From 4bfd864f10b68b71482b35c818559068ef8d5797 Mon Sep 17 00:00:00 2001 From: Thomas Voss Date: Wed, 27 Nov 2024 20:54:24 +0100 Subject: doc: Add RFC documents --- doc/rfc/rfc4738.txt | 1067 +++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 1067 insertions(+) create mode 100644 doc/rfc/rfc4738.txt (limited to 'doc/rfc/rfc4738.txt') diff --git a/doc/rfc/rfc4738.txt b/doc/rfc/rfc4738.txt new file mode 100644 index 0000000..812c61f --- /dev/null +++ b/doc/rfc/rfc4738.txt @@ -0,0 +1,1067 @@ + + + + + + +Network Working Group D. Ignjatic +Request for Comments: 4738 Polycom +Updates: 3830 L. Dondeti +Category: Standards Track QUALCOMM + F. Audet + P. Lin + Nortel + November 2006 + + + MIKEY-RSA-R: An Additional Mode of Key Distribution + in Multimedia Internet KEYing (MIKEY) + +Status of This Memo + + This document specifies an Internet standards track protocol for the + Internet community, and requests discussion and suggestions for + improvements. Please refer to the current edition of the "Internet + Official Protocol Standards" (STD 1) for the standardization state + and status of this protocol. Distribution of this memo is unlimited. + +Copyright Notice + + Copyright (C) The IETF Trust (2006). + +Abstract + + The Multimedia Internet Keying (MIKEY) specification describes + several modes of key distribution solution that address multimedia + scenarios (e.g., SIP calls and Real Time Streaming Protocol (RTSP) + sessions) using pre-shared keys, public keys, and optionally a + Diffie-Hellman key exchange. In the public-key mode, the Initiator + encrypts a random key with the Responder's public key and sends it to + the Responder. In many communication scenarios, the Initiator may + not know the Responder's public key, or in some cases the Responder's + ID (e.g., call forwarding) in advance. We propose a new MIKEY mode + that works well in such scenarios. This mode also enhances the group + key management support in MIKEY; it supports member-initiated group + key download (in contrast to group manager pushing the group keys to + all members). This document updates RFC 3830 with the RSA-R mode. + + + + + + + + + + + +Ignjatic, et al. Standards Track [Page 1] + +RFC 4738 MIKEY-RSA-R November 2006 + + +Table of Contents + + 1. Introduction ....................................................3 + 1.1. Terminology Used in This Document ..........................3 + 2. Motivation ......................................................3 + 2.1. Description of the MIKEY Modes .............................3 + 2.2. Use Case Motivating the Proposed Mode ......................5 + 3. A New MIKEY-RSA Mode: MIKEY-RSA-R ...............................5 + 3.1. Outline ....................................................5 + 3.2. Group Communication Using the MIKEY RSA-R Mode .............6 + 3.3. Preparing RSA-R Messages ...................................6 + 3.4. Components of the I_MESSAGE ................................6 + 3.5. Processing the I_MESSAGE ...................................8 + 3.6. Components of the R_MESSAGE ................................9 + 3.7. Processing the R_MESSAGE ..................................10 + 3.8. Certificate Handling ......................................10 + 3.9. Additions to RFC 3830 Message Types and Other Values ......11 + 3.9.1. Modified Table 6.1a from RFC 3830 ..................11 + 3.9.2. Modified Table 6.12 from RFC 3830 ..................12 + 3.9.3. Modified Table 6.15 from RFC 3830 ..................12 + 4. Applicability of the RSA-R and RSA Modes .......................13 + 4.1. Limitations ...............................................13 + 5. Security Considerations ........................................14 + 5.1. Impact of the Responder Choosing the TGK ..................15 + 5.2. Updates to Security Considerations in RFC 3830 ............15 + 6. IANA Considerations ............................................15 + 7. Acknowledgments ................................................16 + 8. References .....................................................16 + 8.1. Normative References ......................................16 + 8.2. Informative References ....................................16 + + + + + + + + + + + + + + + + + + + + + +Ignjatic, et al. Standards Track [Page 2] + +RFC 4738 MIKEY-RSA-R November 2006 + + +1. Introduction + + The MIKEY protocol [RFC3830] has three different methods for key + transport or exchange: a pre-shared key mode (PSK), a public-key + (RSA) mode, and an optional Diffie-Hellman exchange (DHE) mode. In + addition, there is also an optional DH-HMAC mode [RFC4650], bringing + the total number of modes to four. The primary motivation for the + MIKEY protocol design is low-latency requirements of real-time + communication, and thus all the exchanges finish in one-half to 1 + roundtrip; note that this offers no room for security parameter + negotiation of the key management protocol itself. In this document, + we note that the MIKEY modes defined in [RFC3830] and [RFC4650] are + insufficient to address some deployment scenarios and common use + cases, and we propose a new mode called MIKEY-RSA in Reverse mode, or + simply MIKEY-RSA-R. This document updates RFC 3830 with the addition + of this new mode to that specification. + +1.1. Terminology Used in This Document + + The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", + "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this + document are to be interpreted as described in BCP 14, RFC 2119 + [RFC2119]. + + Furthermore, this document reuses the terminology of the MIKEY + specification [RFC3830]. + +2. Motivation + + As noted in the introduction, the MIKEY specification and other + proposals define four different modes of efficient key management for + real-time applications. Those modes differ from each other in either + the authentication method of choice (public-key, or symmetric shared + key-based), or the key establishment method of choice (key download, + or key agreement using a Diffie-Hellman exchange). We summarize + these modes below, including their advantages and shortcomings. We + then discuss the use cases where these modes are unusable or + inefficient. + +2.1. Description of the MIKEY Modes + + The PSK mode requires that the Initiator and the Responder have a + common secret key established offline. In this mode, the Initiator + selects a TEK Generation Key (TGK), encrypts it with a key derived + from the PSK, and sends it to the Responder as part of the first + message, namely, I_MESSAGE. The I_MESSAGE is replay protected with + timestamps, and integrity protected with another key derived from the + PSK. An optional Verification message from the Responder to the + + + +Ignjatic, et al. Standards Track [Page 3] + +RFC 4738 MIKEY-RSA-R November 2006 + + + Initiator provides mutual authentication. This mode does not scale + well as it requires pre-establishment of a shared key between + communicating parties; for example, consider the use cases where any + user may want to communicate to any other user in an Enterprise or + the Internet at large. The RSA mode might be more suitable for such + applications. + + In the RSA mode, the Initiator selects a TGK, encrypts and + authenticates it with an envelope key, and sends it to the Responder + as part of the I_MESSAGE. The Initiator includes the envelope key, + encrypted with the Responder's public key, in the I_MESSAGE. The + I_MESSAGE is replay protected with timestamps, and signed with the + Initiator's public key. The Initiator's ID, Certificate (CERT), and + the Responder's ID may be included in the I_MESSAGE. If the + Initiator knows several public keys of the Responder, it can indicate + the key used in the optional CHASH payload. An optional Verification + message from the Responder to the Initiator provides mutual + authentication. The RSA mode works well if the Initiator knows the + Responder's ID and the corresponding CERT (or can obtain the CERT + independent of the MIKEY protocol). RFC 3830 suggests that an + Initiator, in the event that it does not have the Responder's CERT, + may obtain the CERT from a directory agent using one or more + roundtrips. However, in some cases, the Initiator may not even know + the Responder's ID in advance, and because of that or for other + reasons cannot obtain the Responder's CERT. + + In addition to the case where the Responder may have several IDs, + some applications may allow for the Responder's ID to change + unilaterally, as is typical in telephony (e.g., forwarding). In + those cases and in others, the Initiator might be willing to let the + other party establish identity and prove it via an Initiator-trusted + third party (e.g., a Certification Authority (CA)). + + The DH mode or the DH-HMAC mode of MIKEY might be useful in cases + where the Initiator does not have access to the Responder's exact + identity and/or CERT. In these modes, the two parties engage in an + authenticated DH exchange to derive the TGK. On the downside, the DH + modes have higher computational and communication overhead compared + to the RSA and the PSK modes. More importantly, these modes are + unsuitable for group key distribution. The DH-HMAC mode also + requires establishment of PSKs between all possible communicating + entities and thus has similar scaling issues as any PSK-based key + management protocol. + + In summary, in some communication scenarios -- where the Initiator + might not have the correct ID and/or the CERT of the Responder -- + none of the MIKEY modes described in [RFC3830] or [RFC4650] are + suitable and efficient for multimedia session key establishment. + + + +Ignjatic, et al. Standards Track [Page 4] + +RFC 4738 MIKEY-RSA-R November 2006 + + +2.2. Use Case Motivating the Proposed Mode + + In addition to the issues listed above, there are some types of + applications that motivate the new MIKEY mode design proposed in this + document. + + Note that in the MIKEY-RSA mode (as in case of the PSK mode), the + Initiator proposes the