draft-ietf-perc-private-media-framework-01.txt   draft-ietf-perc-private-media-framework-02.txt 
Network Working Group P. Jones Network Working Group P. Jones
Internet-Draft D. Benham Internet-Draft D. Benham
Intended status: Standards Track Cisco Intended status: Standards Track Cisco
Expires: January 9, 2017 C. Groves Expires: May 4, 2017 C. Groves
Huawei Huawei
July 8, 2016 October 31, 2016
A Solution Framework for Private Media in Privacy Enhanced RTP A Solution Framework for Private Media in Privacy Enhanced RTP
Conferencing Conferencing
draft-ietf-perc-private-media-framework-01 draft-ietf-perc-private-media-framework-02
Abstract Abstract
This document describes a solution framework for ensuring that media This document describes a solution framework for ensuring that media
confidentiality and integrity are maintained end-to-end within the confidentiality and integrity are maintained end-to-end within the
context of a switched conferencing environment where media context of a switched conferencing environment where media
distribution devices are not trusted with the end-to-end media distribution devices are not trusted with the end-to-end media
encryption keys. The solution aims to build upon existing security encryption keys. The solution aims to build upon existing security
mechanisms defined for the real-time transport protocol (RTP). mechanisms defined for the real-time transport protocol (RTP).
skipping to change at page 1, line 38 skipping to change at page 1, line 38
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on January 9, 2017. This Internet-Draft will expire on May 4, 2017.
Copyright Notice Copyright Notice
Copyright (c) 2016 IETF Trust and the persons identified as the Copyright (c) 2016 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 2, line 31 skipping to change at page 2, line 31
4.1. End-to-End and Hop-by-Hop Authenticated Encryption . . . 7 4.1. End-to-End and Hop-by-Hop Authenticated Encryption . . . 7
4.2. E2E Key Confidentiality . . . . . . . . . . . . . . . . . 8 4.2. E2E Key Confidentiality . . . . . . . . . . . . . . . . . 8
4.3. E2E Keys and Endpoint Operations . . . . . . . . . . . . 9 4.3. E2E Keys and Endpoint Operations . . . . . . . . . . . . 9
4.4. HBH Keys and Hop Operations . . . . . . . . . . . . . . . 9 4.4. HBH Keys and Hop Operations . . . . . . . . . . . . . . . 9
4.5. Key Exchange . . . . . . . . . . . . . . . . . . . . . . 10 4.5. Key Exchange . . . . . . . . . . . . . . . . . . . . . . 10
4.5.1. Initial Key Exchange and Key Distributor . . . . . . 10 4.5.1. Initial Key Exchange and Key Distributor . . . . . . 10
4.5.2. Key Exchange during a Conference . . . . . . . . . . 11 4.5.2. Key Exchange during a Conference . . . . . . . . . . 11
5. Entity Trust . . . . . . . . . . . . . . . . . . . . . . . . 12 5. Entity Trust . . . . . . . . . . . . . . . . . . . . . . . . 12
5.1. Identity Assertions . . . . . . . . . . . . . . . . . . . 12 5.1. Identity Assertions . . . . . . . . . . . . . . . . . . . 12
5.2. Certificate Fingerprints in Session Signaling . . . . . . 12 5.2. Certificate Fingerprints in Session Signaling . . . . . . 12
6. Attacks on Privacy Enhanced RTP Conferencing . . . . . . . . 13 5.3. Conferences Identification . . . . . . . . . . . . . . . 13
6. Security Considerations . . . . . . . . . . . . . . . . . . . 13
6.1. Third Party Attacks . . . . . . . . . . . . . . . . . . . 13 6.1. Third Party Attacks . . . . . . . . . . . . . . . . . . . 13
6.2. Media Distributor Attacks . . . . . . . . . . . . . . . . 14 6.2. Media Distributor Attacks . . . . . . . . . . . . . . . . 14
6.2.1. Denial of service . . . . . . . . . . . . . . . . . . 14 6.2.1. Denial of service . . . . . . . . . . . . . . . . . . 14
6.2.2. Replay Attack . . . . . . . . . . . . . . . . . . . . 14 6.2.2. Replay Attack . . . . . . . . . . . . . . . . . . . . 15
6.2.3. Delayed Playout Attack . . . . . . . . . . . . . . . 15 6.2.3. Delayed Playout Attack . . . . . . . . . . . . . . . 15
6.2.4. Splicing Attack . . . . . . . . . . . . . . . . . . . 15 6.2.4. Splicing Attack . . . . . . . . . . . . . . . . . . . 15
7. To-Do List . . . . . . . . . . . . . . . . . . . . . . . . . 15 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 15
8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 16 8. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 16
9. Security Considerations . . . . . . . . . . . . . . . . . . . 16 9. References . . . . . . . . . . . . . . . . . . . . . . . . . 16
10. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 16 9.1. Normative References . . . . . . . . . . . . . . . . . . 16
11. References . . . . . . . . . . . . . . . . . . . . . . . . . 16 9.2. Informative References . . . . . . . . . . . . . . . . . 17
11.1. Normative References . . . . . . . . . . . . . . . . . . 16
11.2. Informative References . . . . . . . . . . . . . . . . . 17
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 18 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 18
1. Introduction 1. Introduction
Switched conferencing is an increasingly popular model for multimedia Switched conferencing is an increasingly popular model for multimedia
conferences with multiple participants using a combination of audio, conferences with multiple participants using a combination of audio,
video, text, and other media types. With this model, real-time media video, text, and other media types. With this model, real-time media
flows from conference participants are not mixed, transcoded, flows from conference participants are not mixed, transcoded,
transrated, recomposed, or otherwise manipulated by a Media transrated, recomposed, or otherwise manipulated by a Media
Distributor, as might be the case with a traditional media server or Distributor, as might be the case with a traditional media server or
skipping to change at page 4, line 21 skipping to change at page 4, line 18
Hop-by-Hop (HBH): Communications between an endpoint and a Media Hop-by-Hop (HBH): Communications between an endpoint and a Media
Distribution Device or between Media Distribution Devices. Distribution Device or between Media Distribution Devices.
