From 4bfd864f10b68b71482b35c818559068ef8d5797 Mon Sep 17 00:00:00 2001
From: Thomas Voss <mail@thomasvoss.com>
Date: Wed, 27 Nov 2024 20:54:24 +0100
Subject: doc: Add RFC documents

---
 doc/rfc/rfc6904.txt | 843 ++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 843 insertions(+)
 create mode 100644 doc/rfc/rfc6904.txt

(limited to 'doc/rfc/rfc6904.txt')

diff --git a/doc/rfc/rfc6904.txt b/doc/rfc/rfc6904.txt
new file mode 100644
index 0000000..4c30a4f
--- /dev/null
+++ b/doc/rfc/rfc6904.txt
@@ -0,0 +1,843 @@
+
+
+
+
+
+
+Internet Engineering Task Force (IETF)                         J. Lennox
+Request for Comments: 6904                                         Vidyo
+Updates: 3711                                                 April 2013
+Category: Standards Track
+ISSN: 2070-1721
+
+
+                    Encryption of Header Extensions
+           in the Secure Real-time Transport Protocol (SRTP)
+
+Abstract
+
+   The Secure Real-time Transport Protocol (SRTP) provides
+   authentication, but not encryption, of the headers of Real-time
+   Transport Protocol (RTP) packets.  However, RTP header extensions may
+   carry sensitive information for which participants in multimedia
+   sessions want confidentiality.  This document provides a mechanism,
+   extending the mechanisms of SRTP, to selectively encrypt RTP header
+   extensions in SRTP.
+
+   This document updates RFC 3711, the Secure Real-time Transport
+   Protocol specification, to require that all future SRTP encryption
+   transforms specify how RTP header extensions are to be encrypted.
+
+Status of This Memo
+
+   This is an Internet Standards Track document.
+
+   This document is a product of the Internet Engineering Task Force
+   (IETF).  It represents the consensus of the IETF community.  It has
+   received public review and has been approved for publication by the
+   Internet Engineering Steering Group (IESG).  Further information on
+   Internet Standards is available in Section 2 of RFC 5741.
+
+   Information about the current status of this document, any errata,
+   and how to provide feedback on it may be obtained at
+   http://www.rfc-editor.org/info/rfc6904.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Lennox                       Standards Track                    [Page 1]
+
+RFC 6904            Encrypted SRTP Header Extensions          April 2013
+
+
+Copyright Notice
+
+   Copyright (c) 2013 IETF Trust and the persons identified as the
+   document authors.  All rights reserved.
+
+   This document is subject to BCP 78 and the IETF Trust's Legal
+   Provisions Relating to IETF Documents
+   (http://trustee.ietf.org/license-info) in effect on the date of
+   publication of this document.  Please review these documents
+   carefully, as they describe your rights and restrictions with respect
+   to this document.  Code Components extracted from this document must
+   include Simplified BSD License text as described in Section 4.e of
+   the Trust Legal Provisions and are provided without warranty as
+   described in the Simplified BSD License.
+
+Table of Contents
+
+   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   3
+   2.  Terminology . . . . . . . . . . . . . . . . . . . . . . . . .   4
+   3.  Encryption Mechanism  . . . . . . . . . . . . . . . . . . . .   4
+     3.1.  Example Encryption Mask . . . . . . . . . . . . . . . . .   6
+     3.2.  Header Extension Keystream Generation for Existing
+           Encryption Transforms . . . . . . . . . . . . . . . . . .   7
+     3.3.  Header Extension Keystream Generation for Future
+           Encryption Transforms . . . . . . . . . . . . . . . . . .   8
+   4.  Signaling (Setup) Information . . . . . . . . . . . . . . . .   8
+     4.1.  Backward Compatibility  . . . . . . . . . . . . . . . . .   9
+   5.  Security Considerations . . . . . . . . . . . . . . . . . . .  10
+   6.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .  11
+   7.  Acknowledgments . . . . . . . . . . . . . . . . . . . . . . .  11
+   8.  References  . . . . . . . . . . . . . . . . . . . . . . . . .  11
+     8.1.  Normative References  . . . . . . . . . . . . . . . . . .  11
+     8.2.  Informative References  . . . . . . . . . . . . . . . . .  12
+   Appendix A.  Test Vectors . . . . . . . . . . . . . . . . . . . .  13
+     A.1.  Key Derivation Test Vectors . . . . . . . . . . . . . . .  13
+     A.2.  Header Encryption Test Vectors Using AES-CM . . . . . . .  14
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Lennox                       Standards Track                    [Page 2]
+
+RFC 6904            Encrypted SRTP Header Extensions          April 2013
+
+
+1.  Introduction
+
+   The Secure Real-time Transport Protocol [RFC3711] specification
+   provides confidentiality, message authentication, and replay
+   protection for multimedia payloads sent using the Real-time Protocol
+   (RTP) [RFC3550].  However, in order to preserve RTP header
+   compression efficiency, SRTP provides only authentication and replay
+   protection for the headers of RTP packets, not confidentiality.
