diff options
| author | Thomas Voss <mail@thomasvoss.com> | 2024-11-27 20:54:24 +0100 |
|---|---|---|
| committer | Thomas Voss <mail@thomasvoss.com> | 2024-11-27 20:54:24 +0100 |
| commit | 4bfd864f10b68b71482b35c818559068ef8d5797 (patch) | |
| tree | e3989f47a7994642eb325063d46e8f08ffa681dc /doc/rfc/rfc9335.txt | |
| parent | ea76e11061bda059ae9f9ad130a9895cc85607db (diff) | |
doc: Add RFC documents
Diffstat (limited to 'doc/rfc/rfc9335.txt')
| -rw-r--r-- | doc/rfc/rfc9335.txt | 1066 |
1 files changed, 1066 insertions, 0 deletions
diff --git a/doc/rfc/rfc9335.txt b/doc/rfc/rfc9335.txt new file mode 100644 index 0000000..62b0e6f --- /dev/null +++ b/doc/rfc/rfc9335.txt @@ -0,0 +1,1066 @@ + + + + +Internet Engineering Task Force (IETF) J. Uberti +Request for Comments: 9335 +Updates: 3711 C. Jennings +Category: Standards Track Cisco +ISSN: 2070-1721 S. Garcia Murillo + Millicast + January 2023 + + + Completely Encrypting RTP Header Extensions and Contributing Sources + +Abstract + + While the Secure Real-time Transport Protocol (SRTP) provides + confidentiality for the contents of a media packet, a significant + amount of metadata is left unprotected, including RTP header + extensions and contributing sources (CSRCs). However, this data can + be moderately sensitive in many applications. While there have been + previous attempts to protect this data, they have had limited + deployment, due to complexity as well as technical limitations. + + This document updates RFC 3711, the SRTP specification, and defines + Cryptex as a new mechanism that completely encrypts header extensions + and CSRCs and uses simpler Session Description Protocol (SDP) + signaling with the goal of facilitating deployment. + +Status of This Memo + + This is an Internet Standards Track document. + + This document is a product of the Internet Engineering Task Force + (IETF). It represents the consensus of the IETF community. It has + received public review and has been approved for publication by the + Internet Engineering Steering Group (IESG). Further information on + Internet Standards is available in Section 2 of RFC 7841. + + Information about the current status of this document, any errata, + and how to provide feedback on it may be obtained at + https://www.rfc-editor.org/info/rfc9335. + +Copyright Notice + + Copyright (c) 2023 IETF Trust and the persons identified as the + document authors. All rights reserved. + + This document is subject to BCP 78 and the IETF Trust's Legal + Provisions Relating to IETF Documents + (https://trustee.ietf.org/license-info) in effect on the date of + publication of this document. Please review these documents + carefully, as they describe your rights and restrictions with respect + to this document. Code Components extracted from this document must + include Revised BSD License text as described in Section 4.e of the + Trust Legal Provisions and are provided without warranty as described + in the Revised BSD License. + +Table of Contents + + 1. Introduction + 1.1. Problem Statement + 1.2. Previous Solutions + 1.3. Goals + 2. Terminology + 3. Design + 4. SDP Considerations + 5. RTP Header Processing + 5.1. Sending + 5.2. Receiving + 6. Encryption and Decryption + 6.1. Packet Structure + 6.2. Encryption Procedure + 6.3. Decryption Procedure + 7. Backward Compatibility + 8. Security Considerations + 9. IANA Considerations + 10. References + 10.1. Normative References + 10.2. Informative References + Appendix A. Test Vectors + A.1. AES-CTR + A.1.1. RTP Packet with One-Byte Header Extension + A.1.2. RTP Packet with Two-Byte Header Extension + A.1.3. RTP Packet with One-Byte Header Extension and CSRC + Fields + A.1.4. RTP Packet with Two-Byte Header Extension and CSRC + Fields + A.1.5. RTP Packet with Empty One-Byte Header Extension and + CSRC Fields + A.1.6. RTP Packet with Empty Two-Byte Header Extension and + CSRC Fields + A.2. AES-GCM + A.2.1. RTP Packet with One-Byte Header Extension + A.2.2. RTP Packet