[AVTCORE] Comments on draft-ietf-avtcore-aria-srtp-01
Magnus Westerlund <magnus.westerlund@ericsson.com> Wed, 08 May 2013 14:07 UTC
Return-Path: <prvs=5840aa5913=magnus.westerlund@ericsson.com>
X-Original-To: avt@ietfa.amsl.com
Delivered-To: avt@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C7ECF21F8FB6 for <avt@ietfa.amsl.com>; Wed, 8 May 2013 07:07:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -105.41
X-Spam-Level:
X-Spam-Status: No, score=-105.41 tagged_above=-999 required=5 tests=[AWL=0.839, BAYES_00=-2.599, HELO_EQ_SE=0.35, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XBJUJJp9Yc4C for <avt@ietfa.amsl.com>; Wed, 8 May 2013 07:07:46 -0700 (PDT)
Received: from mailgw7.ericsson.se (mailgw7.ericsson.se [193.180.251.48]) by ietfa.amsl.com (Postfix) with ESMTP id 21EC621F8FA9 for <avt@ietf.org>; Wed, 8 May 2013 07:07:45 -0700 (PDT)
X-AuditID: c1b4fb30-b7f3a6d0000007a4-e3-518a5c30ba09
Received: from esessmw0247.eemea.ericsson.se (Unknown_Domain [153.88.253.125]) by mailgw7.ericsson.se (Symantec Mail Security) with SMTP id DB.AB.01956.03C5A815; Wed, 8 May 2013 16:07:44 +0200 (CEST)
Received: from [127.0.0.1] (153.88.115.8) by esessmw0247.eemea.ericsson.se (153.88.115.94) with Microsoft SMTP Server id 8.3.279.1; Wed, 8 May 2013 16:07:44 +0200
Message-ID: <518A5C25.4050204@ericsson.com>
Date: Wed, 08 May 2013 16:07:33 +0200
From: Magnus Westerlund <magnus.westerlund@ericsson.com>
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/20130328 Thunderbird/17.0.5
MIME-Version: 1.0
To: draft-ietf-avtcore-aria-srtp@tools.ietf.org, IETF AVTCore WG <avt@ietf.org>
X-Enigmail-Version: 1.5.1
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 8bit
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFvrAJMWRmVeSWpSXmKPExsUyM+Jvra5BTFegwayz2hYve1ayW0yeLODA 5LFkyU8mjy+XP7MFMEVx2yQllpQFZ6bn6dslcGdc3HCEpWCee8Xio9uZGhj/GXQxcnJICJhI LHs1gRnCFpO4cG89G4gtJHCKUWLlJO4uRi4gexmjxLpLJ1hAErwC2hJL5s0Ds1kEVCR6V/9m BLHZBCwkbv5oBGrm4BAVCJbY2hoDUS4ocXLmE7ByEYEgibWLu8B2CQPtXbn5BtReSYktL9rZ QWxmAT2JKVdbGCFseYnmrbOZIe7Rlmho6mCdwMg/C8nYWUhaZiFpWcDIvIqRPTcxMye93HwT IzDADm75bbCDcdN9sUOM0hwsSuK8yVyNgUIC6YklqdmpqQWpRfFFpTmpxYcYmTg4QQSXVANj cXT37+RNAYyyKUdn9N2YGVaoqvMzQmSBduje9i3TJHwZla7M89+/5dHWrdN2C/PYTjjyr+Fc Tb5E747j0/fNbFv5P+fw7AW/C79/FfIynGp3brpKfX771d46Nov9ya4F745pFShrWOW41rLy rNhoNXdPDP+tw6UXlhSH18c2RTBFLf2o0/pWiaU4I9FQi7moOBEAWndvVAMCAAA=
Subject: [AVTCORE] Comments on draft-ietf-avtcore-aria-srtp-01
X-BeenThere: avt@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Audio/Video Transport Core Maintenance <avt.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/avt>, <mailto:avt-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/avt>
List-Post: <mailto:avt@ietf.org>
List-Help: <mailto:avt-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/avt>, <mailto:avt-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 08 May 2013 14:07:53 -0000
Hi, I have reviewed draft-ietf-avtcore-aria-srtp-01 and have some comments. Please review these and don't hesitate to ask for clarification or disagree with them. 1) Section 2: (1) ARIA in Counter Mode, (2) ARIA in Counter with CBC-MAC (CCM) Mode and (3) ARIA in Galois/Counter Mode (GCM). As you in the next heading are using ARIA-CTR shouldn't (CTR) be added as acronym for (1)? 2) Section 2.1 and 4: What are the security implications of using a 256 bit key length for the crypto but have as weak integrity protection as SAH1 32 bits? I think you need to discuss the implications of this, it doesn't appear to be particular balanced. 