Re: [Cfrg] SRTP with SHA2?

Jon Callas <> Fri, 01 July 2011 22:27 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 3A7D111E80FB for <>; Fri, 1 Jul 2011 15:27:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -0.494
X-Spam-Status: No, score=-0.494 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FH_RELAY_NODNS=1.451, HELO_MISMATCH_COM=0.553, HTML_MESSAGE=0.001, RDNS_NONE=0.1]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id ToDDN6JOb-kc for <>; Fri, 1 Jul 2011 15:27:35 -0700 (PDT)
Received: from (unknown []) by (Postfix) with ESMTP id 45F4811E8085 for <>; Fri, 1 Jul 2011 15:27:34 -0700 (PDT)
Received: from localhost (localhost []) by (Postfix) with ESMTP id 9D3EB2E107 for <>; Fri, 1 Jul 2011 15:28:11 -0700 (PDT)
Received: from ([]) by localhost (host.domain.tld []) (amavisd-maia, port 10024) with ESMTP id 09750-01 for <>; Fri, 1 Jul 2011 15:28:09 -0700 (PDT)
Received: from ( []) (Authenticated sender: jon) by (Postfix) with ESMTPA id 4381F2E101 for <>; Fri, 1 Jul 2011 15:28:09 -0700 (PDT)
Received: from ([]) by (PGP Universal service); Fri, 01 Jul 2011 15:27:31 -0700
X-PGP-Universal: processed; by on Fri, 01 Jul 2011 15:27:31 -0700
Mime-Version: 1.0 (Apple Message framework v1084)
From: Jon Callas <>
In-Reply-To: <>
Date: Fri, 1 Jul 2011 15:27:30 -0700
Message-Id: <>
References: <>
To: "Severns-Williams, Christine E (Christine)" <>
X-Mailer: Apple Mail (2.1084)
X-PGP-Encoding-Format: MIME
X-PGP-Encoding-Version: 2.0.2
Content-Type: multipart/signed; boundary="PGP_Universal_90FBED5B_ECF6AB71_D065C845_62C6BB0F"; protocol="application/pgp-signature"; micalg="pgp-sha1"
X-Virus-Scanned: Maia Mailguard
Subject: Re: [Cfrg] SRTP with SHA2?
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Crypto Forum Research Group <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 01 Jul 2011 22:27:37 -0000

On Jun 30, 2011, at 10:40 AM, Severns-Williams, Christine E (Christine) wrote:

> Hi All,
>   I’m not sure this is really the right mail list for this question.  But I see SHA2 being added to many security protocols (IPsec, TLS, etc) and discussion of other algorithms fading such as MD5.
> I know SRTP supports AES-CM (128, 192, 256), AES-f8, and there is a draft for AES-CCM and AES-GCM (128 and 256).
> Has anyone considered or is looking at using/adding SHA2 to the SRTP protocol?     Just curious.
> I know the digest size is larger but it could still be truncated. 

You could, but there's no real need, and a number of reasons not to.

SRTP uses HMAC-SHA1 for integrity, and even provides for truncated integrity. If you believe that 80 bits of security is enough and that lots of times 32 bits is fine, then SHA256 is overkill. HMACs don't have the weaknesses that a straight hash does. You don't gain anything by using a truncated SHA256, security-wise.

(The truncated integrity is reasonable in many applications, particularly those where the payload is simply media. If the media has other integrity checks in it, even better. Suppose, for example, that the total payload was audio on the X codec, and if the X codec gets thrown into a bogus state, it will discard the packet. In this case, not only does the codec supply secondary authentication, but should a bad packet actually be inserted into the media stream, the only effect of that is an audio glitch. Almost certainly that glitch will just be a blip of noise.)

However, SHA256 is slower than SHA1, and since you're using it in an HMAC, you're having to do two hashes. That's big, from a performance point of view.

In many environments, the lion's share of the crypto cost for SRTP is that SHA1 HMAC. It is often over 2/3 of the total cost. Switching to SHA256 could bring the integrity cost to 80% or more of the total crypto cost, as well as driving it up, not down.

The real need for SRTP is to find an integrity check that's faster. That's something that ZRTP (RFC 6189) does. (Full disclosure: I'm a ZRTP co-author.) Some ZRTP implementations found that 75% of the cost of the crypto was that HMAC. So ZRTP provides the option to use the one-pass MAC feature of the Skein-512 hash function, which is one of the SHA3 finalists. (Full disclosure: I'm a Skein co-author, as well.) Not only is Skein-512 faster than SHA1, often running at 2/3 the speed of SHA1, but the one-pass MAC means you're only doing one hash, not two. That means that a Skein-MAC has only 1/3 the cost of HMAC-SHA1! It also has at least as good security as SHA256, so you get both better security and better performance.

(In the name of the algorithm, the -512 refers to the internal state size of Skein, not the output size. All three variants of Skein (256, 512, 1024) can have any length output. When you might want whatever internal state size is a long discussion that I could bore you at great length on. I believe that Skein-512 is adequate for any reasonable use.)