From 4bfd864f10b68b71482b35c818559068ef8d5797 Mon Sep 17 00:00:00 2001 From: Thomas Voss Date: Wed, 27 Nov 2024 20:54:24 +0100 Subject: doc: Add RFC documents --- doc/rfc/rfc6188.txt | 899 ++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 899 insertions(+) create mode 100644 doc/rfc/rfc6188.txt (limited to 'doc/rfc/rfc6188.txt') diff --git a/doc/rfc/rfc6188.txt b/doc/rfc/rfc6188.txt new file mode 100644 index 0000000..1e59d81 --- /dev/null +++ b/doc/rfc/rfc6188.txt @@ -0,0 +1,899 @@ + + + + + + +Internet Engineering Task Force (IETF) D. McGrew +Request for Comments: 6188 Cisco Systems, Inc. +Category: Standards Track March 2011 +ISSN: 2070-1721 + + + The Use of AES-192 and AES-256 in Secure RTP + +Abstract + + This memo describes the use of the Advanced Encryption Standard (AES) + with 192- and 256-bit keys within the Secure RTP (SRTP) protocol. It + details counter mode encryption for SRTP and Secure Realtime + Transport Control Protocol (SRTCP) and a new SRTP Key Derivation + Function (KDF) for AES-192 and AES-256. + +Status of This Memo + + This is an Internet Standards Track document. + + This document is a product of the Internet Engineering Task Force + (IETF). It represents the consensus of the IETF community. It has + received public review and has been approved for publication by the + Internet Engineering Steering Group (IESG). Further information on + Internet Standards is available in Section 2 of RFC 5741. + + Information about the current status of this document, any errata, + and how to provide feedback on it may be obtained at + http://www.rfc-editor.org/info/rfc6188. + +Copyright Notice + + Copyright (c) 2011 IETF Trust and the persons identified as the + document authors. All rights reserved. + + This document is subject to BCP 78 and the IETF Trust's Legal + Provisions Relating to IETF Documents + (http://trustee.ietf.org/license-info) in effect on the date of + publication of this document. Please review these documents + carefully, as they describe your rights and restrictions with respect + to this document. Code Components extracted from this document must + include Simplified BSD License text as described in Section 4.e of + the Trust Legal Provisions and are provided without warranty as + described in the Simplified BSD License. + + + + + + + +McGrew Standards Track [Page 1] + +RFC 6188 SRTP AES-192 and AES-256 March 2011 + + +Table of Contents + + 1. Introduction ....................................................3 + 1.1. Conventions Used in This Document ..........................3 + 2. AES-192 and AES-256 Encryption ..................................3 + 3. The AES_192_CM_PRF and AES_256_CM_PRF Key Derivation Functions ..4 + 3.1. Usage Requirements .........................................5 + 4. Crypto Suites ...................................................6 + 5. IANA Considerations .............................................9 + 6. Security Considerations .........................................9 + 7. Test Cases .....................................................10 + 7.1. AES-256-CM Test Cases .....................................10 + 7.2. AES_256_CM_PRF Test Cases .................................11 + 7.3. AES-192-CM Test Cases .....................................13 + 7.4. AES_192_CM_PRF Test Cases .................................13 + 8. Acknowledgements ...............................................15 + 9. References .....................................................15 + 9.1. Normative References ......................................15 + 9.2. Informative References ....................................15 + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +McGrew Standards Track [Page 2] + +RFC 6188 SRTP AES-192 and AES-256 March 2011 + + +1. Introduction + + This memo describes the use of the Advanced Encryption Standard (AES) + [FIPS197] with 192- and 256-bit keys within the Secure RTP (SRTP) + protocol [RFC3711]. Below, those block ciphers are referred to as + AES-192 and AES-256, respectively, and the use of AES with a 128-bit + key is referred to as AES-128. This document describes counter mode + encryption for SRTP and SRTCP and appropriate SRTP key derivation + functions for AES-192 and AES-256. It also defines new crypto suites + that use these new functions. + + While