3) Section 2.2: The internet draft[I-D.ietf-avtcore-srtp-aes-gcm] describes the use of AES-GCM and AES-CCM with SRTP. The use of ARIA-CCM and ARIA-GCM with SRTP is defined the same as that of AES-CCM and AES-GCM. Looking in AES-GCM it appears to define a generic AEAD procedures for SRTP cipher suits. Can you please be more explicit and clear on how you use that generic procedure? 4) Section 2.1, 2.2: These procedures are define by reference to existing algorithms like these sentences: ARIA counter modes are defined in a similar manner, and are denoted by ARIA_128_CTR, ARIA_192_CTR and ARIA_256_CTR respectively, according to the key lengths. The plaintext inputs to the block cipher are formed as in AES-CTR(AES_CM, AES_192_CM, AES_256_CM) and the block cipher outputs are processed as in AES-CTR. The internet draft[I-D.ietf-avtcore-srtp-aes-gcm] describes the use of AES-GCM and AES-CCM with SRTP. The use of ARIA-CCM and ARIA-GCM with SRTP is defined the same as that of AES-CCM and AES-GCM. I think using words as "similar" and not being very explicit about what procedures from the other specification that applies here provide some risk for misunderstanding. I hope you can be more explicit and clear on which procedures and usage are applicable. 5) Section 3): The ARIA- CTR PRF is defined in a similar manner, but with each invocation of AES replaced with an invocation of ARIA. Similar to the above comment, using "similar" rather than same. Please be normative defining here. 6) Cipher suit definitions: According to Section 8.2 of RFC 3711 the following parameters are defined and have the specified default values: Parameter Mandatory-to-support Default --------- -------------------- ------- SRTP and SRTCP encr transf. AES_CM, NULL AES_CM (Other possible values: AES_f8) SRTP and SRTCP auth transf. HMAC-SHA1 HMAC-SHA1 SRTP and SRTCP auth params: n_tag (tag length) 80 80 SRTP prefix_length 0 0 Key derivation PRF AES_CM AES_CM Key material params (for each master key): master key length 128 128 n_e (encr session key length) 128 128 n_a (auth session key length) 160 160 master salt key length of the master salt 112 112 n_s (session salt key length) 112 112 key derivation rate 0 0 key lifetime SRTP-packets-max-lifetime 2^48 2^48 SRTCP-packets-max-lifetime 2^31 2^31 from-to-lifetime <From, To> MKI indicator 0 0 length of the MKI 0 0 value of the MKI Are really these default value correct for these cipher suits. For example is still a 112 bit salt used for 256 bits keylengts? For ARIA_256_CTR clearly the key derivation PRF is not AES_CM? Thus I would suggest that you include the actual tables for the different cipher suits that you define with their relevant values. 7) Section 5. A) I would suggest creating different sub-section for each registry that is being manipulated. B) You are not providing the explicit names for the IANA Registries that you are adding into. Please go to IANA and copy and paste the names from the relevant registries into IANA section. For example: IANA is requested to add the below crypto suites to the "SRTP Crypto Suite Registrations" created by [RFC4568], at time of writing located on the following IANA page: http://www.iana.org/assignments/sdp-security-descriptions/sdp-security-descriptions.xml#sdp-security-descriptions-3 Thus making it very clear which registry the listed values should be added to. 8) Section 5: Looking in RFC 5764 in Section 4.1.2 the registered SRTP protection profiles for DTLS each have a block