] + +RFC 7714 AES-GCM for SRTP December 2015 + + + Turn GHASH into GMAC + GHASH: b0 42 00 c2 6b 81 c9 8a f5 5c c2 ea fc cd 1c bc + K0: 92 0b 3f 40 b9 3d 2a 1d 1c 8b 5c d1 e5 67 5e aa + full GMAC: 22 49 3f 82 d2 bc e3 97 e9 d7 9e 3b 19 aa 42 16 + + Received tag = 22493f82 d2bce397 e9d79e3b 19aa4216 + Computed tag = 22493f82 d2bce397 e9d79e3b 19aa4216 + Received tag verified. + +16.2. SRTP AEAD_AES_256_GCM + +16.2.1. SRTP AEAD_AES_256_GCM Encryption + + Encrypting the following packet: + + 8040f17b 8041f8d3 5501a0b2 47616c6c + 69612065 7374206f 6d6e6973 20646976 + 69736120 696e2070 61727465 73207472 + 6573 + + Form the IV + | Pad | SSRC | ROC | SEQ | + 00 00 55 01 a0 b2 00 00 00 00 f1 7b + salt: 51 75 69 64 20 70 72 6f 20 71 75 6f + IV: 51 75 3c 65 80 c2 72 6f 20 71 84 14 + + Key: 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f + 10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f + AAD: 8040f17b 8041f8d3 5501a0b2 + PT: 47616c6c 69612065 7374206f 6d6e6973 + 20646976 69736120 696e2070 61727465 + 73207472 6573 + IV: 51 75 3c 65 80 c2 72 6f 20 71 84 14 + H: f29000b62a499fd0a9f39a6add2e7780 + + + + + + + + + + + + + + + + + +McGrew & Igoe Standards Track [Page 31] + +RFC 7714 AES-GCM for SRTP December 2015 + + + Encrypt the Plaintext + block # 0 + IV||blk_cntr: 51753c6580c2726f2071841400000002 + key_block: 75 d0 b2 14 c1 43 de 77 9c eb 58 95 5e 40 5a d9 + plain_block: 47 61 6c 6c 69 61 20 65 73 74 20 6f 6d 6e 69 73 + cipher_block: 32 b1 de 78 a8 22 fe 12 ef 9f 78 fa 33 2e 33 aa + block # 1 + IV||blk_cntr: 51753c6580c2726f2071841400000003 + key_block: 91 e4 7b 4e f3 2b 83 d3 dc 65 0a 72 17 8d da 6a + plain_block: 20 64 69 76 69 73 61 20 69 6e 20 70 61 72 74 65 + cipher_block: b1 80 12 38 9a 58 e2 f3 b5 0b 2a 02 76 ff ae 0f + block # 2 + IV||blk_cntr: 51753c6580c2726f2071841400000004 + key_block: 68 86 43 eb dd 08 07 98 16 3a 16 d5 e5 04 f6 3a + plain_block: 73 20 74 72 65 73 + cipher_block: 1b a6 37 99 b8 7b + + Cipher before tag appended + 32b1de78 a822fe12 ef9f78fa 332e33aa + b1801238 9a58e2f3 b50b2a02 76ffae0f + 1ba63799 b87b + + Compute the GMAC tag + + Process the AAD + AAD word: 8040f17b8041f8d35501a0b200000000 + partial hash: 0154dcb75485b71880e1957c877351bd + + Process the cipher + cipher word: 32b1de78a822fe12ef9f78fa332e33aa + partial hash: c3f07db9a8b9cb4345eb07f793d322d2 + cipher word: b18012389a58e2f3b50b2a0276ffae0f + partial hash: 6d1e66fe32eb32ecd8906ceab09db996 + cipher word: 1ba63799b87b00000000000000000000 + partial hash: b3d1d2f1fa3b366619bc42cd2eedafee + + Process the length word + length word: 00000000000000600000000000000130 + partial hash: 7debf5fa1fac3bd318d5e1a7ee401091 + + Turn GHASH into GMAC + GHASH: 7d eb f5 fa 1f ac 3b d3 18 d5 e1 a7 ee 40 10 91 + K0: 07 48 2e cc c0 53 ed 63 e1 6e 99 df 39 e7 7c 82 + full GMAC: 7a a3 db 36 df ff d6 b0 f9 bb 78 78 d7 a7 6c 13 + + + + + + + +McGrew & Igoe Standards Track [Page 32] + +RFC 7714 AES-GCM for SRTP December 2015 + + + Cipher with tag + 32b1de78 a822fe12 ef9f78fa 332e33aa + b1801238 9a58e2f3 b50b2a02 76ffae0f + 1ba63799 b87b7aa3 db36dfff d6b0f9bb + 7878d7a7 6c13 + + Encrypted and tagged packet: + 8040f17b 8041f8d3 5501a0b2 32b1de78 + a822fe12 ef9f78fa 332e33aa b1801238 + 9a58e2f3 b50b2a02 76ffae0f 1ba63799 + b87b7aa3 db36dfff d6b0f9bb 7878d7a7 + 6c13 + +16.2.2. SRTP AEAD_AES_256_GCM Decryption + + Decrypting the following packet: + + 8040f17b 8041f8d3 5501a0b2 32b1de78 + a822fe12 ef9f78fa 332e33aa b1801238 + 9a58e2f3 b50b2a02 76ffae0f 1ba63799 + b87b7aa3 db36dfff d6b0f9bb 7878d7a7 + 6c13 + + Form the IV + | Pad | SSRC | ROC | SEQ | + 00 00 55 01 a0 b2 00 00 00 00 f1 7b + salt: 51 75 69 64 20 70 72 6f 20 71 75 6f + IV: 51 75 3c 65 80 c2 72 6f 20 71 84 14 + + Key: 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f + 10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f + AAD: 8040f17b 8041f8d3 5501a0b2 + CT: 32b1de78 a822fe12 ef9f78fa 332e33aa + b1801238 9a58e2f3 b50b2a02 76ffae0f + 1ba63799 b87b7aa3 db36dfff d6b0f9bb + 7878d7a7 6c13 + IV: 51 75 3c 65 80 c2 72 6f 20 71 84 14 + H: f29000b62a499fd0a9f39a6add2e7780 + + Verify the received tag + 7a a3 db 36 df ff d6 b0 f9 bb 78 78 d7 a7 6c 13 + + Process the AAD + AAD word: 8040f17b8041f8d35501a0b200000000 + partial hash: 0154dcb75485b71880e1957c877351bd + + + + + + +McGrew & Igoe Standards Track [Page 33] + +RFC 7714 AES-GCM for SRTP December 2015 + + + Process the cipher + cipher word: 32b1de78a822fe12ef9f78fa332e33aa + partial hash: c3f07db9a8b9cb4345eb07f793d322d2 + cipher word: b18012389a58e2f3b50b2a0276ffae0f + partial hash: 6d1e66fe32eb32ecd8906ceab09db996 + cipher word: 1ba63799b87b00000000000000000000 + partial hash: b3d1d2f1fa3b366619bc42cd2eedafee + + Process the length word + length word: 00000000000000600000000000000130 + partial hash: 7debf5fa1fac3bd318d5e1a7ee401091 + + Turn GHASH into GMAC + GHASH: 7d eb f5 fa 1f ac 3b d3 18 d5 e1 a7 ee 40 10 91 + K0: 07 48 2e cc c0 53 ed 63 e1 6e 99 df 39 e7 7c 82 + full GMAC: 7a a3 db 36 df ff d6 b0 f9 bb 78 78 d7 a7 6c 13 + + Received tag = 7aa3db36 dfffd6b0 f9bb7878 d7a76c13 + Computed tag = 7aa3db36 dfffd6b0 f9bb7878 d7a76c13 + Received tag verified. + + Decrypt the cipher + block # 0 + IV||blk_cntr: 51753c6580c2726f2071841400000002 + key_block: 75 d0 b2 14 c1 43 de 77 9c eb 58 95 5e 40 5a d9 + cipher_block: 32 b1 de 78 a8 22 fe 12 ef 9f 78 fa 33 2e 33 aa + plain_block: 47 61 6c 6c 69 61 20 65 73 74 20 6f 6d 6e 69 73 + block # 1 + IV||blk_cntr: 51753c6580c2726f2071841400000003 + key_block: 91 e4 7b 4e f3 2b 83 d3 dc 65 0a 72 17 8d da 6a + cipher_block: b1 80 12 38 9a 58 e2 f3 b5 0b 2a 02 76 ff ae 0f + plain_block: 20 64 69 76 69 73 61 20 69 6e 20 70 61 72 74 65 + block # 2 + IV||blk_cntr: 51753c6580c2726f2071841400000004 + key_block: 68 86 43 eb dd 08 07 98 16 3a 16 d5 e5 04 f6 3a + cipher_block: 1b a6 37 99 b8 7b + plain_block: 73 20 74 72 65 73 + + Verified and tagged packet: + 47616c6c 69612065 7374206f 6d6e6973 + 20646976 69736120 696e2070 61727465 + 73207472 6573 + + + + + + + + + +McGrew & Igoe Standards Track [Page 34] + +RFC 7714 AES-GCM for SRTP December 2015 + + +16.2.3. SRTP AEAD_AES_256_GCM Authentication Tagging + + Tagging the following packet: + + 8040f17b 8041f8d3 5501a0b2 47616c6c + 69612065 7374206f 6d6e6973 20646976 + 69736120 696e2070 61727465 73207472 + 6573 + + Form the IV + | Pad | SSRC | ROC | SEQ | + 00 00 55 01 a0 b2 00 00 00 00 f1 7b + salt: 51 75 69 64 20 70 72 6f 20 71 75 6f + IV: 51 75 3c 65 80 c2 72 6f 20 71 84 14 + + Key: 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f + 10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f + AAD: 8040f17b 8041f8d3 5501a0b2 47616c6c + 69612065 7374206f 6d6e6973 20646976 + 69736120 696e2070 