rfc8723xml2.original.xml   rfc8723.xml 
<?xml version="1.0" encoding="UTF-8"?> <?xml version='1.0' encoding='utf-8'?>
<!DOCTYPE rfc SYSTEM 'rfc2629.dtd' []> <!DOCTYPE rfc SYSTEM "rfc2629-xhtml.ent">
<rfc ipr="trust200902" category="std" docName="draft-ietf-perc-double-12"> <rfc
<?rfc toc="yes"?> xmlns:xi="http://www.w3.org/2001/XInclude"
<?rfc symrefs="yes"?> number="8723"
<?rfc sortrefs="yes"?> updates=""
<?rfc compact="yes"?> obsoletes=""
<?rfc subcompact="no"?> category="std"
<?rfc private=""?> consensus="true"
<?rfc topblock="yes"?> submissionType="IETF"
<?rfc comments="no"?> ipr="trust200902"
<front> sortRefs="true"
<title abbrev="Double SRTP">SRTP Double Encryption Procedures</title> symRefs="true"
xml:lang="en"
<author initials="C." surname="Jennings" fullname="Cullen Jennings"> docName="draft-ietf-perc-double-12"
<organization>Cisco Systems</organization> tocInclude="true"
<address> version="3">
<postal> <front>
<street></street> <title abbrev="Double SRTP">Double Encryption Procedures for the Secure Real
<city></city> -Time Transport Protocol (SRTP)</title>
<code></code> <seriesInfo name="RFC" value="8723"/>
<country></country> <author initials="C." surname="Jennings" fullname="Cullen Jennings">
<region></region> <organization>Cisco Systems</organization>
</postal> <address>
<phone></phone> <email>fluffy@iii.ca</email>
<email>fluffy@iii.ca</email> </address>
<uri></uri> </author>
</address> <author initials="P." surname="Jones" fullname="Paul E. Jones">
</author> <organization>Cisco Systems</organization>
<author initials="P." surname="Jones" fullname="Paul E. Jones"> <address>
<organization>Cisco Systems</organization> <email>paulej@packetizer.com</email>
<address> </address>
<postal> </author>
<street></street> <author initials="R." surname="Barnes" fullname="Richard Barnes">
<city></city> <organization>Cisco Systems</organization>
<code></code> <address>
<country></country> <email>rlb@ipv.sx</email>
<region></region> </address>
</postal> </author>
<phone></phone> <author initials="A.B." surname="Roach" fullname="Adam Roach">
<email>paulej@packetizer.com</email> <organization>Mozilla</organization>
<uri></uri> <address>
</address> <email>adam@nostrum.com</email>
</author> </address>
<author initials="R." surname="Barnes" fullname="Richard Barnes"> </author>
<organization>Cisco Systems</organization> <date year="2020" month="April"/>
<address> <area>Internet</area>
<postal> <workgroup/>
<street></street> <keyword>PERC</keyword>
<city></city> <keyword>SRTP</keyword>
<code></code> <keyword>RTP</keyword>
<country></country> <keyword>conferencing</keyword>
<region></region> <keyword>encryption</keyword>
</postal> <abstract>
<phone></phone> <t>In some conferencing scenarios, it is desirable for an intermediary
<email>rlb@ipv.sx</email> to be able to manipulate some parameters in Real-time Transport Protocol (RTP)
<uri></uri>
</address>
</author>
<author initials="A.B." surname="Roach" fullname="Adam Roach">
<organization>Mozilla</organization>
<address>
<postal>
<street></street>
<city></city>
<code></code>
<country></country>
<region></region>
</postal>
<phone></phone>
<email>adam@nostrum.com</email>
<uri></uri>
</address>
</author>
<date year="2019" month="August" day="29"/>
<area>Internet</area>
<workgroup></workgroup>
<keyword>PERC</keyword>
<keyword>SRTP</keyword>
<keyword>RTP</keyword>
<keyword>conferencing</keyword>
<keyword>encryption</keyword>
<abstract>
<t>In some conferencing scenarios, it is desirable for an intermediary
to be able to manipulate some parameters in Real Time Protocol (RTP)
packets, while still providing strong end-to-end security packets, while still providing strong end-to-end security
guarantees. This document defines a cryptographic transform for the guarantees. This document defines a cryptographic transform for the
Secure Real Time Protocol (SRTP) that uses two separate but related Secure Real-time Transport Protocol (SRTP) that uses two separate but related
cryptographic operations to provide hop-by-hop and end-to-end cryptographic operations to provide hop-by-hop and end-to-end
security guarantees. Both the end-to-end and hop-by-hop security guarantees. Both the end-to-end and hop-by-hop
cryptographic algorithms can utilize an authenticated encryption cryptographic algorithms can utilize an authenticated encryption
with associated data (AEAD) algorithm or take advantage of future SRTP with associated data (AEAD) algorithm or take advantage of future SRTP
transforms with different properties. transforms with different properties.
</t> </t>
</abstract> </abstract>
</front>
</front> <middle>
<section anchor="introduction" numbered="true" toc="default">
<middle> <name>Introduction</name>
<t>Cloud conferencing systems that are based on switched conferencing
<section anchor="introduction" title="Introduction"> have a central Media Distributor (MD) device that receives media from
<t>Cloud conferencing systems that are based on switched conferencing
have a central Media Distributor device that receives media from
endpoints and distributes it to other endpoints, but does not need endpoints and distributes it to other endpoints, but does not need
to interpret or change the media content. For these systems, it is to interpret or change the media content. For these systems, it is
desirable to have one cryptographic key that enables encryption and desirable to have one cryptographic key that enables encryption and
authentication of the media authentication of the media
end-to-end while still allowing certain information in the header of end-to-end while still allowing certain information in the header of
a Real Time Protocol (RTP) packet to be changed by the Media an RTP packet to be changed by the MD.
Distributor. At the same time, a separate cryptographic key At the same time, a separate cryptographic key
provides integrity and optional confidentiality for the media provides integrity and optional confidentiality for the media
flowing between the Media Distributor and the endpoints. The flowing between the MD and the endpoints. The
framework document <xref target="I-D.ietf-perc-private-media-framework"/> framework document <xref target="I-D.ietf-perc-private-media-framework" format="
default"/>
describes this concept in more detail. describes this concept in more detail.
</t> </t>
<t>This specification defines a transform for the Secure Real Time <t>This specification defines a transform for
Protocol (SRTP) that uses the AES-GCM algorithm <xref target="RFC7714"/> to SRTP that uses 1) the AES Galois/Counter Mode (AES-GCM) algorithm <xref target="
RFC7714" format="default"/> to
provide encryption and integrity for an RTP packet for the provide encryption and integrity for an RTP packet for the
end-to-end cryptographic key as well as a hop-by-hop cryptographic end-to-end cryptographic key and 2) a hop-by-hop cryptographic
encryption and integrity between the endpoint and the Media encryption and integrity between the endpoint and the MD.
Distributor. The Media Distributor decrypts and checks integrity of The MD decrypts and checks integrity of
the hop-by-hop security. The Media Distributor MAY change some of the hop-by-hop security. The MD <bcp14>MAY</bcp14> change some of
the RTP header information that would impact the end-to-end the RTP header information that would impact the end-to-end
integrity. In that case, the original value of any RTP header field integrity. In that case, the original value of any RTP header field
that is changed is included in an &quot;Original Header Block&quot; that is that is changed is included in an "Original Header Block" that is
added to the packet. The new RTP packet is encrypted with the added to the packet. The new RTP packet is encrypted with the
hop-by-hop cryptographic algorithm before it is sent. The receiving hop-by-hop cryptographic algorithm before it is sent. The receiving
endpoint decrypts and checks integrity using the hop-by-hop endpoint decrypts and checks integrity using the hop-by-hop
cryptographic algorithm and then replaces any parameters the Media cryptographic algorithm and then replaces any parameters the MD
Distributor changed using the information in the Original Header changed using the information in the Original Header
Block before decrypting and checking the end-to-end integrity. Block before decrypting and checking the end-to-end integrity.
</t> </t>
<t>One can think of the double as a normal SRTP transform for encrypting <t>One can think of the double transform as a normal SRTP transform for en
the RTP in a way where things that only know half of the key, can crypting
the RTP in a way such that things that only know half of the key, can
decrypt and modify part of the RTP packet but not other parts, decrypt and modify part of the RTP packet but not other parts,
including the media payload. including the media payload.
