<?xmlversion="1.0" encoding="utf-8"?> <!-- name="GENERATOR" content="github.com/mmarkdown/mmark Mmark Markdown Processor - mmark.nl" -->version='1.0' encoding='utf-8'?> <!DOCTYPE rfc SYSTEM'rfc2629.dtd' []>"rfc2629-xhtml.ent"> <rfc xmlns:xi="http://www.w3.org/2001/XInclude" ipr="trust200902" submissionType="IETF" category="std" xml:lang="en"consensus="yes" docName="draft-ietf-perc-private-media-framework-12"> <?rfc toc="yes"?><?rfc symrefs="yes"?><?rfc sortrefs="yes"?><?rfc compact="yes"?><?rfc subcompact="no"?><?rfc comments="no"?>consensus="true" docName="draft-ietf-perc-private-media-framework-12" number="8871" obsoletes="" updates="" tocInclude="true" symRefs="true" sortRefs="true" version="3"> <!-- xml2rfc v2v3 conversion 2.46.0 --> <front> <title abbrev="Private Media Framework">A Solution Framework for Private Media inPrivacy EnhancedPrivacy-Enhanced RTP Conferencing(PERC)</title><author(PERC)</title> <seriesInfo name="RFC" value="8871"/> <author initials="P." surname="Jones" fullname="Paul E.Jones"><organization>Cisco</organization><address><postal><street>7025Jones"> <organization>Cisco</organization> <address> <postal> <street>7025 Kit Creek Rd.</street> <city>Research Triangle Park</city><code>27709</code> <country>USA</country><region>North Carolina</region></postal><phone>+1<code>27709</code> <country>United States of America</country> </postal> <phone>+1 919 476 2048</phone> <email>paulej@packetizer.com</email></address></author></address> </author> <author initials="D." surname="Benham" fullname="DavidBenham"><organization>Independent</organization><address><postal><street></street> </postal><email>dabenham@gmail.com</email> </address></author>Benham"> <organization>Independent</organization> <address> <postal> <region>California</region> <country>United States of America</country> </postal> <email>dabenham@gmail.com</email> </address> </author> <author initials="C." surname="Groves" fullname="ChristianGroves"><organization>Independent</organization><address><postal><street></street>Groves"> <organization>Independent</organization> <address> <postal> <street/> <city>Melbourne</city> <country>Australia</country></postal><email>cngroves.std@gmail.com</email> </address></author> <date/> <area>Internet</area><workgroup></workgroup><keyword>PERC</keyword></postal> <email>cngroves.std@gmail.com</email> </address> </author> <date month="January" year="2021"/> <keyword>PERC</keyword> <keyword>Private Media Framework</keyword> <keyword>conferencing</keyword><abstract><t>This<abstract> <t>This document describes a solution framework for ensuring that media confidentiality and integrity are maintainedend-to-endend to end within the context of a switched conferencing environment wheremedia distributorsMedia Distributors are not trusted with the end-to-end media encryption keys. The solution builds upon existing security mechanisms defined for thereal-time transport protocolReal-time Transport Protocol (RTP).</t> </abstract> </front> <middle> <section anchor="introduction"title="Introduction">numbered="true" toc="default"> <name>Introduction</name> <t>Switched conferencing is an increasingly popular model for multimedia conferences with multiple participants using a combination of audio, video, text, and other media types. With this model, real-time media flows from conference participants are not mixed, transcoded,transrated,translated, recomposed, or otherwise manipulated by a Media Distributor, as might be the case with a traditional media server ormultipoint control unitMultipoint Control Unit (MCU). Instead, media flows transmitted by conference participants are simply forwarded by Media Distributors to each of the other participants. Media Distributors often forward only a subset of flows based on voice activity detection or other criteria. In some instances, Media Distributors may make limited modifications to RTP headers <xreftarget="RFC3550"></xref> headers,target="RFC3550" format="default"/>, for example, but the actual media content (e.g., voice or video data) is unaltered.</t> <t>An advantage of switched conferencing is that Media Distributors can be more easily deployed on general-purpose computing hardware, including virtualized environments in private and public clouds. Virtualized public cloud environments have been viewed as lesssecuresecure, since resources are not always physically controlled by those who use them. This document defines improved security so as to lower the barrier to taking advantage of those environments.</t> <t>This document defines a solution framework wherein media privacy is ensured by making it impossible for a Media Distributor to gain access to keys needed to decrypt or authenticate the actual media content sent between conference participants. At the same time, the framework allows for the Media Distributors to modify certain RTP headers; add, remove, encrypt, or decrypt RTP header extensions; and encrypt and decrypt RTP Control Protocol (RTCP) packets <xreftarget="RFC3550"></xref> packets.target="RFC3550" format="default"/>. The framework also prevents replay attacks by authenticating each packet transmitted between a given participant and the Media Distributor using a unique key perEndpointendpoint that is independent from the key for media encryption and authentication.</t> <t>This solution framework provides for enhanced privacy in RTP-based conferencing environments while utilizing existing security procedures defined for RTP with minimal enhancements.</t> </section> <section anchor="conventions-used-in-this-document"title="Conventionsnumbered="true" toc="default"> <name>Conventions Used in ThisDocument">Document</name> <t>The key words"MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY","<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>", "<bcp14>REQUIRED</bcp14>", "<bcp14>SHALL</bcp14>", "<bcp14>SHALL NOT</bcp14>", "<bcp14>SHOULD</bcp14>", "<bcp14>SHOULD NOT</bcp14>", "<bcp14>RECOMMENDED</bcp14>", "<bcp14>NOT RECOMMENDED</bcp14>", "<bcp14>MAY</bcp14>", and"OPTIONAL""<bcp14>OPTIONAL</bcp14>" in this document are to be interpreted as described inBCP 14BCP 14 <xreftarget="RFC2119"></xref>target="RFC2119"/> <xreftarget="RFC8174"></xref>target="RFC8174"/> when, and only when, they appear in all capitals, as shown here.</t> <t>Additionally, this solution framework uses the following terms andacronyms:</t> <t>End-to-End (E2E): Communicationsabbreviations:</t> <dl newline="false" spacing="normal"> <dt>End-to-End (E2E):</dt><dd>Communications from oneEndpointendpoint through one or more Media Distributors to theEndpointendpoint at the otherend.</t> <t>Hop-by-Hop (HBH): Communicationsend.</dd> <dt>Hop-by-Hop (HBH):</dt><dd>Communications between anEndpointendpoint and a Media Distributor or between MediaDistributors.</t> <t>TrustedDistributors.</dd> <dt>Trusted Endpoint (or simplyEndpoint): Anendpoint):</dt><dd>An RTPflow terminatingflow-terminating entity that has possession of E2E media encryption keys and terminates E2E encryption. This may include embedded user conferencing equipment or browsers on computers, media gateways, MCUs, media recordingdevicesdevices, andmoremore, that are in the trusted domain for a given deployment. In the context of WebRTC <xreftarget="W3C.CR-webrtc-20180927"></xref>,target="W3C.CR-webrtc" format="default"/>, where control of a session is divided between a JavaScript application and a browser, the browser acts as the Trusted Endpoint for purposes of this framework (just as it acts as the endpoint for DTLS-SRTP <xreftarget="RFC5764"></xref>target="RFC5764" format="default"/> in one-to-onecalls).</t> <t>Mediacalls).</dd> <dt>Media Distributor(MD): An(MD):</dt><dd>An RTP middlebox that forwardsEndpointendpoint media content (e.g., voice or video data)unaltered,unaltered -- either a subset or all of the flows at any giventime,time -- and is never allowed to have access to E2E encryption keys. It operates according to the Selective Forwarding Middlebox RTP topologies <xreftarget="RFC7667"></xref>target="RFC7667" format="default"/> per the constraints defined by thePERCPrivate Media in Privacy-Enhanced RTP Conferencing (PERC) system, which includes, but is not limited to, having no access to RTP media plaintext and having limits on what RTP headerfieldfields it can alter. The header fields that may be modified by a Media Distributor are enumerated inSection 4 of the Double<xref target="RFC8723" sectionFormat="of" section="4">the double cryptographic transformspecification <xref target="I-D.ietf-perc-double"></xref>specification</xref> and chosen with respect to utility and the security considerations outlined in thisdocument.</t> <t>Key Distributor: Andocument.</dd> <dt>Key Distributor:</dt><dd>An entity that is a logical functionwhichthat distributes keying material and related information to Trusted Endpoints and MediaDistributor(s),Distributor(s) -- onlythat whichwhat is appropriate for each. The Key Distributor might be co-resident with another entity trusted with E2E keyingmaterial.</t> <t>Conference: Twomaterial.</dd> <dt>Conference:</dt><dd>Two or more participants communicating via Trusted Endpoints to exchange RTP flows through one or more MediaDistributor.