with Two-Byte Header Extension + A.2.3. RTP Packet with One-Byte Header Extension and CSRC + Fields + A.2.4. RTP Packet with Two-Byte Header Extension and CSRC + Fields + A.2.5. RTP Packet with Empty One-Byte Header Extension and + CSRC Fields + A.2.6. RTP Packet with Empty Two-Byte Header Extension and + CSRC Fields + Acknowledgements + Authors' Addresses + +1. Introduction + +1.1. Problem Statement + + The Secure Real-time Transport Protocol (SRTP) [RFC3711] mechanism + provides message authentication for the entire RTP packet but only + encrypts the RTP payload. This has not historically been a problem, + as much of the information carried in the header has minimal + sensitivity (e.g., RTP timestamp); in addition, certain fields need + to remain as cleartext because they are used for key scheduling + (e.g., RTP synchronization source (SSRC) and sequence number). + + However, as noted in [RFC6904], the security requirements can be + different for information carried in RTP header extensions, including + the per-packet sound levels defined in [RFC6464] and [RFC6465], which + are specifically noted as being sensitive in the Security + Considerations sections of those RFCs. + + In addition to the contents of the header extensions, there are now + enough header extensions in active use that the header extension + identifiers themselves can provide meaningful information in terms of + determining the identity of the endpoint and/or application. + Accordingly, these identifiers can be considered a fingerprinting + issue. + + Finally, the CSRCs included in RTP packets can also be sensitive, + potentially allowing a network eavesdropper to determine who was + speaking and when during an otherwise secure conference call. + +1.2. Previous Solutions + + Encryption of Header Extensions in SRTP [RFC6904] was proposed in + 2013 as a solution to the problem of unprotected header extension + values. However, it has not seen significant adoption and has a few + technical shortcomings. + + First, the mechanism is complicated. Since it allows encryption to + be negotiated on a per-extension basis, a fair amount of signaling + logic is required. And in the SRTP layer, a somewhat complex + transform is required to allow only the selected header extension + values to be encrypted. One of the most popular SRTP implementations + had a significant bug in this area that was not detected for five + years. + + Second, the mechanism only protects the header extension values and + not their identifiers or lengths. It also does not protect the + CSRCs. As noted above, this leaves a fair amount of potentially + sensitive information exposed. + + Third, the mechanism bloats the header extension space. Because each + extension must be offered in both unencrypted and encrypted forms, + twice as many header extensions must be offered, which will in many + cases push implementations past the 14-extension limit for the use of + one-byte extension headers defined in [RFC8285]. Accordingly, in + many cases, implementations will need to use two-byte headers, which + are not supported well by some existing implementations. + + Finally, the header extension bloat combined with the need for + backward compatibility results in additional wire overhead. Because + two-byte extension headers may not be handled well by existing + implementations, one-byte extension identifiers will need to be used + for the unencrypted (backward-compatible) forms, and two-byte for the + encrypted forms. Thus, deployment of encryption for header + extensions [RFC6904] will typically result in multiple extra bytes in + each RTP packet, compared to the present situation. + +1.3. Goals + + From the previous analysis, the desired properties of a solution are: + + * Built on the existing SRTP framework [RFC3711] (simple to + understand) + + * Built on the existing header extension framework [RFC8285] (simple + to implement) + + * Protection of header extension identifiers, lengths, and