diff options
Diffstat (limited to 'doc/rfc/rfc8870.txt')
-rw-r--r-- | doc/rfc/rfc8870.txt | 1168 |
1 files changed, 1168 insertions, 0 deletions
diff --git a/doc/rfc/rfc8870.txt b/doc/rfc/rfc8870.txt new file mode 100644 index 0000000..fcb0384 --- /dev/null +++ b/doc/rfc/rfc8870.txt @@ -0,0 +1,1168 @@ + + + + +Internet Engineering Task Force (IETF) C. Jennings +Request for Comments: 8870 Cisco Systems +Category: Standards Track J. Mattsson +ISSN: 2070-1721 Ericsson AB + D. McGrew + Cisco Systems + D. Wing + Citrix + F. Andreasen + Cisco Systems + January 2021 + + + Encrypted Key Transport for DTLS and Secure RTP + +Abstract + + Encrypted Key Transport (EKT) is an extension to DTLS (Datagram + Transport Layer Security) and the Secure Real-time Transport Protocol + (SRTP) that provides for the secure transport of SRTP master keys, + rollover counters, and other information within SRTP. This facility + enables SRTP for decentralized conferences by distributing a common + key to all of the conference endpoints. + +Status of This Memo + + This is an Internet Standards Track document. + + This document is a product of the Internet Engineering Task Force + (IETF). It represents the consensus of the IETF community. It has + received public review and has been approved for publication by the + Internet Engineering Steering Group (IESG). Further information on + Internet Standards is available in Section 2 of RFC 7841. + + Information about the current status of this document, any errata, + and how to provide feedback on it may be obtained at + https://www.rfc-editor.org/info/rfc8870. + +Copyright Notice + + Copyright (c) 2021 IETF Trust and the persons identified as the + document authors. All rights reserved. + + This document is subject to BCP 78 and the IETF Trust's Legal + Provisions Relating to IETF Documents + (https://trustee.ietf.org/license-info) in effect on the date of + publication of this document. Please review these documents + carefully, as they describe your rights and restrictions with respect + to this document. Code Components extracted from this document must + include Simplified BSD License text as described in Section 4.e of + the Trust Legal Provisions and are provided without warranty as + described in the Simplified BSD License. + +Table of Contents + + 1. Introduction + 2. Overview + 3. Conventions Used in This Document + 4. Encrypted Key Transport + 4.1. EKTField Formats + 4.2. SPIs and EKT Parameter Sets + 4.3. Packet Processing and State Machine + 4.3.1. Outbound Processing + 4.3.2. Inbound Processing + 4.4. Ciphers + 4.4.1. AES Key Wrap + 4.4.2. Defining New EKT Ciphers + 4.5. Synchronizing Operation + 4.6. Timing and Reliability Considerations + 5. Use of EKT with DTLS-SRTP + 5.1. DTLS-SRTP Recap + 5.2. SRTP EKT Key Transport Extensions to DTLS-SRTP + 5.2.1. Negotiating an EKTCipher + 5.2.2. Establishing an EKT Key + 5.3. Offer/Answer Considerations + 5.4. Sending the DTLS EKTKey Reliably + 6. Security Considerations + 7. IANA Considerations + 7.1. EKT Message Types + 7.2. EKT Ciphers + 7.3. TLS Extensions + 7.4. TLS Handshake Type + 8. References + 8.1. Normative References + 8.2. Informative References + Acknowledgments + Authors' Addresses + +1. Introduction + + The Real-time Transport Protocol (RTP) is designed to allow + decentralized groups with minimal control to establish sessions, such + as for multimedia conferences. Unfortunately, Secure RTP (SRTP) + [RFC3711] cannot be used in many minimal-control scenarios, because + it requires that synchronization source (SSRC) values and other data + be coordinated among all of the participants in a session. For + example, if a participant joins a session that is already in + progress, that participant needs to be informed of the SRTP keys + along with the SSRC, rollover counter (ROC), and other details of the + other SRTP sources. + + The inability of SRTP to work in the absence of central control was + well understood during the design of the protocol; the omission was + considered less important than optimizations such as bandwidth + conservation. Additionally, in many situations, SRTP is used in + conjunction with a signaling system that can provide the central + control needed by SRTP. However, there are several cases in which + conventional signaling systems cannot easily provide all of the + coordination required. + + This document defines Encrypted Key Transport (EKT) for SRTP and + reduces the amount of external signaling control that is needed in an + SRTP session with multiple receivers. EKT securely distributes the + SRTP master key and other information for each SRTP source. With + this method, SRTP entities are free to choose SSRC values as they see + fit and to start up new SRTP sources with new SRTP master keys within + a session without coordinating with other entities via external + signaling or other external means. + + EKT extends DTLS and SRTP to enable a common key encryption key + (called an "EKTKey") to be distributed to all endpoints, so that each + endpoint can securely send its SRTP master key and current SRTP ROC + to the other participants in the session. This data furnishes the + information needed by the receiver to instantiate an SRTP receiver + context. + + EKT can be used in conferences where the central Media Distributor or + conference bridge cannot decrypt the media, such as the type defined + in [RFC8871]. It can also be used for large-scale conferences where + the conference bridge or Media Distributor can decrypt all the media + but wishes to encrypt the media it is sending just once and then send + the same encrypted media to a large number of participants. This + reduces encryption CPU time in general and is necessary when sending + multicast media. + + EKT does not control the manner in which the SSRC is generated. It + is only concerned with distributing the security parameters that an + endpoint needs to associate with a given SSRC in order to decrypt + SRTP packets from that