AES-128 is widely regarded as more than adequately secure, some + users may be motivated to adopt AES-192 or AES-256 due to a perceived + need to pursue a highly conservative security strategy. For + instance, the Suite B profile requires AES-256 for the protection of + TOP SECRET information [suiteB]. (Note that while the AES-192 and + AES-256 encryption methods defined in this document use Suite B + algorithms, the crypto suites in this document use the HMAC-SHA-1 + algorithm, which is not included in Suite B.) See Section 6 for more + discussion of security issues. + + The crypto functions described in this document are an addition to, + and not a replacement for, the crypto functions defined in [RFC3711]. + +1.1. Conventions Used in This Document + + The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", + "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this + document are to be interpreted as described in [RFC2119]. + +2. AES-192 and AES-256 Encryption + + Section 4.1.1 of [RFC3711] defines AES counter mode encryption, which + it refers to as AES_CM. This definition applies to all of the AES + key sizes. In this note, AES-192 counter mode and AES-256 counter + mode and are denoted as AES_192_CM and AES_256_CM, respectively. In + both of these ciphers, the plaintext inputs to the block cipher are + formed as in AES_CM, and the block cipher outputs are processed as in + AES_CM. The only difference in the processing is that AES_192_CM + uses AES-192, and AES_256_CM uses AES-256. Both AES_192_CM and + AES_256_CM use a 112-bit salt as an input, as does AES_CM. + + For the convenience of the reader, the structure of the counter + blocks in SRTP counter mode encryption is illustrated in Figure 1, + using the terminology from Section 4.1.1 of [RFC3711]. In this + diagram, the symbol (+) denotes the bitwise exclusive-or operation, + and the AES encrypt operation uses AES-128, AES-192, or AES-256 for + AES_CM, AES_192_CM, and AES_256_CM, respectively. The field labeled + + + +McGrew Standards Track [Page 3] + +RFC 6188 SRTP AES-192 and AES-256 March 2011 + + + b_c contains a block counter, the value of which increments once for + each invocation of the "AES Encrypt" function. The SSRC field is + part of the RTP header [RFC3550]. + + one octet + <--> + 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 + +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ + |00|00|00|00| SSRC | packet index | b_c |---+ + +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ | + | + +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ v + | salt (k_s) |00|00|->(+) + +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ | + | + v + +-------------+ + encryption key (k_e) -> | AES encrypt | + +-------------+ + | + +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ | + | keystream block |<--+ + +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ + + Figure 1: AES Counter Mode + +3. The AES_192_CM_PRF and AES_256_CM_PRF Key Derivation Functions + + Section 4.3.3 of [RFC3711] defines an AES counter mode key derivation + function, which it refers to as AES_CM PRF (and sometimes as AES-CM + PRF). (That specification uses the term PRF, or pseudo-random + function, interchangeably with the phrase "key derivation function".) + This key derivation function can be used with any AES key size. In + this note, the AES-192 counter mode PRF and AES-256 counter mode PRF + are denoted as AES_192_CM_PRF and AES_256_CM_PRF, respectively. In + both of these PRFs, the plaintext inputs to the block cipher are + formed as in the AES_CM PRF, and the block cipher outputs are + processed as in the AES_CM PRF. The only difference in the + processing is that AES_192_CM_PRF uses AES-192, and AES_256_CM_PRF + uses AES-256. Both AES_192_CM_PRF and AES_256_CM_PRF use a 112-bit + salt as an input, as does the AES_CM PRF. + + For the convenience of the reader, the structure of the counter + blocks in SRTP counter mode key derivation is illustrated in + Figure 2, using the terminology from Section 4.3.3 of [RFC3711]. In + this diagram, the symbol (+) denotes the bitwise exclusive-or + operation, and the "AES Encrypt" operation uses AES-128, AES-192, or + AES-256 for the AES_CM PRF, AES_192_CM_PRF, and AES_256_CM_PRF, + + + +McGrew Standards Track [Page 4] + +RFC 6188 SRTP AES-192 and AES-256 March 2011 + + + respectively. The field "LB" contains the 8-bit constant "label", + which is provided as an input to the key derivation function (and + which is distinct for each type of key generated by that function). + The field labeled b_c contains a block counter, the value of which + increments once for each invocation of the "AES Encrypt" function. + The DIV operation is defined in Section 4.3.1 of [RFC3711] as + follows. Let "a DIV t" denote integer division of a by t, rounded + down, and with the convention that "a DIV 0 = 0" for all a. We also + make the convention of treating "a DIV t" as a bit string of the same + length as a, and thus "a DIV t" will, in general, have leading zeros. + + one octet + <--> + 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 + +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ + |00|00|00|00|00|00|00|LB| index DIV kdr | b_c |---+ + +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ | + | + +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ v + | master salt |00|00|->(+) + +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ | + | + v + +-------------+ + master key -> | AES encrypt | + +-------------+ + | + +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ | + | output block |<--+ + +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ + + Figure 2: The AES Counter Mode Key Derivation Function + +3.1. Usage Requirements + + When AES_192_CM is used for encryption, AES_192_CM_PRF SHOULD be used + as the key derivation function, and AES_128_CM_PRF MUST NOT be used + as the key derivation function. + + When AES_256_CM is used for encryption, AES_256_CM_PRF SHOULD be used + as the key derivation function. Both AES_128_CM_PRF and + AES_192_CM_PRF MUST NOT be used as the key derivation function. + + AES_256_CM_PRF MAY be used as the key derivation function when AES_CM + is used for encryption, and when AES_192_CM is used for encryption. + AES_192_CM_PRF MAY be used as the key derivation function when AES_CM + is used for encryption. + + + + +McGrew Standards Track [Page 5] + +RFC 6188 SRTP AES-192 and AES-256 March 2011 + + + Rationale: it is essential that the cryptographic strength of the + key derivation meets or exceeds that of the encryption method. It + is natural to use the same function for both encryption and key + derivation. However, it is not required to do so because it is + desirable to allow these ciphers to be used with alternative key + derivation functions that may be defined in the future. + +4. Crypto Suites + + This section defines SRTP crypto suites that use the ciphers and key + derivation functions defined in this document. The parameters in + these crypto suites are described in Section 8.2 of [RFC3711]. These + suites are registered with IANA for use with the SDP Security + Descriptions attributes (Section 10.3.2.1 of [RFC4568]). Other SRTP + key management methods that use the crypto functions defined in this + document are encouraged to also use these crypto suite definitions. + + Rationale: the crypto suites use the same authentication function + that is mandatory to implement in SRTP, HMAC-SHA1 with a 160-bit + key. HMAC-SHA1 would accept larger key sizes, but when it is used + with keys larger than 160 bits, it does not provide resistance to + cryptanalysis greater than that security level, because it has + only 160 bits of internal state. By retaining 160-bit + authentication keys, the crypto suites in this note have more + compatibility with existing crypto suites and implementations of + them. + + + + + + + + + + + + + + + + + + + + + + + + + +McGrew Standards Track [Page 6] + +RFC 6188 SRTP AES-192 and AES-256 March 2011 + + + +------------------------------+------------------------------------+ + | Parameter | Value | + +------------------------------+------------------------------------+ + | Master key length | 192 bits | + | Master salt length | 112 bits | + | Key Derivation Function | AES_192_CM_PRF (Section 3) | + | Default key lifetime | 2^31 packets | + | Cipher (for SRTP and SRTCP) | AES_192_CM (Section 2) | + | SRTP authentication function | HMAC-SHA1 (Section 4.2.1 of | + | | [RFC3711]) | + | SRTP authentication key | 160 bits | + | length | | + | SRTP authentication tag | 