Re: [AVTCORE] Second WGLC on draft-ietf-avtcore-srtp-encrypted-header-ext
"David McGrew (mcgrew)" <mcgrew@cisco.com> Wed, 12 September 2012 12:08 UTC
Return-Path: <mcgrew@cisco.com>
X-Original-To: avt@ietfa.amsl.com
Delivered-To: avt@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 25CC221F8584 for <avt@ietfa.amsl.com>; Wed, 12 Sep 2012 05:08:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -110.598
X-Spam-Level:
X-Spam-Status: No, score=-110.598 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-8, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rPtvXjPJEQFR for <avt@ietfa.amsl.com>; Wed, 12 Sep 2012 05:08:11 -0700 (PDT)
Received: from rcdn-iport-8.cisco.com (rcdn-iport-8.cisco.com [173.37.86.79]) by ietfa.amsl.com (Postfix) with ESMTP id EB63221F8564 for <avt@ietf.org>; Wed, 12 Sep 2012 05:08:10 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=9972; q=dns/txt; s=iport; t=1347451691; x=1348661291; h=from:to:subject:date:message-id:in-reply-to:mime-version; bh=4sp0UaJ4zG+E5lKqewQCxPQ9B3X/hjlDx7e17Q71ZPY=; b=Ki1xPHpDFHwVUZZLLN2aBFJb11+imgq2VyjrNkw97ptdUb1qlShvY3zr UL9ymnx7wyUFdmpcVxk49VpZrRVsfcEKvRD1vZqGijO1Ikm1wXc1ozD9v T4X9W1m+qnIjNn1NND8HYRRwnImrkfTLcqNlvxyyK63FMm2/mDYyhlqZC M=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AgEFACV6UFCtJXG8/2dsb2JhbABFgkuwHwGIVYEHgiABAgQSAXgBCBEDAQIoKBEUCQgCBAESIodcAwwLnAyWYg2JU4otY4ZCA5QKgVWBFIoBgyGBaYJmgVwjGA
X-IronPort-AV: E=Sophos; i="4.80,408,1344211200"; d="scan'208,217"; a="120763415"
Received: from rcdn-core2-1.cisco.com ([173.37.113.188]) by rcdn-iport-8.cisco.com with ESMTP; 12 Sep 2012 12:08:10 +0000
Received: from xhc-rcd-x05.cisco.com (xhc-rcd-x05.cisco.com [173.37.183.79]) by rcdn-core2-1.cisco.com (8.14.5/8.14.5) with ESMTP id q8CC8AqF017651 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Wed, 12 Sep 2012 12:08:10 GMT
Received: from xmb-rcd-x04.cisco.com ([169.254.8.159]) by xhc-rcd-x05.cisco.com ([173.37.183.79]) with mapi id 14.02.0318.001; Wed, 12 Sep 2012 07:08:10 -0500
From: "David McGrew (mcgrew)" <mcgrew@cisco.com>
To: Ron Even <ron.even.tlv@gmail.com>, "avt@ietf.org" <avt@ietf.org>
Thread-Topic: [AVTCORE] Second WGLC on draft-ietf-avtcore-srtp-encrypted-header-ext
Thread-Index: AQHNkN9FPSdFfPNgyEirfdRzihGPdQ==
Date: Wed, 12 Sep 2012 12:08:08 +0000
Message-ID: <CC75E6DD.E6D23%mcgrew@cisco.com>
In-Reply-To: <CAHy0fzCrRwd5b-b2ij+xaD1gVW=QFHgiAAtvdRQhAWaoJ6Le-A@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/14.2.1.120420
x-originating-ip: [10.117.10.227]
x-tm-as-product-ver: SMEX-10.2.0.1135-7.000.1014-19178.005
x-tm-as-result: No--49.721100-8.000000-31
x-tm-as-user-approved-sender: No
x-tm-as-user-blocked-sender: No
Content-Type: multipart/alternative; boundary="_000_CC75E6DDE6D23mcgrewciscocom_"
MIME-Version: 1.0
Subject: Re: [AVTCORE] Second WGLC on draft-ietf-avtcore-srtp-encrypted-header-ext
X-BeenThere: avt@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Audio/Video Transport Core Maintenance <avt.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/avt>, <mailto:avt-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/avt>
List-Post: <mailto:avt@ietf.org>
List-Help: <mailto:avt-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/avt>, <mailto:avt-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 12 Sep 2012 12:08:12 -0000
Hi Roni,
I've read the new version. I think this is a good idea, and the draft is well written. I have only a few specific suggestions. Most importantly, it is not clear (to me, anyway) how the mask is generated. It will be essential for interoperability that all of the participants in the session use identical values for the mask, but the draft doesn't describe how a receiver would know the mask value that the sender has selected. I had expected that the mask value would be sent as a part of "urn:ietf:params:rtp-hdrext:encrypt", or something like that. I think this point needs to be clarified in the draft.
