summaryrefslogtreecommitdiff
path: root/doc/rfc/rfc3830.txt
diff options
context:
space:
mode:
Diffstat (limited to 'doc/rfc/rfc3830.txt')
-rw-r--r--doc/rfc/rfc3830.txt3699
1 files changed, 3699 insertions, 0 deletions
diff --git a/doc/rfc/rfc3830.txt b/doc/rfc/rfc3830.txt
new file mode 100644
index 0000000..640c8ee
--- /dev/null
+++ b/doc/rfc/rfc3830.txt
@@ -0,0 +1,3699 @@
+
+
+
+
+
+
+Network Working Group J. Arkko
+Request for Comments: 3830 E. Carrara
+Category: Standards Track F. Lindholm
+ M. Naslund
+ K. Norrman
+ Ericsson Research
+ August 2004
+
+
+ MIKEY: Multimedia Internet KEYing
+
+Status of this Memo
+
+ This document specifies an Internet standards track protocol for the
+ Internet community, and requests discussion and suggestions for
+ improvements. Please refer to the current edition of the "Internet
+ Official Protocol Standards" (STD 1) for the standardization state
+ and status of this protocol. Distribution of this memo is unlimited.
+
+Copyright Notice
+
+ Copyright (C) The Internet Society (2004).
+
+Abstract
+
+ This document describes a key management scheme that can be used for
+ real-time applications (both for peer-to-peer communication and group
+ communication). In particular, its use to support the Secure Real-
+ time Transport Protocol is described in detail.
+
+ Security protocols for real-time multimedia applications have started
+ to appear. This has brought forward the need for a key management
+ solution to support these protocols.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Arkko, et al. Standards Track [Page 1]
+
+RFC 3830 MIKEY August 2004
+
+
+Table of Contents
+
+ 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
+ 1.1. Existing Solutions . . . . . . . . . . . . . . . . . . . 4
+ 1.2. Notational Conventions . . . . . . . . . . . . . . . . . 4
+ 1.3. Definitions. . . . . . . . . . . . . . . . . . . . . . . 4
+ 1.4. Abbreviations. . . . . . . . . . . . . . . . . . . . . . 6
+ 1.5. Outline. . . . . . . . . . . . . . . . . . . . . . . . . 6
+ 2. Basic Overview . . . . . . . . . . . . . . . . . . . . . . . . 7
+ 2.1. Scenarios. . . . . . . . . . . . . . . . . . . . . . . . 7
+ 2.2. Design Goals . . . . . . . . . . . . . . . . . . . . . . 8
+ 2.3. System Overview. . . . . . . . . . . . . . . . . . . . . 8
+ 2.4. Relation to GKMARCH. . . . . . . . . . . . . . . . . . . 10
+ 3. Basic Key Transport and Exchange Methods . . . . . . . . . . . 10
+ 3.1. Pre-shared Key . . . . . . . . . . . . . . . . . . . . . 12
+ 3.2. Public-Key Encryption. . . . . . . . . . . . . . . . . . 13
+ 3.3. Diffie-Hellman Key Exchange. . . . . . . . . . . . . . . 14
+ 4. Selected Key Management Functions. . . . . . . . . . . . . . . 15
+ 4.1. Key Calculation. . . . . . . . . . . . . . . . . . . . . 16
+ 4.1.1. Assumptions. . . . . . . . . . . . . . . . . . . 16
+ 4.1.2. Default PRF Description. . . . . . . . . . . . . 17
+ 4.1.3. Generating keys from TGK . . . . . . . . . . . . 18
+ 4.1.4. Generating keys for MIKEY Messages from
+ an Envelope/Pre-Shared Key . . . . . . . . . . . 19
+ 4.2 Pre-defined Transforms and Timestamp Formats . . . . . . . 19
+ 4.2.1. Hash Functions . . . . . . . . . . . . . . . . . 19
+ 4.2.2. Pseudo-Random Number Generator and PRF . . . . . 20
+ 4.2.3. Key Data Transport Encryption. . . . . . . . . . 20
+ 4.2.4. MAC and Verification Message Function. . . . . . 21
+ 4.2.5. Envelope Key Encryption. . . . . . . . . . . . . 21
+ 4.2.6. Digital Signatures . . . . . . . . . . . . . . . 21
+ 4.2.7. Diffie-Hellman Groups. . . . . . . . . . . . . . 21
+ 4.2.8. Timestamps . . . . . . . . . . . . . . . . . . . 21
+ 4.2.9. Adding New Parameters to MIKEY . . . . . . . . . 22
+ 4.3. Certificates, Policies and Authorization . . . . . . . . 22
+ 4.3.1. Certificate Handling . . . . . . . . . . . . . . 22
+ 4.3.2. Authorization. . . . . . . . . . . . . . . . . . 23
+ 4.3.3. Data Policies. . . . . . . . . . . . . . . . . . 24
+ 4.4. Retrieving the Data SA . . . . . . . . . . . . . . . . . 24
+ 4.5. TGK Re-Keying and CSB Updating . . . . . . . . . . . . . 25
+ 5. Behavior and Message Handling. . . . . . . . . . . . . . . . . 26
+ 5.1. General. . . . . . . . . . . . . . . . . . . . . . . . . 26
+ 5.1.1. Capability Discovery . . . . . . . . . . . . . . 26
+ 5.1.2. Error Handling . . . . . . . . . . . . . . . . . 27
+ 5.2. Creating a Message . . . . . . . . . . . . . . . . . . . 28
+ 5.3. Parsing a Message. . . . . . . . . . . . . . . . . . . . 29
+ 5.4. Replay Handling and Timestamp Usage. . . . . . . . . . . 30
+ 6. Payload Encoding . . . . . . . . . . . . . . . . . . . . . . . 32
+
+
+
+Arkko, et al. Standards Track [Page 2]
+
+RFC 3830 MIKEY August 2004
+
+
+ 6.1. Common Header Payload (HDR). . . . . . . . . . . . . . . 32
+ 6.1.1. SRTP ID. . . . . . . . . . . . . . . . . . . . . 35
+ 6.2. Key Data Transport Payload (KEMAC) . . . . . . . . . . . 36
+ 6.3. Envelope Data Payload (PKE). . . . . . . . . . . . . . . 37
+ 6.4. DH Data Payload (DH) . . . . . . . . . . . . . . . . . . 38
+ 6.5. Signature Payload (SIGN) . . . . . . . . . . . . . . . . 39
+ 6.6. Timestamp Payload (T). . . . . . . . . . . . . . . . . . 39
+ 6.7. ID Payload (ID) / Certificate Payload (CERT) . . . . . . 40
+ 6.8. Cert Hash Payload (CHASH). . . . . . . . . . . . . . . . 41
+ 6.9. Ver msg payload (V). . . . . . . . . . . . . . . . . . . 42
+ 6.10. Security Policy Payload (SP) . . . . . . . . . . . . . . 42
+ 6.10.1. SRTP Policy. . . . . . . . . . . . . . . . . . . 44
+ 6.11. RAND Payload (RAND). . . . . . . . . . . . . . . . . . . 45
+ 6.12. Error Payload (ERR). . . . . . . . . . . . . . . . . . . 46
+ 6.13. Key Data Sub-Payload . . . . . . . . . . . . . . . . . . 46
+ 6.14. Key Validity Data. . . . . . . . . . . . . . . . . . . . 48
+ 6.15. General Extension Payload. . . . . . . . . . . . . . . . 50
+ 7. Transport Protocols. . . . . . . . . . . . . . . . . . . . . . 50
+ 8. Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50
+ 8.1. Simple One-to-Many . . . . . . . . . . . . . . . . . . . 51
+ 8.2. Small-Size Interactive Group . . . . . . . . . . . . . . 51
+ 9. Security Considerations. . . . . . . . . . . . . . . . . . . . 52
+ 9.1. General. . . . . . . . . . . . . . . . . . . . . . . . . 52
+ 9.2. Key Lifetime . . . . . . . . . . . . . . . . . . . . . . 54
+ 9.3. Timestamps . . . . . . . . . . . . . . . . . . . . . . . 55
+ 9.4. Identity Protection. . . . . . . . . . . . . . . . . . . 55
+ 9.5. Denial of Service. . . . . . . . . . . . . . . . . . . . 56
+ 9.6. Session Establishment. . . . . . . . . . . . . . . . . . 56
+ 10. IANA Considerations. . . . . . . . . . . . . . . . . . . . . . 57
+ 10.1. MIME Registration. . . . . . . . . . . . . . . . . . . . 59
+ 11. Acknowledgments. . . . . . . . . . . . . . . . . . . . . . . . 59
+ 12. References . . . . . . . . . . . . . . . . . . . . . . . . . . 60
+ 12.1. Normative References . . . . . . . . . . . . . . . . . . 60
+ 12.2. Informative References . . . . . . . . . . . . . . . . . 61
+ Appendix A. - MIKEY - SRTP Relation. . . . . . . . . . . . . . . . 63
+ Author's Addresses . . . . . . . . . . . . . . . . . . . . . . . . 65
+ Full Copyright Statement . . . . . . . . . . . . . . . . . . . . . 66
+
+1. Introduction
+
+ There has recently been work to define a security protocol for the
+ protection of real-time applications running over RTP, [SRTP].
+ However, a security protocol needs a key management solution to
+ exchange keys and related security parameters. There are some
+ fundamental properties that such a key management scheme has to
+ fulfill to serve streaming and real-time applications (such as
+ unicast and multicast), particularly in heterogeneous (mix of wired
+ and wireless) networks.
+
+
+
+Arkko, et al. Standards Track [Page 3]
+
+RFC 3830 MIKEY August 2004
+
+
+ This document describes a key management solution that addresses
+ multimedia scenarios (e.g., SIP [SIP] calls and RTSP [RTSP]
+ sessions). The focus is on how to set up key management for secure
+ multimedia sessions such that requirements in a heterogeneous
+ environment are fulfilled.
+
+1.1. Existing Solutions
+
+ There is work done in the IETF to develop key management schemes.
+ For example, IKE [IKE] is a widely accepted unicast scheme for IPsec,
+ and the MSEC WG is developing other schemes to address group
+ communication [GDOI, GSAKMP]. However, for reasons discussed below,
+ there is a need for a scheme with lower latency, suitable for
+ demanding cases such as real-time data over heterogeneous networks
+ and small interactive groups.
+
+ An option in some cases might be to use [SDP], as SDP defines one
+ field to transport keys, the "k=" field. However, this field cannot
+ be used for more general key management purposes, as it cannot be
+ extended from the current definition.
+
+1.2. Notational Conventions
+
+ The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
+ "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
+ document are to be interpreted as described in BCP 14, RFC 2119
+ [RFC2119].
+
+1.3. Definitions
+
+ (Data) Security Protocol: the security protocol used to protect the
+ actual data traffic. Examples of security protocols are IPsec and
+ SRTP.
+
+ Data Security Association (Data SA): information for the security
+ protocol, including a TEK and a set of parameters/policies.
+
+ Crypto Session (CS): uni- or bi-directional data stream(s), protected
+ by a single instance of a security protocol. For example, when SRTP
+ is used, the Crypto Session will often contain two streams, an RTP
+ stream and the corresponding RTCP, which are both protected by a
+ single SRTP Cryptographic Context, i.e., they share key data and the
+ bulk of security parameters in the SRTP Cryptographic Context
+ (default behavior in [SRTP]). In the case of IPsec, a Crypto Session
+ would represent an instantiation of an IPsec SA. A Crypto Session
+ can be viewed as a Data SA (as defined in [GKMARCH]) and could
+ therefore be mapped to other security protocols if necessary.
+
+
+
+
+Arkko, et al. Standards Track [Page 4]
+
+RFC 3830 MIKEY August 2004
+
+
+ Crypto Session Bundle (CSB): collection of one or more Crypto
+ Sessions, which can have common TGKs (see below) and security
+ parameters.
+
+ Crypto Session ID: unique identifier for the CS within a CSB.
+
+ Crypto Session Bundle ID (CSB ID): unique identifier for the CSB.
+
+ TEK Generation Key (TGK): a bit-string agreed upon by two or more
+ parties, associated with CSB. From the TGK, Traffic-encrypting Keys
+ can then be generated without needing further communication.
+
+ Traffic-Encrypting Key (TEK): the key used by the security protocol
+ to protect the CS (this key may be used directly by the security
+ protocol or may be used to derive further keys depending on the
+ security protocol). The TEKs are derived from the CSB's TGK.
+
+ TGK re-keying: the process of re-negotiating/updating the TGK (and
+ consequently future TEK(s)).
+
+ Initiator: the initiator of the key management protocol, not
+ necessarily the initiator of the communication.
+
+ Responder: the responder in the key management protocol.
+
+ Salting key: a random or pseudo-random (see [RAND, HAC]) string used
+ to protect against some off-line pre-computation attacks on the
+ underlying security protocol.
+
+ PRF(k,x): a keyed pseudo-random function (see [HAC]).
+ E(k,m): encryption of m with the key k.
+ PKx: the public key of x
+ [] an optional piece of information
+ {} denotes zero or more occurrences
+ || concatenation
+ | OR (selection operator)
+ ^ exponentiation
+ XOR exclusive or
+
+ Bit and byte ordering: throughout the document bits and bytes are
+ indexed, as usual, from left to right, with the leftmost bits/bytes
+ being the most significant.
+
+
+
+
+
+
+
+
+
+Arkko, et al. Standards Track [Page 5]
+
+RFC 3830 MIKEY August 2004
+
+
+1.4. Abbreviations
+
+ AES Advanced Encryption Standard
+ CM Counter Mode (as defined in [SRTP])
+ CS Crypto Session
+ CSB Crypto Session Bundle
+ DH Diffie-Hellman
+ DoS Denial of Service
+ MAC Message Authentication Code
+ MIKEY Multimedia Internet KEYing
+ PK Public-Key
+ PSK Pre-Shared key
+ RTP Real-time Transport Protocol
+ RTSP Real Time Streaming Protocol
+ SDP Session Description Protocol
+ SIP Session Initiation Protocol
+ SRTP Secure RTP
+ TEK Traffic-encrypting key
+ TGK TEK Generation Key
+
+1.5. Outline
+
+ Section 2 describes the basic scenarios and the design goals for
+ which MIKEY is intended. It also gives a brief overview of the
+ entire solution and its relation to the group key management
+ architecture [GKMARCH].
+
+ The basic key transport/exchange mechanisms are explained in detail
+ in Section 3. The key derivation, and other general key management
+ procedures are described in Section 4.
+
+ Section 5 describes the expected behavior of the involved parties.
+ This also includes message creation and parsing.
+
+ All definitions of the payloads in MIKEY are described in Section 6.
+
+ Section 7 deals with transport considerations, while Section 8
+ focuses on how MIKEY is used in group scenarios.
+
+ The Security Considerations section (Section 9), gives a deeper
+ explanation of important security related topics.
+
+
+
+
+
+
+
+
+
+
+Arkko, et al. Standards Track [Page 6]
+
+RFC 3830 MIKEY August 2004
+
+
+2. Basic Overview
+
+2.1. Scenarios
+
+ MIKEY is mainly intended to be used for peer-to-peer, simple one-to-
+ many, and small-size (interactive) groups. One of the main
+ multimedia scenarios considered when designing MIKEY has been the
+ conversational multimedia scenario, where users may interact and
+ communicate in real-time. In these scenarios it can be expected that
+ peers set up multimedia sessions between each other, where a
+ multimedia session may consist of one or more secured multimedia
+ streams (e.g., SRTP streams).
