summaryrefslogtreecommitdiff
path: root/doc/rfc/rfc7425.txt
diff options
context:
space:
mode:
Diffstat (limited to 'doc/rfc/rfc7425.txt')
-rw-r--r--doc/rfc/rfc7425.txt2747
1 files changed, 2747 insertions, 0 deletions
diff --git a/doc/rfc/rfc7425.txt b/doc/rfc/rfc7425.txt
new file mode 100644
index 0000000..e988f67
--- /dev/null
+++ b/doc/rfc/rfc7425.txt
@@ -0,0 +1,2747 @@
+
+
+
+
+
+
+Independent Submission M. Thornburgh
+Request for Comments: 7425 Adobe
+Category: Informational December 2014
+ISSN: 2070-1721
+
+
+ Adobe's RTMFP Profile for Flash Communication
+
+Abstract
+
+ This memo describes how to use Adobe's Secure Real-Time Media Flow
+ Protocol (RTMFP) to transport the video, audio, and data messages of
+ Adobe Flash platform communications. Aspects of this application
+ profile include cryptographic methods and data formats, flow metadata
+ formats, and protocol details for client-server and peer-to-peer
+ communication.
+
+Status of This Memo
+
+ This document is not an Internet Standards Track specification; it is
+ published for informational purposes.
+
+ This is a contribution to the RFC Series, independently of any other
+ RFC stream. The RFC Editor has chosen to publish this document at
+ its discretion and makes no statement about its value for
+ implementation or deployment. Documents approved for publication by
+ the RFC Editor are not a candidate for any level of Internet
+ Standard; see Section 2 of RFC 5741.
+
+ Information about the current status of this document, any errata,
+ and how to provide feedback on it may be obtained at
+ http://www.rfc-editor.org/info/rfc7425.
+
+Copyright Notice
+
+ Copyright (c) 2014 IETF Trust and the persons identified as the
+ document authors. All rights reserved.
+
+ This document is subject to BCP 78 and the IETF Trust's Legal
+ Provisions Relating to IETF Documents
+ (http://trustee.ietf.org/license-info) in effect on the date of
+ publication of this document. Please review these documents
+ carefully, as they describe your rights and restrictions with respect
+ to this document.
+
+ This document may not be modified, and derivative works of it may not
+ be created, except to format it for publication as an RFC or to
+ translate it into languages other than English.
+
+
+
+Thornburgh Informational [Page 1]
+
+RFC 7425 Adobe RTMFP for Flash Communication December 2014
+
+
+Table of Contents
+
+ 1. Introduction ....................................................3
+ 2. Terminology .....................................................4
+ 3. Common Syntax Elements ..........................................4
+ 4. Cryptography Profile ............................................5
+ 4.1. Default Session Key ........................................5
+ 4.2. Diffie-Hellman Groups ......................................6
+ 4.3. Certificates ...............................................6
+ 4.3.1. Format ..............................................6
+ 4.3.2. Fingerprint .........................................7
+ 4.3.3. Options .............................................7
+ 4.3.3.1. Hostname ...................................8
+ 4.3.3.2. Accepts Ancillary Data .....................8
+ 4.3.3.3. Extra Randomness ...........................8
+ 4.3.3.4. Supported Ephemeral Diffie-Hellman Group ...9
+ 4.3.3.5. Static Diffie-Hellman Public Key ...........9
+ 4.3.4. Authenticity .......................................10
+ 4.3.5. Signing and Verifying Messages .....................10
+ 4.3.5.1. Options ...................................11
+ 4.3.5.1.1. Simple Password ................11
+ 4.3.6. Glare Resolution ...................................13
+ 4.3.7. Session Override ...................................13
+ 4.4. Endpoint Discriminators ...................................13
+ 4.4.1. Format .............................................14
+ 4.4.2. Options ............................................14
+ 4.4.2.1. Required Hostname .........................15
+ 4.4.2.2. Ancillary Data ............................15
+ 4.4.2.3. Fingerprint ...............................16
+ 4.4.3. Certificate Selection ..............................16
+ 4.4.4. Canonical Endpoint Discriminator ...................17
+ 4.5. Session Keying Components .................................18
+ 4.5.1. Format .............................................19
+ 4.5.2. Options ............................................19
+ 4.5.2.1. Ephemeral Diffie-Hellman Public Key .......20
+ 4.5.2.2. Extra Randomness ..........................20
+ 4.5.2.3. Diffie-Hellman Group Select ...............21
+ 4.5.2.4. HMAC Negotiation ..........................21
+ 4.5.2.5. Session Sequence Number Negotiation .......22
+ 4.6. Session Key Computation ...................................23
+ 4.6.1. Public Key Selection ...............................23
+ 4.6.1.1. Initiator and Responder Ephemeral .........23
+ 4.6.1.2. Initiator Ephemeral and Responder Static ..23
+ 4.6.1.3. Initiator Static and Responder Ephemeral ..24
+ 4.6.1.4. Initiator and Responder Static ............24
+ 4.6.2. Diffie-Hellman Shared Secret .......................24
+ 4.6.3. Packet Encrypt/Decrypt Keys ........................25
+ 4.6.4. Packet HMAC Send/Receive Keys ......................25
+
+
+
+Thornburgh Informational [Page 2]
+
+RFC 7425 Adobe RTMFP for Flash Communication December 2014
+
+
+ 4.6.5. Session Nonces .....................................26
+ 4.6.6. Session Sequence Number ............................26
+ 4.7. Packet Encryption .........................................27
+ 4.7.1. Cipher .............................................27
+ 4.7.2. Format .............................................27
+ 4.7.3. Verification .......................................29
+ 4.7.3.1. Simple Checksum ...........................30
+ 4.7.3.2. HMAC ......................................30
+ 4.7.3.3. Session Sequence Number ...................31
+ 5. Flash Communication ............................................31
+ 5.1. RTMP Messages .............................................31
+ 5.1.1. Flow Metadata ......................................32
+ 5.1.2. Message Mapping ....................................34
+ 5.2. Flow Synchronization ......................................35
+ 5.3. Client-to-Server Connection ...............................36
+ 5.3.1. Connecting .........................................36
+ 5.3.2. Server-to-Client Return Control Flow ...............37
+ 5.3.3. setPeerInfo Command ................................37
+ 5.3.4. Set Keepalive Timers Command .......................39
+ 5.3.5. Additional Flows for Streams .......................40
+ 5.3.5.1. To Server .................................40
+ 5.3.5.2. From Server ...............................40
+ 5.3.5.3. Closing Stream Flows ......................41
+ 5.3.6. Closing the Connection .............................41
+ 5.3.7. Example ............................................42
+ 5.4. Direct Peer-to-Peer Streams ...............................43
+ 5.4.1. Connecting .........................................43
+ 5.4.2. Return Flows for Stream ............................43
+ 5.4.3. Closing the Connection .............................44
+ 6. IANA Considerations ............................................44
+ 6.1. RTMFP URI Scheme Registration .............................44
+ 7. Security Considerations ........................................46
+ 8. References .....................................................47
+ 8.1. Normative References ......................................47
+ 8.2. Informative References ....................................49
+ Acknowledgements ..................................................49
+ Author's Address ..................................................49
+
+1. Introduction
+
+ Adobe's Secure Real-Time Media Flow Protocol (RTMFP) [RFC7016] is a
+ general-purpose transport service for real-time media and bulk data
+ in IP networks, and it is suited to client-server and peer-to-peer
+ (P2P) communication. RTMFP provides a generalized framework for
+ securing its communications according to the needs of its
+ application.
+
+
+
+
+
+Thornburgh Informational [Page 3]
+
+RFC 7425 Adobe RTMFP for Flash Communication December 2014
+
+
+ The Flash platform comprises the Flash runtime (including Flash
+ Player) from Adobe Systems Incorporated, communication servers such
+ as Adobe Media Server, and interoperable clients and servers provided
+ by other parties.
+
+ Real-time streaming network communication for the Flash platform of
+ video, audio, and data typically uses Adobe's Real-Time Messaging
+ Protocol (RTMP) [RTMP] messages. RTMP messages were originally
+ designed to be transported over RTMP Chunk Stream in TCP [RTMP];
+ however, other transports (such as the one described in this memo)
+ are possible.
+
+ This memo specifies the syntax and semantics for transporting RTMP
+ messages over RTMFP, and it extends Flash communication semantics to
+ include direct P2P communication. This memo further specifies a
+ concrete Cryptography Profile for RTMFP tailored to the application
+ and cryptographic needs of Flash platform client-server and P2P
+ communications.
+
+ These protocols and profiles were developed by Adobe Systems
+ Incorporated and are not the product of an IETF activity.
+
+2. Terminology
+
+ The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
+ "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
+ "OPTIONAL" in this document are to be interpreted as described in
+ [RFC2119].
+
+ "HMAC" means the Keyed-Hash Message Authentication Code (HMAC)
+ algorithm [RFC2104].
+
+ "HMAC-SHA256" means HMAC using the SHA-256 Secure Hash Algorithm
+ [SHA256] [RFC6234].
+
+ "HMAC-SHA256(K, M)" means the calculation of the HMAC-SHA256 of
+ message M using key K.
+
+3. Common Syntax Elements
+
+ Definitions of types and structures in this specification use
+ traditional text diagrams paired with procedural descriptions using a
+ C-like syntax. The C-like procedural descriptions SHALL be construed
+ as definitive.
+
+
+
+
+
+
+
+Thornburgh Informational [Page 4]
+
+RFC 7425 Adobe RTMFP for Flash Communication December 2014
+
+
+ Structures are packed to take only as many bytes as explicitly
+ indicated. There is no 32-bit alignment constraint, and fields are
+ not padded for alignment unless explicitly indicated or described.
+ Text diagrams may include a bit ruler across the top; this is a
+ convenience for counting bits in individual fields and does not
+ necessarily imply field alignment on a multiple of the ruler width.
+
+ Unless specified otherwise, reserved fields SHOULD be set to 0 by a
+ sender and MUST be ignored by a receiver.
+
+ The procedural syntax of this specification defines correct and
+ error-free encoded inputs to a parser. The procedural syntax does
+ not describe a fully featured parser, including error detection and
+ handling. Implementations MUST include means to identify error
+ circumstances, including truncations causing elementary or composed
+ types not to fit inside containing structures, fields, or elements.
+ Unless specified otherwise, an error circumstance SHALL abort the
+ parsing and processing of an element and its enclosing elements.
+
+ This memo uses the elementary and composed types described in
+ Section 2.1 of RFC 7016. The definitions of that section are
+ incorporated by reference as though fully set forth here.
+
+4. Cryptography Profile
+
+ RTMFP defines a general security framework but delegates specifics,
+ such as packet encryption ciphers and key agreement algorithms, to an
+ application-defined Cryptography Profile.
+
+ This section defines the RTMFP Cryptography Profile for Flash
+ platform communication.
+
+4.1. Default Session Key
+
+ RTMFP uses a Default Session Key and associated default cipher
+ configuration during session startup handshaking, where session-
+ specific keys and ciphers are negotiated.
+
+ The default cipher is the Advanced Encryption Standard [AES] with
+ 128-bit keys operating in Cipher Block Chaining [CBC] mode, as
+ described in Section 4.7.1. The Default Session Key is the 16 bytes
+ of the string "Adobe Systems 02" encoded in UTF-8 [RFC3629]:
+
+ Hex: 41 64 6F 62 65 20 53 79 73 74 65 6D 73 20 30 32
+
+ The Default Session Key uses checksum mode for packet verification
+ and does not use session sequence numbers (Section 4.7.3).
+
+
+
+
+Thornburgh Informational [Page 5]
+
+RFC 7425 Adobe RTMFP for Flash Communication December 2014
+
+
+4.2. Diffie-Hellman Groups
+
+ Implementations conforming to this profile MUST support Diffie-
+ Hellman [DH] modular exponentiation (MODP) group 2 (1024 bits) as
+ defined in [RFC7296], and SHOULD support Diffie-Hellman MODP group 5
+ (1536 bits) and group 14 (2048 bits) as defined in [RFC3526].
