summaryrefslogtreecommitdiff
path: root/doc/rfc/rfc8723.txt
diff options
context:
space:
mode:
Diffstat (limited to 'doc/rfc/rfc8723.txt')
-rw-r--r--doc/rfc/rfc8723.txt879
1 files changed, 879 insertions, 0 deletions
diff --git a/doc/rfc/rfc8723.txt b/doc/rfc/rfc8723.txt
new file mode 100644
index 0000000..cf9d33a
--- /dev/null
+++ b/doc/rfc/rfc8723.txt
@@ -0,0 +1,879 @@
+
+
+
+
+Internet Engineering Task Force (IETF) C. Jennings
+Request for Comments: 8723 P. Jones
+Category: Standards Track R. Barnes
+ISSN: 2070-1721 Cisco Systems
+ A.B. Roach
+ Mozilla
+ April 2020
+
+
+Double Encryption Procedures for the Secure Real-Time Transport Protocol
+ (SRTP)
+
+Abstract
+
+ In some conferencing scenarios, it is desirable for an intermediary
+ to be able to manipulate some parameters in Real-time Transport
+ Protocol (RTP) packets, while still providing strong end-to-end
+ security guarantees. This document defines a cryptographic transform
+ for the Secure Real-time Transport Protocol (SRTP) that uses two
+ separate but related cryptographic operations to provide hop-by-hop
+ and end-to-end security guarantees. Both the end-to-end and hop-by-
+ hop cryptographic algorithms can utilize an authenticated encryption
+ with associated data (AEAD) algorithm or take advantage of future
+ SRTP transforms with different properties.
+
+Status of This Memo
+
+ This is an Internet Standards Track document.
+
+ This document is a product of the Internet Engineering Task Force
+ (IETF). It represents the consensus of the IETF community. It has
+ received public review and has been approved for publication by the
+ Internet Engineering Steering Group (IESG). Further information on
+ Internet Standards is available in Section 2 of RFC 7841.
+
+ Information about the current status of this document, any errata,
+ and how to provide feedback on it may be obtained at
+ https://www.rfc-editor.org/info/rfc8723.
+
+Copyright Notice
+
+ Copyright (c) 2020 IETF Trust and the persons identified as the
+ document authors. All rights reserved.
+
+ This document is subject to BCP 78 and the IETF Trust's Legal
+ Provisions Relating to IETF Documents
+ (https://trustee.ietf.org/license-info) in effect on the date of
+ publication of this document. Please review these documents
+ carefully, as they describe your rights and restrictions with respect
+ to this document. Code Components extracted from this document must
+ include Simplified BSD License text as described in Section 4.e of
+ the Trust Legal Provisions and are provided without warranty as
+ described in the Simplified BSD License.
+
+Table of Contents
+
+ 1. Introduction
+ 2. Terminology
+ 3. Cryptographic Context
+ 3.1. Key Derivation
+ 4. Original Header Block
+ 5. RTP Operations
+ 5.1. Encrypting a Packet
+ 5.2. Relaying a Packet
+ 5.3. Decrypting a Packet
+ 6. RTCP Operations
+ 7. Use with Other RTP Mechanisms
+ 7.1. RTP Retransmission (RTX)
+ 7.2. Redundant Audio Data (RED)
+ 7.3. Forward Error Correction (FEC)
+ 7.4. DTMF
+ 8. Recommended Inner and Outer Cryptographic Algorithms
+ 9. Security Considerations
+ 10. IANA Considerations
+ 10.1. DTLS-SRTP
+ 11. References
+ 11.1. Normative References
+ 11.2. Informative References
+ Appendix A. Encryption Overview
+ Acknowledgments
+ Authors' Addresses
+
+1. Introduction
+
+ Cloud conferencing systems that are based on switched conferencing
+ have a central Media Distributor (MD) device that receives media from
+ endpoints and distributes it to other endpoints, but does not need to
+ interpret or change the media content. For these systems, it is
+ desirable to have one cryptographic key that enables encryption and
+ authentication of the media end-to-end while still allowing certain
+ information in the header of an RTP packet to be changed by the MD.
+ At the same time, a separate cryptographic key provides integrity and
+ optional confidentiality for the media flowing between the MD and the
+ endpoints. The framework document [PRIVATE-MEDIA-FRAMEWORK]
+ describes this concept in more detail.