+
+ peer-to-peer/ many-to-many many-to-many
+ simple one-to-many (distributed) (centralized)
+ ++++ ++++ ++++ ++++ ++++
+ |. | |A | |B | |A |---- ----|B |
+ --| ++++ | |----------| | | | \ / | |
+ ++++ / ++|. | ++++ ++++ ++++ (S) ++++
+ |A |---------| ++++ \ / |
+ | | \ ++|B | \ / |
+ ++++ \-----| | \ ++++ / ++++
+ ++++ \|C |/ |C |
+ | | | |
+ ++++ ++++
+
+ Figure 2.1: Examples of the four scenarios: peer-to-peer, simple
+ one-to-many, many-to-many without a centralized server (also denoted
+ as small interactive group), and many-to-many with a centralized
+ server.
+
+ We identify in the following some typical scenarios which involve the
+ multimedia applications we are dealing with (see also Figure 2.1).
+
+ a) peer-to-peer (unicast), e.g., a SIP-based [SIP] call between two
+ parties, where it may be desirable that the security is either set
+ up by mutual agreement or that each party sets up the security for
+ its own outgoing streams.
+
+ b) simple one-to-many (multicast), e.g., real-time presentations,
+ where the sender is in charge of setting up the security.
+
+ c) many-to-many, without a centralized control unit, e.g., for
+ small-size interactive groups where each party may set up the
+ security for its own outgoing media. Two basic models may be used
+ here. In the first model, the Initiator of the group acts as the
+
+
+
+
+
+Arkko, et al. Standards Track [Page 7]
+
+RFC 3830 MIKEY August 2004
+
+
+ group server (and is the only one authorized to include new
+ members). In the second model, authorization information to
+ include new members can be delegated to other participants.
+
+ d) many-to-many, with a centralized control unit, e.g., for larger
+ groups with some kind of Group Controller that sets up the
+ security.
+
+ The key management solutions may be different in the above scenarios.
+ When designing MIKEY, the main focus has been on case a, b, and c.
+ For scenario c, only the first model is covered by this document.
+
+2.2. Design Goals
+
+ The key management protocol is designed to have the following
+ characteristics:
+
+ * End-to-end security. Only the participants involved in the
+ communication have access to the generated key(s).
+
+ * Simplicity.
+
+ * Efficiency. Designed to have:
+ - low bandwidth consumption,
+ - low computational workload,
+ - small code size, and
+ - minimal number of roundtrips.
+
+ * Tunneling. Possibility to "tunnel"/integrate MIKEY in session
+ establishment protocols (e.g., SDP and RTSP).
+
+ * Independence from any specific security functionality of the
+ underlying transport.
+
+2.3. System Overview
+
+ One objective of MIKEY is to produce a Data SA for the security
+ protocol, including a traffic-encrypting key (TEK), which is derived
+ from a TEK Generation Key (TGK), and used as input for the security
+ protocol.
+
+ MIKEY supports the possibility of establishing keys and parameters
+ for more than one security protocol (or for several instances of the
+ same security protocol) at the same time. The concept of Crypto
+ Session Bundle (CSB) is used to denote a collection of one or more
+ Crypto Sessions that can have common TGK and security parameters, but
+ which obtain distinct TEKs from MIKEY.
+
+
+
+
+Arkko, et al. Standards Track [Page 8]
+
+RFC 3830 MIKEY August 2004
+
+
+ The procedure of setting up a CSB and creating a TEK (and Data SA),
+ is done in accordance with Figure 2.2:
+
+ 1. A set of security parameters and TGK(s) are agreed upon for the
+ Crypto Session Bundle (this is done by one of the three
+ alternative key transport/exchange mechanisms, see Section 3).
+
+ 2. The TGK(s) is used to derive (in a cryptographically secure way) a
+ TEK for each Crypto Session.
+
+ 3. The TEK, together with the security protocol parameters, represent
+ the Data SA, which is used as the input to the security protocol.
+
+ +-----------------+
+ | CSB |
+ | Key transport | (see Section 3)
+ | /exchange |
+ +-----------------+
+ | :
+ | TGK :
+ v :
+ +----------+ :
+ CS ID ->| TEK | : Security protocol (see Section 4)
+ |derivation| : parameters (policies)
+ +----------+ :
+ TEK | :
+ v v
+ Data SA
+ |
+ v
+ +-------------------+
+ | Crypto Session |
+ |(Security Protocol)|
+ +-------------------+
+
+ Figure 2.2: Overview of MIKEY key management procedure.
+
+ The security protocol can then either use the TEK directly, or, if
+ supported, derive further session keys from the TEK (e.g., see SRTP
+ [SRTP]). It is however up to the security protocol to define how the
+ TEK is used.
+
+ MIKEY can be used to update TEKs and the Crypto Sessions in a current
+ Crypto Session Bundle (see Section 4.5). This is done by executing
+ the transport/exchange phase once again to obtain a new TGK (and
+ consequently derive new TEKs) or to update some other specific CS
+ parameters.
+
+
+
+
+Arkko, et al. Standards Track [Page 9]
+
+RFC 3830 MIKEY August 2004
+
+
+2.4. Relation to GKMARCH
+
+ The Group key management architecture (GKMARCH) [GKMARCH] describes a
+ general architecture for group key management protocols. MIKEY is a
+ part of this architecture, and can be used as a so-called
+ Registration protocol. The main entities involved in the
+ architecture are the group controller/key server (GCKS), the
+ receiver(s), and the sender(s).
+
+ In MIKEY, the sender could act as GCKS and push keys down to the
+ receiver(s).
+
+ Note that, for example, in a SIP-initiated call, the sender may also
+ be a receiver. As MIKEY addresses small interactive groups, a member
+ may dynamically change between being a sender and receiver (or being
+ both simultaneously).
+
+3. Basic Key Transport and Exchange Methods
+
+ The following sub-sections define three different methods of
+ transporting/establishing a TGK: with the use of a pre-shared key,
+ public-key encryption, and Diffie-Hellman (DH) key exchange. In the
+ following, we assume unicast communication for simplicity. In
+ addition to the TGK, a random "nonce", denoted RAND, is also
+ transported. In all three cases, the TGK and RAND values are then
+ used to derive TEKs as described in Section 4.1.3. A timestamp is
+ also sent to avoid replay attacks (see Section 5.4).
+
+ The pre-shared key method and the public-key method are both based on
+ key transport mechanisms, where the actual TGK is pushed (securely)
+ to the recipient(s). In the Diffie-Hellman method, the actual TGK is
+ instead derived from the Diffie-Hellman values exchanged between the
+ peers.
+
+ The pre-shared case is, by far, the most efficient way to handle the
+ key transport due to the use of symmetric cryptography only. This
+ approach also has the advantage that only a small amount of data has
+ to be exchanged. Of course, the problematic issue is scalability as
+ it is not always feasible to share individual keys with a large group
+ of peers. Therefore, this case mainly addresses scenarios such as
+ server-to-client and also those cases where the public-key modes have
+ already been used, thus allowing for the "cache" of a symmetric key
+ (see below and Section 3.2).
+
+ Public-key cryptography can be used to create a scalable system. A
+ disadvantage with this approach is that it is more resource consuming
+ than the pre-shared key approach. Another disadvantage is that in
+ most cases, a PKI (Public Key Infrastructure) is needed to handle the
+
+
+
+Arkko, et al. Standards Track [Page 10]
+
+RFC 3830 MIKEY August 2004
+
+
+ distribution of public keys. Of course, it is possible to use public
+ keys as pre-shared keys (e.g., by using self-signed certificates).
+ It should also be noted that, as mentioned above, this method may be
+ used to establish a "cached" symmetric key that later can be used to
+ establish subsequent TGKs by using the pre-shared key method (hence,
+ the subsequent request can be executed more efficiently).
+
+ In general, the Diffie-Hellman (DH) key agreement method has a higher
+ resource consumption (both computationally and in bandwidth) than the
+ previous ones, and needs certificates as in the public-key case.
+ However, it has the advantage of providing perfect forward secrecy
+ (PFS) and flexibility by allowing implementation in several different
+ finite groups.
+
+ Note that by using the DH method, the two involved parties will
+ generate a unique unpredictable random key. Therefore, it is not
+ possible to use this DH method to establish a group TEK (as the
+ different parties in the group would end up with different TEKs). It
+ is not the intention of the DH method to work in this scenario, but
+ to be a good alternative in the special peer-to-peer case.
+
+ The following general notation is used:
+
+ HDR: The general MIKEY header, which includes MIKEY CSB related data
+ (e.g., CSB ID) and information mapping to the specific security
+ protocol used. See Section 6.1 for payload definition.
+
+ T: The timestamp, used mainly to prevent replay attacks. See
+ Section 6.6 for payload definition and also Section 5.4 for other
+ timestamp related information.
+
+ IDx: The identity of entity x (IDi=Initiator, IDr=Responder). See
+ Section 6.7 for payload definition.
+
+ RAND: Random/pseudo-random byte-string, which is always included in
+ the first message from the Initiator. RAND is used as a freshness
+ value for the key generation. It is not included in update messages
+ of a CSB. See Section 6.11 for payload definition. For randomness
+ recommendations for security, see [RAND].
+
+ SP: The security policies for the data security protocol. See
+ Section 6.10 for payload definition.
+
+
+
+
+
+
+
+
+
+Arkko, et al. Standards Track [Page 11]
+
+RFC 3830 MIKEY August 2004
+
+
+3.1. Pre-shared key
+
+ In this method, the pre-shared secret key, s, is used to derive key
+ material for both the encryption (encr_key) and the integrity
+ protection (auth_key) of the MIKEY messages, as described in Section
+ 4.1.4. The encryption and authentication transforms are described in
+ Section 4.2.
+
+ Initiator Responder
+
+ I_MESSAGE =
+ HDR, T, RAND, [IDi],[IDr],
+ {SP}, KEMAC --->
+ R_MESSAGE =
+ [<---] HDR, T, [IDr], V
+
+ The main objective of the Initiator's message (I_MESSAGE) is to
+ transport one or more TGKs (carried into KEMAC) and a set of security
+ parameters (SPs) to the Responder in a secure manner. As the
+ verification message from the Responder is optional, the Initiator
+ indicates in the HDR whether it requires a verification message or
+ not from the Responder.
+
+ KEMAC = E(encr_key, {TGK}) || MAC
+
+ The KEMAC payload contains a set of encrypted sub-payloads and a MAC.
+ Each sub-payload includes a TGK randomly and independently chosen by
+ the Initiator (and other possible related parameters, e.g., the key
+ lifetime). The MAC is a Message Authentication Code covering the
+ entire MIKEY message using the authentication key, auth_key. See
+ Section 6.2 for payload definition and Section 5.2 for an exact
+ definition of the MAC calculation.
+
+ The main objective of the verification message from the Responder is
+ to obtain mutual authentication. The verification message, V, is a
+ MAC computed over the Responder's entire message, the timestamp (the
+ same as the one that was included in the Initiator's message), and
+ the two parties identities, using the authentication key. See also
+ Section 5.2 for the exact definition of the Verification MAC
+ calculation and Section 6.9 for payload definition.
+
+ The ID fields SHOULD be included, but they MAY be left out when it
+ can be expected that the peer already knows the other party's ID
+ (otherwise it cannot look up the pre-shared key). For example, this
+ could be the case if the ID is extracted from SIP.
+
+ It is MANDATORY to implement this method.
+
+
+
+
+Arkko, et al. Standards Track [Page 12]
+
+RFC 3830 MIKEY August 2004
+
+
+3.2. Public-key encryption
+
+ Initiator Responder
+
+ I_MESSAGE =
+ HDR, T, RAND, [IDi|CERTi], [IDr], {SP},
+ KEMAC, [CHASH], PKE, SIGNi --->
+ R_MESSAGE =
+ [<---] HDR, T, [IDr], V
+
+ As in the previous case, the main objective of the Initiator's
+ message is to transport one or more TGKs and a set of security
+ parameters to the Responder in a secure manner. This is done using
+ an envelope approach where the TGKs are encrypted (and integrity
+ protected) with keys derived from a randomly/pseudo-randomly chosen
+ "envelope key". The envelope key is sent to the Responder encrypted
+ with the public key of the Responder.
+
+ The PKE contains the encrypted envelope key: PKE = E(PKr, env_key).
+ It is encrypted using the Responder's public key (PKr). If the
+ Responder possesses several public keys, the Initiator can indicate
+ the key used in the CHASH payload (see Section 6.8).
+
+ The KEMAC contains a set of encrypted sub-payloads and a MAC:
+
+ KEMAC = E(encr_key, IDi || {TGK}) || MAC
+
+ The first payload (IDi) in KEMAC is the identity of the Initiator
+ (not a certificate, but generally the same ID as the one specified in
+ the certificate). Each of the following payloads (TGK) includes a
+ TGK randomly and independently chosen by the Initiator (and possible
+ other related parameters, e.g., the key lifetime). The encrypted
+ part is then followed by a MAC, which is calculated over the KEMAC
+ payload. The encr_key and the auth_key are derived from the envelope
+ key, env_key, as specified in Section 4.1.4. See also Section 6.2
+ for payload definition.
+
+ The SIGNi is a signature covering the entire MIKEY message, using the
+ Initiator's signature key (see also Section 5.2 for the exact
+ definition).
+
+ The main objective of the verification message from the Responder is
+ to obtain mutual authentication. As the verification message V from
+ the Responder is optional, the Initiator indicates in the HDR whether
+ it requires a verification message or not from the Responder. V is
+ calculated in the same way as in the pre-shared key mode (see also
+ Section 5.2 for the exact definition). See Section 6.9 for payload
+ definition.
+
+
+
+Arkko, et al. Standards Track [Page 13]
+
+RFC 3830 MIKEY August 2004
+
+
+ Note that there will be one encrypted IDi and possibly also one
+ unencrypted IDi. The encrypted one is used together with the MAC as
+ a countermeasure for certain man-in-the-middle attacks, while the
+ unencrypted one is always useful for the Responder to immediately
+ identify the Initiator. The encrypted IDi MUST always be verified to
+ be equal with the expected IDi.
+
+ It is possible to cache the envelope key, so that it can be used as a
+ pre-shared key. It is not recommended for this key to be cached
+ indefinitely (however it is up to the local policy to decide this).
+ This function may be very convenient during the lifetime of a CSB, if
+ a new crypto session needs to be added (or an expired one removed).
+ Then, the pre-shared key can be used, instead of the public keys (see
+ also Section 4.5). If the Initiator indicates that the envelope key
+ should be cached, the key is at least to be cached during the
+ lifetime of the entire CSB.
+
+ The cleartext ID fields and certificate SHOULD be included, but they
+ MAY be left out when it can be expected that the peer already knows
+ the other party's ID, or can obtain the certificate in some other
+ manner. For example, this could be the case if the ID is extracted
+ from SIP.
+
+ For certificate handling, authorization, and policies, see Section
+ 4.3.
+
+ It is MANDATORY to implement this method.
+
+3.3. Diffie-Hellman key exchange
+
+ For a fixed, agreed upon, cyclic group, (G,*), we let g denote a
+ generator for this group. Choices for the parameters are given in
+ Section 4.2.7. The other transforms below are described in Section
+ 4.2.
+
+ This method creates a DH-key, which is used as the TGK. This method
+ cannot be used to create group keys; it can only be used to create
+ single peer-to-peer keys. It is OPTIONAL to implement this method.
+
+ Initiator Responder
+
+ I_MESSAGE =
+ HDR, T, RAND, [IDi|CERTi],[IDr]
+ {SP}, DHi, SIGNi --->
+ R_MESSAGE =
+ <--- HDR, T, [IDr|CERTr], IDi,
+ DHr, DHi, SIGNr
+
+
+
+
+Arkko, et al. Standards Track [Page 14]
+
+RFC 3830 MIKEY August 2004
+
+
+ The main objective of the Initiator's message is to, in a secure way,
+ provide the Responder with its DH value (DHi) g^(xi), where xi MUST
+ be randomly/pseudo-randomly and secretly chosen, and a set of
+ security protocol parameters.
