draft-ietf-perc-private-media-framework-04.txt   draft-ietf-perc-private-media-framework-05.txt 
Network Working Group P. Jones Network Working Group P. Jones
Internet-Draft D. Benham Internet-Draft D. Benham
Intended status: Standards Track Cisco Intended status: Standards Track Cisco
Expires: January 4, 2018 C. Groves Expires: May 3, 2018 C. Groves
Huawei Huawei
July 3, 2017 October 30, 2017
A Solution Framework for Private Media in Privacy Enhanced RTP A Solution Framework for Private Media in Privacy Enhanced RTP
Conferencing Conferencing
draft-ietf-perc-private-media-framework-04 draft-ietf-perc-private-media-framework-05
Abstract Abstract
This document describes a solution framework for ensuring that media This document describes a solution framework for ensuring that media
confidentiality and integrity are maintained end-to-end within the confidentiality and integrity are maintained end-to-end within the
context of a switched conferencing environment where media context of a switched conferencing environment where media
distribution devices are not trusted with the end-to-end media distributors are not trusted with the end-to-end media encryption
encryption keys. The solution aims to build upon existing security keys. The solution aims to build upon existing security mechanisms
mechanisms defined for the real-time transport protocol (RTP). defined for the real-time transport protocol (RTP).
Status of This Memo Status of This Memo
This Internet-Draft is submitted in full conformance with the This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79. provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on January 4, 2018. This Internet-Draft will expire on May 3, 2018.
Copyright Notice Copyright Notice
Copyright (c) 2017 IETF Trust and the persons identified as the Copyright (c) 2017 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 2, line 26 skipping to change at page 2, line 26
3.1.2. Call Processing . . . . . . . . . . . . . . . . . . . 6 3.1.2. Call Processing . . . . . . . . . . . . . . . . . . . 6
3.2. Trusted Entities . . . . . . . . . . . . . . . . . . . . 7 3.2. Trusted Entities . . . . . . . . . . . . . . . . . . . . 7
3.2.1. Endpoint . . . . . . . . . . . . . . . . . . . . . . 7 3.2.1. Endpoint . . . . . . . . . . . . . . . . . . . . . . 7
3.2.2. Key Distributor . . . . . . . . . . . . . . . . . . . 7 3.2.2. Key Distributor . . . . . . . . . . . . . . . . . . . 7
4. Framework for PERC . . . . . . . . . . . . . . . . . . . . . 7 4. Framework for PERC . . . . . . . . . . . . . . . . . . . . . 7
4.1. End-to-End and Hop-by-Hop Authenticated Encryption . . . 8 4.1. End-to-End and Hop-by-Hop Authenticated Encryption . . . 8
4.2. E2E Key Confidentiality . . . . . . . . . . . . . . . . . 9 4.2. E2E Key Confidentiality . . . . . . . . . . . . . . . . . 9
4.3. E2E Keys and Endpoint Operations . . . . . . . . . . . . 9 4.3. E2E Keys and Endpoint Operations . . . . . . . . . . . . 9
4.4. HBH Keys and Hop Operations . . . . . . . . . . . . . . . 10 4.4. HBH Keys and Hop Operations . . . . . . . . . . . . . . . 10
4.5. Key Exchange . . . . . . . . . . . . . . . . . . . . . . 10 4.5. Key Exchange . . . . . . . . . . . . . . . . . . . . . . 10
4.5.1. Initial Key Exchange and Key Distributor . . . . . . 11 4.5.1. Initial Key Exchange and Key Distributor . . . . . . 10
4.5.2. Key Exchange during a Conference . . . . . . . . . . 11 4.5.2. Key Exchange during a Conference . . . . . . . . . . 12
5. Entity Trust . . . . . . . . . . . . . . . . . . . . . . . . 12 5. Entity Trust . . . . . . . . . . . . . . . . . . . . . . . . 12
5.1. Identity Assertions . . . . . . . . . . . . . . . . . . . 12 5.1. Identity Assertions . . . . . . . . . . . . . . . . . . . 13
5.2. Certificate Fingerprints in Session Signaling . . . . . . 13 5.2. Certificate Fingerprints in Session Signaling . . . . . . 13
5.3. Conferences Identification . . . . . . . . . . . . . . . 13 5.3. Conferences Identification . . . . . . . . . . . . . . . 14
6. Security Considerations . . . . . . . . . . . . . . . . . . . 13 6. Security Considerations . . . . . . . . . . . . . . . . . . . 14
6.1. Third Party Attacks . . . . . . . . . . . . . . . . . . . 14 6.1. Third Party Attacks . . . . . . . . . . . . . . . . . . . 14
6.2. Media Distributor Attacks . . . . . . . . . . . . . . . . 14 6.2. Media Distributor Attacks . . . . . . . . . . . . . . . . 15
6.2.1. Denial of service . . . . . . . . . . . . . . . . . . 14 6.2.1. Denial of service . . . . . . . . . . . . . . . . . . 15
6.2.2. Replay Attack . . . . . . . . . . . . . . . . . . . . 15 6.2.2. Replay Attack . . . . . . . . . . . . . . . . . . . . 15
6.2.3. Delayed Playout Attack . . . . . . . . . . . . . . . 15 6.2.3. Delayed Playout Attack . . . . . . . . . . . . . . . 16
6.2.4. Splicing Attack . . . . . . . . . . . . . . . . . . . 15 6.2.4. Splicing Attack . . . . . . . . . . . . . . . . . . . 16
7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 16 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 16
8. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 16 8. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 16
9. References . . . . . . . . . . . . . . . . . . . . . . . . . 16 9. References . . . . . . . . . . . . . . . . . . . . . . . . . 16
9.1. Normative References . . . . . . . . . . . . . . . . . . 16 9.1. Normative References . . . . . . . . . . . . . . . . . . 16