61727465 73207472 + 6573 + IV: 51 75 3c 65 80 c2 72 6f 20 71 84 14 + H: f29000b62a499fd0a9f39a6add2e7780 + + Compute the GMAC tag + + Process the AAD + AAD word: 8040f17b8041f8d35501a0b247616c6c + partial hash: c059753e6763791762ca630d8ef97714 + AAD word: 696120657374206f6d6e697320646976 + partial hash: a4e3401e712900dc4f1d2303bc4b2675 + AAD word: 69736120696e20706172746573207472 + partial hash: 1c8c1af883de0d67878f379a19c65987 + AAD word: 65730000000000000000000000000000 + partial hash: 958462781aa8e8feacce6d93b54472ac + + Process the length word + length word: 00000000000001900000000000000000 + partial hash: af2efb5dcfdb9900e7127721fdb56956 + + Turn GHASH into GMAC + GHASH: af 2e fb 5d cf db 99 00 e7 12 77 21 fd b5 69 56 + K0: 07 48 2e cc c0 53 ed 63 e1 6e 99 df 39 e7 7c 82 + full GMAC: a8 66 d5 91 0f 88 74 63 06 7c ee fe c4 52 15 d4 + + Cipher with tag + a866d591 0f887463 067ceefe c45215d4 + + + + +McGrew & Igoe Standards Track [Page 35] + +RFC 7714 AES-GCM for SRTP December 2015 + + + Tagged packet: + 8040f17b 8041f8d3 5501a0b2 47616c6c + 69612065 7374206f 6d6e6973 20646976 + 69736120 696e2070 61727465 73207472 + 6573a866 d5910f88 7463067c eefec452 + 15d4 + +16.2.4. SRTP AEAD_AES_256_GCM Tag Verification + + Verifying the following packet: + + 8040f17b 8041f8d3 5501a0b2 47616c6c + 69612065 7374206f 6d6e6973 20646976 + 69736120 696e2070 61727465 73207472 + 6573a866 d5910f88 7463067c eefec452 + 15d4 + + Form the IV + | Pad | SSRC | ROC | SEQ | + 00 00 55 01 a0 b2 00 00 00 00 f1 7b + salt: 51 75 69 64 20 70 72 6f 20 71 75 6f + IV: 51 75 3c 65 80 c2 72 6f 20 71 84 14 + + Key: 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f + 10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f + AAD: 8040f17b 8041f8d3 5501a0b2 47616c6c + 69612065 7374206f 6d6e6973 20646976 + 69736120 696e2070 61727465 73207472 + 6573 + CT: a866d591 0f887463 067ceefe c45215d4 + IV: 51 75 3c 65 80 c2 72 6f 20 71 84 14 + H: f29000b62a499fd0a9f39a6add2e7780 + + Verify the received tag + a8 66 d5 91 0f 88 74 63 06 7c ee fe c4 52 15 d4 + + Process the AAD + AAD word: 8040f17b8041f8d35501a0b247616c6c + partial hash: c059753e6763791762ca630d8ef97714 + AAD word: 696120657374206f6d6e697320646976 + partial hash: a4e3401e712900dc4f1d2303bc4b2675 + AAD word: 69736120696e20706172746573207472 + partial hash: 1c8c1af883de0d67878f379a19c65987 + AAD word: 65730000000000000000000000000000 + partial hash: 958462781aa8e8feacce6d93b54472ac + + + + + + +McGrew & Igoe Standards Track [Page 36] + +RFC 7714 AES-GCM for SRTP December 2015 + + + Process the length word + length word: 00000000000001900000000000000000 + partial hash: af2efb5dcfdb9900e7127721fdb56956 + + Turn GHASH into GMAC + GHASH: af 2e fb 5d cf db 99 00 e7 12 77 21 fd b5 69 56 + K0: 07 48 2e cc c0 53 ed 63 e1 6e 99 df 39 e7 7c 82 + full GMAC: a8 66 d5 91 0f 88 74 63 06 7c ee fe c4 52 15 d4 + + Received tag = a866d591 0f887463 067ceefe c45215d4 + Computed tag = a866d591 0f887463 067ceefe c45215d4 + Received tag verified. + +17. RTCP Test Vectors + + The examples in this section are all based upon the same RTCP packet: + + 81c8000e 4d617273 4e545031 4e545031 + 52545020 0000042a 0000eb98 4c756e61 + deadbeef deadbeef deadbeef deadbeef + deadbeef + + with 32-bit SRTCP index 000005d4. + + As shown in Section 9.1, the IV is formed by XORing two 12-octet + values. The first 12-octet value is formed by concatenating + two zero octets, the 4-octet SSRC (found in the fifth through + eighth octets of the RTP packet), another two padding octets, and the + 31-bit SRTCP index, right-justified in a 32-bit = 4-octet field with + a single "0" bit prepended as padding. An example of SRTCP IV + formation is shown below: + + | Pad | SSRC | Pad | 0+SRTCP | + 00 00 4d 61 72 73 00 00 00 00 05 d4 + salt 51 75 69 64 20 70 72 6f 20 71 75 6f + ------------------------------------ + IV 51 75 24 05 52 03 72 6f 20 71 70 bb + + In an SRTCP packet, a 1-bit Encryption flag is prepended to the + 31-bit SRTCP index to form a 32-bit value we shall call the + "ESRTCP word". The E-flag is one if the SRTCP packet has been + encrypted and zero if it has been tagged but not encrypted. Note + that the ESRTCP field is only present in an SRTCP packet, not in an + RTCP packet. The full ESRTCP word is part of the AAD. + + + + + + + +McGrew & Igoe Standards Track [Page 37] + +RFC 7714 AES-GCM for SRTP December 2015 + + + When encrypting and tagging an RTCP packet (E-flag = 1), the SRTCP + packet consists of the following fields in the following order: + + - The first 8 octets of the RTCP packet (part of the AAD). + + - The cipher. + + - The ESRTCP word (the final part of the AAD). + + - Any Raw Data that might have been appended to the end of the + original RTCP packet. + + Recall that AEAD treats the authentication tag as an integral part of + the cipher, and in fact the authentication tag is the last 8 or + 16 octets of the cipher. + + The reader is reminded that when the RTCP packet is to be tagged but + not encrypted (E-flag = 0), GCM will produce a cipher that consists + solely of the 8-octet or 16-octet authentication tag. The tagged + SRTCP consists of the following fields in the order listed below: + + - All of the AAD, except for the ESRTCP word. + + - The cipher (= the authentication tag). + + - The ESRTCP word (the final part of the AAD). + + - Any Raw Data that might have been appended to the end of the + original RTCP packet. + + + + + + + + + + + + + + + + + + + + + + +McGrew & Igoe Standards Track [Page 38] + +RFC 7714 AES-GCM for SRTP December 2015 + + +17.1. SRTCP AEAD_AES_128_GCM Encryption and Tagging + + Encrypting the following packet: + + 81c8000d 4d617273 4e545031 4e545032 + 52545020 0000042a 0000e930 4c756e61 + deadbeef deadbeef deadbeef deadbeef + deadbeef + + Key size = 128 bits + Tag size = 16 octets + + Form the IV + | Pad | SSRC | Pad | SRTCP | + 00 00 4d 61 72 73 00 00 00 00 05 d4 + salt: 51 75 69 64 20 70 72 6f 20 71 75 6f + IV: 51 75 24 05 52 03 72 6f 20 71 70 bb + + Key: 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f + AAD: 81c8000d 4d617273 800005d4 + PT: 4e545031 4e545032 52545020 0000042a + 0000e930 4c756e61 deadbeef deadbeef + deadbeef deadbeef deadbeef + IV: 51 75 24 05 52 03 72 6f 20 71 70 bb + H: c6a13b37878f5b826f4f8162a1c8d879 + + Encrypt the Plaintext + block # 0 + IV||blk_cntr: 517524055203726f207170bb00000002 + key_block: 2d bd 18 b4 92 8e e6 4e f5 73 87 46 2f 6b 7a b3 + plain_block: 4e 54 50 31 4e 54 50 32 52 54 50 20 00 00 04 2a + cipher_block: 63 e9 48 85 dc da b6 7c a7 27 d7 66 2f 6b 7e 99 + block # 1 + IV||blk_cntr: 517524055203726f207170bb00000003 + key_block: 7f f5 29 c7 20 73 9d 4c 18 db 1b 1e ad a0 d1 35 + plain_block: 00 00 e9 30 4c 75 6e 61 de ad be ef de ad be ef + cipher_block: 7f f5 c0 f7 6c 06 f3 2d c6 76 a5 f1 73 0d 6f da + block # 2 + IV||blk_cntr: 517524055203726f207170bb00000004 + key_block: 92 4d 25 a9 58 9d 83 02 d5 14 99 b4 e0 14 78 15 + plain_block: de ad be ef de ad be ef de ad be ef + cipher_block: 4c e0 9b 46 86 30 3d ed 0b b9 27 5b + + Cipher before tag appended + 63e94885 dcdab67c a727d766 2f6b7e99 + 7ff5c0f7 6c06f32d c676a5f1 730d6fda + 4ce09b46 86303ded 0bb9275b + + + + +McGrew & Igoe Standards Track [Page 39] + +RFC 7714 AES-GCM for SRTP December 2015 + + + Compute the GMAC tag + + Process the AAD + AAD word: 81c8000d4d617273800005d400000000 + partial hash: 085d6eb166c555aa62982f630430ec6e + + Process the cipher + cipher word: 63e94885dcdab67ca727d7662f6b7e99 + partial hash: 8c9221be93466d68bbb16fa0d42b0187 + cipher word: 7ff5c0f76c06f32dc676a5f1730d6fda + partial hash: 221ebb044ec9fd0bf116d7780f198792 + cipher word: 4ce09b4686303ded0bb9275b00000000 + partial hash: 50f70b9ca110ab312dce212657328dae + + Process the length word + length word: 00000000000000600000000000000160 + partial hash: 7296107c9716534371dfc1a30c5ffeb5 + + Turn GHASH into GMAC + GHASH: 72 96 10 7c 97 16 53 43 71 df c1 a3 0c 5f fe b5 + K0: ba dc b4 24 01 d9 1e 6c b4 74 39 d1 49 86 14 6b + full GMAC: c8 4a a4 58 96 cf 4d 2f c5 ab f8 72 45 d9 ea de + + Cipher with tag + 63e94885 dcdab67c a727d766 2f6b7e99 + 7ff5c0f7 6c06f32d c676a5f1 730d6fda + 4ce09b46 86303ded 0bb9275b c84aa458 + 96cf4d2f c5abf872 45d9eade + + Append the ESRTCP word with the E-flag set + 63e94885 dcdab67c a727d766 2f6b7e99 + 7ff5c0f7 6c06f32d c676a5f1 730d6fda + 4ce09b46 86303ded 0bb9275b c84aa458 + 96cf4d2f c5abf872 45d9eade 800005d4 + + Encrypted and tagged packet: + 81c8000d 4d617273 63e94885 dcdab67c + a727d766 2f6b7e99 7ff5c0f7 6c06f32d + c676a5f1 730d6fda 4ce09b46 86303ded + 0bb9275b c84aa458 96cf4d2f c5abf872 + 45d9eade 800005d4 + + + + + + + + + + +McGrew & Igoe Standards Track [Page 40] + +RFC 7714 AES-GCM for SRTP December 2015 + + +17.2. SRTCP AEAD_AES_256_GCM Verification and Decryption + + Key size = 256 bits + Tag size = 16 octets + + Process the length word + + Decrypting the following packet: + + 81c8000d 4d617273 d50ae4d1 f5ce5d30 + 4ba297e4 7d470c28 2c3ece5d bffe0a50 + a2eaa5c1 110555be 8415f658 c61de047 + 6f1b6fad 1d1eb30c 4446839f 57ff6f6c + b26ac3be 800005d4 + + Key size = 256 bits + Key size = 16 octets + + Form the IV + | Pad | SSRC | Pad | SRTCP | + 00 00 4d 61 72 73 00 00 00 00 05 d4 + salt: 51 75 69 64 20 70 72 6f 20 71 75 6f + IV: 51 75 24 05 52 03 72 6f 20 71 70 bb + + Key: 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f + 10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f + AAD: 81c8000d 4d617273 800005d4 + CT: d50ae4d1 f5ce5d30 4ba297e4 7d470c28 + 2c3ece5d bffe0a50 a2eaa5c1 110555be + 8415f658 c61de047 6f1b6fad 1d1eb30c + 4446839f 57ff6f6c b26ac3be + IV: 51 75 24 05 52 03 72 6f 20 71 70 bb + H: f29000b62a499fd0a9f39a6add2e7780 + + Verify the received tag + 1d 1e b3 0c 44 46 83 9f 57 ff 6f 6c b2 6a c3 be + + Process the AAD + AAD word: 81c8000d4d617273800005d400000000 + partial hash: 3ae5afd36dead5280b18950400176b5b + + Process the cipher + cipher word: d50ae4d1f5ce5d304ba297e47d470c28 + partial hash: e90fab7546f6940781227227ac926ebe + cipher word: 2c3ece5dbffe0a50a2eaa5c1110555be + partial hash: 9b236807d8b2dab07583adce367aa88f + cipher word: 8415f658c61de0476f1b6fad00000000 + partial hash: e69313f423a75e3e0b7eb93321700e86 + + + +McGrew & Igoe Standards Track [Page 41] + +RFC 7714 AES-GCM for SRTP December 2015 + + + Process the length word + length word: 00000000000000600000000000000160 + partial hash: 3a284af2616fdf505faf37eec39fbc8b + + Turn GHASH into GMAC + GHASH: 3a 28 4a f2 61 6f df 50 5f af 37 ee c3 9f bc 8b + K0: 27 36 f9 fe 25 29 5c cf 08 50 58 82 71 f5 7f 35 + full GMAC: 1d 1e b3 0c 44 46 83 9f 57 ff 6f 6c b2 6a c3 be + + Received tag = 1d1eb30c 4446839f 57ff6f6c b26ac3be + Computed tag = 1d1eb30c 4446839f 57ff6f6c b26ac3be + Received tag verified. + + Decrypt the cipher + block # 0 + IV||blk_cntr: 517524055203726f207170bb00000002 + key_block: 9b 5e b4 e0 bb 9a 0d 02 19 f6 c7 c4 7d 47 08 02 + cipher_block: d5 0a e4 d1 f5 ce 5d 30 4b a2 97 e4 7d 47 0c 28 + plain_block: 4e 54 50 31 4e 54 50 32 52 54 50 20 00 00 04 2a + block # 1 + IV||blk_cntr: 517524055203726f207170bb00000003 + key_block: 2c 3e 27 6d f3 8b 64 31 7c 47 1b 2e cf a8 eb 51 + cipher_block: 2c 3e ce 5d bf fe 0a 50 a2 ea a5 c1 11 05 55 be + plain_block: 00 00 e9 30 4c 75 6e 61 de ad be ef de ad be ef + block # 2 + IV||blk_cntr: 517524055203726f207170bb00000004 + key_block: 5a b8 48 b7 18 b0 5e a8 b1 b6 d1 42 3b 74 39 55 + cipher_block: 84 15 f6 58 c6 1d e0 47 6f 1b 6f ad + plain_block: de ad be ef de ad be ef de ad be ef + + Verified and decrypted packet: + 81c8000d 4d617273 4e545031 4e545032 + 52545020 0000042a 0000e930 4c756e61 + deadbeef deadbeef deadbeef deadbeef + deadbeef + + + + + + + + + + + + + + + + +McGrew & Igoe Standards Track [Page 42] + +RFC 7714 AES-GCM for SRTP December 2015 + + +17.3. SRTCP AEAD_AES_128_GCM Tagging Only + + Tagging the following packet: + + 81c8000d 4d617273 4e545031 4e545032 + 52545020 0000042a 0000e930 4c756e61 + deadbeef deadbeef deadbeef deadbeef + deadbeef + + Key size = 128 bits + Tag size = 16 octets + + Form the IV + | Pad | SSRC | Pad | SRTCP | + 00 00 4d 61 72 73 00 00 00 00 05 d4 + salt: 51 75 69 64 20 70 72 6f 20 71 75 6f + IV: 51 75 24 05 52 03 72 6f 20 71 70 bb + + Key: 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f + AAD: 81c8000d 4d617273 4e545031 4e545032 + 52545020 0000042a 0000e930 4c756e61 + deadbeef deadbeef deadbeef deadbeef + deadbeef 000005d4 + IV: 51 75 24 05 52 03 72 6f 20 71 70 bb + H: c6a13b37878f5b826f4f8162a1c8d879 + + Compute the GMAC tag + + Process the AAD + AAD word: 81c8000d4d6172734e5450314e545032 + partial hash: f8dbbe278e06afe17fb4fb2e67f0a22e + AAD word: 525450200000042a0000e9304c756e61 + partial hash: 6ccd900dfd0eb292f68f8a410d0648ec + AAD word: deadbeefdeadbeefdeadbeefdeadbeef + partial hash: 6a14be0ea384c6b746235ba955a57ff5 + AAD word: deadbeef000005d40000000000000000 + partial hash: cc81f14905670a1e37f8bc81a91997cd + + Process the length word + length word: 00000000000001c00000000000000000 + partial hash: 3ec16d4c3c0e90a59e91be415bd976d8 + + Turn GHASH into GMAC + GHASH: 3e c1 6d 4c 3c 0e 90 a5 9e 91 be 41 5b d9 76 d8 + K0: ba dc b4 24 01 d9 1e 6c b4 74 39 d1 49 86 14 6b + full GMAC: 84 1d d9 68 3d d7 8e c9 2a e5 87 90 12 5f 62 b3 + + + + + +McGrew & Igoe Standards Track [Page 43] + +RFC 7714 AES-GCM for SRTP December 2015 + + + Cipher with tag + 841dd968 3dd78ec9 2ae58790 125f62b3 + + Tagged