Re: [AVTCORE] [Technical Errata Reported] RFC7714 (4938)
"Mo Zanaty (mzanaty)" <mzanaty@cisco.com> Fri, 31 March 2017 00:56 UTC
Return-Path: <mzanaty@cisco.com>
X-Original-To: avt@ietfa.amsl.com
Delivered-To: avt@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0DB2B129404 for <avt@ietfa.amsl.com>; Thu, 30 Mar 2017 17:56:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.521
X-Spam-Level:
X-Spam-Status: No, score=-14.521 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RP_MATCHES_RCVD=-0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id m3GxsvhLn0xq for <avt@ietfa.amsl.com>; Thu, 30 Mar 2017 17:56:43 -0700 (PDT)
Received: from rcdn-iport-7.cisco.com (rcdn-iport-7.cisco.com [173.37.86.78]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 79FB11295E9 for <avt@ietf.org>; Thu, 30 Mar 2017 17:56:40 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=33078; q=dns/txt; s=iport; t=1490921800; x=1492131400; h=from:to:subject:date:message-id:references:in-reply-to: mime-version; bh=7z+HO5LWA7eHW4iopfIuHoT5EQGIxbG2syRm4/oXg+g=; b=Mi5Az2Q5kKVazHY3fT6xl8oE27a5RMBEiBL73z0BkwovR2niBSApt+Af xPXLQ9qD0sVL2TLV2GzBFd2x7cQKBgsHYZLcJcF6gD7jlBxlhpfoL7xXF Jd/mOXmzyyY+NKwnRnsp3bcTIrMFU2kKRNnGw/4djvMzFMnrq12fYonre U=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0BuAgBlqN1Y/4kNJK1EGhkBAQEBAQEBAQEBAQcBAQEBAYJuPSthgQsHg1uKEZFVgjqFX4sogg+CDiqCHQGDWgIagx8/GAECAQEBAQEBAWsdC4UVAQEBAQMjBEcXBAIBBgIRAwEBASgDAgICMBMBCQgCBBMbiVgDFQ4CL4w+nVuBbDqKXQEBAQEBAQEBAQEBAQEBAQEBAQEBAR2GToRvgTyBFUaBDxEBMwkWglCCXwWHRgyBUBGIAIp8OwGGfIMqg3eEMoF8hSqKEYpyiHoBHzgVaAhbFRgphFkNEIFjdQETh02BIYENAQEB
X-IronPort-AV: E=Sophos;i="5.36,249,1486425600"; d="scan'208,217";a="225117043"
Received: from alln-core-4.cisco.com ([173.36.13.137]) by rcdn-iport-7.cisco.com with ESMTP/TLS/DHE-RSA-AES256-SHA; 31 Mar 2017 00:56:39 +0000
Received: from XCH-RCD-003.cisco.com (xch-rcd-003.cisco.com [173.37.102.13]) by alln-core-4.cisco.com (8.14.5/8.14.5) with ESMTP id v2V0udK2002675 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=FAIL) for <avt@ietf.org>; Fri, 31 Mar 2017 00:56:39 GMT
Received: from xch-aln-005.cisco.com (173.36.7.15) by XCH-RCD-003.cisco.com (173.37.102.13) with Microsoft SMTP Server (TLS) id 15.0.1210.3; Thu, 30 Mar 2017 19:56:38 -0500
Received: from xch-aln-005.cisco.com ([173.36.7.15]) by XCH-ALN-005.cisco.com ([173.36.7.15]) with mapi id 15.00.1210.000; Thu, 30 Mar 2017 19:56:38 -0500
From: "Mo Zanaty (mzanaty)" <mzanaty@cisco.com>
To: "avt@ietf.org" <avt@ietf.org>
Thread-Topic: [AVTCORE] [Technical Errata Reported] RFC7714 (4938)
Thread-Index: AQHSqbmmZLElxVm79UGtFI+figtIMQ==
Date: Fri, 31 Mar 2017 00:56:38 +0000
Message-ID: <D5032168.6BEF6%mzanaty@cisco.com>
References: <20170216202330.94C25B8020D@rfc-editor.org> <emcee78341-8202-42e7-86bb-2f67f51ac896@sydney> <6E58094ECC8D8344914996DAD28F1CCD7751D9@DGGEMM506-MBX.china.huawei.com> <DE5A6898-ABEF-40ED-AB09-7C1DA5D18A20@packetizer.com> <D500725E.6BB40%mzanaty@cisco.com>
In-Reply-To: <D500725E.6BB40%mzanaty@cisco.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/14.7.2.170228
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [10.82.218.121]
Content-Type: multipart/alternative; boundary="_000_D50321686BEF6mzanatyciscocom_"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/avt/cJhm6XF8YLZFxvYY_7BuVTVszj4>
Subject: Re: [AVTCORE] [Technical Errata Reported] RFC7714 (4938)