+ Implementations MAY support additional groups.
+
+4.3. Certificates
+
+ This section defines the certificate format for this Cryptography
+ Profile, and the mapping to the abstract properties and semantics for
+ RTMFP endpoint identities.
+
+4.3.1. Format
+
+ A certificate in this profile is encoded as a sequence of zero or
+ more RTMFP Options and Markers (Section 2.1.3 of RFC 7016). The
+ first marker (if any) in the certificate separates the canonical
+ section of the certificate from the remainder. Some options are
+ ignored if they occur outside of the canonical section (that is,
+ after the first marker).
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Thornburgh Informational [Page 6]
+
+RFC 7425 Adobe RTMFP for Flash Communication December 2014
+
+
+ +~~~/~~~/~~~+ +~~~/~~~/~~~+~~~~~+~~~/~~~/~~~+ +~~~/~~~/~~~+
+ | L \ T \ V |...| L \ T \ V | 0 | L \ T \ V |...| L \ T \ V |
+ +~~~/~~~/~~~+ +~~~/~~~/~~~+~~~~~+~~~/~~~/~~~+ +~~~/~~~/~~~+
+ ^ ^ ^ ^ ^
+ | Zero or more non-empty | | | Zero or more Options |
+ | Options | | +------ or Markers -------+
+ | | |
+ +--- Canonical Section ---+ +---- First Marker
+ (if present)
+
+ struct certificate_t
+ {
+ canonicalStart = remainder();
+ canonicalEnd = remainder();
+ markerFound = false;
+
+ while(remainder() > 0)
+ {
+ option_t option :variable*8;
+
+ if(0 == option.length)
+ markerFound = true;
+ else if(!markerFound)
+ canonicalEnd = remainder();
+ };
+
+ canonicalSectionLength = canonicalStart - canonicalEnd;
+ } :variable*8;
+
+4.3.2. Fingerprint
+
+ A certificate's fingerprint is the SHA-256 hash [SHA256] of the
+ canonical section of the certificate (that is, the hash of the first
+ canonicalSectionLength bytes of the certificate).
+
+ The certificate's fingerprint is also called the "peer ID".
+
+4.3.3. Options
+
+ This section lists options that can appear in a certificate. The
+ following option type codes are defined:
+
+ 0x00: Hostname (must be in canonical section) (Section 4.3.3.1)
+
+ 0x0a: Accepts Ancillary Data (must be in canonical section)
+ (Section 4.3.3.2)
+
+ 0x0e: Extra Randomness (Section 4.3.3.3)
+
+
+
+Thornburgh Informational [Page 7]
+
+RFC 7425 Adobe RTMFP for Flash Communication December 2014
+
+
+ 0x15: Supported Ephemeral Diffie-Hellman Group (must be in
+ canonical section) (Section 4.3.3.4)
+
+ 0x1d: Static Diffie-Hellman Public Key (must be in canonical
+ section) (Section 4.3.3.5)
+
+ An implementation MUST ignore a certificate option type that is not
+ understood.
+
+4.3.3.1. Hostname
+
+ This option gives an optional hostname for the endpoint. This option
+ MUST be ignored if is not in the canonical section. This option MUST
+ NOT occur more than once in a certificate.
+
+ +-------------/-+-------------/-+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~+
+ | length \ | 0x00 \ | hostname |
+ +-------------/-+-------------/-+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~/
+
+ struct hostnameCertOptionValue_t
+ {
+ uint8_t hostname[remainder()];
+ } :remainder()*8;
+
+4.3.3.2. Accepts Ancillary Data
+
+ This option indicates that the endpoint will accept an Endpoint
+ Discriminator encoding an Ancillary Data option (Section 4.4.2.2).
+ This option MUST be ignored if it is not in the canonical section.
+
+ +-------------/-+-------------/-+
+ | length \ | 0x0a \ |
+ +-------------/-+-------------/-+
+
+4.3.3.3. Extra Randomness
+
+ This option can be used to add extra entropy or randomness to a
+ certificate that doesn't have any other cryptographic pseudorandom
+ members (such as a public key). This option is typically used so
+ that endpoints using ephemeral Diffie-Hellman keying can have a
+ unique certificate fingerprint.
+
+
+
+
+
+
+
+
+
+
+Thornburgh Informational [Page 8]
+
+RFC 7425 Adobe RTMFP for Flash Communication December 2014
+
+
+ +-------------/-+-------------/-+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~+
+ | length \ | 0x0e \ | extra randomness |
+ +-------------/-+-------------/-+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~/
+
+ struct extraRandomnessCertOptionValue_t
+ {
+ uint_t extraRandomness[remainder()];
+ } :remainder()*8;
+
+4.3.3.4. Supported Ephemeral Diffie-Hellman Group
+
+ This option specifies a Diffie-Hellman group ID that is supported for
+ ephemeral keying. This option MUST be ignored if it is not in the
+ canonical section. This option may occur more than once in the
+ certificate; each instance indicates an additional group that is
+ supported for key agreement.
+
+ +-------------/-+-------------/-+-------------/-+
+ | length \ | 0x15 \ | group ID \ |
+ +-------------/-+-------------/-+-------------/-+
+
+ struct ephemeralDHGroupCertOptionValue_t
+ {
+ vlu_t groupID :variable*8;
+ } :variable*8;
+
+ The presence of this option means that the certificate uses ephemeral
+ Diffie-Hellman public keys only. The certificate MUST NOT contain a
+ Static Diffie-Hellman public key (Section 4.3.3.5).
+
+4.3.3.5. Static Diffie-Hellman Public Key
+
+ This option specifies a Diffie-Hellman group ID and static public key
+ in that group. This option MUST be ignored if it is not in the
+ canonical section. This option MAY occur more than once in the
+ certificate; however, this option SHOULD NOT occur more than once for
+ each group ID. The behavior for specifying more than one public key
+ per group ID is not defined.
+
+
+
+
+
+
+
+
+
+
+
+
+
+Thornburgh Informational [Page 9]
+
+RFC 7425 Adobe RTMFP for Flash Communication December 2014
+
+
+ +-------------/-+-------------/-+-------------/-+
+ | length \ | 0x1d \ | group ID \ |
+ +-------------/-+-------------/-+-------------/-+
+ +------------------------------------------------------------------+
+ | Diffie-Hellman Public Key |
+ +------------------------------------------------------------------/
+
+ struct staticDHPublicKeyCertOptionValue_t
+ {
+ vlu_t groupID :variable*8;
+ uintn_t publicKey :remainder()*8; // network byte order
+ } :remainder()*8;
+
+ The presence of this option means that the certificate uses static
+ Diffie-Hellman public keys only. The certificate MUST NOT contain
+ any Supported Ephemeral Diffie-Hellman Group options
+ (Section 4.3.3.4).
+
+4.3.4. Authenticity
+
+ This profile does not use a public key infrastructure, nor are there
+ signing keys present in certificates. Therefore, any properly
+ encoded certificate is considered authentic according to Section 3.2
+ of RFC 7016.
+
+ A certificate containing a static public key can only be used
+ successfully for session communication if the holder of the
+ certificate actually holds the private key associated with the public
+ key. Authenticity of an identity and its peer ID (Section 4.3.2)
+ having a certificate containing a static public key is implied by
+ successful encrypted communication with the associated endpoint
+ (Section 4.6).
+
+ See Section 7 for further discussion of security issues related to
+ identities.
+
+4.3.5. Signing and Verifying Messages
+
+ RTMFP Initiator Initial Keying and Responder Initial Keying messages
+ have a field for the sender's digital signature of the keying
+ parameters (Sections 2.3.7 and 2.3.8 of RFC 7016). In this profile,
+ the signature field of those messages is encoded as a sequence of
+ zero or more RTMFP Options.
+
+
+
+
+
+
+
+
+Thornburgh Informational [Page 10]
+
+RFC 7425 Adobe RTMFP for Flash Communication December 2014
+
+
+ +~~~/~~~/~~~~~~~+ +~~~/~~~/~~~~~~~+
+ | L \ T \ V |...............| L \ T \ V |
+ +~~~/~~~/~~~~~~~+ +~~~/~~~/~~~~~~~+
+ ^ ^
+ +------------- Zero or more Options ----------+
+
+ struct initialKeyingSignature_t
+ {
+ while(remainder() > 0)
+ option_t option :variable*8;
+ } :remainder()*8;
+
+ If a signer has no signature options to send, it MAY encode a
+ signature as a UTF-8 capital "X" (hex 58) or as empty. A verifier
+ MUST interpret a malformed signature field or a signature field
+ consisting only of a UTF-8 capital "X" as though it was empty.
+
+ If a verifier does not require a signature, it SHALL consider any
+ signature field (including an empty or malformed one) to be valid. A
+ verifier MAY require a signature comprising one or more non-empty
+ options that are valid according to their respective types.
+
+ This profile does not use a public key infrastructure, nor are there
+ signing keys present in certificates. Section 4.3.5.1.1 defines a
+ simple ID/password credential system.
+
+4.3.5.1. Options
+
+ This section lists options that can appear in an RTMFP Initial Keying
+ signature field. The following option type code is defined:
+
+ 0x1d: Simple Password (Section 4.3.5.1.1)
+
+ Future or derived profiles may define additional signature field
+ options and semantics; therefore, a verifier SHOULD ignore option
+ types that are not understood.
+
+4.3.5.1.1. Simple Password
+
+ This option encodes a password identifier (such as a user name, or an
+ application-specific or implementation-specific selector) and an HMAC
+ over the signed parameters using the identified password as the HMAC
+ key. This option can occur more than once (for example, to allow
+ interoperation between a current and a previous version of an
+ implementation using implementation-specific passwords).
+
+
+
+
+
+
+Thornburgh Informational [Page 11]
+
+RFC 7425 Adobe RTMFP for Flash Communication December 2014
+
+
+ To support the versioning use case, a verifier SHOULD ignore a Simple
+ Password option encoding an unrecognized password identifier. A
+ verifier SHOULD treat the entire signature as invalid if any Simple
+ Password option encodes a recognized password identifier with an
+ invalid password HMAC.
+
+ 0 1 2 3 4 5 6 7|0 1 2 3 4 5 6 7|0 1 2 3 4 5 6 7|0 1 2 3 4 5 6 7
+ +-------------/-+-------------/-+
+ | length \ | 0x1d \ |
+ +-------------/-+-------------/-+
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | |
+ + - - - - - - - + - - - - - - - + - - - - - - - + - - - - - - - +
+ | |
+ + - - - - - - - + - - - - - - - + - - - - - - - + - - - - - - - +
+ | |
+ + - - - - - - - + - - - - - - - + - - - - - - - + - - - - - - - +
+ | hmacSHA256 |
+ + - - - - - - - + - - - - - - - + - - - - - - - + - - - - - - - +
+ | |
+ + - - - - - - - + - - - - - - - + - - - - - - - + - - - - - - - +
+ | |
+ + - - - - - - - + - - - - - - - + - - - - - - - + - - - - - - - +
+ | |
+ + - - - - - - - + - - - - - - - + - - - - - - - + - - - - - - - +
+ | |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~+
+ | passwordID |
+ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~/
+
+ struct simplePasswordSignatureOptionValue_t
+ {
+ uint8_t hmacSHA256[32];
+ uint8_t passwordID[remainder()];
+ } :remainder()*8;
+
+ hmacSHA256: HMAC-SHA256(K, M), where K is the password associated
+ with passwordID, and M is the signed parameters.
+
+ passwordID: The identifier (such as a user name) for the password
+ used as the HMAC key.
+
+
+
+
+
+
+
+
+
+Thornburgh Informational [Page 12]
+
+RFC 7425 Adobe RTMFP for Flash Communication December 2014
+
+
+4.3.6. Glare Resolution
+
+ Glare occurs when two endpoints initiate a session each to the other
+ concurrently.