9.2. Informative References . . . . . . . . . . . . . . . . . 17 9.2. Informative References . . . . . . . . . . . . . . . . . 17
Appendix A. PERC Key Inventory . . . . . . . . . . . . . . . . . 18 Appendix A. PERC Key Inventory . . . . . . . . . . . . . . . . . 18
A.1. DTLS-SRTP Exchange Yields HBH Keys . . . . . . . . . . . 19 A.1. DTLS-SRTP Exchange Yields HBH Keys . . . . . . . . . . . 19
A.2. The Key Distributor Transmits the KEK (EKT Key) . . . . . 20 A.2. The Key Distributor Transmits the KEK (EKT Key) . . . . . 20
A.3. Endpoints fabricate an SRTP Master Key . . . . . . . . . 20 A.3. Endpoints fabricate an SRTP Master Key . . . . . . . . . 21
A.4. Who has What Key . . . . . . . . . . . . . . . . . . . . 21 A.4. Who has What Key . . . . . . . . . . . . . . . . . . . . 21
Appendix B. PERC Packet Format . . . . . . . . . . . . . . . . . 21 Appendix B. PERC Packet Format . . . . . . . . . . . . . . . . . 22
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 22 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 23
1. Introduction 1. Introduction
Switched conferencing is an increasingly popular model for multimedia Switched conferencing is an increasingly popular model for multimedia
conferences with multiple participants using a combination of audio, conferences with multiple participants using a combination of audio,
video, text, and other media types. With this model, real-time media video, text, and other media types. With this model, real-time media
flows from conference participants are not mixed, transcoded, flows from conference participants are not mixed, transcoded,
transrated, recomposed, or otherwise manipulated by a Media transrated, recomposed, or otherwise manipulated by a Media
Distributor, as might be the case with a traditional media server or Distributor, as might be the case with a traditional media server or
multipoint control unit (MCU). Instead, media flows transmitted by multipoint control unit (MCU). Instead, media flows transmitted by
skipping to change at page 3, line 34 skipping to change at page 3, line 34
Deploying conference resources in a public cloud environment might Deploying conference resources in a public cloud environment might
introduce a higher security risk. Whereas traditional conference introduce a higher security risk. Whereas traditional conference
resources were usually deployed in private networks that were resources were usually deployed in private networks that were
protected, cloud-based conference resources might be viewed as less protected, cloud-based conference resources might be viewed as less
secure since they are not always physically controlled by those who secure since they are not always physically controlled by those who
use them. Additionally, there are usually several ports open to the use them. Additionally, there are usually several ports open to the
public in cloud deployments, such as for remote administration, and public in cloud deployments, such as for remote administration, and
so on. so on.
This document defines a solution framework wherein media privacy is This document defines a solution framework wherein media privacy is
ensured by making it impossible for a media distribution device to ensured by making it impossible for a media distributor to gain
gain access to keys needed to decrypt or authenticate the actual access to keys needed to decrypt or authenticate the actual media
media content sent between conference participants. At the same content sent between conference participants. At the same time, the
time, the framework allows for the Media Distributors to modify framework allows for the Media Distributors to modify certain RTP
certain RTP headers; add, remove, encrypt, or decrypt RTP header headers; add, remove, encrypt, or decrypt RTP header extensions; and
extensions; and encrypt and decrypt RTCP packets. The framework also encrypt and decrypt RTCP packets. The framework also prevents replay
prevents replay attacks by authenticating each packet transmitted attacks by authenticating each packet transmitted between a given
between a given participant and the media distribution device using a participant and the media distributor using a unique key per endpoint
unique key per endpoint that is independent from the key for media that is independent from the key for media encryption and
encryption and authentication. authentication.
A goal of this document is to define a framework for enhanced privacy A goal of this document is to define a framework for enhanced privacy
in RTP-based conferencing environments while utilizing existing in RTP-based conferencing environments while utilizing existing
security procedures defined for RTP with minimal enhancements. security procedures defined for RTP with minimal enhancements.
2. Conventions Used in This Document 2. Conventions Used in This Document
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119] when they document are to be interpreted as described in [RFC2119] when they
appear in ALL CAPS. These words may also appear in this document in appear in ALL CAPS. These words may also appear in this document in
lower case as plain English words, absent their normative meanings. lower case as plain English words, absent their normative meanings.
