Re: [AVTCORE] WGLC on Encryption of Header Extensions in SRTP
Magnus Westerlund <magnus.westerlund@ericsson.com> Thu, 23 February 2012 14:25 UTC
Return-Path: <magnus.westerlund@ericsson.com>
X-Original-To: avt@ietfa.amsl.com
Delivered-To: avt@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C8C9121F861B for <avt@ietfa.amsl.com>; Thu, 23 Feb 2012 06:25:50 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -110.234
X-Spam-Level:
X-Spam-Status: No, score=-110.234 tagged_above=-999 required=5 tests=[AWL=0.365, BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AFWt0lI8Tvrb for <avt@ietfa.amsl.com>; Thu, 23 Feb 2012 06:25:50 -0800 (PST)
Received: from mailgw9.se.ericsson.net (mailgw9.se.ericsson.net [193.180.251.57]) by ietfa.amsl.com (Postfix) with ESMTP id 778D321F85EC for <avt@ietf.org>; Thu, 23 Feb 2012 06:25:49 -0800 (PST)
X-AuditID: c1b4fb39-b7bf2ae0000069a1-cf-4f464c6cea2f
Received: from esessmw0237.eemea.ericsson.se (Unknown_Domain [153.88.253.124]) by mailgw9.se.ericsson.net (Symantec Mail Security) with SMTP id 49.F0.27041.C6C464F4; Thu, 23 Feb 2012 15:25:48 +0100 (CET)
Received: from [127.0.0.1] (153.88.115.8) by esessmw0237.eemea.ericsson.se (153.88.115.91) with Microsoft SMTP Server id 8.3.213.0; Thu, 23 Feb 2012 15:25:47 +0100
Message-ID: <4F464C6B.3000006@ericsson.com>
Date: Thu, 23 Feb 2012 15:25:47 +0100
From: Magnus Westerlund <magnus.westerlund@ericsson.com>
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:10.0.2) Gecko/20120216 Thunderbird/10.0.2
MIME-Version: 1.0
To: avt@ietf.org
References: <4f3e518e.e465340a.47a8.3fa7@mx.google.com>
In-Reply-To: <4f3e518e.e465340a.47a8.3fa7@mx.google.com>
X-Enigmail-Version: 1.3.5
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 8bit
X-Brightmail-Tracker: AAAAAA==
Subject: Re: [AVTCORE] WGLC on Encryption of Header Extensions in SRTP
X-BeenThere: avt@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Audio/Video Transport Core Maintenance <avt.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/avt>, <mailto:avt-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/avt>
List-Post: <mailto:avt@ietf.org>
List-Help: <mailto:avt-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/avt>, <mailto:avt-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 23 Feb 2012 14:25:50 -0000
Hi, (as individual) I done a review and found the following issues that I believe should be addressed prior to requesting publication of this document. I do support the publication of this document when the issues has been addressed. 1. Title: Encryption of Header Extensions in the Secure Real-Time Transport Protocol (SRTP) Contains spurious space between Secure and Real-Time. 2. Section 1 and ref-list: The client-mixer and mixer-client audio levels references need to be updated to the RFCs. Also the reference to the AES-GCM draft needs to be updated. 3. Section 3. For SRTP encryption transforms that operate by generating a keystream, a header keystream is generated for each packet containing an encrypted header, using the same encryption transform and Initialization Vector (IV) as is used for the SRTP payload, except that the SRTP encryption and salting keys k_e and k_s are replaced by the SRTP header encryption and header salting keys k_he and k_hs, respectively. I wished this section used; SHALL use the same encryption transform to further enforce and clarify this. This is of high importance both from security perspective and the avoidance of any new crypto suit parameters that would need to be retroactively fit to the key-managagement systems. 4. Section 3. Due to the requirement on any SRTP crypto suit that doesn't generate a keystream to specify how the header encryption transform is uniquly determined based on the selected crypto suit I do think this document may in fact have to update RFC 3711. That would mean the following additions to the draft. 1. Updates in front page header 2. Explicit mention it in introduction and header. 3. Add a section that makes clear what the additional requirements this document put on the crypto suite rules defined in RFC 3711. 5. Section 3. "... for each packet containing an encrypted header, ..." Is really singular form the right form here. As there might be one or more header extensions that are included in the given packet? For me "encrypted headers" seems more accurate. 