+
+ This specification defines a transform for SRTP that uses 1) the AES
+ Galois/Counter Mode (AES-GCM) algorithm [RFC7714] to provide
+ encryption and integrity for an RTP packet for the end-to-end
+ cryptographic key and 2) a hop-by-hop cryptographic encryption and
+ integrity between the endpoint and the MD. The MD decrypts and
+ checks integrity of the hop-by-hop security. The MD MAY change some
+ of the RTP header information that would impact the end-to-end
+ integrity. In that case, the original value of any RTP header field
+ that is changed is included in an "Original Header Block" that is
+ added to the packet. The new RTP packet is encrypted with the hop-
+ by-hop cryptographic algorithm before it is sent. The receiving
+ endpoint decrypts and checks integrity using the hop-by-hop
+ cryptographic algorithm and then replaces any parameters the MD
+ changed using the information in the Original Header Block before
+ decrypting and checking the end-to-end integrity.
+
+ One can think of the double transform as a normal SRTP transform for
+ encrypting the RTP in a way such that things that only know half of
+ the key, can decrypt and modify part of the RTP packet but not other
+ parts, including the media payload.
+
+2. Terminology
+
+ The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
+ "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
+ "OPTIONAL" in this document are to be interpreted as described in
+ BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all
+ capitals, as shown here.
+
+ Terms used throughout this document include:
+
+ Media Distributor (MD): A device that receives media from endpoints
+ and distributes it to other endpoints, but does not need to
+ interpret or change the media content (see also
+ [PRIVATE-MEDIA-FRAMEWORK]).
+
+ end-to-end: The path from one endpoint through one or more MDs to
+ the endpoint at the other end.
+
+ hop-by-hop: The path from the endpoint to or from the MD.
+
+ Original Header Block (OHB): An octet string that contains the
+ original values from the RTP header that might have been changed
+ by an MD.
+
+3. Cryptographic Context
+
+ This specification uses a cryptographic context with two parts:
+
+ * An inner (end-to-end) part that is used by endpoints that
+ originate and consume media to ensure the integrity of media end-
+ to-end, and
+
+ * An outer (hop-by-hop) part that is used between endpoints and MDs
+ to ensure the integrity of media over a single hop and to enable
+ an MD to modify certain RTP header fields. RTCP is also handled
+ using the hop-by-hop cryptographic part.
+
+ The RECOMMENDED cipher for the hop-by-hop and end-to-end algorithms
+ is AES-GCM. Other combinations of SRTP ciphers that support the
+ procedures in this document can be added to the IANA registry.
+
+ The keys and salt for these algorithms are generated with the
+ following steps:
+
+ * Generate key and salt values of the length required for the
+ combined inner (end-to-end) and outer (hop-by-hop) algorithms.
+
+ * Assign the key and salt values generated for the inner (end-to-
+ end) algorithm to the first half of the key and the first half of
+ the salt for the double algorithm.
+
+ * Assign the key and salt values for the outer (hop-by-hop)
+ algorithm to the second half of the key and second half of the
+ salt for the double algorithm. The first half of the key is
+ referred to as the inner key while the second half is referred to
+ as the outer key. When a key is used by a cryptographic
+ algorithm, the salt that is used is the part of the salt generated
+ with that key.
+
+ * the synchronization source (SSRC) is the same for both the inner
+ and outer algorithms as it cannot be changed.
+
+ * The sequence number (SEQ) and rollover counter (ROC) are tracked
+ independently for the inner and outer algorithms.
+
+ If the MD is to be able to modify header fields but not decrypt the
+ payload, then it must have a cryptographic key for the outer
+ algorithm but not the inner (end-to-end) algorithm. This document
+ does not define how the MD should be provisioned with this
+ information. One possible way to provide keying material for the
+ outer (hop-by-hop) algorithm is to use [DTLS-TUNNEL].
+
+3.1. Key Derivation
+
+ Although SRTP uses a single master key to derive keys for an SRTP
+ session, this transform requires separate inner and outer keys. In
+ order to allow the inner and outer keys to be managed independently
+ via the master key, the transforms defined in this document MUST be
+ used with the following pseudorandom function (PRF), which preserves
+ the separation between the two halves of the key. Given a positive
+ integer "n" representing the desired output length, a master key
+ "k_master", and an input "x":
+
+ PRF_double_n(k_master,x) = PRF_(n/2)(inner(k_master),x) ||
+ PRF_(n/2)(outer(k_master),x)
+
+ Here "PRF_double_n(k_master, x)" represents the AES_CM PRF Key
+ Derivation Function (KDF) (see Section 4.3.3 of [RFC3711]) for
+ DOUBLE_AEAD_AES_128_GCM_AEAD_AES_128_GCM algorithm and AES_256_CM_PRF
+ KDF [RFC6188] for DOUBLE_AEAD_AES_256_GCM_AEAD_AES_256_GCM algorithm.
+ The term "inner(k_master)" represents the first half of the key;
+ "outer(k_master)" represents the second half of the key.