+
+   For the standard portions of an RTP header, providing only
+   authentication and replay protection does not normally present a
+   problem, as the information carried in an RTP header does not provide
+   much information beyond that which an attacker could infer by
+   observing the size and timing of RTP packets.  Thus, there is little
+   need for confidentiality of the header information.
+
+   However, the security requirements can be different for information
+   carried in RTP header extensions.  A number of recent proposals for
+   header extensions using the mechanism described in "A General
+   Mechanism for RTP Header Extensions" [RFC5285] carry information for
+   which confidentiality could be desired or essential.  Notably, two
+   recent specifications ([RFC6464] and [RFC6465]) contain information
+   about per-packet sound levels of the media data carried in the RTP
+   payload and specify that exposing this information to an eavesdropper
+   is unacceptable in many circumstances (as described in the Security
+   Considerations sections of those RFCs).
+
+   This document, therefore, defines a mechanism by which encryption can
+   be applied to RTP header extensions when they are transported using
+   SRTP.  As an RTP sender may wish some extension information to be
+   sent in the clear (for example, it may be useful for a network
+   monitoring device to be aware of RTP transmission time offsets
+   [RFC5450]), this mechanism can be selectively applied to a subset of
+   the header extension elements carried in an SRTP packet.
+
+   The mechanism defined by this document encrypts packets' header
+   extensions using the same cryptographic algorithms and parameters as
+   are used to encrypt the packets' RTP payloads.  This document defines
+   how this is done for the encryption transforms defined in [RFC3711],
+   [RFC5669], and [RFC6188], which are the SRTP encryption transforms
+   defined by Standards Track RFCs at the time of this writing.  It also
+   updates [RFC3711] to indicate that specifications of future SRTP
+   encryption transforms must define how header extension encryption is
+   to be performed.
+
+
+
+
+
+
+
+Lennox                       Standards Track                    [Page 3]
+
+RFC 6904            Encrypted SRTP Header Extensions          April 2013
+
+
+2.  Terminology
+
+   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
+   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
+   document are to be interpreted as described in RFC 2119 [RFC2119] and
+   indicate requirement levels for compliant implementations.
+
+3.  Encryption Mechanism
+
+   Encrypted header extension elements are carried in the same manner as
+   non-encrypted header extension elements, as defined by [RFC5285].
+   The one- or two-byte header of the extension elements is not
+   encrypted, nor is any of the header extension padding.  If multiple
+   different header extension elements are being encrypted, they have
+   separate element identifier values, just as they would if they were
+   not encrypted.  Similarly, encrypted and non-encrypted header
+   extension elements have separate identifier values.
+
+   Encrypted header extension elements are carried only in packets
+   encrypted using the Secure Real-time Transport Protocol [RFC3711].
+   To encrypt (or decrypt) encrypted header extension elements, an SRTP
+   participant first uses the SRTP key derivation algorithm, specified
+   in Section 4.3.1 of [RFC3711], to generate header encryption and
+   header salting keys, using the same pseudorandom function family as
+   is used for the key derivation for the SRTP session.  These keys are
+   derived as follows:
+
+   o  k_he (SRTP header encryption): <label> = 0x06, n=n_e.
+
+   o  k_hs (SRTP header salting key): <label> = 0x07, n=n_s.