Additionally, this solution framework uses the following conventions, Additionally, this solution framework uses the following terms and
terms and acronyms: acronyms:
End-to-End (E2E): Communications from one endpoint through one or End-to-End (E2E): Communications from one endpoint through one or
more Media Distribution Devices to the endpoint at the other end. more Media Distributors to the endpoint at the other end.
Hop-by-Hop (HBH): Communications between an endpoint and a Media Hop-by-Hop (HBH): Communications between an endpoint and a Media
Distribution Device or between Media Distribution Devices. Distributor or between Media Distributors.
Trusted Endpoint: An RTP flow terminating entity that has possession Trusted Endpoint: An RTP flow terminating entity that has possession
of E2E media encryption keys and terminates E2E encryption. This may of E2E media encryption keys and terminates E2E encryption. This may
include embedded user conferencing equipment or browsers on include embedded user conferencing equipment or browsers on
computers, media gateways, MCUs, media recording device and more that computers, media gateways, MCUs, media recording device and more that
are in the trusted domain for a given deployment. are in the trusted domain for a given deployment.
Media Distributor (MD): An RTP middlebox that is not allowed to to Media Distributor (MD): An RTP middlebox that is not allowed to to
have access to E2E encryption keys. It operates according to the have access to E2E encryption keys. It operates according to the
Selective Forwarding Middlebox RTP topologies Selective Forwarding Middlebox RTP topologies [RFC7667] per the
[I-D.ietf-avtcore-rtp-topologies-update] per the constraints defined constraints defined by the PERC system, which includes, but not
by the PERC system, which includes, but not limited to, having no limited to, having no access to RTP media unencrypted and having
access to RTP media unencrypted and having limits on what RTP header limits on what RTP header field it can alter.
field it can alter.
Key Distributor: An entity that is a logical function which Key Distributor: An entity that is a logical function which
distributes keying material and related information to trusted distributes keying material and related information to trusted
endpoints and Media Distributor(s), only that which is appropriate endpoints and Media Distributor(s), only that which is appropriate
for each. The Key Distributor might be co-resident with another for each. The Key Distributor might be co-resident with another
entity trusted with E2E keying material. entity trusted with E2E keying material.
Conference: Two or more participants communicating via trusted Conference: Two or more participants communicating via trusted
endpoints to exchange RTP flows through one or more Media endpoints to exchange RTP flows through one or more Media
Distributor. Distributor.
skipping to change at page 5, line 46 skipping to change at page 5, line 46
The architecture described in this framework document enables The architecture described in this framework document enables
conferencing infrastructure to be hosted in domains, such as in a conferencing infrastructure to be hosted in domains, such as in a
cloud conferencing provider's facilities, where the trustworthiness cloud conferencing provider's facilities, where the trustworthiness
is below the level needed to assume the privacy of participant's is below the level needed to assume the privacy of participant's
media will not be compromised. The conferencing infrastructure in media will not be compromised. The conferencing infrastructure in
such a domain is still trusted with reliably connecting the such a domain is still trusted with reliably connecting the
participants together in a conference, but not trusted with keying participants together in a conference, but not trusted with keying
material needed to decrypt any of the participant's media. Entities material needed to decrypt any of the participant's media. Entities
in such lower trustworthiness domains will simply be referred to as in such lower trustworthiness domains will simply be referred to as
untrusted entities from this point forward. This does not mean that untrusted entities from this point forward.
they are completely untrusted as they may be trusted with most non-
media related aspects of hosting a conference. It is important to understand that untrusted in this document does
not mean an entity is not expected to function properly. Rather, it
means only that the entity does not have access to the E2E media
encryption keys.
3.1.1. Media Distributor 3.1.1. Media Distributor
A Media Distributor forwards RTP flows between endpoints in the A Media Distributor forwards RTP flows between endpoints in the
conference while performing per-hop authentication of each RTP conference while performing per-hop authentication of each RTP
packet. The Media Distributor may need access to one or more RTP packet. The Media Distributor may need access to one or more RTP
headers or header extensions, potentially adding or modifying a headers or header extensions, potentially adding or modifying a
certain subset. The Media Distributor will also relay secured certain subset. The Media Distributor will also relay secured
messaging between the endpoints and the Key Distributor and will messaging between the endpoints and the Key Distributor and will
acquire per-hop key information from the Key Distributor. The actual acquire per-hop key information from the Key Distributor. The actual
media content *MUST NOT* not be decryptable by a Media Distributor, media content MUST NOT not be decryptable by a Media Distributor, so
so it is untrusted to have access to the E2E media encryption keys, it is untrusted to have access to the E2E media encryption keys. The
which this framework's key exchange mechanisms will prevent. key exchange mechanisms specified in this framework will prevent the
Media Distributor from gaining access to the E2E media encryption
keys.