+
+ Compare the near end's certificate to the far end's with a binary
+ lexicographic comparison, one byte at a time, up to the length of the
+ shorter certificate. At the first corresponding byte from each
+ certificate that is different, the certificate having the differing
+ byte (treated as an unsigned 8-bit integer) with the lower value is
+ ordered before the other certificate. If the certificates are not
+ the same length and they are identical up to the length of the
+ shorter certificate, then the shorter certificate is ordered before
+ the longer.
+
+ The near end prevails as the Initiator in case of glare if its
+ certificate is ordered before, or is identical to, the certificate of
+ the far end. Otherwise, the near end's certificate is ordered after
+ the far end's certificate, and the near end assumes the role of
+ Responder.
+
+4.3.7. Session Override
+
+ A new incoming session overrides an existing session only if the
+ certificate for the new session is identical to the certificate for
+ the existing session.
+
+4.4. Endpoint Discriminators
+
+ This section describes the Endpoint Discriminator (EPD) (Section 3.2
+ of RFC 7016) format and semantics for this Cryptography Profile, and
+ the mapping to RTMFP's abstract certificate and identity selection
+ semantics.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Thornburgh Informational [Page 13]
+
+RFC 7425 Adobe RTMFP for Flash Communication December 2014
+
+
+4.4.1. Format
+
+ An EPD in this profile is encoded as a sequence of zero or more RTMFP
+ Options.
+
+ +~~~/~~~/~~~~~~~+ +~~~/~~~/~~~~~~~+
+ | L \ T \ V |...............| L \ T \ V |
+ +~~~/~~~/~~~~~~~+ +~~~/~~~/~~~~~~~+
+ ^ ^
+ +------------- Zero or more Options ----------+
+
+ struct endpointDiscriminator_t
+ {
+ while(remainder() > 0)
+ option_t option :variable*8;
+ } :remainder()*8;
+
+4.4.2. Options
+
+ This section lists options that can appear in an EPD. The following
+ option type codes are defined:
+
+ 0x00: Required Hostname (Section 4.4.2.1)
+
+ 0x0a: Ancillary Data (Section 4.4.2.2)
+
+ 0x0f: Fingerprint (Section 4.4.2.3)
+
+ The use of these options for selecting certificates is described in
+ Section 4.4.3.
+
+ An implementation MUST ignore EPD option types that are not
+ understood.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Thornburgh Informational [Page 14]
+
+RFC 7425 Adobe RTMFP for Flash Communication December 2014
+
+
+4.4.2.1. Required Hostname
+
+ This option indicates the hostname to match against the certificate's
+ Hostname option (Section 4.3.3.1).
+
+ +-------------/-+-------------/-+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~+
+ | length \ | 0x00 \ | hostname |
+ +-------------/-+-------------/-+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~/
+
+ struct hostnameEPDOptionValue_t
+ {
+ uint8_t hostname[remainder()];
+ } :remainder()*8;
+
+ This option MUST NOT occur more than once in an EPD.
+
+4.4.2.2. Ancillary Data
+
+ In this profile, this option indicates the server Uniform Resource
+ Identifier (URI) [RFC3986] encoded in UTF-8 to which a client is
+ connecting on this session, for example,
+ "rtmfp://server.example.com/app/instance".
+
+ +-------------/-+-------------/-+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~+
+ | length \ | 0x0a \ | ancillary data |
+ +-------------/-+-------------/-+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~/
+
+ struct ancillaryDataEPDOptionValue_t
+ {
+ uint8_t ancillaryData[remainder()];
+ } :remainder()*8;
+
+ This option MUST NOT occur more than once in an EPD.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Thornburgh Informational [Page 15]
+
+RFC 7425 Adobe RTMFP for Flash Communication December 2014
+
+
+4.4.2.3. Fingerprint
+
+ This option indicates the 256-bit (32-byte) fingerprint
+ (Section 4.3.2) of a certificate.
+
+ 0 1 2 3 4 5 6 7|0 1 2 3 4 5 6 7|0 1 2 3 4 5 6 7|0 1 2 3 4 5 6 7
+ +-------------/-+-------------/-+
+ | length \ | 0x0f \ |
+ +-------------/-+-------------/-+
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | |
+ + - - - - - - - + - - - - - - - + - - - - - - - + - - - - - - - +
+ | |
+ + - - - - - - - + - - - - - - - + - - - - - - - + - - - - - - - +
+ | |
+ + - - - - - - - + - - - - - - - + - - - - - - - + - - - - - - - +
+ | fingerprint |
+ + - - - - - - - + - - - - - - - + - - - - - - - + - - - - - - - +
+ | |
+ + - - - - - - - + - - - - - - - + - - - - - - - + - - - - - - - +
+ | |
+ + - - - - - - - + - - - - - - - + - - - - - - - + - - - - - - - +
+ | |
+ + - - - - - - - + - - - - - - - + - - - - - - - + - - - - - - - +
+ | |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+ struct fingerprintEPDOptionValue_t
+ {
+ uint8_t fingerprint[32];
+ } :256;
+
+ This option MUST NOT occur more than once in an EPD.
+
+4.4.3. Certificate Selection
+
+ This section describes the REQUIRED method of determining whether an
+ EPD selects a certificate.
+
+ An EPD MUST contain at least one of Fingerprint, Required Hostname,
+ or Ancillary Data options to select any certificate.
+
+ A Fingerprint EPD option selects or rejects a certificate no matter
+ what other options are present.
+
+ Without a Fingerprint option, a Required Hostname EPD option, if
+ present, REQUIRES an identical Hostname option in the certificate.
+
+
+
+
+Thornburgh Informational [Page 16]
+
+RFC 7425 Adobe RTMFP for Flash Communication December 2014
+
+
+ Without a Fingerprint option, an Ancillary Data EPD option, if
+ present, REQUIRES that the certificate has an Accepts Ancillary Data
+ option.
+
+ if EPD contains a Fingerprint option:
+ if certificate.fingerprint == option.fingerprint:
+ certificate is selected. stop.
+ else:
+ certificate is not selected. stop.
+ else:
+ if EPD contains a Required Hostname option:
+ if certificate contains a Hostname option:
+ if certificate.hostname != option.hostname:
+ certificate is not selected. stop.
+ else:
+ certificate is not selected. stop.
+ if EPD contains an Ancillary Data option:
+ if certificate doesn't have an Accepts Ancillary Data option:
+ certificate is not selected. stop.
+ else if EPD does not contain a Required Hostname option:
+ certificate is not selected. stop.
+ certificate is selected. stop.
+
+ Figure 1: Algorithm to Test Whether an EPD Selects a Certificate
+
+4.4.4. Canonical Endpoint Discriminator
+
+ In this profile, a Canonical Endpoint Discriminator (Section 3.2 of
+ RFC 7016) contains only a Fingerprint option (Section 4.4.2.3) and no
+ other options. The option length and type code MUST be encoded as
+ 1-byte VLUs, even though VLU encoding allows those fields to be
+ encoded in an arbitrary number of bytes. That is, the Canonical
+ Endpoint Discriminator MUST be exactly 34 bytes long, with a length
+ field of 0x21 encoded as one byte, a type code of 0x0f encoded as one
+ byte, and 32 bytes of fingerprint.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Thornburgh Informational [Page 17]
+
+RFC 7425 Adobe RTMFP for Flash Communication December 2014
+
+
+ 0 1 2 3 4 5 6 7|0 1 2 3 4 5 6 7|0 1 2 3 4 5 6 7|0 1 2 3 4 5 6 7
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | 0x21 | 0x0f |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | |
+ + - - - - - - - + - - - - - - - + - - - - - - - + - - - - - - - +
+ | |
+ + - - - - - - - + - - - - - - - + - - - - - - - + - - - - - - - +
+ | |
+ + - - - - - - - + - - - - - - - + - - - - - - - + - - - - - - - +
+ | fingerprint |
+ + - - - - - - - + - - - - - - - + - - - - - - - + - - - - - - - +
+ | |
+ + - - - - - - - + - - - - - - - + - - - - - - - + - - - - - - - +
+ | |
+ + - - - - - - - + - - - - - - - + - - - - - - - + - - - - - - - +
+ | |
+ + - - - - - - - + - - - - - - - + - - - - - - - + - - - - - - - +
+ | |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+ struct canonicalEndpointDiscriminator_t
+ {
+ uint8_t length = 0x21;
+ uint8_t type = 0x0f;
+ uint8_t fingerprint[32];
+ } :272;
+
+4.5. Session Keying Components
+
+ This section describes the format of the Session Key Initiator
+ Component of the Initiator Initial Keying RTMFP chunk and the Session
+ Key Responder Component of the Responder Initial Keying RTMFP chunk
+ (Sections 2.3.7 and 2.3.8 of RFC 7016). The Initiator and Responder
+ Session Keying Components have the same format.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Thornburgh Informational [Page 18]
+
+RFC 7425 Adobe RTMFP for Flash Communication December 2014
+
+
+4.5.1. Format
+
+ A Session Keying Component in this profile is encoded as a sequence
+ of zero or more RTMFP Options.
+
+ +~~~/~~~/~~~~~~~+ +~~~/~~~/~~~~~~~+
+ | L \ T \ V |...............| L \ T \ V |
+ +~~~/~~~/~~~~~~~+ +~~~/~~~/~~~~~~~+
+ ^ ^
+ +------------- Zero or more Options ----------+
+
+ struct sessionKeyingComponent_t
+ {
+ while(remainder() > 0)
+ option_t option :variable*8;
+ } :remainder()*8;
+
+4.5.2. Options
+
+ This section lists options that can appear in a Session Keying
+ Component. The following option type codes are defined:
+
+ 0x0d: Ephemeral Diffie-Hellman Public Key (Section 4.5.2.1)
+
+ 0x0e: Extra Randomness (Section 4.5.2.2)
+
+ 0x1d: Diffie-Hellman Group Select (Section 4.5.2.3)
+
+ 0x1a: HMAC Negotiation (Section 4.5.2.4)
+
+ 0x1e: Session Sequence Number Negotiation (Section 4.5.2.5)
+
+ An implementation MUST ignore a session keying component option type
+ that is not understood.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Thornburgh Informational [Page 19]
+
+RFC 7425 Adobe RTMFP for Flash Communication December 2014
+
+
+4.5.2.1. Ephemeral Diffie-Hellman Public Key
+
+ This option specifies a Diffie-Hellman group ID and public key in
+ that group. This option MUST NOT be sent if the sender's certificate
+ has a static Diffie-Hellman public key. This option MUST be sent if
+ the sender's certificate does not have a static Diffie-Hellman public
+ key. This option MUST NOT be sent more than once.
+
+ +-------------/-+-------------/-+-------------/-+
+ | length \ | 0x0d \ | group ID \ |
+ +-------------/-+-------------/-+-------------/-+
+ +------------------------------------------------------------------+
+ | Diffie-Hellman Public Key |
+ +------------------------------------------------------------------/
+
+ struct ephemeralDHPublicKeyKeyingOptionValue_t
+ {
+ vlu_t groupID :variable*8;
+ uintn_t publicKey :remainder()*8; // network byte order
+ } :remainder()*8;
+
+4.5.2.2. Extra Randomness
+
+ This option can be used to add extra entropy or randomness to a
+ keying component, particularly when the sender uses a static public
+ key. When used for that purpose, the extra randomness SHOULD be
+ cryptographically strong pseudorandom bytes not less than 16 bytes
+ (for cryptographically significant entropy) and not more than 64
+ bytes (the length of a SHA-256 input block) in length. The extra
+ randomness serves as a salt when computing the session keys
+ (Section 4.6).