+
+   where n_e and n_s are from the cryptographic context: the same size
+   encryption key and salting key are used as are used for the SRTP
+   payload.  Additionally, the same master key, master salt, index, and
+   key_derivation_rate are used as for the SRTP payload.  (Note that
+   since RTP headers, including header extensions, are authenticated in
+   SRTP, no new authentication key is needed for header extensions.)
+
+   A header extension keystream is generated for each packet containing
+   encrypted header extension elements.  The details of how this header
+   extension keystream is generated depend on the encryption transform
+   that is used for the SRTP packet.  For encryption transforms that
+   have been standardized as of the date of publication of this
+   document, see Section 3.2; for requirements for new transforms, see
+   Section 3.3.
+
+
+
+
+
+
+Lennox                       Standards Track                    [Page 4]
+
+RFC 6904            Encrypted SRTP Header Extensions          April 2013
+
+
+   After the header extension keystream is generated, the SRTP
+   participant then computes an encryption mask for the header
+   extension, identifying the portions of the header extension that are,
+   or are to be, encrypted.  (For an example of this procedure, see
+   Section 3.1.)  This encryption mask corresponds to the entire
+   payload of each header extension element that is encrypted.  It does
+   not include any non-encrypted header extension elements, any
+   extension element headers, or any padding octets.  The encryption
+   mask has all-bits-1 octets (i.e., hexadecimal 0xff) for header
+   extension octets that are to be encrypted and all-bits-0 octets for
+   header extension octets that are not to be encrypted.  The set of
+   extension elements to be encrypted is communicated between the sender
+   and the receiver using the signaling mechanisms described in
+   Section 4.
+
+   This encryption mask is computed separately for every packet that
+   carries a header extension.  Based on the non-encrypted portions of
+   the headers and the signaled list of encrypted extension elements, a
+   receiver can always determine the correct encryption mask for any
+   encrypted header extension.
+
+   The SRTP participant bitwise-ANDs the encryption mask with the
+   keystream to produce a masked keystream.  It then bitwise
+   exclusive-ORs the header extension with this masked keystream to
+   produce the ciphertext version of the header extension.  (Thus,
+   octets indicated as all-bits-1 in the encrypted mask are encrypted,
+   whereas those indicated as all-bits-0 are not.)
+
+   The header extension encryption process does not include the "defined
+   by profile" or "length" fields of the header extension, only the
+   field that Section 5.3.1 of [RFC3550] calls "header extension"
+   proper, starting with the first [RFC5285] ID and length.  Thus, both
+   the encryption mask and the keystream begin at this point.
+
+   This header extension encryption process could, equivalently, be
+   computed by considering the encryption mask as a mixture of the
+   encrypted and unencrypted headers, i.e., as
+
+       EncryptedHeader = (Encrypt(Key, Plaintext) AND MASK) OR
+                         (Plaintext AND (NOT MASK))
+
+   where Encrypt is the encryption function, MASK is the encryption
+   mask, and AND, OR, and NOT are bitwise operations.  This formulation
+   of the encryption process might be preferred by implementations for
+   which encryption is performed by a separate module and cannot be
+   modified easily.
+
+
+
+
+
+Lennox                       Standards Track                    [Page 5]
+
+RFC 6904            Encrypted SRTP Header Extensions          April 2013
+
+
+   The SRTP authentication tag is computed across the encrypted header
+   extension, i.e., the data that is actually transmitted on the wire.
+   Thus, header extension encryption MUST be done before the
+   authentication tag is computed, and authentication tag validation
+   MUST be done on the encrypted header extensions.  For receivers,
+   header extension decryption SHOULD be done only after the receiver
+   has validated the packet's message authentication tag, and the
+   receiver MUST NOT take any actions based on decrypted headers, prior
+   to validating the authentication tag, that could affect the security
+   or proper functioning of the system.