+
+4. Original Header Block
+
+ The OHB contains the original values of any modified RTP header
+ fields. In the encryption process, the OHB is included in an SRTP
+ packet as described in Section 5. In the decryption process, the
+ receiving endpoint uses it to reconstruct the original RTP header so
+ that it can pass the proper additional authenticated data (AAD) value
+ to the inner transform.
+
+ The OHB can reflect modifications to the following fields in an RTP
+ header: the payload type (PT), the SEQ, and the marker bit. All
+ other fields in the RTP header MUST remain unmodified; since the OHB
+ cannot reflect their original values, the receiver will be unable to
+ verify the end-to-end integrity of the packet.
+
+ The OHB has the following syntax (in ABNF [RFC5234]):
+
+ OCTET = %x00-FF
+
+ PT = OCTET
+ SEQ = 2OCTET
+ Config = OCTET
+ OHB = [ PT ] [ SEQ ] Config
+
+ If present, the PT and SEQ parts of the OHB contain the original
+ payload type and sequence number fields, respectively. The final
+ "Config" octet of the OHB specifies whether these fields are present,
+ and the original value of the marker bit (if necessary):
+
+ +-+-+-+-+-+-+-+-+
+ |R R R R B M P Q|
+ +-+-+-+-+-+-+-+-+
+
+ * P: PT is present
+
+ * Q: SEQ is present
+
+ * M: Marker bit is present
+
+ * B: Value of marker bit
+
+ * R: Reserved, MUST be set to 0
+
+ In particular, an all-zero OHB Config octet ("0x00") indicates that
+ there have been no modifications from the original header.
+
+ If the marker bit is not present (M=0), then "B" MUST be set to zero.
+ That is, if "C" represents the value of the Config octet, then the
+ masked value "C & 0x0C" MUST NOT have the value "0x80".
+
+5. RTP Operations
+
+ As implied by the use of the word "double" above, this transform
+ applies AES-GCM to the SRTP packet twice. This allows media
+ distributors to be able to modify some header fields while allowing
+ endpoints to verify the end-to-end integrity of a packet.
+
+ The first, "inner" application of AES-GCM encrypts the SRTP payload
+ and protects the integrity of a version of the SRTP header with
+ extensions truncated. Omitting extensions from the inner integrity
+ check means that they can be modified by an MD holding only the outer
+ key.
+
+ The second, "outer" application of AES-GCM encrypts the ciphertext
+ produced by the inner encryption (i.e., the encrypted payload and
+ authentication tag), plus an OHB that expresses any changes made
+ between the inner and outer transforms.
+
+ An MD that has the outer key but not the inner key may modify the
+ header fields that can be included in the OHB by decrypting,
+ modifying, and re-encrypting the packet.
+
+5.1. Encrypting a Packet
+
+ An endpoint encrypts a packet by using the inner (end-to-end)
+ cryptographic key and then the outer (hop-by-hop) cryptographic key.
+ The encryption also supports a mode for repair packets that only does
+ the outer (hop-by-hop) encryption. The processes is as follows:
+
+ 1. Form an RTP packet. If there are any header extensions, they
+ MUST use [RFC8285].
+
+ 2. If the packet is for repair mode data, skip to step 6.
+
+ 3. Form a synthetic RTP packet with the following contents:
+
+ * Header: The RTP header of the original packet with the
+ following modifications:
+
+ - The X bit is set to zero.
+
+ - The header is truncated to remove any extensions (i.e.,
+ keep only the first 12 + 4 * CSRC count (CC) bytes of the
+ header).
+
+ * Payload: The RTP payload of the original packet (including
+ padding when present).
+
+ 4. Apply the inner cryptographic algorithm to the synthetic RTP
+ packet from the previous step.
+
+ 5. Replace the header of the protected RTP packet with the header of
+ the original packet (to restore any header extensions and reset
+ the X bit), and append an empty OHB ("0x00") to the encrypted
+ payload (with the authentication tag) obtained from step 4.
+
+ 6. Apply the outer cryptographic algorithm to the RTP packet. If
+ encrypting RTP header extensions hop-by-hop, then [RFC6904] MUST
+ be used when encrypting the RTP packet using the outer
+ cryptographic key.
+
+ When using Encrypted Key Transport (EKT) [EKT-SRTP], the EKTField
+ comes after the SRTP packet, exactly like using EKT with any other
+ SRTP transform.
+
+5.2. Relaying a Packet
+
+ The MD has the part of the key for the outer (hop-by-hop)
+ cryptographic algorithm, but it does not have the part of the key for
+ the inner (end-to-end) cryptographic algorithm. The cryptographic
+ algorithm and key used to decrypt a packet and any encrypted RTP
+ header extensions would be the same as those used in the endpoint's
+ outer algorithm and key.