+
+ The SIGNi is a signature covering the Initiator's MIKEY message,
+ I_MESSAGE, using the Initiator's signature key (see Section 5.2 for
+ the exact definition).
+
+ The main objective of the Responder's message is to, in a secure way,
+ provide the Initiator with the Responder's value (DHr) g^(xr), where
+ xr MUST be randomly/pseudo-randomly and secretly chosen. The
+ timestamp that is included in the answer is the same as the one
+ included in the Initiator's message.
+
+ The SIGNr is a signature covering the Responder's MIKEY message,
+ R_MESSAGE, using the Responder's signature key (see Section 5.2 for
+ the exact definition).
+
+ The DH group parameters (e.g., the group G, the generator g) are
+ chosen by the Initiator and signaled to the Responder. Both parties
+ calculate the TGK, g^(xi*xr) from the exchanged DH-values.
+
+ Note that this approach does not require that the Initiator has to
+ possess any of the Responder's certificates before the setup.
+ Instead, it is sufficient that the Responder includes its signing
+ certificate in the response.
+
+ The ID fields and certificate SHOULD be included, but they MAY be
+ left out when it can be expected that the peer already knows the
+ other party's ID (or can obtain the certificate in some other
+ manner). For example, this could be the case if the ID is extracted
+ from SIP.
+
+ For certificate handling, authorization, and policies, see Section
+ 4.3.
+
+4. Selected Key Management Functions
+
+ MIKEY manages symmetric keys in two main ways. First, following key
+ transport or key exchange of TGK(s) (and other parameters) as defined
+ by any of the above three methods, MIKEY maintains a mapping between
+ Data SA identifiers and Data SAs, where the identifiers used depend
+ on the security protocol in question, see Section 4.4. Thus, when
+ the security protocol requests a Data SA, given such a Data SA
+ identifier, an up-to-date Data SA will be obtained. In particular,
+
+
+
+
+
+Arkko, et al. Standards Track [Page 15]
+
+RFC 3830 MIKEY August 2004
+
+
+ correct keying material, TEK(s), might need to be derived. The
+ derivation of TEK(s) (and other keying material) is done from a TGK
+ and is described in Section 4.1.3.
+
+ Second, for use within MIKEY itself, two key management procedures
+ are needed:
+
+ * in the pre-shared case, deriving encryption and authentication key
+ material from a single pre-shared key, and
+
+ * in the public key case, deriving similar key material from the
+ transported envelope key.
+
+ These two key derivation methods are specified in section 4.1.4.
+
+ All the key derivation functionality mentioned above is based on a
+ pseudo-random function, defined next.
+
+4.1. Key Calculation
+
+ In the following, we define a general method (pseudo-random function)
+ to derive one or more keys from a "master" key. This method is used
+ to derive:
+
+ * TEKs from a TGK and the RAND value,
+
+ * encryption, authentication, or salting key from a pre-shared/
+ envelope key and the RAND value.
+
+4.1.1. Assumptions
+
+ We assume that the following parameters are in place:
+
+ csb_id : Crypto Session Bundle ID (32-bits unsigned integer)
+ cs_id : the Crypto Session ID (8-bits unsigned integer)
+ RAND : (at least) 128-bit (pseudo-)random bit-string sent by the
+ Initiator in the initial exchange.
+
+ The key derivation method has the following input parameters:
+
+ inkey : the input key to the derivation function
+ inkey_len : the length in bits of the input key
+ label : a specific label, dependent on the type of the key to be
+ derived, the RAND, and the session IDs
+ outkey_len: desired length in bits of the output key.
+
+
+
+
+
+
+Arkko, et al. Standards Track [Page 16]
+
+RFC 3830 MIKEY August 2004
+
+
+ The key derivation method has the following output:
+
+ outkey: the output key of desired length.
+
+4.1.2. Default PRF Description
+
+ Let HMAC be the SHA-1 based message authentication function, see
+ [HMAC] [SHA-1]. Similarly to [TLS], we define:
+
+ P (s, label, m) = HMAC (s, A_1 || label) ||
+ HMAC (s, A_2 || label) || ...
+ HMAC (s, A_m || label)
+ where
+
+ A_0 = label,
+ A_i = HMAC (s, A_(i-1))
+ s is a key (defined below)
+ m is a positive integer (also defined below).
+
+ Values of label depend on the case in which the PRF is invoked, and
+ values are specified in the following for the default PRF. Thus,
+ note that other PRFs later added to MIKEY MAY specify different input
+ parameters.
+
+ The following procedure describes a pseudo-random function, denoted
+ PRF(inkey,label), based on the above P-function, applied to compute
+ the output key, outkey:
+
+ * let n = inkey_len / 256, rounded up to the nearest integer if not
+ already an integer
+
+ * split the inkey into n blocks, inkey = s_1 || ... || s_n, where *
+ all s_i, except possibly s_n, are 256 bits each
+
+ * let m = outkey_len / 160, rounded up to the nearest integer if not
+ already an integer
+
+ (The values "256" and "160" equals half the input block-size and full
+ output hash size, respectively, of the SHA-1 hash as part of the P-
+ function.)
+
+ Then, the output key, outkey, is obtained as the outkey_len most
+ significant bits of
+
+ PRF(inkey, label) = P(s_1, label, m) XOR P(s_2, label, m) XOR ...
+ XOR P(s_n, label, m).
+
+
+
+
+
+Arkko, et al. Standards Track [Page 17]
+
+RFC 3830 MIKEY August 2004
+
+
+4.1.3. Generating keys from TGK
+
+ In the following, we describe how keying material is derived from a
+ TGK, thus assuming that a mapping of the Data SA identifier to the
+ correct TGK has already been done according to Section 4.4.
+
+ The key derivation method SHALL be executed using the above PRF with
+ the following input parameters:
+
+ inkey : TGK
+ inkey_len : bit length of TGK
+ label : constant || cs_id || csb_id || RAND
+ outkey_len : bit length of the output key.
+
+ The constant part of label depends on the type of key that is to be
+ generated. The constant 0x2AD01C64 is used to generate a TEK from
+ TGK. If the security protocol itself does not support key derivation
+ for authentication and encryption from the TEK, separate
+ authentication and encryption keys MAY be created directly for the
+ security protocol by replacing 0x2AD01C64 with 0x1B5C7973 and
+ 0x15798CEF respectively, and outkey_len by the desired key-length(s)
+ in each case.
+
+ A salt key can be derived from the TGK as well, by using the constant
+ 0x39A2C14B. Note that the Key data sub-payload (Section 6.13) can
+ carry a salt. The security protocol in need of the salt key SHALL
+ use the salt key carried in the Key data sub-payload (in the pre-
+ shared and public-key case), when present. If that is not sent, then
+ it is possible to derive the salt key via the key derivation
+ function, as described above.
+
+ The table below summarizes the constant values, used to generate keys
+ from a TGK.
+
+ constant | derived key from the TGK
+ --------------------------------------
+ 0x2AD01C64 | TEK
+ 0x1B5C7973 | authentication key
+ 0x15798CEF | encryption key
+ 0x39A2C14B | salting key
+
+ Table 4.1.3: Constant values for the derivation of keys from TGK.
+
+ Note that these 32-bit constant values (listed in the table above)
+ are taken from the decimal digits of e (i.e., 2.7182...), where each
+ constant consists of nine decimal digits (e.g., the first nine
+ decimal digits 718281828 = 0x2AD01C64). The strings of nine
+
+
+
+
+Arkko, et al. Standards Track [Page 18]
+
+RFC 3830 MIKEY August 2004
+
+
+ decimal digits are not chosen at random, but as consecutive "chunks"
+ from the decimal digits of e.
+
+4.1.4. Generating keys for MIKEY messages from an envelope/pre-shared
+ key
+
+ This derivation is to form the symmetric encryption key (and salting
+ key) for the encryption of the TGK in the pre-shared key and public
+ key methods. This is also used to derive the symmetric key used for
+ the message authentication code in these messages, and the
+ corresponding verification messages. Hence, this derivation is
+ needed in order to get different keys for the encryption and the MAC
+ (and in the case of the pre-shared key, it will result in fresh key
+ material for each new CSB). The parameters for the default PRF are
+ here:
+
+ inkey : the envelope key or the pre-shared key
+ inkey_len : the bit length of inkey
+ label : constant || 0xFF || csb_id || RAND
+ outkey_len : desired bit length of the output key.
+
+ The constant part of label depends on the type of key that is to be
+ generated from an envelope/pre-shared key, as summarized below.
+
+ constant | derived key
+ --------------------------------------
+ 0x150533E1 | encryption key
+ 0x2D22AC75 | authentication key
+ 0x29B88916 | salt key
+
+ Table 4.1.4: Constant values for the derivation of keys from an
+ envelope/pre-shared key.
+
+4.2. Pre-defined Transforms and Timestamp Formats
+
+ This section identifies default transforms for MIKEY. It is
+ mandatory to implement and support the following transforms in the
+ respective case. New transforms can be added in the future (see
+ Section 4.2.9 for further guidelines).
+
+4.2.1. Hash functions
+
+ In MIKEY, it is MANDATORY to implement SHA-1 as the default hash
+ function.
+
+
+
+
+
+
+
+Arkko, et al. Standards Track [Page 19]
+
+RFC 3830 MIKEY August 2004
+
+
+4.2.2. Pseudo-random number generator and PRF
+
+ A cryptographically secure random or pseudo-random number generator
+ MUST be used for the generation of the keying material and nonces,
+ e.g., [BMGL]. However, which one to use is implementation specific
+ (as the choice will not affect the interoperability).
+
+ For the key derivations, it is MANDATORY to implement the PRF
+ specified in Section 4.1. Other PRFs MAY be added by writing
+ standard-track RFCs specifying the PRF constructions and their exact
+ use within MIKEY.
+
+4.2.3. Key data transport encryption
+
+ The default and mandatory-to-implement key transport encryption is
+ AES in counter mode, as defined in [SRTP], using a 128-bit key as
+ derived in Section 4.1.4, SRTP_PREFIX_LENGTH set to zero, and using
+ the initialization vector
+
+ IV = (S XOR (0x0000 || CSB ID || T)) || 0x0000,
+
+ where S is a 112-bit salting key, also derived as in Section 4.1.4,
+ and where T is the 64-bit timestamp sent by the Initiator.
+
+ Note: this restricts the maximum size that can be encrypted to 2^23
+ bits, which is still enough for all practical purposes [SRTP].
+
+ The NULL encryption algorithm (i.e., no encryption) can be used (but
+ implementation is OPTIONAL). Note that this MUST NOT be used unless
+ the underlying protocols can guarantee security. The main reason for
+ including this is for specific SIP scenarios, where SDP is protected
+ end-to-end. For this scenario, MIKEY MAY be used with the pre-shared
+ key method, the NULL encryption, and NULL authentication algorithm
+ (see Section 4.2.4) while relying on the security of SIP. Use this
+ option with caution!
+
+ The AES key wrap function [AESKW] is included as an OPTIONAL
+ implementation method. If the key wrap function is used in the
+ public key method, the NULL MAC is RECOMMENDED to be used, as the key
+ wrap itself will provide integrity of the encrypted content (note
+ though that the NULL MAC SHOULD NOT be used in the pre-shared key
+ case, as the MAC in that case covers the entire message). The 128-
+ bit key and a 64-bit salt, S, are derived in accordance to Section
+ 4.1.4 and the key wrap IV is then set to S.
+
+
+
+
+
+
+
+Arkko, et al. Standards Track [Page 20]
+
+RFC 3830 MIKEY August 2004
+
+
+4.2.4. MAC and Verification Message function
+
+ MIKEY uses a 160-bit authentication tag, generated by HMAC with SHA-1
+ as the MANDATORY implementation method, see [HMAC]. Authentication
+ keys are derived according to Section 4.1.4. Note that the
+ authentication key size SHOULD be equal to the size of the hash
+ function's output (e.g., for HMAC-SHA-1, a 160-bit authentication key
+ is used) [HMAC].
+
+ The NULL authentication algorithm (i.e., no MAC) can be used together
+ with the NULL encryption algorithm (but implementation is OPTIONAL).
+ Note that this MUST NOT be used unless the underlying protocols can
+ guarantee security. The main reason for including this is for
+ specific SIP scenarios, where SDP is protected end-to-end. For this
+ scenario, MIKEY MAY be used with the pre-shared key method and the
+ NULL encryption and authentication algorithm, while relying on the
+ security of SIP. Use this option with caution!
+
+4.2.5. Envelope Key encryption
+
+ The public key encryption algorithm applied is defined by, and
+ dependent on the certificate used. It is MANDATORY to support RSA
+ PKCS#1, v1.5, and it is RECOMMENDED to also support RSA OAEP [PSS].
+
+4.2.6. Digital Signatures
+
+ The signature algorithm applied is defined by, and dependent on the
+ certificate used. It is MANDATORY to support RSA PKCS#1, v1.5, and it
+ is RECOMMENDED to also support RSA PSS [PSS].
+
+4.2.7. Diffie-Hellman Groups
+
+ The Diffie-Hellman key exchange, when supported, uses OAKLEY 5
+ [OAKLEY] as a mandatory implementation. Both OAKLEY 1 and OAKLEY 2
+ MAY be used (but these are OPTIONAL implementations).
+
+ See Section 4.2.9 for the guidelines on specifying a new DH Group to
+ be used within MIKEY.
+
+4.2.8. Timestamps
+
+ The timestamp is as defined in NTP [NTP], i.e., a 64-bit number in
+ seconds relative to 0h on 1 January 1900. An implementation MUST be
+ aware of (and take into account) the fact that the counter will
+ overflow approximately every 136th year. It is RECOMMENDED that the
+ time always be specified in UTC.
+
+
+
+
+
+Arkko, et al. Standards Track [Page 21]
+
+RFC 3830 MIKEY August 2004
+
+
+4.2.9. Adding new parameters to MIKEY
+
+ There are two different parameter sets that can be added to MIKEY.
+ The first is a set of MIKEY transforms (needed for the exchange
+ itself), and the second is the Data SAs.
+
+ New transforms and parameters (including new policies) SHALL be added
+ by registering with IANA (according to [RFC2434], see also Section
+ 10) a new number for the concerned payload, and also if necessary,
+ documenting how the new transform/parameter is used. Sometimes it
+ might be enough to point to an already specified document for the
+ usage, e.g., when adding a new, already standardized, hash function.
+
+ In the case of adding a new DH group, the group MUST be specified in
+ a companion standards-track RFC (it is RECOMMENDED that the specified
+ group use the same format as used in [OAKLEY]). A number can then be
+ assigned by IANA for such a group to be used in MIKEY.
+
+ When adding support for a new data security protocol, the following
+ MUST be specified:
+
+ * A map sub-payload (see Section 6.1). This is used to be able to
+ map a crypto session to the right instance of the data security
+ protocol and possibly also to provide individual parameters for
+ each data security protocol.
+
+ * A policy payload, i.e., specification of parameters and supported
+ values.
+
+ * General guidelines of usage.
+
+4.3. Certificates, Policies and Authorization
+
+4.3.1. Certificate handling
+
+ Certificate handling may involve a number of additional tasks not
+ shown here, and effect the inclusion of certain parts of the message
+ (c.f. [X.509]). However, the following observations can be made:
+
+ * The Initiator typically has to find the certificate of the
+ Responder in order to send the first message. If the Initiator
+ does not already have the Responder's certificate, this may
+ involve one or more roundtrips to a central directory agent.
+
+ * It will be possible for the Initiator to omit its own certificate
+ and rely on the Responder getting this certificate using other
+ means. However, we only recommend doing this when it is
+ reasonable to expect that the Responder has cached the certificate
+
+
+
+Arkko, et al. Standards Track [Page 22]
+
+RFC 3830 MIKEY August 2004
+
+
+ from a previous connection. Otherwise accessing the certificate
+ would mean additional roundtrips for the Responder as well.