+
+3.1.  Example Encryption Mask
+
+   If a sender wished to send a header extension containing an encrypted
+   SMPTE timecode [RFC5484] with ID 1, a plaintext transmission time
+   offset [RFC5450] with ID 2, an encrypted audio level indication
+   [RFC6464] with ID 3, and an encrypted NTP timestamp [RFC6051] with ID
+   4, the plaintext RTP header extension might look like this:
+
+    0                   1                   2                   3
+    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+   |  ID=1 | len=7 |     SMTPE timecode (long form)                |
+   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+   |       SMTPE timecode (continued)                              |
+   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+   | SMTPE (cont'd)|  ID=2 | len=2 | toffset                       |
+   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+   | toffset (ct'd)|  ID=3 | len=0 | audio level   |  ID=4 | len=6 |
+   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+   |       NTP timestamp (Variant B)                               |
+   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+   |       NTP timestamp (Variant B, cont'd)       | padding = 0   |
+   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+         Figure 1: Structure of Plaintext Example Header Extension
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Lennox                       Standards Track                    [Page 6]
+
+RFC 6904            Encrypted SRTP Header Extensions          April 2013
+
+
+   The corresponding encryption mask would then be:
+
+    0                   1                   2                   3
+    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+   |0 0 0 0 0 0 0 0|1 1 1 1 1 1 1 1|1 1 1 1 1 1 1 1|1 1 1 1 1 1 1 1|
+   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+   |1 1 1 1 1 1 1 1|1 1 1 1 1 1 1 1|1 1 1 1 1 1 1 1|1 1 1 1 1 1 1 1|
+   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+   |1 1 1 1 1 1 1 1|0 0 0 0 0 0 0 0|0 0 0 0 0 0 0 0|0 0 0 0 0 0 0 0|
+   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+   |0 0 0 0 0 0 0 0|0 0 0 0 0 0 0 0|1 1 1 1 1 1 1 1|0 0 0 0 0 0 0 0|
+   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+   |1 1 1 1 1 1 1 1|1 1 1 1 1 1 1 1|1 1 1 1 1 1 1 1|1 1 1 1 1 1 1 1|
+   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+   |1 1 1 1 1 1 1 1|1 1 1 1 1 1 1 1|1 1 1 1 1 1 1 1|0 0 0 0 0 0 0 0|
+   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+          Figure 2: Encryption Mask for Example Header Extension
+
+   In the mask, the octets corresponding to the payloads of the
+   encrypted header extension elements are set to all-1 values, and the
+   octets corresponding to non-encrypted header extension elements,
+   element headers, and header extension padding are set to all-zero
+   values.
+
+3.2.  Header Extension Keystream Generation for Existing Encryption
+      Transforms
+
+   For the AES-CM and AES-f8 transforms [RFC3711], the SEED-CTR
+   transform [RFC5669], and the AES_192_CM and AES_256_CM transforms
+   [RFC6188], the header extension keystream SHALL be generated for each
+   packet containing encrypted header extension elements using the same
+   encryption transform and Initialization Vector (IV) as are used for
+   that packet's SRTP payload, except that the SRTP encryption and
+   salting keys k_e and k_s are replaced by the SRTP header encryption
+   and header salting keys k_he and k_hs, respectively, as defined
+   above.
+
+   For the SEED-CCM and SEED-GCM transforms [RFC5669], the header
+   extension keystream SHALL be generated using the algorithm specified
+   above for the SEED-CTR algorithm.  (Because the Authenticated
+   Encryption with Associated Data (AEAD) transform used on the payload
+   in these algorithms includes the RTP header, including the RTP header
+   extension, in its Associated Authenticated Data (AAD), counter-mode
+   encryption for the header extension is believed to be of equivalent
+   cryptographic strength to the CCM and GCM transforms.)
+
+
+
+
+Lennox                       Standards Track                    [Page 7]
+
+RFC 6904            Encrypted SRTP Header Extensions          April 2013
+
+
+   For the NULL encryption transform [RFC3711], the header extension
+   keystream SHALL be all-zero.
+
+3.3.  Header Extension Keystream Generation for Future Encryption
+      Transforms
+
+   When new SRTP encryption transforms are defined, this document
+   updates [RFC3711] as follows: in addition to the rules specified in
+   Section 6 of RFC 3711, the Standards Track RFC defining the new
+   transform MUST specify how the encryption transform is to be used
+   with header extension encryption.
