Diffstat (limited to 'doc/rfc/rfc8269.txt')
-rw-r--r-- | doc/rfc/rfc8269.txt | 1067 |
1 files changed, 1067 insertions, 0 deletions
diff --git a/doc/rfc/rfc8269.txt b/doc/rfc/rfc8269.txt new file mode 100644 index 0000000..ab8f1be --- /dev/null +++ b/doc/rfc/rfc8269.txt 
@@ -0,0 +1,1067 @@ + + + + + + +Internet Engineering Task Force (IETF) W. Kim +Request for Comments: 8269 J. Lee +Category: Informational J. Park +ISSN: 2070-1721 D. Kwon + NSRI + D. Kim + Kookmin Univ. + October 2017 + + + The ARIA Algorithm and Its Use with + the Secure Real-Time Transport Protocol (SRTP) + +Abstract + + This document defines the use of the ARIA block cipher algorithm + within the Secure Real-time Transport Protocol (SRTP). It details + two modes of operation (CTR and GCM) and the SRTP key derivation + functions for ARIA. Additionally, this document defines DTLS-SRTP + protection profiles and Multimedia Internet KEYing (MIKEY) parameter + sets for use with ARIA. + +Status of This Memo + + This document is not an Internet Standards Track specification; it is + published for informational purposes. + + This document is a product of the Internet Engineering Task Force + (IETF). It represents the consensus of the IETF community. It has + received public review and has been approved for publication by the + Internet Engineering Steering Group (IESG). Not all documents + approved by the IESG are a candidate for any level of Internet + Standard; see Section 2 of RFC 7841. + + Information about the current status of this document, any errata, + and how to provide feedback on it may be obtained at + https://www.rfc-editor.org/info/rfc8269. + + + + + + + + + + + + + + +Kim, et al. Informational [Page 1] + +RFC 8269 ARIA Algorithm for SRTP October 2017 + + +Copyright Notice + + Copyright (c) 2017 IETF Trust and the persons identified as the + document authors. All rights reserved. + + This document is subject to BCP 78 and the IETF Trust's Legal + Provisions Relating to IETF Documents + (https://trustee.ietf.org/license-info) in effect on the date of + publication of this document. Please review these documents + carefully, as they describe your rights and restrictions with respect + to this document. 
Code Components extracted from this document must + include Simplified BSD License text as described in Section 4.e of + the Trust Legal Provisions and are provided without warranty as + described in the Simplified BSD License. + +Table of Contents + + 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 + 1.1. ARIA . . . . . . . . . . . . . . . . . . . . . . . . . . 3 + 1.2. Terminology . . . . . . . . . . . . . . . . . . . . . . . 3 + 2. Cryptographic Transforms . . . . . . . . . . . . . . . . . . 3 + 2.1. ARIA-CTR . . . . . . . . . . . . . . . . . . . . . . . . 3 + 2.2. ARIA-GCM . . . . . . . . . . . . . . . . . . . . . . . . 4 + 3. Key Derivation Functions . . . . . . . . . . . . . . . . . . 4 + 4. Protection Profiles . . . . . . . . . . . . . . . . . . . . . 4 + 5. Security Considerations . . . . . . . . . . . . . . . . . . . 7 + 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 8 + 6.1. DTLS-SRTP . . . . . . . . . . . . . . . . . . . . . . . . 8 + 6.2. MIKEY . . . . . . . . . . . . . . . . . . . . . . . . . . 8 + 7. References . . . . . . . . . . . . . . . . . . . . . . . . . 9 + 7.1. Normative References . . . . . . . . . . . . . . . . . . 9 + 7.2. Informative References . . . . . . . . . . . . . . . . . 11 + Appendix A. Test Vectors . . . . . . . . . . . . . . . . . . . . 12 + A.1. ARIA-CTR Test Vectors . . . . . . . . . . . . . . . . . . 12 + A.1.1. SRTP_ARIA_128_CTR_HMAC_SHA1_80 . . . . . . . . . . . 12 + A.1.2. SRTP_ARIA_256_CTR_HMAC_SHA1_80 . . . . . . . . . . . 13 + A.2. ARIA-GCM Test Vectors . . . . . . . . . . . . . . . . . . 14 + A.2.1. SRTP_AEAD_ARIA_128_GCM . . . . . . . . . . . . . . . 14 + A.2.2. SRTP_AEAD_ARIA_256_GCM . . . . . . . . . . . . . . . 15 + A.3. Key Derivation Test Vectors . . . . . . . . . . . . . . . 15 + A.3.1. ARIA_128_CTR_PRF . . . . . . . . . . . . . . . . . . 15 + A.3.2. ARIA_256_CTR_PRF . . . . . . . . . . . . . . . . . . 17 + Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 
19 + + + + + + + + +Kim, et al. Informational [Page 2] + +RFC 8269 ARIA Algorithm for SRTP October 2017 + + +1. Introduction + + This document defines the use of the ARIA block cipher algorithm + [RFC5794] in the Secure Real-time Transport Protocol (SRTP) [RFC3711] + for providing confidentiality for Real-time Transport Protocol (RTP) + [RFC3550] traffic and for RTP Control Protocol (RTCP) [RFC3550] + traffic. + +1.1. ARIA + + ARIA is a general-purpose block cipher algorithm developed by Korean + cryptographers in 2003. It is an iterated block cipher with 128-, + 192-, and 256-bit keys and encrypts 128-bit blocks in 12, 14, and 16 + rounds, depending on the key size. It is secure and suitable for + most software and hardware implementations on 32-bit and 8-bit + processors. It was established as a Korean standard block cipher + algorithm in 2004 [ARIAKS] and has been widely used in Korea, + especially for government-to-public services. It was included in + Public-Key Cryptography Standards (PKCS) #11 in 2007 [ARIAPKCS]. The + algorithm specification and object identifiers are described in + [RFC5794]. + +1.2. Terminology + + The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", + "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and + "OPTIONAL" in this document are to be interpreted as described in BCP + 14 [RFC2119] [RFC8174] when, and only when, they appear in all + capitals, as shown here. + +2. Cryptographic Transforms + + Block ciphers ARIA and AES share common characteristics including + mode, key size, and block size. ARIA does not have any restrictions + for modes of operation that are used with this block cipher. We + define two modes of running ARIA within SRTP: (1) ARIA in Counter + Mode (ARIA-CTR) and (2) ARIA in Galois/Counter Mode (ARIA-GCM). + +2.1. ARIA-CTR + + Section 4.1.1 of [RFC3711] defines AES-128 counter mode encryption, + which it refers to as "AES_CM". Section 2 of [RFC6188] defines + "AES_256_CM" in SRTP. 
ARIA counter modes are defined in the same + manner except that each invocation of AES is replaced by that of ARIA + [RFC5794] and are denoted by ARIA_128_CTR and ARIA_256_CTR, + respectively, according to the key lengths. The plaintext inputs to + the block cipher are formed as in AES-CTR (AES_CM, AES_256_CM) and + the block cipher outputs are processed as in AES-CTR. Note that, + + + +Kim, et al. Informational [Page 3] + +RFC 8269 ARIA Algorithm for SRTP October 2017 + + + ARIA-CTR MUST be used only in conjunction with an authentication + transform. + + Section 3.2 of [RFC6904] defines AES-CTR for SRTP header extension + keystream generation. When ARIA-CTR is used, the header extension + keystream SHALL be generated in the same manner except that each + invocation of AES is replaced by that of ARIA [RFC5794]. + +2.2. ARIA-GCM + + Galois/Counter Mode [GCM] [RFC5116] is an Authenticated Encryption + with Associated Data (AEAD) block cipher mode. A detailed + description of ARIA-GCM is defined similarly as AES-GCM found in + [RFC5116] and [RFC5282]. + + [RFC7714] describes the use of AES-GCM with SRTP. The use of ARIA- + GCM with SRTP is defined the same as AES-GCM except that each + invocation of AES is replaced by ARIA [RFC5794]. When encryption of + header extensions [RFC6904] is in use, a separate keystream to + encrypt selected RTP header extension elements MUST be generated in + the same manner defined in [RFC7714] except that AES-CTR is replaced + by ARIA-CTR. + +3. Key Derivation Functions + + Section 4.3.3 of [RFC3711] defines the AES-128 counter mode key + derivation function, which it refers to as "AES-CM PRF". Section 3 + of [RFC6188] defines the AES-256 counter mode key derivation + function, which it refers to as "AES_256_CM_PRF". The ARIA-CTR + Pseudorandom Function (PRF) is defined in a same manner except that + each invocation of AES is replaced by that of ARIA. 
According to the + key lengths of the underlying encryption algorithm, ARIA-CTR PRFs are + denoted by "ARIA_128_CTR_PRF" and "ARIA_256_CTR_PRF". The usage + requirements of [RFC6188] and [RFC7714] regarding the AES-CM PRF + apply to the ARIA-CTR PRF as well. + +4. Protection Profiles + + This section defines SRTP protection profiles that use the ARIA + transforms and key derivation functions defined in this document. + The following list indicates the SRTP transform parameters for each + protection profile. Those are described for use with DTLS-SRTP + [RFC5764]. + + The parameters cipher_key_length, cipher_salt_length, + auth_key_length, and auth_tag_length express the number of bits in + the values to which they refer. The maximum_lifetime parameter + indicates the maximum number of packets that can be protected with + + + +Kim, et al. Informational [Page 4] + +RFC 8269 ARIA Algorithm for SRTP October 2017 + + + each single set of keys when the parameter profile is in use. All of + these parameters apply to both RTP and RTCP, unless the RTCP + parameters are separately specified. 
+ + SRTP_ARIA_128_CTR_HMAC_SHA1_80 + cipher: ARIA_128_CTR + cipher_key_length: 128 bits + cipher_salt_length: 112 bits + key derivation function: ARIA_128_CTR_PRF + auth_function: HMAC-SHA1 + auth_key_length: 160 bits + auth_tag_length: 80 bits + maximum_lifetime: at most 2^31 SRTCP packets and + at most 2^48 SRTP packets + + SRTP_ARIA_128_CTR_HMAC_SHA1_32 + cipher: ARIA_128_CTR + cipher_key_length: 128 bits + cipher_salt_length: 112 bits + key derivation function: ARIA_128_CTR_PRF + auth_function: HMAC-SHA1 + auth_key_length: 160 bits + SRTP auth_tag_length: 32 bits + SRTCP auth_tag_length: 80 bits + maximum_lifetime: at most 2^31 SRTCP packets and + at most 2^48 SRTP packets + + SRTP_ARIA_256_CTR_HMAC_SHA1_80 + cipher: ARIA_256_CTR + cipher_key_length: 256 bits + cipher_salt_length: 112 bits + key derivation function: ARIA_256_CTR_PRF + auth_function: HMAC-SHA1 + auth_key_length: 160 bits + auth_tag_length: 80 bits + maximum_lifetime: at most 2^31 SRTCP packets and + at most 2^48 SRTP packets + + + + + + + + + + + + + + +Kim, et al. 
Informational [Page 5] + +RFC 8269 ARIA Algorithm for SRTP October 2017 + + + SRTP_ARIA_256_CTR_HMAC_SHA1_32 + cipher: ARIA_256_CTR + cipher_key_length: 256 bits + cipher_salt_length: 112 bits + key derivation function: ARIA_256_CTR_PRF + auth_function: HMAC-SHA1 + auth_key_length: 160 bits + SRTP auth_tag_length: 32 bits + SRTCP auth_tag_length: 80 bits + maximum_lifetime: at most 2^31 SRTCP packets and + at most 2^48 SRTP packets + + SRTP_AEAD_ARIA_128_GCM + cipher: ARIA_128_GCM + cipher_key_length: 128 bits + cipher_salt_length: 96 bits + aead_auth_tag_length: 128 bits + auth_function: NULL + auth_key_length: N/A + auth_tag_length: N/A + key derivation function: ARIA_128_CTR_PRF + maximum_lifetime: at most 2^31 SRTCP packets and + at most 2^48 SRTP packets + + SRTP_AEAD_ARIA_256_GCM + cipher: ARIA_256_GCM + cipher_key_length: 256 bits + cipher_salt_length: 96 bits + aead_auth_tag_length: 128 bits + auth_function: NULL + auth_key_length: N/A + auth_tag_length: N/A + key derivation function: ARIA_256_CTR_PRF + maximum_lifetime: at most 2^31 SRTCP packets and + at most 2^48 SRTP packets + + The ARIA-CTR protection profiles use the same authentication + transform that is mandatory to implement in SRTP: HMAC-SHA1 with a + 160-bit key. + + Note that SRTP protection profiles that use AEAD algorithms do not + specify an auth_function, auth_key_length, or auth_tag_length, since + they do not use a separate auth_function, auth_key, or auth_tag. The + term aead_auth_tag_length is used to emphasize that this refers to + the authentication tag provided by the AEAD algorithm and that this + tag is not located in the authentication tag field provided by SRTP/ + SRTCP. + + + + +Kim, et al. Informational [Page 6] + +RFC 8269 ARIA Algorithm for SRTP October 2017 + + + The PRFs for ARIA protection profiles are defined by ARIA-CTR PRF of + the equal key length with the encryption algorithm (see Section 2). 
+ SRTP_ARIA_128_CTR_HMAC and SRTP_AEAD_ARIA_128_GCM MUST use the + ARIA_128_CTR_PRF key derivation function. And SRTP_ARIA_256_CTR_HMAC + and SRTP_AEAD_ARIA_256_GCM MUST use the ARIA_256_CTR_PRF key + derivation function. + + MIKEY specifies the SRTP protection profile definition separately + from the key length (which is specified by the session encryption key + length) and the authentication tag length. The DTLS-SRTP [RFC5764] + protection profiles are mapped to MIKEY parameter sets as shown + below. + + +--------------------------------------+ + | Encryption | Encryption | Auth. | + | Algorithm | Key Length | Tag Length | + +======================================+ + SRTP_ARIA_128_CTR_HMAC_80 | ARIA-CTR | 16 octets | 10 octets | + SRTP_ARIA_128_CTR_HMAC_32 | ARIA-CTR | 16 octets | 4 octets | + SRTP_ARIA_256_CTR_HMAC_80 | ARIA-CTR | 32 octets | 10 octets | + SRTP_ARIA_256_CTR_HMAC_32 | ARIA-CTR | 32 octets | 4 octets | + +======================================+ + + Figure 1: Mapping MIKEY Parameters to ARIA-CTR with the HMAC + Algorithm + + +--------------------------------------+ + | Encryption | Encryption | AEAD Auth. | + | Algorithm | Key Length | Tag Length | + +======================================+ + SRTP_AEAD_ARIA_128_GCM | ARIA-GCM | 16 octets | 16 octets | + SRTP_AEAD_ARIA_256_GCM | ARIA-GCM | 32 octets | 16 octets | + +======================================+ + + Figure 2: Mapping MIKEY Parameters to the ARIA-GCM Algorithm + +5. Security Considerations + + At the time of publication of this document, no security problem has + been found on ARIA. Previous security analysis results are + summarized in [ATY]. + + The security considerations in [GCM], [RFC3711], [RFC5116], + [RFC6188], [RFC6904], and [RFC7714] apply to this document as well. + This document includes crypto suites with authentication tags of a + length less than 80 bits. 
These suites MAY be used for certain + application contexts where longer authentication tags may be + undesirable, for example, those mentioned in [RFC3711], Section 7.5. + + + +Kim, et al. Informational [Page 7] + +RFC 8269 ARIA Algorithm for SRTP October 2017 + + + Otherwise, short authentication tags SHOULD NOT be used, since they + may reduce authentication strength. See [RFC3711], Section 9.5 for a + discussion of risks related to weak authentication in SRTP. + + At the time of publication of this document, SRTP recommends HMAC- + SHA1 as the default and mandatory-to-implement MAC algorithm. All + currently registered SRTP crypto suites except the GCM-based ones use + HMAC-SHA1 as their HMAC algorithm to provide message authentication. + Due to security concerns with SHA-1 [RFC6194], the IETF is gradually + moving away from SHA-1 and towards stronger hash algorithms such as + SHA-2 or SHA-3 families. For SRTP, however, SHA-1 is only used in + the calculation of an HMAC, and no security issue is known for this + usage at the time of this publication. + +6. IANA Considerations + +6.1. DTLS-SRTP + + DTLS-SRTP [RFC5764] defines a DTLS-SRTP "SRTP protection profile". + In order to allow the use of the algorithms defined in this document + in DTLS-SRTP, IANA has added the following protection profiles below + to the "DTLS-SRTP Protection Profiles" registry (see + <http://www.iana.org/assignments/srtp-protection/>) created by + [RFC5764]: + + SRTP_ARIA_128_CTR_HMAC_SHA1_80 = {0x00, 0x0B} + SRTP_ARIA_128_CTR_HMAC_SHA1_32 = {0x00, 0x0C} + SRTP_ARIA_256_CTR_HMAC_SHA1_80 = {0x00, 0x0D} + SRTP_ARIA_256_CTR_HMAC_SHA1_32 = {0x00, 0x0E} + SRTP_AEAD_ARIA_128_GCM = {0x00, 0x0F} + SRTP_AEAD_ARIA_256_GCM = {0x00, 0x10} + +6.2. MIKEY + + [RFC3830] and [RFC5748] define encryption algorithms and PRFs for the + SRTP policy in MIKEY. 
In order to allow the use of the algorithms + defined in this document in MIKEY, IANA has updated the "Multimedia + Internet KEYing (MIKEY) Payload Name Spaces" registry (see + <http://www.iana.org/assignments/mikey-payloads/>.) + + + + + + + + + + + + +Kim, et al. Informational [Page 8] + +RFC 8269 ARIA Algorithm for SRTP October 2017 + + + IANA has registered the following two encryption algorithms in the + "Encryption algorithm (Value 0)" subregistry within the "MIKEY + Security Protocol Parameters" registry: + + +---------------+-------+ + | SRTP encr alg | Value | + +---------------+-------+ + | ARIA-CTR | 7 | + | ARIA-GCM | 8 | + +---------------+-------+ + + The default session encryption key length is 16 octets. + + IANA has registered the following PRF in the "SRTP Pseudo Random + Function (Value 5)" subregistry within the "MIKEY Security Protocol + Parameters" registry: + + +----------+-------+ + | SRTP PRF | Value | + +----------+-------+ + | ARIA-CTR | 2 | + +----------+-------+ + +7. References + +7.1. Normative References + + [GCM] Dworkin, M., "Recommendation for Block Cipher Modes of + Operation: Galois/Counter Mode (GCM) and GMAC", NIST + Special publication 800-38D, DOI 10.6028/NIST.SP.800-38D, + November 2007. + + [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate + Requirement Levels", BCP 14, RFC 2119, + DOI 10.17487/RFC2119, March 1997, + <https://www.rfc-editor.org/info/rfc2119>. + + [RFC3550] Schulzrinne, H., Casner, S., Frederick, R., and V. + Jacobson, "RTP: A Transport Protocol for Real-Time + Applications", STD 64, RFC 3550, DOI 10.17487/RFC3550, + July 2003, <https://www.rfc-editor.org/info/rfc3550>. + + [RFC3711] Baugher, M., McGrew, D., Naslund, M., Carrara, E., and K. + Norrman, "The Secure Real-time Transport Protocol (SRTP)", + RFC 3711, DOI 10.17487/RFC3711, March 2004, + <https://www.rfc-editor.org/info/rfc3711>. + + + + + +Kim, et al. 
Informational [Page 9] + +RFC 8269 ARIA Algorithm for SRTP October 2017 + + + [RFC3830] Arkko, J., Carrara, E., Lindholm, F., Naslund, M., and K. + Norrman, "MIKEY: Multimedia Internet KEYing", RFC 3830, + DOI 10.17487/RFC3830, August 2004, + <https://www.rfc-editor.org/info/rfc3830>. + + [RFC5116] McGrew, D., "An Interface and Algorithms for Authenticated + Encryption", RFC 5116, DOI 10.17487/RFC5116, January 2008, + <https://www.rfc-editor.org/info/rfc5116>. + + [RFC5282] Black, D. and D. McGrew, "Using Authenticated Encryption + Algorithms with the Encrypted Payload of the Internet Key + Exchange version 2 (IKEv2) Protocol", RFC 5282, + DOI 10.17487/RFC5282, August 2008, + <https://www.rfc-editor.org/info/rfc5282>. + + [RFC5764] McGrew, D. and E. Rescorla, "Datagram Transport Layer + Security (DTLS) Extension to Establish Keys for the Secure + Real-time Transport Protocol (SRTP)", RFC 5764, + DOI 10.17487/RFC5764, May 2010, + <https://www.rfc-editor.org/info/rfc5764>. + + [RFC5794] Lee, J., Lee, J., Kim, J., Kwon, D., and C. Kim, "A + Description of the ARIA Encryption Algorithm", RFC 5794, + DOI 10.17487/RFC5794, March 2010, + <https://www.rfc-editor.org/info/rfc5794>. + + [RFC6188] McGrew, D., "The Use of AES-192 and AES-256 in Secure + RTP", RFC 6188, DOI 10.17487/RFC6188, March 2011, + <https://www.rfc-editor.org/info/rfc6188>. + + [RFC6904] Lennox, J., "Encryption of Header Extensions in the Secure + Real-time Transport Protocol (SRTP)", RFC 6904, + DOI 10.17487/RFC6904, April 2013, + <https://www.rfc-editor.org/info/rfc6904>. + + [RFC7714] McGrew, D. and K. Igoe, "AES-GCM Authenticated Encryption + in the Secure Real-time Transport Protocol (SRTP)", + RFC 7714, DOI 10.17487/RFC7714, December 2015, + <https://www.rfc-editor.org/info/rfc7714>. + + [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC + 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, + May 2017, <https://www.rfc-editor.org/info/rfc8174>. + + + + + + + + +Kim, et al. 
Informational [Page 10] + +RFC 8269 ARIA Algorithm for SRTP October 2017 + + +7.2. Informative References + + [ARIAKS] Korean Agency for Technology and Standards, "128 bit block + encryption algorithm ARIA - Part 1: General (in Korean)", + KS X 1213-1:2014, December 2014. + + [ARIAPKCS] + RSA Laboratories, "Additional PKCS #11 Mechanisms", + PKCS #11 v2.20, Amendment 3, Revision 1, January 2007. + + [ATY] Abdelkhalek, A., Tolba, M., and A. Youssef, "Improved + Linear Cryptanalysis of Round-Reduced ARIA", Information + Security - ISC 2016, Lecture Notes in Computer Science + (LNCS), Vol. 9866, pp. 18-34, + DOI 10.1007/978-3-319-45871-7_2, September 2016. + + [RFC5748] Yoon, S., Jeong, J., Kim, H., Jeong, H., and Y. Won, "IANA + Registry Update for Support of the SEED Cipher Algorithm + in Multimedia Internet KEYing (MIKEY)", RFC 5748, + DOI 10.17487/RFC5748, August 2010, + <https://www.rfc-editor.org/info/rfc5748>. + + [RFC6194] Polk, T., Chen, L., Turner, S., and P. Hoffman, "Security + Considerations for the SHA-0 and SHA-1 Message-Digest + Algorithms", RFC 6194, DOI 10.17487/RFC6194, March 2011, + <https://www.rfc-editor.org/info/rfc6194>. + + + + + + + + + + + + + + + + + + + + + + + + + +Kim, et al. Informational [Page 11] + +RFC 8269 ARIA Algorithm for SRTP October 2017 + + +Appendix A. Test Vectors + + All values are in hexadecimal and represented by the network order + (called big endian). + +A.1. 
ARIA-CTR Test Vectors + + Common values are organized as follows: + + Rollover Counter: 00000000 + Sequence Number: 315e + SSRC: 20e8f5eb + Authentication Key: f93563311b354748c978913795530631 + 16452309 + Session Salt: cd3a7c42c671e0067a2a2639b43a + Initialization Vector: cd3a7c42e69915ed7a2a263985640000 + RTP Header: 8008315ebf2e6fe020e8f5eb + RTP Payload: f57af5fd4ae19562976ec57a5a7ad55a + 5af5c5e5c5fdf5c55ad57a4a7272d572 + 62e9729566ed66e97ac54a4a5a7ad5e1 + 5ae5fdd5fd5ac5d56ae56ad5c572d54a + e54ac55a956afd6aed5a4ac562957a95 + 16991691d572fd14e97ae962ed7a9f4a + 955af572e162f57a956666e17ae1f54a + 95f566d54a66e16e4afd6a9f7ae1c5c5 + 5ae5d56afde916c5e94a6ec56695e14a + fde1148416e94ad57ac5146ed59d1cc5 + + Note: + SSRC = Synchronization Source + + +A.1.1. SRTP_ARIA_128_CTR_HMAC_SHA1_80 + + Session Key: 0c5ffd37a11edc42c325287fc0604f2e + + Encrypted RTP Payload: 1bf753f412e6f35058cc398dc851aae3 + a6ccdcb463fbed9cfb3de2fb76fdffa9 + e481f5efb64c92487f59dabbc7cc72da + 092485f3fbad87888820b86037311fa4 + 4330e18a59a1e1338ba2c21458493a57 + 463475c54691f91cec785429119e0dfc + d9048f90e07fecd50b528e8c62ee6e71 + 445de5d7f659405135aff3604c2ca4ff + 4aaca40809cb9eee42cc4ad232307570 + 81ca289f2851d3315e9568b501fdce6d + + + + + +Kim, et al. Informational [Page 12] + +RFC 8269 ARIA Algorithm for SRTP October 2017 + + + Authenticated Portion || Rollover Counter: + 8008315ebf2e6fe020e8f5eb1bf753f4 + 12e6f35058cc398dc851aae3a6ccdcb4 + 63fbed9cfb3de2fb76fdffa9e481f5ef + b64c92487f59dabbc7cc72da092485f3 + fbad87888820b86037311fa44330e18a + 59a1e1338ba2c21458493a57463475c5 + 4691f91cec785429119e0dfcd9048f90 + e07fecd50b528e8c62ee6e71445de5d7 + f659405135aff3604c2ca4ff4aaca408 + 09cb9eee42cc4ad23230757081ca289f + 2851d3315e9568b501fdce6d00000000 + + Authentication Tag: f9de4e729054672b0e35 + +A.1.2. 
SRTP_ARIA_256_CTR_HMAC_SHA1_80 + + Session Key: 0c5ffd37a11edc42c325287fc0604f2e + 3e8cd5671a00fe3216aa5eb105783b54 + + Encrypted RTP Payload: c424c59fd5696305e5b13d8e8ca76566 + 17ccd7471088af9debf07b55c750f804 + a5ac2b737be48140958a9b420524112a + e72e4da5bca59d2b1019ddd7dbdc30b4 + 3d5f046152ced40947d62d2c93e7b8e5 + 0f02db2b6b61b010e4c1566884de1fa9 + 702cdf8157e8aedfe3dd77c76bb50c25 + ae4d624615c15acfdeeb5f79482aaa01 + d3e4c05eb601eca2bd10518e9d46b021 + 16359232e9eac0fabd05235dd09e6dea + + Authenticated Portion || Rollover Counter: + 8008315ebf2e6fe020e8f5ebc424c59f + d5696305e5b13d8e8ca7656617ccd747 + 1088af9debf07b55c750f804a5ac2b73 + 7be48140958a9b420524112ae72e4da5 + bca59d2b1019ddd7dbdc30b43d5f0461 + 52ced40947d62d2c93e7b8e50f02db2b + 6b61b010e4c1566884de1fa9702cdf81 + 57e8aedfe3dd77c76bb50c25ae4d6246 + 15c15acfdeeb5f79482aaa01d3e4c05e + b601eca2bd10518e9d46b02116359232 + e9eac0fabd05235dd09e6dea00000000 + + Authentication Tag: 192f515fab04bbb4e62c + + + + + + +Kim, et al. Informational [Page 13] + +RFC 8269 ARIA Algorithm for SRTP October 2017 + + +A.2. ARIA-GCM Test Vectors + + Common values are organized as follows: + + Rollover Counter: 00000000 + Sequence Number: 315e + SSRC: 20e8f5eb + Encryption Salt: 000000000000000000000000 + + Initialization Vector: 000020e8f5eb00000000315e + RTP Payload: f57af5fd4ae19562976ec57a5a7ad55a + 5af5c5e5c5fdf5c55ad57a4a7272d572 + 62e9729566ed66e97ac54a4a5a7ad5e1 + 5ae5fdd5fd5ac5d56ae56ad5c572d54a + e54ac55a956afd6aed5a4ac562957a95 + 16991691d572fd14e97ae962ed7a9f4a + 955af572e162f57a956666e17ae1f54a + 95f566d54a66e16e4afd6a9f7ae1c5c5 + 5ae5d56afde916c5e94a6ec56695e14a + fde1148416e94ad57ac5146ed59d1cc5 + Associated Data: 8008315ebf2e6fe020e8f5eb + + The encrypted RTP payload is longer than the RTP payload by exactly + the GCM authentication tag length (16 octets). + +A.2.1. 
SRTP_AEAD_ARIA_128_GCM + + + Key: e91e5e75da65554a48181f3846349562 + + Encrypted RTP Payload: 4d8a9a0675550c704b17d8c9ddc81a5c + d6f7da34f2fe1b3db7cb3dfb9697102e + a0f3c1fc2dbc873d44bceeae8e444297 + 4ba21ff6789d3272613fb9631a7cf3f1 + 4bacbeb421633a90ffbe58c2fa6bdca5 + 34f10d0de0502ce1d531b6336e588782 + 78531e5c22bc6c85bbd784d78d9e680a + a19031aaf89101d669d7a3965c1f7e16 + 229d7463e0535f4e253f5d18187d40b8 + ae0f564bd970b5e7e2adfb211e89a953 + 5abace3f37f5a736f4be984bbffbedc1 + + + + + + + + + + +Kim, et al. Informational [Page 14] + +RFC 8269 ARIA Algorithm for SRTP October 2017 + + +A.2.2. SRTP_AEAD_ARIA_256_GCM + + Key: 0c5ffd37a11edc42c325287fc0604f2e + 3e8cd5671a00fe3216aa5eb105783b54 + + Encrypted RTP Payload: 6f9e4bcbc8c85fc0128fb1e4a0a20cb9 + 932ff74581f54fc013dd054b19f99371 + 425b352d97d3f337b90b63d1b082adee + ea9d2d7391897d591b985e55fb50cb53 + 50cf7d38dc27dda127c078a149c8eb98 + 083d66363a46e3726af217d3a00275ad + 5bf772c7610ea4c23006878f0ee69a83 + 97703169a419303f40b72e4573714d19 + e2697df61e7c7252e5abc6bade876ac4 + 961bfac4d5e867afca351a48aed52822 + e210d6ced2cf430ff841472915e7ef48 + +A.3. Key Derivation Test Vectors + + This section provides test vectors for the default key derivation + function that uses ARIA in Counter Mode. In the following, we walk + through the initial key derivation for the ARIA Counter Mode cipher + that requires a session encryption key of 16/24/32 octets according + to the session encryption key length, a 14-octet session salt, and an + authentication function that requires a 94-octet session + authentication key. These values are called the cipher key, the + cipher salt, and the auth key in the following. The test vectors are + generated in the same way with the test vectors of key derivation + functions in [RFC3711] and [RFC6188] but with each invocation of AES + replaced with an invocation of ARIA. + +A.3.1. 
ARIA_128_CTR_PRF + + The inputs to the key derivation function are the 16-octet master key + and the 14-octet master salt: + + master key: e1f97a0d3e018be0d64fa32c06de4139 + master salt: 0ec675ad498afeebb6960b3aabe6 + + index DIV kdr: 000000000000 + label: 00 + master salt: 0ec675ad498afeebb6960b3aabe6 + ----------------------------------------------- + xor: 0ec675ad498afeebb6960b3aabe6 (x, PRF input) + + x*2^16: 0ec675ad498afeebb6960b3aabe60000 (ARIA-CTR input) + + cipher key: dbd85a3c4d9219b3e81f7d942e299de4 (ARIA-CTR output) + + + +Kim, et al. Informational [Page 15] + +RFC 8269 ARIA Algorithm for SRTP October 2017 + + + ARIA-CTR protection profile requires a 14-octet cipher salt while + ARIA-GCM protection profile requires a 12-octet cipher salt. + + index DIV kdr: 000000000000 + label: 02 + master salt: 0ec675ad498afeebb6960b3aabe6 + ---------------------------------------------- + xor: 0ec675ad498afee9b6960b3aabe6 (x, PRF input) + + x*2^16: 0ec675ad498afee9b6960b3aabe60000 (ARIA-CTR input) + + 9700657f5f34161830d7d85f5dc8be7f (ARIA-CTR output) + + cipher salt: 9700657f5f34161830d7d85f5dc8 (ARIA-CTR profile) + 9700657f5f34161830d7d85f (ARIA-GCM profile) + index DIV kdr: 000000000000 + label: 01 + master salt: 0ec675ad498afeebb6960b3aabe6 + ----------------------------------------------- + xor: 0ec675ad498afeeab6960b3aabe6 (x, PRF input) + + x*2^16: 0ec675ad498afeeab6960b3aabe60000 (ARIA-CTR input) + + Below, the auth key is shown on the left, while the corresponding + ARIA input blocks are shown on the right. 
+ + auth key ARIA input blocks + + d021877bd3eaf92d581ed70ddc050e03 0ec675ad498afeeab6960b3aabe60000 + f11257032676f2a29f57b21abd3a1423 0ec675ad498afeeab6960b3aabe60001 + 769749bdc5dd9ca5b43ca6b6c1f3a7de 0ec675ad498afeeab6960b3aabe60002 + 4047904bcf811f601cc03eaa5d7af6db 0ec675ad498afeeab6960b3aabe60003 + 9f88efa2e51ca832fc2a15b126fa7be2 0ec675ad498afeeab6960b3aabe60004 + 469af896acb1852c31d822c45799 0ec675ad498afeeab6960b3aabe60005 + + + + + + + + + + + + + + + + + +Kim, et al. Informational [Page 16] + +RFC 8269 ARIA Algorithm for SRTP October 2017 + + +A.3.2. ARIA_256_CTR_PRF + + The inputs to the key derivation function are the 32-octet master key + and the 14-octet master salt: + + master key: 0c5ffd37a11edc42c325287fc0604f2e + 3e8cd5671a00fe3216aa5eb105783b54 + master salt: 0ec675ad498afeebb6960b3aabe6 + + index DIV kdr: 000000000000 + label: 00 + master salt: 0ec675ad498afeebb6960b3aabe6 + ----------------------------------------------- + xor: 0ec675ad498afeebb6960b3aabe6 (x, PRF input) + + x*2^16: 0ec675ad498afeebb6960b3aabe60000 (ARIA-CTR input) + + cipher key: 0649a09d93755fe9c2b2efba1cce930a (ARIA-CTR 1st output) + f2e76ce8b77e4b175950321aa94b0cf4 (ARIA-CTR 2nd output) + + ARIA-CTR protection profile requires a 14-octet cipher salt while + ARIA-GCM protection profile requires a 12-octet cipher salt. 
+ + index DIV kdr: 000000000000 + label: 02 + master salt: 0ec675ad498afeebb6960b3aabe6 + ---------------------------------------------- + xor: 0ec675ad498afee9b6960b3aabe6 (x, PRF input) + + x*2^16: 0ec675ad498afee9b6960b3aabe60000 (ARIA-CTR input) + + 194abaa8553a8eba8a413a340fc80a3d (ARIA-CTR output) + + cipher salt: 194abaa8553a8eba8a413a340fc8 (ARIA-CTR profile) + 194abaa8553a8eba8a413a34 (ARIA-GCM profile) + + index DIV kdr: 000000000000 + label: 01 + master salt: 0ec675ad498afeebb6960b3aabe6 + ----------------------------------------------- + xor: 0ec675ad498afeeab6960b3aabe6 (x, PRF input) + + x*2^16: 0ec675ad498afeeab6960b3aabe60000 (ARIA-CTR input) + + + + + + + + +Kim, et al. Informational [Page 17] + +RFC 8269 ARIA Algorithm for SRTP October 2017 + + + Below, the auth key is shown on the left, while the corresponding + ARIA input blocks are shown on the right. + + auth key ARIA input blocks + + e58d42915873b71899234807334658f2 0ec675ad498afeeab6960b3aabe60000 + 0bc460181d06e02b7a9e60f02ff10bfc 0ec675ad498afeeab6960b3aabe60001 + 9ade3795cf78f3e0f2556d9d913470c4 0ec675ad498afeeab6960b3aabe60002 + e82e45d254bfb8e2933851a3930ffe7d 0ec675ad498afeeab6960b3aabe60003 + fca751c03ec1e77e35e28dac4f17d1a5 0ec675ad498afeeab6960b3aabe60004 + 80bdac028766d3b1e8f5a41faa3c 0ec675ad498afeeab6960b3aabe60005 + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +Kim, et al. Informational [Page 18] + +RFC 8269 ARIA Algorithm for SRTP October 2017 + + +Authors' Addresses + + Woo-Hwan Kim + National Security Research Institute + P.O. Box 1, Yuseong + Daejeon 34188 + Korea + + Email: whkim5@nsr.re.kr + + + Jungkeun Lee + National Security Research Institute + P.O. Box 1, Yuseong + Daejeon 34188 + Korea + + Email: jklee@nsr.re.kr + + + Je-Hong Park + National Security Research Institute + P.O. Box 1, Yuseong + Daejeon 34188 + Korea + + Email: jhpark@nsr.re.kr + + + Daesung Kwon + National Security Research Institute + P.O. 
Box 1, Yuseong + Daejeon 34188 + Korea + + Email: ds_kwon@nsr.re.kr + + + Dong-Chan Kim + Kookmin University + 77 Jeongneung-ro, Seongbuk-gu + Seoul 02707 + Korea + + Email: dckim@kookmin.ac.kr + + + + + + +Kim, et al. Informational [Page 19] + |
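Review bot: Appendix A.3 of the added file says the authentication function "requires a 94-octet session authentication key", and the A.3.1 and A.3.2 tables list 94 octets of PRF output for label 01, but every ARIA-CTR profile in Section 4 sets auth_key_length: 160 bits and the A.1 vectors use a 20-octet Authentication Key. The RFC text should stay verbatim, so please record next to this file or in the commit message that known-answer tests built from A.3 should take only the first 20 octets as the HMAC-SHA1 key; a harness that derives the 160-bit key and compares it against the full 94-octet value will fail on a correct derivation. The profile names need the same care: the Section 4 prose and Figure 1 write SRTP_ARIA_128_CTR_HMAC and SRTP_ARIA_128_CTR_HMAC_80, whereas Section 6.1 registers SRTP_ARIA_128_CTR_HMAC_SHA1_80 = {0x00, 0x0B}, so identifiers in code that cites this file should follow Section 6.1.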