An endpoint's ability to join a conference hosted by a Media An endpoint's ability to join a conference hosted by a Media
Distributor MUST NOT alone be interpreted as being authorized to have Distributor MUST NOT alone be interpreted as being authorized to have
access to the E2E media encryption keys, as the Media Distributor access to the E2E media encryption keys, as the Media Distributor
does not have the ability to determine whether an endpoint is does not have the ability to determine whether an endpoint is
authorized. Trusted endpoint authorization is described in authorized. Trusted endpoint authorization is described in
[I-D.roach-perc-webrtc]. [I-D.roach-perc-webrtc].
A Media Distributor MUST perform its role in properly forwarding A Media Distributor MUST perform its role in properly forwarding
media packets while taking measures to mitigate the adverse effects media packets while taking measures to mitigate the adverse effects
skipping to change at page 7, line 9 skipping to change at page 7, line 15
entities. entities.
In any deployment scenario where the call processing function is In any deployment scenario where the call processing function is
considered trusted, the call processing function MUST ensure the considered trusted, the call processing function MUST ensure the
integrity of received messages before forwarding to other entities. integrity of received messages before forwarding to other entities.
3.2. Trusted Entities 3.2. Trusted Entities
From the PERC model system perspective, entities considered trusted From the PERC model system perspective, entities considered trusted
(refer to Figure 1) can be in possession of the E2E media encryption (refer to Figure 1) can be in possession of the E2E media encryption
key(s) for one or more conferences. keys for one or more conferences.
3.2.1. Endpoint 3.2.1. Endpoint
An endpoint is considered trusted and will have access to E2E key An endpoint is considered trusted and will have access to E2E key
information. While it is possible for an endpoint to be compromised, information. While it is possible for an endpoint to be compromised,
subsequently performing in undesired ways, defining endpoint subsequently performing in undesired ways, defining endpoint
resistance to compromise is outside the scope of this document. resistance to compromise is outside the scope of this document.
Endpoints will take measures to mitigate the adverse effects of Endpoints will take measures to mitigate the adverse effects of
denial of service attacks (refer to Section 6) from other entities, denial of service attacks (refer to Section 6) from other entities,
including from other endpoints, to a level equal to or better than including from other endpoints, to a level equal to or better than
skipping to change at page 10, line 18 skipping to change at page 10, line 18
requires that every packet be authenticated hop-by-hop (HBH) between requires that every packet be authenticated hop-by-hop (HBH) between
an endpoint and a Media Distributor, as well between Media an endpoint and a Media Distributor, as well between Media
Distributors. The authentication key used for hop-by-hop Distributors. The authentication key used for hop-by-hop
authentication is derived from an SRTP master key shared only on the authentication is derived from an SRTP master key shared only on the
respective hop. Each HBH key is distinct per hop and no two hops respective hop. Each HBH key is distinct per hop and no two hops
ever intentionally use the same SRTP master key. ever intentionally use the same SRTP master key.
Using hop-by-hop authentication gives the Media Distributor the Using hop-by-hop authentication gives the Media Distributor the
ability to change certain RTP header values. Which values the Media ability to change certain RTP header values. Which values the Media
Distributor can change in the RTP header are defined in Distributor can change in the RTP header are defined in
[I-D.ietf-perc-double]. RTCP can only be encrypted, giving the Media [I-D.ietf-perc-double]. RTCP can only be encrypted HBH, giving the
Distributor the flexibility to forward RTCP content unchanged, Media Distributor the flexibility to forward RTCP content unchanged,
transmit compound RTCP packets or to initiate RTCP packets for transmit compound RTCP packets or to initiate RTCP packets for
reporting statistics or conveying other information. Performing hop- reporting statistics or conveying other information. Performing hop-
by-hop authentication for all RTP and RTCP packets also helps provide by-hop authentication for all RTP and RTCP packets also helps provide
replay protection (see Section 6). replay protection (see Section 6).
If there is a need to encrypt one or more RTP header extensions hop- If there is a need to encrypt one or more RTP header extensions hop-
by-hop, an encryption key is derived from the hop-by-hop SRTP master by-hop, an encryption key is derived from the hop-by-hop SRTP master
key to encrypt header extensions as per [RFC6904]. This will still key to encrypt header extensions as per [RFC6904]. This will still
give the Media Distributor visibility into header extensions, such as give the Media Distributor visibility into header extensions, such as
the one used to determine audio level [RFC6464] of conference the one used to determine audio level [RFC6464] of conference
participants. Note that when RTP header extensions are encrypted, participants. Note that when RTP header extensions are encrypted,
all hops - in the untrusted domain at least - will need to decrypt all hops - in the untrusted domain at least - will need to decrypt
and re-encrypt these encrypted header extensions. and re-encrypt these encrypted header extensions.
4.5. Key Exchange 4.5. Key Exchange
To facilitate key exchange required to establish or generate an E2E
key and a HBH key for an endpoint and the same HBH key for the Media
Distributor, this framework utilizes a DTLS-SRTP [RFC5764]
association between an endpoint and the Key Distributor. To
establish this association, an endpoint will send DTLS-SRTP messages
to the Media Distributor which will then forward them to the Key
Distributor as defined in [I-D.ietf-perc-dtls-tunnel]. The Key
Encryption Key (KEK) (i.e., EKTKey) is also conveyed by the Key
Distributor over the DTLS association to endpoints via procedures
defined in PERC EKT [I-D.ietf-perc-srtp-ekt-diet].