+
+ * Verification of the certificates using Certificate Revocation
+ Lists (CRLs) [X.509] or protocols such as OCSP [OCSP] may be
+ necessary. All parties in a MIKEY exchange should have a local
+ policy which dictates whether such checks are made, how they are
+ made, and how often they are made. Note that performing the
+ checks may imply additional messaging.
+
+4.3.2. Authorization
+
+ In general, there are two different models for making authorization
+ decisions for both the Initiator and the Responder, in the context of
+ the applications targeted by MIKEY:
+
+ * Specific peer-to-peer configuration. The user has configured the
+ application to trust a specific peer.
+
+ When pre-shared secrets are used, this is pretty much the only
+ available scheme. Typically, the configuration/entering of the
+ pre-shared secret is taken to mean that authorization is implied.
+
+ In some cases, one could also use this with public keys, e.g., if
+ two peers exchange keys offline and configure them to be used for
+ the purpose of running MIKEY.
+
+ * Trusted root. The user accepts all peers that prove to have a
+ certificate issued by a specific CA. The granularity of
+ authorization decisions is not very precise in this method.
+
+ In order to make this method possible, all participants in the
+ MIKEY protocol need to configure one or more trusted roots. The
+ participants also need to be capable of performing certificate
+ chain validation, and possibly transfer more than a single
+ certificate in the MIKEY messages (see also Section 6.7).
+
+ In practice, a combination of both mentioned methods might be
+ advantageous. Also, the possibility for a user to explicitly exclude
+ a specific peer (or sub-tree) in a trust chain might be needed.
+
+ These authorization policies address the MIKEY scenarios a-c of
+ Section 2.1, where the Initiator acts as the group owner and is also
+ the only one that can invite others. This implies that for each
+ Responder, the distributed keys MUST NOT be re-distributed to other
+ parties.
+
+
+
+
+
+Arkko, et al. Standards Track [Page 23]
+
+RFC 3830 MIKEY August 2004
+
+
+ In a many-to-many situation, where the group control functions are
+ distributed (and/or where it is possible to delegate the group
+ control function to others), a means of distributing authorization
+ information about who may be added to the group MUST exist. However,
+ it is out of scope of this document to specify how this should be
+ done.
+
+ For any broader communication situation, an external authorization
+ infrastructure may be used (following the assumptions of [GKMARCH]).
+
+4.3.3. Data Policies
+
+ Included in the message exchange, policies (i.e., security
+ parameters) for the Data security protocol are transmitted. The
+ policies are defined in a separate payload and are specific to the
+ security protocol (see also Section 6.10). Together with the keys,
+ the validity period of these can also be specified. For example,
+ this can be done with an SPI (or SRTP MKI) or with an Interval (e.g.,
+ a sequence number interval for SRTP), depending on the security
+ protocol.
+
+ New parameters can be added to a policy by documenting how they
+ should be interpreted by MIKEY and by also registering new values in
+ the appropriate name space in IANA. If a completely new policy is
+ needed, see Section 4.2.9 for guidelines.
+
+4.4. Retrieving the Data SA
+
+ The retrieval of a Data SA will depend on the security protocol, as
+ different security protocols will have different characteristics.
+ When adding support for a security protocol to MIKEY, some interface
+ of how the security protocol retrieves the Data SA from MIKEY MUST be
+ specified (together with policies that can be negotiated).
+
+ For SRTP, the SSRC (see [SRTP]) is one of the parameters used to
+ retrieve the Data SA (while the MKI may be used to indicate the
+ TGK/TEK used for the Data SA). However, the SSRC is not sufficient.
+ For the retrieval of the Data SA from MIKEY, it is RECOMMENDED that
+ the MIKEY implementation support a lookup using destination network
+ address and port together with SSRC. Note that MIKEY does not send
+ network addresses or ports. One reason for this is that they may not
+ be known in advance. Also, if a NAT exists in-between, problems may
+ arise. When SIP or RTSP is used, the local view of the destination
+ address and port can be obtained from either SIP or RTSP. MIKEY can
+ then use these addresses as the index for the Data SA lookup.
+
+
+
+
+
+
+Arkko, et al. Standards Track [Page 24]
+
+RFC 3830 MIKEY August 2004
+
+
+4.5. TGK re-keying and CSB updating
+
+ MIKEY provides a means of updating the CSB (e.g., transporting a new
+ TGK/TEK or adding a new Crypto Session to the CSB). The updating of
+ the CSB is done by executing MIKEY again, for example, before a TEK
+ expires, or when a new Crypto Session is added to the CSB. Note that
+ MIKEY does not provide re-keying in the GKMARCH sense, only updating
+ of the keys by normal unicast messages.
+
+ When MIKEY is executed again to update the CSB, it is not necessary
+ to include certificates and other information that was provided in
+ the first exchange, for example, all payloads that are static or
+ optionally included may be left out (see Figure 4.1).
+
+ The new message exchange MUST use the same CSB ID as the initial
+ exchange, but MUST use a new timestamp. A new RAND MUST NOT be
+ included in the message exchange (the RAND will only have effect in
+ the Initial exchange). If desired, new Crypto Sessions are added in
+ the update message. Note that a MIKEY update message does not need
+ to contain new keying material (e.g., new TGK). In this case, the
+ crypto session continues to use the previously established keying
+ material, while updating the new information.
+
+ As explained in Section 3.2, the envelope key can be "cached" as a
+ pre-shared key (this is indicated by the Initiator in the first
+ message sent). If so, the update message is a pre-shared key message
+ with the cached envelope key as the pre-shared key; it MUST NOT be a
+ public key message. If the public key message is used, but the
+ envelope key is not cached, the Initiator MUST provide a new
+ encrypted envelope key that can be used in the verification message.
+ However, the Initiator does not need to provide any other keys.
+
+ Figure 4.1 visualizes the update messages that can be sent, including
+ the optional parts. The main difference from the original message is
+ that it is optional to include TGKs (or DH values in the DH method).
+ Also see Section 3 for more details on the specific methods.
+
+ By definition, a CSB can contain several CSs. A problem that then
+ might occur is to synchronize the TGK re-keying if an SPI (or similar
+ functionality, e.g., MKI in [SRTP]) is not used. It is therefore
+ RECOMMENDED that an SPI or MKI be used, if more than one CS is
+ present.
+
+
+
+
+
+
+
+
+
+Arkko, et al. Standards Track [Page 25]
+
+RFC 3830 MIKEY August 2004
+
+
+ Initiator Responder
+
+ Pre-shared key method:
+
+ I_MESSAGE =
+ HDR, T, [IDi], [IDr], {SP}, KEMAC --->
+ R_MESSAGE =
+ [<---] HDR, T, [IDr], V
+
+ Public key method:
+
+ I_MESSAGE =
+ HDR, T, [IDi|CERTi], [IDr], {SP},
+ [KEMAC], [CHASH], PKE, SIGNi --->
+ R_MESSAGE =
+ [<---] HDR, T, [IDr], V
+
+ DH method:
+
+ I_MESSAGE =
+ HDR, T, [IDi|CERTi], [IDr], {SP},
+ [DHi], SIGNi --->
+ R_MESSAGE =
+ <--- HDR, T, [IDr|CERTr], IDi,
+ [DHr, DHi], SIGNr
+
+ Figure 4.1: Update messages.
+
+ Note that for the DH method, if the Initiator includes the DHi
+ payload, then the Responder MUST include DHr and DHi. If the
+ Initiator does not include DHi, the Responder MUST NOT include DHr or
+ DHi.
+
+5. Behavior and message handling
+
+ Each message that is sent by the Initiator or the Responder is built
+ by a set of payloads. This section describes how messages are
+ created and also when they can be used.
+
+5.1. General
+
+5.1.1. Capability Discovery
+
+ The Initiator indicates the security policy to be used (i.e., in
+ terms of security protocol algorithms). If the Responder does not
+ support it (for some reason), the Responder can together with an
+ error message (indicating that it does not support the parameters),
+ send back its own capabilities (negotiation) to let the Initiator
+
+
+
+Arkko, et al. Standards Track [Page 26]
+
+RFC 3830 MIKEY August 2004
+
+
+ choose a common set of parameters. This is done by including one or
+ more security policy payloads in the error message sent in response
+ (see Section 5.1.2.). Multiple attributes can be provided in
+ sequence in the response. This is done to reduce the number of
+ roundtrips as much as possible (i.e., in most cases, where the policy
+ is accepted the first time, one roundtrip is enough). If the
+ Responder does not accept the offer, the Initiator must go out with a
+ new MIKEY message.
+
+ If the Responder is not willing/capable of providing security or the
+ parties simply cannot agree, it is up to the parties' policies how to
+ behave, for example, accepting or rejecting an insecure
+ communication.
+
+ Note that it is not the intention of this protocol to have a broad
+ variety of options, as it is assumed that a denied offer should
+ rarely occur.
+
+ In the one-to-many and many-to-many scenarios using multicast
+ communication, one issue is of course that there MUST be a common
+ security policy for all the receivers. This limits the possibility
+ of negotiation.
+
+5.1.2. Error Handling
+
+ Due to the key management protocol, all errors SHOULD be reported to
+ the peer(s) by an error message. The Initiator SHOULD therefore
+ always be prepared to receive such a message from the Responder.
+
+ If the Responder does not support the set of parameters suggested by
+ the Initiator, the error message SHOULD include the supported
+ parameters (see also Section 5.1.1).
+
+ The error message is formed as:
+
+ HDR, T, {ERR}, {SP}, [V|SIGNr]
+
+ Note that if failure is due to the inability to authenticate the
+ peer, the error message is OPTIONAL, and does not need to be
+ authenticated. It is up to local policy to determine how to treat
+ this kind of message. However, if in response to a failed
+ authentication a signed error message is returned, this can be used
+ for DoS purposes (against the Responder). Similarly, an
+ unauthenticated error message could be sent to the Initiator in order
+ to fool the Initiator into tearing down the CSB. It is highly
+ RECOMMENDED that the local policy take this into consideration.
+ Therefore, in case of authentication failure, one recommendation
+ would be not to authenticate such an error message, and when
+
+
+
+Arkko, et al. Standards Track [Page 27]
+
+RFC 3830 MIKEY August 2004
+
+
+ receiving an unauthenticated error message view it only as a
+ recommendation of what may have gone wrong.
+
+5.2. Creating a message
+
+ To create a MIKEY message, a Common Header payload is first created.
+ This payload is then followed, depending on the message type, by a
+ set of information payloads (e.g., DH-value payload, Signature
+ payload, Security Policy payload). The defined payloads and the
+ exact encoding of each payload are described in Section 6.
+
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ ! version ! data type ! next payload ! !
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+... +
+ ~ Common Header... ~
+ ! !
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ ! next payload ! Payload 1 ... !
+ +-+-+-+-+-+-+-+-+ +
+ ~ ~
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ : : :
+ : : :
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ ! next payload ! Payload x ... !
+ +-+-+-+-+-+-+-+-+ +
+ ~ ~
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ ! MAC/Signature ~
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+ Figure 5.1. MIKEY payload message example. Note that the payloads
+ are byte aligned and not 32-bit aligned.
+
+ The process of generating a MIKEY message consists of the following
+ steps:
+
+ * Create an initial MIKEY message starting with the Common Header
+ payload.
+
+ * Concatenate necessary payloads of the MIKEY message (see the
+ exchange definitions for payloads that may be included, and the
+ recommended order).
+
+ * As a last step (for messages that must be authenticated, this also
+ includes the verification message), create and concatenate the
+ MAC/signature payload without the MAC/signature field filled in
+
+
+
+Arkko, et al. Standards Track [Page 28]
+
+RFC 3830 MIKEY August 2004
+
+
+ (if a Next payload field is included in this payload, it is set to
+ Last payload).
+
+ * Calculate the MAC/signature over the entire MIKEY message, except
+ the MAC/Signature field, and add the MAC/signature in the field.
+ In the case of the verification message, the Identity_i ||
+ Identity_r || Timestamp MUST directly follow the MIKEY message in
+ the Verification MAC calculation. Note that the added identities
+ and timestamp are identical to those transported in the ID and T
+ payloads.
+
+ In the public key case, the Key data transport payload is generated
+ by concatenating the IDi with the TGKs. This is then encrypted and
+ placed in the data field. The MAC is calculated over the entire Key
+ data transport payload except the MAC field. Before calculating the
+ MAC, the Next payload field is set to zero.
+
+ Note that all messages from the Initiator MUST use a unique
+ timestamp. The Responder does not create a new timestamp, but uses
+ the timestamp used by the Initiator.
+
+5.3. Parsing a message
+
+ In general, parsing of a MIKEY message is done by extracting payload
+ by payload and checking that no errors occur. The exact procedure is
+ implementation specific; however, for the Responder, it is
+ RECOMMENDED that the following procedure be followed:
+
+ * Extract the Timestamp and check that it is within the allowable
+ clock skew (if not, discard the message). Also check the replay
+ cache (Section 5.4) so that the message is not replayed (see
+ Section 5.4). If the message is replayed, discard it.
+
+ * Extract the ID and authentication algorithm (if not included,
+ assume the default).
+
+ * Verify the MAC/signature.
+
+ * If the authentication is not successful, an Auth failure Error
+ message MAY be sent to the Initiator. The message is then
+ discarded from further processing. See also Section 5.1.2 for
+ treatment of errors.
+
+ * If the authentication is successful, the message is processed and
+ also added to the replay cache; processing is implementation
+ specific. Note also that only successfully authenticated messages
+ are stored in the replay cache.
+
+
+
+
+Arkko, et al. Standards Track [Page 29]
+
+RFC 3830 MIKEY August 2004
+
+
+ * If any unsupported parameters or errors occur during the
+ processing, these MAY be reported to the Initiator by sending an
+ error message. The processing is then aborted. The error message
+ can also include payloads to describe the supported parameters.
+
+ * If the processing was successful and in case the Initiator
+ requested it, a verification/response message MAY be created and
+ sent to the Initiator.
+
+5.4. Replay handling and timestamp usage
+
+ MIKEY does not use a challenge-response mechanism for replay
+ handling; instead, timestamps are used. This requires that the
+ clocks are synchronized. The required synchronization is dependent
+ on the number of messages that can be cached (note though, that the
+ replay cache only contains messages that have been successfully
+ authenticated). If we could assume an unlimited cache, the terminals
+ would not need to be synchronized at all (as the cache could then
+ contain all previous messages). However, if there are restrictions
+ on the size of the replay cache, the clocks will need to be
+ synchronized to some extent. In short, one can in general say that
+ it is a tradeoff between the size of the replay cache and the
+ required synchronization.
+
+ Timestamp usage prevents replay attacks under the following
+ assumptions:
+
+ * Each host has a clock which is at least "loosely synchronized"
+ with the clocks of the other hosts.
+
+ * If the clocks are to be synchronized over the network, a secure
+ network clock synchronization protocol SHOULD be used, e.g.,
+ [ISO3].
+
+ * Each Responder utilizes a replay cache in order to remember the
+ successfully authenticated messages presented within an allowable
+ clock skew (which is set by the local policy).
+
+ * Replayed and outdated messages, for example, messages that can be
+ found in the replay cache or which have an outdated timestamp are
+ discarded and not processed.
+
+ * If the host loses track of the incoming requests (e.g., due to
+ overload), it rejects all incoming requests until the clock skew
+ interval has passed.
+
+
+
+
+
+
+Arkko, et al. Standards Track [Page 30]
+
+RFC 3830 MIKEY August 2004
+
+
+ In a client-server scenario, servers may encounter a high workload,
+ especially if a replay cache is necessary. However, servers that
+ assume the role of MIKEY Initiators will not need to manage any
+ significant replay cache as they will refuse all incoming messages
+ that are not a response to a message previously sent by the server.