</t> </t>
</section> </section>
<section anchor="terminology" numbered="true" toc="default">
<section anchor="terminology" title="Terminology"> <name>Terminology</name>
<t>The key words &quot;MUST&quot;, &quot;MUST NOT&quot;, &quot;REQUIRED&quot;, & <t>The key words "<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>", "<bcp14>R
quot;SHALL&quot;, &quot;SHALL NOT&quot;, EQUIRED</bcp14>", "<bcp14>SHALL</bcp14>", "<bcp14>SHALL
&quot;SHOULD&quot;, &quot;SHOULD NOT&quot;, &quot;RECOMMENDED&quot;, &quot;NOT R NOT</bcp14>", "<bcp14>SHOULD</bcp14>", "<bcp14>SHOULD NOT</bcp14>", "<bcp14>
ECOMMENDED&quot;, &quot;MAY&quot;, and RECOMMENDED</bcp14>", "<bcp14>NOT RECOMMENDED</bcp14>",
&quot;OPTIONAL&quot; in this document are to be interpreted as described in "<bcp14>MAY</bcp14>", and "<bcp14>OPTIONAL</bcp14>" in this document are to
BCP 14 <xref target="RFC2119"/> <xref target="RFC8174"/> when, and only when, th be interpreted as
ey appear in all described in BCP&nbsp;14 <xref target="RFC2119" format="default"/> <xref tar
capitals, as shown here. get="RFC8174" format="default"/>
when, and only when, they appear in all capitals, as shown here.
</t> </t>
<t>Terms used throughout this document include: <t>Terms used throughout this document include:
</t> </t>
<t> <dl spacing="normal">
<list style="symbols"> <dt>Media Distributor (MD):</dt>
<t>Media Distributor: A device that receives media from endpoints and <dd>A device that receives media from endpoints and
distributes it to other endpoints, but does not need to interpret distributes it to other endpoints, but does not need to interpret
or change the media content (see also or change the media content (see also
<xref target="I-D.ietf-perc-private-media-framework"/>)</t> <xref target="I-D.ietf-perc-private-media-framework" format="default"/>).</dd>
<t>end-to-end: The path from one endpoint through one or <dt>end-to-end:</dt>
more Media Distributors to the endpoint at the other end.</t> <dd>The path from one endpoint through one or
<t>hop-by-hop: The path from the endpoint to or from the more MDs to the endpoint at the other end.</dd>
Media Distributor.</t> <dt>hop-by-hop:</dt>
<t>Original Header Block (OHB): An octet string that contains the <dd>The path from the endpoint to or from the MD.</dd>
<dt>Original Header Block (OHB):</dt>
<dd>An octet string that contains the
original values from the RTP header that might have been changed original values from the RTP header that might have been changed
by a Media Distributor.</t> by an MD.</dd>
</list> </dl>
</t> </section>
</section> <section anchor="cryptographic-context" numbered="true" toc="default">
<name>Cryptographic Context</name>
<section anchor="cryptographic-context" title="Cryptographic Context"> <t>This specification uses a cryptographic context with two parts:
<t>This specification uses a cryptographic context with two parts:
</t>
<t>
<list style="symbols">
<t>An inner (end-to-end) part that is used by endpoints that originate and
consume media to ensure the integrity of media end-to-end, and</t>
<t>An outer (hop-by-hop) part that is used between endpoints and Media
Distributors to ensure the integrity of media over a single hop and to
enable a Media Distributor to modify certain RTP header fields. RTCP
is also handled using the hop-by-hop cryptographic part.</t>
</list>
</t> </t>
<t>The RECOMMENDED cipher for the hop-by-hop and end-to-end algorithm is <ul spacing="normal">
<li>An inner (end-to-end) part that is used by endpoints that originate
and
consume media to ensure the integrity of media end-to-end, and</li>
<li>An outer (hop-by-hop) part that is used between endpoints and MDs
to ensure the integrity of media over a single hop and to
enable an MD to modify certain RTP header fields. RTCP
is also handled using the hop-by-hop cryptographic part.</li>
</ul>
<t>The <bcp14>RECOMMENDED</bcp14> cipher for the hop-by-hop and end-to-end
algorithms is
AES-GCM. Other combinations of SRTP ciphers that support the AES-GCM. Other combinations of SRTP ciphers that support the
procedures in this document can be added to the IANA registry. procedures in this document can be added to the IANA registry.
</t> </t>
<t>The keys and salt for these algorithms are generated with the following <t>The keys and salt for these algorithms are generated with the following
steps: steps:
</t> </t>
<t> <ul spacing="normal">
<list style="symbols"> <li>Generate key and salt values of the length required for the combined
<t>Generate key and salt values of the length required for the combined inner (end-to-end) and outer (hop-by-hop) algorithms.</li>
inner (end-to-end) and outer (hop-by-hop) algorithms.</t> <li>Assign the key and salt values generated for the inner (end-to-end)
<t>Assign the key and salt values generated for the inner (end-to-end)
algorithm to the first half of the key and the first half of the algorithm to the first half of the key and the first half of the
salt for the double algorithm.</t> salt for the double algorithm.</li>
<t>Assign the key and salt values for the outer (hop-by-hop) algorithm <li>Assign the key and salt values for the outer (hop-by-hop) algorithm
to the second half of the key and second half of the salt for the to the second half of the key and second half of the salt for the
double algorithm. The first half of the key is referred to as the double algorithm. The first half of the key is referred to as the
inner key while the second half is referred to as the outer key. inner key while the second half is referred to as the outer key.
When a key is used by a cryptographic algorithm, the salt used is When a key is used by a cryptographic algorithm, the salt that is used is
the part of the salt generated with that key.</t> the part of the salt generated with that key.</li>
<t>the SSRC is the same for both the inner and out outer algorithms as <li>the synchronization source (SSRC) is the same for both the inner and
it can not be changed.</t> outer algorithms as
<t>The SEQ and ROC are tracked independently for the inner and outer it cannot be changed.</li>
algorithms.</t> <li>The sequence number (SEQ) and rollover counter (ROC) are tracked ind
</list> ependently for the inner and outer
</t> algorithms.</li>
<t>If the Media Distributor is to be able to modify header fields but </ul>
not decrypt the payload, then it must have cryptographic key for the <t>If the MD is to be able to modify header fields but
outer algorithm, but not the inner (end-to-end) algorithm. This not decrypt the payload, then it must have a cryptographic key for the
document does not define how the Media Distributor should be outer algorithm but not the inner (end-to-end) algorithm. This
document does not define how the MD should be
provisioned with this information. One possible way to provide provisioned with this information. One possible way to provide
keying material for the outer (hop-by-hop) algorithm is to use keying material for the outer (hop-by-hop) algorithm is to use
<xref target="I-D.ietf-perc-dtls-tunnel"/>. <xref target="I-D.ietf-perc-dtls-tunnel" format="default"/>.
</t> </t>
<section anchor="key-derivation" numbered="true" toc="default">
<section anchor="key-derivation" title="Key Derivation"> <name>Key Derivation</name>
<t>Although SRTP uses a single master key to derive keys for an SRTP <t>Although SRTP uses a single master key to derive keys for an SRTP
session, this transform requires separate inner and outer keys. session, this transform requires separate inner and outer keys.
