IETF Logo Mail Archive

[AVTCORE] header extensions and draft-ietf-avtcore-srtp-aes-gcm-04.txt

"Igoe, Kevin M." <kmigoe@nsa.gov> Fri, 08 February 2013 16:11 UTC

Return-Path: <kmigoe@nsa.gov>
X-Original-To: avt@ietfa.amsl.com
Delivered-To: avt@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CD83E21F8AC3 for <avt@ietfa.amsl.com>; Fri, 8 Feb 2013 08:11:45 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.332
X-Spam-Level:
X-Spam-Status: No, score=-10.332 tagged_above=-999 required=5 tests=[AWL=0.266, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YKeTa5Dmw8uG for <avt@ietfa.amsl.com>; Fri, 8 Feb 2013 08:11:30 -0800 (PST)
Received: from nsa.gov (emvm-gh1-uea09.nsa.gov [63.239.67.10]) by ietfa.amsl.com (Postfix) with ESMTP id A29D121F8ADB for <avt@ietf.org>; Fri, 8 Feb 2013 08:11:29 -0800 (PST)
X-TM-IMSS-Message-ID: <1a058a8d00070014@nsa.gov>
Received: from MSHT-GH1-UEA01.corp.nsa.gov ([10.215.227.18]) by nsa.gov ([63.239.67.10]) with ESMTP (TREND IMSS SMTP Service 7.1; TLSv1/SSLv3 AES128-SHA (128/128)) id 1a058a8d00070014 ; Fri, 8 Feb 2013 11:12:11 -0500
Received: from MSMR-GH1-UEA05.corp.nsa.gov (10.215.228.28) by MSHT-GH1-UEA01.corp.nsa.gov (10.215.227.18) with Microsoft SMTP Server (TLS) id 14.1.289.1; Fri, 8 Feb 2013 11:11:25 -0500
Received: from MSMR-GH1-UEA03.corp.nsa.gov ([10.215.224.3]) by MSMR-GH1-UEA05.corp.nsa.gov ([10.215.228.28]) with mapi id 14.01.0289.001; Fri, 8 Feb 2013 11:11:24 -0500
From: "Igoe, Kevin M." <kmigoe@nsa.gov>
To: 'Jonathan Lennox' <jonathan@vidyo.com>, IETF AVTCore WG <avt@ietf.org>
Thread-Topic: header extensions and draft-ietf-avtcore-srtp-aes-gcm-04.txt
Thread-Index: AQHOBhbwHlJ7EBP010qUNWkgdxexEQ==
Date: Fri, 08 Feb 2013 16:11:23 +0000
Message-ID: <3C4AAD4B5304AB44A6BA85173B4675CA6AA9DCC8@MSMR-GH1-UEA03.corp.nsa.gov>
References: <20130204181454.8284.73608.idtracker@ietfa.amsl.com> <461FB470-9F33-4B72-BDCC-402E44208789@vidyo.com> <3C4AAD4B5304AB44A6BA85173B4675CA69669890@MSMR-GH1-UEA03.corp.nsa.gov> <F46785E4-8447-44CB-B169-E64F25665274@vidyo.com>
In-Reply-To: <F46785E4-8447-44CB-B169-E64F25665274@vidyo.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.215.228.153]
Content-Type: multipart/alternative; boundary="_000_3C4AAD4B5304AB44A6BA85173B4675CA6AA9DCC8MSMRGH1UEA03cor_"
MIME-Version: 1.0
Subject: [AVTCORE] header extensions and draft-ietf-avtcore-srtp-aes-gcm-04.txt
X-BeenThere: avt@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Audio/Video Transport Core Maintenance <avt.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/avt>, <mailto:avt-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/avt>
List-Post: <mailto:avt@ietf.org>
List-Help: <mailto:avt-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/avt>, <mailto:avt-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 08 Feb 2013 16:11:46 -0000

If the header extensions are to use the same key as the
AEAD but with different salts, I've got a problem with
preventing IV reuse.  Currently the IV's are formed by

               0  0  0  0  0  0  0  0  0  0  1  1
               0  1  2  3  4  5  6  7  8  9  0  1
             +--+--+--+--+--+--+--+--+--+--+--+--+
             |00|00|    SSRC   |     ROC   | SEQ |---+
             +--+--+--+--+--+--+--+--+--+--+--+--+   |
                                                     |
             +--+--+--+--+--+--+--+--+--+--+--+--+   |
             |      SRTP Encryption Salt         |->(+)
             +--+--+--+--+--+--+--+--+--+--+--+--+   |
                                                     |
             +--+--+--+--+--+--+--+--+--+--+--+--+   |
             |       Initialization Vector       |<--+
             +--+--+--+--+--+--+--+--+--+--+--+--+