+
+   It is RECOMMENDED that new transformations follow the same mechanisms
+   as are defined in Section 3.2 of this document if they are applicable
+   and are believed to be cryptographically adequate for the transform
+   in question.
+
+4.  Signaling (Setup) Information
+
+   Encrypted header extension elements are signaled in the Session
+   Description Protocol (SDP) extmap attribute using the URI
+   "urn:ietf:params:rtp-hdrext:encrypt" followed by the URI of the
+   header extension element being encrypted, as well as any
+   extensionattributes that extension normally takes.  Figure 3 gives a
+   formal Augmented Backus-Naur Form (ABNF) [RFC5234] showing this
+   grammar extension, extending the grammar defined in [RFC5285].
+
+   enc-extensionname = %x75.72.6e.3a.69.65.74.66.3a.70.61.72.61.6d.73.3a
+       %x72.74.70.2d.68.64.72.65.78.74.3a.65.6e.63.72.79.70.74
+       ; "urn:ietf:params:rtp-hdrext:encrypt" in lower case
+
+   extmap =/ mapentry SP enc-extensionname SP extensionname
+       [SP extensionattributes]
+
+   ; extmap, mapentry, extensionname, and extensionattributes
+   ; are defined in [RFC5285]
+
+                 Figure 3: Syntax of the "encrypt" extmap
+
+   Thus, for example, to signal an SRTP session using encrypted SMPTE
+   timecodes [RFC5484], while simultaneously signaling plaintext
+   transmission time offsets [RFC5450], an SDP document could contain
+   the text shown in Figure 4 (line breaks have been added for
+   formatting).
+
+
+
+
+
+
+
+Lennox                       Standards Track                    [Page 8]
+
+RFC 6904            Encrypted SRTP Header Extensions          April 2013
+
+
+   m=audio 49170 RTP/SAVP 0
+   a=crypto:1 AES_CM_128_HMAC_SHA1_32 \
+     inline:NzB4d1BINUAvLEw6UzF3WSJ+PSdFcGdUJShpX1Zj|2^20|1:32
+   a=extmap:1 urn:ietf:params:rtp-hdrext:encrypt \
+       urn:ietf:params:rtp-hdrext:smpte-tc 25@600/24
+   a=extmap:2 urn:ietf:params:rtp-hdrext:toffset
+
+         Figure 4: Sample SDP Document Offering Encrypted Headers
+
+   This example uses SDP security descriptions [RFC4568] for SRTP
+   keying, but this is merely for illustration.  Any SRTP keying
+   mechanism to establish session keys will work.
+
+   The extmap SDP attribute is defined in [RFC5285] as being either a
+   session or media attribute.  If the extmap for an encrypted header
+   extension is specified as a media attribute, it MUST be specified
+   only for media that use SRTP-based RTP profiles.  If such an extmap
+   is specified as a session attribute, there MUST be at least one media
+   in the SDP session that uses an SRTP-based RTP profile.  The session-
+   level extmap applies to all the SRTP-based media in the session and
+   MUST be ignored for all other (non-SRTP or non-RTP) media.
+
+   The "urn:ietf:params:rtp-hdrext:encrypt" extension MUST NOT be
+   recursively applied to itself.
+
+4.1.  Backward Compatibility
+
+   Following the procedures in [RFC5285], an SDP endpoint that does not
+   understand the "urn:ietf:params:rtp-hdrext:encrypt" extension URI
+   will ignore the extension and, for SDP offer/answer, will negotiate
+   not to use it.
+
+   For backward compatibility with endpoints that do not implement this
+   specification, in a negotiated session (whether using offer/answer or
+   some other means), best-effort encryption of a header extension
+   element is possible: an endpoint MAY offer the same header extension
+   element both encrypted and unencrypted.  An offerer MUST offer only
+   best-effort negotiation when lack of confidentiality would be
+   acceptable in the backward-compatible case.  Answerers (or equivalent
+   peers in a negotiation) that understand header extension encryption
+   SHOULD choose the encrypted form of the offered header extension
+   element and mark the unencrypted form "inactive", unless they have an
+   explicit reason to prefer the unencrypted form.  In all cases,
+   answerers MUST NOT negotiate the use of, and senders MUST NOT send,
+   both encrypted and unencrypted forms of the same header extension.