+
+ In general, a client may not expect a very high load of incoming
+ messages and may therefore allow the degree of looseness to be on the
+ order of several minutes to hours. If a (D)DoS attack is launched
+ and the replay cache grows too large, MIKEY MAY dynamically decrease
+ the looseness so that the replay cache becomes manageable. However,
+ note that such (D)DoS attacks can only be performed by peers that can
+ authenticate themselves. Hence, such an attack is very easy to trace
+ and mitigate.
+
+ The maximum number of messages that a client will need to cache may
+ vary depending on the capacity of the client itself and the network.
+ The number of expected messages should be taken into account.
+
+ For example, assume that we can at most spend 6kB on a replay cache.
+ Assume further that we need to store 30 bytes for each incoming
+ authenticated message (the hash of the message is 20 bytes). This
+ implies that it is possible to cache approximately 204 messages. If
+ the expected number of messages per minute can be estimated, the
+ clock skew can easily be calculated. For example, in a SIP scenario
+ where the client is expected, in the most extreme case, to receive 10
+ calls per minute, the clock skew needed is then approximately 20
+ minutes. In a not so extreme setting, where one could expect an
+ incoming call every 5th minute, this would result in a clock skew on
+ the order of 16.5 hours (approx 1000 minutes).
+
+ Consider a very extreme case, where the maximum number of incoming
+ messages are assumed to be on the order of 120 messages per minute,
+ and a requirement that the clock skew is on the order of 10 minutes,
+ a 48kB replay cache would be required.
+
+ Hence, one can note that the required clock skew will depend largely
+ on the setting in which MIKEY is used. One recommendation is to fix
+ a size for the replay cache, allowing the clock skew to be large (the
+ initial clock skew can be set depending on the application in which
+ it is used). As the replay cache grows, the clock skew is decreased
+ depending on the percentage of the used replay cache. Note that this
+ is locally handled, which will not require interaction with the peer
+ (even though it may indirectly effect the peer). However, exactly
+ how to implement such functionality is out of the scope of this
+ document and considered implementation specific.
+
+
+
+
+
+Arkko, et al. Standards Track [Page 31]
+
+RFC 3830 MIKEY August 2004
+
+
+ In case of a DoS attack, the client will most likely be able to
+ handle the replay cache. A more likely (and serious) DoS attack is a
+ CPU DoS attack where the attacker sends messages to the peer, which
+ then needs to expend resources on verifying the MACs/signatures of
+ the incoming messages.
+
+6. Payload Encoding
+
+ This section describes, in detail, all the payloads. For all
+ encoding, network byte order is always used. While defining
+ supported types (e.g., which hash functions are supported) the
+ mandatory-to-implement types are indicated (as Mandatory), as well as
+ the default types (note, default also implies mandatory
+ implementation). Support for the other types are implicitly assumed
+ to be optional.
+
+ In the following, note that the support for SRTP [SRTP] as a security
+ protocol is defined. This will help us better understand the purpose
+ of the different payloads and fields. Other security protocols MAY
+ be specified for use within MIKEY, see Section 10.
+
+ In the following, the sign ~ indicates variable length field.
+
+6.1. Common Header payload (HDR)
+
+ The Common Header payload MUST always be present as the first payload
+ in each message. The Common Header includes a general description of
+ the exchange message.
+
+ 1 2 3
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ ! version ! data type ! next payload !V! PRF func !
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ ! CSB ID !
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ ! #CS ! CS ID map type! CS ID map info ~
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+ * version (8 bits): the version number of MIKEY.
+
+ version = 0x01 refers to MIKEY as defined in this document.
+
+ * data type (8 bits): describes the type of message (e.g., public-
+ key transport message, verification message, error message).
+
+
+
+
+
+
+Arkko, et al. Standards Track [Page 32]
+
+RFC 3830 MIKEY August 2004
+
+
+ Data type | Value | Comment
+ --------------------------------------
+ Pre-shared | 0 | Initiator's pre-shared key message
+ PSK ver msg | 1 | Verification message of a Pre-shared
+ | | key message
+ Public key | 2 | Initiator's public-key transport message
+ PK ver msg | 3 | Verification message of a public-key
+ | | message
+ D-H init | 4 | Initiator's DH exchange message
+ D-H resp | 5 | Responder's DH exchange message
+ Error | 6 | Error message
+
+ Table 6.1.a
+
+ * next payload (8 bits): identifies the payload that is added after
+ this payload.
+
+ Next payload | Value | Section
+ ------------------------------
+ Last payload | 0 | -
+ KEMAC | 1 | 6.2
+ PKE | 2 | 6.3
+ DH | 3 | 6.4
+ SIGN | 4 | 6.5
+ T | 5 | 6.6
+ ID | 6 | 6.7
+ CERT | 7 | 6.7
+ CHASH | 8 | 6.8
+ V | 9 | 6.9
+ SP | 10 | 6.10
+ RAND | 11 | 6.11
+ ERR | 12 | 6.12
+ Key data | 20 | 6.13
+ General Ext. | 21 | 6.15
+
+ Table 6.1.b
+
+ Note that some of the payloads cannot directly follow the header
+ (such as "Last payload", "Signature"). However, the Next payload
+ field is generic for all payloads. Therefore, a value is
+ allocated for each payload. The Next payload field is set to zero
+ (Last payload) if the current payload is the last payload.
+
+ * V (1 bit): flag to indicate whether a verification message is
+ expected or not (this only has meaning when it is set by the
+ Initiator). The V flag SHALL be ignored by the receiver in the DH
+ method (as the response is MANDATORY).
+
+
+
+
+Arkko, et al. Standards Track [Page 33]
+
+RFC 3830 MIKEY August 2004
+
+
+ V = 0 ==> no response expected
+ V = 1 ==> response expected
+
+ * PRF func (7 bits): indicates the PRF function that has been/will
+ be used for key derivation.
+
+ PRF func | Value | Comments
+ --------------------------------------------------------
+ MIKEY-1 | 0 | Mandatory (see Section 4.1.2)
+
+ Table 6.1.c
+
+ * CSB ID (32 bits): identifies the CSB. It is RECOMMENDED that the
+ CSB ID be chosen at random by the Initiator. This ID MUST be
+ unique between each Initiator-Responder pair, i.e., not globally
+ unique. An Initiator MUST check for collisions when choosing the
+ ID (if the Initiator already has one or more established CSBs with
+ the Responder). The Responder uses the same CSB ID in the
+ response.
+
+ * #CS (8 bits): indicates the number of Crypto Sessions that will be
+ handled within the CBS. Note that even though it is possible to
+ use 255 CSs, it is not likely that a CSB will include this many
+ CSs. The integer 0 is interpreted as no CS included. This may be
+ the case in an initial setup message.
+
+ * CS ID map type (8 bits): specifies the method of uniquely mapping
+ Crypto Sessions to the security protocol sessions.
+
+ CS ID map type | Value
+ -----------------------
+ SRTP-ID | 0
+
+ Table 6.1.d
+
+ * CS ID map info (16 bits): identifies the crypto session(s) for
+ which the SA should be created. The currently defined map type is
+ the SRTP-ID (defined in Section 6.1.1).
+
+
+
+
+
+
+
+
+
+
+
+
+
+Arkko, et al. Standards Track [Page 34]
+
+RFC 3830 MIKEY August 2004
+
+
+6.1.1. SRTP ID
+
+ 1 2 3
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ ! Policy_no_1 ! SSRC_1 !
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ ! SSRC_1 (cont) ! ROC_1 !
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ ! ROC_1 (cont) ! Policy_no_2 ! SSRC_2 !
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ ! SSRC_2 (cont) ! ROC_2 !
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ ! ROC_2 (cont) ! :
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ...
+ : : :
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ ! Policy_no_#CS ! SSRC_#CS !
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ !SSRC_#CS (cont)! ROC_#CS !
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ ! ROC_#CS (cont)!
+ +-+-+-+-+-+-+-+-+
+
+ * Policy_no_i (8 bits): The security policy applied for the stream
+ with SSRC_i. The same security policy may apply for all CSs.
+
+ * SSRC_i (32 bits): specifies the SSRC that MUST be used for the
+ i-th SRTP stream. Note that it is the sender of the streams that
+ chooses the SSRC. Therefore, it is possible that the Initiator of
+ MIKEY cannot fill in all fields. In this case, SSRCs that are not
+ chosen by the Initiator are set to zero and the Responder fills in
+ these fields in the response message. Note that SRTP specifies
+ requirements on the uniqueness of the SSRCs (to avoid two-time pad
+ problems if the same TEK is used for more than one stream) [SRTP].
+
+ * ROC_i (32 bits): Current rollover counter used in SRTP. If the
+ SRTP session has not started, this field is set to 0. This field
+ is used to enable a member to join and synchronize with an already
+ started stream.
+
+ NOTE: The stream using SSRC_i will also have Crypto Session ID equal
+ to no i (NOT to the SSRC).
+
+
+
+
+
+
+
+
+Arkko, et al. Standards Track [Page 35]
+
+RFC 3830 MIKEY August 2004
+
+
+6.2. Key data transport payload (KEMAC)
+
+ The Key data transport payload contains encrypted Key data sub-
+ payloads (see Section 6.13 for the definition of the Key data sub-
+ payload). It may contain one or more Key data payloads, each
+ including, for example, a TGK. The last Key data payload has its
+ Next payload field set to Last payload. For an update message (see
+ also Section 4.5), it is allowed to skip the Key data sub-payloads
+ (which will result in the Encr data len being equal to 0).
+
+ Note that the MAC coverage depends on the method used, i.e., pre-
+ shared vs public key, see below.
+
+ If the transport method used is the pre-shared key method, this Key
+ data transport payload is the last payload in the message (note that
+ the Next payload field is set to Last payload). The MAC is then
+ calculated over the entire MIKEY message following the directives in
+ Section 5.2.
+
+ If the transport method used is the public-key method, the
+ Initiator's identity is added in the encrypted data. This is done by
+ adding the ID payload as the first payload, which is then followed by
+ the Key data sub-payloads. Note that for an update message, the ID
+ is still sent encrypted to the Responder (this is to avoid certain
+ re-direction attacks) even though no Key data sub-payload is added
+ after.
+
+ In the public-key case, the coverage of the MAC field is over the Key
+ data transport payload only, instead of the complete MIKEY message,
+ as in the pre-shared case. The MAC is therefore calculated over the
+ Key data transport payload, except for the MAC field and where the
+ Next payload field has been set to zero (see also Section 5.2).
+
+ 1 2 3
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ ! Next payload ! Encr alg ! Encr data len !
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ ! Encr data ~
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ ! Mac alg ! MAC ~
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+ * Next payload (8 bits): identifies the payload that is added after
+ this payload. See Section 6.1 for defined values.
+
+ * Encr alg (8 bits): the encryption algorithm used to encrypt the
+ Encr data field.
+
+
+
+Arkko, et al. Standards Track [Page 36]
+
+RFC 3830 MIKEY August 2004
+
+
+ Encr alg | Value | Comment
+ -------------------------------------------
+ NULL | 0 | Very restricted usage, see Section 4.2.3!
+ AES-CM-128 | 1 | Mandatory; AES-CM using a 128-bit key, see
+ Section 4.2.3)
+ AES-KW-128 | 2 | AES Key Wrap using a 128-bit key, see
+ Section 4.2.3
+
+ Table 6.2.a
+
+ * Encr data len (16 bits): length of Encr data (in bytes).
+
+ * Encr data (variable length): the encrypted key sub-payloads (see
+ Section 6.13).
+
+ * MAC alg (8 bits): specifies the authentication algorithm used.
+
+ MAC alg | Value | Comments | Length (bits)
+ ----------------------------------------------------------
+ NULL | 0 | restricted usage | 0
+ | | Section 4.2.4 |
+ HMAC-SHA-1-160 | 1 | Mandatory, | 160
+ | | Section 4.2.4 |
+
+ Table 6.2.b
+
+ * MAC (variable length): the message authentication code of the
+ entire message.
+
+6.3. Envelope data payload (PKE)
+
+ The Envelope data payload contains the encrypted envelope key that is
+ used in the public-key transport to protect the data in the Key data
+ transport payload. The encryption algorithm used is implicit from
+ the certificate/public key used.
+
+ 1 2 3
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ ! Next Payload ! C ! Data len ! Data ~
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+ * Next payload (8 bits): identifies the payload that is added after
+ this payload. See Section 6.1 for values.
+
+ * C (2 bits): envelope key cache indicator (Section 3.2).
+
+
+
+
+
+Arkko, et al. Standards Track [Page 37]
+
+RFC 3830 MIKEY August 2004
+
+
+ Cache type | Value | Comments
+ --------------------------------------
+ No cache | 0 | The envelope key MUST NOT be cached
+ Cache | 1 | The envelope key MUST be cached
+ Cache for CSB | 2 | The envelope key MUST be cached, but only
+ | | to be used for the specific CSB.
+ Table 6.3
+
+ * Data len (14 bits): the length of the data field (in bytes).
+
+ * Data (variable length): the encrypted envelope key.
+
+6.4. DH data payload (DH)
+
+ The DH data payload carries the DH-value and indicates the DH-group
+ used. Notice that in this sub-section, "MANDATORY" is conditioned
+ upon DH being supported.
+
+ 1 2 3
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ ! Next Payload ! DH-Group ! DH-value ~
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ ! Reserv! KV ! KV data (optional) ~
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+ * Next payload (8 bits): identifies the payload that is added after
+ this payload. See Section 6.1 for values.
+
+ * DH-Group (8 bits): identifies the DH group used.
+
+ DH-Group | Value | Comment | DH Value length (bits)
+ --------------------------------------|---------------------
+ OAKLEY 5 | 0 | Mandatory | 1536
+ OAKLEY 1 | 1 | | 768
+ OAKLEY 2 | 2 | | 1024
+
+ Table 6.4
+
+ * DH-value (variable length): the public DH-value (the length is
+ implicit from the group used).
+
+ * KV (4 bits): indicates the type of key validity period specified.
+ This may be done by using an SPI (alternatively an MKI in SRTP) or
+ by providing an interval in which the key is valid (e.g., in the
+ latter case, for SRTP this will be the index range where the key
+ is valid). See Section 6.13 for pre-defined values.
+
+
+
+
+Arkko, et al. Standards Track [Page 38]
+
+RFC 3830 MIKEY August 2004
+
+
+ * KV data (variable length): This includes either the SPI/MKI or an
+ interval (see Section 6.14). If KV is NULL, this field is not
+ included.
+
+6.5. Signature payload (SIGN)
+
+ The Signature payload carries the signature and its related data.
+ The signature payload is always the last payload in the PK transport
+ and DH exchange messages. The signature algorithm used is implicit
+ from the certificate/public key used.
+
+ 1 2 3
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ ! S type| Signature len ! Signature ~
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+ * S type (4 bits): indicates the signature algorithm applied by the
+ signer.
+
+ S type | Value | Comments
+ -------------------------------------
+ RSA/PKCS#1/1.5| 0 | Mandatory, PKCS #1 version 1.5 signature
+ [PSS]
+ RSA/PSS | 1 | RSASSA-PSS signature [PSS]
+
+ Table 6.5
+
+ * Signature len (12 bits): the length of the signature field (in
+ bytes).
+
+ * Signature (variable length): the signature (its formatting and
+ padding depend on the type of signature).
+
+6.6. Timestamp payload (T)
+
+ The timestamp payload carries the timestamp information.
+
+ 1 2 3
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ ! Next Payload ! TS type ! TS value ~
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+ * Next payload (8 bits): identifies the payload that is added after
+ this payload. See Section 6.1 for values.
+
+ * TS type (8 bits): specifies the timestamp type used.