           Figure 1: AES-GCM and AES-CCM SRTP
                     Initialization Vector formation.

and your proposal for header extensions seems to call for
the IV to be

               0  0  0  0  0  0  0  0  0  0  1  1
               0  1  2  3  4  5  6  7  8  9  0  1
             +--+--+--+--+--+--+--+--+--+--+--+--+
             |00|00|    SSRC   |     ROC   | SEQ |---+
             +--+--+--+--+--+--+--+--+--+--+--+--+   |
                                                     |
             +--+--+--+--+--+--+--+--+--+--+--+--+   |
             |       HE Encryption Salt          |->(+)
             +--+--+--+--+--+--+--+--+--+--+--+--+   |
                                                     |
             +--+--+--+--+--+--+--+--+--+--+--+--+   |
             |       Initialization Vector       |<--+
             +--+--+--+--+--+--+--+--+--+--+--+--+

We MUST insure the IV's are all distinct, so even between packets
with different SSRC, ROC and SEQ we must insure

     base_0 XOR SRTP_SALT != base_1 XOR HE_SALT_1

where base_i = 0x0000 || SSRC_i || ROC_i || SEQ_i.

We have a problem whenever HE_SALT XOR SRTP_SALT = base_0 XOR base_1.

I believe we can avoid this by playing games with the most significant
bytes of the SALT {and hence of the IV, since he base starts with 0x00).

For SRTP, force the msB of the SRTP salt to be 0x0000 by taking
the msB of the SRTP salt to be 0x00:

               0  0  0  0  0  0  0  0  0  0  1  1
               0  1  2  3  4  5  6  7  8  9  0  1
             +--+--+--+--+--+--+--+--+--+--+--+--+
             |00|00|    SSRC   |     ROC   | SEQ |---+
             +--+--+--+--+--+--+--+--+--+--+--+--+   |
                                                     |
             +--+--+--+--+--+--+--+--+--+--+--+--+   |
             |00|     SRTP Encryption Salt        |->(+)
             +--+--+--+--+--+--+--+--+--+--+--+--+   |
                                                     |
             +--+--+--+--+--+--+--+--+--+--+--+--+   |
             |    SRTP Initialization Vector     |<--+
             +--+--+--+--+--+--+--+--+--+--+--+--+

so the high order byte of the IV is 0x00,

When we are using a 1-byte extentsion element headers,
the extension starts with the byte HH = ID ||L (both ID
and L are 4 bits each), so we proceed as below:

               0  0  0  0  0  0  0  0  0  0  1  1
               0  1  2  3  4  5  6  7  8  9  0  1
             +--+--+--+--+--+--+--+--+--+--+--+--+
             |00|00|    SSRC   |     ROC   | SEQ |---+
             +--+--+--+--+--+--+--+--+--+--+--+--+   |
                                                     |
             +--+--+--+--+--+--+--+--+--+--+--+--+   |
             |HH|     HE Encryption Salt         |->(+)
             +--+--+--+--+--+--+--+--+--+--+--+--+   |
                                                     |
             +--+--+--+--+--+--+--+--+--+--+--+--+   |
             |    HE Initialization Vector       |<--+
             +--+--+--+--+--+--+--+--+--+--+--+--+

so the first nibble of the IV is the ID.

For 2-byte extension headers, we have an 8-bit ID, so we use


               0  0  0  0  0  0  0  0  0  0  1  1
               0  1  2  3  4  5  6  7  8  9  0  1
             +--+--+--+--+--+--+--+--+--+--+--+--+
             |00|00|    SSRC   |     ROC   | SEQ |---+
             +--+--+--+--+--+--+--+--+--+--+--+--+   |
                                                     |
             +--+--+--+--+--+--+--+--+--+--+--+--+   |
             |ID|     HE Encryption Salt         |->(+)
             +--+--+--+--+--+--+--+--+--+--+--+--+   |
                                                     |
             +--+--+--+--+--+--+--+--+--+--+--+--+   |
             |    HE Initialization Vector       |<--+
             +--+--+--+--+--+--+--+--+--+--+--+--+

and hence the first byte of the IV is the ID.

Since the ID is never allowed to be zero, and recalling that a given
session never mixes 1-byte and 2-byte extensions, the inclusion of the ID
directly in the IV insures all of the IV's are distinct.