+
+
+
+
+
+
+Lennox                       Standards Track                    [Page 9]
+
+RFC 6904            Encrypted SRTP Header Extensions          April 2013
+
+
+   Note that, as always, users of best-effort encryption MUST be
+   cautious of bid-down attacks, where a man-in-the-middle attacker
+   removes a higher-security option, forcing endpoints to negotiate a
+   lower-security one.  Appropriate countermeasures depend on the
+   signaling protocol in use, but users can ensure, for example, that
+   signaling is integrity-protected.
+
+5.  Security Considerations
+
+   The security properties of header extension elements protected by the
+   mechanism in this document are equivalent to those for SRTP payloads.
+
+   The mechanism defined in this document does not provide
+   confidentiality about which header extension elements are used for a
+   given SRTP packet, only for the content of those header extension
+   elements.  This appears to be in the spirit of SRTP itself, which
+   does not encrypt RTP headers.  If this is a concern, an alternate
+   mechanism would be needed to provide confidentiality.
+
+   For the two-byte-header form of header extension elements (0x100N,
+   where "N" is the appbits field), this mechanism does not provide any
+   protection to zero-length header extension elements (for which their
+   presence or absence is the only information they carry).  It also
+   does not provide any protection for the appbits (field 256, the
+   lowest four bits of the "defined by profile" field) of the two-byte
+   headers.  Neither of these features is present in the one-byte-header
+   form of header extension elements (0xBEDE), so these limitations do
+   not apply in that case.
+
+   This mechanism cannot protect RTP header extensions that do not use
+   the mechanism defined in [RFC5285].
+
+   This document does not specify the circumstances in which extension
+   header encryption should be used.  Documents defining specific header
+   extension elements should provide guidance on when encryption is
+   appropriate for these elements.
+
+   If a middlebox does not have access to the SRTP authentication keys,
+   it has no way to verify the authenticity of unencrypted RTP header
+   extension elements (or the unencrypted RTP header), even though it
+   can monitor them.  Therefore, such middleboxes MUST treat such
+   headers as untrusted and potentially generated by an attacker, in the
+   same way as they treat unauthenticated traffic.  (This does not mean
+   that middleboxes cannot view and interpret such traffic, of course,
+   only that appropriate skepticism needs to be maintained about the
+   results of such interpretation.)
+
+
+
+
+
+Lennox                       Standards Track                   [Page 10]
+
+RFC 6904            Encrypted SRTP Header Extensions          April 2013
+
+
+   There is no mechanism defined to protect header extensions with
+   different algorithms or encryption keys than are used to protect the
+   RTP payloads.  In particular, it is not possible to provide
+   confidentiality for a header extension while leaving the payload in
+   cleartext.
+
+   The dangers of using weak or NULL authentication with SRTP, described
+   in Section 9.5 of [RFC3711], apply to encrypted header extensions as
+   well.  In particular, since some header extension elements will have
+   some easily guessed plaintext bits, strong authentication is REQUIRED
+   if an attacker setting such bits could have a meaningful effect on
+   the behavior of the system.
+
+   The technique defined in this document can be applied only to
+   encryption transforms that work by generating a pseudorandom
+   keystream and bitwise exclusive-ORing it with the plaintext, such as
+   CTR or f8.  It will not work with ECB, CBC, or any other encryption
+   method that does not use a keystream.
+
+6.  IANA Considerations
+
+   This document defines a new extension URI to the RTP Compact Header
+   Extensions subregistry of the Real-Time Transport Protocol (RTP)
+   Parameters registry, according to the following data:
+
+      Extension URI:  urn:ietf:params:rtp-hdrext:encrypt
+      Description:    Encrypted header extension element
+      Contact:        jonathan@vidyo.com
+      Reference:      RFC 6904
+
+7.  Acknowledgments
+
+   Thanks to Benoit Claise, Roni Even, Stephen Farrell, Kevin Igoe, Joel
+   Jaeggli, David McGrew, David Singer, Robert Sparks, Magnus
+   Westerlund, Qin Wu, and Felix Wyss for their comments and suggestions
+   in the development of this specification.