packet: + 81c8000d 4d617273 4e545031 4e545032 + 52545020 0000042a 0000e930 4c756e61 + deadbeef deadbeef deadbeef deadbeef + deadbeef 841dd968 3dd78ec9 2ae58790 + 125f62b3 000005d4 + +17.4. SRTCP AEAD_AES_256_GCM Tag Verification + + Key size = 256 bits + Tag size = 16 octets + + Process the length word + Verifying the following packet: + + 81c8000d 4d617273 4e545031 4e545032 + 52545020 0000042a 0000e930 4c756e61 + deadbeef deadbeef deadbeef deadbeef + deadbeef 91db4afb feee5a97 8fab4393 + ed2615fe 000005d4 + + Key size = 256 bits + Key size = 16 octets + + Form the IV + | Pad | SSRC | Pad | SRTCP | + 00 00 4d 61 72 73 00 00 00 00 05 d4 + salt: 51 75 69 64 20 70 72 6f 20 71 75 6f + IV: 51 75 24 05 52 03 72 6f 20 71 70 bb + + Key: 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f + 10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f + AAD: 81c8000d 4d617273 4e545031 4e545032 + 52545020 0000042a 0000e930 4c756e61 + deadbeef deadbeef deadbeef deadbeef + deadbeef 000005d4 + CT: 91db4afb feee5a97 8fab4393 ed2615fe + IV: 51 75 24 05 52 03 72 6f 20 71 70 bb + H: f29000b62a499fd0a9f39a6add2e7780 + + Verify the received tag + 91 db 4a fb fe ee 5a 97 8f ab 43 93 ed 26 15 fe + + + + + + +McGrew & Igoe Standards Track [Page 44] + +RFC 7714 AES-GCM for SRTP December 2015 + + + Process the AAD + AAD word: 81c8000d4d6172734e5450314e545032 + partial hash: 7bc665c71676a5a5f663b3229af4b85c + AAD word: 525450200000042a0000e9304c756e61 + partial hash: 34ed77752703ab7d69f44237910e3bc0 + AAD word: deadbeefdeadbeefdeadbeefdeadbeef + partial hash: 74a59f1a99282344d64ab1c8a2be6cf8 + AAD word: deadbeef000005d40000000000000000 + partial hash: 126335c0baa7ab1b79416ceeb9f7a518 + + Process the length word + length word: 00000000000001c00000000000000000 + partial hash: b6edb305dbc7065887fb1b119cd36acb + + Turn GHASH into GMAC + GHASH: b6 ed b3 05 db c7 06 58 87 fb 1b 11 9c d3 6a cb + K0: 27 36 f9 fe 25 29 5c cf 08 50 58 82 71 f5 7f 35 + full GMAC: 91 db 4a fb fe ee 5a 97 8f ab 43 93 ed 26 15 fe + + Received tag = 91db4afb feee5a97 8fab4393 ed2615fe + Computed tag = 91db4afb feee5a97 8fab4393 ed2615fe + Received tag verified. + + Verified packet: + 81c8000d 4d617273 4e545031 4e545032 + 52545020 0000042a 0000e930 4c756e61 + deadbeef deadbeef deadbeef deadbeef + deadbeef + +18. References + +18.1. Normative References + + [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate + Requirement Levels", BCP 14, RFC 2119, + DOI 10.17487/RFC2119, March 1997, + <http://www.rfc-editor.org/info/rfc2119>. + + [RFC3550] Schulzrinne, H., Casner, S., Frederick, R., and V. + Jacobson, "RTP: A Transport Protocol for Real-Time + Applications", STD 64, RFC 3550, DOI 10.17487/RFC3550, + July 2003, <http://www.rfc-editor.org/info/rfc3550>. + + [RFC3711] Baugher, M., McGrew, D., Naslund, M., Carrara, E., and K. + Norrman, "The Secure Real-time Transport Protocol (SRTP)", + RFC 3711, DOI 10.17487/RFC3711, March 2004, + <http://www.rfc-editor.org/info/rfc3711>. + + + + +McGrew & Igoe Standards Track [Page 45] + +RFC 7714 AES-GCM for SRTP December 2015 + + + [RFC3830] Arkko, J., Carrara, E., Lindholm, F., Naslund, M., and K. + Norrman, "MIKEY: Multimedia Internet KEYing", RFC 3830, + DOI 10.17487/RFC3830, August 2004, + <http://www.rfc-editor.org/info/rfc3830>. + + [RFC4568] Andreasen, F., Baugher, M., and D. Wing, "Session + Description Protocol (SDP) Security Descriptions for Media + Streams", RFC 4568, DOI 10.17487/RFC4568, July 2006, + <http://www.rfc-editor.org/info/rfc4568>. + + [RFC5116] McGrew, D., "An Interface and Algorithms for Authenticated + Encryption", RFC 5116, DOI 10.17487/RFC5116, January 2008, + <http://www.rfc-editor.org/info/rfc5116>. + + [RFC5234] Crocker, D., Ed., and P. Overell, "Augmented BNF for + Syntax Specifications: ABNF", STD 68, RFC 5234, + DOI 10.17487/RFC5234, January 2008, + <http://www.rfc-editor.org/info/rfc5234>. + + [RFC5764] McGrew, D. and E. Rescorla, "Datagram Transport Layer + Security (DTLS) Extension to Establish Keys for the Secure + Real-time Transport Protocol (SRTP)", RFC 5764, + DOI 10.17487/RFC5764, May 2010, + <http://www.rfc-editor.org/info/rfc5764>. + + [RFC6188] McGrew, D., "The Use of AES-192 and AES-256 in Secure + RTP", RFC 6188, DOI 10.17487/RFC6188, March 2011, + <http://www.rfc-editor.org/info/rfc6188>. + + [RFC6904] Lennox, J., "Encryption of Header Extensions in the Secure + Real-time Transport Protocol (SRTP)", RFC 6904, + DOI 10.17487/RFC6904, April 2013, + <http://www.rfc-editor.org/info/rfc6904>. + + + + + + + + + + + + + + + + + + +McGrew & Igoe Standards Track [Page 46] + +RFC 7714 AES-GCM for SRTP December 2015 + + +18.2. Informative References + + [BN00] Bellare, M. and C. Namprempre, "Authenticated Encryption: + Relations among notions and analysis of the generic + composition paradigm", Proceedings of ASIACRYPT 2000, + Springer-Verlag, LNCS 1976, pp. 531-545, + DOI 10.1007/3-540-44448-3_41, + <http://www-cse.ucsd.edu/users/mihir/papers/oem.html>. + + [GCM] Dworkin, M., "NIST Special Publication 800-38D: + Recommendation for Block Cipher Modes of Operation: + Galois/Counter Mode (GCM) and GMAC", U.S. National + Institute of Standards and Technology, November 2007, + <http://csrc.nist.gov/publications/nistpubs/ + 800-38D/SP-800-38D.pdf>. + + [R02] Rogaway, P., "Authenticated-Encryption with Associated- + Data", ACM Conference on Computer and Communications + Security (CCS'02), pp. 98-107, ACM Press, + DOI 10.1145/586110.586125, September 2002, + <http://www.cs.ucdavis.edu/~rogaway/papers/ad.html>. + + [RFC4771] Lehtovirta, V., Naslund, M., and K. Norrman, "Integrity + Transform Carrying Roll-Over Counter for the Secure + Real-time Transport Protocol (SRTP)", RFC 4771, + DOI 10.17487/RFC4771, January 2007, + <http://www.rfc-editor.org/info/rfc4771>. + + + + + + + + + + + + + + + + + + + + + + + + +McGrew & Igoe Standards Track [Page 47] + +RFC 7714 AES-GCM for SRTP December 2015 + + +Acknowledgements + + The authors would like to thank Michael Peck, Michael Torla, Qin Wu, + Magnus Westerlund, Oscar Ohllson, Woo-Hwan Kim, John Mattsson, + Richard Barnes, Morris Dworkin, Stephen Farrell, and many other + reviewers who provided valuable comments on earlier draft versions of + this document. + +Authors' Addresses + + David A. McGrew + Cisco Systems, Inc. + 510 McCarthy Blvd. + Milpitas, CA 95035 + United States + Phone: (408) 525 8651 + + Email: mcgrew@cisco.com + URI: http://www.mindspring.com/~dmcgrew/dam.htm + + + Kevin M. Igoe + NSA/CSS Commercial Solutions Center + National Security Agency + + Email: mythicalkevin@yahoo.com + + + + + + + + + + + + + + + + + + + + + + + + + +McGrew & Igoe Standards Track [Page 48] + |