Re: [AVT] SRTCP key derivation

[Mats Näslund <mats.naslund@ericsson.com>]

Hi,

I think the RFC is quite clear on this issue. (Perhaps there
isn't a "one-liner" that tells you this in one shot, but all
information is there).

First, notice that what really matters is the format/size of
"index DIV key_derivation_rate", because that is what is input to
the KDF. The RFC says:

    Let "a DIV t" denote integer division of a by t, rounded down, and
    with the convention that "a DIV 0 = 0" for all a.  We also make the
    convention of treating "a DIV t" as a bit string of the same length
    as a, and thus "a DIV t" will in general have leading zeros.

This means that when it later states:

    *  Let r = index DIV key_derivation_rate (with DIV as defined above).

    *  Let key_id = <label> || r.

r shall have the same bit-size as "index" has. For SRTP,
the index is clearly 48 bits, hence, so should the corresponding r be.

For SRTCP, a bit later it says:

    Replate the SRTP index by the 32-bit quantity: 0 || SRTCP index

here it is explcitly stated that it is a 32-bit quantity, hence
the same size is used for the result of the DIV operation and the
result/input to the KDF is 32 bits, same as before the DIV took
place.

Of course, there may be better ways to do it form implementation point
of view.

Best,

/Mats

Guoqiang Lu wrote:

>>This means that, e.g., the labels will not be in the same octet position for SRTP and SRTCP.
> 
> 
> This seems to contradict the reference implementation by David McGrew found in srtp.sourceforge.net: The SRTCP key was derived as:
> 
>  srtp_kdf_generate(&kdf, (uint64_t) label_rtcp_encryption, 
> 		     tmp_key, cipher_get_key_length(srtp->rtcp_cipher));
> While SRTCP key was derived as:
> 
>  srtp_kdf_generate(&kdf, (uint64_t) label_rtp_encryption, 
> 		     tmp_key, cipher_get_key_length(srtp->rtp_cipher));
> 
> And within the srtp_kdf_generate() function, the label is always assigned to nonce.octet[7].
> 
> Thanks!
> 
> Guoqiang Lu
> ESN: 39-36277
> Phone: (613) 763-6277
> guoqian@nortel.com
> --------------------------
> The contents of the this e-mail may be Nortel Confidential! 
> 
> 
> -----Original Message-----
> From: Karl Norrman (KI/EAB) [mailto:karl.norrman@ericsson.com] 
> Sent: Thursday, July 21, 2005 5:47 AM
> To: Lu, Guoqiang [CAR:9D40:EXCH]
> Cc: mcgrew@cisco.com; Mats Näslund (KI/EAB); avt@ietf.org
> Subject: RE: [AVT] SRTCP key derivation
> 
> 
> Hello!
> 
> The SRTCP index should not be padded with zeros to be 48 bits long.  This means that, e.g., the labels will not be in the same octet position for SRTP and SRTCP.
> 
> Regards,
> Karl
> 
> 
>>-----Original Message-----
>>From: avt-bounces@ietf.org [mailto:avt-bounces@ietf.org]On Behalf Of 
>>Guoqiang Lu
>>Sent: den 20 juli 2005 18:40
>>To: avt@ietf.org
>>Cc: mcgrew@cisco.com; Mats Näslund (KI/EAB)
>>Subject: [AVT] SRTCP key derivation
>>
>>
>>Hi,
>>In RFC3711, section 4.3.2. SRTCP Key Derivation, it says:
>>
>>"Replace the SRTP index by the 32-bit quantity: 0 || SRTCP index ..."
>>
>>My question is that SRTP index is a 48-bit quantity, should
>>the SRTCP 32-bit quantity "0 || SRTCP index" be patched with 
>>16 leading zeros?
>>
>>Thanks!
>>
>>Guoqiang Lu
>>ESN: 39-36277
>>Phone: (613) 763-6277
>>guoqian@nortel.com
>>--------------------------
>>The contents of the this e-mail may be Nortel Confidential!
>>
>>
>>_______________________________________________
>>Audio/Video Transport Working Group
>>avt@ietf.org
>>https://www1.ietf.org/mailman/listinfo/avt
>>
--------------------------------------
Mats Näslund, PhD, Senior Specialist
Communications Security Lab
Ericsson Research
SE-16480 Stockholm, Sweden
Visiting adr: Torshamnsgatan 23, Kista
Phone/Fax: (+46 8) 58533739/4047020


_______________________________________________
Audio/Video Transport Working Group
avt@ietf.org
https://www1.ietf.org/mailman/listinfo/avt