Endpoint: An RTP flow terminating entity that has possession of E2E Endpoint: An RTP flow terminating entity that has possession of E2E
media encryption keys and terminates E2E encryption. This may media encryption keys and terminates E2E encryption. This may
include embedded user conferencing equipment or browsers on include embedded user conferencing equipment or browsers on
computers, media gateways, MCUs, media recording device and more that computers, media gateways, MCUs, media recording device and more that
are in the trusted domain for a given deployment. are in the trusted domain for a given deployment.
Media Distributor (MD): An RTP middlebox that is not allowed to to Media Distributor (MD): An RTP middlebox that is not allowed to to
have access to E2E encryption keys. It may operate according to any have access to E2E encryption keys. It operates according to the
of the RTP topologies [I-D.ietf-avtcore-rtp-topologies-update] per Selective Forwarding Middlebox RTP topologies
the constraints defined by the PERC system, which includes, but not [I-D.ietf-avtcore-rtp-topologies-update] per the constraints defined
limited to, having no access to RTP media unencrypted and having by the PERC system, which includes, but not limited to, having no
limits on what RTP header field it can alter. access to RTP media unencrypted and having limits on what RTP header
field it can alter.
Key Distributor: An entity that is a logical function which passes Key Distributor: An entity that is a logical function which passes
keying material and related information to endpoints and Media keying material and related information to endpoints and Media
Distributor(s) that is appropriate for each. The Key Distributor Distributor(s) that is appropriate for each. The Key Distributor
might be co-resident with another entity trusted with E2E keying might be co-resident with another entity trusted with E2E keying
material. material.
Conference: Two or more participants communicating via trusted Conference: Two or more participants communicating via trusted
endpoints to exchange RTP flows through one or more Media endpoints to exchange RTP flows through one or more Media
Distributor. Distributor.
skipping to change at page 7, line 17 skipping to change at page 7, line 14
3.2.2. Key Distributor 3.2.2. Key Distributor
The Key Distributor, which may be collocated with an endpoint or The Key Distributor, which may be collocated with an endpoint or
exist standalone, is responsible for providing key information to exist standalone, is responsible for providing key information to
endpoints for both end-to-end and hop-by-hop security and for endpoints for both end-to-end and hop-by-hop security and for
providing key information to Media Distributors for the hop-by-hop providing key information to Media Distributors for the hop-by-hop
security. security.
Interaction between the Key Distributor and the call processing Interaction between the Key Distributor and the call processing
function may be necessary to for proper conference-to-endpoint function is necessary to for proper conference-to-endpoint mappings.
mappings, which may or may not be satisfied by getting information This is described in Section 5.3.
directly from the endpoints or via some other means. See Section 7
for a related item in the To Do list.
The Key Distributor needs to be secured and managed in a way to The Key Distributor needs to be secured and managed in a way to
prevent exploitation by an adversary, as any kind of compromise of prevent exploitation by an adversary, as any kind of compromise of
the Key Distributor puts the security of the conference at risk. the Key Distributor puts the security of the conference at risk.
4. Framework for PERC 4. Framework for PERC
The purpose for this framework is to define a means through which The purpose for this framework is to define a means through which
media privacy can be ensured when communicating within a conferencing media privacy can be ensured when communicating within a conferencing
environment consisting of one or more Media Distributors that only environment consisting of one or more Media Distributors that only
switch, hence not terminate, media. It does not otherwise attempt to switch, hence not terminate, media. It does not otherwise attempt to
hide the fact that a conference between endpoints is taking place. hide the fact that a conference between endpoints is taking place.
This framework reuses several specified RTP security technologies, This framework reuses several specified RTP security technologies,
including SRTP [RFC3711], PERC EKT [I-D.ietf-perc-srtp-ekt-diet], and including SRTP [RFC3711], PERC EKT [I-D.ietf-perc-srtp-ekt-diet], and
DTLS-SRTP [RFC5764]. DTLS-SRTP [RFC5764].