Media Distributors use DTLS-SRTP [RFC5764] directly with a peer Media
Distributor to establish the HBH key for transmitting RTP and RTCP
packets to that peer Media Distributor. The Key Distributor does not
facilitate establishing a HBH key for use between Media Distributors.
4.5.1. Initial Key Exchange and Key Distributor 4.5.1. Initial Key Exchange and Key Distributor
The procedures defined in DTLS Tunnel for PERC The procedures defined in DTLS Tunnel for PERC
[I-D.ietf-perc-dtls-tunnel] establish one or more TLS tunnels between [I-D.ietf-perc-dtls-tunnel] establish one or more TLS tunnels between
the Media Distributor and Key Distributor, making it is possible for the Media Distributor and Key Distributor, making it is possible for
the Media Distributor to facilitate the establishment of a secure the Media Distributor to facilitate the establishment of a secure
DTLS association between each endpoint and the Key Distributor as DTLS association between each endpoint and the Key Distributor as
shown the following figure. The DTLS association between endpoints shown the following figure. The DTLS association between endpoints
and the Key Distributor will enable each endpoint to receive E2E key and the Key Distributor will enable each endpoint to generate E2E and
information, Key Encryption Key (KEK) information (i.e., EKT Key), HBH keys and receive the Key Encryption Key (KEK) (i.e., EKT Key).
and HBH key information. At the same time, the Key Distributor can At the same time, the Key Distributor can securely provide the HBH
securely provide the HBH key information to the Media Distributor. key information to the Media Distributor. The key information
The key information summarized here may include the SRTP master key, summarized here may include the SRTP master key, SRTP master salt,
SRTP master salt, and the negotiated cryptographic transform. and the negotiated cryptographic transform.
+-----------+ +-----------+
KEK info | Key | HBH Key info to KEK info | Key | HBH Key info to
to Endpoints |Distributor| Endpoints & Media Distributor to Endpoints |Distributor| Endpoints & Media Distributor
+-----------+ +-----------+
# ^ ^ # # ^ ^ #
# | | #-TLS Tunnel # | | #-TLS Tunnel
# | | # # | | #
+-----------+ +-----------+ +-----------+ +-----------+ +-----------+ +-----------+
| Endpoint | DTLS | Media | DTLS | Endpoint | | Endpoint | DTLS | Media | DTLS | Endpoint |
| KEK |<------------|Distributor|------------>| KEK | | KEK |<------------|Distributor|------------>| KEK |
| HBH Key | to Key Dist | HBH Keys | to Key Dist | HBH Key | | HBH Key | to Key Dist | HBH Keys | to Key Dist | HBH Key |
+-----------+ +-----------+ +-----------+ +-----------+ +-----------+ +-----------+
Figure 2: Exchanging Key Information Between Entities Figure 2: Exchanging Key Information Between Entities
Endpoints will establish a DTLS-SRTP association over the RTP Endpoints will establish a DTLS-SRTP [RFC5764] association over the
session's media ports for the purposes of key information exchange RTP session's media ports for the purposes of key information
with the Key Distributor. The Media Distributor will not terminate exchange with the Key Distributor. The Media Distributor will not
the DTLS signaling, but will instead forward DTLS packets received terminate the DTLS signaling, but will instead forward DTLS packets
from an endpoint on to the Key Distributor (and vice versa) via a received from an endpoint on to the Key Distributor (and vice versa)
tunnel established between Media Distributor and the Key Distributor. via a tunnel established between Media Distributor and the Key
This tunnel is used to encapsulate the DTLS-SRTP signaling between Distributor. This tunnel is used to encapsulate the DTLS-SRTP
the Key Distributor and endpoints will also be used to convey HBH key signaling between the Key Distributor and endpoints will also be used
information from the Key Distributor to the Media Distributor, so no to convey HBH key information from the Key Distributor to the Media
additional protocol or interface is required. Distributor, so no additional protocol or interface is required.
In establishing the DTLS association between endpoints and the Key
Distributor, the endpoint acts as the DTLS client and the Key
Distributor acts as the DTLS server. The Key Encryption Key (KEK)
(i.e., EKT Key) is conveyed by the Key Distributor over the DTLS
association to endpoints via procedures defined in PERC EKT
[I-D.ietf-perc-srtp-ekt-diet] via the EKTKey message.
Note that following DTLS-SRTP procedures for the
[I-D.ietf-perc-double] cipher, the endpoint will generate both E2E
and HBH encryption keys and salt values. Endpoints MAY use the DTLS-
SRTP generated E2E key or MAY generate different E2E keys. In either
case, the generated SRTP master salt for E2E encryption MUST be
replaced with the salt value provided by the Key Distributor via the
EKTKey message. That is because every endpoint in the conference
uses the same SRTP master salt. The endpoint only transmits the SRTP
master key (not the salt) used for E2E encryption to other endpoints
in RTP/RTCP packets per [I-D.ietf-perc-srtp-ekt-diet].