+
+ +-------------/-+-------------/-+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~+
+ | length \ | 0x0e \ | extra randomness |
+ +-------------/-+-------------/-+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~/
+
+ struct extraRandomnessKeyingOptionValue_t
+ {
+ uint_t extraRandomness[remainder()];
+ } :remainder()*8;
+
+
+
+
+
+
+
+
+
+
+
+Thornburgh Informational [Page 20]
+
+RFC 7425 Adobe RTMFP for Flash Communication December 2014
+
+
+4.5.2.3. Diffie-Hellman Group Select
+
+ This option is sent by the Initiator to specify which Diffie-Hellman
+ group to use for key agreement. The Initiator MUST send this option
+ when it advertises a static Diffie-Hellman public key in its
+ certificate and MUST NOT send this option if it sends an ephemeral
+ Diffie-Hellman public key. This option MUST NOT be sent more than
+ once.
+
+ +-------------/-+-------------/-+-------------/-+
+ | length \ | 0x1d \ | group ID \ |
+ +-------------/-+-------------/-+-------------/-+
+
+ struct staticDHGroupSelectKeyingOptionValue_t
+ {
+ vlu_t groupID :variable*8;
+ } :variable*8;
+
+4.5.2.4. HMAC Negotiation
+
+ This option is used to negotiate sending and receiving of an HMAC
+ field for packet verification.
+
+ |0 1 2 3 4 5 6 7|
+ +-------------/-+-------------/-+-+-+-+-+-+-+-+-+-------------/-+
+ | \ | \ | |S|S|R| \ |
+ | length / | 0x1a / | rsv |N|O|E| hmacLength / |
+ | \ | \ | |D|R|Q| \ |
+ +-------------/-+-------------/-+-+-+-+-+-+-+-+-+-------------/-+
+
+ struct hmacNegotiationKeyingOptionValue_t
+ {
+ uintn_t reserved :5; // rsv
+ bool_t willSendAlways :1; // SND
+ bool_t willSendOnRequest :1; // SOR
+ bool_t request :1; // REQ
+ vlu_t hmacLength :variable*8;
+ } :variable*8;
+
+ willSendAlways: If set, the sender will send an HMAC on packets in
+ this session.
+
+ willSendOnRequest: If set, the sender will send an HMAC on packets
+ in this session if the other end sets the request flag in its HMAC
+ Negotiation.
+
+
+
+
+
+
+Thornburgh Informational [Page 21]
+
+RFC 7425 Adobe RTMFP for Flash Communication December 2014
+
+
+ request: If set, the sender would very much like the receiver to
+ send an HMAC on its packets. If the other end doesn't send an
+ HMAC on its packets, the session can fail.
+
+ hmacLength: If the sender negotiates to send an HMAC on its packets,
+ the HMAC field will be this many bytes long. This value MUST be
+ between 4 and 32 inclusive, or 0 if and only if willSendAlways and
+ willSendOnRequest are clear.
+
+ The handshake operational semantics for this option are described in
+ Section 4.6.4.
+
+4.5.2.5. Session Sequence Number Negotiation
+
+ This option is used to negotiate sending and receiving of the Session
+ Sequence Number field for packet verification.
+
+ |0 1 2 3 4 5 6 7|
+ +-------------/-+-------------/-+-+-+-+-+-+-+-+-+
+ | \ | \ | |S|S|R|
+ | length / | 0x1e / | rsv |N|O|E|
+ | \ | \ | |D|R|Q|
+ +-------------/-+-------------/-+-+-+-+-+-+-+-+-+
+
+ struct sseqNegotiationKeyingOptionValue_t
+ {
+ uintn_t reserved :5; // rsv
+ bool_t willSendAlways :1; // SND
+ bool_t willSendOnRequest :1; // SOR
+ bool_t request :1; // REQ
+ } :8;
+
+ willSendAlways: If set, the sender will send a session sequence
+ number in packets in this session.
+
+ willSendOnRequest: If set, the sender will send a session sequence
+ number in packets in this session if the other end sets the
+ request flag in its Session Sequence Number Negotiation.
+
+ request: If set, the sender would very much like the receiver to
+ send a session sequence number in its packets. If the other end
+ doesn't send a session sequence number in its packets, the session
+ can fail.
+
+ The handshake operational semantics for this option are described in
+ Section 4.6.6.
+
+
+
+
+
+Thornburgh Informational [Page 22]
+
+RFC 7425 Adobe RTMFP for Flash Communication December 2014
+
+
+4.6. Session Key Computation
+
+ This section describes how to compute the cryptographic keys and
+ other settings for packet encryption and verification.
+
+ The Session Key Near Component (SKNC) means the keying component sent
+ by the near end of the session; that is, it is the Session Key
+ Initiator Component at the Initiator and the Session Key Responder
+ Component at the Responder.
+
+ The Session Key Far Component (SKFC) means the keying component sent
+ by the far end of the session; that is, it is the Session Key
+ Responder Component at the Initiator and the Session Key Initiator
+ Component at the Responder.
+
+4.6.1. Public Key Selection
+
+ This section enumerates the public key selection methods for all
+ possible combinations of static or ephemeral public key modes for
+ each endpoint according to their certificate options (Section 4.3.3).
+
+4.6.1.1. Initiator and Responder Ephemeral
+
+ The Initiator and Responder list one or more Supported Ephemeral
+ Diffie-Hellman Group options (Section 4.3.3.4) in their certificates.
+ The Initiator sends exactly one Ephemeral Diffie-Hellman Public Key
+ option (Section 4.5.2.1) in its Session Key Initiator Component,
+ which selects one group from among those supported by the Responder
+ and Initiator. Responder sends exactly one Ephemeral Diffie-Hellman
+ Public Key option in its Session Key Responder Component, in the same
+ group as indicated by the Initiator.
+
+4.6.1.2. Initiator Ephemeral and Responder Static
+
+ The Responder lists one or more Static Diffie-Hellman Public Key
+ options (Section 4.3.3.5) in its certificate. The Initiator lists
+ one or more Supported Ephemeral Diffie-Hellman Group options in its
+ certificate. The Initiator sends exactly one Ephemeral Diffie-
+ Hellman Public Key option in its Session Key Initiator Component,
+ which selects one group from among those supported by the Responder
+ and Initiator and the corresponding public key for the Responder.
+ Responder uses its public key from the indicated group, and sends
+ only an Extra Randomness option (Section 4.5.2.2) in its Session Key
+ Responder Component to salt the session keys.
+
+
+
+
+
+
+
+Thornburgh Informational [Page 23]
+
+RFC 7425 Adobe RTMFP for Flash Communication December 2014
+
+
+4.6.1.3. Initiator Static and Responder Ephemeral
+
+ The Responder lists one or more Supported Ephemeral Diffie-Hellman
+ Group options in its certificate. The Initiator lists one or more
+ Static Diffie-Hellman Public Key options in its certificate. The
+ Initiator sends exactly one Diffie-Hellman Group Select option
+ (Section 4.5.2.3) in its Session Key Initiator Component, which
+ selects one group from among those supported by the Responder and
+ Initiator and the corresponding public key for the Initiator, plus an
+ Extra Randomness option to salt the session keys. The Responder
+ sends an Ephemeral Diffie-Hellman Public Key option in its Session
+ Key Responder Component in the same group as indicated by the
+ Initiator.
+
+4.6.1.4. Initiator and Responder Static
+
+ The Initiator and Responder each list one or more Static Diffie-
+ Hellman Public Key options in their certificates. The Initiator
+ sends exactly one Diffie-Hellman Group Select option in its Session
+ Key Initiator Component, which selects one group and corresponding
+ public keys from among those supported by the Responder and
+ Initiator, and an Extra Randomness option to salt the session keys.
+ The Responder sends an Extra Randomness option in its Session Key
+ Responder Component to add its own salt to the session keys.
+
+4.6.2. Diffie-Hellman Shared Secret
+
+ To be acceptable, a Diffie-Hellman public key MUST have all of the
+ following properties:
+
+ o Be at least 16777216 (2^24);
+
+ o Be at most the group's prime modulus minus 16777216;
+
+ o Have at least 16 "1" bits;
+
+ o Have at least 16 "0" bits, not including leading zeros.
+
+ An endpoint MUST NOT complete to an S_OPEN session with a far
+ endpoint using a public key that is not acceptable according to these
+ criteria.
+
+ Once the group and corresponding public key of the far end is
+ determined, the far end's public key and the near end's private key
+ are combined according to Diffie-Hellman [DH] to compute the Diffie-
+ Hellman Shared Secret, an integer.
+
+
+
+
+
+Thornburgh Informational [Page 24]
+
+RFC 7425 Adobe RTMFP for Flash Communication December 2014
+
+
+ In the following sections, DH_SECRET means the Diffie-Hellman Shared
+ Secret encoded as a byte-aligned unsigned integer in network byte
+ order with no leading zero bytes. For example, if the shared secret
+ is 4886718345, DH_SECRET would be the five bytes:
+
+ Hex: 01 23 45 67 89
+
+4.6.3. Packet Encrypt/Decrypt Keys
+
+ Packets are encrypted using a symmetric cipher, such as the Advanced
+ Encryption Standard [AES]. Distinct keys are used for sending and
+ receiving packets. Each end's sending (encrypt) key is the other
+ end's receiving (decrypt) key.
+
+ The raw keys computed in this section for encryption and decryption
+ are transformed in a manner specific to the cipher with which they
+ are to be used. In this profile, AES-128 is the only currently
+ defined cipher. For this cipher, the first 128 bits (16 bytes) of
+ the 256-bit output of the calculation are taken to be the AES-128
+ key.
+
+ Set ENCRYPT_KEY = HMAC-SHA256(DH_SECRET, HMAC-SHA256(SKFC, SKNC));
+
+ Set DECRYPT_KEY = HMAC-SHA256(DH_SECRET, HMAC-SHA256(SKNC, SKFC));
+
+ The full 256 bits of ENCRYPT_KEY and DECRYPT_KEY are used in the
+ computations in the following sections.
+
+4.6.4. Packet HMAC Send/Receive Keys
+
+ Packets can be verified that they were not corrupted or modified by
+ appending an HMAC to the packet. Whether to use an HMAC or a simple
+ checksum is determined during the initial keying phase using the HMAC
+ Negotiation option (Section 4.5.2.4). Distinct HMAC keys are used
+ for sending and receiving packets. Each end's sending key is the
+ other end's receiving key, and vice versa.
+
+ Set HMAC_SEND_KEY = HMAC_SHA256(DH_SECRET, ENCRYPT_KEY);
+
+ Set HMAC_RECV_KEY = HMAC_SHA256(DH_SECRET, DECRYPT_KEY);
+
+ If an endpoint sets the willSendAlways flag in its HMAC Negotiation
+ option, then it MUST send an HMAC on packets it sends with this
+ session key.
+
+
+
+
+
+
+
+Thornburgh Informational [Page 25]
+
+RFC 7425 Adobe RTMFP for Flash Communication December 2014
+
+
+ If an endpoint's willSendAlways flag is clear but its
+ willSendOnRequest flag is set, then it MUST send an HMAC on packets
+ it sends with this session key if and only if the other endpoint's
+ request flag is set.
+
+ If a sending endpoint's willSendAlways and willSendOnRequest flags
+ are clear, then the receiving endpoint SHOULD reject that keying
+ component if the receiving endpoint is configured to require the
+ sending endpoint to send HMAC.
+
+ If HMAC is negotiated to be used, the corresponding hmacLength MUST
+ be between 4 and 32 inclusive.
+
+ If HMAC is negotiated not to be used, a simple checksum is used for
+ packet verification.
+
+ The Default Session Key uses the simple checksum and does not use
+ HMAC.
+
+4.6.5. Session Nonces
+
+ Session nonces are per-session, cryptographically strong secret
+ values known only to the two endpoints of the session. They can be
+ used for application-layer cryptographic challenges (such as signing
+ or password verification). These nonces are a convenience being pre-
+ shared and pre-agreed-upon in a secure manner during the initial
+ keying handshake.
+
+ Each end's near nonce is the other end's far nonce, and vice versa.
+
+ Set NEAR_NONCE = HMAC_SHA256(DH_SECRET, SKNC);
+
+ Set FAR_NONCE = HMAC_SHA256(DH_SECRET, SKFC);
+
+4.6.6. Session Sequence Number
+
+ Duplicate packets can be detected and rejected by using an optional
+ session sequence number inside the encrypted packets. The session
+ sequence number is a monotonically increasing unbounded integer and
+ does not wrap. Session sequence numbers SHOULD start at zero and
+ SHOULD increment by one for each packet sent using that session key.
