IETF Logo Mail Archive

Re: [Perc] Question on diet Design?

Cullen Jennings <fluffy@iii.ca> Sat, 25 March 2017 20:32 UTC

Return-Path: <fluffy@iii.ca>
X-Original-To: perc@ietfa.amsl.com
Delivered-To: perc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 64CDB124D68 for <perc@ietfa.amsl.com>; Sat, 25 Mar 2017 13:32:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.695
X-Spam-Level:
X-Spam-Status: No, score=-4.695 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-2.796, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8hW_1GB-lxs9 for <perc@ietfa.amsl.com>; Sat, 25 Mar 2017 13:32:26 -0700 (PDT)
Received: from smtp85.iad3a.emailsrvr.com (smtp85.iad3a.emailsrvr.com [173.203.187.85]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AA7BF127011 for <perc@ietf.org>; Sat, 25 Mar 2017 13:32:26 -0700 (PDT)
Received: from smtp27.relay.iad3a.emailsrvr.com (localhost [127.0.0.1]) by smtp27.relay.iad3a.emailsrvr.com (SMTP Server) with ESMTP id C86DD24A59; Sat, 25 Mar 2017 16:32:23 -0400 (EDT)
X-Auth-ID: fluffy@iii.ca
Received: by smtp27.relay.iad3a.emailsrvr.com (Authenticated sender: fluffy-AT-iii.ca) with ESMTPSA id 752F9249E1; Sat, 25 Mar 2017 16:32:23 -0400 (EDT)
X-Sender-Id: fluffy@iii.ca
Received: from rtp-vpn3-150.cisco.com ([UNAVAILABLE]. [173.38.117.68]) (using TLSv1 with cipher DHE-RSA-AES256-SHA) by 0.0.0.0:587 (trex/5.7.12); Sat, 25 Mar 2017 16:32:23 -0400
Content-Type: multipart/alternative; boundary="Apple-Mail=_CDB3C598-6C91-49D0-A665-B596C029EA5B"
Mime-Version: 1.0 (Mac OS X Mail 9.3 \(3124\))
From: Cullen Jennings <fluffy@iii.ca>
In-Reply-To: <CABcZeBOyvQ2zZkr4Z5jnjNJ=CAoMWbYws6QN-TSgv_KZvaWgyA@mail.gmail.com>
Date: Sat, 25 Mar 2017 15:32:22 -0500
Cc: Paul Jones <paulej@packetizer.com>, perc@ietf.org
Message-Id: <37B48DF7-C267-402D-ABA0-68195CA89E21@iii.ca>
References: <CABcZeBPbFJYyCBUGhtryn1Z6W9feLUiS-sVB+HM7UUUR3-ZbQg@mail.gmail.com> <em918d187a-1839-494c-a969-b298d03965d7@sydney> <CABcZeBNFSmM4VjKzKLmrTzTEMxke=gYzH7x9GuhPcv=gFqRvQQ@mail.gmail.com> <ema2355ca7-fc19-48f6-972e-7dd73ac7a9a9@sydney> <CABcZeBMXWoQ1jeDFGUU2maO3ehJ4Z9-o6_pckUaC_wbmNPPnGg@mail.gmail.com> <emba00a16e-6ca9-41ac-85ae-e53f6115c95c@sydney> <CABcZeBPSATAonu87OaJuUX1QWkuPufi=HpKQQ5AZZB6ZWP759A@mail.gmail.com> <emb912fdf7-1123-46c4-ba3d-8ff4d73e87b2@sydney> <CABcZeBNFbpAKu-PkuB+zxxpduJStViJX=_xZD5s7R4ejCMx5FA@mail.gmail.com> <em8cc80c10-b9a1-4c1c-9f13-098d43739673@sydney> <CABcZeBOyvQ2zZkr4Z5jnjNJ=CAoMWbYws6QN-TSgv_KZvaWgyA@mail.gmail.com>
To: Eric Rescorla <ekr@rtfm.com>
X-Mailer: Apple Mail (2.3124)
Archived-At: <https://mailarchive.ietf.org/arch/msg/perc/jW_l0PNi2wDrLrp-Pe1ffgjpflI>
Subject: Re: [Perc] Question on diet Design?
X-BeenThere: perc@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Privacy Enhanced RTP Conferencing <perc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/perc>, <mailto:perc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/perc/>
List-Post: <mailto:perc@ietf.org>
List-Help: <mailto:perc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/perc>, <mailto:perc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 25 Mar 2017 20:32:29 -0000

EKT was deployed and shipped before the PERC WG was started. It was easy to reuse it from an implementation point of view and it remains useful for conferencing even without PERC or DTLS-SRTP because it allows the conference server to move all the participants to same same key to reduce outbound encryption load. 