sender. + + EKT is not intended to replace external key establishment mechanisms. + Instead, it is used in conjunction with those methods, and it + relieves those methods of the burden of delivering the context for + each SRTP source to every SRTP participant. This document defines + how EKT works with the DTLS-SRTP approach to key establishment, by + using keys derived from the DTLS-SRTP handshake to encipher the + EKTKey in addition to the SRTP media. + +2. Overview + + This specification defines a way for the server in a DTLS-SRTP + negotiation (see Section 5) to provide an EKTKey to the client during + the DTLS handshake. The EKTKey thus obtained can be used to encrypt + the SRTP master key that is used to encrypt the media sent by the + endpoint. This specification also defines a way to send the + encrypted SRTP master key (with the EKTKey) along with the SRTP + packet (see Section 4). Endpoints that receive this packet and know + the EKTKey can use the EKTKey to decrypt the SRTP master key, which + can then be used to decrypt the SRTP packet. + + One way to use this specification is described in the architecture + defined by [RFC8871]. Each participant in the conference forms a + DTLS-SRTP connection to a common Key Distributor that distributes the + same EKTKey to all the endpoints. Then, each endpoint picks its own + SRTP master key for the media it sends. When sending media, the + endpoint may also include the SRTP master key encrypted with the + EKTKey in the SRTP packet. This allows all the endpoints to decrypt + the media. + +3. Conventions Used in This Document + + The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", + "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and + "OPTIONAL" in this document are to be interpreted as described in + BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all + capitals, as shown here. + +4. Encrypted Key Transport + + EKT defines a new method of providing SRTP master keys to an + endpoint. In order to convey the ciphertext corresponding to the + SRTP master key, and other additional information, an additional + field, called the "EKTField", is added to the SRTP packets. The + EKTField appears at the end of the SRTP packet. It appears after the + optional authentication tag, if one is present; otherwise, the + EKTField appears after the ciphertext portion of the packet. + + EKT MUST NOT be used in conjunction with SRTP's MKI (Master Key + Identifier) or with SRTP's <From, To> [RFC3711], as those SRTP + features duplicate some of the functions of EKT. Senders MUST NOT + include the MKI when using EKT. Receivers SHOULD simply ignore any + MKI field received if EKT is in use. + + This document defines the use of EKT with SRTP. Its use with the + Secure Real-time Transport Control Protocol (SRTCP) would be similar, + but that topic is left for a future specification. SRTP is preferred + for transmitting keying material because (1) it shares fate with the + transmitted media, (2) SRTP rekeying can occur without concern for + RTCP transmission limits, and (3) it avoids the need for SRTCP + compound packets with RTP translators and mixers. + +4.1. EKTField Formats + + The EKTField uses the formats defined in Figures 1 and 2 for the + FullEKTField and ShortEKTField. The EKTField appended to an SRTP + packet can be referred to as an "EKT Tag". + + 0 1 2 3 + 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + : : + : EKT Ciphertext : + : : + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Security Parameter Index | Epoch | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Length |0 0 0 0 0 0 1 0| + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + + Figure 1: FullEKTField Format + + 0 1 2 3 4 5 6 7 + +-+-+-+-+-+-+-+-+ + |0 0 0 0 0 0 0 0| + +-+-+-+-+-+-+-+-+ + + Figure 2: ShortEKTField Format + + Figure 3 shows the syntax of the EKTField, expressed in ABNF + [RFC5234]. The EKTField is added to the end of an SRTP packet. The + EKTPlaintext is the concatenation of SRTPMasterKeyLength, + SRTPMasterKey, SSRC, and ROC, in that order. The EKTCiphertext is + computed by encrypting the EKTPlaintext using the EKTKey. Future + extensions to the EKTField MUST conform to the syntax of the + ExtensionEKTField. + + BYTE = %x00-FF + + EKTMsgTypeFull = %x02 + EKTMsgTypeShort = %x00 + EKTMsgTypeExtension = %x03-FF ; Message Type %x01 is not available + ; for assignment due to its usage by + ; legacy implementations. + + EKTMsgLength = 2BYTE + + SRTPMasterKeyLength = BYTE + SRTPMasterKey = 1*242BYTE + SSRC = 4BYTE ; SSRC from RTP + ROC = 4BYTE ; ROC from SRTP for the given SSRC + + EKTPlaintext = SRTPMasterKeyLength SRTPMasterKey SSRC ROC + + EKTCiphertext = 1*251BYTE ; EKTEncrypt(EKTKey, EKTPlaintext) + Epoch = 2BYTE + SPI = 2BYTE + + FullEKTField = EKTCiphertext SPI Epoch EKTMsgLength EKTMsgTypeFull + + ShortEKTField = EKTMsgTypeShort + + ExtensionData = 1*1024BYTE + ExtensionEKTField = ExtensionData EKTMsgLength EKTMsgTypeExtension + + EKTField = FullEKTField / ShortEKTField / ExtensionEKTField + + Figure 3: EKTField Syntax + + These fields and data elements are defined as follows: + + EKTPlaintext: + This is the data that is input to the EKT encryption operation. + This data never appears on the wire; it is used only in + computations internal to EKT. This is the concatenation of the + SRTP master key and its length, the SSRC, and the ROC. + + EKTCiphertext: + This is the data that is output from the EKT encryption operation + (see Section 4.4). This field is included in SRTP packets when + EKT is in use. The length of the EKTCiphertext can be larger than + the length of the EKTPlaintext that was encrypted. + + SRTPMasterKey: + On the sender side, this is the SRTP master key associated with + the indicated SSRC. + + SRTPMasterKeyLength: + This is the length of the SRTPMasterKey in bytes. This depends on + the cipher suite negotiated for SRTP using Session Description + Protocol (SDP) Offer/Answer [RFC3264]. + + SSRC: + On the sender side, this is the