+ Implementations MUST handle session sequence numbers with no less
+ than 64 bits of range.
+
+ If an endpoint's willSendAlways flag in its Session Sequence Number
+ Negotiation option (Section 4.5.2.5) is set, then it MUST send a
+ session sequence number in packets it sends with this session key.
+
+
+
+
+Thornburgh Informational [Page 26]
+
+RFC 7425 Adobe RTMFP for Flash Communication December 2014
+
+
+ If an endpoint's willSendAlways flag is clear but its
+ willSendOnRequest flag is set, then it MUST send a session sequence
+ number on packets it sends with this session key if and only if the
+ other endpoint's request flag is set.
+
+ If a sending endpoint's willSendAlways and willSendOnRequest flags
+ are clear, then the receiving endpoint SHOULD reject that keying
+ component if the receiving endpoint is configured to require the
+ sending endpoint to send session sequence numbers.
+
+ The Default Session Key does not use session sequence numbers.
+
+4.7. Packet Encryption
+
+ This section describes the concrete syntax and operational semantics
+ of RTMFP packet encryption for this Cryptography Profile.
+
+4.7.1. Cipher
+
+ This profile defines AES-128 [AES] in CBC [CBC] mode as the only
+ cipher. Extensions to this profile can specify and negotiate
+ additional ciphers and modes by defining certificate and keying
+ component options and associated semantics.
+
+ For AES-128-CBC, the initialization vector (IV) for each packet is 16
+ zero bytes. The IV is not included in the packet.
+
+4.7.2. Format
+
+ The Encrypted Packet is the encryptedPacket field of an RTMFP
+ Multiplex packet (Section 2.2.2 of RFC 7016); that is, the portion of
+ the Multiplex packet following the scrambled session ID. The
+ Encrypted Packet has the following format:
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Thornburgh Informational [Page 27]
+
+RFC 7425 Adobe RTMFP for Flash Communication December 2014
+
+
+ +----------------+ +----------------+~~~~~~~~~~~~~~~~~~~~~~~+
+ | CBC Block 1 | ... | CBC Block N | truncatedHMAC |
+ +----------------+ +----------------+~~~~~~~~~~~~~~~~~~~~~~~+
+ ^ ^ ^
+ | Zero or more AES-128 chained | hmacLength bytes long |
+ +-------- cipher blocks -----------+--- (may be zero) ---+
+
+ struct flashProfileEncryptedPacket_t
+ {
+ if(HMAC is being used)
+ hmacLength = negotiated length;
+ else
+ hmacLength = 0;
+
+ struct
+ {
+ iv[16 bytes] = { 0 };
+ blockCount = 0;
+ while((remainder() > hmacLength) && (remainder() >= 16))
+ {
+ uint8_t cbcBlock[16];
+ blockCount++;
+ }
+ } chainedCipherBlocks :variable*16*8;
+
+ if(HMAC is being used)
+ {
+ if(remainder() == hmacLength)
+ uint8_t truncatedHMAC[hmacLength];
+ else
+ packetVerificationFailed();
+ }
+ else if(remainder() > 0)
+ packetVerificationFailed();
+ } :encryptedPacket.length*8;
+
+ cbcBlock: The next AES-128-CBC block.
+
+ chainedCipherBlocks: The concatenation of every cipher block in the
+ packet (over which the HMAC is computed).
+
+ truncatedHMAC: If HMAC was negotiated to be used (Section 4.5.2.4),
+ this field is set to the first negotiated hmacLength bytes of the
+ HMAC of the chainedCipherBlocks.
+
+ The plaintext data before encryption or after decryption has the
+ following format:
+
+
+
+
+Thornburgh Informational [Page 28]
+
+RFC 7425 Adobe RTMFP for Flash Communication December 2014
+
+
+ 0 1 2 3 4 5 6 7|0 1 2 3 4 5 6 7|0 1 2 3 4 5 6 7|0 1 2 3 4 5 6 7
+ +~~~~~~~~~~~~~/~+
+ | SSEQ (opt.) \ |
+ +~~~~~~~~~~~~~/~+
+ +~+~+~+~+~+~+~+~+~+~+~+~+~+~+~+~+
+ | Checksum (opt.) |
+ +~+~+~+~+~+~+~+~+~+~+~+~+~+~+~+~+
+ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~+
+ | Plain RTMFP Packet |
+ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~/
+
+ struct flashProfilePlainPacket_t
+ {
+ if(session sequence numbers being used)
+ vlu_t sessionSequenceNumber :variable*8; // SSEQ
+ if(HMAC not being used)
+ uint16_t checksum;
+ packet_t plainRTMFPPacket :variable*8;
+ } :chainedCipherBlocks.blockCount*16*8;
+
+ sessionSequenceNumber: If session sequence numbers were negotiated
+ to be used (Section 4.6.6), this field is present and is the VLU
+ session sequence number of this packet.
+
+ checksum: If HMAC was not negotiated to be used, this field is
+ present and is the simple checksum (Section 4.7.3.1) of the
+ remaining bytes of this structure.
+
+ plainRTMFPPacket: The (plain, unencrypted) RTMFP Packet
+ (Section 2.2.4 of RFC 7016) plus any necessary padding.
+
+ When assembling this structure and prior to calculating the checksum
+ (if present), if the structure's total length is not an integer
+ multiple of 16 bytes (the AES cipher block size), pad the end of
+ plainRTMFPPacket with as many bytes having a value of 0xff as are
+ needed to bring the structure's total length to an integer multiple
+ of 16 bytes. The receiver's RTMFP Packet parser (Section 2.2.4 of
+ RFC 7016) will consume this padding.
+
+4.7.3. Verification
+
+ In RTMFP, the Cryptography Profile is responsible for packet
+ verification. In this profile, packets are verified with an HMAC or
+ a simple checksum, depending on the configuration of the endpoints,
+ and optionally verified against replay or duplication using session
+ sequence numbers. The simple checksum is inside the encrypted
+ packet, so it becomes essentially a 16-bit cryptographic checksum.
+
+
+
+
+Thornburgh Informational [Page 29]
+
+RFC 7425 Adobe RTMFP for Flash Communication December 2014
+
+
+4.7.3.1. Simple Checksum
+
+ The simple checksum is the 16-bit ones' complement of the 16-bit
+ ones' complement sum of all 16-bit (2 bytes in network byte order)
+ words to be checked. If there are an odd number of bytes to be
+ checked, then for purposes of this checksum, treat the last byte as
+ the lower 8 bits of a 16-bit word whose upper 8 bits are 0. This is
+ also known as the "Internet Checksum" [RFC1071].
+
+ When present, the checksum is calculated over all bytes of the
+ plaintext packet starting after the checksum field through the end of
+ the plain packet. It cannot be calculated until the plain packet is
+ padded, if necessary, to bring its length to an integer multiple of
+ 16 bytes (the AES cipher block size). The session sequence number
+ field, if present, and the checksum field itself are not included in
+ the checksum.
+
+ On receiving a packet being verified with a checksum: calculate the
+ checksum over all the bytes of the plaintext packet following the
+ checksum field and compare the checksum to the value in the checksum
+ field. If they match, the packet is verified; if they do not match,
+ the packet is corrupt and MUST be discarded as though it was never
+ received.
+
+4.7.3.2. HMAC
+
+ When present, the HMAC field is the last hmacLength bytes of the
+ packet and is calculated over all of the encrypted cipher blocks of
+ the packet preceding the HMAC field. The value of the HMAC field is
+ the first hmacLength bytes of the HMAC-SHA256 of the checked data,
+ using the computed HMAC keys (Section 4.6.4) and negotiated
+ hmacLength (Section 4.5.2.4). Note each endpoint independently
+ specifies the length of the HMAC it will send via its hmacLength
+ field.
+
+ When an endpoint has negotiated to send an HMAC, it encrypts the data
+ blocks, computes the HMAC over the encrypted data blocks using its
+ HMAC_SEND_KEY, and appends the first hmacLength bytes of that hash
+ after the final encrypted data block.
+
+ When an endpoint has negotiated to receive an HMAC, the endpoint
+ computes the HMAC over the encrypted data blocks using its
+ HMAC_RECV_KEY and then compares the first receive hmacLength bytes of
+ the computed HMAC to the HMAC field in the packet. If they are
+ identical, the packet is verified; if they are not identical, the
+ packet is corrupt and MUST be discarded as though it was never
+ received.
+
+
+
+
+Thornburgh Informational [Page 30]
+
+RFC 7425 Adobe RTMFP for Flash Communication December 2014
+
+
+ HMAC and simple checksum verification are mutually exclusive.
+
+4.7.3.3. Session Sequence Number
+
+ Session sequence numbers are used to detect and reject a packet that
+ was duplicated in the network or replayed by an attacker and to
+ ensure the first chained cipher block of every packet is unique, in
+ lieu of a full-block initialization vector. Sequence numbers start
+ at zero, increase by one for each packet sent in the session, do not
+ wrap, and do not repeat.
+
+ When session sequence numbers are negotiated to be used, the receiver
+ MUST allow for packets to be reordered in the network by up to at
+ least 32 sequence numbers; note, however, that reordering by more
+ than three packets can trigger loss detection and retransmission by
+ negative acknowledgement, just as with TCP, and is therefore not
+ likely to occur in the real Internet.
+
+ [RFC4302], [RFC4303], and [RFC6479] describe Anti-Replay Window
+ methods that can be employed to detect duplicate sequence numbers.
+ Other methods are possible.
+
+ Any packet received having a session sequence number that was already
+ seen in that session, either directly or by being less than the
+ lowest sequence number in the Anti-Replay Window, is a duplicate and
+ MUST be discarded as though never received.
+
+5. Flash Communication
+
+ The Flash platform uses RTMP [RTMP] messages for media streaming and
+ communication. This section describes how to transport RTMP messages
+ over RTMFP flows and additional messages and semantics unique to this
+ transport.
+
+5.1. RTMP Messages
+
+ An RTMP message comprises a virtual header and a payload. The
+ virtual header comprises a Message Type, a Payload Length, a
+ Timestamp, and a Stream ID. The format of the payload is dependent
+ on the type of message.
+
+ An RTMP message is mapped onto a lower transport layer, such as RTMP
+ Chunk Stream [RTMP] or RTMFP. RTMP messages were initially designed
+ along with, and for transport on, RTMP Chunk Stream. This design
+ constrains the possible values of RTMP message header fields. In
+ particular:
+
+
+
+
+
+Thornburgh Informational [Page 31]
+
+RFC 7425 Adobe RTMFP for Flash Communication December 2014
+
+
+ Message Type is 8 bits wide, and is therefore constrained to
+ values from 0 to 255 inclusive;
+
+ Payload Length is 24 bits wide, so messages can be at most
+ 16777215 bytes long;
+
+ Timestamp is 32 bits wide, so timestamps range from 0 to
+ 4294967295 and wrap around;
+
+ Stream ID is 24 bits wide, and is therefore constrained to values
+ from 0 to 16777215 inclusive.
+
+ RTMP Chunk Stream Protocol Control messages (message types 1, 2, 3,
+ 5, and 6) are not used when transporting RTMP messages in RTMFP
+ flows. Messages of those types SHOULD NOT be sent and MUST be
+ ignored.
+
+5.1.1. Flow Metadata
+
+ All messages in RTMFP are transported in flows. In this profile, an
+ RTMFP flow for RTMP messages carries the messages for exactly one
+ RTMP Stream ID. Multiple flows can carry messages for the same
+ Stream ID; for example, the video and audio messages of a stream
+ could be sent on separate flows, allowing the audio to be given
+ higher transmission priority.
+
+ The User Metadata for flows in this profile begins with a distinct
+ signature to distinguish among different kinds of flows. The User
+ Metadata for a flow used for RTMP messages begins with the two-
+ character signature "TC".