+
+ In order to modify a packet, the MD decrypts the received packet,
+ modifies the packet, updates the OHB with any modifications not
+ already present in the OHB, and re-encrypts the packet using the
+ outer (hop-by-hop) cryptographic key before transmitting using the
+ following steps:
+
+ 1. Apply the outer (hop-by-hop) cryptographic algorithm to decrypt
+ the packet. If decrypting RTP header extensions hop-by-hop, then
+ [RFC6904] MUST be used. Note that the RTP payload produced by
+ this decryption operation contains the original encrypted payload
+ with the tag from the inner transform and the OHB appended.
+
+ 2. Make any desired changes to the fields that are allowed to be
+ changed, i.e., PT, SEQ, and M. The MD MAY also make
+ modifications to header extensions, without the need to reflect
+ these changes in the OHB.
+
+ 3. Reflect any changes to header fields in the OHB:
+
+ * If the MD changed a field that is not already in the OHB, then
+ it MUST add the original value of the field to the OHB. Note
+ that this might result in an increase in the size of the OHB.
+
+ * If the MD took a field that had previously been modified and
+ reset to its original value, then it SHOULD drop the
+ corresponding information from the OHB. Note that this might
+ result in a decrease in the size of the OHB.
+
+ * Otherwise, the MD MUST NOT modify the OHB.
+
+ 4. Apply the outer (hop-by-hop) cryptographic algorithm to the
+ packet. If the RTP sequence number has been modified, SRTP
+ processing happens as defined in SRTP and will end up using the
+ new sequence number. If encrypting RTP header extensions hop-by-
+ hop, then [RFC6904] MUST be used.
+
+ In order to avoid nonce reuse, the cryptographic contexts used in
+ steps 1 and 4 MUST use different, independent master keys. Note that
+ this means that the key used for decryption by the MD MUST be
+ different from the key used for re-encryption to the end recipient.
+
+ Note that if multiple MDs modify the same packet, then the first MD
+ to alter a given header field is the one that adds it to the OHB. If
+ a subsequent MD changes the value of a header field that has already
+ been changed, then the original value will already be in the OHB, so
+ no update to the OHB is required.
+
+ An MD that decrypts, modifies, and re-encrypts packets in this way
+ MUST use an independent key for each recipient, and MUST NOT re-
+ encrypt the packet using the sender's keys. If the MD decrypts and
+ re-encrypts with the same key and salt, it will result in the reuse
+ of a (key, nonce) pair, undermining the security of AES-GCM.
+
+5.3. Decrypting a Packet
+
+ To decrypt a packet, the endpoint first decrypts and verifies using
+ the outer (hop-by-hop) cryptographic key, then uses the OHB to
+ reconstruct the original packet, which it decrypts and verifies with
+ the inner (end-to-end) cryptographic key using the following steps:
+
+ 1. Apply the outer cryptographic algorithm to the packet. If the
+ integrity check does not pass, discard the packet. The result of
+ this is referred to as the outer SRTP packet. If decrypting RTP
+ header extensions hop-by-hop, then [RFC6904] MUST be used when
+ decrypting the RTP packet using the outer cryptographic key.
+
+ 2. If the packet is for repair mode data, skip the rest of the
+ steps. Note that the packet that results from the repair
+ algorithm will still have encrypted data that needs to be
+ decrypted as specified by the repair algorithm sections.
+
+ 3. Remove the inner authentication tag and the OHB from the end of
+ the payload of the outer SRTP packet.
+
+ 4. Form a new synthetic SRTP packet with:
+
+ * Header = Received header, with the following modifications:
+
+ - Header fields replaced with values from OHB (if any).
+
+ - The X bit is set to zero.
+
+ - The header is truncated to remove any extensions (i.e.,
+ keep only the first 12 + 4 * CC bytes of the header).
+
+ * Payload is the encrypted payload from the outer SRTP packet
+ (after the inner tag and OHB have been stripped).
+
+ * Authentication tag is the inner authentication tag from the
+ outer SRTP packet.
+
+ 5. Apply the inner cryptographic algorithm to this synthetic SRTP
+ packet. Note if the RTP sequence number was changed by the MD,
+ the synthetic packet has the original sequence number. If the
+ integrity check does not pass, discard the packet.
+
+ Once the packet has been successfully decrypted, the application
+ needs to be careful about which information it uses to get the
+ correct behavior. The application MUST use only the information
+ found in the synthetic SRTP packet and MUST NOT use the other data
+ that was in the outer SRTP packet with the following exceptions:
+
+ * The PT from the outer SRTP packet is used for normal matching to
+ Session Description Protocol (SDP) and codec selection.