6. Section 3. For those octets indicated in the encryption mask, the SRTP participant bitwise exclusive-ors the header extension with the keystream to produce the ciphertext version of the header extension. Although the above sentence is correct it appears to me a bit easy to misunderstand as it is not the straightforward method of doing it. To me you take the header mask and AND it with the header extension keystream generated for this packets IV. Then you take that masked keystream and XOR with the plaintext header extensions to create the cipher text. The below is missing one step in that process. Those octets not indicated in the encryption mask are left unmodified. Thus, conceptually, the encryption mask is logically ANDed with the keystream to produce a masked keystream. The sender and receiver MUST use the same encryption mask. The set of extension elements to be encrypted is communicated between the sender and the receiver using the signaling mechanisms described in Section 4. The MUST in the above also seems a bit strange. They should be the same if both the encryptor and the decryptor are equally configured. So I don't see how this is something that can be mandated to work, at least not without a specification part that says how this is ensured. 7. I wonder if there should be any mentioning that also non RFC 5285 header extensions can also not be protected. Along these lines shouldn't the 3.1 section example actually contain the first RFC 3550 header extension word including the keyword. Otherwise if one takes the RFC 3550 definition of header extension and apply the mask as outlined, your off-set with 4 bytes. 8. Section 4. So if I understand this specification correctly, the header extensions can only be encrypted by also encrypting the full RTP payload. The combination of encrypting a header extension but not the payload is not possible as the crypto algorithm for the encryption in that case would be NULL. Does this need to be pointed out? 9. Section 4. Shouldn't there be ABNF for the specific usage of the extension attribute that this document usages? What I can see the proposal will clearly fall into the allowed syntax by RFC 5285, however, shouldn't one clarify that extensionattributes = byte-string / enc-extensionattributes enc-extensionattributes = extensionname [SP extensionattributes] 10. Section 4.1: (Note that, as always, users of best- effort encryption MUST be cautious of bid-down attacks, and ensure, for example, that signaling is integrity-protected.) I think a reference to an explanation of bid-down attack would be good. Or alternatively some more words on the attack. I also think there needs to be discussion on what type of integrity protection you actually need to prevent that. And the answer there is that is depends on the threat model if it needs to be end-to-end or can be hop by hop. 11. Section 5: If a middlebox does not have access to the SRTP authentication keys, it has no way to verify the authenticity of unencrypted RTP header extension elements (or the unencrypted RTP header), even though it can monitor them. Therefore, such middleboxes MUST treat such headers as untrusted and potentially generated by an attacker. I am curious of the MUST here. It seems strange. If you are a middlebox and you don't have access to the security context for this stream. Why should the header extensions be treated differently than non integrity protected packets? They are equally vulnerable from an attack perspective. I think the warning is good, but is the MUST really warranted? 12. Section A. As a warning. I haven't checked these values. Has anyone beyond the author sat down and made the calculations? Cheers Magnus On 2012-02-17 14:09, Roni Even wrote: > Hi, > > I would like to start a WGLC on Encryption of Header Extensions in the > Secure Real-Time Transport Protocol (SRTP) in > http://tools.ietf.org/html/draft-ietf-avtcore-srtp-encrypted-header-ext-01 > > > > This is the abstract of the draft: > > > > "The Secure Real-Time Transport Protocol (SRTP) provides authentication, but not encryption, of the headers of Real-Time Transport Protocol (RTP) packets. However, RTP header extensions may carry sensitive information for which participants in multimedia sessions want confidentiality. This document provides a mechanism, extending the mechanisms of SRTP, to selectively encrypt RTP header extensions in SRTP." > > > > > > Please send any comments by March 8^th . > > > > Thanks > > Roni Even > > > > > -- Magnus Westerlund ---------------------------------------------------------------------- Multimedia Technologies, Ericsson Research EAB/TVM ---------------------------------------------------------------------- Ericsson AB | Phone +46 10 7148287 Färögatan 6 | Mobile +46 73 0949079 SE-164 80 Stockholm, Sweden| mailto: magnus.westerlund@ericsson.com ----------------------------------------------------------------------
- Re: [AVTCORE] WGLC on Encryption of Header Extens… Magnus Westerlund
- [AVTCORE] WGLC on Encryption of Header Extensions… Roni Even
- Re: [AVTCORE] WGLC on Encryption of Header Extens… Roni Even