80 bits | + | length | | + | SRTCP authentication | HMAC-SHA1 (Section 4.2.1 of | + | function | [RFC3711]) | + | SRTCP authentication key | 160 bits | + | length | | + | SRTCP authentication tag | 80 bits | + | length | | + +------------------------------+------------------------------------+ + + Table 1: The AES_192_CM_HMAC_SHA1_80 Crypto Suite + + +------------------------------+------------------------------------+ + | Parameter | Value | + +------------------------------+------------------------------------+ + | Master key length | 192 bits | + | Master salt length | 112 bits | + | Key Derivation Function | AES_192_CM_PRF (Section 3) | + | Default key lifetime | 2^31 packets | + | Cipher (for SRTP and SRTCP) | AES_192_CM (Section 2) | + | SRTP authentication function | HMAC-SHA1 (Section 4.2.1 of | + | | [RFC3711]) | + | SRTP authentication key | 160 bits | + | length | | + | SRTP authentication tag | 32 bits | + | length | | + | SRTCP authentication | HMAC-SHA1 (Section 4.2.1 of | + | function | [RFC3711]) | + | SRTCP authentication key | 160 bits | + | length | | + | SRTCP authentication tag | 80 bits | + | length | | + +------------------------------+------------------------------------+ + + Table 2: The AES_192_CM_HMAC_SHA1_32 Crypto Suite + + + + +McGrew Standards Track [Page 7] + +RFC 6188 SRTP AES-192 and AES-256 March 2011 + + + +------------------------------+------------------------------------+ + | Parameter | Value | + +------------------------------+------------------------------------+ + | Master key length | 256 bits | + | Master salt length | 112 bits | + | Key Derivation Function | AES_256_CM_PRF (Section 3) | + | Default key lifetime | 2^31 packets | + | Cipher (for SRTP and SRTCP) | AES_256_CM (Section 2) | + | SRTP authentication function | HMAC-SHA1 (Section 4.2.1 of | + | | [RFC3711]) | + | SRTP authentication key | 160 bits | + | length | | + | SRTP authentication tag | 80 bits | + | length | | + | SRTCP authentication | HMAC-SHA1 (Section 4.2.1 of | + | function | [RFC3711]) | + | SRTCP authentication key | 160 bits | + | length | | + | SRTCP authentication tag | 80 bits | + | length | | + +------------------------------+------------------------------------+ + + Table 3: The AES_256_CM_HMAC_SHA1_80 Crypto Suite + + +------------------------------+------------------------------------+ + | Parameter | Value | + +------------------------------+------------------------------------+ + | Master key length | 256 bits | + | Master salt length | 112 bits | + | Key Derivation Function | AES_256_CM_PRF (Section 3) | + | Default key lifetime | 2^31 packets | + | Cipher (for SRTP and SRTCP) | AES_256_CM (Section 2) | + | SRTP authentication function | HMAC-SHA1 (Section 4.2.1 of | + | | [RFC3711]) | + | SRTP authentication key | 160 bits | + | length | | + | SRTP authentication tag | 32 bits | + | length | | + | SRTCP authentication | HMAC-SHA1 (Section 4.2.1 of | + | function | [RFC3711]) | + | SRTCP authentication key | 160 bits | + | length | | + | SRTCP authentication tag | 80 bits | + | length | | + +------------------------------+------------------------------------+ + + Table 4: The AES_256_CM_HMAC_SHA1_32 Crypto Suite + + + + +McGrew Standards Track [Page 8] + +RFC 6188 SRTP AES-192 and AES-256 March 2011 + + +5. IANA Considerations + + IANA has assigned the following parameters in the Session Description + Protocol (SDP) Security Descriptions registry. + + +-------------------------+-----------+ + | Crypto Suite Name | Reference | + +-------------------------+-----------+ + | AES_192_CM_HMAC_SHA1_80 | [RFC6188] | + | AES_192_CM_HMAC_SHA1_32 | [RFC6188] | + | AES_256_CM_HMAC_SHA1_80 | [RFC6188] | + | AES_256_CM_HMAC_SHA1_32 | [RFC6188] | + +-------------------------+-----------+ + +6. Security Considerations + + AES-128 provides a level of security that is widely regarded as being + more than sufficient for providing confidentiality. It is believed + that the economic cost of breaking AES-128 is significantly higher + than the cost of more direct approaches to violating system security, + e.g., theft, bribery, wiretapping, and other forms of malfeasance. + + Future advances in state-of-the art cryptanalysis could eliminate + this confidence in AES-128, and motivate the use of AES-192 or AES- + 