Re: [secdir] review of draft-ietf-avt-srtp-big-aes-05.txt

David McGrew <> Wed, 05 January 2011 22:53 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 0AE583A6D18; Wed, 5 Jan 2011 14:53:41 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -110.599
X-Spam-Status: No, score=-110.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8, USER_IN_WHITELIST=-100]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id j7IvRUFiUweg; Wed, 5 Jan 2011 14:53:37 -0800 (PST)
Received: from ( []) by (Postfix) with ESMTP id D37233A6D02; Wed, 5 Jan 2011 14:53:36 -0800 (PST)
Authentication-Results:; dkim=neutral (message not signed) header.i=none
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AvsEAFeFJE2rRN+K/2dsb2JhbACkHHOmYZghhUwEhGiGIoMf
X-IronPort-AV: E=Sophos;i="4.60,279,1291593600"; d="scan'208";a="241065133"
Received: from ([]) by with ESMTP; 05 Jan 2011 22:55:43 +0000
Received: from [] ([]) by (8.13.8/8.14.3) with ESMTP id p05Mtg0E014998; Wed, 5 Jan 2011 22:55:43 GMT
Message-Id: <>
From: David McGrew <>
To: Hilarie Orman <>
In-Reply-To: <>
Content-Type: text/plain; charset=US-ASCII; format=flowed; delsp=yes
Content-Transfer-Encoding: 7bit
Mime-Version: 1.0 (Apple Message framework v936)
Date: Wed, 5 Jan 2011 14:55:42 -0800
References: <>
X-Mailer: Apple Mail (2.936)
Subject: Re: [secdir] review of draft-ietf-avt-srtp-big-aes-05.txt
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Directorate <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 05 Jan 2011 22:53:41 -0000

Hi Hilarie,

thanks for your detailed review.

On Jan 4, 2011, at 2:26 PM, Hilarie Orman wrote:

> Security review of draft-ietf-avt-srtp-big-aes-05.txt
> Do not be alarmed.  I have reviewed this document as part of the
> security directorate's ongoing effort to review all IETF documents
> being processed by the IESG. These comments were written primarily for
> the benefit of the security area directors. Document editors and WG
> chairs should treat these comments just like any other last call
> comments.
> This is a very well-written document about using AES-192 and AES-256
> with RTP, and I have only a few comments.
> There is no comment on why AES-192 might be used.  There is a comment
> about AES-128 vs. AES-256, but AES-192 seems to fall into a useless
> middle ground.  I'd like to see some comment about it.

I agree that AES-192 doesn't seem that useful.  When the draft was  
first presented to AVT WG, the sentiment of the room was that AES-192  
might be useful, so the draft should include it, so that people have  
the option of using it if it seems valuable in the future.  I suppose  
the draft ought to say something like that.  How about:

AES-256 provides the highest level of security, and it SHOULD be used  
whenever the highest possible security is desired.  AES-192 provides a  
middle ground between the 128-bit and 256-bit versions of AES, and it  
MAY be used when higher security than AES-128 is desired.

> Section 3.1 "Usage Requirements" might be easier to understand if it
> said that "When AES_192_CM is used for encryption, the key derivation
> function MUST have a cryptographic strength of at least 192 bits;
> AES_192_CM has this strength, AES_128_CM does not."  Similarly for
> AES_256_CM.

Sounds good.

> It would be helpful to note which data items are specific to SRTP.
> The draft says that it uses the terminology of "Section 4.1.1 of
> [RFC3711]", but oddly enough, the "SSRC" is not defined in that
> document, either.  One must go back to RFC3550 for its definition.

That's a very constructive suggestion.

> I was flummoxed by the math of "if kdr=0 then (index DIV kdr) = 0".
> RFC3711 section 4.3.1 does explain it; it's kind of confusing to  
> have to
> switch back and forth between the two documents.
> The block counter "b_c" is two octets, but the "default key lifetime"
> is 2^31.  Is this perhaps the "maximum" key lifetime?  Should
> implementors introduce an internal counter to keep track of the
> history of key usage (across sessions?)?  Perhaps earlier documents
> explain this?

The key lifetime is the maximum number of packets that can be  
protected using a single key.  The packets are no longer than 2^18  
bytes, so limiting the number of packets is a convenient way to limit  
the number of bytes.

Perhaps the draft should mention that this parameter (and the other  
cryptosuite parameters) are defined in Section 8.2 of RFC 3711.

thanks again,


> Hilarie
> _______________________________________________
> secdir mailing list