</t> <t>Call Processing: AllDistributors.</dd> <dt>Call Processing:</dt><dd>All Trusted Endpointsin the conferenceconnect toit bya conference via a call processing dialog,such ase.g., with theFocus"focus" as defined inthe<xref target="RFC4353" format="default">"A Framework for Conferencing withSIP <xref target="RFC4353"></xref>.</t> <t>Third Party: Anythe Session Initiation Protocol (SIP)"</xref>.</dd> <dt>Third Party:</dt><dd>Any entity that is not anEndpoint,endpoint, Media Distributor, KeyDistributorDistributor, orCall Processingcall processing entity as described in thisdocument.</t>document.</dd> </dl> </section> <section anchor="perc-entities-and-trust-model"title="PERCnumbered="true" toc="default"> <name>PERC Entities and TrustModel"> <t>The following figureModel</name> <t><xref target="fig-trust-model"/> depicts the trust relationships, direct or indirect, between entities described in the subsequentsub-sections.subsections. Note that these entities may be co-located or further divided into multiple, separate physical devices.</t> <t>Please note that some entities classified as untrusted in the simple, general deployment scenario used most commonly in this document might be considered trusted in other deployments. This document does not preclude such scenarios, but it keeps the definitions and examples focused by only using the simple, most general deployment scenario.</t> <figureanchor="fig-trust-model" align="center" title="Trustedanchor="fig-trust-model"> <name>Trusted and Untrusted Entities inPERC ">PERC</name> <artworkalign="center">align="center" name="" type="" alt=""><![CDATA[ | +----------+ | +-----------------+ | Endpoint | | | Call Processing | +----------+ | +-----------------+ | | +----------------+ | +--------------------+ | Key Distributor| | | Media Distributor | +----------------+ | +--------------------+ | Trusted | Untrusted Entities | Entities| </artwork>|]]></artwork> </figure> <section anchor="untrusted-entities"title="Untrusted Entities">numbered="true" toc="default"> <name>Untrusted Entities</name> <t>The architecture described in this framework document enables conferencing infrastructure to be hosted in domains, such as in a cloud conferencing provider's facilities, where the trustworthiness is below the level needed to assume that the privacy of the participant's media is not compromised. The conferencing infrastructure in such a domain is still trusted with reliably connecting the participants together in aconference,conference but is not trusted with keying material needed to decrypt any of the participant's media. Entities in suchlower trustworthinessless-trustworthy domains are referred to as untrusted entities from this point forward.</t> <t>It is important to understand thatuntrusted"untrusted" in this document does not mean that an entity is not expected to function properly. Rather, it means only that the entity does not have access to the E2E media encryption keys.</t> <section anchor="media-distributor"title="Media Distributor">numbered="true" toc="default"> <name>Media Distributor</name> <t>A Media Distributor forwards RTP flows betweenEndpointsendpoints in the conference while performing per-hop authentication of each RTP packet. The Media Distributor may need access to one or more RTP headers or header extensions, potentially adding or modifying a certain subset. The Media Distributor also relays secured messaging between theEndpointsendpoints and the Key Distributor and acquires per-hop key information from the Key Distributor. The actual media content must not be decryptable by a Media Distributor, as it isuntrustednot trusted to have access to the E2E media encryption keys. The key exchange mechanisms specified in this framework prevent the Media Distributor from gaining access to the E2E media encryption keys.</t> <t>AnEndpoint'sendpoint's ability to connect to a conference serviced by a Media Distributordoes implyimplies that theEndpointendpoint is authorized to have access to the E2E media encryption keys,asalthough the Media Distributor does not have the ability to determine whether anEndpointendpoint is authorized. Instead, the Key Distributor is responsible for authenticating theEndpointendpoint (e.g., using WebRTCIdentityidentity assertions <xreftarget="I-D.ietf-rtcweb-security-arch"></xref>)target="RFC8827" format="default"/>) and determining its authorization to receive E2E and HBH media encryptionkeys.</t>keys. </t> <t>A Media Distributor must perform its role in properly forwarding media packets while taking measures to mitigate the adverse effects ofdenial of servicedenial-of-service attacks (refer to <xreftarget="attacks"></xref>)target="attacks" format="default"/>) to a level equal to or better than traditional conferencing (non-PERC) deployments.</t> <t>A Media Distributor or associated conferencing infrastructure may also initiate or terminate variousconference controlmessaging techniques relatedmessaging, whichto conference control. This topic is outside the scope of this framework document.</t> </section> <section anchor="call-processing"title="Call Processing"> <t>The callnumbered="true" toc="default"> <name>Call Processing</name> <t>Call processingfunctionis untrusted in the simple, general deployment scenario. When a physical subset ofthecall processingfunctionresides in facilities outside the trusted domain, it should not be trusted to have access to E2E key information.</t><t>The call<t>Call processingfunctionmay include the processing of call signaling messages, as well as the signing of those messages. It may also authenticate theEndpointsendpoints for the purpose of call signaling and of subsequently joiningofa conference hosted through one or more Media Distributors. Call processing may optionally ensure the privacy of call signaling messages betweenitself,itself (call processing), theEndpoint,endpoint, and other entities.</t> </section> </section> <section anchor="trusted-entities"title="Trusted Entities">numbered="true" toc="default"> <name>Trusted Entities</name> <t>From the PERC modelsystemsystem's perspective, entities considered trusted (refer to <xreftarget="fig-trust-model"></xref>)target="fig-trust-model" format="default"/>) can be in possession of the E2E media encryption keys for one or more conferences.</t> <section anchor="endpoint"title="Endpoint">numbered="true" toc="default"> <name>Endpoint</name> <t>AnEndpointendpoint is considered trusted and has access to E2E key information. While it is possible for anEndpointendpoint to be compromised, subsequently performing in undesired ways, definingEndpointendpoint resistance to compromise is outside the scope of this document. Endpoints take measures to mitigate the adverse effects ofdenial of servicedenial-of-service attacks (refer to <xreftarget="attacks"></xref>)target="attacks" format="default"/>) from other entities, including from otherEndpoints,endpoints, to a level equal to or better than traditional conference (non-PERC) deployments.</t> </section> <section anchor="key_distributor"title="Key Distributor">numbered="true" toc="default"> <name>Key Distributor</name> <t>The Key Distributor, which may becolocatedco-located with anEndpointendpoint or exist standalone, is responsible for providing key information toEndpointsendpoints for bothend-to-end (E2E)E2E andhop-by-hop (HBH)HBH security and for providing key information to Media Distributors forthe hop-by-hopHBH security.</t> <t>Interaction between the Key Distributor andthecall processingfunctionis necessary for properconference-to-Endpointconference-to-endpoint mappings. This is described in <xreftarget="conf-id"></xref>.</t>target="conf-id" format="default"/>.</t> <t>The Key Distributor needs to be secured and managed in a wayto preventthat prevents exploitation by an adversary, as any kind of compromise of the Key Distributor puts the security of the conference at risk.</t><t>They<t>The Key Distributor needs to know whichEndpointsendpoints and which Media Distributors are authorized to participate in the conference. How the Key Distributor obtains this information is outside the scope of this document. However, Key DistributorsMUST<bcp14>MUST</bcp14> reject DTLS associations with any unauthorizedEndpointendpoint or Media Distributor.</t> </section> </section> </section> <section anchor="framework-for-perc"title="Frameworknumbered="true" toc="default"> <name>Framework forPERC">PERC</name> <t>The purposeforof this framework is to define a means through which media privacy is ensured when communicating within a conferencing environment consisting of one or more Media Distributors that only switch, and hence do not terminate, media. It does not otherwise attempt to hide the fact that a conference betweenEndpointsendpoints is taking place.</t> <t>This framework reuses several specified RTP security technologies, including the Secure Real-time Transport Protocol (SRTP) <xreftarget="RFC3711"></xref>,target="RFC3711" format="default"/>, Encrypted Key Transport (EKT) <xreftarget="I-D.ietf-perc-srtp-ekt-diet"></xref>,target="RFC8870" format="default"/>, and DTLS-SRTP.