Re: [AVTCORE] I-D Action: draft-ietf-avtcore-srtp-aes-gcm-11.txt
John Mattsson <john.mattsson@ericsson.com> Fri, 04 April 2014 14:41 UTC
Return-Path: <john.mattsson@ericsson.com>
X-Original-To: avt@ietfa.amsl.com
Delivered-To: avt@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0A1B31A018C for <avt@ietfa.amsl.com>; Fri, 4 Apr 2014 07:41:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.851
X-Spam-Level:
X-Spam-Status: No, score=-3.851 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_EQ_SE=0.35, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Pl3FLcRgNsGF for <avt@ietfa.amsl.com>; Fri, 4 Apr 2014 07:41:53 -0700 (PDT)
Received: from mailgw1.ericsson.se (mailgw1.ericsson.se [193.180.251.45]) by ietfa.amsl.com (Postfix) with ESMTP id C383E1A014E for <avt@ietf.org>; Fri, 4 Apr 2014 07:41:52 -0700 (PDT)
X-AuditID: c1b4fb2d-b7f328e0000012ab-b3-533ec4ab74d3
Received: from ESESSHC020.ericsson.se (Unknown_Domain [153.88.253.124]) by mailgw1.ericsson.se (Symantec Mail Security) with SMTP id A5.41.04779.BA4CE335; Fri, 4 Apr 2014 16:41:47 +0200 (CEST)
Received: from ESESSMB307.ericsson.se ([169.254.7.185]) by ESESSHC020.ericsson.se ([153.88.183.78]) with mapi id 14.03.0174.001; Fri, 4 Apr 2014 16:41:46 +0200
From: John Mattsson <john.mattsson@ericsson.com>
To: "avt@ietf.org" <avt@ietf.org>
Thread-Topic: [AVTCORE] I-D Action: draft-ietf-avtcore-srtp-aes-gcm-11.txt
Thread-Index: AQHPTbHqYA0+4J/QFkaFglVygy3scZr8rzOAgASIoQCAAFT1gA==
Date: Fri, 04 Apr 2014 14:41:46 +0000
Message-ID: <CF648E69.13E07%john.mattsson@ericsson.com>
References: <20140401135432.22732.42412.idtracker@ietfa.amsl.com> <533ACC0F.9060103@ericsson.com> <CF6432F5.13D01%john.mattsson@ericsson.com>
In-Reply-To: <CF6432F5.13D01%john.mattsson@ericsson.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/14.3.9.131030
x-originating-ip: [153.88.183.18]
Content-Type: text/plain; charset="utf-8"
Content-ID: <C97917DF1BAB6948A607ED5BACB373B6@ericsson.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFrrBLMWRmVeSWpSXmKPExsUyM+Jvje7qI3bBBicXKlq87FnJ7sDosWTJ T6YAxigum5TUnMyy1CJ9uwSujCtfeAvOBFc8n3adrYFxR2AXIyeHhICJxOL26WwQtpjEhXvr gWwuDiGBw4wSv38ehHIWM0rc3/COBaSKTcBAYu6eBrAOEQFFidZrnxlBbGEBT4mdp6awdjFy AMW9JHZNkYcocZK4+n8dE4jNIqAicfTKVLByXgFziZ3vp0LN72eUOHD2AitIglPAQuLskx3M IDYj0EXfT60Ba2YWEJe49WQ+E8SlAhJL9pxnhrBFJV4+/gfWKyqgJ3Hv0VwWiLiixMdX+xhB 7mEW0JRYv0sfYoy1xOXmi+wQtqLElO6H7BD3CEqcnPmEZQKj+Cwk22YhdM9C0j0LSfcsJN0L GFlXMbLnJmbmpJcbbmIExs7BLb91dzCeOidyiFGag0VJnPfDW+cgIYH0xJLU7NTUgtSi+KLS nNTiQ4xMHJxSDYx+FutWhy28c8CZse9UxTL1sKznp6XO3LC7Ej9lofLztSt3fzJ83cob7/i2 dKLuZY51f1eu1vI3OMt2fkaqxqpW0efcnNd/C3Hlf75Xtn1xZtW6Nbs82bd2/tZtVWvU33PS gJXpguiR/8cjRbZm3PhfsP3yQeMct13238tEG0Q+L93K+iTrhCW7EktxRqKhFnNRcSIAwiFj L2sCAAA=
Archived-At: http://mailarchive.ietf.org/arch/msg/avt/k6x4wKA8SlgOTXF05Jx-9gf3JSc
Subject: Re: [AVTCORE] I-D Action: draft-ietf-avtcore-srtp-aes-gcm-11.txt
X-BeenThere: avt@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Audio/Video Transport Core Maintenance <avt.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/avt>, <mailto:avt-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/avt/>
List-Post: <mailto:avt@ietf.org>
List-Help: <mailto:avt-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/avt>, <mailto:avt-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 04 Apr 2014 14:41:58 -0000