values + + * Protection of CSRCs when present + + * Simple signaling + + * Simple crypto transform and SRTP interactions + + * Backward compatibility with unencrypted endpoints, if desired + + * Backward compatibility with existing RTP tooling + + The last point deserves further discussion. While other possible + solutions that would have encrypted more of the RTP header (e.g., the + number of CSRCs) were considered, the inability to parse the + resultant packets with current tools and a generally higher level of + complexity outweighed the slight improvement in confidentiality in + these solutions. Hence, a more pragmatic approach was taken to solve + the problem described in Section 1.1. + +2. Terminology + + The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", + "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and + "OPTIONAL" in this document are to be interpreted as described in + BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all + capitals, as shown here. + +3. Design + + This specification proposes a mechanism to negotiate encryption of + all RTP header extensions (ids, lengths, and values) as well as CSRC + values. It reuses the existing SRTP framework, is accordingly simple + to implement, and is backward compatible with existing RTP packet + parsing code, even when support for the mechanism has been + negotiated. + + Except when explicitly stated otherwise, Cryptex reuses all the + framework procedures, transforms, and considerations described in + [RFC3711]. + +4. SDP Considerations + + Cryptex support is indicated via a new "a=cryptex" SDP attribute + defined in this specification. + + The new "a=cryptex" attribute is a property attribute as defined in + Section 5.13 of [RFC8866]; it therefore takes no value and can be + used at the session level or media level. + + The presence of the "a=cryptex" attribute in the SDP (in either an + offer or an answer) indicates that the endpoint is capable of + receiving RTP packets encrypted with Cryptex, as defined below. + + Once each peer has verified that the other party supports receiving + RTP packets encrypted with Cryptex, senders can unilaterally decide + whether or not to use the Cryptex mechanism on a per-packet basis. + + If BUNDLE is in use as per [RFC9143] and the "a=cryptex" attribute is + present for a media line, it MUST be present for all RTP-based "m=" + sections belonging to the same bundle group. This ensures that the + encrypted Media Identifier (MID) header extensions can be processed, + allowing RTP streams to be associated with the correct "m=" section + in each BUNDLE group as specified in Section 9.2 of [RFC9143]. When + used with BUNDLE, this attribute is assigned to the TRANSPORT + category [RFC8859]. + + Both endpoints can change the Cryptex support status by modifying the + session as specified in Section 8 of [RFC3264]. Generating + subsequent SDP offers and answers MUST use the same procedures for + including the "a=cryptex" attribute as the ones on the initial offer + and answer. + +5. RTP Header Processing + + A General Mechanism for RTP Header Extensions [RFC8285] defines two + values for the "defined by profile" field for carrying one-byte and + two-byte header extensions. In order to allow a receiver to + determine if an incoming RTP packet is using the encryption scheme in + this specification, two new values are defined: + + * 0xC0DE for the encrypted version of the one-byte header extensions + (instead of 0xBEDE). + + * 0xC2DE for the encrypted versions of the two-byte header + extensions (instead of 0x100). + + In the case of using two-byte header extensions, the extension + identifier with value 256 MUST NOT be negotiated, as the value of + this identifier is meant to be contained in the "appbits" of the + "defined by profile" field, which are not available when using the + values above. + + Note that as per [RFC8285], it is not possible to mix one-byte and + two-byte headers on the same RTP