256. AES-192 is regarded as being secure even against some + adversaries for which breaking AES-128 may be feasible. Similarly, + AES-256 is regarded as being secure even against some adversaries for + which it may be feasible to break AES-192. The availability of the + larger key size versions of AES provides a fallback plan in case of + unanticipated cryptanalytic results. + + It is conjectured that AES-256 provides adequate security even + against adversaries that possess the ability to construct a quantum + computer that works on 256 or more quantum bits. No such computer is + known to exist; its feasibility is an area of active speculation and + research. + + Despite the apparent sufficiency of AES-128, some users are + interested in the larger AES key sizes. For some applications, the + 40% increase in computational cost for AES-256 over AES-128 is a + worthwhile bargain when traded for the security advantages outlined + above. These applications include those with a perceived need for + very high security, e.g., due to a desire for very long-term + confidentiality. + + AES-256 (as it is used in this note) provides the highest level of + security, and it SHOULD be used whenever the highest possible + security is desired. AES-192 provides a middle ground between the + + + +McGrew Standards Track [Page 9] + +RFC 6188 SRTP AES-192 and AES-256 March 2011 + + + 128-bit and 256-bit versions of AES, and it MAY be used when security + higher than that of AES-128 is desired. In this note, AES-192 and + AES-256 are used with keys that are generated via a strong pseudo- + random source, and thus the related-key attacks that have been + described in the theoretical literature are not applicable. + + As with any cipher, the conjectured security level of AES may change + over time. The considerations in this section reflect the best + knowledge available at the time of publication of this document. + + It is desirable that AES_192_CM and AES_192_CM_PRF be used with an + authentication function that uses a 192-bit key, and that AES_256_CM + and AES_256_CM_PRF be used with an authentication function that uses + a 256-bit key. However, this desire is not regarded as security + critical. Cryptographic authentication is resilient against future + advances in cryptanalysis, since the opportunity for a forgery attack + against a session closes when that session closes. For this reason, + this note defines new ciphers, but not new authentication functions. + +7. Test Cases + + The test cases in this section are based on Appendix B of [RFC3711]. + +7.1. AES-256-CM Test Cases + + + Keystream segment length: 1044512 octets (65282 AES blocks) + Session Key: 57f82fe3613fd170a85ec93c40b1f092 + 2ec4cb0dc025b58272147cc438944a98 + Rollover Counter: 00000000 + Sequence Number: 0000 + SSRC: 00000000 + Session Salt: f0f1f2f3f4f5f6f7f8f9fafbfcfd0000 (already shifted) + Offset: f0f1f2f3f4f5f6f7f8f9fafbfcfd0000 + + Counter Keystream + + f0f1f2f3f4f5f6f7f8f9fafbfcfd0000 92bdd28a93c3f52511c677d08b5515a4 + f0f1f2f3f4f5f6f7f8f9fafbfcfd0001 9da71b2378a854f67050756ded165bac + f0f1f2f3f4f5f6f7f8f9fafbfcfd0002 63c4868b7096d88421b563b8c94c9a31 + ... ... + f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff cea518c90fd91ced9cbb18c078a54711 + f0f1f2f3f4f5f6f7f8f9fafbfcfdff00 3dbc4814f4da5f00a08772b63c6a046d + f0f1f2f3f4f5f6f7f8f9fafbfcfdff01 6eb246913062a16891433e97dd01a57f + + + + + + + +McGrew Standards Track [Page 10] + +RFC 6188 SRTP AES-192 and AES-256 March 2011 + + +7.2. AES_256_CM_PRF Test Cases + + This section provides test data for the AES_256_CM_PRF key derivation + function, which uses AES-256 in counter mode. In the following, we + walk through the initial key derivation for the AES-256 counter mode + cipher, which requires a 32-octet session encryption key and a 14- + octet session salt, and the HMAC-SHA1 authentication function, which + requires a 20-octet session authentication key. These values are + called the cipher key, the cipher salt, and the auth key in the + following. Since this is the initial key derivation and the key + derivation rate is equal to zero, the value of (index DIV + key_derivation_rate) is zero (actually, a six-octet string of zeros). + In the following, we shorten key_derivation_rate to kdr. + + The inputs to the key