X-BeenThere: avt@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Audio/Video Transport Core Maintenance <avt.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/avt>, <mailto:avt-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/avt/>
List-Post: <mailto:avt@ietf.org>
List-Help: <mailto:avt-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/avt>, <mailto:avt-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 31 Mar 2017 00:56:46 -0000
The root cause of the ambiguity on whether to zero-pad the salt on the left or right stems from the different salt sizes specified in RFC 7714 GCM (96 bits) versus RFC 3711/6188 AES 128/192/256 CM (112 bits).
That discrepancy, in turn, is due to the block counter size expansion from 16 bits to 32 bits in GCM, which expands the max packet size from 1 MB (64K*16B) to 64 GB (4G*16B). Was this intentional to accommodate IPv6 jumbograms? Or an unintended carryover from non-network GCM uses like file encryption?
Are there any security considerations of not salting the 16 bits before the 16-bit block counter in the PRF IV?
For clarity, here is the IV layout of CM vs GCM vs PRF (used by both CM and GCM).
RFC 3711/6188 CM IV:
0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
|00|00|00|00| SSRC | packet index | b_c |---+
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ |
|
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ v
| salt (k_s) |00|00|->(+)
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
RFC 3711 PRF IV:
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
|00|00|00|00|00|00|00|LB| index/rate | b_c |---+
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ |
|
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ v
| salt (k_s) |00|00|->(+)
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
RFC 7714 GCM IV:
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
|00|00| SSRC | packet index | b_c |---+
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ |
|
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ v
| salt (k_s) |00|00|00|00|->(+)
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
Mo
From: avt <avt-bounces@ietf.org<mailto:avt-bounces@ietf.org>> on behalf of Paul Jones <paulej@packetizer.com<mailto:paulej@packetizer.com>>
Date: Sunday, February 19, 2017 at 10:18 AM
To: Roni Even <roni.even@huawei.com<mailto:roni.even@huawei.com>>, RFC Errata System <rfc-editor@rfc-editor.org<mailto:rfc-editor@rfc-editor.org>>, "David McGrew (mcgrew)" <mcgrew@cisco.com<mailto:mcgrew@cisco.com>>, "mythicalkevin@yahoo.com<mailto:mythicalkevin@yahoo.com>" <mythicalkevin@yahoo.com<mailto:mythicalkevin@yahoo.com>>, "ben@nostrum.com<mailto:ben@nostrum.com>" <ben@nostrum.com<mailto:ben@nostrum.com>>, "alissa@cooperw.in<mailto:alissa@cooperw.in>" <alissa@cooperw.in<mailto:alissa@cooperw.in>>, "aamelnikov@fastmail.fm<mailto:aamelnikov@fastmail.fm>" <aamelnikov@fastmail.fm<mailto:aamelnikov@fastmail.fm>>, 'Magnus Westerlund' <magnus.westerlund@ericsson.com<mailto:magnus.westerlund@ericsson.com>>
Cc: "text/plain@rfc-editor.org<mailto:text/plain@rfc-editor.org>" <text/plain@rfc-editor.org<mailto:text/plain@rfc-editor.org>>, "avt@ietf.org<mailto:avt@ietf.org>" <avt@ietf.org<mailto:avt@ietf.org>>
Subject: Re: [AVTCORE] [Technical Errata Reported] RFC7714 (4938)
Roni,
Sure, we could do that. However, I do wonder how useful that would be. In the outside chance one encounters such an implementation, what would they do about it?
