[AVT] comments on draft-ietf-avt-seed-srtp-09.txt
David McGrew <mcgrew@cisco.com> Tue, 24 March 2009 17:00 UTC
Return-Path: <mcgrew@cisco.com>
X-Original-To: avt@core3.amsl.com
Delivered-To: avt@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 6C65E3A69A1; Tue, 24 Mar 2009 10:00:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.599
X-Spam-Level:
X-Spam-Status: No, score=-6.599 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZGw-RtduURdg; Tue, 24 Mar 2009 10:00:19 -0700 (PDT)
Received: from sj-iport-3.cisco.com (sj-iport-3.cisco.com [171.71.176.72]) by core3.amsl.com (Postfix) with ESMTP id 1880D3A6AFA; Tue, 24 Mar 2009 10:00:19 -0700 (PDT)
X-IronPort-AV: E=Sophos;i="4.38,413,1233532800"; d="scan'208";a="146144909"
Received: from sj-dkim-2.cisco.com ([171.71.179.186]) by sj-iport-3.cisco.com with ESMTP; 24 Mar 2009 17:01:10 +0000
Received: from sj-core-4.cisco.com (sj-core-4.cisco.com [171.68.223.138]) by sj-dkim-2.cisco.com (8.12.11/8.12.11) with ESMTP id n2OH1A1p013839; Tue, 24 Mar 2009 10:01:10 -0700
Received: from xbh-rtp-211.amer.cisco.com (xbh-rtp-211.cisco.com [64.102.31.102]) by sj-core-4.cisco.com (8.13.8/8.13.8) with ESMTP id n2OH0xVf003526; Tue, 24 Mar 2009 17:01:10 GMT
Received: from xfe-rtp-201.amer.cisco.com ([64.102.31.38]) by xbh-rtp-211.amer.cisco.com with Microsoft SMTPSVC(6.0.3790.1830); Tue, 24 Mar 2009 13:01:07 -0400
Received: from dhcp-13b3.meeting.ietf.org ([10.82.219.25]) by xfe-rtp-201.amer.cisco.com with Microsoft SMTPSVC(6.0.3790.1830); Tue, 24 Mar 2009 13:01:06 -0400
Message-Id: <8C0A3977-B4DC-432D-94B4-311286D67357@cisco.com>
From: David McGrew <mcgrew@cisco.com>
To: ietf@ietf.org
Content-Type: text/plain; charset="US-ASCII"; format="flowed"; delsp="yes"
Content-Transfer-Encoding: 7bit
Mime-Version: 1.0 (Apple Message framework v930.3)
Date: Tue, 24 Mar 2009 10:01:05 -0700
X-Mailer: Apple Mail (2.930.3)
X-OriginalArrivalTime: 24 Mar 2009 17:01:06.0804 (UTC) FILETIME=[1F632340:01C9ACA2]
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; l=3779; t=1237914070; x=1238778070; c=relaxed/simple; s=sjdkim2002; h=Content-Type:From:Subject:Content-Transfer-Encoding:MIME-Version; d=cisco.com; i=mcgrew@cisco.com; z=From:=20David=20McGrew=20<mcgrew@cisco.com> |Subject:=20comments=20on=20draft-ietf-avt-seed-srtp-09.txt |Sender:=20; bh=CgjI2518qpELEn4FQlGp00kIzyMTmC/yl+mJ9NJd4tI=; b=cblCZH7f7UEkVYcYTVL/7NTNg3hzEo5PEwGoRPbSXV75H6MxY0f8FBLLjx EWyc1nn3w118X/ftouPRG4Q5lX4kCJP78oUFo59JRwx0IM6NEnMuP/Z8+tN8 BTIcsOHjed;
Authentication-Results: sj-dkim-2; header.From=mcgrew@cisco.com; dkim=pass ( sig from cisco.com/sjdkim2002 verified; );
Cc: AVT WG <avt@ietf.org>
Subject: [AVT] comments on draft-ietf-avt-seed-srtp-09.txt
X-BeenThere: avt@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Audio/Video Transport Working Group <avt.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/avt>, <mailto:avt-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/avt>
List-Post: <mailto:avt@ietf.org>
List-Help: <mailto:avt-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/avt>, <mailto:avt-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 24 Mar 2009 17:00:20 -0000
Hello, I have some concerns about draft-ietf-avt-seed-srtp-09; there are several issues that deserve to be addressed. This message is a response to the last call. There is no definition of how CCM and GCM are to be used to protect RTCP. It would not be possible to use this specification to protect RTCP packets with those algorithms. Section 2.2 defines the "Additional Authentication Data (AAD)" as "the header of the RTP packet", which does not include the RTP Contributing Source (CSRC) identifiers and optional RTP header extension. Since these fields are not included in SRTP encryption, their omission from the AAD input means that they are left unauthenticated. Presumably this omission was inadvertent. Section 2.1 defines the CTR counter format to match RFC 3711, while Section 3 defines a different counter format for CCM and GCM. The latter format does not have any "salt" in it, unlike the former format. This omission seems like a bad idea, since there is essentially zero cost for including the salt in the counter, and the salt provides quantifiable security benefits. It protects against key collision attacks and time-memory tradeoff attacks (see http://citeseer.ist.psu.edu/old/mcgrew00attacks.html for example) and also makes integral cryptanalysis (the "SQUARE" attack) considerably more difficult. This last point is important for CCM and GCM since counter mode provides exactly the inputs that are needed in order to prosecute this type of attack. SEED was designed not long after the initial description of integral cryptanalysis, but before that attack was fully developed. The prudent thing to do would be to use a GCM and CCM counter format that that includes the salt value. Below I have some editorial comments. In Section 2, I don't understand the meaning of "and valuables" and I suggest just removing the phrase. Section 2.1 says: Implementations of this specification MUST use SEED-CTR in conjunction with an authentication function. I think that what is actually meant is: When SEED-CTR is used, it must be used only in conjunction with an authentication function. Section 2.2 says: This does not comply with the SRTP packet processing defined in section 3.3 of [RFC3711]. I think that what is meant is that the specification is meant to supersede RFC 3711, or one section of it. This needs to be clarified. Section 2.2 says that "the number of octets in the nonce SHOULD be 12". SHOULD needs to be changed to MUST in order to ensure interoperability. Section 4 says "The SEED-CTR PRF is defined in a similar manner." Presumably it means " ... defined in a similar manner, but with each invocation of AES replaced with an invocation of SEED." In Section 5, I suggest clarifying that "mandatory to implement" means conformance to the specification, and that Table 1 does not supersede RFC 3711. Lastly, I suggest that the status of the SEED algorithm within the Republic of Korea be clarified. RFC 4009 says that it is "a national standard encryption algorithm", which suggests a special governmental status, while RFC 4269 does not say that, and instead says that it "has been adopted by most of the security systems", and draft-ietf-avt- seed-srtp says that it is "a Korean National Industrial Association standard and is widely used in South Korea for electronic commerce and financial services that are operated on wired and wireless communications." Does SEED have a particular standing with the government of the Republic of Korea, as RFC 4009 suggests? If so, it would be good to state that. Best regards, David
- [AVT] comments on draft-ietf-avt-seed-srtp-09.txt David McGrew