I presume the ID and length fields are to be sent in the clear?
I'd recommend that AEAD treat them as AAD.  Indeed, it would be
prudent to have AEAD treat the encrypted header extension data
field as AAD.  This eliminates all sorts of potential spoofing
attack worries.

What do you think?





From: Jonathan Lennox [mailto:jonathan@vidyo.com]
Sent: Wednesday, February 06, 2013 5:23 PM
To: Igoe, Kevin M.
Subject: Re: [AVTCORE] I-D Action: draft-ietf-avtcore-srtp-aes-gcm-04.txt

Sorry, I was probably too brief in my comment.  I was specifically referring to draft-ietf-avtcore-srtp-encrypted-header-ext (currently in AD review), which works out all these issues but adds a requirement that new SRTP encryption transforms define how they generate the encrypted header keystream.

I've attached my e-mail exchange with David from the aes-gcm WGLC, which includes text I proposed be added to the aes-gcm draft.


On Feb 6, 2013, at 3:44 PM, Igoe, Kevin M. wrote:

> I'm not sure I understand header extensions well enough to come up with
> a "one size fits all" solution.  Which parts are to be treated as PT
> to be encrypted and authenticated, which as additional authenticated data
> to be only authenticated, and which as raw data?  Will this change form
> one flavor of extension to another?  I hope to tap your expertise on
> these points.
>
> RFC 5283 talks about the presence and format of a header extension being
> negotiated out-of-band.  The best solution I can think of is that this
> out-of-band negotiation should also decide how AEAD will treat the various
> fields in the header extension.  If that is sufficient for our needs, then
> I believe we can add that in w/o too much trouble.  But I really don't want
> to get bogged down in how the out-of-band negotiation is to be done.
>
> Another point I'd like your input on: does the requirement that the AEAD
> authentication tag MUST be validated before any of the cipher is decrypted
> or any of the AAD be processed in any way cause problems for existing header
> extensions?
>
>> -----Original Message-----
>> From: avt-bounces@ietf.org [mailto:avt-bounces@ietf.org] On Behalf Of
>> Jonathan Lennox
>> Sent: Monday, February 04, 2013 6:00 PM
>> To: IETF AVTCore WG
>> Subject: Re: [AVTCORE] I-D Action: draft-ietf-avtcore-srtp-aes-gcm-
>> 04.txt
>>
>> This new version still doesn't appear to have any text about header
>> extension encryption.  Is there a reason this was omitted?
>>
>> On Feb 4, 2013, at 1:14 PM, <internet-drafts@ietf.org> wrote:
>>
>>>
>>> A New Internet-Draft is available from the on-line Internet-Drafts
>> directories.
>>> This draft is a work item of the Audio/Video Transport Core
>> Maintenance Working Group of the IETF.
>>>
>>>      Title           : AES-GCM and AES-CCM Authenticated Encryption in
>> Secure RTP (SRTP)
>>>      Author(s)       : David A. McGrew
>>>                         Kevin M. Igoe
>>>      Filename        : draft-ietf-avtcore-srtp-aes-gcm-04.txt
>>>      Pages           : 28
>>>      Date            : 2013-02-04
>>>
>>> Abstract:
>>>  This document defines how AES-GCM and AES-CCM Authenticated
>>>  Encryption with Associated Data algorithms can be used to provide
>>>  confidentiality and data authentication in the SRTP protocol.
>>>
>>>
>>>
>>> The IETF datatracker status page for this draft is:
>>> https://datatracker.ietf.org/doc/draft-ietf-avtcore-srtp-aes-gcm
>>>
>>> There's also a htmlized version available at:
>>> http://tools.ietf.org/html/draft-ietf-avtcore-srtp-aes-gcm-04
>>>
>>> A diff from the previous version is available at:
>>> http://www.ietf.org/rfcdiff?url2=draft-ietf-avtcore-srtp-aes-gcm-04
>>>
>>>
>>> Internet-Drafts are also available by anonymous FTP at:
>>> ftp://ftp.ietf.org/internet-drafts/
>>>
>>> _______________________________________________
>>> Audio/Video Transport Core Maintenance
>>> avt@ietf.org
>>> https://www.ietf.org/mailman/listinfo/avt
>>>
>>
>> --
>> Jonathan Lennox
>> jonathan@vidyo.com
>>
>>
>> _______________________________________________
>> Audio/Video Transport Core Maintenance
>> avt@ietf.org
>> https://www.ietf.org/mailman/listinfo/avt

--
Jonathan Lennox
jonathan@vidyo.com

v2.23.0 | Report a Bug | By Email