</t> <section anchor="end-to-end-and-hop-by-hop-authenticated-encryption"title="End-to-Endnumbered="true" toc="default"> <name>E2E-Authenticated andHop-by-Hop Authenticated Encryption">HBH-Authenticated Encryption</name> <t>This solution framework focuses on theend-to-endE2E privacy and integrity of the participant's media by limiting access to only trusted entities to the E2E key used for authenticatedend-to-endE2E encryption. However, this framework does give a Media Distributor access to RTPheadersheader fields and header extensions, as well as the ability to modify a certain subset of the header fields and to add or change header extensions. Packets received by a Media Distributor or anEndpointendpoint are authenticatedhop-by-hop.</t>hop by hop.</t> <t>To enable all of the above, this framework defines the use of two security contexts and two associated encryption keys: an"inner""inner" key(an(a distinct E2E keydistinctfor each transmitted media flow) for authenticated encryption of RTP media betweenEndpointsendpoints and an"outer""outer" key(HBH(a HBH key) known only to a Media Distributor or the adjacentEndpointendpoint for the hop between anEndpointendpoint and a Media Distributor or peerEndpoint.endpoint. AnEndpointendpoint will receive one or more E2E keys from every otherEndpointendpoint in the conference that correspond to the media flows transmitted by those otherEndpoints,endpoints, while HBH keys are derived from the DTLS-SRTP association with the Key Distributor. Two communicating Media Distributors use DTLS-SRTP associations directly with each other to obtain the HBH keys they will use. See <xreftarget="key_exchange"></xref>target="key_exchange" format="default"/> for more details on key exchange.</t> <figureanchor="fig-e2e-and-hbh-keys-used" align="center" title="E2Eanchor="fig-e2e-and-hbh-keys-used"> <name>E2E and HBH Keys Used for Authenticated Encryption of SRTPPackets ">Packets</name> <artworkalign="center">+-------------+align="center" name="" type="" alt=""><![CDATA[+-------------+ +-------------+ | |################################| | | Media |------------------------*----->|*----->| Media | | Distributor|<----------------------*-|------||<----------------------*-|------| Distributor | | X |#####################*#|#|######| Y | | | | | | | | +-------------+ | | | +-------------+ # ^ | # HBH Key (XY) -+ | | # ^ | # # | | # E2E Key (B) ---+ | # | | # # | | # E2E Key (A) -----+ # | | # # | | # # | | # # | | # # | | # # | | *---- HBH Key (AX) HBH Key (YB) ----* | | # # | | # # | | # # *--------- E2E Key (A) E2E Key (A) ---------* # # | *------- E2E Key (B) E2E Key (B) -------* | # # | | # # | | # # | v # # | v # +-------------+ +-------------+ | Endpoint A | | Endpoint B | +-------------++-------------+ </artwork>+-------------+]]></artwork> </figure> <t>TheDoubledouble transform <xreftarget="I-D.ietf-perc-double"></xref>target="RFC8723" format="default"/> enablesEndpointsendpoints to perform encryption using both theend-to-endE2E andhop-by-hopHBH contexts while still preserving the same overall interface as other SRTP transforms. The Media Distributor simply uses the corresponding normal (single) AES-GCM transform, keyed with the appropriate HBH keys. See <xreftarget="keyinventory"></xref>target="keyinventory" format="default"/> for a description of the keys used in PERC and <xreftarget="packetformat"></xref>target="packetformat" format="default"/> for a diagram of how encrypted RTP packets appear on the wire.</t> <t>RTCP is only encryptedhop-by-hop,hop by hop -- notend-to-end.end to end. This frameworkintroduces nodoes not provide an additional step forRTCP authenticated encryption, soRTCP-authenticated encryption. Rather, implementations utilize the existing proceduresneeded arespecified in <xreftarget="RFC3711"></xref> andtarget="RFC3711" format="default"/>; those procedures use the same outer,hop-by-hopHBH cryptographic context chosen in theDoubledouble transform operation described above. For this reason,Endpoints MUST NOTendpoints <bcp14>MUST NOT</bcp14> send confidential information via RTCP.</t> </section> <section anchor="e2e-key-confidentiality"title="E2Enumbered="true" toc="default"> <name>E2E KeyConfidentiality">Confidentiality</name> <t>To ensure the confidentiality of E2E keys shared betweenEndpoints, Endpointsendpoints, endpoints use a common Key Encryption Key (KEK) that is known only by the trusted entities in a conference. That KEK, defined in the EKT specification <xreftarget="I-D.ietf-perc-srtp-ekt-diet"></xref>target="RFC8870" format="default"/> as the EKT Key, is used to subsequently encrypt the SRTP master key used forE2E authenticatedE2E-authenticated encryption of media sent by a givenEndpoint.endpoint. EachEndpointendpoint in the conference creates an SRTP master key forE2E authenticatedE2E-authenticated encryption andkeepkeeps track of the E2E keys received via the Full EKT Tag for each distinct synchronization source (SSRC) in the conference so that it can properly decrypt received media. AnEndpointendpoint may change its E2E key at any time and advertise that new key to the conference as specified in <xreftarget="I-D.ietf-perc-srtp-ekt-diet"></xref>.</t>target="RFC8870" format="default"/>.</t> </section> <section anchor="e2e_keys_ops"title="E2Enumbered="true" toc="default"> <name>E2E Keys and EndpointOperations">Operations</name> <t>Any given RTP media flow is identified by its SSRC, and anEndpointendpoint might send more than one at a time and change the mix of media flows transmitted during thelifelifetime of a conference.</t> <t>Thus, anEndpoint MUSTendpoint <bcp14>MUST</bcp14> maintain a list of SSRCs from received RTP flows and each SSRC's associated E2E key information. AnEndpoint MUSTendpoint <bcp14>MUST</bcp14> discard old E2E keys no later than when it leaves theconference (see <xref target="keyexchange"></xref>).</t>conference.</t> <t>If the packet is to contain RTP header extensions, it should be noted that those extensions are only encryptedHBHhop by hop per <xreftarget="I-D.ietf-perc-double"></xref>.target="RFC8723" format="default"/>. For this reason,Endpoints MUST NOTendpoints <bcp14>MUST NOT</bcp14> transmit confidential information via RTP header extensions.</t> </section> <section anchor="hbh-keys-and-per-hop-operations"title="HBHnumbered="true" toc="default"> <name>HBH Keys andPer-hop Operations">Per-Hop Operations</name> <t>To ensure the integrity of transmitted media packets, it isREQUIRED<bcp14>REQUIRED</bcp14> that every packet be authenticatedhop-by-hophop by hop between anEndpointendpoint and a Media Distributor, as well as between Media Distributors. The authentication key used forhop-by-hopHBH authentication is derived from an SRTP master key shared only on the respective hop. Each HBH key is distinct perhophop, and no two hops ever use the same SRTP master key.</t> <t>WhileEndpointsendpoints also perform HBH authentication, the ability of theEndpointsendpoints to reconstruct the original RTP header also enables theEndpointsendpoints to authenticate RTP packetsE2E.end to end. This design yields flexibility to the Media Distributor to change certain RTP header values as packets are forwarded.Which valuesValues that the Media Distributor can change in the RTP header are defined in <xreftarget="I-D.ietf-perc-double"></xref>.target="RFC8723" format="default"/>. RTCP can only be encryptedhop-by-hop,hop by hop, giving the Media Distributor the flexibility toforward(1) forward RTCP content unchanged,transmit(2) transmit compound RTCPpackets or to initiatepackets, (3) initiate RTCP packets for reportingstatisticsstatistics, orconveying(4) convey other information. Performinghop-by-hopHBH authentication for all RTP and RTCP packets also helps provide replay protection (see <xreftarget="attacks"></xref>).target="attacks" format="default"/>). The use of the replay protection mechanism specified inSection 3.3.2 of<xreftarget="RFC3711"></xref>target="RFC3711" sectionFormat="of" section="3.3.2"/> isREQUIRED<bcp14>REQUIRED</bcp14> at each hop.</t> <t>If there is a need to encrypt one or more RTP header extensionshop-by-hop,hop by hop, theEndpointendpoint derives an encryption key from the HBH SRTP master key to encrypt header extensions as per <xreftarget="RFC6904"></xref>.target="RFC6904" format="default"/>. This still gives the Media Distributor visibility into header extensions, such as the one used to determine the audio level <xreftarget="RFC6464"></xref>target="RFC6464" format="default"/> of conference participants. Note that when RTP header extensions are encrypted, all hops need to decrypt and re-encrypt these encrypted header extensions. Please refer toSections 5.1 through 5.3Sections <xref target="RFC8723" section="5.1" sectionFormat="bare"/>, <xref target="RFC8723" section="5.2" sectionFormat="bare"/>, and <xref target="RFC8723" section="5.3" sectionFormat="bare"/> of <xreftarget="I-D.ietf-perc-double"></xref>target="RFC8723"/> for procedures to perform RTP header extension encryption and decryption.