Re: [Perc] Question on diet Design?
Eric Rescorla <ekr@rtfm.com> Wed, 22 March 2017 00:04 UTC
Return-Path: <ekr@rtfm.com>
X-Original-To: perc@ietfa.amsl.com
Delivered-To: perc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 67E3F128708 for <perc@ietfa.amsl.com>; Tue, 21 Mar 2017 17:04:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.598
X-Spam-Level:
X-Spam-Status: No, score=-2.598 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pvzrVCZPoAAn for <perc@ietfa.amsl.com>; Tue, 21 Mar 2017 17:04:55 -0700 (PDT)
Received: from mail-yw0-x236.google.com (mail-yw0-x236.google.com [IPv6:2607:f8b0:4002:c05::236]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 828CB127977 for <perc@ietf.org>; Tue, 21 Mar 2017 17:04:55 -0700 (PDT)
Received: by mail-yw0-x236.google.com with SMTP id i203so5788149ywc.3 for <perc@ietf.org>; Tue, 21 Mar 2017 17:04:55 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=ghyHUhXjom0AUPGCINSOZp+M6IHG3e+ARvl/f7jS9Ow=; b=2AGGRG90EZxUOLT74plyuCaKmNcEgsupAL2n7oVWJUHl0jDNpcYJH4hlz3RvnCa7en d/RLeoqAm4HcG641E9fhT2x+2sA75S3UH+54TerPr8JffBLCaBcfxsbd8TGTX8hJ8uYM 5PVSRgfBYuoqEqHZd4eIR4mpgNgO7mO3uVAHoqqzXf1gD1UxGoKoBt0C/PpxR2p81gAV G0NN+Z2iuU5sGjtJB1nVpsBB8vpMdYGlDesEt+ymDpUT4v8G4wXAtt2Kfz+g3Kg7sStm NMzdq4snt7V5BXAnXRJYyKjmYFeEIFAjkqZJ83IC9APGElkyYTR0lrAglMSL2d/E3nnF 2lkg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=ghyHUhXjom0AUPGCINSOZp+M6IHG3e+ARvl/f7jS9Ow=; b=Mlnpi3ras5zltu9vnZCcPIbv/fgMW/1cxqZgNtq5LIjRhRIqfSWpqMZMZb0oRiWmRE p2/83Bqd2RH+78jqSt5Z5wGbcH5gfX0Nc06qwqpo6ROTpBMBG4qbIjst3OQj+nyVIFaA vigWCXUFr5yo9K6KECzPh7DO3h/ct3SZFLe3qAXA+bZNZNHTu+/KcvV7WKv5icMcaFWc Xvk2CeCmy7F485UNmUtycr+VC5hJU/7lpHpIVHnvq9wTBMiBTGt7F/wUbfYz9AXMg8Ag 9AlD7yuLTDadZ19ftPajUxzfW5UWSYyVfLd+oBDy1+Wx0blYOGtSg0AxKfBfJQnyt2yI ljbA==
X-Gm-Message-State: AFeK/H3Razxjk7txZhjrNAJwmvFKEWaG0t/kn2zK/YsN5QBPUlGJBxxUtWgT55Quz9TArNTTaiLoJ9cpH2cp1w==
X-Received: by 10.13.204.142 with SMTP id o136mr750564ywd.87.1490141094641; Tue, 21 Mar 2017 17:04:54 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.129.154.210 with HTTP; Tue, 21 Mar 2017 17:04:14 -0700 (PDT)
In-Reply-To: <em918d187a-1839-494c-a969-b298d03965d7@sydney>
References: <CABcZeBPbFJYyCBUGhtryn1Z6W9feLUiS-sVB+HM7UUUR3-ZbQg@mail.gmail.com> <em918d187a-1839-494c-a969-b298d03965d7@sydney>
From: Eric Rescorla <ekr@rtfm.com>
Date: Tue, 21 Mar 2017 17:04:14 -0700
Message-ID: <CABcZeBNFSmM4VjKzKLmrTzTEMxke=gYzH7x9GuhPcv=gFqRvQQ@mail.gmail.com>
To: "Paul E. Jones" <paulej@packetizer.com>
Cc: perc@ietf.org
Content-Type: multipart/alternative; boundary="001a114f12a49cea5c054b468202"
Archived-At: <https://mailarchive.ietf.org/arch/msg/perc/-wvq4pgj8aZKqcyhT3xP2UjbcqI>
Subject: Re: [Perc] Question on diet Design?