+
+ The Stream ID is encoded in the flow's User Metadata so that it
+ doesn't need to be sent with each message.
+
+ The sender can have a priori knowledge about the kind of media it
+ intends to send on a flow and its intended use and can give the
+ receiver a hint as to whether messages should be delivered as soon as
+ possible or in their original queuing order. For example, the sender
+ might be sending real-time, delay-sensitive audio messages on a flow,
+ and hint that the receiver should take delivery of the messages on
+ that flow as soon as they arrive in the network, to reduce the end-
+ to-end latency of the audio.
+
+ The receiver can choose to take delivery of messages on flows as soon
+ as they arrive in the network or in the messages' original queuing
+ order. A receiver that chooses to take delivery of messages as soon
+ as they arrive in the network MUST be prepared for the messages to
+
+
+
+
+Thornburgh Informational [Page 32]
+
+RFC 7425 Adobe RTMFP for Flash Communication December 2014
+
+
+ arrive out-of-order. For example, a receiver may choose not to
+ render a newly received audio message having a timestamp earlier than
+ the most recently rendered audio timestamp.
+
+ The sender can choose to abandon a message that it has queued in a
+ flow before the message has been delivered to the receiver. For
+ example, the sender may abandon a real-time, delay-sensitive audio
+ message that has not been delivered within one second, to avoid
+ spending transmission resources on stale media that is no longer
+ relevant.
+
+ Note: A gap will cause a delay at the receiver of at least one round-
+ trip time if the receiver is taking delivery of messages in original
+ queuing order.
+
+ 0 1 2 3 4 5 6 7|0 1 2 3 4 5 6 7|0 1 2 3 4 5 6 7|0 1 2 3 4 5 6 7
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+~~~~~~~~~~~~~/~+
+ | | | |S|r|R| \ |
+ | 0x54 'T' | 0x43 'C' | rsv |I|s|X| streamID / |
+ | | | |D|v|I| \ |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+~~~~~~~~~~~~~/~+
+
+ struct RTMPMetadata_t
+ {
+ uint8_t signature[2] == { 'T', 'C' };
+ uintn_t reserved1 :5; // rsv
+ bool_t streamIDPresent :1; // SID
+ uintn_t reserved2 :1; // rsv
+ uintn_t receiveIntent :1; // RXI
+ // 0: original queuing order, 1: network arrival order
+ if(streamIDPresent)
+ vlu_t streamID :variable*8;
+ } :variable*8;
+
+ signature: Metadata signature for RTMP message flows, being the two
+ UTF-8 coded characters "TC".
+
+ streamIDPresent: A boolean flag indicating whether the streamID
+ field is present. In this profile, this flag MUST be set.
+
+ receiveIntent: A hint by the sender as to the best order in which to
+ take delivery of messages from the flow. A value of zero
+ indicates a hint that the flow's messages should be received in
+ the order they were originally queued by the sender (that is, in
+ ascending sequence number order); a value of one indicates a hint
+ that the flow's messages should be received in the order they
+ arrive in the network, even if there are sequence number gaps or
+ reordering. Network arrival order is typically hinted for live,
+
+
+
+Thornburgh Informational [Page 33]
+
+RFC 7425 Adobe RTMFP for Flash Communication December 2014
+
+
+ delay-sensitive flows, such as for audio media. To take delivery
+ of a message as soon as it arrives in the network: receive it from
+ the receiving flow's RECV_BUFFER as soon as it becomes complete
+ (Section 3.6.3.3 of RFC 7016), and remove it from the RECV_BUFFER.
+ Section 3.6.3.3 of RFC 7016 describes how to take delivery of
+ messages in original queuing order.
+
+ streamID: If the streamIDPresent flag is set, this field is present
+ and is the RTMP stream ID to which the messages in this flow
+ belong. In this profile, this field MUST be present.
+
+ A receiver SHOULD reject an RTMP message flow if its streamIDPresent
+ flag is clear. This profile doesn't define a stream mapping for this
+ case.
+
+ Derived or composed profiles can define additional flow types and
+ corresponding metadata signatures. A receiver SHOULD reject a flow
+ having an unrecognized metadata signature.
+
+5.1.2. Message Mapping
+
+ This section describes the format of an RTMP message (Section 5.1) in
+ an RTMFP flow.
+
+ 0 1 2 3 4 5 6 7|0 1 2 3 4 5 6 7|0 1 2 3 4 5 6 7|0 1 2 3 4 5 6 7
+ +-+-+-+-+-+-+-+-+
+ | messageType |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | timestamp |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | messagePayload |
+ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~/
+
+ struct RTMPMessage_t
+ {
+ uint8_t messageType;
+ uint32_t timestamp;
+ uint8_t messagePayload[remainder()];
+ } :flowMessageLength*8;
+
+ messageType: The RTMP Message Type;
+
+ timestamp: The RTMP Timestamp, in network byte order;
+
+ messagePayload: The payload of the RTMP message;
+
+ payload length: The RTMP message payload length is inferred from the
+ length of the RTMFP message;
+
+
+
+Thornburgh Informational [Page 34]
+
+RFC 7425 Adobe RTMFP for Flash Communication December 2014
+
+
+ Stream ID: The Stream ID for this message is taken from the metadata
+ of the flow on which this message was received.
+
+5.2. Flow Synchronization
+
+ RTMFP flows are independent and have no inter-flow ordering
+ guarantee. RTMP was designed for transport over a single, reliable,
+ strictly ordered byte stream. Some RTMP message semantics take
+ advantage of this ordering; for example, a Stream EOF User Control
+ event must not be processed until after all media messages for the
+ corresponding stream have been received. Flow Synchronization
+ messages provide a barrier to align message delivery across flows
+ when required by RTMP semantics.
+
+ A Flow Synchronization message is coded as a User Control event
+ message (Type 4) having Event Type 34. Message timestamps are
+ ignored and MAY be set to 0.
+
+ 0 1 2 3 4 5 6 7|0 1 2 3 4 5 6 7|0 1 2 3 4 5 6 7|0 1 2 3 4 5 6 7
+ +-+-+-+-+-+-+-+-+
+ | 4 |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | timestamp |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | eventType = 34 |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | syncID |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | count |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+ struct flowSyncUserControlMessagePayload_t
+ {
+ uint16_t eventType = 34;
+ uint32_t syncID;
+ uint32_t count;
+ } :10*8;
+
+ eventType: The RTMP User Control Message Event Type. Flow
+ Synchronization messages have type 34 (0x22);
+
+ syncID: The identifier for this barrier;
+
+ count: The number of flows being synchronized by syncID. This field
+ MUST be at least 1 and SHOULD be at least 2.
+
+
+
+
+
+
+Thornburgh Informational [Page 35]
+
+RFC 7425 Adobe RTMFP for Flash Communication December 2014
+
+
+ On receipt of a Flow Synchronization message, a receiver SHOULD
+ suspend receipt of further messages on that flow until count Flow
+ Synchronization messages (including this one) with the same syncID
+ have been received on flows in the same flow association tree.
+
+ Example: Consider flows F1 and F2 in the same NetConnection carrying
+ messages M, and let Sync(syncID,count) denote a Flow Synchronization
+ message.
+
+ | |
+ F1: M1 M2 M4 Sync(8,2) | Sync(13,2).....| M7
+ | |
+ F2: M3 Sync(8,2).......| M5 Sync(13,2) | M6
+ | |
+ Barrier 8 Barrier 13
+
+ Figure 2: Example Flow Synchronization Barriers
+
+ Flow Synchronization messages form a delivery barrier to impart at
+ least a partial message ordering across flows. In this example,
+ message M5 comes after M1..4 and before M6..7; however, M3 could be
+ delivered before or after any of M1, M2, or M4, and M6 could come
+ before or after M7.
+
+ Flow Synchronization can cause a priority inversion; therefore, it
+ SHOULD NOT be used except when necessary to preserve RTMP ordering
+ semantics.
+
+5.3. Client-to-Server Connection
+
+ The client connects to a server. The connection comprises one main
+ control flow in each direction from client to server and from server
+ to client for NetConnection messages, and zero or more flows in each
+ direction for NetStream media messages. NetStream flows may come and
+ go naturally over time according to media transport needs. An
+ exception on a NetConnection control sending flow indicates the
+ closure by the other end of the NetConnection and all associated
+ NetStreams.
+
+ The client MUST NOT use the same client certificate for more than one
+ server connection; that is, a client's peer ID MUST NOT be reused.
+
+5.3.1. Connecting
+
+ The client desires a connection to a server having an RTMFP URI, for
+ example, "rtmfp://server.example.com/app/instance". The client
+ gathers one or more initial candidate addresses for the server named
+ in the URI (for example, by using the Domain Name System (DNS)
+
+
+
+Thornburgh Informational [Page 36]
+
+RFC 7425 Adobe RTMFP for Flash Communication December 2014
+
+
+ [RFC1035]). The client creates an EPD having an Ancillary Data
+ option (Section 4.4.2.2) encoding the URI. The client initiates an
+ RTMFP session to the one or more candidate addresses using the EPD.
+
+ When the session transitions to the S_OPEN state, the client opens a
+ new flow in that session for Stream ID 0 and Receive Intent 0
+ "original queuing order". This is the client's NetConnection main
+ control flow. The client sends an RTMP "connect" command on the flow
+ and waits for a response or exception.
+
+5.3.2. Server-to-Client Return Control Flow
+
+ The server, on accepting the client's NetConnection control flow, and
+ receiving and accepting the "connect" command, opens one or more
+ return flows to the client having Stream ID 0 and associated to the
+ control flow from the client. Flows for Stream ID 0 are the server's
+ NetConnection control flows. The server sends a "_result" or
+ "_error" transaction response for the client's connect command.
+
+ When the client receives the first return flow from the server for
+ Stream ID 0 and associated to the client's NetConnection control
+ flow, the client assumes that flow is the canonical return
+ NetConnection control flow from the server, to which all new client-
+ to-server flows should be associated.
+
+ On receipt of a "_result" transaction response on Stream ID 0 for the
+ client's connect command, the connection is up.
+
+ The client MAY open additional return control flows to the server on
+ Stream ID 0, associated to the server's canonical NetConnection
+ control flow.
+
+5.3.3. setPeerInfo Command
+
+ The "setPeerInfo" command is sent by the client to the server over
+ the NetConnection control flow to inform the server of candidate
+ socket addresses through which the client might be reachable. This
+ list SHOULD include all directly connected interface addresses and
+ proxy addresses except as provided below. The list MAY be empty.
+ The list need not include the address of the server, even if the
+ server is to act as an introducer for the client. The list SHOULD
+ NOT include link-local or loopback addresses.
+
+ This command is sent as a regular RTMP NetConnection command; that
+ is, as an RTMP Type 20 Command Message or an RTMP Type 17 Command
+ Extended Message on Stream ID 0. A Type 20 Command Message SHOULD be
+ used if the object encoding negotiated during the "connect" and
+
+
+
+
+Thornburgh Informational [Page 37]
+
+RFC 7425 Adobe RTMFP for Flash Communication December 2014
+
+
+ "_result" handshake is AMF0 [AMF0], and a Type 17 Command Extended
+ Message SHOULD be used if the negotiated object encoding is AMF3
+ [AMF3].
+
+ Note: A Type 20 Command Message payload is a sequence of AMF objects
+ encoded in AMF0.
+
+ Note: A Type 17 Command Extended Message payload begins with a format
+ selector byte, followed by a sequence of objects in a format-specific
+ encoding. At the time of writing, only format 0 is defined;
+ therefore, the format selector byte MUST be 0. Format 0 is a
+ sequence of AMF objects, each encoded in AMF0 by default; AMF3
+ encoding for an object can be selected by prefixing it with an
+ "avmplus-object-marker" (0x11) as defined in [AMF0].
+
+ To complete the RTMFP NetConnection handshake, an RTMFP client MUST
+ send a setPeerInfo command to the server after receiving a successful
+ response to the "connect" command.