+
+
+
+Arkko, et al. Standards Track [Page 39]
+
+RFC 3830 MIKEY August 2004
+
+
+ TS type | Value | Comments | length of TS value
+ -------------------------------------|-------------------
+ NTP-UTC | 0 | Mandatory | 64-bits
+ NTP | 1 | Mandatory | 64-bits
+ COUNTER | 2 | Optional | 32-bits
+
+ Table 6.6
+
+ Note: COUNTER SHALL be padded (with leading zeros) to a 64-bit
+ value when used as input for the default PRF.
+
+ * TS-value (variable length): The timestamp value of the specified
+ TS type.
+
+6.7. ID payload (ID) / Certificate Payload (CERT)
+
+ Note that the ID payload and the Certificate payload are two
+ completely different payloads (having different payload identifiers).
+ However, as they share the same payload structure, they are described
+ in the same section.
+
+ The ID payload carries a uniquely defined identifier.
+
+ The certificate payload contains an indicator of the certificate
+ provided as well as the certificate data. If a certificate chain is
+ to be provided, each certificate in the chain should be included in a
+ separate CERT payload.
+
+ 1 2 3
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ ! Next Payload ! ID/Cert Type ! ID/Cert len !
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ ! ID/Certificate Data ~
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+ * Next payload (8 bits): identifies the payload that is added after
+ this payload. See Section 6.1 for values.
+
+ If the payload is an ID payload, the following values apply for the
+ ID type field:
+
+ * ID Type (8 bits): specifies the identifier type used.
+
+
+
+
+
+
+
+
+Arkko, et al. Standards Track [Page 40]
+
+RFC 3830 MIKEY August 2004
+
+
+ ID Type | Value | Comments
+ ----------------------------------------------
+ NAI | 0 | Mandatory (see [NAI])
+ URI | 1 | Mandatory (see [URI])
+
+ Table 6.7.a
+
+ If the payload is a Certificate payload, the following values applies
+ for the Cert type field:
+
+ * Cert Type (8 bits): specifies the certificate type used.
+
+ Cert Type | Value | Comments
+ ----------------------------------------------
+ X.509v3 | 0 | Mandatory
+ X.509v3 URL | 1 | plain ASCII URL to the location of the Cert
+ X.509v3 Sign | 2 | Mandatory (used for signatures only)
+ X.509v3 Encr | 3 | Mandatory (used for encryption only)
+
+ Table 6.7.b
+
+ * ID/Cert len (16 bits): the length of the ID or Certificate field
+ (in bytes).
+
+ * ID/Certificate (variable length): The ID or Certificate data. The
+ X.509 [X.509] certificates are included as a bytes string using
+ DER encoding as specified in X.509.
+
+6.8. Cert hash payload (CHASH)
+
+ The Cert hash payload contains the hash of the certificate used.
+
+ 1 2 3
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ ! Next Payload ! Hash func ! Hash ~
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+ * Next payload (8 bits): identifies the payload that is added after
+ this payload. See Section 6.1 for values.
+
+ * Hash func (8 bits): indicates the hash function that is used (see
+ also Section 4.2.1).
+
+
+
+
+
+
+
+
+Arkko, et al. Standards Track [Page 41]
+
+RFC 3830 MIKEY August 2004
+
+
+ Hash func | Value | Comment | hash length (bits)
+ -------------------------------------------------
+ SHA-1 | 0 | Mandatory | 160
+ MD5 | 1 | | 128
+
+ Table 6.8
+
+ * Hash (variable length): the hash data. The hash length is
+ implicit from the hash function used.
+
+6.9. Ver msg payload (V)
+
+ The Ver msg payload contains the calculated verification message in
+ the pre-shared key and the public-key transport methods. Note that
+ the MAC is calculated over the entire MIKEY message, as well as the
+ IDs and Timestamp (see also Section 5.2).
+
+ 1 2 3
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ ! Next Payload ! Auth alg ! Ver data ~
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+ * Next payload (8 bits): identifies the payload that is added after
+ this payload. See Section 6.1 for values.
+
+ * Auth alg (8 bits): specifies the MAC algorithm used for the
+ verification message. See Section 6.2 for defined values.
+
+ * Ver data (variable length): the verification message data. The
+ length is implicit from the authentication algorithm used.
+
+6.10. Security Policy payload (SP)
+
+ The Security Policy payload defines a set of policies that apply to a
+ specific security protocol.
+
+ 1 2 3
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ ! Next payload ! Policy no ! Prot type ! Policy param ~
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ ~ length (cont) ! Policy param ~
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+ * Next payload (8 bits): identifies the payload that is added after
+ this payload. See Section 6.1 for values.
+
+
+
+
+Arkko, et al. Standards Track [Page 42]
+
+RFC 3830 MIKEY August 2004
+
+
+ * Policy no (8 bits): each security policy payload must be given a
+ distinct number for the current MIKEY session by the local peer.
+ This number is used to map a crypto session to a specific policy
+ (see also Section 6.1.1).
+
+ * Prot type (8 bits): defines the security protocol.
+
+ Prot type | Value |
+ ---------------------------
+ SRTP | 0 |
+
+ Table 6.10
+
+ * Policy param length (16 bits): defines the total length of the
+ policy parameters for the specific security protocol.
+
+ * Policy param (variable length): defines the policy for the
+ specific security protocol.
+
+ The Policy param part is built up by a set of Type/Length/Value
+ fields. For each security protocol, a set of possible
+ types/values that can be negotiated is defined.
+
+ 1 2 3
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ ! Type ! Length ! Value ~
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+ * Type (8 bits): specifies the type of the parameter.
+
+ * Length (8 bits): specifies the length of the Value field (in
+ bytes).
+
+ * Value (variable length): specifies the value of the parameter.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Arkko, et al. Standards Track [Page 43]
+
+RFC 3830 MIKEY August 2004
+
+
+6.10.1. SRTP policy
+
+ This policy specifies the parameters for SRTP and SRTCP. The
+ types/values that can be negotiated are defined by the following
+ table:
+
+ Type | Meaning | Possible values
+ ----------------------------------------------------
+ 0 | Encryption algorithm | see below
+ 1 | Session Encr. key length | depends on cipher used
+ 2 | Authentication algorithm | see below
+ 3 | Session Auth. key length | depends on MAC used
+ 4 | Session Salt key length | see [SRTP] for recommendations
+ 5 | SRTP Pseudo Random Function | see below
+ 6 | Key derivation rate | see [SRTP] for recommendations
+ 7 | SRTP encryption off/on | 0 if off, 1 if on
+ 8 | SRTCP encryption off/on | 0 if off, 1 if on
+ 9 | sender's FEC order | see below
+ 10 | SRTP authentication off/on | 0 if off, 1 if on
+ 11 | Authentication tag length | in bytes
+ 12 | SRTP prefix length | in bytes
+
+ Table 6.10.1.a
+
+ Note that if a Type/Value is not set, the default is used (according
+ to SRTP's own criteria). Note also that, if "Session Encr. key
+ length" is set, this should also be seen as the Master key length
+ (otherwise, the SRTP default Master key length is used).
+
+ For the Encryption algorithm, a one byte length is enough. The
+ currently defined possible Values are:
+
+ SRTP encr alg | Value
+ ---------------------
+ NULL | 0
+ AES-CM | 1
+ AES-F8 | 2
+
+ Table 6.10.1.b
+
+ where AES-CM is AES in CM, and AES-F8 is AES in f8 mode [SRTP].
+
+
+
+
+
+
+
+
+
+
+Arkko, et al. Standards Track [Page 44]
+
+RFC 3830 MIKEY August 2004
+
+
+ For the Authentication algorithm, a one byte length is enough. The
+ currently defined possible Values are:
+
+ SRTP auth alg | Value
+ ---------------------
+ NULL | 0
+ HMAC-SHA-1 | 1
+
+ Table 6.10.1.c
+
+ For the SRTP pseudo-random function, a one byte length is also
+ enough. The currently defined possible Values are:
+
+ SRTP PRF | Value
+ ---------------------
+ AES-CM | 0
+
+ Table 6.10.1.d
+
+ If FEC is used at the same time SRTP is used, MIKEY can negotiate the
+ order in which these should be applied at the sender side.
+
+ FEC order | Value | Comments
+ --------------------------------
+ FEC-SRTP | 0 | First FEC, then SRTP
+
+ Table 6.10.1.e
+
+6.11. RAND payload (RAND)
+
+ The RAND payload consists of a (pseudo-)random bit-string. The RAND
+ MUST be independently generated per CSB (note that if the CSB has
+ several members, the Initiator MUST use the same RAND for all the
+ members). For randomness recommendations for security, see [RAND].
+
+ 1 2 3
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ ! Next payload ! RAND len ! RAND ~
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+ * Next payload (8 bits): identifies the payload that is added after
+ this payload. See Section 6.1 for values.
+
+ * RAND len (8 bits): length of the RAND (in bytes). It SHOULD be at
+ least 16.
+
+ * RAND (variable length): a (pseudo-)randomly chosen bit-string.
+
+
+
+Arkko, et al. Standards Track [Page 45]
+
+RFC 3830 MIKEY August 2004
+
+
+6.12. Error payload (ERR)
+
+ The Error payload is used to specify the error(s) that may have
+ occurred.
+
+ 1 2 3
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ ! Next Payload ! Error no ! Reserved !
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+ * Next payload (8 bits): identifies the payload that is added after
+ this payload. See Section 6.1 for values.
+
+ * Error no (8 bits): indicates the type of error that was
+ encountered.
+
+ Error no | Value | Comment
+ -------------------------------------------------------
+ Auth failure | 0 | Authentication failure
+ Invalid TS | 1 | Invalid timestamp
+ Invalid PRF | 2 | PRF function not supported
+ Invalid MAC | 3 | MAC algorithm not supported
+ Invalid EA | 4 | Encryption algorithm not supported
+ Invalid HA | 5 | Hash function not supported
+ Invalid DH | 6 | DH group not supported
+ Invalid ID | 7 | ID not supported
+ Invalid Cert | 8 | Certificate not supported
+ Invalid SP | 9 | SP type not supported
+ Invalid SPpar | 10 | SP parameters not supported
+ Invalid DT | 11 | not supported Data type
+ Unspecified error | 12 | an unspecified error occurred
+
+ Table 6.12
+
+6.13. Key data sub-payload
+
+ The Key data payload contains key material, e.g., TGKs. The Key data
+ payloads are never included in clear, but as an encrypted part of the
+ Key data transport payload.
+
+ Note that a Key data transport payload can contain multiple Key data
+ sub-payloads.
+
+
+
+
+
+
+
+
+Arkko, et al. Standards Track [Page 46]
+
+RFC 3830 MIKEY August 2004
+
+
+ 1 2 3
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ ! Next Payload ! Type ! KV ! Key data len !
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ ! Key data ~
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ ! Salt len (optional) ! Salt data (optional) ~
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ ! KV data (optional) ~
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+ * Next payload (8 bits): identifies the payload that is added after
+ this payload. See Section 6.1 for values.
+
+ * Type (4 bits): indicates the type of key included in the payload.
+
+ Type | Value
+ -----------------
+ TGK | 0
+ TGK+SALT | 1
+ TEK | 2
+ TEK+SALT | 3
+
+ Table 6.13.a
+
+ Note that the possibility of including a TEK (instead of using the
+ TGK) is provided. When sent directly, the TEK can generally not
+ be shared between more than one Crypto Session (unless the
+ Security protocol allows for this, e.g., [SRTP]). The recommended
+ use of sending a TEK, instead of a TGK, is when pre-encrypted
+ material exists and therefore, the TEK must be known in advance.
+
+ * KV (4 bits): indicates the type of key validity period specified.
+ This may be done by using an SPI (or MKI in the case of [SRTP]) or
+ by providing an interval in which the key is valid (e.g., in the
+ latter case, for SRTP this will be the index range where the key
+ is valid).
+
+
+
+
+
+
+
+
+
+
+
+
+
+Arkko, et al. Standards Track [Page 47]
+
+RFC 3830 MIKEY August 2004
+
+
+ KV | Value | Comments
+ -------------------------------------------
+ Null | 0 | No specific usage rule (e.g., a TEK
+ | | that has no specific lifetime)
+ SPI | 1 | The key is associated with the SPI/MKI
+ Interval | 2 | The key has a start and expiration time
+ | | (e.g., an SRTP TEK)
+
+ Table 6.13.b
+
+ Note that when NULL is specified, any SPI or Interval is valid.
+ For an Interval, this means that the key is valid from the first
+ observed sequence number until the key is replaced (or the
+ security protocol is shutdown).
+
+ * Key data len (16 bits): the length of the Key data field (in
+ bytes). Note that the sum of the overall length of all the Key
+ data payloads contained in a single Key data transport payload
+ (KEMAC) MUST be such that the KEMAC payload does not exceed a
+ length of 2^16 bytes (total length of KEMAC, see Section 6.2).
+
+ * Key data (variable length): The TGK or TEK data.
+
+ * Salt len (16 bits): The salt key length in bytes. Note that this
+ field is only included if the salt is specified in the Type-field.
+
+ * Salt data (variable length): The salt key data. Note that this
+ field is only included if the salt is specified in the Type-field.
+ (For SRTP, this is the so-called master salt.)
+
+ * KV data (variable length): This includes either the SPI or an
+ interval (see Section 6.14). If KV is NULL, this field is not
+ included.
+
+6.14. Key validity data
+
+ The Key validity data is not a standalone payload, but part of either
+ the Key data payload (see Section 6.13) or the DH payload (see
+ Section 6.4). The Key validity data gives a guideline of when the
+ key should be used. There are two KV types defined (see Section
+ 6.13), SPI/MKI (SPI) or a lifetime range (interval).
+
+
+
+
+
+
+
+
+
+
+Arkko, et al. Standards Track [Page 48]
+
+RFC 3830 MIKEY August 2004
+
+
+ SPI/MKI
+ 1 2 3
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ ! SPI Length ! SPI ~
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+ * SPI Length (8 bits): the length of the SPI (or MKI) in bytes.
+
+ * SPI (variable length): the SPI (or MKI) value.
+
+ Interval
+ 1 2 3
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ ! VF Length ! Valid From ~
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ ! VT Length ! Valid To (expires) ~
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+ * VF Length (8 bits): length of the Valid From field in bytes.
+
+ * Valid From (variable length): sequence number, index, timestamp,
+ or other start value that the security protocol uses to identify
+ the start position of the key usage.
+
+ * VT Length (8 bits): length of the Valid To field in bytes.
+
+ * Valid To (variable length): sequence number, index, timestamp, or
+ other expiration value that the security protocol can use to
+ identify the expiration of the key usage.
+
+ Note that for SRTP usage, the key validity period for a TGK/TEK
+ should be specified with either an interval, where the VF/VT
+ Length is equal to 6 bytes (i.e., the size of the index), or with
+ an MKI. It is RECOMMENDED that if more than one SRTP stream is
+ sharing the same keys and key update/re-keying is desired, this is
+ handled using MKI rather than the From-To method.
+
+
+
+
+
+
+
+
+
+
+
+
+
+Arkko, et al. Standards Track [Page 49]
+
+RFC 3830 MIKEY August 2004
+
+
+6.15. General Extension Payload
+
+ The General extensions payload is included to allow possible
+ extensions to MIKEY without the need for defining a completely new
+ payload each time. This payload can be used in any MIKEY message and
+ is part of the authenticated/signed data part.
+
+ 1 2 3
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ ! Next payload ! Type ! Length !
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ ! Data ~
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+ * Next payload (8 bits): identifies the payload that is added after
+ this payload.
+
+ * Type (8 bits): identifies the type of general payload.
+
+ Type | Value | Comments
+ ---------------------------------------
+ Vendor ID | 0 | Vendor specific byte string
+ SDP IDs | 1 | List of SDP key mgmt IDs (allocated for use in
+ [KMASDP])
+
+ Table 6.15
+
+ * Length (16 bits): the length in bytes of the Data field.
