Re: [AVTCORE] I-D Action: draft-ietf-avtcore-aria-srtp-03.txt

Woo-Hwan Kim <whkim5@ensec.re.kr> Fri, 23 August 2013 05:33 UTC

From: Woo-Hwan Kim <whkim5@ensec.re.kr>
To: avt@ietf.org, Magnus Westerlund <magnus.westerlund@ericsson.com>
Cc: draft-ietf-avtcore-aria-srtp@tools.ietf.org
Subject: Re: [AVTCORE] I-D Action: draft-ietf-avtcore-aria-srtp-03.txt

1. I agree with your comment and I'll divide the table into two tables, one
for 'Mapping MIKEY parameters to ARIA-CTR with HMAC algorithm' and
the other for 'Mapping MIKEY parameters to AEAD algorithm'.

2. As you commented, the encrypted payload should contain the tag in AEAD.
I'll revise the draft soon.

Thank you for your effort and time.

Sincerely,
Woo-Hwan Kim

----- Original Message -----
From: "Magnus Westerlund" <magnus.westerlund@ericsson.com>
To: <draft-ietf-avtcore-aria-srtp@tools.ietf.org>
Cc: <avt@ietf.org>
Sent: Thursday, August 15, 2013 4:11 PM
Subject: Re: [AVTCORE] I-D Action: draft-ietf-avtcore-aria-srtp-03.txt


> Authors and WG,
>
> I have reviewed this new version. Thanks for addressing my issue. During
> this review I only noticed a small number of minor issues.
>
> Note, I have not verified in any way the test vectors. Nor am I certain
> that I can spot any factual error regarding the crypto-algorithms. What I
> have done is reviewed the draft consistency and correctness in their
> actions to IANA and towards SRTP.
>
>
> 1. Section 5.3:
>
>
>                              +--------------------------------------+
>                              | Encryption | Encryption | AEAD Auth. |
>                              | Algorithm  | Key Length | Tag Length |
>                              +======================================+
>    SRTP_ARIA_128_CTR_HMAC_80 |  ARIA-CTR  | 16 octets  |  80 bits   |
>    SRTP_ARIA_128_CTR_HMAC_32 |  ARIA-CTR  | 16 octets  |  32 bits   |
>    SRTP_ARIA_192_CTR_HMAC_80 |  ARIA-CTR  | 24 octets  |  80 bits   |
>    SRTP_ARIA_192_CTR_HMAC_32 |  ARIA-CTR  | 24 octets  |  32 bits   |
>    SRTP_ARIA_256_CTR_HMAC_80 |  ARIA-CTR  | 32 octets  |  80 bits   |
>    SRTP_ARIA_256_CTR_HMAC_32 |  ARIA-CTR  | 32 octets  |  32 bits   |
>
>
>
> Kim, et al.             Expires December 29, 2013              [Page 18]
>
> Internet-Draft           ARIA Algorithm for SRTP               June 2013
>
>
>    SRTP_AEAD_ARIA_128_GCM    |  ARIA-GCM  | 16 octets  | 128 bits   |
>    SRTP_AEAD_ARIA_128_CCM    |  ARIA-CCM  | 16 octets  | 128 bits   |
>    SRTP_AEAD_ARIA_128_GCM_12 |  ARIA-GCM  | 16 octets  |  96 bits   |
>    SRTP_AEAD_ARIA_128_CCM_12 |  ARIA-CCM  | 16 octets  |  96 bits   |
>    SRTP_AEAD_ARIA_128_GCM_8  |  ARIA-GCM  | 16 octets  |  64 bits   |
>    SRTP_AEAD_ARIA_128_CCM_8  |  ARIA-CCM  | 16 octets  |  64 bits   |
>    SRTP_AEAD_ARIA_256_GCM    |  ARIA-GCM  | 32 octets  | 128 bits   |
>    SRTP_AEAD_ARIA_256_CCM    |  ARIA-CCM  | 32 octets  | 128 bits   |
>    SRTP_AEAD_ARIA_256_GCM_12 |  ARIA-GCM  | 32 octets  |  96 bits   |
>    SRTP_AEAD_ARIA_256_CCM_12 |  ARIA-CCM  | 32 octets  |  96 bits   |
>    SRTP_AEAD_ARIA_256_GCM_8  |  ARIA-GCM  | 32 octets  |  64 bits   |
>    SRTP_AEAD_ARIA_256_CCM_8  |  ARIA-CCM  | 32 octets  |  64 bits   |
>                              +======================================+
>
>           Figure 1: Mapping MIKEY parameters to AEAD algorithm
>
> Shouldn't you split this into two tables as the last column and legend
> are wrong for the first ARIA CTR + SHA-1 HMAC suites which are not AEAD
> suites? That way you can use the correct labels on the last column for
> auth tag lengths and in the legend.
>
>
> 2. Section A.2. and A.3
>
> In section A.1 I do understand the structure for the test vectors. They
> contain both just the Encrypted part and the full RTP header + payload +
> ROC that authentication is calculated over, and then the resulting output.
>
> However in A.2 and A.3 where there are AEAD algorithms I am a bit
> surprised over the split in Encrypted RTP payload and Authentication
> tag. Due to AEAD shouldn't the relevant unit to test as input be the
> full SRTP packet which contains both the encrypted and the data that is
> just authenticated including the AEAD output in the payload location?
>
> You might need a bit more explanation what the test vectors really are
> so that one can correctly use them to verify one's implementation.
>
>
>
> Next Steps:
>
> Please address the above issues.
>
> I personally think this is ready for going forward to WG last call when
> the above is addressed. However, in that last call we will need to get a
> review from someone that has sufficient crypto knowledge to reduce
> the risk for any such error making it through. Thus I intended to make
> the WG last call's completion dependent on getting such a review.
>
> Cheers
>
> Magnus
>
>
>
>
> On 2013-06-27 07:43, internet-drafts@ietf.org wrote:
>>
>> A New Internet-Draft is available from the on-line Internet-Drafts directories.
>>  This draft is a work item of the Audio/Video Transport Core Maintenance Working Group of the IETF.
>>
>> Title           : The ARIA Algorithm and Its Use with the Secure Real-time Transport Protocol (SRTP)
>> Author(s)       : Woo-Hwan Kim
>>                           Jungkeun Lee
>>                           Dong-Chan Kim
>>                           Je-Hong Park
>>                           Daesung Kwon
>> Filename        : draft-ietf-avtcore-aria-srtp-03.txt
>> Pages           : 32
>> Date            : 2013-06-26
>>
>> Abstract:
>>    This document describes the use of the ARIA block cipher algorithm
>>    within the Secure Real-time Transport Protocol (SRTP) for providing
>>    confidentiality for the Real-time Transport Protocol (RTP) traffic
>>    and for the control traffic for RTP, the Real-time Transport Control
>>    Protocol (RTCP).  It details three modes of operation (CTR, CCM, GCM)
>>    and a SRTP Key Derivation Function for ARIA.
>>
>>
>> The IETF datatracker status page for this draft is:
>> https://datatracker.ietf.org/doc/draft-ietf-avtcore-aria-srtp
>>
>> There's also a htmlized version available at:
>> http://tools.ietf.org/html/draft-ietf-avtcore-aria-srtp-03
>>
>> A diff from the previous version is available at:
>> http://www.ietf.org/rfcdiff?url2=draft-ietf-avtcore-aria-srtp-03
>>
>>
>> Internet-Drafts are also available by anonymous FTP at:
>> ftp://ftp.ietf.org/internet-drafts/
>>
>
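
Added example, not part of the original messages or of the draft: for the AEAD suites in the quoted Section 5.3 table, it splits a full SRTP packet into the associated data (RTP header), the ciphertext and the authentication tag, which is the relationship between the "full packet" and the split test-vector fields discussed in item 2. It assumes the RFC 5116 layout in which the tag is appended to the ciphertext and that no MKI is present; the function names are hypothetical and the sample bytes are constructed placeholders, not the draft's test vectors.

```python
import struct

# Tag lengths in octets for the AEAD suites in the quoted Section 5.3 table
# (128/96/64 bits -> 16/12/8 octets).
AEAD_TAG_OCTETS = {
    f"SRTP_AEAD_ARIA_{key}_{mode}{suffix}": octets
    for key in (128, 256)
    for mode in ("GCM", "CCM")
    for suffix, octets in (("", 16), ("_12", 12), ("_8", 8))
}


def rtp_header_length(packet: bytes) -> int:
    """Length of the RTP header: fixed part, CSRC list and header extension."""
    if len(packet) < 12:
        raise ValueError("shorter than the fixed RTP header")
    if packet[0] >> 6 != 2:
        raise ValueError("not RTP version 2")
    length = 12 + 4 * (packet[0] & 0x0F)          # CSRC count
    if packet[0] & 0x10:                          # X bit: extension present
        if len(packet) < length + 4:
            raise ValueError("truncated header extension")
        (words,) = struct.unpack_from("!H", packet, length + 2)
        length += 4 + 4 * words
    if len(packet) < length:
        raise ValueError("truncated RTP header")
    return length


def split_srtp_aead(packet: bytes, suite: str) -> dict:
    """Split a full SRTP packet into associated data, ciphertext and tag."""
    tag_len = AEAD_TAG_OCTETS[suite]              # KeyError for CTR+HMAC suites
    hdr_len = rtp_header_length(packet)
    aead_output = packet[hdr_len:]                # assumption: no MKI appended
    if len(aead_output) < tag_len:
        raise ValueError("payload shorter than the authentication tag")
    return {
        "aad": packet[:hdr_len],                  # authenticated, not encrypted
        "ciphertext": aead_output[:-tag_len],
        "tag": aead_output[-tag_len:],            # assumption: tag is appended
    }


# Constructed sample: placeholder bytes, not a test vector from the draft.
HEADER = bytes.fromhex("8008000100000064deadbeef")   # V=2, CC=0, X=0
CIPHERTEXT = bytes(range(20))
TAG = b"\xaa" * 12
SAMPLE_PACKET = HEADER + CIPHERTEXT + TAG
```
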