4.1. End-to-End and Hop-by-Hop Authenticated Encryption 4.1. End-to-End and Hop-by-Hop Authenticated Encryption
This solution framework focuses on the end-to-end privacy and This solution framework focuses on the end-to-end privacy and
integrity of the participant's media by limiting access to end-to-end integrity of the participant's media by limiting access of the end-
key information to trusted entities. However, this framework does to-end key information to trusted entities. However, this framework
give a Media Distributor access to RTP headers and all or most header does give a Media Distributor access to RTP headers and all or most
extensions, as well as the ability to modify a certain subset of header extensions, as well as the ability to modify a certain subset
those headers and to add header extensions. Packets received by a of those headers and to add header extensions. Packets received by a
Media Distributor or an endpoint are authenticated hop-by-hop. Media Distributor or an endpoint are authenticated hop-by-hop.
To enable all of the above, this framework defines the use of two To enable all of the above, this framework defines the use of two
security contexts and two associated encryption keys; an "inner" key security contexts and two associated encryption keys; an "inner" key
(E2E Key(i); i={a given endpoint}) for authenticated encryption of (E2E Key(i); i={a given endpoint}) for authenticated encryption of
RTP media between endpoints and an "outer" key (HBH Key(j); j={a RTP media between endpoints and an "outer" key (HBH Key(j); j={a
given hop}) for the hop between an endpoint and a Media Distributor given hop}) for the hop between an endpoint and a Media Distributor
or between Media Distributor. Reference the following figure. or between Media Distributor. Reference the following figure.
+-------------+ +-------------+ +-------------+ +-------------+
skipping to change at page 8, line 48 skipping to change at page 8, line 46
framework introduces no additional step for RTCP authenticated framework introduces no additional step for RTCP authenticated
encryption, so the procedures needed are specified in [RFC3711] and encryption, so the procedures needed are specified in [RFC3711] and
use the same outer, hop-by-hop cryptographic context chosen in the use the same outer, hop-by-hop cryptographic context chosen in the
Double operation described above. Double operation described above.
4.2. E2E Key Confidentiality 4.2. E2E Key Confidentiality
To ensure the confidentiality of E2E keys shared between endpoints, To ensure the confidentiality of E2E keys shared between endpoints,
endpoints will make use of a common Key Encryption Key (KEK) that is endpoints will make use of a common Key Encryption Key (KEK) that is
known only by the trusted entities in a conference. That KEK, known only by the trusted entities in a conference. That KEK,
defined in the PERC EKT [I-D.ietf-perc-srtp-ekt-diet] as the EKT Key, defined in the PERC EKT [I-D.ietf-perc-srtp-ekt-diet] as the EKTKey,
will be used to subsequently encrypt SRTP master keys used for E2E will be used to subsequently encrypt SRTP master keys used for E2E
authenticated encryption (E2E Key(i); i={a given endpoint}) of media authenticated encryption (E2E Key(i); i={a given endpoint}) of media
sent by a given endpoint. sent by a given endpoint.
+---------------------+------------+-------+-------+------------+ +---------------------+------------+-------+-------+------------+
| Key / Entity | Endpoint A | MD X | MD Y | Endpoint B | | Key / Entity | Endpoint A | MD X | MD Y | Endpoint B |
+---------------------+------------+-------+-------+------------+ +---------------------+------------+-------+-------+------------+
| KEK | Yes | No | No | Yes | | KEK | Yes | No | No | Yes |
+---------------------+------------+-------+-------+------------+ +---------------------+------------+-------+-------+------------+
| E2E Key (i) | Yes | No | No | Yes | | E2E Key (i) | Yes | No | No | Yes |
skipping to change at page 9, line 27 skipping to change at page 9, line 27
Figure 2: Keys per Entity Figure 2: Keys per Entity
4.3. E2E Keys and Endpoint Operations 4.3. E2E Keys and Endpoint Operations
Any given RTP media flow can be identified by its SSRC, and endpoints Any given RTP media flow can be identified by its SSRC, and endpoints
might send more than one at a time and change the mix of media flows might send more than one at a time and change the mix of media flows
transmitted during the life of a conference. transmitted during the life of a conference.
Thus, endpoints MUST maintain a list of SSRCs from received RTP flows Thus, endpoints MUST maintain a list of SSRCs from received RTP flows
and each SSRC's associated E2E Key(i) information. Following a and each SSRC's associated E2E Key(i) information. Following a
change of the KEK (i.e., EKT Key), prior E2E Key(i) information change of the KEK (i.e., EKTKey), prior E2E Key(i) information SHOULD
SHOULD be retained for a period long enough to ensure that late- be retained for a period long enough to ensure that late-arriving or
arriving or out-of-order packets from other endpoints can be out-of-order packets from other endpoints can be successfully
successfully decrypted. The endpoint MUST discard the E2E Key(i) and decrypted. The endpoint MUST discard the E2E Key(i) and KEK
KEK information no later than when it leaves the conference. information no later than when it leaves the conference.