packet. Mixing one-byte and two- + byte headers on the same RTP stream requires negotiation of the + "extmap-allow-mixed" SDP attribute as defined in Section 6 of + [RFC8285]. + + Peers MAY negotiate both Cryptex and the Encryption of Header + Extensions mechanism defined in [RFC6904] via SDP offer/answer as + described in Section 4, and if both mechanisms are supported, either + one can be used for any given packet. However, if a packet is + encrypted with Cryptex, it MUST NOT also use header extension + encryption [RFC6904], and vice versa. + + If one of the peers has advertised the ability to receive both + Cryptex and header extensions encrypted as per [RFC6904] in the SDP + exchange, it is RECOMMENDED that the other peer use Cryptex rather + than the mechanism in [RFC6904] when sending RTP packets so that all + the header extensions and CSRCS are encrypted. However, if there is + a compelling reason to use the mechanism in [RFC6904] (e.g., a need + for some header extensions to be sent in the clear so that so they + are processable by RTP middleboxes), the other peer SHOULD use the + mechanism in [RFC6904] instead. + +5.1. Sending + + When the mechanism defined by this specification has been negotiated, + sending an RTP packet that has any CSRCs or contains any header + extensions [RFC8285] follows the steps below. This mechanism MUST + NOT be used with header extensions other than the variety described + in [RFC8285]. + + If the RTP packet contains one-byte headers, the 16-bit RTP header + extension tag MUST be set to 0xC0DE to indicate that the encryption + has been applied and the one-byte framing is being used. If the RTP + packet contains two-byte headers, the header extension tag MUST be + set to 0xC2DE to indicate encryption has been applied and the two- + byte framing is being used. + + If the packet contains CSRCs but no header extensions, an empty + extension block consisting of the 0xC0DE tag and a 16-bit length + field set to zero (explicitly permitted by [RFC3550]) MUST be + appended, and the X bit MUST be set to 1 to indicate an extension + block is present. This is necessary to provide the receiver an + indication that the CSRCs in the packet are encrypted. + + The RTP packet MUST then be encrypted as described in Section 6.2 + ("Encryption Procedure"). + +5.2. Receiving + + When receiving an RTP packet that contains header extensions, the + "defined by profile" field MUST be checked to ensure the payload is + formatted according to this specification. If the field does not + match one of the values defined above, the implementation MUST + instead handle it according to the specification that defines that + value. + + Alternatively, if the implementation considers the use of this + specification mandatory and the "defined by profile" field does not + match one of the values defined above, it MUST stop the processing of + the RTP packet and report an error for the RTP stream. + + If the RTP packet passes this check, it is then decrypted as + described in Section 6.3 ("Decryption Procedure") and passed to the + next layer to process the packet and its extensions. In the event + that a zero-length extension block was added as indicated above, it + can be left as is and will be processed normally. + +6. Encryption and Decryption + +6.1. Packet Structure + + When this mechanism is active, the SRTP packet is protected as + follows: + + 0 1 2 3 + 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<+ + |V=2|P|X| CC |M| PT | sequence number | | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | + | timestamp | | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | + | synchronization source (SSRC) identifier | | + +>+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ | + | | contributing source (CSRC) identifiers | | + | | .... | | + +>+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | + X | 0xC0 or 0xC2 | 0xDE | length | | + +>+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | + | | RFC 