In order to allow the inner and outer keys to be managed In order to allow the inner and outer keys to be managed
independently via the master key, the transforms defined in this independently via the master key, the transforms defined in this
document MUST be used with the following pseudo-random function document <bcp14>MUST</bcp14> be used with the following pseudorandom function
(PRF), which preserves the separation between the two halves of the (PRF), which preserves the separation between the two halves of the
key. Given a positive integer <spanx style="verb">n</spanx> representing the de key. Given a positive integer <tt>n</tt> representing the desired output
sired output length, a master key <tt>k_master</tt>, and an input <tt>x</tt>:
length, a master key <spanx style="verb">k_master</spanx>, and an input <spanx s
tyle="verb">x</spanx>:
</t> </t>
<artwork align="center" name="" type="" alt=""><![CDATA[
PRF_double_n(k_master,x) = PRF_(n/2)(inner(k_master),x) ||
PRF_(n/2)(outer(k_master),x)
]]></artwork>
<figure align="center"><artwork align="center"> <t>Here <tt>PRF_double_n(k_master, x)</tt> represents the AES_CM PRF Key
PRF\_double\_n(k\_master,x) = PRF\_(n/2)(inner(k\_master),x) || Derivation Function (KDF) (see
PRF\_(n/2)(outer(k\_master),x) <xref target="RFC3711" section="4.3.3" sectionFormat="of" format="default"/>) fo
</artwork></figure> r
<t>Here <spanx style="verb">PRF_n(k, x)</spanx> represents the AES_CM PRF KDF (s
ee Section 4.3.3
of <xref target="RFC3711"/>) for
DOUBLE_AEAD_AES_128_GCM_AEAD_AES_128_GCM algorithm and DOUBLE_AEAD_AES_128_GCM_AEAD_AES_128_GCM algorithm and
AES_256_CM_PRF KDF <xref target="RFC6188"/> for DOUBLE_AEAD_AES_256_GCM_AEAD_AES AES_256_CM_PRF KDF <xref target="RFC6188" format="default"/> for DOUBLE_AEAD_AES
_256_GCM _256_GCM_AEAD_AES_256_GCM
algorithm. <spanx style="verb">inner(key)</spanx> represents the first half of t algorithm. The term <tt>inner(k_master)</tt> represents the first half of
he key, and <spanx style="verb">outer(key)</spanx> the key; <tt>outer(k_master)</tt>
represents the second half of the key. represents the second half of the key.
</t> </t>
</section> </section>
</section> </section>
<section anchor="ohb" numbered="true" toc="default">
<section anchor="ohb" title="Original Header Block"> <name>Original Header Block</name>
<t>The Original Header Block (OHB) contains the original values of any <t>The OHB contains the original values of any
modified RTP header fields. In the encryption process, the OHB is modified RTP header fields. In the encryption process, the OHB is
included in an SRTP packet as described in <xref target="rtp-operations"/>. In the included in an SRTP packet as described in <xref target="rtp-operations" format= "default"/>. In the
decryption process, the receiving endpoint uses it to reconstruct decryption process, the receiving endpoint uses it to reconstruct
the original RTP header, so that it can pass the proper AAD value to the original RTP header so that it can pass the proper additional authenticated data (AAD) value to
the inner transform. the inner transform.
</t> </t>
<t>The OHB can reflect modifications to the following fields in an RTP header: t <t>The OHB can reflect modifications to the following fields in an RTP hea
he der: the
payload type, the sequence number, and the marker bit. All other fields in the payload type (PT), the SEQ, and the marker bit. All other fields in the
RTP header MUST remain unmodified; since the OHB cannot reflect their original RTP header <bcp14>MUST</bcp14> remain unmodified; since the OHB cannot reflect t
values, the receiver will be unable to verify the E2E integrity of the packet. heir original
values, the receiver will be unable to verify the end-to-end integrity of the pa
cket.
</t> </t>
<t>The OHB has the following syntax (in ABNF <xref target="RFC5234"/>): <t>The OHB has the following syntax (in ABNF <xref target="RFC5234" format ="default"/>):
</t> </t>
<sourcecode name="" src="" type="abnf" markers="false"><![CDATA[
<figure align="left"><artwork align="left">
OCTET = %x00-FF OCTET = %x00-FF
PT = OCTET PT = OCTET
SEQ = 2OCTET SEQ = 2OCTET
Config = OCTET Config = OCTET
OHB = [ PT ] [ SEQ ] Config OHB = [ PT ] [ SEQ ] Config
</artwork></figure> ]]></sourcecode>
<t>If present, the PT and SEQ parts of the OHB contain the original payload type <t>If present, the PT and SEQ parts of the OHB contain the original payloa
and sequence number fields, respectively. The final &quot;config&quot; octet of d type
the OHB and sequence number fields, respectively. The final "Config" octet of the OHB
specifies whether these fields are present, and the original value of the specifies whether these fields are present, and the original value of the
marker bit (if necessary): marker bit (if necessary):
</t> </t>
<artwork align="left" name="" type="" alt=""><![CDATA[
<figure align="left"><artwork align="left">
+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+
|R R R R B M P Q| |R R R R B M P Q|
+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+
</artwork></figure> ]]></artwork>
<t> <ul spacing="normal">
<list style="symbols"> <li>P: PT is present</li>
<t>P: PT is present</t> <li>Q: SEQ is present</li>
<t>Q: SEQ is present</t> <li>M: Marker bit is present</li>
<t>M: Marker bit is present</t> <li>B: Value of marker bit</li>
<t>B: Value of marker bit</t> <li>R: Reserved, <bcp14>MUST</bcp14> be set to 0</li>
<t>R: Reserved, MUST be set to 0</t> </ul>
</list>
</t> <t>In particular, an all-zero OHB Config octet (<tt>0x00</tt>) indicates t
<t>In particular, an all-zero OHB config octet (0x00) indicates that hat
there have been no modifications from the original header. there have been no modifications from the original header.
</t> </t>
<t>If the marker bit is not present (M=0), then B MUST be set to zero. <t>If the marker bit is not present (M=0), then <tt>B</tt> <bcp14>MUST</bc
That is, if <spanx style="verb">C</spanx> represents the value of the config oct p14> be set to zero.
et, then the That is, if <tt>C</tt> represents the value of the Config octet, then the
masked value <spanx style="verb">C &amp; 0x0C</spanx> MUST NOT have the value <s masked value <tt>C &amp; 0x0C</tt> <bcp14>MUST NOT</bcp14> have the value <tt>0x
panx style="verb">0x80</spanx>. 80</tt>.
</t> </t>
</section> </section>
<section anchor="rtp-operations" numbered="true" toc="default">
<section anchor="rtp-operations" title="RTP Operations"> <name>RTP Operations</name>
<t>As implied by the use of the word &quot;double&quot; above, this transform <t>As implied by the use of the word "double" above, this transform
applies AES-GCM to the SRTP packet twice. This allows media applies AES-GCM to the SRTP packet twice. This allows media
distributors to be able to modify some header fields while allowing distributors to be able to modify some header fields while allowing
endpoints to verify the end-to-end integrity of a packet. endpoints to verify the end-to-end integrity of a packet.
</t> </t>
<t>The first, &quot;inner&quot; application of AES-GCM encrypts the SRTP payload <t>The first, "inner" application of AES-GCM encrypts the SRTP payload
and integrity-protects a version of the SRTP header with extensions and protects the integrity of a version of the SRTP header with extensions
truncated. Omitting extensions from the inner integrity check means truncated. Omitting extensions from the inner integrity check means
that they can be modified by a media distributor holding only the that they can be modified by an MD holding only the outer key.
&quot;outer&quot; key.
</t> </t>
<t>The second, &quot;outer&quot; application of AES-GCM encrypts the ciphertext <t>The second, "outer" application of AES-GCM encrypts the ciphertext
produced by the inner encryption (i.e., the encrypted payload and produced by the inner encryption (i.e., the encrypted payload and
authentication tag), plus an OHB that expresses any changes made authentication tag), plus an OHB that expresses any changes made
between the inner and outer transforms. between the inner and outer transforms.
</t> </t>
<t>A media distributor that has the outer key but not the inner key may <t>An MD that has the outer key but not the inner key may
modify the header fields that can be included in the OHB by modify the header fields that can be included in the OHB by
decrypting, modifying, and re-encrypting the packet. decrypting, modifying, and re-encrypting the packet.
</t> </t>
<section anchor="encrypt" numbered="true" toc="default">
<section anchor="encrypt" title="Encrypting a Packet"> <name>Encrypting a Packet</name>
<t>To encrypt a packet, the endpoint encrypts the packet using the inner <t>An endpoint encrypts a packet by using the inner (end-to-end)
(end-to-end) cryptographic key and then encrypts using the outer cryptographic key and then the outer (hop-by-hop) cryptographic key.
(hop-by-hop) cryptographic key. The encryption also supports a mode The encryption also supports a mode
for repair packets that only does the outer (hop-by-hop) encryption. for repair packets that only does the outer (hop-by-hop) encryption.