SSRC for this SRTP source. The + length of this field is 32 bits. The SSRC value in the EKT Tag + MUST be the same as the one in the header of the SRTP packet to + which the tag is appended. + + Rollover Counter (ROC): + On the sender side, this is set to the current value of the SRTP + ROC in the SRTP context associated with the SSRC in the SRTP + packet. The length of this field is 32 bits. + + Security Parameter Index (SPI): + This field indicates the appropriate EKTKey and other parameters + for the receiver to use when processing the packet, within a given + conference. The length of this field is 16 bits, representing a + two-byte integer in network byte order. The parameters identified + by this field are as follows: + + * The EKT Cipher used to process the packet. + + * The EKTKey used to process the packet. + + * The SRTP master salt associated with any master key encrypted + with this EKT Key. The master salt is communicated separately, + via signaling, typically along with the EKTKey. (Recall that + the SRTP master salt is used in the formation of Initialization + Vectors (IVs) / nonces.) + + Epoch: + This field indicates how many SRTP keys have been sent for this + SSRC under the current EKTKey, prior to the current key, as a + two-byte integer in network byte order. It starts at zero at the + beginning of a session and resets to zero whenever the EKTKey is + changed (i.e., when a new SPI appears). The epoch for an SSRC + increments by one every time the sender transmits a new key. The + recipient of a FullEKTField MUST reject any future FullEKTField + for this SPI and SSRC that has an epoch value equal to or lower + than an epoch already seen. + + Together, these data elements are called an "EKT parameter set". To + avoid ambiguity, each distinct EKT parameter set that is used MUST be + associated with a distinct SPI value. + + EKTMsgLength: + All EKT Message Types other than the ShortEKTField include a + length in octets (in network byte order) of either the + FullEKTField or the ExtensionEKTField, including this length field + and the EKT Message Type (as defined in the next paragraph). + + Message Type: + The last byte is used to indicate the type of the EKTField. This + MUST be 2 for the FullEKTField format and 0 for the ShortEKTField + format. If a received EKT Tag has an unknown Message Type, then + the receiver MUST discard the whole EKT Tag. + +4.2. SPIs and EKT Parameter Sets + + The SPI identifies the parameters for how the EKT Tag should be + processed: + + * The EKTKey and EKT Cipher used to process the packet. + + * The SRTP master salt associated with any master key encrypted with + this EKT Key. The master salt is communicated separately, via + signaling, typically along with the EKTKey. + + Together, these data elements are called an "EKT parameter set". To + avoid ambiguity, each distinct EKT parameter set that is used MUST be + associated with a distinct SPI value. The association of a given + parameter set with a given SPI value is configured by some other + protocol, e.g., the DTLS-SRTP extension defined in Section 5. + +4.3. Packet Processing and State Machine + + At any given time, the SSRC for each SRTP source has associated with + it a single EKT parameter set. This parameter set is used to process + all outbound packets and is called the "outbound parameter set" for + that SSRC. There may be other EKT parameter sets that are used by + other SRTP sources in the same session, including other SRTP sources + on the same endpoint (e.g., one endpoint with voice and video might + have two EKT parameter sets, or there might be multiple video sources + on an endpoint, each with their own EKT parameter set). All of the + received EKT parameter sets SHOULD be stored by all of the + participants in an SRTP session, for use in processing inbound SRTP + traffic. If a participant deletes an EKT parameter set (e.g., + because of space limitations), then it will be unable to process Full + EKT Tags containing updated media keys and thus will be unable to + receive media from a participant that has changed its media key. + + Either the FullEKTField or ShortEKTField is appended at the tail end + of all SRTP packets. The decision regarding which parameter to send + and when is specified in Section 4.6. + +4.3.1. Outbound Processing + + See Section 4.6, which describes when to send an SRTP packet with a + FullEKTField. If a FullEKTField is not being sent, then a + ShortEKTField is sent so the receiver can correctly determine how to + process the packet. + + When an SRTP packet is sent with a FullEKTField, the EKTField for + that packet is created per either the steps below or an equivalent + set of steps. + + 1. The Security Parameter Index (SPI) field is set to the value of + the SPI that is associated with the outbound parameter set. + + 2. The EKTPlaintext field is computed from the SRTP master key, + SSRC, and ROC fields, as shown in Section 4.1. The ROC, SRTP + master key, and SSRC used in EKT processing MUST be the same as + the one used in SRTP processing. + + 3. The EKTCiphertext field is set to the ciphertext created by + encrypting the EKTPlaintext with the EKTCipher using the EKTKey + as the encryption key. The encryption process is detailed in + Section 4.4. + + 4. Then, the FullEKTField is formed using the EKTCiphertext and the + SPI associated with the EKTKey used above. Also appended are the + length and Message Type using the FullEKTField format. + + | Note: The value of the EKTCiphertext field is identical in + | successive packets protected by the same EKTKey and SRTP master + | key. This value MAY be cached by an SRTP sender to minimize + | computational effort. + + The computed value of the FullEKTField is appended to the end of the + SRTP packet, after the encrypted payload. + + When a packet is sent with the ShortEKTField, the ShortEKTField is + simply appended to the packet. + + Outbound packets SHOULD continue to use the old SRTP master key for + 250 ms