session security policy and chooses the TGK. + However, it is also possible that the Initiator wants to allow the + Responder to specify the security policy and send the TGK. Consider + for example, the case of a conferencing scenario where the convener + sends an invitation to a group of people to attend a meeting. The + procedure then might be for the invitees to request group key + material from the convener by sending a MIKEY I_MESSAGE. Thus, in + the MIKEY definition of initiators and responders, the Initiator is + asking the Responder for keying material. Note that this mode of + operation is in line with the MSEC group key management architecture + [RFC4046]. + +3. A New MIKEY-RSA Mode: MIKEY-RSA-R + +3.1. Outline + + The proposed MIKEY mode requires 1 full roundtrip. The Initiator + sends a signed I_MESSAGE to the intended Responder requesting the + Responder to send the traffic keying material. The I_MESSAGE MAY + contain the Initiator's CERT or a link (URL) to the CERT, and + similarly the Responder's reply, R_MESSAGE, MAY contain the + Responder's CERT or a link to it. The Responder can use the + Initiator's public key from the CERT in the I_MESSAGE to send the + encrypted TGK in the R_MESSAGE. Upon receiving the R_MESSAGE, the + Initiator can use the CERT in the R_MESSAGE to verify whether the + Responder is in fact the party that it wants to communicate to, and + accept the TGK. We refer to this protocol as MIKEY-RSA in the + reverse mode, or simply as MIKEY-RSA-R. + + The MIKEY-RSA-R mode exchange is defined as follows: + + Initiator Responder + --------- --------- + + I_MESSAGE = HDR, T, [RAND], [IDi|CERTi], [IDr], {SP}, SIGNi + + R_MESSAGE = HDR, [GenExt(CSB_ID)], T, [RAND], [IDr|CERTr], [SP], + KEMAC, PKE, SIGNr + + Figure 1: MIKEY-RSA-R Unicast Mode + + + + +Ignjatic, et al. Standards Track [Page 5] + +RFC 4738 MIKEY-RSA-R November 2006 + + +3.2. Group Communication Using the MIKEY RSA-R Mode + + For group conferencing using MIKEY RSA-R mode, the members receive an + invitation to initiate MIKEY with the group key server to download + the secure session information. In this case, the Responder is + either the group sender or group key server. Group members request + group policy and keying material as MIKEY RSA-R Initiators. + Initiators MUST NOT send the SP payload. The Responder sends all the + payloads necessary to distribute the secure group policy as well as + payloads used in the group key derivation: specifically, the SP + payload is used to convey the session policy, and the GenExt(CSB-ID), + TGK, and the RAND payloads selected by the Responder and included in + the R_Message are used to compute the Secure Realtime Transport + Protocol (SRTP) session keys. + + MIKEY RSA-R for group communication: + + Initiator Responder + --------- --------- + + I_MESSAGE = HDR, T, [RAND], [IDi|CERTi], [IDr], SIGNi + + R_MESSAGE = HDR, GenExt(CSB_ID), T, RAND, [IDr|CERTr], SP, + KEMAC, PKE, SIGNr + + Figure 2: MIKEY-RSA-R in Group Mode + + Note that the SP payload in the I_MESSAGE is not present. In the + R_MESSAGE, the CSB_ID, RAND, and SP payloads are not optional. + +3.3. Preparing RSA-R Messages + + Preparation and parsing of RSA-R messages are as described in + Sections 5.2 and 5.3 of RFC 3830. Error handling is described in + Section 5.1.2 and replay protection guidelines are in Section 5.4 of + RFC 3830. In the following, we describe the components of RSA-R + messages and specify message processing and parsing rules in addition + to those in RFC 3830. + +3.4. Components of the I_MESSAGE + + MIKEY-RSA-R requires a full roundtrip to download the TGKs. The + I_MESSAGE MUST have the MIKEY HDR and the timestamp payload for + replay protection. The HDR field contains a CSB_ID (Crypto Session + Bundle ID) randomly selected by the Initiator. The V bit MUST be set + to '1' and ignored by the Responder, as a response is MANDATORY in + this mode. The Initiator SHOULD indicate the number of CSs + supported, and SHOULD fill in the CS ID map type and CS ID info + + + +Ignjatic, et al. Standards Track [Page 6] + +RFC 4738 MIKEY-RSA-R November 2006 + + + fields for the RTP/RTCP streams it originates. This is because the + sender of the streams chooses the SSRC that is carried in the CS ID + info field; see Section 6.1.1 of RFC 3830. The exception to + Initiators not specifying SSRC values is to allow the Responder to + pick them to avoid SSRC collisions. Initiators of MIKEY messages + that do not originate RTP streams MUST specify a '0' as the number of + CSs supported. This typically applies to group communication and to + the entities in the listen-only mode. + + The I_MESSAGE MUST be signed by the Initiator following the procedure + to sign MIKEY messages specified in RFC 3830. The SIGNi payload + contains this signature. Thus, the I_MESSAGE is integrity and replay + protected. + + The RAND payload SHOULD be included in the I_MESSAGE when MIKEY-RSA-R + mode is used for unicast communication. The reason for recommending + the