IETF Logo Mail Archive

Re: [Perc] Question on diet Design?

Eric Rescorla <ekr@rtfm.com> Thu, 23 March 2017 23:46 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: perc@ietfa.amsl.com
Delivered-To: perc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7724A129516 for <perc@ietfa.amsl.com>; Thu, 23 Mar 2017 16:46:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.598
X-Spam-Level:
X-Spam-Status: No, score=-2.598 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id a1UHgObaiXym for <perc@ietfa.amsl.com>; Thu, 23 Mar 2017 16:46:11 -0700 (PDT)
Received: from mail-yw0-x231.google.com (mail-yw0-x231.google.com [IPv6:2607:f8b0:4002:c05::231]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 44991129A8C for <perc@ietf.org>; Thu, 23 Mar 2017 16:46:09 -0700 (PDT)
Received: by mail-yw0-x231.google.com with SMTP id d191so30999710ywe.2 for <perc@ietf.org>; Thu, 23 Mar 2017 16:46:09 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=LKRiBvewd9ir0iA8kW8hb4JT0xGMkRP/9cWOT1Wi37U=; b=C4C+Mp1mXvgm2czODIe7mhBi7xBMx5jrqMG1GCjavJ4z2FcVdwhd3SiTaIoJhqNRRB 484cMNZL3nK8f+uJ3Pco/9GZvYB/IQ0M0hfpvRpmbDgJCCV1PfKBcniIlTBr668HG/HI akwWGYKI1rXIf0zYHkDcUI0l1e/A5kQ+a9o9uB5Mn8VTdWheWi8rMeXx0FAeTB2YcxA5 hyZqhT/m92DC1JIETmGtDAk0JM2rgWdUvLu/6ipGPj/PsLFQyANN9MYJKdl6HaNnCjJe yTH5ryhbQNeVULY1ikImxkHMSn/q110hWDrB/c//JWpDDpAkCbCeqvTPh9fD5oekN+AR zqmg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=LKRiBvewd9ir0iA8kW8hb4JT0xGMkRP/9cWOT1Wi37U=; b=YHqzQ3rBHPJNwjGGEGU4Elmq2+3lOcJ6Wt0ZwLIaIU9QDtxkNHJJKzzuys7Mwr7uge VtXehCTgddOi12/HCT2gfC/MZdsR57fcM/PUImh2ddB+r3tDN2Q3K5/cDQqdjgVZnLUO yNq9Z2TKK8vw73xR9WoHmai3Pk/IfNWc1SFgLi9JCgsdTBbZU8ARJJUe5TdYGD72ydwr qxc2MDS4zHsicBpGpeOsLyLMP/Qv+/jkZontuhwwvCnLdr2evhyQmX3ecwzhazKqixAF CbDZeTaJXNEx8XEzeyohju6LzBWNxeqMeH6c+IpJiz2pCuxj118FB7yKIg/fm1sF1bsO VB3A==
X-Gm-Message-State: AFeK/H3dnyKimPBKUImVxwbkJoU88Vhf17aT9K1YNNJLOqmGc2t7LP3V1vGskGDorXp2Sci3fepIw6yc0dR6Pg==
X-Received: by 10.13.204.206 with SMTP id o197mr4076892ywd.87.1490312768429; Thu, 23 Mar 2017 16:46:08 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.129.154.210 with HTTP; Thu, 23 Mar 2017 16:45:27 -0700 (PDT)
In-Reply-To: <em8cc80c10-b9a1-4c1c-9f13-098d43739673@sydney>
References: <CABcZeBPbFJYyCBUGhtryn1Z6W9feLUiS-sVB+HM7UUUR3-ZbQg@mail.gmail.com> <em918d187a-1839-494c-a969-b298d03965d7@sydney> <CABcZeBNFSmM4VjKzKLmrTzTEMxke=gYzH7x9GuhPcv=gFqRvQQ@mail.gmail.com> <ema2355ca7-fc19-48f6-972e-7dd73ac7a9a9@sydney> <CABcZeBMXWoQ1jeDFGUU2maO3ehJ4Z9-o6_pckUaC_wbmNPPnGg@mail.gmail.com> <emba00a16e-6ca9-41ac-85ae-e53f6115c95c@sydney> <CABcZeBPSATAonu87OaJuUX1QWkuPufi=HpKQQ5AZZB6ZWP759A@mail.gmail.com> <emb912fdf7-1123-46c4-ba3d-8ff4d73e87b2@sydney> <CABcZeBNFbpAKu-PkuB+zxxpduJStViJX=_xZD5s7R4ejCMx5FA@mail.gmail.com> <em8cc80c10-b9a1-4c1c-9f13-098d43739673@sydney>
From: Eric Rescorla <ekr@rtfm.com>
Date: Thu, 23 Mar 2017 16:45:27 -0700
Message-ID: <CABcZeBOyvQ2zZkr4Z5jnjNJ=CAoMWbYws6QN-TSgv_KZvaWgyA@mail.gmail.com>
To: "Paul E. Jones" <paulej@packetizer.com>
Cc: perc@ietf.org
Content-Type: multipart/alternative; boundary="001a114e6b3c2abcf3054b6e7bbf"
Archived-At: <https://mailarchive.ietf.org/arch/msg/perc/-VD9xO9CSaX9vOsIEen2dgYAjUE>
Subject: Re: [Perc] Question on diet Design?
X-BeenThere: perc@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Privacy Enhanced RTP Conferencing <perc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/perc>, <mailto:perc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/perc/>
List-Post: <mailto:perc@ietf.org>
List-Help: <mailto:perc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/perc>, <mailto:perc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 23 Mar 2017 23:46:13 -0000

