Re: [Perc] Question on diet Design?
Eric Rescorla <ekr@rtfm.com> Wed, 22 March 2017 00:57 UTC
Return-Path: <ekr@rtfm.com>
X-Original-To: perc@ietfa.amsl.com
Delivered-To: perc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9B9AD1241FC for <perc@ietfa.amsl.com>; Tue, 21 Mar 2017 17:57:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MWJ4fGlZTmpE for <perc@ietfa.amsl.com>; Tue, 21 Mar 2017 17:57:21 -0700 (PDT)
Received: from mail-ot0-x22e.google.com (mail-ot0-x22e.google.com [IPv6:2607:f8b0:4003:c0f::22e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 219E91292F4 for <perc@ietf.org>; Tue, 21 Mar 2017 17:57:21 -0700 (PDT)
Received: by mail-ot0-x22e.google.com with SMTP id a12so92379213ota.0 for <perc@ietf.org>; Tue, 21 Mar 2017 17:57:21 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=WCjCwX7t7baGL0pDFlBGTnTgp9Knq36QfIGo/O8B+OY=; b=nUFCFJCssMTQ44WR2gp5MTgjMfFHp3cjTFItg/mms75f5uWuThZwWXUbIBe81TFsgh A4g1iSJABMfrPTSWCl7G+8l17PYEcsGopXbaDw/1uzZt7gLh7mmhB+MEWWeIP3Nfg/Jd NZ8UOh6jBQAjqtAQPR0UrFsOoUSkp6vtp4eEbX7JfL2Of6lqV46EdFPjjw/9XI7mWV5C Iq1Ar4RXPEBSpF0TLDucstPzMoAzyeZuocZ7rDmgolDyqiJtxq35/VB64EF69rEVMmhp Y31kbpN/e3GlRTxPUbMsr2suOOpwiygpk1yVAbmKWQVsHwdvOd71yewvu99q/Fh07DAN HGEA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=WCjCwX7t7baGL0pDFlBGTnTgp9Knq36QfIGo/O8B+OY=; b=CpKP2WBNthNCKqe64m5jHbEYRvEYr4tOPdiq2MNDElqQ+X2mmKJ4nYdCq8mFfV9ZWq dcBoKE1jFwMytZFc0A1sYxDyPVR01VH0muqv4t0qvMlkUy8N8k8kwq3EgZ8TU59+oR2p OjIXYQ90NSeyMniYiMJ20SF7+PFDx2ke3Xwxqy/hYaFpUfcvCZ9DAaX/fQLPLc8NZ8sK rTRrTe9VsoIAWr4OwhOmB9NDoFDAHoegrqNgOz72pYpQninlCWUm7W9+QJx6bn9ocP+g pXKaQMY3DSgB3hZffDDZ6r7lFPNOFTlj6y3ClM2jpAblhjFQQjTeCAYm7SnVmg8tXri4 gY7g==
X-Gm-Message-State: AFeK/H3o7Fy6iabrKUR3EL6JuTQMunK4DLABRnWlN2jZAPV1gNYNsWor6/aeEF5Q2tPJbzb5pdMdo6tvOIVkFg==
X-Received: by 10.157.68.234 with SMTP id p42mr19148758otg.46.1490144240461; Tue, 21 Mar 2017 17:57:20 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.157.13.167 with HTTP; Tue, 21 Mar 2017 17:56:40 -0700 (PDT)
In-Reply-To: <ema2355ca7-fc19-48f6-972e-7dd73ac7a9a9@sydney>
References: <CABcZeBPbFJYyCBUGhtryn1Z6W9feLUiS-sVB+HM7UUUR3-ZbQg@mail.gmail.com> <em918d187a-1839-494c-a969-b298d03965d7@sydney> <CABcZeBNFSmM4VjKzKLmrTzTEMxke=gYzH7x9GuhPcv=gFqRvQQ@mail.gmail.com> <ema2355ca7-fc19-48f6-972e-7dd73ac7a9a9@sydney>
From: Eric Rescorla <ekr@rtfm.com>
Date: Tue, 21 Mar 2017 17:56:40 -0700
Message-ID: <CABcZeBMXWoQ1jeDFGUU2maO3ehJ4Z9-o6_pckUaC_wbmNPPnGg@mail.gmail.com>
To: "Paul E. Jones" <paulej@packetizer.com>
Cc: perc@ietf.org
Content-Type: multipart/alternative; boundary="f403043c50201dfdf9054b473e91"
Archived-At: <https://mailarchive.ietf.org/arch/msg/perc/P3B4Fb7f8pSV8WbvHgSew2gzTE8>
Subject: Re: [Perc] Question on diet Design?