after sending any new key in a FullEKTField value. This gives + all the receivers in the system time to get the new key before they + start receiving media encrypted with the new key. (The specific + value of 250 ms is chosen to represent a reasonable upper bound on + the amount of latency and jitter that is tolerable in a real-time + context.) + +4.3.2. Inbound Processing + + When receiving a packet on an RTP stream, the following steps are + applied for each received SRTP packet. + + 1. The final byte is checked to determine which EKT format is in + use. When an SRTP packet contains a ShortEKTField, the + ShortEKTField is removed from the packet and then normal SRTP + processing occurs. If the packet contains a FullEKTField, then + processing continues as described below. The reason for using + the last byte of the packet to indicate the type is that the + length of the SRTP part is not known until the decryption has + occurred. At this point in the processing, there is no easy way + to know where the EKTField would start. However, the whole SRTP + packet has been received, so instead of starting at the front of + the packet, the parsing works backwards at the end of the packet, + and thus the type is placed at the very end of the packet. + + 2. The Security Parameter Index (SPI) field is used to find the + right EKT parameter set to be used for processing the packet. If + there is no matching SPI, then the verification function MUST + return an indication of authentication failure, and the steps + described below are not performed. The EKT parameter set + contains the EKTKey, the EKTCipher, and the SRTP master salt. + + 3. The EKTCiphertext is authenticated and decrypted, as described in + Section 4.4, using the EKTKey and EKTCipher found in the previous + step. If the EKT decryption operation returns an authentication + failure, then EKT processing MUST be aborted. The receiver + SHOULD discard the whole SRTP packet. + + 4. The resulting EKTPlaintext is parsed as described in Section 4.1, + to recover the SRTP master key, SSRC, and ROC fields. The SRTP + master salt that is associated with the EKTKey is also retrieved. + If the value of the srtp_master_salt (see Section 5.2.2) sent as + part of the EKTKey is longer than needed by SRTP, then it is + truncated by taking the first N bytes from the srtp_master_salt + field. + + 5. If the SSRC in the EKTPlaintext does not match the SSRC of the + SRTP packet received, then this FullEKTField MUST be discarded + and the subsequent steps in this list skipped. After stripping + the FullEKTField, the remainder of the SRTP packet MAY be + processed as normal. + + 6. The SRTP master key, ROC, and SRTP master salt from the previous + steps are saved in a map indexed by the SSRC found in the + EKTPlaintext and can be used for any future crypto operations on + the inbound packets with that SSRC. + + * Unless the transform specifies other acceptable key lengths, + the length of the SRTP master key MUST be the same as the + master key length for the SRTP transform in use. If this is + not the case, then the receiver MUST abort EKT processing and + SHOULD discard the whole SRTP packet. + + * If the length of the SRTP master key is less than the master + key length for the SRTP transform in use and the transform + specifies that this length is acceptable, then the SRTP master + key value is used to replace the first bytes in the existing + master key. The other bytes remain the same as in the old + key. For example, the double GCM transform [RFC8723] allows + replacement of the first ("end-to-end") half of the master + key. + + 7. At this point, EKT processing has successfully completed, and the + normal SRTP processing takes place. + + The value of the EKTCiphertext field is identical in successive + packets protected by the same EKT parameter set, SRTP master key, and + ROC. SRTP senders and receivers MAY cache an EKTCiphertext value to + optimize processing in cases where the master key hasn't changed. + Instead of encrypting and decrypting, senders can simply copy the + precomputed value and receivers can compare a received EKTCiphertext + to the known value. + + Section 4.3.1 recommends that SRTP senders continue using an old key + for some time after sending a new key in an EKT Tag. Receivers that + wish to avoid packet loss due to decryption failures MAY perform + trial decryption with both the old key and the new key, keeping the + result of whichever decryption succeeds. Note that this approach is + only compatible with SRTP transforms that include integrity + protection. + + When receiving a new EKTKey, implementations need to use the ekt_ttl + field (see Section 5.2.2) to create a time after which this key + cannot be used, and they also need to create a counter that keeps + track of how many times the key has been used to encrypt data, to + ensure that it does not exceed the T value for that cipher (see + Section 4.4). If either of these limits is exceeded, the key can no + longer be used for encryption. At this point, implementations need + to either use call signaling to renegotiate a new session or + terminate the existing session. Terminating the session is a + reasonable implementation choice because these limits should not be + exceeded, except under an attack or error condition. + +4.4. Ciphers + + EKT uses an authenticated cipher to encrypt and authenticate the + EKTPlaintext. This specification defines the interface to the + cipher, in order to abstract the interface away from the details of + that function. This specification also defines the default cipher + that is used in EKT. The default cipher described in Section 4.4.1 + MUST be implemented, but another cipher that conforms to this + interface MAY be used. The cipher used for a given EKTCiphertext + value is negotiated using the supported_ekt_ciphers extension (see + Section 5.2) and indicated with the SPI value in the FullEKTField. + + An EKTCipher consists of an encryption function