After checking more carefully I see that some of my previous comments were only partly fixed. The P_MAX misalignment (or?) with RFC5116 needs to be addressed in some way. Cheers John Previous comments not addressed or only partly fixed --------------------- - [RFC5116] states that P_MAX is 2^24 - 1 octets for CCM. While your draft states Section 6: P_MAX = 2^28 – 16 Section 11: C_MAX = 2^28 Section 14: Maximum block counter = 2^24-1 After reading the NIST specification for CCM I see that P_MAX is not only bound by the length of the block counter but also the variable q, which in RFC5116 is set to 3 => P_MAX < 2^24 - 1 octets. The values in RFC5116 therefore seem correct to me and must not be exceeded (unless you increase q). The values in your draft should therefore probably be (assuming you want block length alignment): P_MAX (and keystream) = 2^24-16 octets C_MAX = 2^24 octets Maximum block counter = 2^20-1 As you have not fixed this, can you please comment how the values are in line with RFC5116? Unless they are, this needs to be addressed in some way. > - The values for the maximum number on invocations (2^48 and 2^31) > for GCM_8 do not seem to agree with the constraints in Appendix C > of 800-38D. This seems to be missing in RFC5285 as well. You have only updated parts of the document. Section 11 and Section 13.1, still has (2^48 and 2^31) for GCM_8 and GCM in general. Maybe add a specific value for GCM_8 in section 11. > - The values for the maximum Ciphertext length for GCM_8 do not > seem to agree with the constraints in Appendix C of 800-38D: "For > any implementation that supports 32-bit or 64-bit tags, one of the > rows in Table 1 or Table 2, respectively, shall be enforced." This > seems to be missing in RFC5285 as well. To be more specific, I mean the general GCM value 2^36-16 given in Section 11. Maybe add a specific value for GCM_8. > - [s9.2, s10.2, s10.3] The SRT(C)P MKI and the SRT(C)P > authentication tag both have variable lengths (i.e. not 32 bit). 10.2 still states: “The 32-bit optional SRTCP MKI index and 32-bit SRTCP authentication tag” > - [Figure 2,4,5] I suggest writing "SRTP authentication tag" and > "SRTCP authentication tag" instead of just "authentication tag". Figure 6 still has “authentication tag” instead of “SRTCP authentication tag” > - [s13] In the tables, shouldn’t ”Default key lifetime” be ”Maximum > key lifetime” You made this change in 13.2 but not in 13.1 > - [s15.3] If there is a default key length, there should also be a > default "AEAD authentication tag length" You have instead added “Default Auth Tag Length” = 16, which I think is wrong. The default “Authentication tag length” when using AEAD should be 0. > - [s17] If you would like to thank my Ericsson colleagues, their > names are "Westerlund" and "Ohlsson" On 04/04/14 11:37, "John Mattsson" <john.mattsson@ericsson.com> wrote: >Hi, > >In general I think this updated version looks good! > >I’ll have at least one remaining issue (relating to RFC5116) that I >commented on before and did not get any reply on, but I’ll make a separate >post about that when I have looked through my previous comments. > >Cheers John > > >Here are some comments on the new text: >--------------------------------------------------------------------- > >- [s3] “AES-GCM and AES-CCM to work with SDES, DTLS and MIKEY” > >-> “AES-GCM and AES-CCM to work with SDES, DTLS-SRTP and MIKEY” > >- [s9.2] “Payload Type PT (8 bits)” >-> “Payload Type PT (7 bits)” > >- [s10.4] “SRTCP cycles back to the starting value” >-> “SRTCP index cycles back to the starting value” > >- “SRTCP MKI”, is for some reason called “SRTCP MKI index”? > >- “optional” and “OPTIONAL” is both used in the figures: > >“SRTP MKI (OPTIONAL)” >“SRTCP MKI (optional)” >“contributing source (CSRC) identifiers (optional)” >“RTP extension (OPTIONAL)” > >- [s14.1] “IV uniqueness is ensured by the inclusion of SSRC/ROC/SEQ or >SRTCP Index in the IV” > >As SSRC is used even for SRTCP, maybe better to write “SSRC/ROC/SEQ or >SSRC/SRTCP Index” > >- [s14.1] “the first block