inclusion of the RAND payload in the I_MESSAGE for unicast + communication is to allow the Initiator to contribute entropy to the + key derivation process (in addition to the CSB_ID). When the RAND + payload is not included, the Initiator will be relying on the + Responder to supply all the entropy for SRTP key generation, which is + in fact similar (but with the reversal of roles) to the MIKEY-RSA + mode, where the Responder supplies all the entropy. + + The RAND payload MAY be included when MIKEY-RSA-R is used to + establish group keys. However, the RAND payload in the I_MESSAGE + MUST NOT be used for MIKEY key generation, in case of group + communication. The Responder MUST include a RAND payload in the + R_MESSAGE for TEK generation from a TGK when MIKEY-RSA-R is used for + group communication. + + IDi and CERTi SHOULD be included, but they MAY be left out when it is + expected that the peer already knows the Initiating party's ID (or + can obtain the certificate in some other manner). For example, this + could be the case if the ID is extracted from SIP. For certificate + handling, authorization, and policies, see Sections 4.3 and 6.7 of + RFC 3830. If CERTi is included, it MUST correspond to the private + key used to sign the I_MESSAGE. + + If the Responder has multiple identities, the Initiator MAY also + include the specific identity, IDr, of the Responder with whom + communication is desired. If the Initiator's policy does not allow + acceptance of an R_MESSAGE from any entity other than one that can + assert a specific identity, the Initiator MUST include that specific + identity in an IDr payload in the I_MESSAGE. + + + + + + +Ignjatic, et al. Standards Track [Page 7] + +RFC 4738 MIKEY-RSA-R November 2006 + + + The Initiator MAY also send security policy (SP) payload(s) + containing all the security policies that it supports. If the + Responder does not support any of the policies included, it SHOULD + reply with an Error message of type "Invalid SPpar" (Error no. 10). + The Responder has the option not to send the Error message in MIKEY + if a generic session establishment failure indication is deemed + appropriate and communicated via other means (see Section 4.1.2 of + [RFC4567] for additional guidance). + + SIGNi is a signature covering the Initiator's MIKEY message, + I_MESSAGE, using the Initiator's signature key (see Section 5.2 of + RFC 3830 for the exact definition). The signature assures the + Responder that the claimed Initiator has indeed generated the + message. This automatically provides message integrity as well. + +3.5. Processing the I_MESSAGE + + Upon receiving an I_MESSAGE of the RSA-R format, the Responder MUST + respond with one of the following messages: + + o The Responder SHOULD send an Error message "Message type not + supported" (Error no. 13), if it cannot correctly parse the + received MIKEY message. Error message format is as specified in + Section 5.1.2 of RFC 3830. Error no. 13 is not defined in RFC + 3830, and so RFC 3830 compliant implementations MAY return "an + unspecified error occurred" (Error no. 12). + + o The Responder MUST send an R_MESSAGE, if SIGNi can be correctly + verified and the timestamp is current; if an SP payload is present + in the I_MESSAGE the Responder MUST return one of the proposed + security policies that matches the Responder's local policy. + + o If a RAND payload is present in the I_MESSAGE, both sides use that + RAND payload as the RAND value in the MIKEY key computation. In + case of multicast, if a RAND payload is present in the I_MESSAGE, + the Responder SHOULD ignore the payload. In any case, the + R_MESSAGE for multicast communication MUST contain a RAND payload + and that RAND payload is used for key computation. + + o The rest of the error message rules are as described in Section + 5.1.2 of RFC 3830, and message processing rules are as described + in Section 5.3 of RFC 3830. + + + + + + + + + +Ignjatic, et al. Standards Track [Page 8] + +RFC 4738 MIKEY-RSA-R November 2006 + + +3.6. Components of the R_MESSAGE + + The HDR payload in the R_MESSAGE is formed following the procedure + described in RFC 3830. Specifically, the CSB_ID in the HDR payload + MUST be the same as the one in the HDR of the I_MESSAGE. The + Responder MUST fill in the number of CSs and the CS ID map type and + CS ID info fields of the HDR payload. + + For group communication, all the members MUST use the same CSB_ID and + CS ID in computing the traffic keying material. Therefore, for group + key establishment, the Responder MUST include a General Extension + Payload containing a new CSB_ID in the R_MESSAGE. If a new CSB_ID is + present in the R_MESSAGE, the Initiator and the Responder MUST use + that value in key material computation. Furthermore, the CS ID map + type and CS ID map info MUST be populated by the Responder. The + General Extension Payload carrying a CSB_ID MUST NOT be present in + case of unicast communication. + + The T payload is exactly the same as that received in