If there is a need to encrypt one or more RTP header extensions end- If there is a need to encrypt one or more RTP header extensions end-
to-end, an encryption key is derived from the end-to-end SRTP master to-end, an encryption key is derived from the end-to-end SRTP master
key to encrypt header extensions as per [RFC6904]. The Media key to encrypt header extensions as per [RFC6904]. The Media
Distributor will not be able use the information contained in those Distributor will not be able use the information contained in those
header extensions encrypted with E2E keys. See Section 7 for a header extensions encrypted with E2E keys.
related item in the To Do list.
4.4. HBH Keys and Hop Operations 4.4. HBH Keys and Hop Operations
To ensure the integrity of transmitted media packets, this framework To ensure the integrity of transmitted media packets, this framework
requires that every packet be authenticated hop-by-hop (HBH) between requires that every packet be authenticated hop-by-hop (HBH) between
an endpoint and a Media Distributor, as well between Media an endpoint and a Media Distributor, as well between Media
Distributors. The authentication key used for hop-by-hop Distributors. The authentication key used for hop-by-hop
authentication is derived from an SRTP master key shared only on the authentication is derived from an SRTP master key shared only on the
respective hop (HBH Key(j); j={a given hop}). Each HBH Key(j) is respective hop (HBH Key(j); j={a given hop}). Each HBH Key(j) is
distinct per hop and no two hops ever intentionally use the same SRTP distinct per hop and no two hops ever intentionally use the same SRTP
skipping to change at page 10, line 28 skipping to change at page 10, line 28
all hops - in the untrusted domain at least - will need to decrypt all hops - in the untrusted domain at least - will need to decrypt
and re-encrypt these encrypted header extensions. and re-encrypt these encrypted header extensions.
4.5. Key Exchange 4.5. Key Exchange
To facilitate key exchange required to establish or generate an E2E To facilitate key exchange required to establish or generate an E2E
key and a HBH key for an endpoint and the same HBH key for the Media key and a HBH key for an endpoint and the same HBH key for the Media
Distributor, this framework utilizes a DTLS-SRTP [RFC5764] Distributor, this framework utilizes a DTLS-SRTP [RFC5764]
association between an endpoint and the Key Distributor. To association between an endpoint and the Key Distributor. To
establish this association, an endpoint will send DTLS-SRTP messages establish this association, an endpoint will send DTLS-SRTP messages
to the Media Distributor which will then forward them to the Media to the Media Distributor which will then forward them to the Key
Distributor as defined in [I-D.jones-perc-dtls-tunnel]. The Key Distributor as defined in [I-D.jones-perc-dtls-tunnel]. The Key
Encryption Key (KEK) (i.e., EKT Key) is also conveyed by the Key Encryption Key (KEK) (i.e., EKTKey) is also conveyed by the Key
Distributor over the DTLS association to endpoints via procedures Distributor over the DTLS association to endpoints via procedures
defined in PERC EKT [I-D.ietf-perc-srtp-ekt-diet]. defined in PERC EKT [I-D.ietf-perc-srtp-ekt-diet].
Media Distributors use DTLS-SRTP [RFC5764] directly with a peer Media Media Distributors use DTLS-SRTP [RFC5764] directly with a peer Media
Distributor to establish HBH keys for transmitting RTP and RTCP Distributor to establish HBH keys for transmitting RTP and RTCP
packets that peer Media Distributor. The Key Distributor does not packets to that peer Media Distributor. The Key Distributor does not
facilitate establishing HBH keys for use between Media Distributors. facilitate establishing HBH keys for use between Media Distributors.
4.5.1. Initial Key Exchange and Key Distributor 4.5.1. Initial Key Exchange and Key Distributor
The procedures defined in DTLS Tunnel for PERC The procedures defined in DTLS Tunnel for PERC
[I-D.jones-perc-dtls-tunnel] establish one or more DTLS tunnels [I-D.jones-perc-dtls-tunnel] establish one or more TLS tunnels
between the Media Distributor and Key Distributor, making it is between the Media Distributor and Key Distributor, making it is
possible for the Media Distributor to facilitate the establishment of possible for the Media Distributor to facilitate the establishment of
a secure DTLS association between each endpoint and the Key a secure DTLS association between each endpoint and the Key
Distributor as shown the following figure. The DTLS association Distributor as shown the following figure. The DTLS association
between endpoints and the Key Distributor will enable each endpoint between endpoints and the Key Distributor will enable each endpoint
to receive E2E key information, Key Encryption Key (KEK) information to receive E2E key information, Key Encryption Key (KEK) information
(i.e., EKT Key), and HBH key information. At the same time, the Key (i.e., EKTKey), and HBH key information. At the same time, the Key
Distributor can securely provide the HBH key information to the Media Distributor can securely provide the HBH key information to the Media
Distributor. The key information summarized here may include the Distributor. The key information summarized here may include the
SRTP master key, SRTP master salt, and the negotiated cryptographic SRTP master key, SRTP master salt, and the negotiated cryptographic
transform. transform.
