Re: [Perc] Question on diet Design?
"Paul E. Jones" <paulej@packetizer.com> Tue, 21 March 2017 23:48 UTC
Return-Path: <paulej@packetizer.com>
X-Original-To: perc@ietfa.amsl.com
Delivered-To: perc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 74D9B128708 for <perc@ietfa.amsl.com>; Tue, 21 Mar 2017 16:48:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level:
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RP_MATCHES_RCVD=-0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=packetizer.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PgXybj7qcSv5 for <perc@ietfa.amsl.com>; Tue, 21 Mar 2017 16:48:33 -0700 (PDT)
Received: from dublin.packetizer.com (dublin.packetizer.com [75.101.130.125]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BED9C129409 for <perc@ietf.org>; Tue, 21 Mar 2017 16:48:33 -0700 (PDT)
Received: from [192.168.1.20] (cpe-098-122-167-029.nc.res.rr.com [98.122.167.29] (may be forged)) (authenticated bits=0) by dublin.packetizer.com (8.15.2/8.15.2) with ESMTPSA id v2LNmVKZ016081 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Tue, 21 Mar 2017 19:48:32 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=packetizer.com; s=dublin; t=1490140112; bh=ZsaR8OmrAkVXKtY2Yu5pG0JvAUdQchHJGiBB8HiG/+o=; h=From:To:Subject:Date:In-Reply-To:References:Reply-To; b=AxwIr9dKmnzm3i2i51l9ObTve7wCZS+/Rn1Wm/tqjEZFoED4HpApc71MPyFcYowwr guIhpOyNkJElayvc9/fCmD33VJUuyVml6WxfIi5z17yyemAGLXbDpLn9wONfQuNV6s 51kqXhhgt49RHrt8u9HbSemDvViy7s6wCH3NaDNU=
From: "Paul E. Jones" <paulej@packetizer.com>
To: Eric Rescorla <ekr@rtfm.com>, perc@ietf.org
Date: Tue, 21 Mar 2017 23:48:31 +0000
Message-Id: <em918d187a-1839-494c-a969-b298d03965d7@sydney>
In-Reply-To: <CABcZeBPbFJYyCBUGhtryn1Z6W9feLUiS-sVB+HM7UUUR3-ZbQg@mail.gmail.com>
References: <CABcZeBPbFJYyCBUGhtryn1Z6W9feLUiS-sVB+HM7UUUR3-ZbQg@mail.gmail.com>
Reply-To: "Paul E. Jones" <paulej@packetizer.com>
User-Agent: eM_Client/7.0.28492.0
Mime-Version: 1.0
Content-Type: multipart/alternative; boundary="------=_MB86B4C182-59F2-4C4E-A81F-509C6740757A"
X-Greylist: Sender succeeded SMTP AUTH, not delayed by milter-greylist-4.6.1 (dublin.packetizer.com [10.165.122.250]); Tue, 21 Mar 2017 19:48:32 -0400 (EDT)
Archived-At: <https://mailarchive.ietf.org/arch/msg/perc/0awWhSh_y1oWy8imcDRZctV369A>
Subject: Re: [Perc] Question on diet Design?