+
+ (
+ "setPeerInfo", // AMF String, command name
+ 0.0, // AMF Number, transaction ID
+ NULL, // AMF Null, no command object
+ ... // zero or more AMF Strings, each an address
+ )
+
+ Each listed socket address includes an IPv4 or IPv6 address in
+ presentation format and a UDP port number in decimal, separated by a
+ colon. Since the IPv6 address presentation format uses colons, IPv6
+ addresses are enclosed in square brackets [RFC3986].
+
+ (
+ "setPeerInfo",
+ 0.0,
+ NULL,
+ "192.0.2.129:50001",
+ "[2001:db8:1::2]:50002"
+ )
+
+ Figure 3: Example setPeerInfo Command
+
+ A server SHOULD assume that the client is behind a Network Address
+ Translator (NAT) if and only if the observed far endpoint address of
+ the session for the flow on which this command was received does not
+ appear in the setPeerInfo address list.
+
+
+
+
+
+
+Thornburgh Informational [Page 38]
+
+RFC 7425 Adobe RTMFP for Flash Communication December 2014
+
+
+5.3.4. Set Keepalive Timers Command
+
+ The server can advise the client to set or change the client's
+ session keepalive timer periods for its connection to the server and
+ for its P2P connections. The server MAY choose keepalive periods
+ based on static configuration, application- or deployment-specific
+ circumstances, whether the client appears to be behind a NAT, or for
+ any other reason.
+
+ The Set Keepalive Timers command is sent by the server to the client
+ on Stream ID 0 as a User Control event message (Type 4) having Event
+ Type 41. Message timestamps are ignored and MAY be set to 0.
+
+ 0 1 2 3 4 5 6 7|0 1 2 3 4 5 6 7|0 1 2 3 4 5 6 7|0 1 2 3 4 5 6 7
+ +-+-+-+-+-+-+-+-+
+ | 4 |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | timestamp |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | eventType = 41 |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | serverKeepalivePeriodMsec |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | peerKeepalivePeriodMsec |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+ struct setKeepaliveUserControlMessagePayload_t
+ {
+ uint16_t eventType = 41;
+ uint32_t serverKeepalivePeriodMsec;
+ uint32_t peerKeepalivePeriodMsec;
+ } :10*8;
+
+ eventType: The RTMP User Control Message Event Type. Set Keepalive
+ Timers messages have type 41 (0x29);
+
+ serverKeepalivePeriodMsec: The keepalive period, in milliseconds,
+ that the client is advised to set on its RTMFP session with the
+ server;
+
+ peerKeepalivePeriodMsec: The keepalive period, in milliseconds, that
+ the client is advised to use on its RTMFP sessions with any peer
+ that is not the server.
+
+
+
+
+
+
+
+
+Thornburgh Informational [Page 39]
+
+RFC 7425 Adobe RTMFP for Flash Communication December 2014
+
+
+ The client MUST define minimum values for these keepalive periods,
+ below which it will not set them, regardless of the values in this
+ message. The minimum keepalive timer periods SHOULD be at least five
+ seconds. The client MAY define maximum values for these keepalive
+ periods, above which it will not set them.
+
+ On receipt of this message from the server, a client SHOULD set its
+ RTMFP server and peer keepalive timer periods to the indicated values
+ subject to the client's minimum and maximum values. The server MAY
+ send this message more than once, particularly if conditions that it
+ uses to determine the timer periods change.
+
+5.3.5. Additional Flows for Streams
+
+ The client or server opens additional flows to the other side to
+ carry messages for any stream. Additional flows are associated to
+ the canonical NetConnection control flow from the other side.
+
+ Client Server
+ ------>--C2S-Control-Flow------------------------->--+
+ |
+ +--<------------------------S2C-Control-Flow---<--+
+ | |
+ | <------------------------S2C-Stream-Flow-1--<--+
+ | : |
+ | <------------------------S2C-Stream-Flow-M--<--+
+ |
+ +-->--C2S-Stream-Flow-1------------------------>
+ | :
+ +-->--C2S-Stream-Flow-N------------------------>
+
+ Figure 4: Schematic Flow Association Tree for a NetConnection
+
+5.3.5.1. To Server
+
+ Additional flows from the client to the server for stream messages
+ are opened with the Stream ID for that stream and associated in
+ return to the server's canonical NetConnection control flow.
+
+ The client MAY create as many flows as desired for any Stream ID
+ (including Stream ID 0) at any time.
+
+5.3.5.2. From Server
+
+ Additional flows from the server to the client for stream messages
+ are opened with the Stream ID for that stream, and associated in
+ return to the client's NetConnection control flow.
+
+
+
+
+Thornburgh Informational [Page 40]
+
+RFC 7425 Adobe RTMFP for Flash Communication December 2014
+
+
+ The server MAY create as many flows as desired for any Stream ID
+ (including Stream ID 0) at any time.
+
+5.3.5.3. Closing Stream Flows
+
+ Either end MAY close a sending flow that is not for Stream ID 0 at
+ any time with no semantic meaning for the stream.
+
+ At any time, either end MAY reject a receiving flow that is not one
+ of the other end's NetConnection control flows. No flow exception
+ codes are defined by this profile, so the receiving end SHOULD use
+ exception code 0 when rejecting the flow. The sending end, on
+ notification of any exception for a stream flow, SHOULD NOT open a
+ new flow to take the rejected flow's place for transport of messages
+ for that stream. If an end rejects any flow for a stream, it SHOULD
+ reject all the flows for that stream, otherwise Flow Synchronization
+ messages (Section 5.2) that were in flight could be discarded and
+ some flows might become or remain stuck in a suspended state.
+
+5.3.6. Closing the Connection
+
+ The client or server can signal an orderly close of the connection by
+ closing its NetConnection control sending flows and all stream
+ sending flows. The other end, on receiving a close/complete
+ notification for the canonical NetConnection control receiving flow,
+ closes its sending flows. When both ends observe all receiving flows
+ have closed and completed, the connection has cleanly terminated.
+
+ Either end can abruptly terminate the connection by rejecting the
+ NetConnection control receiving flows or by closing the underlying
+ RTMFP session. On notification of any exception on a NetConnection
+ control sending flow, the end seeing the exception knows the other
+ end has terminated abruptly, and can immediately close all sending
+ and receiving flows for that connection.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Thornburgh Informational [Page 41]
+
+RFC 7425 Adobe RTMFP for Flash Communication December 2014
+
+
+5.3.7. Example
+
+ Client Server
+ |IHello (EPD:anc=URI) |
+ -+- |------------------------>|
+ | | |
+ | | RHello (RCert:anc)|
+ RTMFP | |<------------------------|
+ Session| | |
+ Hand- | |IIKeying |
+ shake | |------------------------>|
+ | | |
+ | | RIKeying|
+ -+- |<------------------------|
+ | |
+ -+- |"connect" command |
+ (Str.ID=0)|-CFlow-0---------------->|
+ | | |
+ | | "_result" response|
+ RTMP | |<----------------SFlow-0-|(Str.ID=0,
+ Connect| | | Assoc=CFlow-0)
+ Hand- | |"setPeerInfo" command |
+ shake | |-CFlow-0---------------->|
+ -+- | |
+ |"createStream" command |
+ -+- |-CFlow-0---------------->|
+ | | |
+ | | "_result" (str.ID=5)|
+ | |<----------------SFlow-0-|
+ | | |
+ | |"play" command |
+ (Str.ID=5,|-CFlow-1---------------->|
+ Assoc=SFlow-0)| |
+ | | StreamBegin User Control|
+ | |<----------------SFlow-1-|(Str.ID=5,
+ | | | Assoc=CFlow-0)
+ | | (RTMP stream events) |
+ Streaming | |<----------------SFlow-1-|
+ | | |
+ | | Audio Data |
+ | |<----------------SFlow-2-|(Str.ID=5,
+ | | | Assoc=CFlow-0)
+ | | Video Data |
+ | |<----------------SFlow-3-|(Str.ID=5,
+ | | : | Assoc=CFlow-0)
+ | : |
+
+ Figure 5: Example NetConnection Message Exchange
+
+
+
+Thornburgh Informational [Page 42]
+
+RFC 7425 Adobe RTMFP for Flash Communication December 2014
+
+
+5.4. Direct Peer-to-Peer Streams
+
+ Clients can connect directly to other clients for P2P streaming and
+ data exchange. A client MAY have multiple separate P2P NetStreams
+ with a peer in one RTMFP session, each a separate logical connection.
+ P2P NetStreams are unidirectional, initiated by a subscriber (the
+ side issuing the "play" command) to a publisher. The subscribing
+ peer has a control flow to the publisher. The publisher has zero or
+ more return flows to the subscriber associated to the subscriber's
+ control flow, for the stream media and data.
+
+5.4.1. Connecting
+
+ A client desires to subscribe directly to a stream being published in
+ P2P mode by a publishing peer. The client learns the peer ID of the
+ publisher and the stream name through application-specific means.
+
+ If the client does not already have an RTMFP session with that peer
+ ID, it initiates a new session, creating an EPD containing a
+ Fingerprint option (Section 4.4.2.3) for the publisher's peer ID and
+ using the server session's DESTADDR as the initial candidate address
+ for the session to the peer. The server acts as an Introducer
+ (Section 3.5.1.6 of RFC 7016), using forward and redirect messages to
+ help the client and the peer establish a session.
+
+ When an S_OPEN session exists to the desired peer, the client creates
+ a new independent flow to that peer. The flow MUST have a non-zero
+ Stream ID. The client sends an RTMP "play" command over the flow,
+ giving the name of the desired stream at the publisher. This flow is
+ the subscriber's control flow.
+
+5.4.2. Return Flows for Stream
+
+ The publisher, on accepting a new flow not indicating a return
+ association with any of its sending flows and having a non-zero
+ Stream ID, receives and processes the "play" command. If and when
+ the request is acceptable to the publisher, it opens one or more
+ return flows to the subscribing peer, associated to the subscriber's
+ control flow and having the same Stream ID. The publisher sends a
+ StreamBegin User Control message, appropriate RTMP status events, and
+ the stream media over the one or more return flows.
+
+ The subscriber uses the return association of the media flows to the
+ subscriber control flow to determine the stream to which the media
+ belongs.
+
+
+
+
+
+
+Thornburgh Informational [Page 43]
+
+RFC 7425 Adobe RTMFP for Flash Communication December 2014
+
+
+ The publisher MAY open any number of media flows for the stream and
+ close them at any time. The opening and closing of media flows has
+ no semantic meaning for the stream, except that the opening of at
+ least one flow and the reception of at least one media message or a
+ StreamBegin User Control message indicates that the publisher is
+ publishing the requested stream to the subscriber.
+
+ Subscriber Publisher
+ ------>--Subscriber-Control-Flow------------------>--+
+ |
+ <------------------Publisher-Stream-Flow-1--<--+
+ : |
+ <------------------Publisher-Stream-Flow-N--<--+
+
+ Figure 6: Schematic Flow Association Tree for a P2P Direct Connection
+
+5.4.3. Closing the Connection
+
+ Either end can close the stream by closing or rejecting the
+ subscriber's control flow. The publisher SHOULD close and unpublish
+ to the subscriber on receipt of a close/complete of the control flow.
+ The subscriber SHOULD consider the stream closed on notification of
+ any exception on the control flow.
+
+6. IANA Considerations
+
+ This memo specifies option type code values for Certificate fields
+ (Section 4.3.3), Endpoint Discriminator fields (Section 4.4.2), and
+ Session Keying Component fields (Section 4.5.2). It also specifies a
+ flow metadata signature (Section 5.1.1). The type code values and
+ signatures for this profile are assigned and maintained by Adobe, and
+ therefore require no action from IANA.
+
+6.1. RTMFP URI Scheme Registration
+
+ This memo describes use of an RTMFP URI scheme (Section 4.4.2.2,
+ Section 5.3.1, Figure 5). Per this section, the "rtmfp" URI scheme
+ has been registered by IANA.