The processes is as follows: The processes is as follows:
</t> </t>
<t> <ol spacing="normal" type="1">
<list style="numbers"> <li>Form an RTP packet. If there are any header extensions,
<t>Form an RTP packet. If there are any header extensions, they MUST they <bcp14>MUST</bcp14> use <xref target="RFC8285" format="default"/>.</li>
use <xref target="RFC8285"/>.</t> <li>If the packet is for repair mode data, skip to <xref
<t>If the packet is for repair mode data, skip to step 6.</t> target="step6" format="none">step 6</xref>.</li>
<t>Form a synthetic RTP packet with the following contents: <li>
<list style="symbols"> <t>Form a synthetic RTP packet with the following contents:</t>
<t>Header: The RTP header of the original packet with the following <ul spacing="normal">
modifications:</t> <li>
<t>The X bit is set to zero</t> <t>Header: The RTP header of the original packet with
<t>The header is truncated to remove any extensions (i.e., keep the following modifications:</t>
only the first 12 + 4 * CC bytes of the header)</t> <ul spacing="normal">
<t>Payload: The RTP payload of the original packet (including padding when prese <li>The X bit is set to zero.</li>
nt) </t> <li>The header is truncated to remove any extensions
</list></t> (i.e., keep only the first 12 + 4 * CSRC count (CC) bytes of the header).</li>
<t>Apply the inner cryptographic algorithm to the synthetic RTP packet </ul>
from the previous step.</t> </li>
<t>Replace the header of the protected RTP packet with the header of <li>Payload: The RTP payload of the original packet (including
padding when present).</li>
</ul>
</li>
<li anchor="step4a">Apply the inner cryptographic algorithm to the syn
thetic RTP packet from the previous step.</li>
<li>Replace the header of the protected RTP packet with the header of
the original packet (to restore any header extensions and reset the original packet (to restore any header extensions and reset
the X bit), and append an empty OHB (0x00) to the encrypted the X bit), and append an empty OHB (<tt>0x00</tt>) to the encrypted
payload (with the authentication tag) obtained from the step 4.</t> payload (with the authentication tag) obtained from <xref
<t>Apply the outer cryptographic algorithm to the RTP packet. If target="step4a" format="none">step 4</xref>.</li>
encrypting RTP header extensions hop-by-hop, then <xref target="RFC6904"/> MUST <li anchor="step6">Apply the outer cryptographic algorithm to the RTP
packet. If
encrypting RTP header extensions hop-by-hop, then <xref target="RFC6904" format=
"default"/> <bcp14>MUST</bcp14>
be used when encrypting the RTP packet using the outer be used when encrypting the RTP packet using the outer
cryptographic key.</t> cryptographic key.</li>
</list> </ol>
</t> <t>When using Encrypted Key Transport (EKT) <xref target="I-D.ietf-perc-
<t>When using EKT <xref target="I-D.ietf-perc-srtp-ekt-diet"/>, the EKT Field co srtp-ekt-diet" format="default"/>, the EKTField comes
mes after the SRTP packet, exactly like using EKT with any other SRTP
after the SRTP packet exactly like using EKT with any other SRTP
transform. transform.
</t> </t>
</section> </section>
<section anchor="relay" numbered="true" toc="default">
<section anchor="relay" title="Relaying a Packet"> <name>Relaying a Packet</name>
<t>The Media Distributor has the part of the key for the outer <t>The MD has the part of the key for the outer
(hop-by-hop) cryptographic algorithm, but it does not have the part (hop-by-hop) cryptographic algorithm, but it does not have the part
of the key for the (end-to-end) cryptographic algorithm. The of the key for the inner (end-to-end) cryptographic algorithm. The
cryptographic algorithm and key used to decrypt a packet and cryptographic algorithm and key used to decrypt a packet and
any encrypted RTP header extensions would be the same as those any encrypted RTP header extensions would be the same as those
used in the endpoint's outer algorithm and key. used in the endpoint's outer algorithm and key.
</t> </t>
<t>In order to modify a packet, the Media Distributor decrypts the <t>In order to modify a packet, the MD decrypts the
received packet, modifies the packet, updates the OHB with received packet, modifies the packet, updates the OHB with
any modifications not already present in the OHB, and re-encrypts any modifications not already present in the OHB, and re-encrypts
the packet using the the outer (hop-by-hop) cryptographic key the packet using the outer (hop-by-hop) cryptographic key
before transmitting. before transmitting using the following steps:
</t> </t>
<t> <ol spacing="normal" type="1">
<list style="numbers"> <li anchor="step1">Apply the outer (hop-by-hop) cryptographic algorith
<t>Apply the outer (hop-by-hop) cryptographic algorithm to decrypt the m to decrypt the
packet. If decrypting RTP header extensions hop-by-hop, then packet. If decrypting RTP header extensions hop-by-hop, then
<xref target="RFC6904"/> MUST be used. Note that the RTP payload produced by <xref target="RFC6904" format="default"/> <bcp14>MUST</bcp14> be used. Note tha t the RTP payload produced by
this decryption operation contains the original encrypted payload this decryption operation contains the original encrypted payload
with the tag from the inner transform and the OHB appended.</t> with the tag from the inner transform and the OHB appended.</li>
<t>Make any desired changes to the fields are allowed to be changed, <li>Make any desired changes to the fields that are allowed to be chan
i.e., PT, SEQ, and M. The Media Distributor MAY also make ged,
i.e., PT, SEQ, and M. The MD <bcp14>MAY</bcp14> also make
modifications to header extensions, without the need to reflect modifications to header extensions, without the need to reflect
these changes in the OHB.</t> these changes in the OHB.</li>
<t>Reflect any changes to header fields in the OHB: <li>
<list style="symbols"> <t>Reflect any changes to header fields in the OHB:
<t>If Media Distributor changed a field that is not already in the </t>
OHB, then it MUST add the original value of the field to the <ul spacing="normal">
<li>If the MD changed a field that is not already in the
OHB, then it <bcp14>MUST</bcp14> add the original value of the field to the
OHB. Note that this might result in an increase in the size of OHB. Note that this might result in an increase in the size of
the OHB.</t> the OHB.</li>
<t>If the Media Distributor took a field that had previously been <li>If the MD took a field that had previously been
modified and reset to its original value, then it SHOULD drop modified and reset to its original value, then it <bcp14>SHOULD</bcp14> drop
the corresponding information from the OHB. Note that this the corresponding information from the OHB. Note that this
might result in a decrease in the size of the OHB.</t> might result in a decrease in the size of the OHB.</li>
<t>Otherwise, the Media Distributor MUST NOT modify the OHB.</t> <li>Otherwise, the MD <bcp14>MUST NOT</bcp14> modify the OHB.</li>
</list></t> </ul>
<t>Apply the outer (hop-by-hop) cryptographic algorithm to the </li>
packet. If the RTP Sequence Number has been modified, SRTP <li anchor="step4">Apply the outer (hop-by-hop) cryptographic algorith
m to the
packet. If the RTP sequence number has been modified, SRTP
processing happens as defined in SRTP and will end up using the new processing happens as defined in SRTP and will end up using the new
Sequence Number. If encrypting RTP header extensions hop-by-hop, sequence number. If encrypting RTP header extensions hop-by-hop,
then <xref target="RFC6904"/> MUST be used.</t> then <xref target="RFC6904" format="default"/> <bcp14>MUST</bcp14> be used.</li>
</list> </ol>
</t> <t>In order to avoid nonce reuse, the cryptographic contexts
<t>In order to avoid nonce reuse, the cryptographic contexts used in used in steps
step 1 and step 5 MUST use different, independent master keys. Note <xref target="step1" format="counter">1</xref> and <xref
that this means that the key used for decryption by the MD MUST be target="step4" format="counter">4</xref> <bcp14>MUST</bcp14> use different, inde
pendent master keys. Note
that this means that the key used for decryption by the MD <bcp14>MUST</bcp14> b
e
different from the key used for re-encryption to the end recipient. different from the key used for re-encryption to the end recipient.
</t> </t>
<t>Note that if multiple MDs modify the same packet, then the first MD <t>Note that if multiple MDs modify the same packet, then the first MD
to alter a given header field is the one that adds it to the OHB. to alter a given header field is the one that adds it to the OHB.
If a subsequent MD changes the value of a header field that has If a subsequent MD changes the value of a header field that has
already been changed, then the original value will already be in the already been changed, then the original value will already be in the
OHB, so no update to the OHB is required. OHB, so no update to the OHB is required.