X-BeenThere: perc@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Privacy Enhanced RTP Conferencing <perc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/perc>, <mailto:perc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/perc/>
List-Post: <mailto:perc@ietf.org>
List-Help: <mailto:perc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/perc>, <mailto:perc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 21 Mar 2017 23:48:36 -0000
Ekr, For each endpoint, a HBH key is established using DTLS-SRTP (RFC 5764) procedures via an association established between the endpoint and key distributor. Those procedures are (mostly) unaltered from the endpoint's perspective and independent of EKT. The only aspect that is "alternated" is that, since we're using a "double" cipher, half of the bits generated for the HBH key are discarded (as they're not used). In the framework document, this is referred to as Key(j). For simplicity in keeping your notation below, let's call this K_h. This is the SRTP master key. There is also an SRTP master salt S_h created via the DTLS-SRTP procedures. Over that DTLS association, the key distributor will send an "EKTKey" message containing the conference key (what you called the group key, K_g). The same conference key is given to each endpoint in the conference. In the same message, an SRTP master salt S_g is provided by the key distributor. As the "EKTKey" message is transmitted to the endpoint, the values {K_h, S_h} are delivered to the media distributor via the tunnel protocol. At this point, the endpoint has {K_h, S_h, K_g, S_g} and the media distributor has {K_h, S_h}. For every endpoint i, the K_h and S_h values differ. Each endpoint then manufacturers a random SRTP master key E_i used for E2E encryption. The endpoint then generates the various keys for RTP encryption, RTP authentication, RTCP encryption, and RTCP authentication using the KDF defined in RFC 3711 from the pair {E_i, S_g}. This produces k_e, k_a, k_s (Section 4.3.1 of RFC 3711). Since we will have these for both E2E and HBH, let's suffix whese with _e (for E2E). So, we'll have K_e_e. The endpoint then generates the various keys for RTP encryption, RTP authentication, RTCP encryption, and RTCP authentication using the KDF defined in RFC 3711 from the pair {K_h, S_h}. As above, we'll have k_e, k_a, k_s, which let's suffix as k_e_h (for HBH). The endpoint then performs these steps: 1) encrypts the RTP packet using the keys derived via the KDF for E2E, K_e_e and salt k_s_e. 2) encrypts the RTP packet using the keys derives via the KDF for HBH, namely K_e_h and k_s_h. The EKT field is then added to the end of the packet. If it's the "short EKT field", it has no keying material inside. It would just be a single 0 octet. The long EKT field is used periodically to allow the endpoint to transmit E_i to other endpoints. The plaintext of this field is constructed and then encrypted using AESKeyWrap(K_g, ekt_field). The ciphertext is then appended to the packet, along with a few plaintext fields indicating the field type and length. As the media distributor receives the packet, it removes the EKT field, then decrypts the packet using the keys derived from {K_h,S_h}. It then re-encrypts the packet using {K_h',S_h'} (where ' denotes the HBH keys shared with the endpoint to which the media distributor intends to forward the packet) and then attached the EKT field to the end untouched. Upon receipt of the packet, the receiving endpoint first processes the EKT field. It decrypts the field using K_g. It extracts the SRTP master key E_i. It already has S_g via the EKTKey message from its own exchange with the key distributor. So, using its own HBH keying material {K_h',S_h'} and the E2E keying material {E_i,S_g}, it can perform HBH and E2E decryption of the packet. I hope that helps. As you can see, EKT plays a very limited role in the overall architecture. We're still very much relying on DTLS-SRTP procedures and on standard SRTP procedures. Juggling all these keys is certainly confusing, though. I guess a pretty picture showing all the pieces would be useful. Paul ------ Original Message ------ From: "Eric Rescorla" <ekr@rtfm.com> To: perc@ietf.org Sent: 3/21/2017 5:48:17 PM Subject: [Perc] Question on diet Design? >I've read this document and I'm finding it hard to understand the >basic design. Ignoring all the details, we have a node i which >connects to the Key Distributor (KD), and we want to establish a >shared key for each node i = 0, 1, ... n (this is just to establish >E2E keys. I'm ignoring HBH keys for now). So, as I read it, the system >works like this. > >- Node i connects to KD and establishes a DTLS connection which >establishes > a pairwise key K_d_i. >- The KD then generates a fresh EKT key K_e_i and sends it to i >encrypted > under K_d_i. >- The KD then generates a shared group key K_g and sends it >individually > to all i in SRTP/EKT encrypted under K_e_i. > >Is that correct so far? > >If so, my question is why you need K_e_i? You have already established >a shared secret via the DTLS connection and you can make as many fresh >pairwise encryption keys as you want from that, so why do you need >to make a new encryption key K_e_i and send it from KD to i? > >-Ekr >
- [Perc] Question on diet Design? Eric Rescorla
- Re: [Perc] Question on diet Design? Paul E. Jones
- Re: [Perc] Question on diet Design? Eric Rescorla
- Re: [Perc] Question on diet Design? Paul E. Jones
- Re: [Perc] Question on diet Design? Eric Rescorla
- Re: [Perc] Question on diet Design? Paul E. Jones
- Re: [Perc] Question on diet Design? Eric Rescorla
- Re: [Perc] Question on diet Design? Paul E. Jones
- Re: [Perc] Question on diet Design? Eric Rescorla
- Re: [Perc] Question on diet Design? Paul E. Jones
- Re: [Perc] Question on diet Design? Eric Rescorla
- Re: [Perc] Question on diet Design? Cullen Jennings