Paul
________________________________
From: Roni Even <roni.even@huawei.com<mailto:roni.even@huawei.com>>
Sent: February 19, 2017 2:38:21 AM EST
To: "Paul E. Jones" <paulej@packetizer.com<mailto:paulej@packetizer.com>>, RFC Errata System <rfc-editor@rfc-editor.org<mailto:rfc-editor@rfc-editor.org>>, "mcgrew@cisco.com<mailto:mcgrew@cisco.com>" <mcgrew@cisco.com<mailto:mcgrew@cisco.com>>, "mythicalkevin@yahoo.com<mailto:mythicalkevin@yahoo.com>" <mythicalkevin@yahoo.com<mailto:mythicalkevin@yahoo.com>>, "ben@nostrum.com<mailto:ben@nostrum.com>" <ben@nostrum.com<mailto:ben@nostrum.com>>, "alissa@cooperw.in<mailto:alissa@cooperw.in>" <alissa@cooperw.in<mailto:alissa@cooperw.in>>, "aamelnikov@fastmail.fm<mailto:aamelnikov@fastmail.fm>" <aamelnikov@fastmail.fm<mailto:aamelnikov@fastmail.fm>>, "magnus.westerlund@ericsson.com<mailto:magnus.westerlund@ericsson.com>" <magnus.westerlund@ericsson.com<mailto:magnus.westerlund@ericsson.com>>
Cc: "avt@ietf.org<mailto:avt@ietf.org>" <avt@ietf.org<mailto:avt@ietf.org>>, "text/plain@rfc-editor.org<mailto:text/plain@rfc-editor.org>" <text/plain@rfc-editor.org<mailto:text/plain@rfc-editor.org>>
Subject: RE: [Technical Errata Reported] RFC7714 (4938)
Paul,
I saw the email with what looks like this direction but maybe the new text should mention as a note that since this was not specified before there may be few implementations that added padding on the other side.
Roni Even
As individual
-----Original Message-----
From: Paul E. Jones [mailto:paulej@packetizer.com]
Sent: יום ה 16 פברואר 2017 23:45
To: RFC Errata System; mcgrew@cisco.com<mailto:mcgrew@cisco.com>; mythicalkevin@yahoo.com<mailto:mythicalkevin@yahoo.com>;
ben@nostrum.com<mailto:ben@nostrum.com>; alissa@cooperw.in<mailto:alissa@cooperw.in>; aamelnikov@fastmail.fm<mailto:aamelnikov@fastmail.fm>; Roni Even;
magnus.westerlund@ericsson.com<mailto:magnus.westerlund@ericsson.com>
Cc: avt@ietf.org<mailto:avt@ietf.org>; text/plain@rfc-editor.org<mailto:text/plain@rfc-editor.org>
Subject: Re: [Technical Errata Reported] RFC7714 (4938)
Since this issue needs closure in order to ensure that we have interoperable
solutions, it would be good to have confirmation / agreement on the
proposed change.