+-----------+ +-----------+
KEK info | Key | HBH Key info to KEK info | Key | HBH Key info to
to Endpoints |Distributor| Endpoints & Media Distributor to Endpoints |Distributor| Endpoints & Media Distributor
+-----------+ +-----------+
# ^ ^ # # ^ ^ #
# | | #-DTLS Tunnel # | | #-TLS Tunnel
# | | # # | | #
+-----------+ +-----------+ +-----------+ +-----------+ +-----------+ +-----------+
| Endpoint | DTLS | Media | DTLS | Endpoint | | Endpoint | DTLS | Media | DTLS | Endpoint |
| KEK |<------------|Distributor|------------>| KEK | | KEK |<------------|Distributor|------------>| KEK |
| HBH Key(j)| to Key Dist | HBH Keys | to Key Dist | HBH Key(j)| | HBH Key(j)| to Key Dist | HBH Keys | to Key Dist | HBH Key(j)|
+-----------+ +-----------+ +-----------+ +-----------+ +-----------+ +-----------+
Figure 3: Exchanging Key Information Between Entities Figure 3: Exchanging Key Information Between Entities
Endpoints will establish a DTLS-SRTP association over the RTP Endpoints will establish a DTLS-SRTP association over the RTP
session's media ports for the purposes of key information exchange session's media ports for the purposes of key information exchange
with the Key Distributor. The Media Distributor will not terminate with the Key Distributor. The Media Distributor will not terminate
the DTLS signaling, but will instead forward DTLS packets received the DTLS signaling, but will instead forward DTLS packets received
from an endpoint on to the Key Distributor (and vice versa) via a from an endpoint on to the Key Distributor (and vice versa) via a
tunnel established between Media Distributor and the Key Distributor. tunnel established between Media Distributor and the Key Distributor.
This tunnel used to encapsulate the DTLS-SRTP signaling between the This tunnel is used to encapsulate the DTLS-SRTP signaling between
Key Distributor and endpoints will also be used to convey HBH key the Key Distributor and endpoints will also be used to convey HBH key
information from the Key Distributor to the Media Distributor, so no information from the Key Distributor to the Media Distributor, so no
additional protocol or interface is required. additional protocol or interface is required.
4.5.2. Key Exchange during a Conference 4.5.2. Key Exchange during a Conference
Following the initial key information exchange with the Key Following the initial key information exchange with the Key
Distributor, endpoints will be able to encrypt media end-to-end with Distributor, endpoints will be able to encrypt media end-to-end with
their E2E Key(i), sending that E2E Key(i) to other endpoints their E2E Key(i), sending that E2E Key(i) to other endpoints
encrypted with KEK, and will be able to encrypt and authenticate RTP encrypted with KEK, and will be able to encrypt and authenticate RTP
packets using local HBH Key(j). The procedures defined do not allow packets using local HBH Key(j). The procedures defined do not allow
the Media Distributor to gain access to the KEK information, the Media Distributor to gain access to the KEK information,
preventing it from gaining access to any endpoint's E2E key and preventing it from gaining access to any endpoint's E2E key and
subsequently decrypting media. subsequently decrypting media.
The KEK (i.e., EKT Key) may need to change from time-to-time during The KEK (i.e., EKTKey) may need to change from time-to-time during
the life of a conference, such as when a new participant joins or the life of a conference, such as when a new participant joins or
leaves a conference. Dictating if, when or how often a conference is leaves a conference. Dictating if, when or how often a conference is
to be re-keyed is outside the scope of this document, but this to be re-keyed is outside the scope of this document, but this
framework does accommodate re-keying during the life of a conference. framework does accommodate re-keying during the life of a conference.
When a Key Distributor decides to rekey a conference, it transmits a When a Key Distributor decides to rekey a conference, it transmits a
specific message defined in PERC EKT [I-D.ietf-perc-srtp-ekt-diet] to specific message defined in PERC EKT [I-D.ietf-perc-srtp-ekt-diet] to
each of the conference participants. The endpoint MUST create a new each of the conference participants. The endpoint MUST create a new
SRTP master key and prepare to send that key inside a Full EKT Field SRTP master key and prepare to send that key inside a Full EKT Field
using the new EKT Key. Since it may take some time for all of the using the new EKTKey. Since it may take some time for all of the
endpoints in conference to finish re-keying, senders MUST delay a endpoints in conference to finish re-keying, senders MUST delay a
short period of time before sending media encrypted with the new short period of time before sending media encrypted with the new
master key, but it MUST be prepared to make use of the information master key, but it MUST be prepared to make use of the information
from a new inbound EKT Key immediately. See Section 2.2.2 of from a new inbound EKTKey immediately. See Section 2.2.2 of
[I-D.ietf-perc-srtp-ekt-diet]. [I-D.ietf-perc-srtp-ekt-diet].
5. Entity Trust 5. Entity Trust
It is important to this solution framework that the entities can It is important to this solution framework that the entities can
trust and validate the authenticity of other entities, especially the trust and validate the authenticity of other entities, especially the
Key Distributor and endpoints. The details of this are outside the Key Distributor and endpoints. The details of this are outside the
scope of specification but a few possibilities are discussed in the scope of specification but a few possibilities are discussed in the
following sections. The key requirements is that endpoints can following sections. The key requirements is that endpoints can
verify they are connected to the correct Key Distributor for the verify they are connected to the correct Key Distributor for the
conference and the Key Distributor can verify the endpoints are the conference and the Key Distributor can verify the endpoints are the
correct endpoints for the conference. correct endpoints for the conference.