+
+ * Data (variable length): the general payload data.
+
+7. Transport protocols
+
+ MIKEY MAY be integrated within session establishment protocols.
+ Currently, integration of MIKEY within SIP/SDP and RTSP is defined in
+ [KMASDP]. MIKEY MAY use other transports, in which case how MIKEY is
+ transported over such a transport protocol has to be defined.
+
+8. Groups
+
+ What has been discussed up to now is not limited to single peer-to-
+ peer communication (except for the DH method), but can be used to
+ distribute group keys for small-size interactive groups and simple
+ one-to-many scenarios. Section 2.1. describes the scenarios in the
+ focus of MIKEY. This section describes how MIKEY is used in a group
+ scenario (though, see also Section 4.3 for issues related to
+ authorization).
+
+
+
+Arkko, et al. Standards Track [Page 50]
+
+RFC 3830 MIKEY August 2004
+
+
+8.1. Simple one-to-many
+
+ ++++
+ |S |
+ | |
+ ++++
+ |
+ --------+-------------- - -
+ | | |
+ v v v
+ ++++ ++++ ++++
+ |A | |B | |C |
+ | | | | | |
+ ++++ ++++ ++++
+
+ Figure 8.1. Simple one-to-many scenario.
+
+ In the simple one-to-many scenario, a server is streaming to a small
+ group of clients. RTSP or SIP is used for the registration and the
+ key management set up. The streaming server acts as the Initiator of
+ MIKEY. In this scenario, the pre-shared key or public key transport
+ mechanism will be appropriate in transporting the same TGK to all the
+ clients (which will result in common TEKs for the group).
+
+ Note, if the same TGK/TEK(s) should be used by all the group members,
+ the streaming server MUST specify the same CSB_ID and CS_ID(s) for
+ the session to all the group members.
+
+ As the communication may be performed using multicast, the members
+ need a common security policy if they want to be part of the group.
+ This limits the possibility of negotiation.
+
+ Furthermore, the Initiator should carefully consider whether to
+ request the verification message in reply from each receiver, as this
+ may result in a certain load for the Initiator itself as the group
+ size increases.
+
+8.2. Small-size interactive group
+
+ As described in the overview section, for small-size interactive
+ groups, one may expect that each client will be in charge for setting
+ up the security for its outgoing streams. In these scenarios, the
+ pre-shared key or the public-key transport method is used.
+
+
+
+
+
+
+
+
+Arkko, et al. Standards Track [Page 51]
+
+RFC 3830 MIKEY August 2004
+
+
+ ++++ ++++
+ |A | -------> |B |
+ | | <------- | |
+ ++++ ++++
+ ^ | | ^
+ | | | |
+ | | ++++ | |
+ | --->|C |<--- |
+ ------| |------
+ ++++
+
+ Figure 8.2. Small-size group without a centralized controller.
+
+ One scenario may then be that the client sets up a three-part call,
+ using SIP. Due to the small size of the group, unicast SRTP is used
+ between the clients. Each client sets up the security for its
+ outgoing stream(s) to the others.
+
+ As for the simple one-to-many case, the streaming client specifies
+ the same CSB_ID and CS_ID(s) for its outgoing sessions if the same
+ TGK/TEK(s) is used for all the group members.
+
+9. Security Considerations
+
+9.1. General
+
+ Key management protocols based on timestamps/counters and one-
+ roundtrip key transport have previously been standardized, for
+ example ISO [ISO1, ISO2]. The general security of these types of
+ protocols can be found in various articles and literature, c.f. [HAC,
+ AKE, LOA].
+
+ No chain is stronger than its weakest link. If a given level of
+ protection is wanted, then the cryptographic functions protecting the
+ keys during transport/exchange MUST offer a security corresponding to
+ at least that level.
+
+ For instance, if a security against attacks with a complexity 2^96 is
+ wanted, then one should choose a secure symmetric cipher supporting
+ at least 96 bit keys (128 bits may be a practical choice) for the
+ actual media protection, and a key transport mechanism that provides
+ equivalent protection, e.g., MIKEY's pre-shared key transport with
+ 128 bit TGK, or RSA with 1024 bit keys (which according to [LV]
+ corresponds to the desired 96 bit level, with some margin).
+
+ In summary, key size for the key-exchange mechanism MUST be weighed
+ against the size of the exchanged TGK so that it at least offers the
+ required level. For efficiency reasons, one SHOULD also avoid a
+
+
+
+Arkko, et al. Standards Track [Page 52]
+
+RFC 3830 MIKEY August 2004
+
+
+ security overkill, e.g., by not using a public key transport with
+ public keys giving a security level that is orders of magnitude
+ higher than length of the transported TGK. We refer to [LV] for
+ concrete key size recommendations.
+
+ Moreover, if the TGKs are not random (or pseudo-random), a brute
+ force search may be facilitated, again lowering the effective key
+ size. Therefore, care MUST be taken when designing the (pseudo-)
+ random generators for TGK generation, see [FIPS][RAND].
+
+ For the selection of the hash function, SHA-1 with 160-bit output is
+ the default one. In general, hash sizes should be twice the
+ "security level", indicating that SHA-1-256, [SHA256], should be used
+ for the default 128-bit level. However, due to the real-time aspects
+ in the scenarios we are treating, hash sizes slightly below 256 are
+ acceptable, as the normal "existential" collision probabilities would
+ be of secondary importance.
+
+ In a Crypto Session Bundle, the Crypto Sessions can share the same
+ TGK as discussed earlier. From a security point of view, to satisfy
+ the criterion in case the TGK is shared, the encryption of the
+ individual Crypto Sessions are performed "independently". In MIKEY,
+ this is accomplished by having unique Crypto Session identifiers (see
+ also Section 4.1) and a TEK derivation method that provides
+ cryptographically independent TEKs to distinct Crypto Sessions
+ (within the Crypto Session Bundle), regardless of the security
+ protocol used.
+
+ Specifically, the key derivations, as specified in Section 4.1, are
+ implemented by a pseudo-random function. The one used here is a
+ simplified version of that used in TLS [TLS]. Here, only one single
+ hash function is used, whereas TLS uses two different functions.
+ This choice is motivated by the high confidence in the SHA-1 hash
+ function, and by efficiency and simplicity of design (complexity does
+ not imply security). Indeed, as shown in [DBJ], if one of the two
+ hashes is severely broken, the TLS PRF is actually less secure than
+ as if a single hash had been used on the whole key, as is done in
+ MIKEY.
+
+ In the pre-shared key and public-key schemes, the TGK is generated by
+ a single party (Initiator). This makes MIKEY somewhat more sensitive
+ if the Initiator uses a bad random number generator. It should also
+ be noted that neither the pre-shared nor the public-key scheme
+ provides perfect forward secrecy. If mutual contribution or perfect
+ forward secrecy is desired, the Diffie-Hellman method is to be used.
+ Authentication (e.g., signatures) in the Diffie-Hellman method is
+ required to prevent man-in-the-middle attacks.
+
+
+
+
+Arkko, et al. Standards Track [Page 53]
+
+RFC 3830 MIKEY August 2004
+
+
+ Forward/backward security: if the TGK is exposed, all generated TEKs
+ are compromised. However, under the assumption that the derivation
+ function is a pseudo-random function, disclosure of an individual TEK
+ does not compromise other (previous or later) TEKs derived from the
+ same TGK. The Diffie-Hellman mode can be considered by cautious
+ users, as it is the only one that supports so called perfect forward
+ secrecy (PFS). This is in contrast to a compromise of the pre-shared
+ key (or the secret key of the public key mode), where future sessions
+ and recorded sessions from the past are then also compromised.
+
+ The use of random nonces (RANDs) in the key derivation is of utmost
+ importance to counter off-line pre-computation attacks. Note however
+ that update messages re-use the old RAND. This means that the total
+ effective key entropy (relative to pre-computation attacks) for k
+ consecutive key updates, assuming the TGKs and RAND are each n bits
+ long, is about L = n*(k+1)/2 bits, compared to the theoretical
+ maximum of n*k bits. In other words, a 2^L work effort MAY enable an
+ attacker to get all k n-bit keys, which is better than brute force
+ (except when k = 1). While this might seem like a defect, first note
+ that for a proper choice of n, the 2^L complexity of the attack is
+ way out of reach. Moreover, the fact that more than one key can be
+ compromised in a single attack is inherent to the key exchange
+ problem. Consider for instance a user who, using a fixed 1024-bit
+ RSA key, exchanges keys and communicates during a one or two year
+ lifetime of the public key. Breaking this single RSA key will enable
+ access to all exchanged keys and consequently the entire
+ communication of that user over the whole period.
+
+ All the pre-defined transforms in MIKEY use state-of-the-art
+ algorithms that have undergone large amounts of public evaluation.
+ One of the reasons for using the AES-CM from SRTP [SRTP], is to have
+ the possibility of limiting the overall number of different
+ encryption modes and algorithms, while offering a high level of
+ security at the same time.
+
+9.2. Key lifetime
+
+ Even if the lifetime of a TGK (or TEK) is not specified, it MUST be
+ taken into account that the encryption transform in the underlying
+ security protocol can in some way degenerate after a certain amount
+ of encrypted data. It is not possible to here state universally
+ applicable, general key lifetime bounds; each security protocol
+ should define such maximum amount and trigger a re-keying procedure
+ before the "exhaustion" of the key. For example, according to SRTP
+ [SRTP] the TEK, together with the corresponding TGK, MUST be changed
+ at least every 2^48 SRTP packet.
+
+
+
+
+
+Arkko, et al. Standards Track [Page 54]
+
+RFC 3830 MIKEY August 2004
+
+
+ Still, the following can be said as a rule of thumb. If the security
+ protocol uses an "ideal" b-bit block cipher (in CBC mode, counter
+ mode, or a feedback mode, e.g., OFB, with full b-bit feedback),
+ degenerate behavior in the crypto stream, possibly useful for an
+ attacker, is (with constant probability) expected to occur after a
+ total of roughly 2^(b/2) encrypted b-bit blocks (using random IVs).
+ For security margin, re-keying MUST be triggered well in advance
+ compared to the above bound. See [BDJR] for more details.
+
+ For use of a dedicated stream cipher, we refer to the analysis and
+ documentation of said cipher in each specific case.
+
+9.3. Timestamps
+
+ The use of timestamps, instead of challenge-responses, requires the
+ systems to have synchronized clocks. Of course, if two clients are
+ not synchronized, they will have difficulties in setting up the
+ security. The current timestamp based solution has been selected to
+ allow a maximum of one roundtrip (i.e., two messages), but still
+ provide a reasonable replay protection. A (secure) challenge-
+ response based version would require at least three messages. For a
+ detailed description of the timestamp and replay handling in MIKEY,
+ see Section 5.4.
+
+ Practical experiences of Kerberos and other timestamp-based systems
+ indicate that it is not always necessary to synchronize the terminals
+ over the network. Manual configuration could be a feasible
+ alternative in many cases (especially in scenarios where the degree
+ of looseness is high). However, the choice must be made carefully
+ with respect to the usage scenario.
+
+9.4. Identity Protection
+
+ User privacy is a complex matter that to some extent can be enforced
+ by cryptographic mechanisms, but also requires policy enforcement and
+ various other functionalities. One particular facet of privacy is
+ user identity protection. However, identity protection was not a
+ main design goal for MIKEY. Such a feature will add more complexity
+ to the protocol and was therefore not chosen to be included. As
+ MIKEY is anyway proposed to be transported over, e.g., SIP, the
+ identity may be exposed by this. However, if the transporting
+ protocol is secured and also provides identity protection, MIKEY
+ might inherit the same feature. How this should be done is for
+ future study.
+
+
+
+
+
+
+
+Arkko, et al. Standards Track [Page 55]
+
+RFC 3830 MIKEY August 2004
+
+
+9.5. Denial of Service
+
+ This protocol is resistant to Denial of Service attacks in the sense
+ that a Responder does not construct any state (at the key management
+ protocol level) before it has authenticated the Initiator. However,
+ this protocol, like many others, is open to attacks that use spoofed
+ IP addresses to create a large number of fake requests. This may for
+ example, be solved by letting the protocol transporting MIKEY do an
+ IP address validity test. The SIP protocol can provide this using
+ the anonymous authentication challenge mechanism (specified in
+ Section 22.1 of [SIP]).
+
+ It is highly RECOMMENDED to include IDr in the Initiator's message.
+ If not included, its absence can be used for DoS purposes (the
+ largest DoS-impact being on the public key and DH methods), where a
+ message intended for other entities is sent to the target. In fact,
+ the target may verify the signature correctly due to the fact that
+ the Initiator's ID is correct and the message is actually signed by
+ the claimed Initiator (e.g., by re-directing traffic from another
+ session).
+
+ However, in the public key method, the envelop key and the MAC will
+ ensure that the message is not accepted (still, compared to a normal
+ faked message, where the signature verification would detect the
+ problem, one extra public key decryption is needed to detect the
+ problem in this case).
+
+ In the DH method, a message would be accepted (without detecting the
+ error) and a response (and state) would be created for the malicious
+ request.
+
+ As also discussed in Section 5.4, the tradeoff between time
+ synchronization and the size of the replay cache may be affected in
+ case of for example, a flooding DoS attack. However, if the
+ recommendations of using a dynamic size of the replay cache are
+ followed, it is believed that the client will in most cases be able
+ to handle the replay cache. Of course, as the replay cache decreases
+ in size, the required time synchronization is more restricted.
+ However, a bigger problem during such an attack would probably be to
+ process the messages (e.g., verify signatures/MACs) due to the
+ computational workload this implies.
+
+9.6. Session Establishment
+
+ It should be noted that if the session establishment protocol is
+ insecure, there may be attacks on this that will have indirect
+ security implications on the secured media streams. This however
+ only applies to groups (and is not specific to MIKEY). The threat is
+
+
+
+Arkko, et al. Standards Track [Page 56]
+
+RFC 3830 MIKEY August 2004
+
+
+ that one group member may re-direct a stream from one group member to
+ another. This will have the same implication as when a member tries
+ to impersonate another member, e.g., by changing its IP address. If
+ this is seen as a problem, it is RECOMMENDED that a Data Origin
+ Authentication (DOA) scheme (e.g., digital signatures) be applied to
+ the security protocol.
+
+ Re-direction of streams can of course be done even if it is not a
+ group. However, the effect will not be the same as compared to a
+ group where impersonation can be done if DOA is not used. Instead,
+ re-direction will only deny the receiver the possibility of receiving
+ (or just delay) the data.
+
+10. IANA Considerations
+
+ This document defines several new name spaces associated with the
+ MIKEY payloads. This section summarizes the name spaces for which
+ IANA is requested to manage the allocation of values. IANA is
+ requested to record the pre-defined values defined in the given
+ sections for each name space. IANA is also requested to manage the
+ definition of additional values in the future. Unless explicitly
+ stated otherwise, values in the range 0-240 for each name space
+ SHOULD be approved by the process of IETF consensus and values in the
+ range 241-255 are reserved for Private Use, according to [RFC2434].
+
+ The name spaces for the following fields in the Common header payload
+ (from Section 6.1) are requested to be managed by IANA (in bracket is
+ the reference to the table with the initially registered values):
+
+ * version
+
+ * data type (Table 6.1.a)
+
+ * Next payload (Table 6.1.b)
+
+ * PRF func (Table 6.1.c). This name space is between 0-127, where
+ values between 0-111 should be approved by the process of IETF
+ consensus and values between 112-127 are reserved for Private Use.
