Re: [secdir] draft-ietf-avtcore-aria-srtp-06

Uri Blumenthal <> Mon, 15 September 2014 21:36 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 5158E1A8784 for <>; Mon, 15 Sep 2014 14:36:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -5.853
X-Spam-Status: No, score=-5.853 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-1.652, SPF_PASS=-0.001] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id N6wx7zuZAe3y for <>; Mon, 15 Sep 2014 14:36:33 -0700 (PDT)
Received: from ( []) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 9BEC81A8748 for <>; Mon, 15 Sep 2014 14:36:33 -0700 (PDT)
X-AuditID: 1209190c-f795e6d000006c66-07-54175be085ee
Received: from ( []) (using TLS with cipher AES256-SHA (256/256 bits)) (Client did not present a certificate) by (Symantec Messaging Gateway) with SMTP id CF.95.27750.0EB57145; Mon, 15 Sep 2014 17:36:32 -0400 (EDT)
Received: from ( []) by (8.13.8/8.9.2) with ESMTP id s8FLaVuE011960; Mon, 15 Sep 2014 17:36:32 -0400
Received: from W92EXEDGE5.EXCHANGE.MIT.EDU ( []) by (8.13.8/8.12.4) with ESMTP id s8FLaTj4002218; Mon, 15 Sep 2014 17:36:31 -0400
Received: from ( by W92EXEDGE5.EXCHANGE.MIT.EDU ( with Microsoft SMTP Server (TLS) id; Mon, 15 Sep 2014 17:35:47 -0400
Received: from ([]) by ([]) with mapi id 14.03.0158.001; Mon, 15 Sep 2014 17:36:29 -0400
From: Uri Blumenthal <>
To: Ben Laurie <>, "" <>, "" <>
Thread-Topic: [secdir] draft-ietf-avtcore-aria-srtp-06
Thread-Index: AQHP0RRbFKfP74bOH0qsxsJ3nE4kHpwCtdlE
Date: Mon, 15 Sep 2014 21:36:29 +0000
Message-ID: <>
References: <>
In-Reply-To: <>
Accept-Language: en-US
Content-Language: en-US
x-originating-ip: []
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFvrAKsWRmVeSWpSXmKPExsUixCmqrPsgWjzEoGuHmMWGz9fYLHY13Gex +LDwIYsDs8eCTaUeS5b8ZPL4cvkzWwBzFJdNSmpOZllqkb5dAlfGvks32AuaxCqOP//B1sC4 XqiLkZNDQsBEYu3dTewQtpjEhXvr2boYuTiEBGYzSWz+uYcFwjnAKHFx/RV2COcYo8SEaW8Y IZztjBLfd/dDOasZJd5ebWQDGcYmoCTx4dEmsH4Rga2MEp3rroNtERYwlTh1/TGYLSJgJjH7 3HpWCNtIYn/rQ0YQm0VAVWL95VlMIDavQJDEpZc/wGqEBAIkds9eBNbLKRAosXDHTRYQmxHo 8u+n1oDVMwuIS9x6Mp8J4iNBiUWz9zDDfPdv10Og4ziAbEWJOat9Icp1JBbs/sQGYWtLLFv4 mhliraDEyZlPWCYwSsxCMnUWkpZZSFpmIWlZwMiyilE2JbdKNzcxM6c4NVm3ODkxLy+1SNdQ LzezRC81pXQTIzgyJXl2ML45qHSIUYCDUYmHt6BPLESINbGsuDL3EKMkB5OSKK+ht3iIEF9S fkplRmJxRnxRaU5q8SFGCQ5mJRHe/T5AOd6UxMqq1KJ8mJQ0B4uSOO+mH3whQgLpiSWp2amp BalFMFkZDg4lCd6TUUCNgkWp6akVaZk5JQhpJg5OkOE8QMMFQWp4iwsSc4sz0yHypxh1OdZ1 futnEmLJy89LlRLnPQNSJABSlFGaBzcHllBfMYoDvSXM+wykigeYjOEmvQJawgS05GyPGMiS kkSElFQDY9d5kfK9r29+t/EIu5lW0Zy4+8QWHoZjoi3fXl6RMf2fGWf0yCLpz6v44HbDwwEr FtUZxR9q3W94xz7ST+X2JY/Fl9nXH1Krbv/4ap+g8omNFxh8nFfZpv7w3pfl89XOc4XFBSPV nTb+1UvkJOxPVEzNiG57ZfxSfNrmhtS/fDP6s/YebFAMU2Ipzkg01GIuKk4EAMhXFbeDAwAA
Subject: Re: [secdir] draft-ietf-avtcore-aria-srtp-06
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Directorate <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 15 Sep 2014 21:36:36 -0000

My assumption would be that the main use case for SRTP is streaming video. For streaming video the main threat is theft of service - aka unauthorized reception. The sender usually doesn't care if some packets don't make it through, which includes being accidentally or maliciously corrupted.

Compounded by the performance requirements (and if my assumption is correct), I can understand why the idea of adding a full authentication tag for every packet is repulsive to SRTP crowd. 

I agree that for SRTP in the above context full-length authentication tags would be highly undesirable, and short tags are all that's needed.

Having said that, I share Ben's concern wrt. "vanity ciphers", and think that it is a bad idea, to be avoided if possible - and fully justified if not. 


From: secdir [] on behalf of Ben Laurie []
Sent: Monday, September 15, 2014 14:12
To: The IESG;;
Subject: [secdir] draft-ietf-avtcore-aria-srtp-06

I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the
IESG.  These comments were written primarily for the benefit of the
security area directors.  Document editors and WG chairs should treat
these comments just like any other last call comments.

Summary: ready with issues, or maybe not ready (AD's choice!)

Firstly, I'm not generally keen on RFCs for "vanity" ciphers - or,
indeed, any cipher that's been as lightly reviewed as ARIA has. The
Security ADs may feel differently, so I defer to them.

Secondly, ARIA-CTR and ARIA-GCM both use SHA-1 as a hash function, and
I believe we are trying to deprecate that practice.

Thirdly, I am not familiar enough with SRTP to understand why short
authentication tags are needed, but in general its a bad idea, so I
feel the Security Considerations should explain more fully than
"Ciphersuites with short tag length may be
   considered for specific application environments stated in 7.5 of
   [RFC3711], but the risk of weak authentication described in
   Section 9.5.1 of [RFC3711] should be taken into account."

How would I take this risk into account?

Finally, given that short tags are a risk, why are there no modes with
full-length tags?

secdir mailing list