the I_MESSAGE. + + If the I_MESSAGE did not include the RAND payload, it MUST be present + in the R_MESSAGE. In case it has been included in the I_MESSAGE, it + MUST NOT be present in the R_MESSAGE. In group communication, the + Responder always sends the RAND payload and in unicast communication, + either the Initiator or the Responder (but not both) generate and + send the RAND payload. + + IDr and CERTr SHOULD be included, but they MAY be left out when it + can be expected that the peer already knows the other party's ID (or + can obtain the certificate in some other manner). For example, this + could be the case if the ID is extracted from SIP. For certificate + handling, authorization, and policies, see Section 4.3. of RFC 3830. + If CERTr is included, it MUST correspond to the private key used to + sign the R_MESSAGE. + + An SP payload MAY be included in the R_MESSAGE. If an SP payload was + in the I_MESSAGE, then the R_MESSAGE MUST contain an SP payload + specifying the security policies of the secure RTP session being + negotiated. More specifically, the Initiator may have provided + multiple options, but the Responder MUST choose one option per + Security Policy Parameter. + + The KEMAC payload contains a set of encrypted sub-payloads and a MAC: + KEMAC = E(encr_key, IDr || {TGK}) || MAC. The first payload (IDr) in + KEMAC is the identity of the Responder (not a certificate, but + generally the same ID as the one specified in the certificate). Each + of the following payloads (TGK) includes a TGK randomly and + independently chosen by the Responder (and possible other related + + + +Ignjatic, et al. Standards Track [Page 9] + +RFC 4738 MIKEY-RSA-R November 2006 + + + parameters, e.g., the key lifetime). The encrypted part is then + followed by a MAC, which is calculated over the KEMAC payload. The + encr_key and the auth_key are derived from the envelope key, env_key, + as specified in Section 4.1.4. of RFC 3830. The payload definitions + are specified in Section 6.2 of RFC 3830. + + The Responder encrypts and integrity protects the TGK with keys + derived from a randomly or pseudo-randomly chosen envelope key, and + encrypts the envelope key itself with the public key of the + Initiator. The PKE payload contains the encrypted envelope key, + env_key: PKE = E(PKi, env_key). PKi denotes the Initiator's public + key. Note that, as suggested in RFC 3830, the envelope key MAY be + cached and used as the PSK for re-keying. + + To compute the signature that goes in the SIGNr payload, the + Responder MUST sign: + + R_MESSAGE (excluding the SIGNr payload itself) || IDi || IDr || T. + + Note that the added identities and timestamp are identical to those + transported in the ID and T payloads. + +3.7. Processing the R_MESSAGE + + In addition to the processing rules in RFC 3830, the following rules + apply to processing of the R_MESSAGE of MIKEY RSA-R mode. + + If the I_MESSAGE contained a RAND payload, the Initiator MUST + silently discard an R_MESSAGE that contains a RAND payload. + Similarly, if the I_MESSAGE did not contain a RAND payload, the + Initiator MUST silently discard an R_MESSAGE that does not contain + a RAND payload. + + If the SP payload contains a policy not specified in the SP + message, if present, in the I_MESSAGE, such an R_MESSAGE MUST be + discarded silently. + +3.8. Certificate Handling + + If a Certificate payload is present, the X.509v3 URL Cert type from + Table 6.7.b [RFC3830] is the default method in RSA-R mode and MUST be + implemented. The HTTP URL to fetch a certificate as specified in RFC + 2585 [RFC2585] MUST be supported. Devices are not required to + support the FTP URLs. When retrieving data from the URL, + application/pkix-cert MIME type with X.509 certificates DER-encoded + MUST be supported. + + + + + +Ignjatic, et al. Standards Track [Page 10] + +RFC 4738 MIKEY-RSA-R November 2006 + + + The RECOMMENDED way of doing certificate validation is by using OCSP + as specified by RFC 2560 [RFC2560]. When OCSP is used and nextUpdate + time is present in the response, it defines how long the certificate + can be considered valid and cached. If OCSP is not supported or + nextUpdate time is not present in the response, the certificate cache + timeout is a matter of local policy. + + The communicating peers (such as SIP User Agents for instance) MAY + choose to create a URL pointing to certificate files residing on + themselves or by appending their ID and a ".cer" extension to a + provisioned root path to the certificate. Other methods MAY also be + used, subject to local policy. + +3.9. Additions to RFC 3830 Message Types and Other Values + + This document introduces two new message types (Table 6.1a of RFC + 3830), an Error no (Table 6.12 of RFC 3830), and a general extension + payload (Table 6.15 of RFC 3830). This section specifies those + additions. + +3.9.1. Modified Table 6.1a from RFC 3830 + + Modified Table 6.1a from RFC 3830: + + + Data type | Value | Comment + ------------------------------------------------------------------ + Pre-shared | 0 | Initiator's pre-shared key message + PSK ver msg | 1 | Verification message of a Pre-shared key msg + Public key | 2 | Initiator's public-key transport message + PK ver msg | 3 | Verification message of a public-key message + D-H init | 4 | Initiator's DH exchange message + D-H resp | 5 | Responder's DH exchange message + Error | 6 | Error message + DHHMAC init | 7 | DH HMAC message 1 + DHHMAC resp | 8 | DH HMAC message 2 + RSA-R I_MSG | 9 | Initiator's RSA-R public-key message (NEW) + RSA-R R_MSG | 10 | Responder's RSA-R public-key message (NEW) + + Figure 3: Table 6.1a from RFC 3830 (Revised) + + + + + + + + + + + +Ignjatic, et al. Standards Track [Page 11] + +RFC 4738 MIKEY-RSA-R November 2006 + + +3.9.2. Modified Table 6.12 from RFC 3830 + + Modified Table 6.12 from RFC 3830: + + Error no | Value | Comment + ------------------------------------------------------- + Auth failure | 0 | Authentication failure + Invalid TS | 1 | Invalid timestamp + Invalid PRF | 2 | PRF function not supported + Invalid MAC | 3 | MAC algorithm not supported + Invalid EA | 4 | Encryption algorithm not supported + Invalid HA | 5 | Hash function not supported + Invalid DH | 6 | DH group not supported + Invalid ID | 7 | ID not supported + Invalid Cert | 8 | Certificate not supported + Invalid SP | 9 | SP type not supported + Invalid SPpar | 10 | SP parameters not supported + Invalid DT | 11 | not supported Data type + Unspecified error | 12 | an unspecified error occurred + Unsupported | | + message type | 13 | unparseable MIKEY message (NEW) + + + Figure 4: Table 6.12 from RFC 3830 (Revised) + +3.9.3. Modified Table 6.15 from RFC 3830 + + Modified Table 6.15 from RFC 3830: + + Type | Value | Comments + --------------------------------------- + Vendor ID | 0 | Vendor specific byte string + SDP IDs | 1 | List of SDP key mgmt IDs (allocated for use in + | | [RFC4567]) + TESLA I-Key| 2 | [RFC4442] + Key ID | 3 | information on type and identity of keys + | | [RFC4563]) + CSB_ID | 4 | Responder's modified CSB_ID (group mode) + + Figure 5: Table 6.15 from RFC 3830 (Revised) + + + + + + + + + + + +Ignjatic, et al. Standards Track [Page 12] + +RFC 4738 MIKEY-RSA-R November 2006 + + +4. Applicability of the RSA-R and RSA Modes + + MIKEY-RSA-R mode and RSA mode are both very useful: deciding on which + mode to use depends on the application. + + The RSA-R mode is useful when you have reasons to believe that the + Responder may be a different party than the one to which the MIKEY + I_MESSAGE was sent. This is quite common in telephony and multimedia + applications where the session or the call can be retargeted or + forwarded. When the security policy allows it, leaving some + flexibility for the Initiator to see who the Responder may turn out + to be, before making the decision to continue or discontinue the + session, may be appropriate. In such cases, the main objective of + the Initiator's RSA-R message is to present its public key/ + certificate to the Responder, and wait for a Responder to present its + identity. + + The second scenario is when the Initiator already has the Responder's + certificate but wants to allow the Responder to come up with all the + keying material. This is applicable in conferences where the + Responder is the key distributor and the Initiators contact the + Responder to initiate key download. Notice that this is quite + similar to the group key download model as specified in GDOI + [RFC3547], GSAKMP [RFC4535], and GKDP [GKDP] protocols (also see + [RFC4046]). The catch, however, is that the participating entities + must know that they need to contact a well-known address as far as + that conferencing group is concerned. Note that they only need the + Responder's address, not necessarily its CERT. If the group members + have the Responder's CERT, there is no harm; they simply do not need + the CERT to compose the I_MESSAGE. + + The RSA mode is useful when the Initiator knows the Responder's + identity and CERT. This mode is also useful when the key exchange is + happening in an established session with a Responder (for example, + when switching from a non-secure mode to a secure mode), and when the + policy is such that it is only appropriate to establish a MIKEY + session with the Responder that is targeted by the Initiator. + +4.1. Limitations + + The RSA-R mode may not easily support 3-way calling, under the + assumptions that motivated the design. An extra message may be + required compared to the MIKEY-RSA mode specified in RFC 3830. + Consider that A wants to talk to B and C, but does not have B's or + C's CERT. A might contact B and request that B supply a key for a + 3-way call. Now if B knows C's CERT, then B can simply use the + MIKEY-RSA mode (as defined in RFC 3830) to send the TGK to C. If + not, then the solution is not straightforward. For instance, A might + + + +Ignjatic, et al. Standards Track [Page 13] + +RFC 4738 MIKEY-RSA-R November 2006 + + + ask C to contact