+
+8.  References
+
+8.1.  Normative References
+
+   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
+              Requirement Levels", BCP 14, RFC 2119, March 1997.
+
+   [RFC3550]  Schulzrinne, H., Casner, S., Frederick, R., and V.
+              Jacobson, "RTP: A Transport Protocol for Real-Time
+              Applications", STD 64, RFC 3550, July 2003.
+
+
+
+
+Lennox                       Standards Track                   [Page 11]
+
+RFC 6904            Encrypted SRTP Header Extensions          April 2013
+
+
+   [RFC3711]  Baugher, M., McGrew, D., Naslund, M., Carrara, E., and K.
+              Norrman, "The Secure Real-time Transport Protocol (SRTP)",
+              RFC 3711, March 2004.
+
+   [RFC5234]  Crocker, D. and P. Overell, "Augmented BNF for Syntax
+              Specifications: ABNF", STD 68, RFC 5234, January 2008.
+
+   [RFC5285]  Singer, D. and H. Desineni, "A General Mechanism for RTP
+              Header Extensions", RFC 5285, July 2008.
+
+   [RFC5669]  Yoon, S., Kim, J., Park, H., Jeong, H., and Y. Won, "The
+              SEED Cipher Algorithm and Its Use with the Secure Real-
+              Time Transport Protocol (SRTP)", RFC 5669, August 2010.
+
+   [RFC6188]  McGrew, D., "The Use of AES-192 and AES-256 in Secure
+              RTP", RFC 6188, March 2011.
+
+8.2.  Informative References
+
+   [RFC4568]  Andreasen, F., Baugher, M., and D. Wing, "Session
+              Description Protocol (SDP) Security Descriptions for Media
+              Streams", RFC 4568, July 2006.
+
+   [RFC5450]  Singer, D. and H. Desineni, "Transmission Time Offsets in
+              RTP Streams", RFC 5450, March 2009.
+
+   [RFC5484]  Singer, D., "Associating Time-Codes with RTP Streams", RFC
+              5484, March 2009.
+
+   [RFC6051]  Perkins, C. and T. Schierl, "Rapid Synchronisation of RTP
+              Flows", RFC 6051, November 2010.
+
+   [RFC6464]  Lennox, J., Ivov, E., and E. Marocco, "A Real-time
+              Transport Protocol (RTP) Header Extension for Client-to-
+              Mixer Audio Level Indication", RFC 6464, December 2011.
+
+   [RFC6465]  Ivov, E., Marocco, E., and J. Lennox, "A Real-time
+              Transport Protocol (RTP) Header Extension for Mixer-to-
+              Client Audio Level Indication", RFC 6465, December 2011.
+
+
+
+
+
+
+
+
+
+
+
+
+Lennox                       Standards Track                   [Page 12]
+
+RFC 6904            Encrypted SRTP Header Extensions          April 2013
+
+
+Appendix A.  Test Vectors
+
+A.1.  Key Derivation Test Vectors
+
+   This section provides test data for the header extension key
+   derivation function, using AES-128 in Counter Mode.  (The algorithms
+   and keys used are the same as those for the test vectors in Appendix
+   B.3 of [RFC3711].)
+
+   The inputs to the key derivation function are the 16-octet master key
+   and the 14-octet master salt:
+
+      master key: E1F97A0D3E018BE0D64FA32C06DE4139
+
+      master salt: 0EC675AD498AFEEBB6960B3AABE6
+
+   Following [RFC3711], the input block for AES-CM is generated by
+   exclusive-ORing the master salt with the concatenation of the
+   encryption key label 0x06 with (index DIV kdr), then padding on the
+   right with two null octets, which implements the multiply-by-2^16
+   operation (see Section 4.3.3 of [RFC3711]).  The resulting value is
+   then AES-CM-encrypted using the master key to get the cipher key.