The other issue driving the design is scheduling when to use keys. We can't easily synchronize when key changes happen, but we can make sure that everyone gets the intermedia key over DTLS and waits a few seconds before they start using it. That way they know everyone has likely received it before thy start using it. 


> On Mar 23, 2017, at 6:45 PM, Eric Rescorla <ekr@rtfm.com> wrote:
> 
> 
> 
> On Thu, Mar 23, 2017 at 4:31 PM, Paul E. Jones <paulej@packetizer.com <mailto:paulej@packetizer.com>> wrote:
> Ekr,
> 
> The SSRC is used in the IV when encrypting packets, but not directly in the KDF to derive k_e, k_a, or k_s.  That said, that will avoid the two-time pad problem.
> 
> Sure, my mistake. In any case, it's not a problem for multiple SSRCs.
> 
> 
> Current guidance is that a given key should not be used more than 2^48 times.  By how much would having 1,000 participants in a conference sending a total of 2,000 media flows using keys derived from the same K_g reduce key lifetime?
> 
> These are totally unrelated. The guidance is about the lifetime of a single GCM key, not about
> the keying material from which it was derived.
> 
> 
> I'm still struggling with the overall benefit, though.  With both, we have a need to exchange keying material, thus a need for DTLS-SRTP + EKT (or other) procedures.
> 
> With EKT, an endpoint sends its SRTP master key and ROC  periodically.  AES_Keywrap() doesn't have to be called on every packet, since the ciphertext is static.  Other than the size of the EKT field (which we could reduce and which is only sent periodically), it doesn't seem like a burden.
> 
> What you're proposing will require assignment of a unique participant identifier (which we can do over the DTLS tunnel) and sending that ID and the ROC periodically in packets. 
> 
> It seems roughly the same in terms of complexity, with the K_g approach (ID || ROC) perhaps using slightly fewer bits on the wire compared to the the EKT field.
> 
> I'd like to hear others weigh in on pros/cons.  I don't want to send negative signals if others favor this approach.  Other than my question on key lifetime impact, the K_g approach seems fine.
> 
> Well, at the moment, I'm just trying to understand what the current design is supposed
> to achieve, and that means getting clear on what keying material you are trying to
> establish. 
> 
> In that process, I am seeing some things that make me sad in particular;
> 
> - Having two key transport phases, which is pretty hard to wrap your head around,
> though perhaps it's just a writing issue.
> - Grabbing a DTLS code point (why can't you just shove this in the application data),
> so I'm trying to remove that [0]. 
> 
> So I'm trying to push on what's really needed.
> 
> -Ekr
> 
> [0] I concede that what I wrote above doesn't do that, but reducing the number of
> key wrap phases might let us do so, for instance by carrying K_g in EKT.
> 
> 
> Paul
> 
> ------ Original Message ------
> From: "Eric Rescorla" <ekr@rtfm.com <mailto:ekr@rtfm.com>>
> To: "Paul E. Jones" <paulej@packetizer.com <mailto:paulej@packetizer.com>>
> Cc: perc@ietf.org <mailto:perc@ietf.org>
> Sent: 3/23/2017 7:12:51 AM
> Subject: Re: [Perc] Question on diet Design?
> 
>> It's part of the SRTP KDF.
>> 
>> -Ekr
>> 
>> 
>> On Wed, Mar 22, 2017 at 9:42 PM, Paul E. Jones <paulej@packetizer.com <mailto:paulej@packetizer.com>> wrote:
>> Eric,
>> 
>>> I think what you propose would work, but each stream from a given endpoint would need to have a unique key since we do not want the any two media flows using the same key. Thus, I think we'd need:
>>>   KDF(K_g, ID || stream_id)
>>> 
>>> The SSRC addresses that, no?
>> 
>> Yeah, SSRC is fine for that.  We just need to ensure it is a part of the KDF input.
>> 
>> Paul
>> 
> 
> _______________________________________________
> Perc mailing list
> Perc@ietf.org
> https://www.ietf.org/mailman/listinfo/perc

v2.23.0 | Report a Bug | By Email