B or itself to get the TGK, in effect initiating a + 3-way exchange. It should be noted that 3-way calling is typically + implemented using a bridge, in which case there are no issues (it + looks like 3 point-to-point sessions, where one end of each session + is a bridge mixing the traffic into a single stream). + +5. Security Considerations + + We offer a brief overview of the security properties of the exchange. + There are two messages: the I_MESSAGE and the R_MESSAGE. The + I_MESSAGE is a signed request by an Initiator requesting the + Responder to select a TGK to be used to protect multimedia (e.g., + Secure RTP or SRTP [RFC3711]) sessions. + + The message is signed, which assures the Responder that the claimed + Initiator has indeed generated the message. This automatically + provides message integrity as well. + + There is a timestamp in the I_MESSAGE, which when generated and + interpreted in the context of the MIKEY specification assures the + Responder that the request is live and not a replay. Indirectly, + this also provides protection against a denial of service (DoS) + attack in that the I_MESSAGE must itself be signed. The Responder, + however, would have to verify the Initiator's signature and the + timestamp, and thus would spend significant computing resources. It + is possible to mitigate this by caching recently received and + verified requests. + + Note that the I_MESSAGE in this method basically equals DoS + protection properties of the DH method and not the public-key method + as there are no payloads encrypted by the Responder's public key in + the I_MESSAGE. If IDr is not included in the I_MESSAGE, the + Responder will accept the message and a response (and state) would be + created for the malicious request. + + The R_MESSAGE is quite similar to the I_MESSAGE in the MIKEY-RSA mode + and has all the same security properties. + + When using the RSA-R mode, the Responder may be a different party + than the one to which the MIKEY I_MESSAGE was sent. It is the + responsibility of the Initiator to verify that the identity of the + Responder is acceptable (based on its local policy) if it changes + from the party to which the MIKEY I_MESSAGE was sent, and to take + appropriate action based on the outcome. In some cases, it could be + appropriate to accept a Responder's identity if it can be strongly + authenticated; in other cases, a blacklist or a whitelist may be + appropriate. + + + + +Ignjatic, et al. Standards Track [Page 14] + +RFC 4738 MIKEY-RSA-R November 2006 + + + When both unicast and multicast streams need to be negotiated, it is + RECOMMENDED to use multiple instances of MIKEY-RSA-R rather than a + single instance in group mode. This is to avoid potential key reuse + with counter mode. + +5.1. Impact of the Responder Choosing the TGK + + In the MIKEY-RSA or PSK modes, the Initiator chooses the TGK, and the + Responder has the option to accept the key or not. In the RSA-R mode + for unicast communication, the RECOMMENDED mode of operation is for + the Initiator and the Responder to contribute random information in + generating the TEK (RAND from the Initiator and the TGK from the + Responder). For group communication, the sender (MIKEY Responder) + will choose the TGK and the RAND; note that it is in the interest of + the sender to provide sufficient entropy to TEK generation since the + TEK protects data sent by the Responder. + + Thus, in case of unicast communication, the RSA-R mode is slightly + better than the RSA mode in that it allows the Initiator as well as + the Responder to contribute entropy to the TEK generation process. + This comes at the expense of the additional message. However, as + noted earlier, the new mode needs the additional message to allow + simpler provisioning. + +5.2. Updates to Security Considerations in RFC 3830 + + MIKEY requires clock synchronization, and a secure network clock + synchronization protocol SHOULD be used, e.g., [ISO3] or secure NTP + [NTPv4]. + + RFC 3830 has additional notes on the security properties of the MIKEY + protocol, key derivation functions, and other components. + +6. IANA Considerations + + The following IANA assignments were added to the MIKEY registry: + + Added to "Error payload name spaces:" + + Unsupported message type ------- 13 + + Added to "Common Header payload name spaces:" + + RSA-R I_MSG ------------- 9 + RSA-R R_MSG ------------- 10 + + + + + + +Ignjatic, et al. Standards Track [Page 15] + +RFC 4738 MIKEY-RSA-R November 2006 + + + Added to "General Extensions payload name spaces:" + + CSB_ID ----------------- 4 + +7. Acknowledgments + + Many thanks to Mark Baugher, Steffen Fries, Russ Housley, Cullen + Jennings, and Vesa Lehtovirta for their reviews of earlier version of + this document. + +8. References + +8.1. Normative References + + [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate + Requirement Levels", BCP 14, RFC 2119, March 1997. + + [RFC2560] Myers, M., Ankney, R., Malpani, A., Galperin, S., and C. + Adams, "X.509 