Two possible approaches to solve this are Identity Assertions and Two possible approaches to solve this are Identity Assertions and
Certificate Fingerprints. Certificate Fingerprints.
5.1. Identity Assertions 5.1. Identity Assertions
WebRTC Identity assertion (EDITOR NOTE: add I-D reference) can be WebRTC Identity assertion [I-D.ietf-rtcweb-security-arch] can be used
used to bind the identity of the user of the endpoint to the to bind the identity of the user of the endpoint to the fingerprint
fingerprint of the DTLS-SRTP certificate used for the call. This of the DTLS-SRTP certificate used for the call. This certificate is
certificate is unique for a given call and a conference. This allows unique for a given call and a conference. This allows the Key
the Key Distributor to ensure that only authorized users participate Distributor to ensure that only authorized users participate in the
in the conference. Similarly the Key Distributor can create a WeBRTC conference. Similarly the Key Distributor can create a WebRTC
Identity assertion bound the fingerprint of the unique certificate Identity assertion to bind the fingerprint of the unique certificate
used by the Key Distributor for this conference so that the endpoint used by the Key Distributor for this conference so that the endpoint
can validate it is talking to the correct Key Distributor. can validate it is talking to the correct Key Distributor. Such a
setup requires an Identity Provider (Idp) trusted by the endpoints
and the Key Distributor.
5.2. Certificate Fingerprints in Session Signaling 5.2. Certificate Fingerprints in Session Signaling
Entities managing session signaling are generally assumed to be Entities managing session signaling are generally assumed to be
untrusted in the PERC framework. However, there are some deployment untrusted in the PERC framework. However, there are some deployment
scenarios where parts of the session signaling may be assumed scenarios where parts of the session signaling may be assumed
trustworthy for the purposes of exchanging, in a manner that can be trustworthy for the purposes of exchanging, in a manner that can be
authenticated, the fingerprint of an entity's certificate. authenticated, the fingerprint of an entity's certificate.
As a concrete example, SIP [RFC3261] and SDP [RFC4566] can be used to As a concrete example, SIP [RFC3261] and SDP [RFC4566] can be used to
skipping to change at page 13, line 18 skipping to change at page 13, line 22
connections to find the identity of the far end of the DTLS-SRTP connections to find the identity of the far end of the DTLS-SRTP
connection and check that is the authorized entity. connection and check that is the authorized entity.
Ultimately, if using session signaling, an endpoint's certificate Ultimately, if using session signaling, an endpoint's certificate
fingerprint would need to be securely mapped to a user and conveyed fingerprint would need to be securely mapped to a user and conveyed
to the Key Distributor so that it can check that that user is to the Key Distributor so that it can check that that user is
authorized. Similarly, the Key Distributor's certificate fingerprint authorized. Similarly, the Key Distributor's certificate fingerprint
can be conveyed to endpoint in a manner that can be authenticated as can be conveyed to endpoint in a manner that can be authenticated as
being an authorized Key Distributor for this conference. being an authorized Key Distributor for this conference.
6. Attacks on Privacy Enhanced RTP Conferencing 5.3. Conferences Identification
The Key Distributor is responsible for knowing what endpoints are
allowed in a given conference. Thus, the Key Distributor and the
Media Distributor will need to know endpoint-to-conference mappings,
which is enabled by exchanging a conference-specific unique
identifier as defined in [I-D.jones-perc-dtls-tunnel]. How this
unique identifier is assigned is outside the scope of this document.
6. Security Considerations
This framework, and the individual protocols defined to support it, This framework, and the individual protocols defined to support it,
must take care to not increase the exposure to Denial of Service must take care to not increase the exposure to Denial of Service
(DoS) attacks by untrusted or third-party entities and should take (DoS) attacks by untrusted or third-party entities and should take
measures to mitigate, where possible, more serious DoS attacks from measures to mitigate, where possible, more serious DoS attacks from
on-path and off-path attackers. on-path and off-path attackers.
The following section enumerates the kind of attacks that will be The following section enumerates the kind of attacks that will be
considered in the development of this framework's solution. considered in the development of this framework's solution.
skipping to change at page 15, line 36 skipping to change at page 15, line 47
The splicing attack is an attack where a Media Distributor receiving The splicing attack is an attack where a Media Distributor receiving
multiple media sources splices one media stream into the other. If multiple media sources splices one media stream into the other. If
the Media Distributor is able to change the SSRC without the receiver the Media Distributor is able to change the SSRC without the receiver
having any method for verifying the original source ID, then the having any method for verifying the original source ID, then the
Media Distributor could first deliver stream A and then later forward Media Distributor could first deliver stream A and then later forward
stream B under the same SSRC as stream A was previously using. Not stream B under the same SSRC as stream A was previously using. Not
allowing the Media Distributor to change the SSRC mitigates this allowing the Media Distributor to change the SSRC mitigates this
attack. attack.