Media Distributors use DTLS-SRTP [RFC5764] directly with a peer Media
Distributor to establish the HBH key for transmitting RTP and RTCP
packets to that peer Media Distributor. The Key Distributor does not
facilitate establishing a HBH key for use between Media Distributors.
4.5.2. Key Exchange during a Conference 4.5.2. Key Exchange during a Conference
Following the initial key information exchange with the Key Following the initial key information exchange with the Key
Distributor, an endpoints will be able to encrypt media end-to-end Distributor, an endpoint will be able to encrypt media end-to-end
with an E2E key, sending that E2E key to other endpoints encrypted with an E2E key, sending that E2E key to other endpoints encrypted
with the KEK, and will be able to encrypt and authenticate RTP with the KEK, and will be able to encrypt and authenticate RTP
packets using a HBH key. The procedures defined do not allow the packets using a HBH key. The procedures defined do not allow the
Media Distributor to gain access to the KEK information, preventing Media Distributor to gain access to the KEK information, preventing
it from gaining access to any endpoint's E2E key and subsequently it from gaining access to any endpoint's E2E key and subsequently
decrypting media. decrypting media.
The KEK (i.e., EKT Key) may need to change from time-to-time during The KEK (i.e., EKT Key) may need to change from time-to-time during
the life of a conference, such as when a new participant joins or the life of a conference, such as when a new participant joins or
leaves a conference. Dictating if, when or how often a conference is leaves a conference. Dictating if, when or how often a conference is
skipping to change at page 12, line 27 skipping to change at page 12, line 35
specific message defined in PERC EKT [I-D.ietf-perc-srtp-ekt-diet] to specific message defined in PERC EKT [I-D.ietf-perc-srtp-ekt-diet] to
each of the conference participants. The endpoint MUST create a new each of the conference participants. The endpoint MUST create a new
SRTP master key and prepare to send that key inside a Full EKT Field SRTP master key and prepare to send that key inside a Full EKT Field
using the new EKTKey. Since it may take some time for all of the using the new EKTKey. Since it may take some time for all of the
endpoints in conference to finish re-keying, senders MUST delay a endpoints in conference to finish re-keying, senders MUST delay a
short period of time before sending media encrypted with the new short period of time before sending media encrypted with the new
master key, but it MUST be prepared to make use of the information master key, but it MUST be prepared to make use of the information
from a new inbound EKT Key immediately. See Section 2.2.2 of from a new inbound EKT Key immediately. See Section 2.2.2 of
[I-D.ietf-perc-srtp-ekt-diet]. [I-D.ietf-perc-srtp-ekt-diet].
Endpoints MAY follow the procedures in section 5.2 of [RFC5764] to
re-negotiate HBH keys as desired. If new HBH keys are generated, the
new keys are also delivered to the Media Distributor following the
procedures defined in [I-D.ietf-perc-dtls-tunnel].
Endpoints are at liberty to change the E2E encryption key used at any
time. Endpoints MUST generate a new E2E encryption key whenever it
receives a new EKT Key. After switching to a new key, the new key
will be conveyed to other endpoints in the conference in RTP/RTCP
packets per [I-D.ietf-perc-srtp-ekt-diet].
5. Entity Trust 5. Entity Trust
It is important to this solution framework that the entities can It is important to this solution framework that the entities can
trust and validate the authenticity of other entities, especially the trust and validate the authenticity of other entities, especially the
Key Distributor and endpoints. The details of this are outside the Key Distributor and endpoints. The details of this are outside the
scope of specification but a few possibilities are discussed in the scope of specification but a few possibilities are discussed in the
following sections. The key requirements is that endpoints can following sections. The key requirements is that endpoints can
verify they are connected to the correct Key Distributor for the verify they are connected to the correct Key Distributor for the
conference and the Key Distributor can verify the endpoints are the conference and the Key Distributor can verify the endpoints are the
correct endpoints for the conference. correct endpoints for the conference.
skipping to change at page 16, line 26 skipping to change at page 16, line 50
The authors would like to thank Mo Zanaty and Christian Oien for The authors would like to thank Mo Zanaty and Christian Oien for
invaluable input on this document. Also, we would like to invaluable input on this document. Also, we would like to
acknowledge Nermeen Ismail for serving on the initial versions of acknowledge Nermeen Ismail for serving on the initial versions of
this document as a co-author. this document as a co-author.
9. References 9. References
9.1. Normative References 9.1. Normative References
[I-D.ietf-perc-double] [I-D.ietf-perc-double]
Jennings, C., Jones, P., and A. Roach, "SRTP Double Jennings, C., Jones, P., Barnes, R., and A. Roach, "SRTP
Encryption Procedures", draft-ietf-perc-double-04 (work in Double Encryption Procedures", draft-ietf-perc-double-07
progress), April 2017. (work in progress), September 2017.