</t> </section> <section anchor="key_exchange"title="Key Exchange">numbered="true" toc="default"> <name>Key Exchange</name> <t>In brief, the keys used by any givenEndpointsendpoints are determinedin the following way:</t> <t> <list style="symbols"> <t>Theas follows:</t> <ul spacing="normal"> <li>The HBH keys that theEndpointendpoint uses to send and receive SRTP media are derived from a DTLS handshake that theEndpointendpoint performs with the Key Distributor (following normal DTLS-SRTPprocedures).</t> <t>Theprocedures).</li> <li>The E2E key that anEndpointendpoint uses to send SRTP media caneitherbe either set from the DTLS-SRTP association with the Key Distributor or chosen by theEndpoint.endpoint. It is then distributed to otherEndpointsendpoints in a Full EKT Tag, encrypted under an EKT Key provided to the client by the Key Distributor within the DTLS channel they negotiated. Note that anEndpoint MAYendpoint <bcp14>MAY</bcp14> create a different E2E key per media flow, where a media flow is identified by its SSRCvalue.</t> <t>Eachvalue.</li> <li>Each E2E key that anEndpointendpoint uses to receive SRTP media is set by receiving a Full EKT Tag from anotherEndpoint.</t> <t>Theendpoint.</li> <li>The HBH keys used between two Media Distributorsisare derivedfromvia DTLS-SRTP procedures employed directly betweenthem.</t> </list> </t>them.</li> </ul> <section anchor="initial-key-exchange-and-key-distributor"title="Initialnumbered="true" toc="default"> <name>Initial Key Exchange and KeyDistributor">Distributor</name> <t>The Media Distributor maintains a tunnel with the Key Distributor (e.g., using the tunnel protocol defined in <xreftarget="I-D.ietf-perc-dtls-tunnel"></xref>),target="I-D.ietf-perc-dtls-tunnel" format="default"/>), making it possible for the Media Distributor to facilitate the establishment of a secure DTLS association between eachEndpointendpoint and the Key Distributor as shownthe following figure.in <xref target="fig-initial-key-exchange"/>. The DTLS association betweenEndpointsendpoints and the Key Distributor enables eachEndpointendpoint to generate E2E and HBH keys and receive the KEK. At the same time, the Key Distributor securely provides the HBH key information to the Media Distributor. The key information summarized here may include the SRTP master key, the SRTP master salt, and the negotiated cryptographic transform.</t> <figureanchor="fig-initial-key-exchange" align="center" title="Exchanginganchor="fig-initial-key-exchange"> <name>Exchanging Key InformationBetween Entities ">between Entities</name> <artworkalign="center">align="center" name="" type="" alt=""><![CDATA[ +-----------+ KEK info | Key | HBH Key info to to Endpoints |Distributor| Endpoints&& Media Distributor +-----------+ # ^ ^ # # | | #--- Tunnel # | | # +-----------+ +-----------+ +-----------+ | Endpoint | DTLS | Media | DTLS | Endpoint | | KEK|<------------|Distributor|------------>||<------------|Distributor|------------>| KEK | | HBH Key | to Key Dist | HBH Keys | to Key Dist | HBH Key | +-----------+ +-----------++-----------+ </artwork>+-----------+]]></artwork> </figure> <t>In addition to the secure tunnel between the Media Distributor and the Key Distributor, there are two additional types of security associations utilized as a part of the keyexchangeexchange, as discussed in the following paragraphs. One is a DTLS-SRTP association between anEndpointendpoint and the Key Distributor (with packets passing through the MediaDistributor)Distributor), and the other is a DTLS-SRTP association between peer Media Distributors.</t> <t>Endpoints establish a DTLS-SRTP association over the RTP session with the Media Distributor and its media ports for the purposes of key information exchange with the Key Distributor. The Media Distributor does not terminate the DTLSsignaling,signaling but instead forwards DTLS packets received from anEndpointendpoint on to the Key Distributor (and vice versa) via a tunnel established between the Media Distributor and the Key Distributor.</t><t>In<t>When establishing the DTLS association betweenEndpointsendpoints and the Key Distributor, theEndpoint MUSTendpoint <bcp14>MUST</bcp14> act as the DTLSclientclient, and the Key DistributorMUST<bcp14>MUST</bcp14> act as the DTLS server. The KEK is conveyed by the Key Distributor over the DTLS association toEndpointsendpoints via procedures defined in EKT <xreftarget="I-D.ietf-perc-srtp-ekt-diet"></xref>target="RFC8870" format="default"/> via the EKTKey message.</t> <t>The Key DistributorMUST NOT<bcp14>MUST NOT</bcp14> establish DTLS-SRTP associations withEndpointsendpoints without first authenticating the Media Distributor tunneling the DTLS-SRTP packets from theEndpoint.</t>endpoint.</t> <t>Note that following DTLS-SRTP procedures for the cipher defined in <xreftarget="I-D.ietf-perc-double"></xref> cipher,target="RFC8723" format="default"/>, theEndpointendpoint generates both E2E and HBH encryption keys and salt values. EndpointsMUST<bcp14>MUST</bcp14> either use theDTLS-SRTP generatedDTLS-SRTP-generated E2E key for transmission or generate a fresh E2E key. In either case, the generated SRTP master salt for E2E encryptionMUST<bcp14>MUST</bcp14> be replaced with the salt value provided by the Key Distributor via the EKTKey message. That is because everyEndpointendpoint in the conference uses the same SRTP master salt. TheEndpointendpoint only transmits the SRTP master key (not the salt) used for E2E encryption to otherEndpointsendpoints in RTP/RTCP packets per <xreftarget="I-D.ietf-perc-srtp-ekt-diet"></xref>.</t>target="RFC8870" format="default"/>.</t> <t>Media Distributors use DTLS-SRTP directly with a peer Media Distributor to establish the HBH key for transmitting RTP and RTCP packets to that peer Media Distributor. The Key Distributor does not facilitate establishing a HBH key for use between Media Distributors.</t> </section> <section anchor="keyexchange"title="Keynumbered="true" toc="default"> <name>Key Exchange during aConference">Conference</name> <t>Following the initial key information exchange with the Key Distributor, anEndpointendpoint is able to encrypt mediaend-to-endend to end with an E2E key, sending that E2E key to otherEndpointsendpoints encrypted with the KEK, and is able to encrypt and authenticate RTP packets using a HBH key.The procedures defined doThis framework does not allow the Media Distributor to gain access to the KEK information, preventing it from gaining access to anyEndpoint'sendpoint's E2E key and subsequently decrypting media.</t> <t>The KEK may need to change fromtime-to-timetime to time during thelifelifetime of a conference, such as when a new participant joins or leaves a conference. Dictating if,whenwhen, or how often a conference is to bere-keyedrekeyed is outside the scope of this document, but this framework does accommodatere-keyingrekeying during thelifelifetime of a conference.</t> <t>When a Key Distributor decides tore-keyrekey a conference, it transmits a new EKTKey message containing the new EKT Key to each of the conference participants. Upon receipt of the new EKT Key, theEndpoint MUSTendpoint <bcp14>MUST</bcp14> create a new SRTP master key and prepare to send that key inside aFull EKT FieldFullEKTField using the new EKT Key as perSection 4.5 of<xreftarget="I-D.ietf-perc-srtp-ekt-diet"></xref>.target="RFC8870" sectionFormat="of" section="4.5"/>. In order to allow time for allEndpointsendpoints in the conference to receive the new keys, the sender should follow the recommendations inSection 4.7 of [I-D.ietf-perc-srtp-ekt-diet].<xref target="RFC8870" sectionFormat="of" section="4.6"/>. On receiving a new EKT Key,Endpoints MUSTendpoints <bcp14>MUST</bcp14> be prepared to decrypt EKTtagsTags using the new key. The EKTSPISecurity Parameter Index (SPI) field is used to differentiate betweentagsEKT Tags encrypted with the old and new keys.</t> <t>Afterre-keying,rekeying, anEndpoint SHOULDendpoint <bcp14>SHOULD</bcp14> retain prior SRTP master keys and EKTKeyKeys for a period of time sufficient for the purpose of ensuring that it can decrypt late-arriving or out-of-order packets or packets sent by otherEndpointsendpoints that used the prior keys for a period of time afterre-keyingrekeying began. AnEndpoint MAYendpoint <bcp14>MAY</bcp14> retain old keys until the end of the conference.</t> <t>EndpointsMAY<bcp14>MAY</bcp14> follow the procedures insection 5.2 of<xreftarget="RFC5764"></xref>target="RFC5764" sectionFormat="of" section="5.2"/> to renegotiate HBH keys as desired. If new HBH keys are generated, the new keys are also delivered to the Media Distributor following the procedures defined in <xreftarget="I-D.ietf-perc-dtls-tunnel"></xref>target="I-D.ietf-perc-dtls-tunnel" format="default"/> as one possible method.</t><t>Endpoints MAY<t>At any time, endpoints <bcp14>MAY</bcp14> change the E2E encryption keyused at any time.being used. AnEndpoint MUSTendpoint <bcp14>MUST</bcp14> generate a new E2E encryption key whenever it receives a new EKT Key. After switching to a new key, the new key is conveyed to otherEndpointsendpoints in the conference in RTP/RTCP packets per <xreftarget="I-D.ietf-perc-srtp-ekt-diet"></xref>.</t>target="RFC8870" format="default"/>.