+
+     index DIV kdr:                    000000000000
+     label:                          06
+     master salt:      0EC675AD498AFEEBB6960B3AABE6
+     --------------------------------------------------
+     XOR:              0EC675AD498AFEEDB6960B3AABE6     (x, PRF input)
+
+     x*2^16:           0EC675AD498AFEEDB6960B3AABE60000 (AES-CM input)
+
+     hdr. cipher key:  549752054D6FB708622C4A2E596A1B93 (AES-CM output)
+
+
+   Next, we show how the cipher salt is generated.  The input block for
+   AES-CM is generated by exclusive-ORing the master salt with the
+   concatenation of the encryption salt label.  That value is padded and
+   encrypted as above.
+
+
+
+
+
+
+
+
+
+
+
+
+
+Lennox                       Standards Track                   [Page 13]
+
+RFC 6904            Encrypted SRTP Header Extensions          April 2013
+
+
+     index DIV kdr:                    000000000000
+     label:                          07
+     master salt:      0EC675AD498AFEEBB6960B3AABE6
+
+     --------------------------------------------------
+     XOR:              0EC675AD498AFEECB6960B3AABE6     (x, PRF input)
+
+     x*2^16:           0EC675AD498AFEECB6960B3AABE60000 (AES-CM input)
+
+                       AB01818174C40D39A3781F7C2D270733 (AES-CM ouptut)
+
+     hdr. cipher salt: AB01818174C40D39A3781F7C2D27
+
+A.2.  Header Encryption Test Vectors Using AES-CM
+
+   This section provides test vectors for the encryption of a header
+   extension using the AES_CM cryptographic transform.
+
+   The header extension is encrypted using the header cipher key and
+   header cipher salt computed in Appendix A.1.  The header extension is
+   carried in an SRTP-encrypted RTP packet with SSRC 0xCAFEBABE,
+   sequence number 0x1234, and an all-zero rollover counter.
+
+       Session Key:      549752054D6FB708622C4A2E596A1B93
+       Session Salt:     AB01818174C40D39A3781F7C2D27
+
+       SSRC:                     CAFEBABE
+       Rollover Counter:                 00000000
+       Sequence Number:                          1234
+       ----------------------------------------------
+       Init. Counter:    AB018181BE3AB787A3781F7C3F130000
+
+   The SRTP session was negotiated to indicate that header extension ID
+   values 1, 3, and 4 are encrypted.
+
+   In hexadecimal, the header extension being encrypted is as follows
+   (spaces have been added to show the internal structure of the header
+   extension):
+
+     17 414273A475262748 22 0000C8 30 8E 46 55996386B395FB 00
+
+   This header extension is 24 bytes long.  (Its values are intended to
+   represent plausible values of the header extension elements shown in
+   Section 3.1, but their specific meaning is not important for the
+   example.)  The header extension "defined by profile" and "length"
+   fields, which in this case are BEDE 0006 in hexadecimal, are not
+   included in the encryption process.
+
+
+
+
+Lennox                       Standards Track                   [Page 14]
+
+RFC 6904            Encrypted SRTP Header Extensions          April 2013
+
+
+   In hexadecimal, the corresponding encryption mask selecting the
+   bodies of header extensions 1, 2, and 4 (corresponding to the mask in
+   Figure 2) is:
+
+      00 FFFFFFFFFFFFFFFF 00 000000 00 FF 00 FFFFFFFFFFFFFF 00
+
+   Finally, we compute the keystream from the session key and the
+   initial counter, apply the mask to the keystream, and then exclusive-
+   OR the keystream with the plaintext:
+
+       Initial keystream:  1E19C8E1D481C779549ED1617AAA1B7A
+                           FC0D933AE7ED6CC8
+       Mask (hex):         00FFFFFFFFFFFFFFFF0000000000FF00
+                           FFFFFFFFFFFFFF00
+       Masked keystream:   0019C8E1D481C7795400000000001B00
+                           FC0D933AE7ED6C00
+       Plaintext:          17414273A475262748220000C8308E46
+                           55996386B395FB00
+       Ciphertext:         17588A9270F4E15E1C220000C8309546
+                           A994F0BC54789700
+
+Author's Address
+
+   Jonathan Lennox
+   Vidyo, Inc.
+   433 Hackensack Avenue
+   Seventh Floor
+   Hackensack, NJ  07601
+   US
+
+   EMail: jonathan@vidyo.com
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Lennox                       Standards Track                   [Page 15]
+
-- 
cgit v1.2.3