X-BeenThere: perc@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Privacy Enhanced RTP Conferencing <perc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/perc>, <mailto:perc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/perc/>
List-Post: <mailto:perc@ietf.org>
List-Help: <mailto:perc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/perc>, <mailto:perc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 22 Mar 2017 00:04:58 -0000
On Tue, Mar 21, 2017 at 4:48 PM, Paul E. Jones <paulej@packetizer.com> wrote: > Ekr, > > For each endpoint, a HBH key is established using DTLS-SRTP (RFC 5764) > procedures via an association established between the endpoint and key > distributor. Those procedures are (mostly) unaltered from the endpoint's > perspective and independent of EKT. The only aspect that is "alternated" > is that, since we're using a "double" cipher, half of the bits generated > for the HBH key are discarded (as they're not used). In the framework > document, this is referred to as Key(j). For simplicity in keeping your > notation below, let's call this K_h. This is the SRTP master key. There is > also an SRTP master salt S_h created via the DTLS-SRTP procedures. > > Over that DTLS association, the key distributor will send an "EKTKey" > message containing the conference key (what you called the group key, > K_g). The same conference key is given to each endpoint in the > conference. In the same message, an SRTP master salt S_g is provided by > the key distributor. > Let's ignore salts for now. I'd also like to ignore all the hop-by-hop keys, because I'm primarily concerned with the e2e keys. As the "EKTKey" message is transmitted to the endpoint, the values {K_h, > S_h} are delivered to the media distributor via the tunnel protocol. > > At this point, the endpoint has {K_h, S_h, K_g, S_g} and the media > distributor has {K_h, S_h}. For every endpoint i, the K_h and S_h values > differ. > > Each endpoint then manufacturers a random SRTP master key E_i used for E2E > encryption. The endpoint then generates the various keys for RTP > encryption, RTP authentication, RTCP encryption, and RTCP authentication > using the KDF defined in RFC 3711 from the pair {E_i, S_g}. This produces > k_e, k_a, k_s (Section 4.3.1 of RFC 3711). Since we will have these for > both E2E and HBH, let's suffix whese with _e (for E2E). So, we'll have > K_e_e. > > The endpoint then generates the various keys for RTP encryption, RTP > authentication, RTCP encryption, and RTCP authentication using the KDF > defined in RFC 3711 from the pair {K_h, S_h}. As above, we'll have k_e, > k_a, k_s, which let's suffix as k_e_h (for HBH). > > The endpoint then performs these steps: > 1) encrypts the RTP packet using the keys derived via the KDF for E2E, > K_e_e and salt k_s_e. > 2) encrypts the RTP packet using the keys derives via the KDF for HBH, > namely K_e_h and k_s_h. > > The EKT field is then added to the end of the packet. If it's the "short > EKT field", it has no keying material inside. It would just be a single 0 > octet. > > The long EKT field is used periodically to allow the endpoint to transmit > E_i to other endpoints. The plaintext of this field is constructed and > then encrypted using AESKeyWrap(K_g, ekt_field). The ciphertext is then > appended to the packet, along with a few plaintext fields indicating the > field type and length. > I'm going to stop here, because I think this is the relevant point, that I had misunderstood and I want to summarize looking just at the E2E portion. 1. You start out with every agent i having a pairwise key K_d_i (the DTLS traffic key) with the KD. 2. The KD then generates a single shared key K_g which it provides to each agent i under K_d_i (in DTLS). 2. Each agent then generates its own transmission key E_i which it transmits to everyone under K_g. Do I have this right? If so, my question is. Why? In particular, why can't we use K_g directly to encrypt SRTP packets (i.e., as one ginormous SRTP session). I am assuming your answer here is going to be that then if you have SSRC collisions then we get two-time pad [0]? If not, then is there some other reason I am missing? -Ekr [0] If so, I have another way to address this. As the media distributor receives the packet, it removes the EKT field, > then decrypts the packet using the keys derived from {K_h,S_h}. It then > re-encrypts the packet using {K_h',S_h'} (where ' denotes the HBH keys > shared with the endpoint to which the media distributor intends to forward > the packet) and then attached the EKT field to the end untouched. > > Upon receipt of the packet, the receiving endpoint first processes the EKT > field. It decrypts the field using K_g. It extracts the SRTP master key > E_i. It already has S_g via the EKTKey message from its own exchange with > the key distributor. So, using its own HBH keying material {K_h',S_h'} > and the E2E keying material {E_i,S_g}, it can perform HBH and E2E > decryption of the packet. > > I hope that helps. As you can see, EKT plays a very limited role in the > overall architecture. We're still very much relying on DTLS-SRTP > procedures and on standard SRTP procedures. Juggling all these keys is > certainly confusing, though. I guess a pretty picture showing all the > pieces would be useful. > > Paul > > ------ Original Message ------ > From: "Eric Rescorla" <ekr@rtfm.com> > To: perc@ietf.org > Sent: 3/21/2017 5:48:17 PM > Subject: [Perc] Question on diet Design? > > I've read this document and I'm finding it hard to understand the > basic design. Ignoring all the details, we have a node i which > connects to the Key Distributor (KD), and we want to establish a > shared key for each node i = 0, 1, ... n (this is just to establish > E2E keys. I'm ignoring HBH keys for now). So, as I read it, the system > works like this. > > - Node i connects to KD and establishes a DTLS connection which establishes > a pairwise key K_d_i. > - The KD then generates a fresh EKT key K_e_i and sends it to i encrypted > under K_d_i. > - The KD then generates a shared group key K_g and sends it individually > to all i in SRTP/EKT encrypted under K_e_i. > > Is that correct so far? > > If so, my question is why you need K_e_i? You have already established > a shared secret via the DTLS connection and you can make as many fresh > pairwise encryption keys as you want from that, so why do you need > to make a new encryption key K_e_i and send it from KD to i? > > -Ekr > >
- [Perc] Question on diet Design? Eric Rescorla
- Re: [Perc] Question on diet Design? Paul E. Jones
- Re: [Perc] Question on diet Design? Eric Rescorla
- Re: [Perc] Question on diet Design? Paul E. Jones
- Re: [Perc] Question on diet Design? Eric Rescorla
- Re: [Perc] Question on diet Design? Paul E. Jones
- Re: [Perc] Question on diet Design? Eric Rescorla
- Re: [Perc] Question on diet Design? Paul E. Jones
- Re: [Perc] Question on diet Design? Eric Rescorla
- Re: [Perc] Question on diet Design? Paul E. Jones
- Re: [Perc] Question on diet Design? Eric Rescorla
- Re: [Perc] Question on diet Design? Cullen Jennings