</t> </t>
<t>A Media Distributor that decrypts, modifies, and re-encrypts <t>An MD that decrypts, modifies, and re-encrypts
packets in this way MUST use an independent key for each recipient, packets in this way <bcp14>MUST</bcp14> use an independent key for each recipien
and MUST NOT re-encrypt the packet using the sender's keys. If the t,
Media Distributor decrypts and re-encrypts with the same key and and <bcp14>MUST NOT</bcp14> re-encrypt the packet using the sender's keys. If t
he
MD decrypts and re-encrypts with the same key and
salt, it will result in the reuse of a (key, nonce) pair, salt, it will result in the reuse of a (key, nonce) pair,
undermining the security of AES-GCM. undermining the security of AES-GCM.
</t> </t>
</section> </section>
<section anchor="decrypt" numbered="true" toc="default">
<section anchor="decrypt" title="Decrypting a Packet"> <name>Decrypting a Packet</name>
<t>To decrypt a packet, the endpoint first decrypts and verifies using <t>To decrypt a packet, the endpoint first decrypts and verifies using
the outer (hop-by-hop) cryptographic key, then uses the OHB to the outer (hop-by-hop) cryptographic key, then uses the OHB to
reconstruct the original packet, which it decrypts and verifies with reconstruct the original packet, which it decrypts and verifies with
the inner (end-to-end) cryptographic key. the inner (end-to-end) cryptographic key using the following steps:
</t> </t>
<t> <ol spacing="normal" type="1">
<list style="numbers"> <li>Apply the outer cryptographic algorithm to the packet. If the
<t>Apply the outer cryptographic algorithm to the packet. If the
integrity check does not pass, discard the packet. The result of integrity check does not pass, discard the packet. The result of
this is referred to as the outer SRTP packet. If decrypting RTP this is referred to as the outer SRTP packet. If decrypting RTP
header extensions hop-by-hop, then <xref target="RFC6904"/> MUST be used when header extensions hop-by-hop, then <xref target="RFC6904" format="default"/> <bc
decrypting the RTP packet using the outer cryptographic key.</t> p14>MUST</bcp14> be used when
<t>If the packet is for repair mode data, skip the rest of the decrypting the RTP packet using the outer cryptographic key.</li>
<li>If the packet is for repair mode data, skip the rest of the
steps. Note that the packet that results from the repair algorithm steps. Note that the packet that results from the repair algorithm
will still have encrypted data that needs to be decrypted as will still have encrypted data that needs to be decrypted as
specified by the repair algorithm sections.</t> specified by the repair algorithm sections.</li>
<t>Remove the inner authentication tag and the OHB from the end of the <li>Remove the inner authentication tag and the OHB from the end of th
payload of the outer SRTP packet.</t> e
<t>Form a new synthetic SRTP packet with: payload of the outer SRTP packet.</li>
<list style="symbols"> <li>
<t>Header = Received header, with the following modifications:</t> <t>Form a new synthetic SRTP packet with: </t>
<t>Header fields replaced with values from OHB (if any)</t> <ul spacing="normal">
<t>The X bit is set to zero</t> <li>
<t>The header is truncated to remove any extensions (i.e., keep <t>Header = Received header, with the following modifications:<
only the first 12 + 4 * CC bytes of the header)</t> /t>
<t>Payload is the encrypted payload from the outer SRTP packet (after <ul spacing="normal">
the inner tag and OHB have been stripped).</t> <li>Header fields replaced with values from OHB (if any).</l
<t>Authentication tag is the inner authentication tag from the outer i>
SRTP packet.</t> <li>The X bit is set to zero.</li>
</list></t> <li>The header is truncated to remove any extensions (i.e.,
<t>Apply the inner cryptographic algorithm to this synthetic SRTP keep
packet. Note if the RTP Sequence Number was changed by the Media only the first 12 + 4 * CC bytes of the header).</li>
Distributor, the synthetic packet has the original Sequence </ul>
Number. If the integrity check does not pass, discard the packet.</t> </li>
</list> <li>Payload is the encrypted payload from the outer SRTP packet (a
</t> fter
<t>Once the packet has been successfully decrypted, the application needs the inner tag and OHB have been stripped).</li>
<li>Authentication tag is the inner authentication tag from the ou
ter
SRTP packet.</li>
</ul>
</li>
<li>Apply the inner cryptographic algorithm to this synthetic SRTP
packet. Note if the RTP sequence number was changed by the MD, the synthetic pa
cket has the original sequence
number. If the integrity check does not pass, discard the packet.</li>
</ol>
<t>Once the packet has been successfully decrypted, the application need
s
to be careful about which information it uses to get the correct to be careful about which information it uses to get the correct
behavior. The application MUST use only the information found in the behavior. The application <bcp14>MUST</bcp14> use only the information found in
synthetic SRTP packet and MUST NOT use the other data that was in the the
synthetic SRTP packet and <bcp14>MUST NOT</bcp14> use the other data that was in
the
outer SRTP packet with the following exceptions: outer SRTP packet with the following exceptions:
</t> </t>
<t> <ul spacing="normal">
<list style="symbols"> <li>The PT from the outer SRTP packet is used for normal matching to
<t>The PT from the outer SRTP packet is used for normal matching to SDP Session Description Protocol (SDP) and codec selection.</li>
and codec selection.</t> <li>The sequence number from the outer SRTP packet is used for normal
<t>The sequence number from the outer SRTP packet is used for normal RTP ordering.</li>
RTP ordering.</t> </ul>
</list> <t>The PT and sequence number from the inner SRTP packet can be used for
</t>
<t>The PT and sequence number from the inner SRTP packet can be used for
collection of various statistics. collection of various statistics.
</t> </t>
<t>If the RTP header of the outer packet contains extensions, they MAY <t>If the RTP header of the outer packet contains extensions, they <bcp1 4>MAY</bcp14>
be used. However, because extensions are not protected end-to-end, be used. However, because extensions are not protected end-to-end,
implementations SHOULD reject an RTP packet containing headers that implementations <bcp14>SHOULD</bcp14> reject an RTP packet containing headers th at
would require end-to-end protection. would require end-to-end protection.
</t> </t>
</section> </section>
</section> </section>
<section anchor="rtcp-operations" numbered="true" toc="default">
<section anchor="rtcp-operations" title="RTCP Operations"> <name>RTCP Operations</name>
<t>Unlike RTP, which is encrypted both hop-by-hop and end-to-end using <t>Unlike RTP, which is encrypted both hop-by-hop and end-to-end using
two separate cryptographic keys, RTCP is encrypted using only the outer two separate cryptographic keys, RTCP is encrypted using only the outer
(hop-by-hop) cryptographic key. The procedures for RTCP encryption (hop-by-hop) cryptographic key. The procedures for RTCP encryption
are specified in <xref target="RFC3711"/> and this document introduces no are specified in <xref target="RFC3711" format="default"/>, and this document in troduces no
additional steps. additional steps.
</t> </t>
</section> </section>
<section anchor="use-with-other-rtp-mechanisms" numbered="true" toc="default
<section anchor="use-with-other-rtp-mechanisms" title="Use with Other RTP Mechan ">
isms"> <name>Use with Other RTP Mechanisms</name>
<t>Media Distributors sometimes interact with RTP media packets sent <t>MDs sometimes interact with RTP media packets sent
by endpoints, e.g., to provide recovery or receive commands via by endpoints, e.g., to provide recovery or receive commands via
DTMF. When media packets are encrypted end-to-end, these procedures dual-tone multi-frequency (DTMF) signaling. When media packets are encrypted en d-to-end, these procedures
require modification. (End-to-end interactions, including require modification. (End-to-end interactions, including
end-to-end recovery, are not affected by end-to-end encryption.) end-to-end recovery, are not affected by end-to-end encryption.)
</t> </t>
<t>Repair mechanisms, in general, will need to perform recovery on <t>Repair mechanisms, in general, will need to perform recovery on
encrypted packets (double-encrypted when using this transform), encrypted packets (double-encrypted when using this transform),
since the Media Distributor does not have access to the plaintext of since the MD does not have access to the plaintext of
the packet, only an intermediate, E2E-encrypted form. the packet, only an intermediate, E2E-encrypted form.