</t> </section> </section> </section> <section anchor="authentication"title="Authentication">numbered="true" toc="default"> <name>Authentication</name> <t>It is importantto this solution frameworkthattheentities can validate the authenticity of other entities, especially the Key Distributor andEndpoints. The details ofendpoints. Details on this topic are outside the scope ofspecificationthis specification, but a few possibilities are discussed in the following sections. The critical requirements are thatan Endpoint(1) an endpoint can verify that it is connected to the correct Key Distributor for the conference andthe(2) the Key Distributor can verify that theEndpointendpoint is the correctEndpointendpoint for the conference.</t> <t>Two possible approaches tosolveresolve this situation areIdentity Assertionsidentity assertions andCertificate Fingerprints.</t>certificate fingerprints.</t> <section anchor="identity-assertions"title="Identity Assertions"> <t>WebRTC Identitynumbered="true" toc="default"> <name>Identity Assertions</name> <t>A WebRTC identity assertion <xreftarget="I-D.ietf-rtcweb-security-arch"></xref>target="RFC8827" format="default"/> is used to bind the identity of the user of theEndpointendpoint to the fingerprint of the DTLS-SRTP certificate used for the call. This certificate is unique for a given call and a conference. Thisallowscertificate is unique for a given call and a conference, allowing the Key Distributor to ensure that only authorized users participate in the conference.SimilarlySimilarly, the Key Distributor can create a WebRTCIdentityidentity assertion to bind the fingerprint of the unique certificate used by the Key Distributor for this conference so that theEndpointendpoint canvalidateverify that it is talking to the correct Key Distributor. Such a setup requires an Identity Provider(Idp)(IdP) trusted by theEndpointsendpoints and the Key Distributor.</t> </section> <section anchor="certificate-fingerprints-in-session-signaling"title="Certificatenumbered="true" toc="default"> <name>Certificate Fingerprints in SessionSignaling">Signaling</name> <t>Entities managing session signaling are generally assumed to be untrusted in the PERC framework. However, there are some deployment scenarios where parts of the session signaling may be assumed trustworthy for the purposes of exchanging, in a manner that can be authenticated, the fingerprint of an entity's certificate.</t> <t>As a concrete example, SIP <xreftarget="RFC3261"></xref>target="RFC3261" format="default"/> and the Session Description Protocol (SDP) <xreftarget="RFC4566"></xref>target="RFC4566" format="default"/> can be used to convey the fingerprint information per <xreftarget="RFC5763"></xref>.target="RFC5763" format="default"/>. AnEndpoint'sendpoint's SIP User Agent would send an INVITE message containing SDP for the media session along with theEndpoint'sendpoint's certificate fingerprint, which can be signed using the procedures described in <xreftarget="RFC8224"></xref>target="RFC8224" format="default"/> for the benefit of forwarding the message to other entities by theFocusfocus <xreftarget="RFC4353"></xref>.target="RFC4353" format="default"/>. Other entities can verify that the fingerprints match the certificates found in the DTLS-SRTP connections to find the identity of the far end of the DTLS-SRTP connection and verify that it is the authorized entity.</t> <t>Ultimately, if using session signaling, anEndpoint'sendpoint's certificate fingerprint would need to be securely mapped to a user and conveyed to the Key Distributor so that it can check thatthatthe user in question is authorized. Similarly, the Key Distributor's certificate fingerprint can be conveyed to anEndpointendpoint in a manner that can be authenticated as being an authorized Key Distributor for this conference.</t> </section> <section anchor="conf-id"title="Conference Identification">numbered="true" toc="default"> <name>Conference Identification</name> <t>The Key Distributor needs to know whatEndpointsendpoints are being added to a given conference. Thus, the Key Distributor and the Media Distributor need to knowEndpoint-to-conferenceendpoint-to-conference mappings, whichisare enabled by exchanging a conference-specific unique identifierdefinedas described in <xreftarget="I-D.ietf-perc-dtls-tunnel"></xref>.target="I-D.ietf-perc-dtls-tunnel" format="default"/>. How this unique identifier is assigned is outside the scope of this document.</t> </section> </section> <section anchor="perc-keys"title="PERC Keys">numbered="true" toc="default"> <name>PERC Keys</name> <t>This section describes the various keys employed by PERC.</t> <section anchor="keyinventory"title="Keynumbered="true" toc="default"> <name>Key Inventory and ManagementConsiderations">Considerations</name> <t>This section summarizes the several different keys used in the PERC framework, how they are generated, and what purpose they serve.</t> <t>The keys are described in the order in which they would typically be acquired.</t> <t>The various keys used in PERC are shown in <xreftarget="key-inventory-table"></xref>target="key-inventory-table" format="default"/> below.</t><figure anchor="key-inventory-table" align="center" title="Key Inventory "> <artwork align="center">+-----------+----------------------------------------------------+ | Key | Description | +-----------+----------------------------------------------------+ | HBH Key | SRTP<table anchor="key-inventory-table"> <name>Key Inventory</name> <thead> <tr> <th align="center">Key</th> <th align="center">Description</th> </tr> </thead> <tbody> <tr> <td>HBH Key</td> <td>SRTP master key used to encrypt mediahop-by-hop. | +-----------+----------------------------------------------------+ | KEK | Keyhop by hop.</td> </tr> <tr> <td>KEK (EKT Key)</td> <td>Key shared by allEndpointsendpoints and used to encrypt| | (EKT Key) |eachEndpoint'sendpoint's E2E SRTP master key so receiving| | | Endpointsendpoints can decryptmedia. | +-----------+----------------------------------------------------+ | E2E Key | SRTPmedia.</td> </tr> <tr> <td>E2E Key</td> <td>SRTP master key used to encrypt mediaend-to-end. | +-----------+----------------------------------------------------+ </artwork> </figure>end to end.</td> </tr> </tbody> </table> <t>While the number of key types is very small, it should be understood that the actual number of distinct keys can be large as the conference grows in size.</t> <t>As an example, with 1,000 participants in a conference, there would be at least 1,000 distinct SRTP master keys, all of which share the same master salt. Each of those keysareis passed through theKDFKey Derivation Function (KDF) as defined in <xreftarget="RFC3711"></xref>target="RFC3711" format="default"/> to produce the actual encryption and authentication keys.</t> <t>Complicating key management is the fact that the KEK can change and, when it does, theEndpointsendpoints generate new SRTP master keys that are associated with a new EKT SPI. Endpoints might retain old keys for a period of time to ensure that they can properly decrypt late-arriving or out-of-order packets, which means that the number of keys held during that period of time might be substantiallymore.</t>higher.</t> <t>A more detailed explanation of each of the keys follows.</t> </section> <section anchor="dtls-srtp-exchange-yields-hbh-keys"title="DTLS-SRTPnumbered="true" toc="default"> <name>DTLS-SRTP Exchange Yields HBHKeys">Keys</name> <t>The first set of keys acquired are forhop-by-hopHBH encryption and decryption. Per theDoubledouble transform procedures <xreftarget="I-D.ietf-perc-double"></xref> procedures,target="RFC8723" format="default"/>, theEndpointendpoint performs a DTLS-SRTP exchange with the Key Distributor and receives a key that is, in fact,"double""double" the size that is needed. Theend-to-endE2E part is the first half of the key, so theEndpointendpoint discards that information when generating its own key. The second half of thekeykeying material is forhop-by-hopHBH operations, so that half of the key (corresponding to the least significant bits) is assigned internally as the HBH key.</t> <t>The Key Distributor informs the Media Distributor of the HBH key. Specifically, the Key Distributor sends the least significant bits corresponding to the half of the keying material determined through DTLS-SRTP with theEndpointendpoint to the Media Distributor. A salt value is generated along with the HBH key. The salt is also longer than needed forhop-by-hop operations, thusHBH operations; thus, only the least significant bits of the required length (half of the generated salt material) are sent to the Media Distributor. One way to transmit this key and salt information is via the tunnel protocol defined in <xreftarget="I-D.ietf-perc-dtls-tunnel"></xref>.</t>target="I-D.ietf-perc-dtls-tunnel" format="default"/>.</t> <t>No twoEndpointsendpoints have the same HBHkey, thuskey; thus, the Media DistributorMUST<bcp14>MUST</bcp14> keep track of each distinct HBH key (and the corresponding salt) and use it only for the specified hop.</t> <t>The HBH key is also used forhop-by-hopHBH encryption of RTCP. RTCP is notend-to-end encryptedE2E-encrypted in PERC.