[I-D.ietf-perc-dtls-tunnel] [I-D.ietf-perc-dtls-tunnel]
Jones, P., Ellenbogen, P., and N. Ohlmeier, "DTLS Tunnel Jones, P., Ellenbogen, P., and N. Ohlmeier, "DTLS Tunnel
between a Media Distributor and Key Distributor to between a Media Distributor and Key Distributor to
Facilitate Key Exchange", draft-ietf-perc-dtls-tunnel-01 Facilitate Key Exchange", draft-ietf-perc-dtls-tunnel-01
(work in progress), April 2017. (work in progress), April 2017.
[I-D.ietf-perc-srtp-ekt-diet] [I-D.ietf-perc-srtp-ekt-diet]
Jennings, C., Mattsson, J., McGrew, D., and D. Wing, Jennings, C., Mattsson, J., McGrew, D., and D. Wing,
"Encrypted Key Transport for DTLS and Secure RTP", draft- "Encrypted Key Transport for DTLS and Secure RTP", draft-
ietf-perc-srtp-ekt-diet-04 (work in progress), April 2017. ietf-perc-srtp-ekt-diet-05 (work in progress), June 2017.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997, DOI 10.17487/RFC2119, March 1997, <https://www.rfc-
<http://www.rfc-editor.org/info/rfc2119>. editor.org/info/rfc2119>.
[RFC3550] Schulzrinne, H., Casner, S., Frederick, R., and V. [RFC3550] Schulzrinne, H., Casner, S., Frederick, R., and V.
Jacobson, "RTP: A Transport Protocol for Real-Time Jacobson, "RTP: A Transport Protocol for Real-Time
Applications", STD 64, RFC 3550, DOI 10.17487/RFC3550, Applications", STD 64, RFC 3550, DOI 10.17487/RFC3550,
July 2003, <http://www.rfc-editor.org/info/rfc3550>. July 2003, <https://www.rfc-editor.org/info/rfc3550>.
[RFC3711] Baugher, M., McGrew, D., Naslund, M., Carrara, E., and K. [RFC3711] Baugher, M., McGrew, D., Naslund, M., Carrara, E., and K.
Norrman, "The Secure Real-time Transport Protocol (SRTP)", Norrman, "The Secure Real-time Transport Protocol (SRTP)",
RFC 3711, DOI 10.17487/RFC3711, March 2004, RFC 3711, DOI 10.17487/RFC3711, March 2004,
<http://www.rfc-editor.org/info/rfc3711>. <https://www.rfc-editor.org/info/rfc3711>.
[RFC5764] McGrew, D. and E. Rescorla, "Datagram Transport Layer [RFC5764] McGrew, D. and E. Rescorla, "Datagram Transport Layer
Security (DTLS) Extension to Establish Keys for the Secure Security (DTLS) Extension to Establish Keys for the Secure
Real-time Transport Protocol (SRTP)", RFC 5764, Real-time Transport Protocol (SRTP)", RFC 5764,
DOI 10.17487/RFC5764, May 2010, DOI 10.17487/RFC5764, May 2010, <https://www.rfc-
<http://www.rfc-editor.org/info/rfc5764>. editor.org/info/rfc5764>.
[RFC6904] Lennox, J., "Encryption of Header Extensions in the Secure [RFC6904] Lennox, J., "Encryption of Header Extensions in the Secure
Real-time Transport Protocol (SRTP)", RFC 6904, Real-time Transport Protocol (SRTP)", RFC 6904,
DOI 10.17487/RFC6904, April 2013, DOI 10.17487/RFC6904, April 2013, <https://www.rfc-
<http://www.rfc-editor.org/info/rfc6904>. editor.org/info/rfc6904>.
9.2. Informative References 9.2. Informative References
[I-D.ietf-avtcore-rtp-topologies-update]
Westerlund, M. and S. Wenger, "RTP Topologies", draft-
ietf-avtcore-rtp-topologies-update-10 (work in progress),
July 2015.
[I-D.ietf-rtcweb-security-arch] [I-D.ietf-rtcweb-security-arch]
Rescorla, E., "WebRTC Security Architecture", draft-ietf- Rescorla, E., "WebRTC Security Architecture", draft-ietf-
rtcweb-security-arch-12 (work in progress), June 2016. rtcweb-security-arch-13 (work in progress), October 2017.
[I-D.roach-perc-webrtc] [I-D.roach-perc-webrtc]
Roach, A., "Using Privacy Enhanced Real-time Conferencing Roach, A., "Using Privacy Enhanced Real-time Conferencing
(PERC) in a WebRTC Context", draft-roach-perc-webrtc-00 (PERC) in a WebRTC Context", draft-roach-perc-webrtc-00
(work in progress), March 2017. (work in progress), March 2017.
[RFC3261] Rosenberg, J., Schulzrinne, H., Camarillo, G., Johnston, [RFC3261] Rosenberg, J., Schulzrinne, H., Camarillo, G., Johnston,
A., Peterson, J., Sparks, R., Handley, M., and E. A., Peterson, J., Sparks, R., Handley, M., and E.