X-BeenThere: perc@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Privacy Enhanced RTP Conferencing <perc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/perc>, <mailto:perc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/perc/>
List-Post: <mailto:perc@ietf.org>
List-Help: <mailto:perc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/perc>, <mailto:perc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 22 Mar 2017 00:57:24 -0000
On Tue, Mar 21, 2017 at 5:35 PM, Paul E. Jones <paulej@packetizer.com> wrote: > Ekr, > > >> Each endpoint then manufacturers a random SRTP master key E_i used for >> E2E encryption. The endpoint then generates the various keys for RTP >> encryption, RTP authentication, RTCP encryption, and RTCP authentication >> using the KDF defined in RFC 3711 from the pair {E_i, S_g}. This produces >> k_e, k_a, k_s (Section 4.3.1 of RFC 3711). Since we will have these for >> both E2E and HBH, let's suffix whese with _e (for E2E). So, we'll have >> K_e_e. >> >> The endpoint then generates the various keys for RTP encryption, RTP >> authentication, RTCP encryption, and RTCP authentication using the KDF >> defined in RFC 3711 from the pair {K_h, S_h}. As above, we'll have k_e, >> k_a, k_s, which let's suffix as k_e_h (for HBH). >> >> The endpoint then performs these steps: >> 1) encrypts the RTP packet using the keys derived via the KDF for E2E, >> K_e_e and salt k_s_e. >> 2) encrypts the RTP packet using the keys derives via the KDF for HBH, >> namely K_e_h and k_s_h. >> >> The EKT field is then added to the end of the packet. If it's the "short >> EKT field", it has no keying material inside. It would just be a single 0 >> octet. >> >> The long EKT field is used periodically to allow the endpoint to transmit >> E_i to other endpoints. The plaintext of this field is constructed and >> then encrypted using AESKeyWrap(K_g, ekt_field). The ciphertext is then >> appended to the packet, along with a few plaintext fields indicating the >> field type and length. >> > > I'm going to stop here, because I think this is the relevant point, that I > had misunderstood > and I want to summarize looking just at the E2E portion. > > 1. You start out with every agent i having a pairwise key K_d_i (the DTLS > traffic key) with the > KD. > > > Yea, but the key is only used for DTLS exchanges, so independent of > anything SRTP related (except for the DTLS-SRTP key derivation for HBH that > you wanted to ignore for now). > Well, you're using it to encipher K_g. Right now, I'm primarily concerned with the key hierarchy and not which specific protocol is being used. 2. The KD then generates a single shared key K_g which it provides to each > agent i under > K_d_i (in DTLS). > > > Correct. > > > 2. Each agent then generates its own transmission key E_i which it > transmits to everyone > under K_g. > > Do I have this right? > > > Yes, that's correct. > > > If so, my question is. Why? In particular, why can't we use K_g directly > to encrypt SRTP > packets (i.e., as one ginormous SRTP session). I am assuming your answer > here is going > to be that then if you have SSRC collisions then we get two-time pad [0]? > If not, then > is there some other reason I am missing? > > > Avoiding the one-time pad is a primary concern, but not the only issue. A > secondary issue is that in a conferencing environment where each sender is > transmitting independently, endpoints need to be able to synchronize the > crypto context of the sender. The ROC value is conveyed in the EKT > field, which facilitates this synchronization. (The ROC for the HBH > encryption always starts at 0, so no synchronization is required. But, the > ROC for any transmitted flow in an existing conferencing might be any > value. So, EKT carries the E2E cipher and the ROC for that flow.) > > > [0] If so, I have another way to address this. > > > Assuming we could still convey the ROC in the clear (it's not really > secret), then I'd like to hear your suggestion. > Replace EKT with a fixed block consisting of: 1. A centrally assigned endpoint ID [you need this to avoid two-time pad] 2. The ROC (if needed) The per-sender key then can be computed as KDF(K_g, ID) [0]. Note that you don't need to send this block that frequently, you can use the same algorithm you use for EKT, though it's also pretty small, so maybe easier to just send all the time. I haven't been thinking about this for very long, so I could of course have something grievously wrong and insecure, in which people should point and laugh. One potential concern is that an attacker can send some incredibly large ROC and thus cause you to crank the KDF forward a zillion times. I believe that currently anyone who has K_g can do this, so requiring this block to be MACed with K_g should address this problem. -Ekr [0] Note, this assumes I am remembering how the ROC works, which, IIRC, is just that it tells you which generation of SRTP keys to derive from the master.
- [Perc] Question on diet Design? Eric Rescorla
- Re: [Perc] Question on diet Design? Paul E. Jones
- Re: [Perc] Question on diet Design? Eric Rescorla
- Re: [Perc] Question on diet Design? Paul E. Jones
- Re: [Perc] Question on diet Design? Eric Rescorla
- Re: [Perc] Question on diet Design? Paul E. Jones
- Re: [Perc] Question on diet Design? Eric Rescorla
- Re: [Perc] Question on diet Design? Paul E. Jones
- Re: [Perc] Question on diet Design? Eric Rescorla
- Re: [Perc] Question on diet Design? Paul E. Jones
- Re: [Perc] Question on diet Design? Eric Rescorla
- Re: [Perc] Question on diet Design? Cullen Jennings