</t> </t>
<t>When the recovery mechanism calls for the recovery packet itself to <t>When the recovery mechanism calls for the recovery packet itself to
be encrypted, it is encrypted with only the outer, hop-by-hop key. This be encrypted, it is encrypted with only the outer, hop-by-hop key. This
allows a media distributor to generate recovery packets without allows an MD to generate recovery packets without
having access to the inner, end-to-end keys. However, it also results in having access to the inner, end-to-end keys. However, it also results in
recovery packets being triple-encrypted, twice for the base recovery packets being triple-encrypted, twice for the base
transform, and once for the recovery protection. transform, and once for the recovery protection.
</t> </t>
<section anchor="rtx" numbered="true" toc="default">
<section anchor="rtx" title="RTP Retransmission (RTX)"> <name>RTP Retransmission (RTX)</name>
<t>When using RTX <xref target="RFC4588"/> with double, the cached payloads MUST <t>When using RTX <xref target="RFC4588" format="default"/> with the dou
be the ble transform, the cached payloads <bcp14>MUST</bcp14> be the
double-encrypted packets, i.e., the bits that are sent over the wire to the double-encrypted packets, i.e., the bits that are sent over the wire to the
other side. When encrypting a retransmission packet, it MUST be other side. When encrypting a retransmission packet, it <bcp14>MUST</bcp14> be
encrypted the packet in repair mode (i.e., with only the hop-by-hop key). encrypted like a packet in repair mode (i.e., with only the hop-by-hop key).
</t> </t>
<t>If the Media Distributor were to cache the inner, E2E-encrypted <t>If the MD were to cache the inner, E2E-encrypted
payload and retransmit that with an RTX OSN field prepended, then payload and retransmit it with an RTX original sequence number field prepended,
then
the modifications to the payload would cause the inner integrity the modifications to the payload would cause the inner integrity
check to fail at the receiver. check to fail at the receiver.
</t> </t>
<t>A typical RTX receiver would decrypt the packet, undo the RTX <t>A typical RTX receiver would decrypt the packet, undo the RTX
transformation, then process the resulting packet normally by transformation, then process the resulting packet normally by
using the steps in <xref target="decrypt"/>. using the steps in <xref target="decrypt" format="default"/>.
</t> </t>
</section> </section>
<section anchor="red" numbered="true" toc="default">
<section anchor="red" title="Redundant Audio Data (RED)"> <name>Redundant Audio Data (RED)</name>
<t>When using RED <xref target="RFC2198"/> with double, the processing at the se <t>When using RED <xref target="RFC2198" format="default"/> with the dou
nder ble transform, the processing at the sender
and receiver is the same as when using RED with any other SRTP and receiver is the same as when using RED with any other SRTP
transform. transform.
</t> </t>
<t>The main difference between double and any other transform is that <t>The main difference between the double transform and any other transf
in an intermediated environment, usage of RED must be end-to-end. A orm is that
Media Distributor cannot synthesize RED packets, because it lacks in an intermediated environment, usage of RED must be end-to-end.
An MD cannot synthesize RED packets, because it lacks
access to the plaintext media payloads that are combined to form a access to the plaintext media payloads that are combined to form a
RED payload. RED payload.
</t> </t>
<t>Note that FlexFEC may often provide similar or better repair <t>Note that Flexible Forward Error Correction (Flex FEC) may often prov
capabilities compared to RED. For most applications, FlexFEC is a ide similar or better repair
better choice than RED; in particular, FlexFEC has modes in which capabilities compared to RED. For most applications, Flex FEC is a
the Media Distributor can synthesize recovery packets. better choice than RED; in particular, Flex FEC has modes in which
the MD can synthesize recovery packets.
</t> </t>
</section> </section>
<section anchor="fec" numbered="true" toc="default">
<section anchor="fec" title="Forward Error Correction (FEC)"> <name>Forward Error Correction (FEC)</name>
<t>When using Flex FEC <xref target="I-D.ietf-payload-flexible-fec-scheme"/> wit <t>When using Flex FEC <xref target="RFC8627" format="default"/> with
h the double transform, repair packets <bcp14>MUST</bcp14> be constructed by first
double, repair packets MUST be constructed by first
double-encrypting the packet, then performing FEC. Processing of double-encrypting the packet, then performing FEC. Processing of
repair packets proceeds in the opposite order, performing FEC repair packets proceeds in the opposite order, performing FEC
recovery and then decrypting. This ensures that the original media recovery and then decrypting. This ensures that the original media
is not revealed to the Media Distributor but at the same time allows is not revealed to the MD but, at the same time, allows
the Media Distributor to repair media. When encrypting a packet the MD to repair media. When encrypting a packet
that contains the Flex FEC data, which is already encrypted, it MUST that contains the Flex FEC data, which is already encrypted, it <bcp14>MUST</bcp
14>
be encrypted with only the outer, hop-by-hop transform. be encrypted with only the outer, hop-by-hop transform.
</t> </t>
<t>The algorithm recommended in <xref target="I-D.ietf-rtcweb-fec"/> for repair <t>The algorithm recommended in <xref target="I-D.ietf-rtcweb-fec" forma
of video t="default"/> for repair of video
is Flex FEC <xref target="I-D.ietf-payload-flexible-fec-scheme"/>. Note that fo is Flex FEC <xref target="RFC8627" format="default"/>. Note that for
r interoperability with WebRTC, <xref target="I-D.ietf-rtcweb-fec" format="default
interoperability with WebRTC, <xref target="I-D.ietf-rtcweb-fec"/> recommends no "/> recommends not
t using additional FEC-only "m=" lines in SDP for the repair packets.
using additional FEC only m-line in SDP for the repair packets.
</t> </t>
</section> </section>
<section anchor="dtmf" numbered="true" toc="default">
<section anchor="dtmf" title="DTMF"> <name>DTMF</name>
<t>When DTMF is sent using the mechanism in <xref target="RFC4733"/>, it is <t>When DTMF is sent using the mechanism in <xref target="RFC4733" forma
end-to-end encrypted and the relay can not read it, so it cannot be t="default"/>, it is
used to control the relay. Other out of band methods to control the end-to-end encrypted; the relay cannot read it, so it cannot be
used to control the relay. Other out-of-band methods to control the
relay need to be used instead. relay need to be used instead.
</t> </t>
</section> </section>
</section> </section>
<section anchor="recommended-inner-and-outer-cryptographic-algorithms" numbe
red="true" toc="default">
<name>Recommended Inner and Outer Cryptographic Algorithms</name>
<section anchor="recommended-inner-and-outer-cryptographic-algorithms" title="Re <t>This specification recommends and defines AES-GCM as both the inner
commended Inner and Outer Cryptographic Algorithms">
<t>This specification recommends and defines AES-GCM as both the inner
and outer cryptographic algorithms, identified as and outer cryptographic algorithms, identified as
DOUBLE_AEAD_AES_128_GCM_AEAD_AES_128_GCM and DOUBLE_AEAD_AES_128_GCM_AEAD_AES_128_GCM and
DOUBLE_AEAD_AES_256_GCM_AEAD_AES_256_GCM. These algorithm provide for DOUBLE_AEAD_AES_256_GCM_AEAD_AES_256_GCM. These algorithms provide for
authenticated encryption and will consume additional processing time authenticated encryption and will consume additional processing time
double-encrypting for hop-by-hop and end-to-end. However, the double-encrypting for hop-by-hop and end-to-end. However, the
approach is secure and simple, and is thus viewed as an acceptable approach is secure and simple; thus, it is viewed as an acceptable
trade-off in processing efficiency. trade-off in processing efficiency.
</t> </t>
<t>Note that names for the cryptographic transforms are of the form <t>Note that names for the cryptographic transforms are of the form
DOUBLE_(inner algorithm)_(outer algorithm). DOUBLE_(inner algorithm)_(outer algorithm).
</t> </t>
<t>While this document only defines a profile based on AES-GCM, it is <t>While this document only defines a profile based on AES-GCM, it is
possible for future documents to define further profiles with possible for future documents to define further profiles with
different inner and outer algorithms in this same framework. For example, different inner and outer algorithms in this same framework. For example,
if a new SRTP transform was defined that encrypts some or all of the if a new SRTP transform were defined that encrypts some or all of the
RTP header, it would be reasonable for systems to have the option of RTP header, it would be reasonable for systems to have the option of
using that for the outer algorithm. Similarly, if a new transform was using that for the outer algorithm. Similarly, if a new transform were
defined that provided only integrity, that would also be reasonable to defined that provided only integrity, that would also be reasonable to
use for the outer transform as the payload data is already encrypted by the use for the outer transform as the payload data is already encrypted by the
inner transform. inner transform.