+
+ * The sequence number from the outer SRTP packet is used for normal
+ RTP ordering.
+
+ The PT and sequence number from the inner SRTP packet can be used for
+ collection of various statistics.
+
+ If the RTP header of the outer packet contains extensions, they MAY
+ be used. However, because extensions are not protected end-to-end,
+ implementations SHOULD reject an RTP packet containing headers that
+ would require end-to-end protection.
+
+6. RTCP Operations
+
+ Unlike RTP, which is encrypted both hop-by-hop and end-to-end using
+ two separate cryptographic keys, RTCP is encrypted using only the
+ outer (hop-by-hop) cryptographic key. The procedures for RTCP
+ encryption are specified in [RFC3711], and this document introduces
+ no additional steps.
+
+7. Use with Other RTP Mechanisms
+
+ MDs sometimes interact with RTP media packets sent by endpoints,
+ e.g., to provide recovery or receive commands via dual-tone multi-
+ frequency (DTMF) signaling. When media packets are encrypted end-to-
+ end, these procedures require modification. (End-to-end
+ interactions, including end-to-end recovery, are not affected by end-
+ to-end encryption.)
+
+ Repair mechanisms, in general, will need to perform recovery on
+ encrypted packets (double-encrypted when using this transform), since
+ the MD does not have access to the plaintext of the packet, only an
+ intermediate, E2E-encrypted form.
+
+ When the recovery mechanism calls for the recovery packet itself to
+ be encrypted, it is encrypted with only the outer, hop-by-hop key.
+ This allows an MD to generate recovery packets without having access
+ to the inner, end-to-end keys. However, it also results in recovery
+ packets being triple-encrypted, twice for the base transform, and
+ once for the recovery protection.
+
+7.1. RTP Retransmission (RTX)
+
+ When using RTX [RFC4588] with the double transform, the cached
+ payloads MUST be the double-encrypted packets, i.e., the bits that
+ are sent over the wire to the other side. When encrypting a
+ retransmission packet, it MUST be encrypted like a packet in repair
+ mode (i.e., with only the hop-by-hop key).
+
+ If the MD were to cache the inner, E2E-encrypted payload and
+ retransmit it with an RTX original sequence number field prepended,
+ then the modifications to the payload would cause the inner integrity
+ check to fail at the receiver.
+
+ A typical RTX receiver would decrypt the packet, undo the RTX
+ transformation, then process the resulting packet normally by using
+ the steps in Section 5.3.
+
+7.2. Redundant Audio Data (RED)
+
+ When using RED [RFC2198] with the double transform, the processing at
+ the sender and receiver is the same as when using RED with any other
+ SRTP transform.
+
+ The main difference between the double transform and any other
+ transform is that in an intermediated environment, usage of RED must
+ be end-to-end. An MD cannot synthesize RED packets, because it lacks
+ access to the plaintext media payloads that are combined to form a
+ RED payload.
+
+ Note that Flexible Forward Error Correction (Flex FEC) may often
+ provide similar or better repair capabilities compared to RED. For
+ most applications, Flex FEC is a better choice than RED; in
+ particular, Flex FEC has modes in which the MD can synthesize
+ recovery packets.
+
+7.3. Forward Error Correction (FEC)
+
+ When using Flex FEC [RFC8627] with the double transform, repair
+ packets MUST be constructed by first double-encrypting the packet,
+ then performing FEC. Processing of repair packets proceeds in the
+ opposite order, performing FEC recovery and then decrypting. This
+ ensures that the original media is not revealed to the MD but, at the
+ same time, allows the MD to repair media. When encrypting a packet
+ that contains the Flex FEC data, which is already encrypted, it MUST
+ be encrypted with only the outer, hop-by-hop transform.
+
+ The algorithm recommended in [WEBRTC-FEC] for repair of video is Flex
+ FEC [RFC8627]. Note that for interoperability with WebRTC,
+ [WEBRTC-FEC] recommends not using additional FEC-only "m=" lines in
+ SDP for the repair packets.
+
+7.4. DTMF
+
+ When DTMF is sent using the mechanism in [RFC4733], it is end-to-end
+ encrypted; the relay cannot read it, so it cannot be used to control
+ the relay. Other out-of-band methods to control the relay need to be
+ used instead.
+
+8. Recommended Inner and Outer Cryptographic Algorithms
+
+ This specification recommends and defines AES-GCM as both the inner
+ and outer cryptographic algorithms, identified as
+ DOUBLE_AEAD_AES_128_GCM_AEAD_AES_128_GCM and
+ DOUBLE_AEAD_AES_256_GCM_AEAD_AES_256_GCM. These algorithms provide
+ for authenticated encryption and will consume additional processing
+ time double-encrypting for hop-by-hop and end-to-end. However, the
+ approach is secure and simple; thus, it is viewed as an acceptable
+ trade-off in processing efficiency.