of key produced” >->“the first block of keystream produced” > >- [Table 15] For 16 byte tags, the values for CCM and GCM are swapped. > > > >------------------------------------------------------------- > >JOHN MATTSSON >MSc Engineering Physics, MSc Business Administration and Economics >Ericsson IETF Security Coordinator >Senior Researcher, Security > >Ericsson AB >Security Research >Färögatan 6 >SE-164 80 Stockholm, Sweden >Phone +46 10 71 43 501 >SMS/MMS +46 76 11 53 501 >john.mattsson@ericsson.com >www.ericsson.com <http://www.ericsson.com/> > > > > > > >On 01/04/14 16:24, "Magnus Westerlund" <magnus.westerlund@ericsson.com> >wrote: > >>WG, >> >>As result of the AD review and some comments within the WG, a number of >>changes has been done to this document. I will let the authors comment >>on what changes has been done. >> >>Anyway, before progressing to IETF last call, I like to have the WG have >>one week until the 8th of April to review the changes to this document. >>So please any comments on these changes as soon as possible. >> >>Cheers >> >>Magnus >> >>On 2014-04-01 15:54, internet-drafts@ietf.org wrote: >>> >>> A New Internet-Draft is available from the on-line Internet-Drafts >>>directories. >>> This draft is a work item of the Audio/Video Transport Core >>>Maintenance Working Group of the IETF. >>> >>> Title : AES-GCM and AES-CCM Authenticated Encryption >>>in Secure RTP (SRTP) >>> Authors : David A. McGrew >>> Kevin M. Igoe >>> Filename : draft-ietf-avtcore-srtp-aes-gcm-11.txt >>> Pages : 36 >>> Date : 2014-04-01 >>> >>> Abstract: >>> This document defines how AES-GCM and AES-CCM Authenticated >>> Encryption with Associated Data algorithms can be used to provide >>> confidentiality and data authentication in the SRTP protocol. >>> >>> >>> >>> The IETF datatracker status page for this draft is: >>> https://datatracker.ietf.org/doc/draft-ietf-avtcore-srtp-aes-gcm/ >>> >>> There's also a htmlized version available at: >>> http://tools.ietf.org/html/draft-ietf-avtcore-srtp-aes-gcm-11 >>> >>> A diff from the previous version is available at: >>> http://www.ietf.org/rfcdiff?url2=draft-ietf-avtcore-srtp-aes-gcm-11 >>> >>> >>> Please note that it may take a couple of minutes from the time of >>>submission >>> until the htmlized version and diff are available at tools.ietf.org. >>> >>> Internet-Drafts are also available by anonymous FTP at: >>> ftp://ftp.ietf.org/internet-drafts/ >>> >>> _______________________________________________ >>> Audio/Video Transport Core Maintenance >>> avt@ietf.org >>> https://www.ietf.org/mailman/listinfo/avt >>> >>> >> >> >>-- >> >>Magnus Westerlund >> >>---------------------------------------------------------------------- >>Services, Media and Network features, Ericsson Research EAB/TXM >>---------------------------------------------------------------------- >>Ericsson AB | Phone +46 10 7148287 >>Färögatan 6 | Mobile +46 73 0949079 >>SE-164 80 Stockholm, Sweden | mailto: magnus.westerlund@ericsson.com >>---------------------------------------------------------------------- >> >>_______________________________________________ >>Audio/Video Transport Core Maintenance >>avt@ietf.org >>https://www.ietf.org/mailman/listinfo/avt >
- [AVTCORE] I-D Action: draft-ietf-avtcore-srtp-aes… internet-drafts
- Re: [AVTCORE] I-D Action: draft-ietf-avtcore-srtp… Magnus Westerlund
- Re: [AVTCORE] I-D Action: draft-ietf-avtcore-srtp… John Mattsson
- Re: [AVTCORE] I-D Action: draft-ietf-avtcore-srtp… John Mattsson
- [AVTCORE] FW: I-D Action: draft-ietf-avtcore-srtp… Igoe, Kevin M.
- Re: [AVTCORE] FW: I-D Action: draft-ietf-avtcore-… John Mattsson
- Re: [AVTCORE] FW: I-D Action: draft-ietf-avtcore-… Igoe, Kevin M.