derivation function are the 32-octet master key + and the 14-octet master salt: + + master key: f0f04914b513f2763a1b1fa130f10e29 + 98f6f6e43e4309d1e622a0e332b9f1b6 + master salt: 3b04803de51ee7c96423ab5b78d2 + + We first show how the cipher key is generated. The input block for + AES-256-CM is generated by exclusive-oring the master salt with the + concatenation of the encryption key label 0x00 with (index DIV kdr), + then padding on the right with two null octets (which implements the + multiply-by-2^16 operation, see Section 4.3.3 of RFC 3711). The + resulting value is then AES-256-CM-encrypted using the master key to + get the cipher key. + + index DIV kdr: 000000000000 + label: 00 + master salt: 3b04803de51ee7c96423ab5b78d2 + ----------------------------------------------- + xor: 3b04803de51ee7c96423ab5b78d2 (x, PRF input) + + x*2^16: 3b04803de51ee7c96423ab5b78d20000 (AES-256-CM input) + x*2^16 + 1: 3b04803de51ee7c96423ab5b78d20001 (2nd AES input) + + cipher key: 5ba1064e30ec51613cad926c5a28ef73 (1st AES output) + 1ec7fb397f70a960653caf06554cd8c4 (2nd AES output) + + Next, we show how the cipher salt is generated. The input block for + AES-256-CM is generated by exclusive-oring the master salt with the + concatenation of the encryption salt label. That value is padded and + encrypted as above. + + + + + + +McGrew Standards Track [Page 11] + +RFC 6188 SRTP AES-192 and AES-256 March 2011 + + + index DIV kdr: 000000000000 + label: 02 + master salt: 3b04803de51ee7c96423ab5b78d2 + + ---------------------------------------------- + xor: 3b04803de51ee7cb6423ab5b78d2 (x, PRF input) + + x*2^16: 3b04803de51ee7cb6423ab5b78d20000 (AES-256-CM input) + + fa31791685ca444a9e07c6c64e93ae6b (AES-256 ouptut) + + cipher salt: fa31791685ca444a9e07c6c64e93 + + We now show how the auth key is generated. The input block for AES- + 256-CM is generated as above, but using the authentication key label. + + index DIV kdr: 000000000000 + label: 01 + master salt: 3b04803de51ee7c96423ab5b78d2 + ----------------------------------------------- + xor: 3b04803de51ee7c86423ab5b78d2 (x, PRF input) + + x*2^16: 3b04803de51ee7c86423ab5b78d20000 (AES-256-CM in) + + Below, the AES-256 output blocks that form the auth key are shown + on the left, while the corresponding AES-256 input blocks are shown + on the right. Note that the final AES-256 output is truncated to a + 4-byte length. The final auth key is shown below. + + auth key blocks AES-256 input blocks + fd9c32d39ed5fbb5a9dc96b30818454d 3b04803de51ee7c86423ab5b78d20000 + 1313dc05 3b04803de51ee7c86423ab5b78d20001 + + auth key: fd9c32d39ed5fbb5a9dc96b30818454d1313dc05 + + + + + + + + + + + + + + + + + +McGrew Standards Track [Page 12] + +RFC 6188 SRTP AES-192 and AES-256 March 2011 + + +7.3. AES-192-CM Test Cases + + Keystream segment length: 1044512 octets (65282 AES blocks) + Session Key: eab234764e517b2d3d160d587d8c8621 + 9740f65f99b6bcf7 + Rollover Counter: 00000000 + Sequence Number: 0000 + SSRC: 00000000 + Session Salt: f0f1f2f3f4f5f6f7f8f9fafbfcfd0000 (already shifted) + Offset: f0f1f2f3f4f5f6f7f8f9fafbfcfd0000 + + Counter Keystream + + f0f1f2f3f4f5f6f7f8f9fafbfcfd0000 35096cba4610028dc1b57503804ce37c + f0f1f2f3f4f5f6f7f8f9fafbfcfd0001 5de986291dcce161d5165ec4568f5c9a + f0f1f2f3f4f5f6f7f8f9fafbfcfd0002 474a40c77894bc17180202272a4c264d + ... ... + f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff d108d1a31a00bad6367ec23eb044b415 + f0f1f2f3f4f5f6f7f8f9fafbfcfdff00 c8f57129fdeb970b59f917b257662d4c + f0f1f2f3f4f5f6f7f8f9fafbfcfdff01 a5dab625811034e8cebdfeb6dc158dd3 + +7.4. AES_192_CM_PRF Test Cases + + This section provides test data for the AES_192_CM_PRF key derivation + function, which uses AES-192 in counter mode. In the following, we + walk through the initial key derivation for the AES-192 counter mode + cipher, which requires a 24-octet session encryption key and a 14- + octet session salt, and the HMAC-SHA1 authentication function, which + requires a 20-octet session authentication key. These values are + called the cipher key, the cipher salt, and the auth key in the + following. Since this is the initial key derivation and the key + derivation rate is equal to zero, the value of (index DIV + key_derivation_rate) is zero (actually, a six-octet string of zeros). + In the following, we