+
+ The syntax and semantics of this URI scheme are described using the
+ Augmented Backus-Naur Form (ABNF) [RFC5234] rules from RFC 3986.
+
+
+
+
+
+
+
+
+
+
+Thornburgh Informational [Page 44]
+
+RFC 7425 Adobe RTMFP for Flash Communication December 2014
+
+
+ URI scheme name: rtmfp
+
+ Status: provisional
+
+ URI scheme syntax:
+
+ rtmfp-uri-scheme = "rtmfp:"
+ / "rtmfp://" host [ ":" port ] path-abempty
+
+ URI scheme semantics: The first form is used in the APIs of some
+ implementations to indicate instantiation of an RTMFP client
+ according to this memo, but without connecting to a server. Such
+ an instantiation might be used for pure peer-to-peer
+ communication.
+
+ The second form provides location information for the server to
+ which to connect and optional additional information to pass to
+ the server. The only operation for this URI form is to connect to
+ a server (initial candidate address(es) for which are named by
+ host and port) according to Section 5.3. The UDP port for initial
+ candidate addresses, if not specified, is 1935. If the host is a
+ reg-name, the initial candidate address set SHOULD comprise all
+ IPv4 and IPv6 addresses to which reg-name resolves. The semantics
+ of path-abempty are specific to the server. Connections are made
+ using RTMFP as specified by this memo.
+
+ Encoding considerations: The path-abempty component represents
+ textual data consisting of characters from the Universal Character
+ Set. This component SHOULD be encoded according to Section 2.5 of
+ RFC 3986.
+
+ Applications/protocols that use this URI scheme name: The Flash
+ runtime (including Flash Player) from Adobe Systems Incorporated,
+ communication servers such as Adobe Media Server, and
+ interoperable clients and servers provided by other parties, using
+ RTMFP according to this memo.
+
+ Interoperability considerations: This scheme requires use of RTMFP
+ as defined by RFC 7016 in the manner described by this memo.
+
+ Security considerations: See Security Considerations (Section 7) in
+ this memo.
+
+ Contact: Michael Thornburgh, Adobe Systems Incorporated,
+ <mthornbu@adobe.com>.
+
+ Author/Change controller: Michael Thornburgh, Adobe Systems
+ Incorporated, <mthornbu@adobe.com>.
+
+
+
+Thornburgh Informational [Page 45]
+
+RFC 7425 Adobe RTMFP for Flash Communication December 2014
+
+
+ References:
+ Thornburgh, M., "Adobe's Secure Real-Time Media Flow Protocol",
+ RFC 7016, November 2013.
+
+ This memo.
+
+7. Security Considerations
+
+ Section 4 details the cryptographic aspects of this profile.
+
+ This profile does not define or use a Public Key Infrastructure
+ (PKI). Clients SHOULD use static Diffie-Hellman keys in their
+ certificates (Section 4.3.3.5). Clients MUST create a new
+ certificate with a distinct fingerprint for each new NetConnection
+ (Section 5.3). These constraints make client identities ephemeral
+ but unable to be forged. A man-in-the-middle cannot successfully
+ interpose itself in a connection to a target client addressed by its
+ fingerprint/peer ID if the target client uses a static Diffie-Hellman
+ public key.
+
+ Servers can have long-lived RTMFP instances, so they SHOULD use
+ ephemeral Diffie-Hellman public keys for forward secrecy. This
+ allows server peer IDs to be forged; however, clients do not connect
+ to servers by peer ID, so this is irrelevant.
+
+ When a client connects to a server, the client will accept the
+ response of any endpoint claiming to be "a server". It is assumed
+ that an attacker that can passively observe traffic on a network
+ segment can also inject its own packets with any source or
+ destination and any payload. An attacker can trick a client into
+ connecting to a rogue server or man-in-the-middle, either by
+ observing Initiator Hello packets from the client and responding
+ earliest with a matching Responder Hello or by using tricks such as
+ DNS spoofing or poisoning to direct a client to connect directly to
+ the rogue. A TCP-based transport would be vulnerable to similar
+ attacks. Since there is no PKI, this profile gives no guarantee that
+ the client has actually connected to the desired server, versus a
+ rogue or man-in-the-middle. In circumstances where assurance is
+ required that the connection is directly to the desired server, the
+ client can use the Session Nonces (Section 4.6.5) to challenge the
+ server, for example, over a different channel having acceptable
+ security properties (such as an HTTPS) to transitively establish the
+ server's identity and verify that the end-to-end communication is
+ private and authentic.
+
+ When session sequence numbers (Section 4.7.3.3) are not used, it is
+ possible for an attacker to use traffic analysis techniques and
+ record encrypted packets containing the start of a new flow, and
+
+
+
+Thornburgh Informational [Page 46]
+
+RFC 7425 Adobe RTMFP for Flash Communication December 2014
+
+
+ later to replay those packets after the flow has closed, which can
+ look to the receiver like a brand new flow. In circumstances where
+ this can be detrimental, session sequence numbers SHOULD be used.
+ Replay of packets for existing flows is not detrimental as the
+ receiver detects and discards duplicate flow sequence numbers, and
+ flow sequence numbers do not wrap or otherwise repeat.
+
+ Packet encryption uses CBC with the same (null) initialization vector
+ for each packet. This can reveal to an observer whether two packets
+ contain identical plaintext. However, the maximum-length RTMFP
+ common header and User Data or Data Acknowledgement header, including
+ flow sequence number, always fit within the first 16-byte cipher
+ block, so each initial cipher block for most packets will already be
+ unique even if timestamps are suppressed. Sending identical messages
+ in a flow uses unique flow sequence numbers, so cipher blocks will be
+ unique in this case. Keepalive pings and retransmission of lost data
+ can result in identical cipher blocks; however, traffic analysis can
+ also reveal likely keepalives or retransmissions, and retransmission
+ only occurs as a result of observable network loss, so this is
+ usually irrelevant. In circumstances where any identical cipher
+ block is unacceptable, session sequence numbers SHOULD be used as
+ they guarantee each initial cipher block will be unique.
+
+ Packet verification can use a 16-bit simple checksum
+ (Section 4.7.3.1). The checksum is inside the encrypted packet, so
+ for external packet modifications the checksum is equivalent to a
+ 16-bit cryptographic digest. In circumstances where this is
+ insufficient, HMAC verification (Section 4.7.3.2) SHOULD be used.
+
+8. References
+
+8.1. Normative References
+
+ [AES] National Institute of Standards and Technology, "Advanced
+ Encryption Standard (AES)", FIPS PUB 197, November 2001,
+ <http://csrc.nist.gov/publications/fips/fips197/
+ fips-197.pdf>.
+
+ [AMF0] Adobe Systems Incorporated, "Action Message Format -- AMF
+ 0", December 2007, <http://www.adobe.com/go/spec_amf0>.
+
+ [AMF3] Adobe Systems Incorporated, "Action Message Format -- AMF
+ 3", January 2013, <http://www.adobe.com/go/spec_amf3>.
+
+ [CBC] Dworkin, M., "Recommendation for Block Cipher Modes of
+ Operation", NIST Special Publication 800-38A, December
+ 2001, <http://csrc.nist.gov/publications/nistpubs/800-38a/
+ sp800-38a.pdf>.
+
+
+
+Thornburgh Informational [Page 47]
+
+RFC 7425 Adobe RTMFP for Flash Communication December 2014
+
+
+ [DH] Diffie, W. and M. Hellman, "New Directions in
+ Cryptography", IEEE Transactions on Information Theory, V.
+ IT-22, n. 6, June 1977.
+
+ [RFC2104] Krawczyk, H., Bellare, M., and R. Canetti, "HMAC: Keyed-
+ Hashing for Message Authentication", RFC 2104, February
+ 1997, <http://www.rfc-editor.org/info/rfc2104>.
+
+ [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
+ Requirement Levels", BCP 14, RFC 2119, March 1997,
+ <http://www.rfc-editor.org/info/rfc2119>.
+
+ [RFC3526] Kivinen, T. and M. Kojo, "More Modular Exponential (MODP)
+ Diffie-Hellman groups for Internet Key Exchange (IKE)",
+ RFC 3526, May 2003,
+ <http://www.rfc-editor.org/info/rfc3526>.
+
+ [RFC3629] Yergeau, F., "UTF-8, a transformation format of ISO
+ 10646", STD 63, RFC 3629, November 2003,
+ <http://www.rfc-editor.org/info/rfc3629>.
+
+ [RFC3986] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform
+ Resource Identifier (URI): Generic Syntax", STD 66, RFC
+ 3986, January 2005,
+ <http://www.rfc-editor.org/info/rfc3986>.
+
+ [RFC5234] Crocker, D. and P. Overell, "Augmented BNF for Syntax
+ Specifications: ABNF", STD 68, RFC 5234, January 2008,
+ <http://www.rfc-editor.org/info/rfc5234>.
+
+ [RFC6234] Eastlake, D. and T. Hansen, "US Secure Hash Algorithms
+ (SHA and SHA-based HMAC and HKDF)", RFC 6234, May 2011,
+ <http://www.rfc-editor.org/info/rfc6234>.
+
+ [RFC7016] Thornburgh, M., "Adobe's Secure Real-Time Media Flow
+ Protocol", RFC 7016, November 2013,
+ <http://www.rfc-editor.org/info/rfc7016>.
+
+ [RFC7296] Kaufman, C., Hoffman, P., Nir, Y., Eronen, P., and T.
+ Kivinen, "Internet Key Exchange Protocol Version 2
+ (IKEv2)", STD 79, RFC 7296, October 2014,
+ <http://www.rfc-editor.org/info/rfc7296>.
+
+ [RTMP] Adobe Systems Incorporated, "Real-Time Messaging Protocol
+ (RTMP) specification", December 2012,
+ <http://www.adobe.com/go/spec_rtmp>.
+
+
+
+
+
+Thornburgh Informational [Page 48]
+
+RFC 7425 Adobe RTMFP for Flash Communication December 2014
+
+
+ [SHA256] National Institute of Standards and Technology, "Secure
+ Hash Standard", FIPS PUB 180-4, March 2012,
+ <http://csrc.nist.gov/publications/fips/fips180-4/
+ fips-180-4.pdf>.
+
+8.2. Informative References
+
+ [RFC1035] Mockapetris, P., "Domain names - implementation and
+ specification", STD 13, RFC 1035, November 1987,
+ <http://www.rfc-editor.org/info/rfc1035>.
+
+ [RFC1071] Braden, R., Borman, D., Partridge, C., and W. Plummer,
+ "Computing the Internet checksum", RFC 1071, September
+ 1988, <http://www.rfc-editor.org/info/rfc1071>.
+
+ [RFC4302] Kent, S., "IP Authentication Header", RFC 4302, December
+ 2005, <http://www.rfc-editor.org/info/rfc4302>.
+
+ [RFC4303] Kent, S., "IP Encapsulating Security Payload (ESP)", RFC
+ 4303, December 2005,
+ <http://www.rfc-editor.org/info/rfc4303>.
+
+ [RFC6479] Zhang, X. and T. Tsou, "IPsec Anti-Replay Algorithm
+ without Bit Shifting", RFC 6479, January 2012,
+ <http://www.rfc-editor.org/info/rfc6479>.
+
+Acknowledgements
+
+ Special thanks go to Glenn Eguchi, Matthew Kaufman, and Adam Lane for
+ their contributions to the design of this profile.
+
+ Thanks to Philipp Hancke, Kevin Igoe, Paul Kyzivat, and Milos
+ Trboljevac for their detailed reviews of this memo.
+
+Author's Address
+
+ Michael C. Thornburgh
+ Adobe Systems Incorporated
+ 345 Park Avenue
+ San Jose, CA 95110-2704
+ United States
+
+ Phone: +1 408 536 6000
+ EMail: mthornbu@adobe.com
+ URI: http://www.adobe.com/
+
+
+
+
+
+
+Thornburgh Informational [Page 49]
+