8285 header extensions | | + | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | + | | payload ... | | + | | +-------------------------------+ | + | | | RTP padding | RTP pad count | | + +>+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<+ + | ~ SRTP Master Key Identifier (MKI) (OPTIONAL) ~ | + | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | + | : authentication tag (RECOMMENDED) : | + | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | + | | + +- Encrypted Portion Authenticated Portion ---+ + + Figure 1: A Protected SRTP Packet + + Note that, as required by [RFC8285], the 4 bytes at the start of the + extension block are not encrypted. + + Specifically, the Encrypted Portion MUST include any CSRC + identifiers, any RTP header extension (except for the first 4 bytes), + and the RTP payload. + +6.2. Encryption Procedure + + The encryption procedure is identical to that of [RFC3711] except for + the Encrypted Portion of the SRTP packet. The plaintext input to the + cipher is as follows: + + Plaintext = CSRC identifiers (if used) || header extension data || + RTP payload || RTP padding (if used) || RTP pad count (if used) + + Here "header extension data" refers to the content of the RTP + extension field, excluding the first four bytes (the extension header + [RFC8285]). The first 4 * CSRC count (CC) bytes of the ciphertext + are placed in the CSRC field of the RTP header. The remainder of the + ciphertext is the RTP payload of the encrypted packet. + + To minimize changes to surrounding code, the encryption mechanism can + choose to replace a "defined by profile" field from [RFC8285] with + its counterpart defined in Section 5 ("RTP Header Processing") and + encrypt at the same time. + + For Authenticated Encryption with Associated Data (AEAD) ciphers + (e.g., AES-GCM), the 12-byte fixed header and the four-byte header + extension header (the "defined by profile" field and the length) are + considered additional authenticated data (AAD), even though they are + non-contiguous in the packet if CSRCs are present. + + Associated Data: fixed header || extension header (if X=1) + + Here "fixed header" refers to the 12-byte fixed portion of the RTP + header, and "extension header" refers to the four-byte extension + header [RFC8285] ("defined by profile" and extension length). + + Implementations can rearrange a packet so that the AAD and plaintext + are contiguous by swapping the order of the extension header and the + CSRC identifiers, resulting in an intermediate representation of the + form shown in Figure 2. After encryption, the CSRCs (now encrypted) + and extension header would need to be swapped back to their original + positions. A similar operation can be done when decrypting to create + contiguous ciphertext and AAD inputs. + + 0 1 2 3 + 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<+ + |V=2|P|X| CC |M| PT | sequence number | | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | + | timestamp | | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | + | synchronization source (SSRC) identifier | | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | + | 0xC0 or 0xC2 | 0xDE | length | | + +>+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+<+ + | | contributing source (CSRC) identifiers | | + | | .... | | + | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | + | | RFC 8285 header extensions | | + | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | + | | payload ... | | + | | +-------------------------------+ | + | | | RTP padding | RTP pad count | | + +>+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | + | | + +- Plaintext Input AAD Input ---+ + + Figure 2: An RTP Packet Transformed to Make Cryptex Cipher Inputs + Contiguous + + Note that this intermediate representation is only displayed as + reference for implementations and is not meant to be sent on the + wire. + +6.3. Decryption Procedure + + The decryption procedure is identical to that of [RFC3711] except for + the Encrypted Portion of the SRTP packet, which is as shown in the + section above. + + To minimize changes to surrounding code, the decryption mechanism can + choose to replace the "defined by profile" field with its no- + encryption counterpart from [RFC8285] and decrypt at the same time. + +7. Backward Compatibility + + This specification attempts to encrypt as much as possible without + interfering with backward compatibility for systems that expect a + certain structure from an RTPv2 packet, including systems that + perform demultiplexing based on packet headers. Accordingly, the + first two bytes of the RTP packet are not encrypted. + + This specification also attempts to reuse the key scheduling from + SRTP, which depends on the RTP packet sequence number and SSRC + identifier. Accordingly, these values are also not encrypted. + +8. Security Considerations + + All security considerations in Section 9 of [RFC3711] are applicable + to this specification; the exception is Section 9.4, because + confidentiality of the RTP Header is the purpose of this + specification. + + The risks of using weak or NULL authentication with SRTP, described + in Section 9.5 of [RFC3711], apply to encrypted header extensions as + well. + + This specification extends SRTP by expanding the Encrypted Portion of + the RTP packet, as shown in Section 6.1 ("Packet Structure"). It + does not change how SRTP authentication works in any way. Given that + more of the packet is being encrypted than before, this is + necessarily an improvement. + + The RTP fields that are left unencrypted (see rationale above) are as + follows: + + * RTP version + + * padding bit + + * extension bit + + * number of CSRCs + + * marker bit + + * payload type + + * sequence number + + * timestamp + + * SSRC identifier + + * number of header extensions [RFC8285] + + These values contain a fixed set (i.e., one that won't be changed by + extensions) of information that, at present, is observed to have low + sensitivity. In the event any of these values need to be encrypted, + SRTP is likely the wrong protocol to use and a fully encapsulating + protocol such as DTLS is preferred (with its attendant per-packet + overhead). + +9. IANA Considerations + + This document updates the "attribute-name (formerly "att-field")" + subregistry of the "Session Description Protocol (SDP) Parameters" + registry (see Section 8.2.4 of [RFC8866]). Specifically, it adds the + SDP "a=cryptex" attribute for use at both the media level and the + session level. + + Contact name: IETF AVT Working Group or IESG if the AVT Working + Group is closed + + Contact email address: avt@ietf.org + + Attribute name: cryptex + + Attribute syntax: This attribute takes no values. + + Attribute semantics: N/A + + Attribute value: N/A + + Usage level: session, media + + Charset dependent: No + + Purpose: The presence of this attribute in the SDP indicates that + the endpoint is capable of receiving RTP packets encrypted with + Cryptex as described in this document. + + O/A procedures: SDP O/A procedures are described in Section 4 of + this document. + + Mux Category: TRANSPORT + +10. References + +10.1. Normative References + + [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate + Requirement Levels", BCP 14, RFC 2119, + DOI 10.17487/RFC2119, March 1997, + <https://www.rfc-editor.org/info/rfc2119>. + + [RFC3264] Rosenberg, J. and H. Schulzrinne, "An Offer/Answer Model + with Session Description Protocol (SDP)", RFC 3264, + DOI 10.17487/RFC3264, June 2002, + <https://www.rfc-editor.org/info/rfc3264>. + + [RFC3550] Schulzrinne, H., Casner, S., Frederick, R., and V. + Jacobson, "RTP: A Transport Protocol for Real-Time + Applications", STD 64, RFC 3550, DOI 10.17487/RFC3550, + July 2003, <https://www.rfc-editor.org/info/rfc3550>. + + [RFC3711] Baugher, M., McGrew, D., Naslund, M., Carrara, E., and K. + Norrman, "The Secure Real-time Transport Protocol (SRTP)", + RFC 3711, DOI 