+
+ Note that names for the cryptographic transforms are of the form
+ DOUBLE_(inner algorithm)_(outer algorithm).
+
+ While this document only defines a profile based on AES-GCM, it is
+ possible for future documents to define further profiles with
+ different inner and outer algorithms in this same framework. For
+ example, if a new SRTP transform were defined that encrypts some or
+ all of the RTP header, it would be reasonable for systems to have the
+ option of using that for the outer algorithm. Similarly, if a new
+ transform were defined that provided only integrity, that would also
+ be reasonable to use for the outer transform as the payload data is
+ already encrypted by the inner transform.
+
+ The AES-GCM cryptographic algorithm introduces an additional 16
+ octets to the length of the packet. When using AES-GCM for both the
+ inner and outer cryptographic algorithms, the total additional length
+ is 32 octets. The OHB will consume an additional 1-4 octets.
+ Packets in repair mode will carry additional repair data, further
+ increasing their size.
+
+9. Security Considerations
+
+ This SRTP transform provides protection against two classes of
+ attacker: a network attacker that knows neither the inner nor outer
+ keys and a malicious MD that knows the outer key. Obviously, it
+ provides no protections against an attacker that holds both the inner
+ and outer keys.
+
+ The protections with regard to the network are the same as with the
+ normal SRTP AES-GCM transforms. The major difference is that the
+ double transforms are designed to work better in a group context. In
+ such contexts, it is important to note that because these transforms
+ are symmetric, they do not protect against attacks within the group.
+ Any member of the group can generate valid SRTP packets for any SSRC
+ in use by the group.
+
+ With regard to a malicious MD, the recipient can verify the integrity
+ of the base header fields and confidentiality and integrity of the
+ payload. The recipient has no assurance, however, of the integrity
+ of the header extensions in the packet.
+
+ The main innovation of this transform relative to other SRTP
+ transforms is that it allows a partly trusted MD to decrypt, modify,
+ and re-encrypt a packet. When this is done, the cryptographic
+ contexts used for decryption and re-encryption MUST use different,
+ independent master keys. If the same context is used, the nonce
+ formation rules for SRTP will cause the same key and nonce to be used
+ with two different plaintexts, which substantially degrades the
+ security of AES-GCM.
+
+ In other words, from the perspective of the MD, re-encrypting packets
+ using this protocol will involve the same cryptographic operations as
+ if it had established independent AES-GCM crypto contexts with the
+ sender and the receiver. This property allows the use of an MD that
+ supports AES-GCM but does not modify any header fields, without
+ requiring any modification to the MD.
+
+10. IANA Considerations
+
+10.1. DTLS-SRTP
+
+ IANA has added the following protection profiles to the "DTLS-SRTP
+ Protection Profiles" registry defined in [RFC5764].
+
+ +--------+------------------------------------------+-----------+
+ | Value | Profile | Reference |
+ +========+==========================================+===========+
+ | {0x00, | DOUBLE_AEAD_AES_128_GCM_AEAD_AES_128_GCM | RFC 8723 |
+ | 0x09} | | |
+ +--------+------------------------------------------+-----------+
+ | {0x00, | DOUBLE_AEAD_AES_256_GCM_AEAD_AES_256_GCM | RFC 8723 |
+ | 0x0A} | | |
+ +--------+------------------------------------------+-----------+
+
+ Table 1: Updates to the DTLS-SRTP Protection Profiles Registry
+
+ The SRTP transform parameters for each of these protection profiles
+ are:
+
+ +---------------------------------------------------------+
+ | DOUBLE_AEAD_AES_128_GCM_AEAD_AES_128_GCM |
+ +-----------------------+---------------------------------+
+ | cipher: | AES_128_GCM then AES_128_GCM |
+ +-----------------------+---------------------------------+
+ | cipher_key_length: | 256 bits |
+ +-----------------------+---------------------------------+
+ | cipher_salt_length: | 192 bits |
+ +-----------------------+---------------------------------+
+ | aead_auth_tag_length: | 256 bits |
+ +-----------------------+---------------------------------+
+ | auth_function: | NULL |
+ +-----------------------+---------------------------------+
+ | auth_key_length: | N/A |
+ +-----------------------+---------------------------------+
+ | auth_tag_length: | N/A |
+ +-----------------------+---------------------------------+
+ | maximum lifetime: | at most 2^(31) SRTCP packets |
+ | | and at most 2^(48) SRTP packets |
+ +-----------------------+---------------------------------+
+
+ Table 2: SRTP Transform Parameters for
+ DOUBLE_AEAD_AES_128_GCM_AEAD_AES_128_GCM
+
+ +---------------------------------------------------------+
+ | DOUBLE_AEAD_AES_256_GCM_AEAD_AES_256_GCM |
+ +-----------------------+---------------------------------+
+ | cipher: | AES_256_GCM then AES_256_GCM |
+ +-----------------------+---------------------------------+
+ | cipher_key_length: | 512 bits |
+ +-----------------------+---------------------------------+
+ | cipher_salt_length: | 192 bits |
+ +-----------------------+---------------------------------+
+ | aead_auth_tag_length: | 256 bits |
+ +-----------------------+---------------------------------+
+ | auth_function: | NULL |
+ +-----------------------+---------------------------------+
+ | auth_key_length: | N/A |
+ +-----------------------+---------------------------------+
+ | auth_tag_length: | N/A |
+ +-----------------------+---------------------------------+
+ | maximum lifetime: | at most 2^(31) SRTCP packets |
+ | | and at most 2^(48) SRTP packets |
+ +-----------------------+---------------------------------+
+
+ Table 3: SRTP Transform Parameters for
+ DOUBLE_AEAD_AES_256_GCM_AEAD_AES_256_GCM
+
+ The first half of the key and salt is used for the inner (end-to-end)
+ algorithm and the second half is used for the outer (hop-by-hop)
+ algorithm.