7. To-Do List 7. IANA Considerations
o The mapping of endpoints-to-conference identifiers may need to be
conveyed in the framework. Need Revisit this text after a design
choice is made between alternatives.
o Consider adding a list of RTP header extensions that should/must
not be E2E encrypted.
o Endpoints, Key Distributor and Media Distributor provider must
securely convey their respective certificate information directly
or indirectly via some means, such as via an identity service
provider.
o If as in "Double" draft, the ROC value is no longer in the clear
and associated with the "outer" protection scheme, we may need to
require that the Media Distributor maintain a separate ROC value
for each SSRC sent to each endpoint. This ROC value should start
at 0 regardless of the sequence number in that first packet sent
to an endpoint.
o Investigate adding ability to enable the transmission of one-way
media from a non-trusted device (e.g., announcements). One
possible solution is to have the Key Distributor send an "ekt_key"
message that is explicitly labeled for receive-only and giving
that to announcement servers. A possible approach would be to
define EKT Keys with a SPI > 32000, for example, for this purpose
and endpoints should only use those EKT Keys to decrypt Full EKT
Fields received from such transmitters. Endpoints would never
send media with EKT Keys with those SPI values.
8. IANA Considerations
There are no IANA considerations for this document. There are no IANA considerations for this document.
9. Security Considerations 8. Acknowledgments
[TBD]
10. Acknowledgments
The authors would like to thank Mo Zanaty and Christian Oien for The authors would like to thank Mo Zanaty and Christian Oien for
invaluable input on this document. Also, we would like to invaluable input on this document. Also, we would like to
acknowledge Nermeen Ismail for serving on the initial versions of acknowledge Nermeen Ismail for serving on the initial versions of
this document as a co-author. this document as a co-author.
11. References 9. References
11.1. Normative References 9.1. Normative References
[I-D.ietf-perc-double] [I-D.ietf-perc-double]
Jennings, C., Jones, P., and A. Roach, "SRTP Double Jennings, C., Jones, P., and A. Roach, "SRTP Double
Encryption Procedures", draft-ietf-perc-double-00 (work in Encryption Procedures", draft-ietf-perc-double-01 (work in
progress), May 2016. progress), July 2016.
[I-D.ietf-perc-srtp-ekt-diet] [I-D.ietf-perc-srtp-ekt-diet]
Mattsson, J., McGrew, D., Wing, D., and C. Jennings, Mattsson, J., McGrew, D., Wing, D., and C. Jennings,
"Encrypted Key Transport for Secure RTP", draft-ietf-perc- "Encrypted Key Transport for Secure RTP", draft-ietf-perc-
srtp-ekt-diet-00 (work in progress), May 2016. srtp-ekt-diet-01 (work in progress), July 2016.
[I-D.jones-perc-dtls-tunnel] [I-D.jones-perc-dtls-tunnel]
Jones, P., "DTLS Tunnel between Media Distribution Device Jones, P., "A DTLS Tunnel between Media Distributor and
and Key Management Function to Facilitate Key Exchange", Key Distributor to Facilitate Key Exchange", draft-jones-
draft-jones-perc-dtls-tunnel-03 (work in progress), July perc-dtls-tunnel-03 (work in progress), July 2016.
2016.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/ Requirement Levels", BCP 14, RFC 2119,
RFC2119, March 1997, DOI 10.17487/RFC2119, March 1997,
<http://www.rfc-editor.org/info/rfc2119>. <http://www.rfc-editor.org/info/rfc2119>.
[RFC3550] Schulzrinne, H., Casner, S., Frederick, R., and V. [RFC3550] Schulzrinne, H., Casner, S., Frederick, R., and V.
Jacobson, "RTP: A Transport Protocol for Real-Time Jacobson, "RTP: A Transport Protocol for Real-Time
Applications", STD 64, RFC 3550, DOI 10.17487/RFC3550, Applications", STD 64, RFC 3550, DOI 10.17487/RFC3550,
July 2003, <http://www.rfc-editor.org/info/rfc3550>. July 2003, <http://www.rfc-editor.org/info/rfc3550>.
[RFC3711] Baugher, M., McGrew, D., Naslund, M., Carrara, E., and K. [RFC3711] Baugher, M., McGrew, D., Naslund, M., Carrara, E., and K.
Norrman, "The Secure Real-time Transport Protocol (SRTP)", Norrman, "The Secure Real-time Transport Protocol (SRTP)",
RFC 3711, DOI 10.17487/RFC3711, March 2004, RFC 3711, DOI 10.17487/RFC3711, March 2004,
<http://www.rfc-editor.org/info/rfc3711>. <http://www.rfc-editor.org/info/rfc3711>.