and a decryption + function. The encryption function E(K, P) takes the following + inputs: + + * a secret key K with a length of L bytes, and + + * a plaintext value P with a length of M bytes. + + The encryption function returns a ciphertext value C whose length is + N bytes, where N may be larger than M. The decryption function + D(K, C) takes the following inputs: + + * a secret key K with a length of L bytes, and + + * a ciphertext value C with a length of N bytes. + + The decryption function returns a plaintext value P that is M bytes + long, or it returns an indication that the decryption operation + failed because the ciphertext was invalid (i.e., it was not generated + by the encryption of plaintext with the key K). + + These functions have the property that D(K, E(K, P)) = P for all + values of K and P. Each cipher also has a limit T on the number of + times that it can be used with any fixed key value. The EKTKey MUST + NOT be used for encryption more than T times. Note that if the same + FullEKTField is retransmitted three times, that only counts as one + encryption. + + Security requirements for EKT Ciphers are discussed in Section 6. + +4.4.1. AES Key Wrap + + The default EKT Cipher is the Advanced Encryption Standard (AES) Key + Wrap with Padding algorithm [RFC5649]. It requires a plaintext + length M that is at least one octet, and it returns a ciphertext with + a length of N = M + (M mod 8) + 8 octets. It can be used with key + sizes of L = 16 octets or L = 32 octets, and its use with those key + sizes is indicated as AESKW128 or AESKW256, respectively. The key + size determines the length of the AES key used by the Key Wrap + algorithm. With this cipher, T=2^(48). + + +==========+====+========+ + | Cipher | L | T | + +==========+====+========+ + | AESKW128 | 16 | 2^(48) | + +----------+----+--------+ + | AESKW256 | 32 | 2^(48) | + +----------+----+--------+ + + Table 1: EKT Ciphers + + As AES-128 is the mandatory-to-implement transform in SRTP, AESKW128 + MUST be implemented for EKT. AESKW256 MAY be implemented. + +4.4.2. Defining New EKT Ciphers + + Other specifications may extend this document by defining other + EKTCiphers, as described in Section 7. This section defines how + those ciphers interact with this specification. + + An EKTCipher determines how the EKTCiphertext field is written and + how it is processed when it is read. This field is opaque to the + other aspects of EKT processing. EKT Ciphers are free to use this + field in any way, but they SHOULD NOT use other EKT or SRTP fields as + an input. The values of the parameters L and T MUST be defined by + each EKTCipher. The cipher MUST provide integrity protection. + +4.5. Synchronizing Operation + + If a source has its EKTKey changed by key management, it MUST also + change its SRTP master key, which will cause it to send out a new + FullEKTField and eventually begin encrypting with it, as described in + Section 4.3.1. This ensures that if key management thought the + EKTKey needs changing (due to a participant leaving or joining) and + communicated that to a source, the source will also change its SRTP + master key, so that traffic can be decrypted only by those who know + the current EKTKey. + +4.6. Timing and Reliability Considerations + + A system using EKT learns the SRTP master keys distributed with the + FullEKTField sent with SRTP, rather than with call signaling. A + receiver can immediately decrypt an SRTP packet, provided the SRTP + packet contains a FullEKTField. + + This section describes how to reliably and expediently deliver new + SRTP master keys to receivers. + + There are three cases to consider. In the first case, a new sender + joins a session and needs to communicate its SRTP master key to all + the receivers. In the second case, a sender changes its SRTP master + key, which needs to be communicated to all the receivers. In the + third case, a new receiver joins a session already in progress and + needs to know the sender's SRTP master key. + + The three cases are as follows: + + New sender: + A new sender SHOULD send a packet containing the FullEKTField as + soon as possible, ideally in its initial SRTP packet. To + accommodate packet loss, it is RECOMMENDED that the FullEKTField + be transmitted in three consecutive packets. If the sender does + not send a FullEKTField in its initial packets and receivers have + not otherwise been provisioned with a decryption key, then + decryption will fail and SRTP packets will be dropped until the + receiver receives a FullEKTField from the sender. + + Rekey: + By sending an EKT Tag over SRTP, the rekeying event shares fate + with the SRTP packets protected with that new SRTP master key. To + accommodate packet loss, it is RECOMMENDED that three consecutive + packets containing the FullEKTField be transmitted. + + New receiver: + When a new receiver joins a session, it does not need to + communicate its sending SRTP master key (because it is a + receiver). Also, when a new receiver joins a session, the sender + is generally unaware of the receiver joining the session; thus, + senders SHOULD periodically transmit the FullEKTField. That + interval depends on how frequently new receivers join the session, + the acceptable delay before those receivers can start processing + SRTP packets, and the acceptable overhead of sending the + FullEKTField. If sending audio and video, the RECOMMENDED + frequency is the same as the rate of intra-coded video frames. If + only sending audio, the RECOMMENDED frequency is every 100 ms. + + If none of the above three cases apply, a ShortEKTField SHOULD be + sent. + + In general, sending FullEKTField tags less frequently will consume + less bandwidth but will increase the time it takes for a join or + rekey to take effect. Applications should schedule the sending of + FullEKTField tags in a way that makes sense for their bandwidth and + latency requirements. + +5. Use of EKT with DTLS-SRTP + + This document defines an extension