+
+11. References
+
+11.1. Normative References
+
+ [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
+ Requirement Levels", BCP 14, RFC 2119,
+ DOI 10.17487/RFC2119, March 1997,
+ <https://www.rfc-editor.org/info/rfc2119>.
+
+ [RFC3711] Baugher, M., McGrew, D., Naslund, M., Carrara, E., and K.
+ Norrman, "The Secure Real-time Transport Protocol (SRTP)",
+ RFC 3711, DOI 10.17487/RFC3711, March 2004,
+ <https://www.rfc-editor.org/info/rfc3711>.
+
+ [RFC5764] McGrew, D. and E. Rescorla, "Datagram Transport Layer
+ Security (DTLS) Extension to Establish Keys for the Secure
+ Real-time Transport Protocol (SRTP)", RFC 5764,
+ DOI 10.17487/RFC5764, May 2010,
+ <https://www.rfc-editor.org/info/rfc5764>.
+
+ [RFC6188] McGrew, D., "The Use of AES-192 and AES-256 in Secure
+ RTP", RFC 6188, DOI 10.17487/RFC6188, March 2011,
+ <https://www.rfc-editor.org/info/rfc6188>.
+
+ [RFC6904] Lennox, J., "Encryption of Header Extensions in the Secure
+ Real-time Transport Protocol (SRTP)", RFC 6904,
+ DOI 10.17487/RFC6904, April 2013,
+ <https://www.rfc-editor.org/info/rfc6904>.
+
+ [RFC7714] McGrew, D. and K. Igoe, "AES-GCM Authenticated Encryption
+ in the Secure Real-time Transport Protocol (SRTP)",
+ RFC 7714, DOI 10.17487/RFC7714, December 2015,
+ <https://www.rfc-editor.org/info/rfc7714>.
+
+ [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
+ 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
+ May 2017, <https://www.rfc-editor.org/info/rfc8174>.
+
+ [RFC8285] Singer, D., Desineni, H., and R. Even, Ed., "A General
+ Mechanism for RTP Header Extensions", RFC 8285,
+ DOI 10.17487/RFC8285, October 2017,
+ <https://www.rfc-editor.org/info/rfc8285>.
+
+11.2. Informative References
+
+ [DTLS-TUNNEL]
+ Jones, P., Ellenbogen, P., and N. Ohlmeier, "DTLS Tunnel
+ between a Media Distributor and Key Distributor to
+ Facilitate Key Exchange", Work in Progress, Internet-
+ Draft, draft-ietf-perc-dtls-tunnel-06, 16 October 2019,
+ <https://tools.ietf.org/html/draft-ietf-perc-dtls-tunnel-
+ 06>.
+
+ [EKT-SRTP] Jennings, C., Mattsson, J., McGrew, D., Wing, D., and F.
+ Andreasen, "Encrypted Key Transport for DTLS and Secure
+ RTP", Work in Progress, Internet-Draft, draft-ietf-perc-
+ srtp-ekt-diet-10, 8 July 2019,
+ <https://tools.ietf.org/html/draft-ietf-perc-srtp-ekt-
+ diet-10>.
+
+ [PRIVATE-MEDIA-FRAMEWORK]
+ Jones, P., Benham, D., and C. Groves, "A Solution
+ Framework for Private Media in Privacy Enhanced RTP
+ Conferencing (PERC)", Work in Progress, Internet-Draft,
+ draft-ietf-perc-private-media-framework-12, 5 June 2019,
+ <https://tools.ietf.org/html/draft-ietf-perc-private-
+ media-framework-12>.