shorten key_derivation_rate to kdr. + + The inputs to the key derivation function are the 24-octet master key + and the 14-octet master salt: + + master key: 73edc66c4fa15776fb57f9505c171365 + 50ffda71f3e8e5f1 + master salt: c8522f3acd4ce86d5add78edbb11 + + We first show how the cipher key is generated. The input block for + AES-192-CM is generated by exclusive-oring the master salt with the + concatenation of the encryption key label 0x00 with (index DIV kdr), + then padding on the right with two null octets (which implements the + + + + + +McGrew Standards Track [Page 13] + +RFC 6188 SRTP AES-192 and AES-256 March 2011 + + + multiply-by-2^16 operation, see Section 4.3.3 of RFC 3711). The + resulting value is then AES-192-CM encrypted using the master key to + get the cipher key. + + index DIV kdr: 000000000000 + label: 00 + master salt: c8522f3acd4ce86d5add78edbb11 + ----------------------------------------------- + xor: c8522f3acd4ce86d5add78edbb11 (x, PRF input) + + x*2^16: c8522f3acd4ce86d5add78edbb110000 (AES-192-CM input) + x*2^16 + 1: c8522f3acd4ce86d5add78edbb110001 (2nd AES input) + + cipher key: 31874736a8f1143870c26e4857d8a5b2 (1st AES output) + c4a354407faadabb (2nd AES output) + + Next, we show how the cipher salt is generated. The input block for + AES-192-CM is generated by exclusive-oring the master salt with the + concatenation of the encryption salt label. That value is padded and + encrypted as above. + + index DIV kdr: 000000000000 + label: 02 + master salt: c8522f3acd4ce86d5add78edbb11 + + ---------------------------------------------- + xor: c8522f3acd4ce86f5add78edbb11 (x, PRF input) + + x*2^16: c8522f3acd4ce86f5add78edbb110000 (AES-192-CM input) + + 2372b82d639b6d8503a47adc0a6c2590 (AES-192 ouptut) + + cipher salt: 2372b82d639b6d8503a47adc0a6c + + We now show how the auth key is generated. The input block for AES- + 192-CM is generated as above, but using the authentication key label. + + index DIV kdr: 000000000000 + label: 01 + master salt: c8522f3acd4ce86d5add78edbb11 + ----------------------------------------------- + xor: c8522f3acd4ce86c5add78edbb11 (x, PRF input) + + x*2^16: c8522f3acd4ce86c5add78edbb110000 (AES-192-CM in) + + + + + + + +McGrew Standards Track [Page 14] + +RFC 6188 SRTP AES-192 and AES-256 March 2011 + + + Below, the AES-192 output blocks that form the auth key are shown + on the left, while the corresponding AES-192 input blocks are shown + on the right. Note that the final AES-192 output is truncated to a + four-byte length. The final auth key is shown below. + + auth key blocks AES-192 input blocks + 355b10973cd95b9eacf4061c7e1a7151 c8522f3acd4ce86c5add78edbb110000 + e7cfbfcb c8522f3acd4ce86c5add78edbb110001 + + auth key: 355b10973cd95b9eacf4061c7e1a7151e7cfbfcb + +8. Acknowledgements + + Thanks are due to John Mattsson for verifying the test cases in the + document and providing comments, to Bob Bell for feedback and + encouragement, and to Richard Barnes and Hilarie Orman for + constructive review. + +9. References + +9.1. Normative References + + [FIPS197] "The Advanced Encryption Standard (AES)", FIPS-197 Federal + Information Processing Standard. + + [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate + Requirement Levels", BCP 14, RFC 2119, March 1997. + + [RFC3550] Schulzrinne, H., Casner, S., Frederick, R., and V. + Jacobson, "RTP: A Transport Protocol for Real-Time + Applications", STD 64, RFC 3550, July 2003. + + [RFC3711] Baugher, M., McGrew, D., Naslund, M., Carrara, E., and K. + Norrman, "The Secure Real-time Transport Protocol (SRTP)", + RFC 3711, March 2004. + + [RFC4568] Andreasen, F., Baugher, M., and D. Wing, "Session + Description Protocol (SDP) Security Descriptions for Media + Streams", RFC 4568, July 2006. + +9.2. Informative References + + [suiteB] "Suite B Cryptography", http://www.nsa.gov/ia/programs/ + suiteb_cryptography/index.shtml. + + + + + + + +McGrew Standards Track [Page 15] + +RFC 6188 SRTP AES-192 and AES-256 March 2011 + + +Author's Address + + David A. McGrew + Cisco Systems, Inc. + 510 McCarthy Blvd. + Milpitas, CA 95035 + US + + Phone: (408) 525 8651 + EMail: mcgrew@cisco.com + URI: http://www.mindspring.com/~dmcgrew/dam.htm + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +McGrew Standards Track [Page 16] + -- cgit v1.2.3