+
+ * CS ID map type (Table 6.1.d)
+
+ The name spaces for the following fields in the Key data transport
+ payload (from Section 6.2) are requested to be managed by IANA:
+
+ * Encr alg (Table 6.2.a)
+
+ * MAC alg (Table 6.2.b)
+
+
+
+
+Arkko, et al. Standards Track [Page 57]
+
+RFC 3830 MIKEY August 2004
+
+
+ The name spaces for the following fields in the Envelope data payload
+ (from Section 6.3) are requested to be managed by IANA:
+
+ * C (Table 6.3)
+
+ The name spaces for the following fields in the DH data payload (from
+ Section 6.4) are requested to be managed by IANA:
+
+ * DH-Group (Table 6.4)
+
+ The name spaces for the following fields in the Signature payload
+ (from Section 6.5) are requested to be managed by IANA:
+
+ * S type (Table 6.5)
+
+ The name spaces for the following fields in the Timestamp payload
+ (from Section 6.6) are requested to be managed by IANA:
+
+ * TS type (Table 6.6)
+
+ The name spaces for the following fields in the ID payload and the
+ Certificate payload (from Section 6.7) are requested to be managed by
+ IANA:
+
+ * ID type (Table 6.7.a)
+
+ * Cert type (Table 6.7.b)
+
+ The name spaces for the following fields in the Cert hash payload
+ (from Section 6.8) are requested to be managed by IANA:
+
+ * Hash func (Table 6.8)
+
+ The name spaces for the following fields in the Security policy
+ payload (from Section 6.10) are requested to be managed by IANA:
+
+ * Prot type (Table 6.10)
+
+ For each security protocol that uses MIKEY, a set of unique
+ parameters MAY be registered.
+
+ From Section 6.10.1.
+
+ * SRTP Type (Table 6.10.1.a)
+
+ * SRTP encr alg (Table 6.10.1.b)
+
+ * SRTP auth alg (Table 6.10.1.c)
+
+
+
+Arkko, et al. Standards Track [Page 58]
+
+RFC 3830 MIKEY August 2004
+
+
+ * SRTP PRF (Table 6.10.1.d)
+
+ * FEC order (Table 6.10.1.e)
+
+ The name spaces for the following fields in the Error payload (from
+ Section 6.12) are requested to be managed by IANA:
+
+ * Error no (Table 6.12)
+
+ The name spaces for the following fields in the Key data payload
+ (from Section 6.13) are requested to be managed by IANA:
+
+ * Type (Table 6.13.a). This name space is between 0-16, which
+ should be approved by the process of IETF consensus.
+
+ * KV (Table 6.13.b). This name space is between 0-16, which should
+ be approved by the process of IETF consensus.
+
+ The name spaces for the following fields in the General Extensions
+ payload (from Section 6.15) are requested to be managed by IANA:
+
+ * Type (Table 6.15).
+
+10.1. MIME Registration
+
+ This section gives instructions to IANA to register the
+ application/mikey MIME media type. This registration is as follows:
+
+ MIME media type name : application
+ MIME subtype name : mikey
+ Required parameters : none
+ Optional parameters : version
+ version: The MIKEY version number of the enclosed message
+ (e.g., 1). If not present, the version defaults to 1.
+ Encoding Considerations : binary, base64 encoded
+ Security Considerations : see section 9 in this memo
+ Interoperability considerations : none
+ Published specification : this memo
+
+11. Acknowledgments
+
+ The authors would like to thank Mark Baugher, Ran Canetti, Martin
+ Euchner, Steffen Fries, Peter Barany, Russ Housley, Pasi Ahonen (with
+ his group), Rolf Blom, Magnus Westerlund, Johan Bilien, Jon-Olov
+ Vatn, Erik Eliasson, and Gerhard Strangar for their valuable
+ feedback.
+
+
+
+
+
+Arkko, et al. Standards Track [Page 59]
+
+RFC 3830 MIKEY August 2004
+
+
+12. References
+
+12.1. Normative References
+
+ [HMAC] Krawczyk, H., Bellare, M., and R. Canetti, "HMAC: Keyed-
+ Hashing for Message Authentication", RFC 2104, February
+ 1997.
+
+ [NAI] Aboba, B. and M. Beadles, "The Network Access Identifier",
+ RFC 2486, January 1999.
+
+ [OAKLEY] Orman, H., "The OAKLEY Key Determination Protocol", RFC
+ 2412, November 1998.
+
+ [PSS] PKCS #1 v2.1 - RSA Cryptography Standard, RSA Laboratories,
+ June 14, 2002, www.rsalabs.com
+
+ [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
+ Requirement Levels", BCP 14, RFC 2119, March 1997.
+
+ [RFC2434] Narten, T. and H. Alvestrand, "Guidelines for Writing an
+ IANA Considerations Section in RFCs", BCP 26, RFC 2434,
+ October 1998.
+
+ [SHA-1] NIST, FIPS PUB 180-1: Secure Hash Standard, April 1995.
+
+ [SRTP] Baugher, M., McGrew, D., Naslund, M., Carrara, E., and K.
+ Norrman, "The Secure Real Time Transport Protocol", RFC
+ 3711, March 2004.
+
+ [URI] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform
+ Resource Identifiers (URI): Generic Syntax", RFC 2396,
+ August 1998.
+
+ [X.509] Housley, R., Polk, W., Ford, W., and D. Solo, "Internet
+ X.509 Public Key Infrastructure Certificate and Certificate
+ Revocation List (CRL) Profile", RFC 3280, April 2002.
+
+ [AESKW] Schaad, J. and R. Housley, "Advanced Encryption Standard
+ (AES) Key Wrap Algorithm", RFC 3394, September 2002.
+
+
+
+
+
+
+
+
+
+
+
+Arkko, et al. Standards Track [Page 60]
+
+RFC 3830 MIKEY August 2004
+
+
+12.2. Informative References
+
+ [AKE] Canetti, R. and H. Krawczyk, "Analysis of Key-Exchange
+ Protocols and their use for Building Secure Channels",
+ Eurocrypt 2001, LNCS 2054, pp. 453-474, 2001.
+
+ [BDJR] Bellare, M., Desai, A., Jokipii, E., and P. Rogaway, "A
+ Concrete Analysis of Symmetric Encryption: Analysis of the
+ DES Modes of Operation", in Proceedings of the 38th
+ Symposium on Foundations of Computer Science, IEEE, 1997,
+ pp. 394-403.
+
+ [BMGL] Hastad, J. and M. Naslund: "Practical Construction and
+ Analysis of Pseduo-randomness Primitives", Proceedings of
+ Asiacrypt 2001, LNCS. vol 2248, pp. 442-459, 2001.
+
+ [DBJ] Johnson, D.B., "Theoretical Security Concerns with TLS use
+ of MD5", Contribution to ANSI X9F1 WG, 2001.
+
+ [FIPS] "Security Requirements for Cryptographic Modules", Federal
+ Information Processing Standard Publications (FIPS PUBS)
+ 140-2, December 2002.
+
+ [GKMARCH] Baugher, M., Canetti, R., Dondeti, L., and F. Lindholm,
+ "Group Key Management Architecture", Work in Progress.
+
+ [GDOI] Baugher, M., Weis, B., Hardjono, T., and H. Harney, "The
+ Group Domain of Interpretation", RFC 3547, July 2003.
+
+ [GSAKMP] Harney, H., Colegrove, A., Harder, E., Meth, U., and R.
+ Fleischer, "Group Secure Association Key Management
+ Protocol", Work in Progress.
+
+ [HAC] Menezes, A., van Oorschot, P., and S. Vanstone, "Handbook
+ of Applied Cryptography", CRC press, 1996.
+
+ [IKE] Harkins, D. and D. Carrel, "The Internet Key Exchange
+ (IKE)", RFC 2409, November 1998.
+
+ [ISO1] ISO/IEC 9798-3: 1997, Information technology - Security
+ techniques - Entity authentication - Part 3: Mechanisms
+ using digital signature techniques.
+
+ [ISO2] ISO/IEC 11770-3: 1997, Information technology - Security
+ techniques - Key management - Part 3: Mechanisms using
+ digital signature techniques.
+
+
+
+
+
+Arkko, et al. Standards Track [Page 61]
+
+RFC 3830 MIKEY August 2004
+
+
+ [ISO3] ISO/IEC 18014 Information technology - Security techniques
+ - Time-stamping services, Part 1-3.
+
+ [KMASDP] Arkko, J., Carrara, E., Lindholm, F., Naslund, M., and K.
+ Norrman, "Key Management Extensions for SDP and RTSP", Work
+ in Progress.
+
+ [LOA] Burrows, Abadi, and Needham, "A logic of authentication",
+ ACM Transactions on Computer Systems 8 No.1 (Feb. 1990),
+ 18-36.
+
+ [LV] Lenstra, A. K. and E. R. Verheul, "Suggesting Key Sizes for
+ Cryptosystems", http://www.cryptosavvy.com/suggestions.htm
+
+ [NTP] Mills, D., "Network Time Protocol (Version 3)
+ Specification, Implementation and Analysis", RFC 1305,
+ March 1992.
+
+ [OCSP] Myers, M., Ankney, R., Malpani, A., Galperin, S., and C.
+ Adams, "X.509 Internet Public Key Infrastructure Online
+ Certificate Status Protocol - OCSP", RFC 2560, June 1999.
+
+ [RAND] Eastlake, 3rd, D., Crocker, S., and J. Schiller,
+ "Randomness Requirements for Security", RFC 1750, December
+ 1994.
+
+ [RTSP] Schulzrinne, H., Rao, A., and R. Lanphier, "Real Time
+ Streaming Protocol (RTSP)", RFC 2326, April 1998.
+
+ [SDP] Handley, M. and V. Jacobson, "SDP: Session Description
+ Protocol", RFC 2327, April 1998.
+
+ [SHA256] NIST, "Description of SHA-256, SHA-384, and SHA-512",
+ http://csrc.nist.gov/encryption/shs/sha256-384-512.pdf
+
+ [SIP] Rosenberg, J., Schulzrinne, H., Camarillo, G., Johnston,
+ A., Peterson, J., Sparks, R., Handley, M., and E. Schooler,
+ "SIP: Session Initiation Protocol", RFC 3261, June 2002.
+
+ [TLS] Dierks, T. and C. Allen, "The TLS Protocol - Version 1.0",
+ RFC 2246, January 1999.
+
+
+
+
+
+
+
+
+
+
+Arkko, et al. Standards Track [Page 62]
+
+RFC 3830 MIKEY August 2004
+
+
+Appendix A. MIKEY - SRTP Relation
+
+ The terminology in MIKEY differs from the one used in SRTP as MIKEY
+ needs to be more general, nor is tight to SRTP only. Therefore, it
+ might be hard to see the relations between keys and parameters
+ generated in MIKEY and those used by SRTP. This section provides
+ some hints on their relation.
+
+ MIKEY | SRTP
+ -------------------------------------------------
+ Crypto Session | SRTP stream (typically with related SRTCP stream)
+ Data SA | input to SRTP's crypto context
+ TEK | SRTP master key
+
+ The Data SA is built up by a TEK and the security policy exchanged.
+ SRTP may use an MKI to index the TEK or TGK (the TEK is then derived
+ from the TGK that is associated with the corresponding MKI), see
+ below.
+
+A.1. MIKEY-SRTP Interactions
+
+ In the following, we give a brief outline of the interface between
+ SRTP and MIKEY and the processing that takes place. We describe the
+ SRTP receiver side only, the sender side will require analogous
+ interfacing.
+
+ 1. When an SRTP packet arrives at the receiver and is processed, the
+ triple <SSRC, destination address, destination port> is extracted
+ from the packet and used to retrieve the correct SRTP crypto
+ context, hence the Data SA. (The actual retrieval can, for
+ example, be done by an explicit request from the SRTP
+ implementation to MIKEY, or, by the SRTP implementation accessing
+ a "database", maintained by MIKEY. The application will typically
+ decide which implementation is preferred.)
+
+ 2. If an MKI is present in the SRTP packet, it is used to point to
+ the correct key within the SA. Alternatively, if SRTP's <From,
+ To> feature is used, the ROC||SEQ of the packet is used to
+ determine the correct key.
+
+ 3. Depending on whether the key sent in MIKEY (as obtained in step 2)
+ was a TEK or a TGK, there are now two cases.
+
+ - If the key obtained in step 2 is the TEK itself, it is used
+ directly by SRTP as a master key.
+
+
+
+
+
+
+Arkko, et al. Standards Track [Page 63]
+
+RFC 3830 MIKEY August 2004
+
+
+ - If the key instead is a TGK, the mapping with the CS_ID
+ (internal to MIKEY, Section 6.1.1) allows MIKEY to compute the
+ correct TEK from the TGK as described in Section 4.1 before
+ SRTP uses it.
+
+ If multiple TGKs (or TEKs) are sent, it is RECOMMENDED that each TGK
+ (or TEK) be associated with a distinct MKI. It is RECOMMENDED that
+ the use of <From, To> in this scenario be limited to very simple
+ cases, e.g., one stream only.
+
+ Besides the actual master key, other information in the Data SA
+ (e.g., transform identifiers) will of course also be communicated
+ from MIKEY to SRTP.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Arkko, et al. Standards Track [Page 64]
+
+RFC 3830 MIKEY August 2004
+
+
+Authors' Addresses
+
+ Jari Arkko
+ Ericsson Research
+ 02420 Jorvas
+ Finland
+
+ Phone: +358 40 5079256
+ EMail: jari.arkko@ericsson.com
+
+
+ Elisabetta Carrara
+ Ericsson Research
+ SE-16480 Stockholm
+ Sweden
+
+ Phone: +46 8 50877040
+ EMail: elisabetta.carrara@ericsson.com
+
+
+ Fredrik Lindholm
+ Ericsson Research
+ SE-16480 Stockholm
+ Sweden
+
+ Phone: +46 8 58531705
+ EMail: fredrik.lindholm@ericsson.com
+
+
+ Mats Naslund
+ Ericsson Research
+ SE-16480 Stockholm
+ Sweden
+
+ Phone: +46 8 58533739
+ EMail: mats.naslund@ericsson.com
+
+
+ Karl Norrman
+ Ericsson Research
+ SE-16480 Stockholm
+ Sweden
+
+ Phone: +46 8 4044502
+ EMail: karl.norrman@ericsson.com
+
+
+
+
+
+
+Arkko, et al. Standards Track [Page 65]
+
+RFC 3830 MIKEY August 2004
+
+
+Full Copyright Statement
+
+ Copyright (C) The Internet Society (2004). This document is subject
+ to the rights, licenses and restrictions contained in BCP 78, and
+ except as set forth therein, the authors retain all their rights.
+
+ This document and the information contained herein are provided on an
+ "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
+ OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
+ ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
+ INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
+ INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
+ WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+
+Intellectual Property
+
+ The IETF takes no position regarding the validity or scope of any
+ Intellectual Property Rights or other rights that might be claimed to
+ pertain to the implementation or use of the technology described in
+ this document or the extent to which any license under such rights
+ might or might not be available; nor does it represent that it has
+ made any independent effort to identify any such rights. Information
+ on the procedures with respect to rights in RFC documents can be
+ found in BCP 78 and BCP 79.
+
+ Copies of IPR disclosures made to the IETF Secretariat and any
+ assurances of licenses to be made available, or the result of an
+ attempt made to obtain a general license or permission for the use of
+ such proprietary rights by implementers or users of this
+ specification can be obtained from the IETF on-line IPR repository at
+ http://www.ietf.org/ipr.
+
+ The IETF invites any interested party to bring to its attention any
+ copyrights, patents or patent applications, or other proprietary
+ rights that may cover technology that may be required to implement
+ this standard. Please address the information to the IETF at ietf-
+ ipr@ietf.org.
+
+Acknowledgement
+
+ Funding for the RFC Editor function is currently provided by the
+ Internet Society.
+
+
+
+
+
+
+
+
+
+Arkko, et al. Standards Track [Page 66]
+