defined like this: SRTP_AES128_CM_HMAC_SHA1_80 cipher: AES_128_CM cipher_key_length: 128 cipher_salt_length: 112 maximum_lifetime: 2^31 auth_function: HMAC-SHA1 auth_key_length: 160 auth_tag_length: 80 See also the AES-GCM draft that also includes tehm including some AEAD specifics like this one: AEAD_AES_256_GCM_8 cipher: AES_256_GCM cipher_key_length: 256 bits cipher_salt_length: 96 bits aead_auth_tag_length: 8 octets auth_function: NULL auth_key_length: N/A auth_tag_length: N/A maximum lifetime: at most 2^31 SRTCP packets and at most 2^48 SRTP packets I would recommend that you add these. 9) Section 5: [RFC3830] and [RFC5748] define encryption algorithms and PRFs for the SRTP policy in MIKEY. In order to allow the use of the algorithms defined in this document in MIKEY, IANA is requested to allocate the following numbers in the MIKEY sub-registries. SRTP Enc. alg | Value ---------------------- NULL | 0 AES-CM | 1 AES-F8 | 2 SEED-CTR | 3 SEED-CCM | 4 SEED-GCM | 5 ARIA-128-CTR | 6 (NEW) ARIA-128-CCM | 7 (NEW) ARIA-128-GCM | 8 (NEW) ARIA-128-GCM-8 | 9 (NEW) ARIA-128-GCM-12| 10 (NEW) Figure 4: Figure 1 from RFC 5748 (revised) A) Please don't suggest new values that hasn't been formally assigned yet, better to write them as TBA or TBD (To Be Assigned / Decided). B) To my understanding with MIKEY's structure the above registry (Encryption algorithm (Value 0)) actually should not include the key-length as that is a separate parameter in MIKEY. See MIKEY Security Protocol Parameters on the http://www.iana.org/assignments/mikey-payloads/mikey-payloads.xml IANA page. C) You should definitely look at the AES-GCM drafts IANA section, especially Section 14.3: 14.3. MIKEY In accordance with "MIKEY: Multimedia Internet KEYing" [RFC3830], IANA maintains several Payload Name Spaces under Multimedia Internet KEYing (MIKEY). This document requires additions to two of the lists maintained under MIKEY Security Protocol Parameters. On the SRTP policy Type/Value list (derived from Table 6.10.1.a of [RFC3830]) we request the following addition: Type | Meaning | Possible values ---------------------------------------------------------------- TBD | AEAD authentication tag length | 8, 12, or 16 (in octets) On the Encryption Algorithm List (derived from Table 6.10.1.b of [RFC3830]) we request the following additions: SRTP encr alg. | Value | Default Session Encr. Key Length ----------------------------------------------------------- AES-CCM | TBD | 16 octets AES-GCM | TBD | 16 octets The SRTP encryption algorithm, session encryption key length, and AEAD authentication tag values received from MIKEY fully determine the AEAD algorithm (e.g., AEAD_AES_256_GCM_8). The exact mapping is described in section 15. 10) Test Vectors Have you considered including test vectors like RFC 6188? Cheers Magnus Westerlund ---------------------------------------------------------------------- Multimedia Technologies, Ericsson Research EAB/TVM ---------------------------------------------------------------------- Ericsson AB | Phone +46 10 7148287 Färögatan 6 | Mobile +46 73 0949079 SE-164 80 Stockholm, Sweden| mailto: magnus.westerlund@ericsson.com ----------------------------------------------------------------------
- [AVTCORE] Comments on draft-ietf-avtcore-aria-srt… Magnus Westerlund
- Re: [AVTCORE] Comments on draft-ietf-avtcore-aria… Woo-Hwan Kim
- Re: [AVTCORE] Comments on draft-ietf-avtcore-aria… Magnus Westerlund
- [AVTCORE] Re: Comments on draft-ietf-avtcore-aria… Woo-Hwan Kim