Internet Public Key Infrastructure Online + Certificate Status Protocol - OCSP", RFC 2560, June 1999. + + [RFC2585] Housley, R. and P. Hoffman, "Internet X.509 Public Key + Infrastructure Operational Protocols: FTP and HTTP", + RFC 2585, May 1999. + + [RFC3830] Arkko, J., Carrara, E., Lindholm, F., Naslund, M., and K. + Norrman, "MIKEY: Multimedia Internet KEYing", RFC 3830, + August 2004. + +8.2. Informative References + + [RFC3547] Baugher, M., Weis, B., Hardjono, T., and H. Harney, "The + Group Domain of Interpretation", RFC 3547, July 2003. + + [RFC3711] Baugher, M., McGrew, D., Naslund, M., Carrara, E., and K. + Norrman, "The Secure Real-time Transport Protocol (SRTP)", + RFC 3711, March 2004. + + [RFC4046] Baugher, M., Canetti, R., Dondeti, L., and F. Lindholm, + "Multicast Security (MSEC) Group Key Management + Architecture", RFC 4046, April 2005. + + [RFC4650] Euchner, M., "HMAC-Authenticated Diffie-Hellman for + Multimedia Internet KEYing (MIKEY)", RFC 4650, September + 2006. + + + + + + +Ignjatic, et al. Standards Track [Page 16] + +RFC 4738 MIKEY-RSA-R November 2006 + + + [RFC4535] Harney, H., Meth, U., Colegrove, A., and G. Gross, + "GSAKMP: Group Secure Association Key Management + Protocol", RFC 4535, June 2006. + + [GKDP] Dondeti, L., "GKDP: Group Key Distribution Protocol", Work + in Progress, March 2006. + + [RFC4567] Arkko, J., Lindholm, F., Naslund, M., Norrman, K., and E. + Carrara, "Key Management Extensions for Session + Description Protocol (SDP) and Real Time Streaming + Protocol (RTSP)", RFC 4567, July 2006. + + [RFC4442] Fries, S. and H. Tschofenig, "Bootstrapping Timed + Efficient Stream Loss-Tolerant Authentication (TESLA)", + RFC 4442, March 2006. + + [RFC4563] Carrara, E., Lehtovirta, V., and K. Norrman, "The Key ID + Information Type for the General Extension Payload in + Multimedia Internet KEYing (MIKEY)", RFC 4563, June 2006. + + [NTPv4] Burbank, J., "The Network Time Protocol Version 4 Protocol + Specification", Work in Progress, May 2006. + + [ISO3] ISO, "ISO/IEC 18014 Information technology - Security + techniques - Time-stamping services, Part 1-3", 2002. + + + + + + + + + + + + + + + + + + + + + + + + + + +Ignjatic, et al. Standards Track [Page 17] + +RFC 4738 MIKEY-RSA-R November 2006 + + +Authors' Addresses + + Dragan Ignjatic + Polycom + 1000 W. 14th Street + North Vancouver, BC V7P 3P3 + Canada + + Phone: +1 604 982 3424 + EMail: dignjatic@polycom.com + + + Lakshminath Dondeti + QUALCOMM + 5775 Morehouse drive + San Diego, CA 92121 + US + + Phone: +1 858 845 1267 + EMail: ldondeti@qualcomm.com + + + Francois Audet + Nortel + 4655 Great America Parkway + Santa Clara, CA 95054 + US + + Phone: +1 408 495 3756 + EMail: audet@nortel.com + + + Ping Lin + Nortel + 250 Sidney St. + Belleville, Ontario K8P3Z3 + Canada + + Phone: +1 613 967 5343 + EMail: linping@nortel.com + + + + + + + + + + + +Ignjatic, et al. Standards Track [Page 18] + +RFC 4738 MIKEY-RSA-R November 2006 + + +Full Copyright Statement + + Copyright (C) The IETF Trust (2006). + + This document is subject to the rights, licenses and restrictions + contained in BCP 78, and except as set forth therein, the authors + retain all their rights. + + This document and the information contained herein are provided on an + "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS + OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST, + AND THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, + EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT + THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY + IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR + PURPOSE. + +Intellectual Property + + The IETF takes no position regarding the validity or scope of any + Intellectual Property Rights or other rights that might be claimed to + pertain to the implementation or use of the technology described in + this document or the extent to which any license under such rights + might or might not be available; nor does it represent that it has + made any independent effort to identify any such rights. Information + on the procedures with respect to rights in RFC documents can be + found in BCP 78 and BCP 79. + + Copies of IPR disclosures made to the IETF Secretariat and any + assurances of licenses to be made available, or the result of an + attempt made to obtain a general license or permission for the use of + such proprietary rights by implementers or users of this + specification can be obtained from the IETF on-line IPR repository at + http://www.ietf.org/ipr. + + The IETF invites any interested party to bring to its attention any + copyrights, patents or patent applications, or other proprietary + rights that may cover technology that may be required to implement + this standard. Please address the information to the IETF at + ietf-ipr@ietf.org. + +Acknowledgement + + Funding for the RFC Editor function is currently provided by the + Internet Society. + + + + + + +Ignjatic, et al. Standards Track [Page 19] + -- cgit v1.2.3