Paul
------ Original Message ------
From: "RFC Errata System" <rfc-editor@rfc-editor.org<mailto:rfc-editor@rfc-editor.org>>
To: mcgrew@cisco.com<mailto:mcgrew@cisco.com>; mythicalkevin@yahoo.com<mailto:mythicalkevin@yahoo.com>; ben@nostrum.com<mailto:ben@nostrum.com>;
alissa@cooperw.in<mailto:alissa@cooperw.in>; aamelnikov@fastmail.fm<mailto:aamelnikov@fastmail.fm>; roni.even@huawei.com<mailto:roni.even@huawei.com>;
magnus.westerlund@ericsson.com<mailto:magnus.westerlund@ericsson.com>
Cc: paulej@packetizer.com<mailto:paulej@packetizer.com>; avt@ietf.org<mailto:avt@ietf.org>; rfc-editor@rfc-editor.org<mailto:rfc-editor@rfc-editor.org> Content-
Type; text/plain@rfc-editor.org<mailto:text/plain@rfc-editor.org>; ; charset=UTF-8@rfc-editor.org<mailto:charset=UTF-8@rfc-editor.org>
Sent: 2/16/2017 3:23:30 PM
Subject: [Technical Errata Reported] RFC7714 (4938)
The following errata report has been submitted for RFC7714, "AES-GCM
Authenticated Encryption in the Secure Real-time Transport Protocol
(SRTP)".
________________________________
You may review the report below and at:
http://www.rfc-editor.org/errata_search.php?rfc=7714&eid=4938
________________________________
Type: Technical
Reported by: Paul E. Jones <paulej@packetizer.com<mailto:paulej@packetizer.com>>
Section: 11
Original Text
-------------
A Key Derivation Function (KDF) is used to derive all of the required
encryption and authentication keys from a secret value shared by the
endpoints. The AEAD_AES_128_GCM algorithm MUST use the (128-bit)
AES_CM PRF KDF described in [RFC3711]. AEAD_AES_256_GCM MUST use
the
AES_256_CM_PRF KDF described in [RFC6188].
Corrected Text
--------------
A Key Derivation Function (KDF) is used to derive all of the required
encryption and authentication keys from a secret value shared by the
endpoints. The AEAD_AES_128_GCM algorithm MUST use the (128-bit)
AES_CM PRF KDF described in [RFC3711]. AEAD_AES_256_GCM MUST use
the
AES_256_CM_PRF KDF described in [RFC6188]. Since the KDF functions in
those RFCs assume as input a 112-bit master salt, the 96-bit master
salt specified in this document must be multiplied by 2^16 to form the
112-bit salt used as the master salt in those key derivation functions.
Notes
-----
The salt specified in RFC 7714 is 96 bits in length, but intended for
use in KDF functions defined in RFC 3711. This led to different
interpretations when implementing this RFC. A more complete
description was presented on the avtcore mailing list
(https://mailarchive.ietf.org/arch/msg/avt/IRfLuNKglD3qhqwSz3v3t0CG6fA
)
and, after some dialog, there seemed to be agreement to adopt the
approach most widely implemented
(https://mailarchive.ietf.org/arch/msg/avt/-
C1cIWQXpyzS2KfBjGR6B2kK92w).
This suggested text is intended to reflect that agreement. In
effect,
16 zero bits are padded to the right of the salt value defined in RFC
7714 (creating a 112 bit salt value) before it is used as described in
the KDF functions defined in RFC 3711 that require a 112 bit salt
value.
Instructions:
-------------
This erratum is currently posted as "Reported". If necessary, please
use "Reply All" to discuss whether it should be verified or rejected.
When a decision is reached, the verifying party can log in to change
the status and edit the report, if necessary.
________________________________
RFC7714 (draft-ietf-avtcore-srtp-aes-gcm-17)
________________________________
Title : AES-GCM Authenticated Encryption in the Secure
Real-time Transport Protocol (SRTP)
Publication Date : December 2015
Author(s) : D. McGrew, K. Igoe
Category : PROPOSED STANDARD
Source : Audio/Video Transport Core Maintenance
Area : Applications and Real-Time
Stream : IETF
Verifying Party : IESG
- [AVTCORE] [Technical Errata Reported] RFC7714 (49… RFC Errata System
- Re: [AVTCORE] [Technical Errata Reported] RFC7714… Paul E. Jones
- Re: [AVTCORE] [Technical Errata Reported] RFC7714… Roni Even
- Re: [AVTCORE] [Technical Errata Reported] RFC7714… Paul E. Jones
- Re: [AVTCORE] [Technical Errata Reported] RFC7714… Mo Zanaty (mzanaty)