to DTLS-SRTP called "SRTP EKTKey + Transport", which enables secure transport of EKT keying material + from the DTLS-SRTP peer in the server role to the client. This + allows such a peer to process EKT keying material in SRTP and + retrieve the embedded SRTP keying material. This combination of + protocols is valuable because it combines the advantages of DTLS, + which has strong authentication of the endpoint and flexibility, + along with allowing secure multi-party RTP with loose coordination + and efficient communication of per-source keys. + + In cases where the DTLS termination point is more trusted than the + media relay, the protection that DTLS affords to EKT keying material + can allow EKT Keys to be tunneled through an untrusted relay such as + a centralized conference bridge. For more details, see [RFC8871]. + +5.1. DTLS-SRTP Recap + + DTLS-SRTP [RFC5764] uses an extended DTLS exchange between two peers + to exchange keying material, algorithms, and parameters for SRTP. + The SRTP flow operates over the same transport as the DTLS-SRTP + exchange (i.e., the same 5-tuple). DTLS-SRTP combines the + performance and encryption flexibility benefits of SRTP with the + flexibility and convenience of DTLS-integrated key and association + management. DTLS-SRTP can be viewed in two equivalent ways: as a new + key management method for SRTP and as a new RTP-specific data format + for DTLS. + +5.2. SRTP EKT Key Transport Extensions to DTLS-SRTP + + This document defines a new TLS negotiated extension called + "supported_ekt_ciphers" and a new TLS handshake message type called + "ekt_key". The extension negotiates the cipher to be used in + encrypting and decrypting EKTCiphertext values, and the handshake + message carries the corresponding key. + + Figure 4 shows a message flow between a DTLS 1.3 client and server + using EKT configured using the DTLS extensions described in this + section. (The initial cookie exchange and other normal DTLS messages + are omitted.) To be clear, EKT can be used with versions of DTLS + prior to 1.3. The only difference is that in pre-1.3 TLS, stacks + will not have built-in support for generating and processing ACK + messages. + + Client Server + + ClientHello + + use_srtp + + supported_ekt_ciphers + --------> + + ServerHello + {EncryptedExtensions} + + use_srtp + + supported_ekt_ciphers + {... Finished} + <-------- + + {... Finished} --------> + + [ACK] + <-------- [EKTKey] + + [ACK] --------> + + |SRTP packets| <-------> |SRTP packets| + + <EKT Tags> + <EKT Tags> + + + {} Messages protected using DTLS handshake keys + + [] Messages protected using DTLS application traffic keys + + <> Messages protected using the EKTKey and EKT Cipher + + || Messages protected using the SRTP master key sent in + a Full EKT Tag + + Figure 4: DTLS 1.3 Message Flow + + In the context of a multi-party SRTP session in which each endpoint + performs a DTLS handshake as a client with a central DTLS server, the + extensions defined in this document allow the DTLS server to set a + common EKTKey for all participants. Each endpoint can then use EKT + Tags encrypted with that common key to inform other endpoints of the + keys it uses to protect SRTP packets. This avoids the need for many + individual DTLS handshakes among the endpoints, at the cost of + preventing endpoints from directly authenticating one another. + + Client A Server Client B + + <----DTLS Handshake----> + <--------EKTKey--------- + <----DTLS Handshake----> + ---------EKTKey--------> + + -------------SRTP Packet + EKT Tag-------------> + <------------SRTP Packet + EKT Tag-------------- + +5.2.1. Negotiating an EKTCipher + + To indicate its support for EKT, a DTLS-SRTP client includes in its + ClientHello an extension of type supported_ekt_ciphers listing the + ciphers used for EKT by the client, in preference order, with the + most preferred version first. If the server agrees to use EKT, then + it includes a supported_ekt_ciphers extension in its + EncryptedExtensions (or ServerHello for DTLS 1.2) containing a cipher + selected from among those advertised by the client. + + The extension_data field of this extension contains an "EKTCipher" + value, encoded using the syntax defined in [RFC8446]: + + enum { + reserved(0), + aeskw_128(1), + aeskw_256(2), + } EKTCipherType; + + struct { + select (Handshake.msg_type) { + case client_hello: + EKTCipherType supported_ciphers<1..255>; + + case server_hello: + EKTCipherType selected_cipher; + + case encrypted_extensions: + EKTCipherType selected_cipher; + + }; + } EKTCipher; + +5.2.2. Establishing an EKT Key + + Once a client and server have concluded a handshake that negotiated + an EKTCipher, the server MUST provide to the client a key to be used + when encrypting and decrypting EKTCiphertext values. EKTKeys are + sent in encrypted handshake records, using handshake type + ekt_key(26). The body of the handshake message contains an EKTKey + structure as follows: + + struct { + opaque ekt_key_value<1..256>; + opaque srtp_master_salt<1..256>; + uint16 ekt_spi; + uint24 ekt_ttl; + } EKTKey; + + The contents of the fields in this message are as follows: + + ekt_key_value + The EKTKey that the recipient should use when generating + EKTCiphertext values + + srtp_master_salt + The SRTP master salt to be used with any master key encrypted with + this EKT Key + + ekt_spi + The SPI value to be used to reference this EKTKey and SRTP master + salt in EKT Tags (along with the EKT Cipher negotiated in the + handshake) + + ekt_ttl + The maximum amount of time, in seconds, that this EKTKey can be + used. The ekt_key_value in this message MUST NOT be used for + encrypting or decrypting information after the TTL expires. + + If the server did not provide a supported_ekt_ciphers extension in + its EncryptedExtensions (or ServerHello for DTLS 1.2), then EKTKey + messages MUST NOT be sent by the client or the server. + + When an EKTKey is received and processed successfully, the recipient + MUST respond