10.17487/RFC3711, March 2004, + <https://www.rfc-editor.org/info/rfc3711>. + + [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC + 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, + May 2017, <https://www.rfc-editor.org/info/rfc8174>. + + [RFC8285] Singer, D., Desineni, H., and R. Even, Ed., "A General + Mechanism for RTP Header Extensions", RFC 8285, + DOI 10.17487/RFC8285, October 2017, + <https://www.rfc-editor.org/info/rfc8285>. + + [RFC8859] Nandakumar, S., "A Framework for Session Description + Protocol (SDP) Attributes When Multiplexing", RFC 8859, + DOI 10.17487/RFC8859, January 2021, + <https://www.rfc-editor.org/info/rfc8859>. + + [RFC8866] Begen, A., Kyzivat, P., Perkins, C., and M. Handley, "SDP: + Session Description Protocol", RFC 8866, + DOI 10.17487/RFC8866, January 2021, + <https://www.rfc-editor.org/info/rfc8866>. + + [RFC9143] Holmberg, C., Alvestrand, H., and C. Jennings, + "Negotiating Media Multiplexing Using the Session + Description Protocol (SDP)", RFC 9143, + DOI 10.17487/RFC9143, February 2022, + <https://www.rfc-editor.org/info/rfc9143>. + +10.2. Informative References + + [RFC6464] Lennox, J., Ed., Ivov, E., and E. Marocco, "A Real-time + Transport Protocol (RTP) Header Extension for Client-to- + Mixer Audio Level Indication", RFC 6464, + DOI 10.17487/RFC6464, December 2011, + <https://www.rfc-editor.org/info/rfc6464>. + + [RFC6465] Ivov, E., Ed., Marocco, E., Ed., and J. Lennox, "A Real- + time Transport Protocol (RTP) Header Extension for Mixer- + to-Client Audio Level Indication", RFC 6465, + DOI 10.17487/RFC6465, December 2011, + <https://www.rfc-editor.org/info/rfc6465>. + + [RFC6904] Lennox, J., "Encryption of Header Extensions in the Secure + Real-time Transport Protocol (SRTP)", RFC 6904, + DOI 10.17487/RFC6904, April 2013, + <https://www.rfc-editor.org/info/rfc6904>. + + [RFC7714] McGrew, D. and K. Igoe, "AES-GCM Authenticated Encryption + in the Secure Real-time Transport Protocol (SRTP)", + RFC 7714, DOI 10.17487/RFC7714, December 2015, + <https://www.rfc-editor.org/info/rfc7714>. + +Appendix A. Test Vectors + + All values are in hexadecimal and represented in network order (big + endian). + +A.1. AES-CTR + + The following subsections list the test vectors for using Cryptex + with AES-CTR as per [RFC3711]. + + Common values are organized as follows: + + Rollover Counter: 00000000 + Master Key: e1f97a0d3e018be0d64fa32c06de4139 + Master Salt: 0ec675ad498afeebb6960b3aabe6 + Crypto Suite: AES_CM_128_HMAC_SHA1_80 + Session Key: c61e7a93744f39ee10734afe3ff7a087 + Session Salt: 30cbbc08863d8c85d49db34a9ae1 + Authentication Key: cebe321f6ff7716b6fd4ab49af256a156d38baa4 + +A.1.1. RTP Packet with One-Byte Header Extension + + RTP Packet: + + 900f1235 + decafbad + cafebabe + bede0001 + 51000200 + abababab + abababab + abababab + abababab + + Encrypted RTP Packet: + + 900f1235 + decafbad + cafebabe + c0de0001 + eb923652 + 51c3e036 + f8de27e9 + c27ee3e0 + b4651d9f + bc4218a7 + 0244522f + 34a5 + +A.1.2. RTP Packet with Two-Byte Header Extension + + RTP Packet: + + 900f1236 + decafbad + cafebabe + 10000001 + 05020002 + abababab + abababab + abababab + abababab + + Encrypted RTP Packet: + + 900f1236 + decafbad + cafebabe + c2de0001 + 4ed9cc4e + 6a712b30 + 96c5ca77 + 339d4204 + ce0d7739 + 6cab6958 + 5fbce381 + 94a5 + +A.1.3. RTP Packet with One-Byte Header Extension and CSRC Fields + + RTP Packet: + + 920f1238 + decafbad + cafebabe + 0001e240 + 0000b26e + bede0001 + 51000200 + abababab + abababab + abababab + abababab + + Encrypted RTP Packet: + + 920f1238 + decafbad + cafebabe + 8bb6e12b + 5cff16dd + c0de0001 + 92838c8c + 09e58393 + e1de3a9a + 74734d67 + 45671338 + c3acf11d + a2df8423 + bee0 + +A.1.4. RTP Packet with Two-Byte Header Extension and CSRC Fields + + RTP Packet: + + 920f1239 + decafbad + cafebabe + 0001e240 + 0000b26e + 10000001 + 05020002 + abababab + abababab + abababab + abababab + + Encrypted RTP Packet: + + 920f1239 + decafbad + cafebabe + f70e513e + b90b9b25 + c2de0001 + bbed4848 + faa64466 + 5f3d7f34 + 125914e9 + f4d0ae92 + 3c6f479b + 95a0f7b5 + 3133 + +A.1.5. RTP Packet with Empty One-Byte Header Extension and CSRC Fields + + RTP Packet: + + 920f123a + decafbad + cafebabe + 0001e240 + 0000b26e + bede0000 + abababab + abababab + abababab + abababab + + Encrypted RTP Packet: + + 920f123a + decafbad + cafebabe + 7130b6ab + fe2ab0e3 + c0de0000 + e3d9f64b + 25c9e74c + b4cf8e43 + fb92e378 + 1c2c0cea + b6b3a499 + a14c + +A.1.6. RTP Packet with Empty Two-Byte Header Extension and CSRC Fields + + RTP Packet: + + 920f123b + decafbad + cafebabe + 0001e240 + 0000b26e + 10000000 + abababab + abababab + abababab + abababab + + Encrypted RTP Packet: + + 920f123b + decafbad + cafebabe + cbf24c12 + 4330e1c8 + c2de0000 + 599dd45b + c9d687b6 + 03e8b59d + 771fd38e + 88b170e0 + cd31e125 + eabe + +A.2. AES-GCM + + The following subsections list the test vectors for using Cryptex + with AES-GCM as per [RFC7714]. + + Common values are organized as follows: + + Rollover Counter: 00000000 + Master Key: 000102030405060708090a0b0c0d0e0f + Master Salt: a0a1a2a3a4a5a6a7a8a9aaab + Crypto Suite: AEAD_AES_128_GCM + Session Key: 077c6143cb221bc355ff23d5f984a16e + Session Salt: 9af3e95364ebac9c99c5a7c4 + +A.2.1. RTP Packet with One-Byte Header Extension + + RTP Packet: + + 900f1235 + decafbad + cafebabe + bede0001 + 51000200 + abababab + abababab + abababab + abababab + + Encrypted RTP Packet: + + 900f1235 + decafbad + cafebabe + c0de0001 + 39972dc9 + 572c4d99 + e8fc355d + e743fb2e + 94f9d8ff + 54e72f41 + 93bbc5c7 + 4ffab0fa + 9fa0fbeb + +A.2.2. RTP Packet with Two-Byte Header Extension + + RTP Packet: + + 900f1236 + decafbad + cafebabe + 10000001 + 05020002 + abababab + abababab + abababab + abababab + + Encrypted RTP Packet: + + 900f1236 + decafbad + cafebabe + c2de0001 + bb75a4c5 + 45cd1f41 + 3bdb7daa + 2b1e3263 + de313667 + c9632490 + 81b35a65 + f5cb6c88 + b394235f + +A.2.3. RTP Packet with One-Byte Header Extension and CSRC Fields + + RTP Packet: + + 920f1238 + decafbad + cafebabe + 0001e240 + 0000b26e + bede0001 + 51000200 + abababab + abababab + abababab + abababab + + Encrypted RTP Packet: + + 920f1238 + decafbad + cafebabe + 63bbccc4 + a7f695c4 + c0de0001 + 8ad7c71f + ac70a80c + 92866b4c + 6ba98546 + ef913586 + e95ffaaf + fe956885 + bb0647a8 + bc094ac8 + +A.2.4. RTP Packet with Two-Byte Header Extension and CSRC Fields + + RTP Packet: + + 920f1239 + decafbad + cafebabe + 0001e240 + 0000b26e + 10000001 + 05020002 + abababab + abababab + abababab + abababab + + Encrypted RTP Packet: + + 920f1239 + decafbad + cafebabe + 3680524f + 8d312b00 + c2de0001 + c78d1200 + 38422bc1 + 11a7187a + 18246f98 + 0c059cc6 + bc9df8b6 + 26394eca + 344e4b05 + d80fea83 + +A.2.5. RTP Packet with Empty One-Byte Header Extension and CSRC Fields + + RTP Packet: + + 920f123a + decafbad + cafebabe + 0001e240 + 0000b26e + bede0000 + abababab + abababab + abababab + abababab + + Encrypted RTP Packet: + + 920f123a + decafbad + cafebabe + 15b6bb43 + 37906fff + c0de0000 + b7b96453 + 7a2b03ab + 7ba5389c + e9331712 + 6b5d974d + f30c6884 + dcb651c5 + e120c1da + +A.2.6. RTP Packet with Empty Two-Byte Header Extension and CSRC Fields + + RTP Packet: + + 920f123b + decafbad + cafebabe + 0001e240 + 0000b26e + 10000000 + abababab + abababab + abababab + abababab + + Encrypted RTP Packet: + + 920f123b + decafbad + cafebabe + dcb38c9e + 48bf95f4 + c2de0000 + 61ee432c + f9203170 + 76613258 + d3ce4236 + c06ac429 + 681ad084 + 13512dc9 + 8b5207d8 + +Acknowledgements + + The authors wish to thank Lennart Grahl for pointing out many of the + issues with the existing header encryption mechanism, as well as + suggestions for this proposal. Thanks also to Jonathan Lennox, Inaki + Castillo, and Bernard Aboba for their reviews and suggestions. + +Authors' Addresses + + Justin Uberti + Email: justin@uberti.name + + + Cullen Jennings + Cisco + Email: fluffy@iii.ca + + + Sergio Garcia Murillo + Millicast + Email: sergio.garcia.murillo@cosmosoftware.io |