On Thu, Mar 23, 2017 at 4:31 PM, Paul E. Jones <paulej@packetizer.com>
wrote:

> Ekr,
>
> The SSRC is used in the IV when encrypting packets, but not directly in
> the KDF to derive k_e, k_a, or k_s.  That said, that will avoid the
> two-time pad problem.
>

Sure, my mistake. In any case, it's not a problem for multiple SSRCs.


Current guidance is that a given key should not be used more than 2^48
> times.  By how much would having 1,000 participants in a conference sending
> a total of 2,000 media flows using keys derived from the same K_g reduce
> key lifetime?
>

These are totally unrelated. The guidance is about the lifetime of a single
GCM key, not about
the keying material from which it was derived.


I'm still struggling with the overall benefit, though.  With both, we have
> a need to exchange keying material, thus a need for DTLS-SRTP + EKT (or
> other) procedures.
>
> With EKT, an endpoint sends its SRTP master key and ROC  periodically.
> AES_Keywrap() doesn't have to be called on every packet, since the
> ciphertext is static.  Other than the size of the EKT field (which we could
> reduce and which is only sent periodically), it doesn't seem like a burden.
>
> What you're proposing will require assignment of a unique participant
> identifier (which we can do over the DTLS tunnel) and sending that ID and
> the ROC periodically in packets.
>
> It seems roughly the same in terms of complexity, with the K_g approach
> (ID || ROC) perhaps using slightly fewer bits on the wire compared to the
> the EKT field.
>
> I'd like to hear others weigh in on pros/cons.  I don't want to send
> negative signals if others favor this approach.  Other than my question on
> key lifetime impact, the K_g approach seems fine.
>

Well, at the moment, I'm just trying to understand what the current design
is supposed
to achieve, and that means getting clear on what keying material you are
trying to
establish.

In that process, I am seeing some things that make me sad in particular;

- Having two key transport phases, which is pretty hard to wrap your head
around,
though perhaps it's just a writing issue.
- Grabbing a DTLS code point (why can't you just shove this in the
application data),
so I'm trying to remove that [0].

So I'm trying to push on what's really needed.

-Ekr

[0] I concede that what I wrote above doesn't do that, but reducing the
number of
key wrap phases might let us do so, for instance by carrying K_g in EKT.


> Paul
>
> ------ Original Message ------
> From: "Eric Rescorla" <ekr@rtfm.com>
> To: "Paul E. Jones" <paulej@packetizer.com>
> Cc: perc@ietf.org
> Sent: 3/23/2017 7:12:51 AM
> Subject: Re: [Perc] Question on diet Design?
>
> It's part of the SRTP KDF.
>
> -Ekr
>
>
> On Wed, Mar 22, 2017 at 9:42 PM, Paul E. Jones <paulej@packetizer.com>
> wrote:
>
>> Eric,
>>
>> I think what you propose would work, but each stream from a given
>>> endpoint would need to have a unique key since we do not want the any two
>>> media flows using the same key. Thus, I think we'd need:
>>>   KDF(K_g, ID || stream_id)
>>>
>>
>> The SSRC addresses that, no?
>>
>>
>> Yeah, SSRC is fine for that.  We just need to ensure it is a part of the
>> KDF input.
>>
>> Paul
>>
>
>

v2.23.0 | Report a Bug | By Email