</t> </section> <section anchor="the-key-distributor-transmits-the-kek-ekt-key"title="Thenumbered="true" toc="default"> <name>The Key Distributor Transmits the KEK (EKTKey)"> <t>Via the aforementioned DTLS-SRTP association, theKey)</name> <t>The Key Distributor sends theEndpoint theKEK(EKT(the EKT Key per <xreftarget="I-D.ietf-perc-srtp-ekt-diet"></xref>).target="RFC8870" format="default"/>) to the endpoint via the aforementioned DTLS-SRTP association. This key is known only to the Key Distributor andEndpoints. This keyendpoints; it is the most important entity toprotectprotect, since having knowledge of this key (and the SRTP master salt transmitted as a part of the same message) allows an entity to decrypt any media packet in the conference.</t> <t>Note that the Key Distributor can send any number of EKT Keys toEndpoints.endpoints. This information is used tore-keyrekey the entire conference. Each key is identified bya "Security Parameter Index" (SPI)an SPI value. EndpointsMUST<bcp14>MUST</bcp14> expect that a conference might bere-keyedrekeyed when a new participant joins a conference or when a participant leaves aconferenceconference, in order to protect the confidentiality of the conversation before and after such events.</t> <t>The SRTP master salt to be used by theEndpointendpoint is transmitted along with the EKT Key. AllEndpointsendpoints in the conference utilize the same SRTP master salt that corresponds with a given EKT Key.</t> <t>The Full EKT Tag in media packets is encrypted using a cipher specified via the EKTKey message (e.g., AES Key Wrap with a 128-bit key). This cipher is different than the cipher used to protect media and is only used to encrypt theEndpoint'sendpoint's SRTP master key (and other EKT Tag data as per <xreftarget="I-D.ietf-perc-srtp-ekt-diet"></xref>).</t>target="RFC8870" format="default"/>).</t> <t>TheMedia DistributorKEK is not given to theKEK.</t>Media Distributor.</t> </section> <section anchor="endpoints-fabricate-an-srtp-master-key"title="Endpoints fabricatenumbered="true" toc="default"> <name>Endpoints Fabricate an SRTP MasterKey">Key</name> <t>As stated earlier, the E2E key determined via DTLS-SRTPMAY<bcp14>MAY</bcp14> be discarded in favor of alocally-generatedlocally generated E2E SRTP master key. While the DTLS-SRTP-derived SRTP master key can be used initially, theEndpointendpoint might choose to change the SRTP master key periodically andMUST<bcp14>MUST</bcp14> change the SRTP master key as a result of the EKTkeyKey changing.</t> <t>Alocally-generatedlocally generated SRTP master key is used along with the master salt transmitted to theEndpointendpoint from the Key Distributor via the EKTKey message to encrypt mediaend-to-end.</t>end to end.</t> <t>Since the Media Distributor is not involved in E2E functions, it does not create thiskeykey, nor does it have access to anyEndpoint'sendpoint's E2E key. Note, too, that even the Key Distributor is unaware of thelocally-generatedlocally generated E2E keys used by eachEndpoint.</t>endpoint.</t> <t>TheEndpointendpoint transmits its E2E key to otherEndpointsendpoints in the conference by periodically including it in SRTP packets in a Full EKT Tag. When placed in the Full EKT Tag, it is encrypted using the EKT Key provided by the Key Distributor. The master salt is not transmitted, though, since allEndpointsendpoints receive the same master salt via the EKTKey message from the Key Distributor. The recommended frequency with which anEndpointendpoint transmits its SRTP master key is specified in <xreftarget="I-D.ietf-perc-srtp-ekt-diet"></xref>.</t>target="RFC8870" format="default"/>.</t> </section> <section anchor="summary-of-key-types-and-entity-possession"title="Summarynumbered="true" toc="default"> <name>Summary of Key Types and EntityPossession">Possession</name> <t>AllEndpointsendpoints have knowledge of the KEK.</t> <t>Every HBH key is distinct for a givenEndpoint, thusendpoint; thus, Endpoint A and Endpoint B do not have knowledge of the other's HBH key. Since HBH keys are derived from a DTLS-SRTP association, there is at most one HBH key perEndpoint,endpoint. (The only exception is where the DTLS-SRTP association might be rekeyed perSection 5.2 of<xreftarget="RFC5764"></xref>target="RFC5764" sectionFormat="of" section="5.2"/> and a new key is created to replace the former key.)</t> <t>EachEndpointendpoint generates its own E2E key (SRTP masterkey), thuskey); thus, there is a distinct E2E key per endpoint. This key is transmitted (encrypted) via the Full EKT Tag to otherEndpoints.endpoints. Endpoints that receive media from a given transmittingEndpointendpoint gain knowledge of the transmitter's E2E key via the Full EKT Tag.</t><t>To summarize<t><xref target="who-has-what-key-table" format="default"/> summarizes the various keys and which entity is in possession of a givenkey, refer to <xref target="fig-who-has-what-key"></xref>.</t> <figure anchor="fig-who-has-what-key" align="center" title="Keyskey.</t> <table anchor="who-has-what-key-table"> <name>Key Types and EntityPossession "> <artwork align="center">+----------------------+------------+-------+-------+------------+ | Key / Entity | Endpoint A | MD X | MD Y | Endpoint B | +----------------------+------------+-------+-------+------------+ | KEKPossession</name> <thead> <tr> <th align="center">Key/Entity</th> <th align="center">Endpoint A</th> <th align="center">MD X</th> <th align="center">MD Y</th> <th align="center">Endpoint B</th> </tr> </thead> <tbody> <tr> <td>KEK (EKTKey) | Yes | No | No | Yes | +----------------------+------------+-------+-------+------------+ | E2EKey)</td> <td align="center">Yes</td> <td align="center">No</td> <td align="center">No</td> <td align="center">Yes</td> </tr> <tr> <td>E2E Key (A andB) | Yes | No | No | Yes | +----------------------+------------+-------+-------+------------+ | HBHB)</td> <td align="center">Yes</td> <td align="center">No</td> <td align="center">No</td> <td align="center">Yes</td> </tr> <tr> <td>HBH Key (A<=>MDX) | Yes | Yes | No | No | +----------------------+------------+-------+-------+------------+ | HBHX)</td> <td align="center">Yes</td> <td align="center">Yes</td> <td align="center">No</td> <td align="center">No</td> </tr> <tr> <td>HBH Key (B<=>MDY) | No | No | Yes | Yes | +----------------------+------------+---------------+------------+ | HBHY)</td> <td align="center">No</td> <td align="center">No</td> <td align="center">Yes</td> <td align="center">Yes</td> </tr> <tr> <td>HBH Key (MD X<=>MDY)| No | Yes | Yes | No | +----------------------+------------+---------------+------------+ </artwork> </figure>Y)</td> <td align="center">No</td> <td align="center">Yes</td> <td align="center">Yes</td> <td align="center">No</td> </tr> </tbody> </table> </section> </section> <section anchor="packetformat"title="Encryptednumbered="true" toc="default"> <name>Encrypted Media PacketFormat">Format</name> <t><xreftarget="fig-perc-packet-format"></xref>target="fig-perc-packet-format" format="default"/> presents a complete picture of what an encrypted media packet per this framework looks like when transmitted over the wire. The packet format shown in the figure is encrypted using theDoubledouble cryptographic transform with an EKT Tag appended to the end.</t> <figureanchor="fig-perc-packet-format" align="center" title="Encryptedanchor="fig-perc-packet-format"> <name>Encrypted Media PacketFormat ">Format</name> <artworkalign="center">align="center" name="" type="" alt=""><![CDATA[ 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<+++-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<++ |V=2|P|X| CC |M| PT | sequence number | IO +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ IO | timestamp | IO +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ IO | synchronization source (SSRC) identifier | IO +=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ IO | contributing source (CSRC) identifiers | IO | .... | IO+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<+O+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<+O | RTP extension (OPTIONAL) ... | |O+>+>+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<+O+>+>+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<+O O I | payload ... | IO O I | +-------------------------------+ IO O I | | RTP padding | RTP pad count | IO O+>+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<+O+>+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<+O O | | E2E authentication tag | |O O | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |O O | | OHB ... | |O+>|+>| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |+ | | | HBH authentication tag | || | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ || | | | EKT Tag ... | R || | | +-+-+-+-+-+-+-+-+-+ | || | | +- Neither encrypted nor authenticated; || | | appended afterDouble is performedthe double transform || | | is performed || | | || | +-E2E EncryptedE2E-Encrypted PortionE2E AuthenticatedE2E-Authenticated Portion ---+| | | +---HBH EncryptedHBH-Encrypted PortionHBH AuthenticatedHBH-Authenticated Portion ----+ I = Inner (E2E)encryption / authenticationencryption/authentication O = Outer (HBH)encryption / authentication </artwork>encryption/authentication]]></artwork> </figure> </section> <section anchor="attacks"title="Security Considerations">numbered="true" toc="default"> <name>Security Considerations</name> <section anchor="third-party-attacks"title="Third Party Attacks"> <t>Third partynumbered="true" toc="default"> <name>Third-Party Attacks</name> <t>Third-party attacks are attacks attempted by an adversary that is not supposed to have access to keying material or is otherwise not an authorized participant in the conference.