with an ACK message as described in Section 7 of + [TLS-DTLS13]. The EKTKey message and ACK MUST be retransmitted + following the rules of the negotiated version of DTLS. + + EKT MAY be used with versions of DTLS prior to 1.3. In such cases, + to provide reliability, the ACK message is still used. Thus, DTLS + implementations supporting EKT with pre-1.3 versions of DTLS will + need to have explicit affordances for sending the ACK message in + response to an EKTKey message and for verifying that an ACK message + was received. The retransmission rules for both sides are otherwise + defined by the negotiated version of DTLS. + + If an EKTKey message is received that cannot be processed, then the + recipient MUST respond with an appropriate DTLS alert. + +5.3. Offer/Answer Considerations + + When using EKT with DTLS-SRTP, the negotiation to use EKT is done at + the DTLS handshake level and does not change the SDP Offer/Answer + messaging [RFC3264]. + +5.4. Sending the DTLS EKTKey Reliably + + The DTLS EKTKey message is sent using the retransmissions specified + in Section 4.2.4 of DTLS [RFC6347]. Retransmission is finished with + an ACK message, or an alert is received. + +6. Security Considerations + + EKT inherits the security properties of the key management protocol + that is used to establish the EKTKey, e.g., the DTLS-SRTP extension + defined in this document. + + With EKT, each SRTP sender and receiver MUST generate distinct SRTP + master keys. This property avoids any security concerns over the + reuse of keys, by empowering the SRTP layer to create keys on demand. + Note that the inputs of EKT are the same as for SRTP with key- + sharing: a single key is provided to protect an entire SRTP session. + However, EKT remains secure even when SSRC values collide. + + SRTP master keys MUST be randomly generated, and [RFC4086] offers + some guidance about random number generation. SRTP master keys MUST + NOT be reused for any other purpose, and SRTP master keys MUST NOT be + derived from other SRTP master keys. + + The EKT Cipher includes its own authentication/integrity check. + + The presence of the SSRC in the EKTPlaintext ensures that an attacker + cannot substitute an EKTCiphertext from one SRTP stream into another + SRTP stream. This mitigates the impact of cut-and-paste attacks that + arise due to the lack of a cryptographic binding between the EKT Tag + and the rest of the SRTP packet. SRTP tags can only be cut-and- + pasted within the stream of packets sent by a given RTP endpoint; an + attacker cannot "cross the streams" and use an EKT Tag from one SSRC + to reset the key for another SSRC. The Epoch field in the + FullEKTField also prevents an attacker from rolling back to a + previous key. + + An attacker could send packets containing a FullEKTField, in an + attempt to consume additional CPU resources of the receiving system + by causing the receiving system to decrypt the EKT ciphertext and + detect an authentication failure. In some cases, caching the + previous values of the ciphertext as described in Section 4.3.2 helps + mitigate this issue. + + In a similar vein, EKT has no replay protection, so an attacker could + implant improper keys in receivers by capturing EKTCiphertext values + encrypted with a given EKTKey and replaying them in a different + context, e.g., from a different sender. When the underlying SRTP + transform provides integrity protection, this attack will just result + in packet loss. If it does not, then it will result in random data + being fed to RTP payload processing. An attacker that is in a + position to mount these attacks, however, could achieve the same + effects more easily without attacking EKT. + + The key encryption keys distributed with EKTKey messages are group + shared symmetric keys, which means they do not provide protection + within the group. Group members can impersonate each other; for + example, any group member can generate an EKT Tag for any SSRC. The + entity that distributes EKTKeys can decrypt any keys distributed + using EKT and thus any media protected with those keys. + + Each EKT Cipher specifies a value T that is the maximum number of + times a given key can be used. An endpoint MUST NOT encrypt more + than T different FullEKTField values using the same EKTKey. In + addition, the EKTKey MUST NOT be used beyond the lifetime provided by + the TTL described in Section 5.2. + + The key length of the EKT Cipher MUST be at least as long as the SRTP + cipher and at least as long as the DTLS-SRTP ciphers. + + Part of the EKTPlaintext is known or is easily guessable to an + attacker. Thus, the EKT Cipher MUST resist known plaintext attacks. + In practice, this requirement does not impose any restrictions on our + choices, since the ciphers in use provide high security even when + much plaintext is known. + + An EKT Cipher MUST resist attacks in which both ciphertexts and + plaintexts can be adaptively chosen by an attacker querying both the + encryption and decryption functions. + + In some systems, when a member of a conference leaves the conference, + that conference is rekeyed so that the member who left the conference + no longer has the key. When changing to a new EKTKey, it is possible + that the attacker could block the EKTKey message getting to a + particular endpoint and that endpoint would keep sending media + encrypted using the old key. To mitigate that risk, the lifetime of + the EKTKey MUST be limited by using the ekt_ttl. + +7. IANA Considerations + +7.1. EKT Message Types + + IANA has created a new table for "EKT Message Types" in the "Real- + Time Transport Protocol (RTP) Parameters" registry. The initial + values in this registry are as follows: + + +==============+=======+===============+ + | Message Type | Value | Specification | + +==============+=======+===============+ + | Short | 0 | RFC 8870 | + +--------------+-------+---------------+ + | Unassigned | 1 | | + +--------------+-------+---------------+ + | Full | 2 | RFC 8870 | + +--------------+-------+---------------+ + | Unassigned | 3-254 | | + +--------------+-------+---------------+ + | Reserved | 255 | RFC 8870 | + +--------------+-------+---------------+ + + Table 2: EKT Message Types + + New entries in this table can be added via "Specification Required" + as defined in [RFC8126]. To avoid conflicts with pre-standard + versions of EKT that have been deployed, IANA SHOULD give preference + to the allocation of even values over odd values until the even code + points are consumed. Allocated values MUST be in the range of 0 to + 254. + + All new EKT messages MUST be defined to include a length parameter, + as specified in Section 4.1. + +7.2. EKT Ciphers + + IANA has created a new table for "EKT Ciphers" in the "Real-Time + Transport Protocol (RTP) Parameters" registry. The initial values in + this registry are as follows: + + +============+=======+===============+ + | Name | Value | Specification | + +============+=======+===============+ + | AESKW128 | 0 | RFC 8870 | + +------------+-------+---------------+ + | AESKW256 | 1 | RFC 8870 | + +------------+-------+---------------+ + | Unassigned | 2-254 | | + +------------+-------+---------------+ + | Reserved | 255 | RFC 8870 | + +------------+-------+---------------+ + + Table 3: EKT Cipher Types + + New entries in this table can be added via "Specification Required" + as defined in [RFC8126]. The expert SHOULD ensure that the + specification defines the values for L and T as required in + Section 4.4 of this document. Allocated values MUST be in the range + of 0 to 254. + +7.3. TLS Extensions + + IANA has added supported_ekt_ciphers as a new extension name to the + "TLS ExtensionType Values" table of the "Transport Layer Security + (TLS) Extensions" registry: + + Value: 39 + + Extension Name: supported_ekt_ciphers + + TLS 1.3: CH, EE + + Recommended: Y + + Reference: RFC 8870 + +7.4. TLS Handshake Type + + IANA has added ekt_key as a new entry in the "TLS HandshakeType" + table of the "Transport Layer Security (TLS) Parameters" registry: + + Value: 26 + + Description: ekt_key + + DTLS-OK: Y + + Reference: RFC 8870 + + Comment: + +8. References + +8.1. Normative References + + [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate + Requirement Levels", BCP 14, RFC 2119, + DOI 10.17487/RFC2119, March 1997, + <https://www.rfc-editor.org/info/rfc2119>. + + [RFC3264] Rosenberg, J. and H. Schulzrinne, "An Offer/Answer Model + with Session Description Protocol (SDP)", RFC 3264, + DOI 10.17487/RFC3264, June 2002, + <https://www.rfc-editor.org/info/rfc3264>. + + [RFC3711] Baugher, M., McGrew, D., Naslund, M., Carrara, E., and K. + Norrman, "The Secure Real-time Transport Protocol (SRTP)", + RFC 3711, DOI 10.17487/RFC3711, March 2004, + <https://www.rfc-editor.org/info/rfc3711>. + + [RFC5234] Crocker, D., Ed. and P. Overell, "Augmented BNF for Syntax + Specifications: ABNF", STD 68, RFC 5234, + DOI 10.17487/RFC5234, January 2008, + <https://www.rfc-editor.org/info/rfc5234>. + + [RFC5649] Housley, R. and M. Dworkin, "Advanced Encryption Standard + (AES) Key Wrap with Padding Algorithm", RFC 5649, + DOI 10.17487/RFC5649, September 2009, + <https://www.rfc-editor.org/info/rfc5649>. + + [RFC5764] McGrew, D. and E. Rescorla, "Datagram Transport Layer + Security (DTLS) Extension to Establish Keys for the Secure + Real-time Transport Protocol (SRTP)", RFC 5764, + DOI 10.17487/RFC5764, May 2010, + <https://www.rfc-editor.org/info/rfc5764>. + + [RFC6347] Rescorla, E. and N. Modadugu, "Datagram Transport Layer + Security Version 1.2", RFC 6347, DOI 10.17487/RFC6347, + January 2012, <https://www.rfc-editor.org/info/rfc6347>. + + [RFC8126] Cotton, M., Leiba, B., and T. Narten, "Guidelines for + Writing an IANA Considerations Section in RFCs", BCP 26, + RFC 8126, DOI 10.17487/RFC8126, June 2017, + <https://www.rfc-editor.org/info/rfc8126>. + + [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC + 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, + May 2017, <https://www.rfc-editor.org/info/rfc8174>. + + [RFC8446] Rescorla, E., "The Transport Layer Security (TLS) Protocol + Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018, + <https://www.rfc-editor.org/info/rfc8446>. + +8.2. Informative References + + [RFC4086] Eastlake 3rd, D., Schiller, J., and S. Crocker, + "Randomness Requirements for Security", BCP 106, RFC 4086, + DOI 10.17487/RFC4086, June 2005, + <https://www.rfc-editor.org/info/rfc4086>. + + [RFC8723] Jennings, C., Jones, P., Barnes, R., and A.B. Roach, + "Double Encryption Procedures for the Secure Real-Time + Transport Protocol (SRTP)", RFC 8723, + DOI 10.17487/RFC8723, April 2020, + <https://www.rfc-editor.org/info/rfc8723>. + + [RFC8871] Jones, P., Benham, D., and C. Groves, "A Solution + Framework for Private Media in Privacy-Enhanced RTP + Conferencing (PERC)", RFC 8871, DOI 10.17487/RFC8871, + January 2021, <https://www.rfc-editor.org/info/rfc8871>. + + [TLS-DTLS13] + Rescorla, E., Tschofenig, H., and N. Modadugu, "The + Datagram Transport Layer Security (DTLS) Protocol Version + 1.3", Work in Progress, Internet-Draft, draft-ietf-tls- + dtls13-39, 2 November 2020, + <https://tools.ietf.org/html/draft-ietf-tls-dtls13-39>. + +Acknowledgments + + Thank you to Russ Housley, who provided a detailed review and + significant help with crafting text for this document. Thanks to + David Benham, Yi Cheng, Lakshminath Dondeti, Kai Fischer, Nermeen + Ismail, Paul Jones, Eddy Lem, Jonathan Lennox, Michael Peck, Rob + Raymond, Sean Turner, Magnus Westerlund, and Felix Wyss for fruitful + discussions, comments, and contributions to this document. + +Authors' Addresses + + Cullen Jennings + Cisco Systems + + Email: fluffy@iii.ca + + + John Mattsson + Ericsson AB + + Email: john.mattsson@ericsson.com + + + David A. McGrew + Cisco Systems + + Email: mcgrew@cisco.com + + + Dan Wing + Citrix Systems, Inc. + + Email: dwing-ietf@fuggles.com + + + Flemming Andreasen + Cisco Systems + + Email: fandreas@cisco.com |