+
+ [RFC2198] Perkins, C., Kouvelas, I., Hodson, O., Hardman, V.,
+ Handley, M., Bolot, J.C., Vega-Garcia, A., and S. Fosse-
+ Parisis, "RTP Payload for Redundant Audio Data", RFC 2198,
+ DOI 10.17487/RFC2198, September 1997,
+ <https://www.rfc-editor.org/info/rfc2198>.
+
+ [RFC4588] Rey, J., Leon, D., Miyazaki, A., Varsa, V., and R.
+ Hakenberg, "RTP Retransmission Payload Format", RFC 4588,
+ DOI 10.17487/RFC4588, July 2006,
+ <https://www.rfc-editor.org/info/rfc4588>.
+
+ [RFC4733] Schulzrinne, H. and T. Taylor, "RTP Payload for DTMF
+ Digits, Telephony Tones, and Telephony Signals", RFC 4733,
+ DOI 10.17487/RFC4733, December 2006,
+ <https://www.rfc-editor.org/info/rfc4733>.
+
+ [RFC5234] Crocker, D., Ed. and P. Overell, "Augmented BNF for Syntax
+ Specifications: ABNF", STD 68, RFC 5234,
+ DOI 10.17487/RFC5234, January 2008,
+ <https://www.rfc-editor.org/info/rfc5234>.
+
+ [RFC8627] Zanaty, M., Singh, V., Begen, A., and G. Mandyam, "RTP
+ Payload Format for Flexible Forward Error Correction
+ (FEC)", RFC 8627, DOI 10.17487/RFC8627, July 2019,
+ <https://www.rfc-editor.org/info/rfc8627>.
+
+ [WEBRTC-FEC]
+ Uberti, J., "WebRTC Forward Error Correction
+ Requirements", Work in Progress, Internet-Draft, draft-
+ ietf-rtcweb-fec-10, 16 July 2019,
+ <https://tools.ietf.org/html/draft-ietf-rtcweb-fec-10>.
+
+Appendix A. Encryption Overview
+
+ The following figures show a double-encrypted SRTP packet. The sides
+ indicate the parts of the packet that are encrypted and authenticated
+ by the hop-by-hop and end-to-end operations.
+
+ 0 1 2 3
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ |V=2|P|X| CC |M| PT | sequence number |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | timestamp |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | synchronization source (SSRC) identifier |
+ +=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
+ | contributing source (CSRC) identifiers |
+ | .... |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | RTP extension (OPTIONAL) ... |
+ +>+>+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ O I | payload ... |
+ O I | +-------------------------------+
+ O I | | RTP padding | RTP pad count |
+ O +>+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ O | | E2E authentication tag |
+ O | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ O | | OHB ... |
+ +>| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | | | HBH authentication tag |
+ | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | |
+ | +- E2E Encrypted Portion
+ |
+ +--- HBH Encrypted Portion
+
+ 0 1 2 3
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<+<+
+ |V=2|P|X| CC |M| PT | sequence number | I O
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ I O
+ | timestamp | I O
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ I O
+ | synchronization source (SSRC) identifier | I O
+ +=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ I O
+ | contributing source (CSRC) identifiers | I O
+ | .... | I O
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<+ O
+ | RTP extension (OPTIONAL) ... | | O
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<+ O
+ | payload ... | I O
+ | +-------------------------------+ I O
+ | | RTP padding | RTP pad count | I O
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<+ O
+ | E2E authentication tag | | O
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | O
+ | OHB ... | | O
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |<+
+ | HBH authentication tag | | |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | |
+ | |
+ E2E Authenticated Portion ---+ |
+ |
+ HBH Authenticated Portion -----+
+
+Acknowledgments
+
+ Thank you to Alex Gouaillard, David Benham, Magnus Westerlund, Nils
+ Ohlmeier, Roni Even, and Suhas Nandakumar for reviews and
+ improvements to this specification. In addition, thank you to Sergio
+ Garcia Murillo, who proposed the change of transporting the OHB
+ information in the RTP payload instead of the RTP header.
+
+Authors' Addresses
+
+ Cullen Jennings
+ Cisco Systems
+
+ Email: fluffy@iii.ca
+
+
+ Paul E. Jones
+ Cisco Systems
+
+ Email: paulej@packetizer.com
+
+
+ Richard Barnes
+ Cisco Systems
+
+ Email: rlb@ipv.sx
+
+
+ Adam Roach
+ Mozilla
+
+ Email: adam@nostrum.com