</t> <t>On-path attacks are mitigated byhop-by-hopHBH integrity protection and encryption. The integrity protection mitigates packetmodification and encryptionmodification. Encryption makes selective blocking of packets harder, but not impossible.</t> <t>Off-path attackers could try connecting to different PERC entities to send specifically crafted packets with an aim of forcing the receiver to forward or render bogus media packets. Endpoints and Media Distributors mitigate such an attack by performinghop-by-hopHBH authentication and discarding packets that fail authentication.</t> <t>Another attack vector is a third party claiming to be a Media Distributor, foolingEndpointsendpoints into sending packets to the false Media Distributor instead of the correct one. The deceived sendingEndpointsendpoints could incorrectly assume that their packets have been delivered toEndpointsendpoints when they in fact have not. While this attack is possible, the result is a simple denial of service with no leakage of confidential information, since the false Media Distributor would not have access to either HBH or E2E encryption keys.</t> <t>A third party could cause adenial-of-servicedenial of service by transmitting many bogus or replayed packets toward receiving devicesthatand ultimatelydegradedegrading conference or device performance. Therefore, implementations might wish to devise mechanisms to safeguard against such illegitimate packets, such as utilizing rate-limiting or performing basicsanity-checkssanity checks on packets (e.g., looking at packet length or expected sequence numberranges)ranges), before performingmore expensivedecryptionoperations.</t> <t>Useoperations that are more expensive.</t> <t>The use of mutual DTLS authentication (as required by DTLS-SRTP) also helps to prevent a denial-of-service attack by preventing a falseEndpointendpoint or false Media Distributor from successfully participating as a perceived valid media sender that could otherwise carry out an on-path attack. When mutual authentication fails, a receivingEndpointendpoint would know that it could safely discard media packets received from theEndpointendpoint without inspection.</t> </section> <section anchor="media-distributor-attacks"title="Medianumbered="true" toc="default"> <name>Media DistributorAttacks">Attacks</name> <t>A malicious or compromised Media Distributor can attack the session in a number of possibleways.</t>ways, as discussed below.</t> <section anchor="denial-of-service"title="Denialnumbered="true" toc="default"> <name>Denial ofservice">Service</name> <t>A simple form of attack is discarding received packets that should be forwarded. This solution framework does notintroduceprovide any mitigation mechanisms for Media Distributors that fail to forward media packets.</t> <t>Another form of attack is modifying received packets before forwarding. With this solution framework, any modification of theend-to-end authenticatedE2E-authenticated data results in the receivingEndpointendpoint getting an integrity failure when performing authentication on the received packet.</t> <t>The Media Distributor can also attempt to perform resource consumption attacks on the receivingEndpoint.endpoint. One such attack would be to insert random SSRC/CSRC values in any RTP packet along with a Full EKT Tag.Since Since such a message would trigger the receiver to form a new cryptographic context, the Media Distributor can attempt to consume the receivingEndpoint'sendpoint's resources. While E2E authentication would fail and the cryptographic context would be destroyed, the key derivation operation would nonetheless consume some computational resources. While resource consumption attacks cannot be mitigated entirely, rate-limiting packets might help reduce the impact of such attacks.</t> </section> <section anchor="replay-attack"title="Replay Attack">numbered="true" toc="default"> <name>Replay Attacks</name> <t>A replay attack iswhenanalready receivedattack where an already-received packet from a previous point in the RTP stream is replayed as a new packet. This could, for example, allow a Media Distributor to transmit a sequence of packets identified as a user saying"yes","yes", instead of the"no""no" the user actually said.</t> <t>A replay attack is mitigated by the requirement to implement replay protection as described inSection 3.3.2 of<xreftarget="RFC3711"></xref>. End-to-endtarget="RFC3711" sectionFormat="of" section="3.3.2"/>. E2E replay protectionMUST<bcp14>MUST</bcp14> be provided for the duration of the conference.</t> </section> <section anchor="delayed-playout-attack"title="Delayednumbered="true" toc="default"> <name>Delayed PlayoutAttack">Attacks</name> <t>A delayed playout attack isonean attack where media is received and held by a Media Distributor and then forwarded toEndpointsendpoints at a later point in time.</t> <t>This attack is possible even if E2E replay protection is in place. Because the Media Distributor is allowed to select a subset of streams and not forward the rest to a receiver, such as in forwarding only the most active speakers, the receiver has to accept gaps in the E2E packet sequence. Theissue with thisproblem here is that a Media Distributor canselectchoose to not deliver a particular stream for a while.</t> <t>While the Media Distributor can purposely stop forwarding media flows, it can also select an arbitrary starting point to resume forwarding those mediaflow,flows, perhaps forwarding old packets rather than current packets. As a consequence, what the media source sent can be substantially delayed at the receiver with the receiver believing that newly arriving packets are delayed only by transport delay when the packets may actually be minutes or hours old.</t> <t>While this attack cannot be eliminated entirely, its effectiveness can be reduced byre-keyingrekeying the conferenceperiodicallyperiodically, sincesignificantly-delayedsignificantly delayed media encrypted with expired keys would not be decrypted byEndpoints.</t>endpoints.</t> </section> <section anchor="splicing-attack"title="Splicing Attack">numbered="true" toc="default"> <name>Splicing Attacks</name> <t>A splicing attack is an attack where a Media Distributor receiving multiple media sources splices one media stream into the other. If the Media Distributor were able to change the SSRC without the receiver having any method for verifying the original source ID, then the Media Distributor could first deliver stream A and then later forward stream B under the same SSRCasthat stream A was previously using. By including the SSRC in the integrity check for eachpacket,packet -- both HBH andE2E,E2E -- PERC prevents splicing attacks.</t> </section> <section anchor="rtcp-attacks"title="RTCP Attacks">numbered="true" toc="default"> <name>RTCP Attacks</name> <t>PERC does not provideend-to-endE2E protection of RTCP messages. This allows a compromised Media Distributor to impact any message that might be transmitted via RTCP, including media statistics, picture requests, or loss indication. It is also possible for a compromised Media Distributor to forge requests, such as requests to theEndpointendpoint to send a new picture. Such requests can consume significant bandwidth and impair conference performance.</t> </section> </section> <section anchor="key-distributor-attacks"title="Keynumbered="true" toc="default"> <name>Key DistributorAttacks">Attacks</name> <t>As stated in <xreftarget="key_distributor"></xref>,target="key_distributor" format="default"/>, the Key Distributor needs to besecuredsecured, since exploiting the Key Server can allow an adversary to gain access to the keying material for one or more conferences. Having access to that keying material would then allow the adversary to decrypt media sent from anyEndpointendpoint in the conference.</t> <t>As a first line of defense, the Key Distributor authenticates every securityassociation, bothassociation -- associations withEndpointsboth endpoints and Media Distributors. The Key Distributor knows which entities are authorized to have access to whichkeyskeys, and inspection of certificates will substantially reduce the risk of providing keys to an adversary.</t> <t>Both physical and network access to the Key Distributor should be severely restricted. This may be more difficult to achieve when the Key Distributor is embeddedwithin and Endpoint,within, forexample.example, an endpoint. Nonetheless, consideration should be given to shielding the Key Distributor from unauthorized access or any access that is not strictly necessary for the support of an ongoing conference.