</t> </t>
<t>The AES-GCM cryptographic algorithm introduces an additional 16 <t>The AES-GCM cryptographic algorithm introduces an additional 16
octets to the length of the packet. When using AES-GCM for both the octets to the length of the packet. When using AES-GCM for both the
inner and outer cryptographic algorithms, the total additional inner and outer cryptographic algorithms, the total additional
length is 32 octets. The OHB will consume an additional 1-4 octets. length is 32 octets. The OHB will consume an additional 1-4 octets.
Packets in repair mode will carry additional repair data, further Packets in repair mode will carry additional repair data, further
increasing their size. increasing their size.
</t> </t>
</section> </section>
<section anchor="sec" numbered="true" toc="default">
<section anchor="sec" title="Security Considerations"> <name>Security Considerations</name>
<t>This SRTP transform provides protection against two classes of <t>This SRTP transform provides protection against two classes of
attacker: An network attacker that knows neither the inner nor outer attacker: a network attacker that knows neither the inner nor outer
keys, and a malicious MD that knows the outer key. Obviously, it keys and a malicious MD that knows the outer key. Obviously, it
provides no protections against an attacker that holds both the provides no protections against an attacker that holds both the
inner and outer keys. inner and outer keys.
</t> </t>
<t>The protections with regard to the network are the same as with the <t>The protections with regard to the network are the same as with the
normal SRTP AES-GCM transforms. The major difference is that the normal SRTP AES-GCM transforms. The major difference is that the
double transforms are designed to work better in a group context. double transforms are designed to work better in a group context.
In such contexts, it is important to note that because these In such contexts, it is important to note that because these
transforms are symmetric, they do not protect against attacks within transforms are symmetric, they do not protect against attacks within
the group. Any member of the group can generate valid SRTP packets the group. Any member of the group can generate valid SRTP packets
for any SSRC in use by the group. for any SSRC in use by the group.
</t> </t>
<t>With regard to a malicious MD, the recipient can verify the <t>With regard to a malicious MD, the recipient can verify the
integrity of the base header fields and confidentiality and integrity of the base header fields and confidentiality and
integrity of the payload. The recipient has no assurance, however, integrity of the payload. The recipient has no assurance, however,
of the integrity of the header extensions in the packet. of the integrity of the header extensions in the packet.
</t> </t>
<t>The main innovation of this transform relative to other SRTP <t>The main innovation of this transform relative to other SRTP
transforms is that it allows a partly-trusted MD to decrypt, modify, transforms is that it allows a partly trusted MD to decrypt, modify,
and re-encrypt a packet. When this is done, the cryptographic and re-encrypt a packet. When this is done, the cryptographic
contexts used for decryption and re-encryption MUST use different, contexts used for decryption and re-encryption <bcp14>MUST</bcp14> use different ,
independent master keys. If the same context is independent master keys. If the same context is
used, the nonce formation rules for SRTP will cause the same key and used, the nonce formation rules for SRTP will cause the same key and
nonce to be used with two different plaintexts, which substantially nonce to be used with two different plaintexts, which substantially
degrades the security of AES-GCM. degrades the security of AES-GCM.
</t> </t>
<t>In other words, from the perspective of the MD, re-encrypting <t>In other words, from the perspective of the MD, re-encrypting
packets using this protocol will involve the same cryptographic packets using this protocol will involve the same cryptographic
operations as if it had established independent AES-GCM crypto operations as if it had established independent AES-GCM crypto
contexts with the sender and the receiver. If the MD doesn't modify contexts with the sender and the receiver. This property allows
any header fields, then an MD that supports AES-GCM could be unused the use of an MD that supports AES-GCM but does not modify any
unmodified. header fields, without requiring any modification to the MD.
</t> </t>
</section> </section>
<section anchor="iana" numbered="true" toc="default">
<name>IANA Considerations</name>
<section anchor="dtlssrtp" numbered="true" toc="default">
<section anchor="iana" title="IANA Considerations"> <name>DTLS-SRTP</name>
<section anchor="dtlssrtp" title="DTLS-SRTP"> <t>IANA has added the following protection profiles to the
<t>We request IANA to add the following values to defines a DTLS-SRTP "DTLS-SRTP Protection Profiles" registry defined in <xref target="RFC5764" forma
&quot;SRTP Protection Profile&quot; defined in <xref target="RFC5764"/>. t="default"/>.
</t> </t>
<texttable> <table align="center">
<ttcol align="left">Value</ttcol> <name>Updates to the DTLS-SRTP Protection Profiles Registry</name>
<ttcol align="left">Profile</ttcol> <thead>
<ttcol align="left">Reference</ttcol> <tr>
<th align="left">Value</th>
<th align="left">Profile</th>
<th align="left">Reference</th>
</tr>
</thead>
<tbody>
<tr>
<td align="left">{0x00, 0x09}</td>
<td align="left">DOUBLE_AEAD_AES_128_GCM_AEAD_AES_128_GCM</td>
<td align="left">RFC 8723</td>
</tr>
<tr>
<td align="left">{0x00, 0x0A}</td>
<td align="left">DOUBLE_AEAD_AES_256_GCM_AEAD_AES_256_GCM</td>
<td align="left">RFC 8723</td>
</tr>
</tbody>
</table>
<c>{0x00, 0x09}</c><c>DOUBLE_AEAD_AES_128_GCM_AEAD_AES_128_GCM</c><c>RFCXXXX</c> <t>The SRTP transform parameters for each of these protection profiles a
<c>{0x00, 0x0A}</c><c>DOUBLE_AEAD_AES_256_GCM_AEAD_AES_256_GCM</c><c>RFCXXXX</c> re:
</texttable>
<t>Note to IANA: Please assign value RFCXXXX and update table to point at
this RFC for these values.
</t>
<t>The SRTP transform parameters for each of these protection are:
</t> </t>
<table align="center">
<name>SRTP Transform Parameters for DOUBLE_AEAD_AES_128_GCM_AEAD_AES_128_GCM</na
me>
<tbody>
<tr>
<th colspan="2">DOUBLE_AEAD_AES_128_GCM_AEAD_AES_128_GCM</th>
</tr>
<tr>
<td>cipher:</td>
<td>AES_128_GCM then AES_128_GCM</td>
</tr>
<tr>
<td>cipher_key_length:</td><td>256 bits</td>
</tr>
<tr>
<td>cipher_salt_length:</td><td>192 bits</td>
</tr>
<tr>
<td>aead_auth_tag_length:</td><td>256 bits</td>
</tr>
<tr>
<td>auth_function:</td><td>NULL</td>
</tr>
<tr>
<td>auth_key_length:</td><td>N/A</td>
</tr>
<tr>
<td>auth_tag_length:</td><td>N/A</td>
</tr>
<tr>
<td>maximum lifetime:</td><td>at most 2<sup>31</sup> SRTCP packets and
at most 2<sup>48</sup> SRTP packets</td>
</tr>
</tbody>
</table>
<figure align="left"><artwork align="left"> <table align="center">
DOUBLE_AEAD_AES_128_GCM_AEAD_AES_128_GCM <name>SRTP Transform Parameters for DOUBLE_AEAD_AES_256_GCM_AEAD_AES_256_GCM</na
cipher: AES_128_GCM then AES_128_GCM me>
cipher_key_length: 256 bits <tbody>
cipher_salt_length: 192 bits <tr>
aead_auth_tag_length: 256 bits <th colspan="2">DOUBLE_AEAD_AES_256_GCM_AEAD_AES_256_GCM</th>
auth_function: NULL </tr>
auth_key_length: N/A <tr>
auth_tag_length: N/A <td>cipher:</td><td>AES_256_GCM then AES_256_GCM</td>
maximum lifetime: at most 2^31 SRTCP packets and </tr>
at most 2^48 SRTP packets <tr>
<td>cipher_key_length:</td><td>512 bits</td>
DOUBLE_AEAD_AES_256_GCM_AEAD_AES_256_GCM </tr>
cipher: AES_256_GCM then AES_256_GCM <tr>
cipher_key_length: 512 bits <td>cipher_salt_length:</td><td>192 bits</td>
cipher_salt_length: 192 bits </tr>
aead_auth_tag_length: 256 bits <tr>
auth_function: NULL <td>aead_auth_tag_length:</td><td>256 bits</td>
auth_key_length: N/A </tr>
auth_tag_length: N/A <tr>
maximum lifetime: at most 2^31 SRTCP packets and <td>auth_function:</td><td>NULL</td>
at most 2^48 SRTP packets </tr>
</artwork></figure> <tr>
<t>The first half of the key and salt is used for the inner (end-to-end) <td>auth_key_length:</td><td>N/A</td>
</tr>
<tr>
<td>auth_tag_length:</td><td>N/A</td>
</tr>
<tr>
<td>maximum lifetime:</td><td>at most 2<sup>31</sup> SRTCP packets and
at most 2<sup>48</sup> SRTP packets</td>
</tr>
</tbody>
</table>
<t>The first half of the key and salt is used for the inner (end-to-end)
algorithm and the second half is used for the outer (hop-by-hop) algorithm and the second half is used for the outer (hop-by-hop)
algorithm. algorithm.