The header encryption operation is described in a way that would change the CTR (or f8) encryption operation ("The SRTP participant bitwise-ANDs the encryption mask with the keystream to produce a masked keystream"). However, what I hope/expect that implementations will do is implement header encryption in a way that does not change any of the crypto functions. The header encryption can be described in terms of manipulations of the plaintext and ciphertext, like this:
EncryptedHeader = (Encrypt(Key, Plaintext) AND MASK) OR (Plaintext AND (NOT MASK))
Many implementations would prefer this approach, because it enables them to use their encryption functions in a way that is unchanged. For instance, the crypto function might be implemented in a separate software library, or provided by a hardware function; the encryption function might be part of a validated crypto module, and thus there would be strong motivation not to alter it (and undo the validation). The current text in the draft is clear, so I don't recommend changing it. But I suggest providing an alternative description of the algorithm in a separate paragraph that follows the current description.
The security of the mask-based mechanism is sound, when used with the existing SRTP crypto transforms, as described in Section 3. However, if the mechanism is applied to other encryption methods, like ECB or CBC, then it would not be a sound approach. The alternative way of describing the encryption scheme in terms of plaintext manipulations might make it look like the scheme could be applied to ECB or CBC. So I suggest putting a statement in the security considerations saying "This technique can only be applied to encryption transforms that work by generating a pseudorandom keystream and bitwise exclusive-oring it with the plaintext, such as CTR or f8; it MUST NOT be used with ECB, CBC, or any other encryption method that does not use a keystream, or a loss of security will entail."
David
From: Ron Even <ron.even.tlv@gmail.com<mailto:ron.even.tlv@gmail.com>>
Date: Monday, September 10, 2012 11:32 AM
To: "avt@ietf.org<mailto:avt@ietf.org>" <avt@ietf.org<mailto:avt@ietf.org>>
Subject: Re: [AVTCORE] Second WGLC on draft-ietf-avtcore-srtp-encrypted-header-ext
Hi,
Plesae review the document
Roni
On Mon, Aug 27, 2012 at 8:38 PM, Roni Even <ron.even.tlv@gmail.com<mailto:ron.even.tlv@gmail.com>> wrote:
Hi,
I would like to start a second WGLC on http://tools.ietf.org/html/draft-ietf-avtcore-srtp-encrypted-header-ext-02 .
The draft finished a WGLC and there were comments from the WG chairs. These comments were addressed but since we did not have enough reviewers we are asking for more reviews
Please review the documents and send any comments by September 15th
Thanks
Roni Even
AVTCore co-chair
- [AVTCORE] Second WGLC on draft-ietf-avtcore-srtp-… Roni Even
- Re: [AVTCORE] Second WGLC on draft-ietf-avtcore-s… Ron Even
- Re: [AVTCORE] Second WGLC on draft-ietf-avtcore-s… Colin Perkins
- Re: [AVTCORE] Second WGLC on draft-ietf-avtcore-s… Magnus Westerlund
- Re: [AVTCORE] Second WGLC on draft-ietf-avtcore-s… David McGrew (mcgrew)
- Re: [AVTCORE] Second WGLC on draft-ietf-avtcore-s… Brandenburg, R. (Ray) van
- Re: [AVTCORE] Second WGLC ondraft-ietf-avtcore-sr… Qin Wu
- Re: [AVTCORE] Second WGLC on draft-ietf-avtcore-s… Jonathan Lennox
- Re: [AVTCORE] Second WGLC on draft-ietf-avtcore-s… David McGrew (mcgrew)