</t> <t>Consideration should be given to whether access to the keying material will be needed beyond the conclusion of a conference. If not needed, the Key Distributor's policy should be to destroy the keying material once the conference concludes or when keying material changes during the course of the conference. If keying material is needed beyond the lifetime of the conference, further consideration should be given to protecting keying material from future exposure. While it mightbeseem obvious, it is worthstatingmaking this point, to avoid any doubt that if an adversary were to record the media packets transmitted during a conference and then gain unauthorized access to the keying material left unsecured on the Key Distributor even years later, the adversary could decrypt the content of every packet transmitted during the conference.</t> </section> <section anchor="endpoint-attacks"title="Endpoint Attacks">numbered="true" toc="default"> <name>Endpoint Attacks</name> <t>A Trusted Endpoint is so named because conference confidentiality relies heavily on the security and integrity of theEndpoint.endpoint. If an adversary successfully exploits a vulnerability in anEndpoint,endpoint, it might be possible for the adversary to obtain all of the keying material used in the conference. With that keying material, an adversary could decrypt any of the media flows received from any otherEndpoint,endpoint, either inreal-timereal time or at a later point in time (assuming that the adversary makes a copy of the media packets).</t> <t>Additionally, if an adversary successfully exploits anEndpoint,endpoint, the adversary could inject media into the conference.One wayFor example, an adversary coulddo that is by manipulatingmanipulate the RTP or SRTP software to transmit whatever media the adversary wishes to send. This could involvere-use oftheEndpoint's SSRC, a new SSRC, orreuse of the compromised endpoint's SSRCvalue of an existing endpoint. This is made possibleor, since all conference participants share the sameKEK.KEK, the use of a new SSRC or the SSRC value of another endpoint. Only a single SRTP cipher suite defined provides source authentication properties that allow an endpoint to cryptographically assert that it sent a particularE2E protectedE2E-protected packet (namely,TESLATimed Efficient Stream Loss-Tolerant Authentication (TESLA) <xreftarget="RFC4383"></xref>),target="RFC4383" format="default"/>), and its usage is presently not defined for PERC. The suite defined in PERC only allows anEndpointendpoint to determine that whoever sent a packet had received the KEK.</t> <t>However, attacks on the endpoint are not limited to the PERC-specific software within theEndpoint.endpoint. An attacker could inject media or record media by manipulating the software that sits between the PERC-enabled application and the hardware microphone of a video camera, for example. Likewise, an attacker could potentially access confidential media by accessing memory, cache, disk storage, etc. if the endpoint isnonot secured.</t> </section> </section> <section anchor="iana-considerations"title="IANA Considerations"> <t>There arenumbered="true" toc="default"> <name>IANA Considerations</name> <t>This document has no IANAconsiderations for this document.</t>actions.</t> </section> </middle> <back> <displayreference target="I-D.ietf-perc-dtls-tunnel" to="PERC-DTLS"/> <references> <name>References</name> <references> <name>Normative References</name> <!-- draft-ietf-perc-double (RFC 8723; Published) --> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.8723.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.3711.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.3550.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.2119.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.8174.xml"/> <!-- draft-ietf-perc-srtp-ekt-diet (RFC 8870) --> <reference anchor="RFC8870" target="https://www.rfc-editor.org/info/rfc8870"> <front> <title>Encrypted Key Transport for DTLS and Secure RTP</title> <author initials="C" surname="Jennings" fullname="Cullen Jennings"> <organization>company</organization> </author> <author initials="J" surname="Mattsson" fullname="John Mattsson"> <organization>company</organization> </author> <author initials="D" surname="McGrew" fullname="David A. McGrew"> <organization>company</organization> </author> <author initials="D" surname="Wing" fullname="Dan Wing"> <organization>company</organization> </author> <author initials="F" surname="Andreasen" fullname="Flemming Andreasen"> <organization>company</organization> </author> <date month="January" year="2021"/> </front> <seriesInfo name="RFC" value="8870"/> <seriesInfo name="DOI" value="10.17487/RFC8870"/> </reference> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.6904.xml"/> </references> <references> <name>Informative References</name> <reference anchor="W3C.CR-webrtc" target="https://www.w3.org/TR/webrtc/"> <front> <title>WebRTC 1.0: Real-time Communication Between Browsers</title> <author initials="C." surname="Jennings" fullname="Cullen Jennings"> <organization/> </author> <author initials="H." surname="Boström" fullname="Henrik Boström"> <organization/> </author> <author initials="J-I." surname="Bruaroey" fullname="Jan-Ivar Bruaroey"> <organization/> </author> <date/> </front> <refcontent>W3C Proposed Recommendation</refcontent> </reference> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.5764.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.7667.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.4353.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.3261.xml"/> <!-- draft-ietf-perc-dtls-tunnel (Expired) --> <xi:include href="https://datatracker.ietf.org/doc/bibxml3/reference.I-D.ietf-perc-dtls-tunnel.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.4566.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.4383.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.6464.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.5763.xml"/> <!-- draft-ietf-rtcweb-security-arch (RFC 8827) --> <reference anchor="RFC8827" target="https://www.rfc-editor.org/info/rfc8827"> <front> <title>WebRTC Security Architecture</title> <author initials='E.' surname='Rescorla' fullname='Eric Rescorla'> <organization/> </author> <date month='January' year='2021'/> </front> <seriesInfo name="RFC" value="8827"/> <seriesInfo name="DOI" value="10.17487/RFC8827"/> </reference> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.8224.xml"/> </references> </references> <section anchor="acknowledgments"title="Acknowledgments">numbered="false" toc="default"> <name>Acknowledgments</name> <t>The authors would like to thankMo Zanaty, Christian Oien,<contact fullname="Mo Zanaty"/>, <contact fullname="Christian Oien"/>, andRichard Barnes<contact fullname="Richard Barnes"/> for invaluable input on this document. Also, we would like to acknowledgeNermeen Ismail<contact fullname="Nermeen Ismail"/> for serving on the initial draft versions of this document as aco-author.coauthor. We would also like to acknowledgeJohn Mattsson, Mats Naslund, and Magnus Westerlund<contact fullname="John Mattsson"/>, <contact fullname="Mats Naslund"/>, and <contact fullname="Magnus Westerlund"/> for providing some of the text in the document, including much of the original text in thesecurity considerations section.</t>Security Considerations section (<xref target="attacks"/>).</t> </section></middle> <back> <references title="Normative References"> <?rfc include="https://xml2rfc.ietf.org/public/rfc/bibxml-ids/reference.I-D.ietf-perc-double.xml"?> <?rfc include="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.3711.xml"?> <?rfc include="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.3550.xml"?> <?rfc include="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.2119.xml"?> <?rfc include="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.8174.xml"?> <?rfc include="https://xml2rfc.ietf.org/public/rfc/bibxml-ids/reference.I-D.ietf-perc-srtp-ekt-diet.xml"?> <?rfc include="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.6904.xml"?> </references> <references title="Informative References"> <?rfc include="https://xml2rfc.ietf.org/public/rfc/bibxml-w3c/reference.W3C.CR-webrtc-20180927.xml"?> <?rfc include="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.5764.xml"?> <?rfc include="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.7667.xml"?> <?rfc include="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.4353.xml"?> <?rfc include="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.3261.xml"?> <?rfc include="https://xml2rfc.ietf.org/public/rfc/bibxml-ids/reference.I-D.ietf-perc-dtls-tunnel.xml"?> <?rfc include="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.4566.xml"?> <?rfc include="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.4383.xml"?> <?rfc include="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.6464.xml"?> <?rfc include="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.5763.xml"?> <?rfc include="https://xml2rfc.ietf.org/public/rfc/bibxml-ids/reference.I-D.ietf-rtcweb-security-arch.xml"?> <?rfc include="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.8224.xml"?> </references></back> </rfc>