[RFC5764] McGrew, D. and E. Rescorla, "Datagram Transport Layer [RFC5764] McGrew, D. and E. Rescorla, "Datagram Transport Layer
Security (DTLS) Extension to Establish Keys for the Secure Security (DTLS) Extension to Establish Keys for the Secure
Real-time Transport Protocol (SRTP)", RFC 5764, DOI Real-time Transport Protocol (SRTP)", RFC 5764,
10.17487/RFC5764, May 2010, DOI 10.17487/RFC5764, May 2010,
<http://www.rfc-editor.org/info/rfc5764>. <http://www.rfc-editor.org/info/rfc5764>.
[RFC6904] Lennox, J., "Encryption of Header Extensions in the Secure [RFC6904] Lennox, J., "Encryption of Header Extensions in the Secure
Real-time Transport Protocol (SRTP)", RFC 6904, DOI Real-time Transport Protocol (SRTP)", RFC 6904,
10.17487/RFC6904, April 2013, DOI 10.17487/RFC6904, April 2013,
<http://www.rfc-editor.org/info/rfc6904>. <http://www.rfc-editor.org/info/rfc6904>.
11.2. Informative References 9.2. Informative References
[I-D.ietf-avtcore-rtp-topologies-update] [I-D.ietf-avtcore-rtp-topologies-update]
Westerlund, M. and S. Wenger, "RTP Topologies", draft- Westerlund, M. and S. Wenger, "RTP Topologies", draft-
ietf-avtcore-rtp-topologies-update-10 (work in progress), ietf-avtcore-rtp-topologies-update-10 (work in progress),
July 2015. July 2015.
[I-D.ietf-rtcweb-security-arch]
Rescorla, E., "WebRTC Security Architecture", draft-ietf-
rtcweb-security-arch-12 (work in progress), June 2016.
[RFC3261] Rosenberg, J., Schulzrinne, H., Camarillo, G., Johnston, [RFC3261] Rosenberg, J., Schulzrinne, H., Camarillo, G., Johnston,
A., Peterson, J., Sparks, R., Handley, M., and E. A., Peterson, J., Sparks, R., Handley, M., and E.
Schooler, "SIP: Session Initiation Protocol", RFC 3261, Schooler, "SIP: Session Initiation Protocol", RFC 3261,
DOI 10.17487/RFC3261, June 2002, DOI 10.17487/RFC3261, June 2002,
<http://www.rfc-editor.org/info/rfc3261>. <http://www.rfc-editor.org/info/rfc3261>.
[RFC4474] Peterson, J. and C. Jennings, "Enhancements for [RFC4474] Peterson, J. and C. Jennings, "Enhancements for
Authenticated Identity Management in the Session Authenticated Identity Management in the Session
Initiation Protocol (SIP)", RFC 4474, DOI 10.17487/ Initiation Protocol (SIP)", RFC 4474,
RFC4474, August 2006, DOI 10.17487/RFC4474, August 2006,
<http://www.rfc-editor.org/info/rfc4474>. <http://www.rfc-editor.org/info/rfc4474>.
[RFC4566] Handley, M., Jacobson, V., and C. Perkins, "SDP: Session [RFC4566] Handley, M., Jacobson, V., and C. Perkins, "SDP: Session
Description Protocol", RFC 4566, DOI 10.17487/RFC4566, Description Protocol", RFC 4566, DOI 10.17487/RFC4566,
July 2006, <http://www.rfc-editor.org/info/rfc4566>. July 2006, <http://www.rfc-editor.org/info/rfc4566>.
[RFC5763] Fischl, J., Tschofenig, H., and E. Rescorla, "Framework [RFC5763] Fischl, J., Tschofenig, H., and E. Rescorla, "Framework
for Establishing a Secure Real-time Transport Protocol for Establishing a Secure Real-time Transport Protocol
(SRTP) Security Context Using Datagram Transport Layer (SRTP) Security Context Using Datagram Transport Layer
Security (DTLS)", RFC 5763, DOI 10.17487/RFC5763, May Security (DTLS)", RFC 5763, DOI 10.17487/RFC5763, May
2010, <http://www.rfc-editor.org/info/rfc5763>. 2010, <http://www.rfc-editor.org/info/rfc5763>.
[RFC6464] Lennox, J., Ed., Ivov, E., and E. Marocco, "A Real-time [RFC6464] Lennox, J., Ed., Ivov, E., and E. Marocco, "A Real-time
Transport Protocol (RTP) Header Extension for Client-to- Transport Protocol (RTP) Header Extension for Client-to-
Mixer Audio Level Indication", RFC 6464, DOI 10.17487/ Mixer Audio Level Indication", RFC 6464,
RFC6464, December 2011, DOI 10.17487/RFC6464, December 2011,
<http://www.rfc-editor.org/info/rfc6464>. <http://www.rfc-editor.org/info/rfc6464>.
Authors' Addresses Authors' Addresses
Paul E. Jones Paul E. Jones
Cisco Cisco
7025 Kit Creek Rd. 7025 Kit Creek Rd.
Research Triangle Park, North Carolina 27709 Research Triangle Park, North Carolina 27709
USA USA
 End of changes. 40 change blocks. 
112 lines changed or deleted 88 lines changed or added

This html diff was produced by rfcdiff 1.45. The latest version is available from http://tools.ietf.org/tools/rfcdiff/