</t> </t>
</section> </section>
</section> </section>
<section anchor="acknowledgments" title="Acknowledgments">
<t>Thank you for reviews and improvements to this specification from Alex
Gouaillard, David Benham, Magnus Westerlund, Nils Ohlmeier, Paul
Jones, Roni Even, and Suhas Nandakumar. In addition, thank you to
Sergio Garcia Murillo proposed the change of transporting the OHB
information in the RTP payload instead of the RTP header.
</t>
</section>
</middle> </middle>
<back> <back>
<references title="Normative References"> <displayreference target="I-D.ietf-perc-dtls-tunnel" to="DTLS-TUNNEL"/>
<?rfc include="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.21 <displayreference target="I-D.ietf-perc-private-media-framework" to="PRIVATE
19.xml"?> -MEDIA-FRAMEWORK"/>
<?rfc include="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.37 <displayreference target="I-D.ietf-perc-srtp-ekt-diet" to="EKT-SRTP"/>
11.xml"?> <displayreference target="I-D.ietf-rtcweb-fec" to="WEBRTC-FEC"/>
<?rfc include="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.57 <references>
64.xml"?> <name>References</name>
<?rfc include="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.61 <references>
88.xml"?> <name>Normative References</name>
<?rfc include="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.69 <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.R
04.xml"?> FC.2119.xml"/>
<?rfc include="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.77 <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.R
14.xml"?> FC.3711.xml"/>
<?rfc include="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.81 <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.R
74.xml"?> FC.5764.xml"/>
<?rfc include="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.82 <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.R
85.xml"?> FC.6188.xml"/>
</references> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.R
<references title="Informative References"> FC.6904.xml"/>
<?rfc include="https://xml2rfc.tools.ietf.org/public/rfc/bibxml3/reference.I-D.i <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.R
etf-payload-flexible-fec-scheme.xml"?> FC.7714.xml"/>
<?rfc include="https://xml2rfc.tools.ietf.org/public/rfc/bibxml3/reference.I-D.i <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.R
etf-perc-dtls-tunnel.xml"?> FC.8174.xml"/>
<?rfc include="https://xml2rfc.tools.ietf.org/public/rfc/bibxml3/reference.I-D.i <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.R
etf-perc-private-media-framework.xml"?> FC.8285.xml"/>
<?rfc include="https://xml2rfc.tools.ietf.org/public/rfc/bibxml3/reference.I-D.i </references>
etf-perc-srtp-ekt-diet.xml"?> <references>
<?rfc include="https://xml2rfc.tools.ietf.org/public/rfc/bibxml3/reference.I-D.i <name>Informative References</name>
etf-rtcweb-fec.xml"?>
<?rfc include="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.21
98.xml"?>
<?rfc include="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.45
88.xml"?>
<?rfc include="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.47
33.xml"?>
<?rfc include="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.52
34.xml"?>
</references>
<section anchor="encryption-overview" title="Encryption Overview"> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.R
<t>The following figure shows a double encrypted SRTP packet. The sides FC.8627.xml"/>
<xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml3/reference.
I-D.draft-ietf-perc-dtls-tunnel-06.xml"/>
<xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml3/reference.
I-D.draft-ietf-perc-private-media-framework-12.xml"/>
<xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml3/reference.
I-D.draft-ietf-perc-srtp-ekt-diet-10.xml"/>
<xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml3/reference.
I-D.draft-ietf-rtcweb-fec-10.xml"/>
<xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.R
FC.2198.xml"/>
<xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.R
FC.4588.xml"/>
<xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.R
FC.4733.xml"/>
<xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.R
FC.5234.xml"/>
</references>
</references>
<section anchor="encryption-overview" numbered="true" toc="default">
<name>Encryption Overview</name>
<t>The following figures show a double-encrypted SRTP packet. The sides
indicate the parts of the packet that are encrypted and authenticated indicate the parts of the packet that are encrypted and authenticated
by the hop-by-hop and end-to-end operations. by the hop-by-hop and end-to-end operations.
</t> </t>
<artwork alt="" type="ascii-art"><![CDATA[
<figure align="center"><artwork align="center"> 0 1 2 3
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+&lt;++ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|V=2|P|X| CC |M| PT | sequence number | IO |V=2|P|X| CC |M| PT | sequence number |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ IO +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| timestamp | IO | timestamp |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ IO +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| synchronization source (SSRC) identifier | IO | synchronization source (SSRC) identifier |
+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ IO +=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
| contributing source (CSRC) identifiers | IO | contributing source (CSRC) identifiers |
| .... | IO | .... |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+&lt;+O +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| RTP extension (OPTIONAL) ... | |O | RTP extension (OPTIONAL) ... |
+&gt;+&gt;+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+&lt;+ +>+>+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
O O I | payload ... |
O I | payload ... | IO O I | +-------------------------------+
O I | +-------------------------------+ IO O I | | RTP padding | RTP pad count |
O I | | RTP padding | RTP pad count | IO O +>+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
O +&gt;+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+&lt;+O O | | E2E authentication tag |
O | | E2E authentication tag | |O O | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
O | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |O O | | OHB ... |
O | | OHB ... | |O +>| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+&gt;| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |+ | | | HBH authentication tag |
| | | HBH authentication tag | || | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ || | |
| | || | +- E2E Encrypted Portion
| +- E2E Encrypted Portion E2E Authenticated Portion ---+| |
| | +--- HBH Encrypted Portion
+--- HBH Encrypted Portion HBH Authenticated Portion ----+ ]]></artwork>
</artwork></figure>
</section>
</back> <artwork alt="" type="ascii-art"><![CDATA[
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<+<+
|V=2|P|X| CC |M| PT | sequence number | I O
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ I O
| timestamp | I O
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ I O
| synchronization source (SSRC) identifier | I O
+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ I O
| contributing source (CSRC) identifiers | I O
| .... | I O
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<+ O
| RTP extension (OPTIONAL) ... | | O
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<+ O
| payload ... | I O
| +-------------------------------+ I O
| | RTP padding | RTP pad count | I O
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<+ O
| E2E authentication tag | | O
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | O
| OHB ... | | O
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |<+
| HBH authentication tag | | |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | |
| |
E2E Authenticated Portion ---+ |
|
HBH Authenticated Portion -----+
]]></artwork>
</section>
<section anchor="acknowledgments" numbered="false" toc="default">
<name>Acknowledgments</name>
<t>Thank you to <contact fullname="Alex Gouaillard"/>,
<contact fullname="David Benham"/>, <contact fullname="Magnus Westerlund"/>,
<contact fullname="Nils Ohlmeier"/>, <contact fullname="Roni Even"/>, and <conta
ct fullname="Suhas Nandakumar"/>
for reviews and improvements to this specification. In addition, thank you to
<contact fullname="Sergio Garcia Murillo"/>, who proposed the change of transpor
ting the OHB
information in the RTP payload instead of the RTP header.
</t>
</section>
</back>
</rfc> </rfc>
 End of changes. 118 change blocks. 
569 lines changed or deleted 679 lines changed or added

This html diff was produced by rfcdiff 1.45. The latest version is available from http://tools.ietf.org/tools/rfcdiff/