Schooler, "SIP: Session Initiation Protocol", RFC 3261, Schooler, "SIP: Session Initiation Protocol", RFC 3261,
DOI 10.17487/RFC3261, June 2002, DOI 10.17487/RFC3261, June 2002, <https://www.rfc-
<http://www.rfc-editor.org/info/rfc3261>. editor.org/info/rfc3261>.
[RFC4353] Rosenberg, J., "A Framework for Conferencing with the [RFC4353] Rosenberg, J., "A Framework for Conferencing with the
Session Initiation Protocol (SIP)", RFC 4353, Session Initiation Protocol (SIP)", RFC 4353,
DOI 10.17487/RFC4353, February 2006, DOI 10.17487/RFC4353, February 2006, <https://www.rfc-
<http://www.rfc-editor.org/info/rfc4353>. editor.org/info/rfc4353>.
[RFC4474] Peterson, J. and C. Jennings, "Enhancements for [RFC4474] Peterson, J. and C. Jennings, "Enhancements for
Authenticated Identity Management in the Session Authenticated Identity Management in the Session
Initiation Protocol (SIP)", RFC 4474, Initiation Protocol (SIP)", RFC 4474,
DOI 10.17487/RFC4474, August 2006, DOI 10.17487/RFC4474, August 2006, <https://www.rfc-
<http://www.rfc-editor.org/info/rfc4474>. editor.org/info/rfc4474>.
[RFC4566] Handley, M., Jacobson, V., and C. Perkins, "SDP: Session [RFC4566] Handley, M., Jacobson, V., and C. Perkins, "SDP: Session
Description Protocol", RFC 4566, DOI 10.17487/RFC4566, Description Protocol", RFC 4566, DOI 10.17487/RFC4566,
July 2006, <http://www.rfc-editor.org/info/rfc4566>. July 2006, <https://www.rfc-editor.org/info/rfc4566>.
[RFC5763] Fischl, J., Tschofenig, H., and E. Rescorla, "Framework [RFC5763] Fischl, J., Tschofenig, H., and E. Rescorla, "Framework
for Establishing a Secure Real-time Transport Protocol for Establishing a Secure Real-time Transport Protocol
(SRTP) Security Context Using Datagram Transport Layer (SRTP) Security Context Using Datagram Transport Layer
Security (DTLS)", RFC 5763, DOI 10.17487/RFC5763, May Security (DTLS)", RFC 5763, DOI 10.17487/RFC5763, May
2010, <http://www.rfc-editor.org/info/rfc5763>. 2010, <https://www.rfc-editor.org/info/rfc5763>.
[RFC6464] Lennox, J., Ed., Ivov, E., and E. Marocco, "A Real-time [RFC6464] Lennox, J., Ed., Ivov, E., and E. Marocco, "A Real-time
Transport Protocol (RTP) Header Extension for Client-to- Transport Protocol (RTP) Header Extension for Client-to-
Mixer Audio Level Indication", RFC 6464, Mixer Audio Level Indication", RFC 6464,
DOI 10.17487/RFC6464, December 2011, DOI 10.17487/RFC6464, December 2011, <https://www.rfc-
<http://www.rfc-editor.org/info/rfc6464>. editor.org/info/rfc6464>.
[RFC7667] Westerlund, M. and S. Wenger, "RTP Topologies", RFC 7667,
DOI 10.17487/RFC7667, November 2015, <https://www.rfc-
editor.org/info/rfc7667>.
Appendix A. PERC Key Inventory Appendix A. PERC Key Inventory
PERC specifies the use of a number of different keys and, PERC specifies the use of a number of different keys and,
understandably, it looks complicated or confusing on the surface. understandably, it looks complicated or confusing on the surface.
This section summarizes the various keys used in the system, how they This section summarizes the various keys used in the system, how they
are generated, and what purpose they serve. are generated, and what purpose they serve.
The keys are described in the order in which they would typically be The keys are described in the order in which they would typically be
acquired. acquired.
skipping to change at page 20, line 37 skipping to change at page 21, line 7
The EKT Field in media packets is encrypted using a cipher specified The EKT Field in media packets is encrypted using a cipher specified
via the EKTKey message (e.g., AES Key Wrap with a 128-bit key). This via the EKTKey message (e.g., AES Key Wrap with a 128-bit key). This
cipher is different than the cipher used to protect media and is only cipher is different than the cipher used to protect media and is only
used to encrypt the endpoint's SRTP master key (and other EKT Field used to encrypt the endpoint's SRTP master key (and other EKT Field
data as per [I-D.ietf-perc-srtp-ekt-diet]). data as per [I-D.ietf-perc-srtp-ekt-diet]).
The media distributor is not given the KEK (i.e., EKT Key). The media distributor is not given the KEK (i.e., EKT Key).
A.3. Endpoints fabricate an SRTP Master Key A.3. Endpoints fabricate an SRTP Master Key
As stated earlier, the E2E key determined via DTLS-SRTP is discarded. As stated earlier, the E2E key determined via DTLS-SRTP MAY be
While it could have been used, the fact that endpoints may need to discarded in favor of a locally-generated SRTP master key. While the
change the SRTP master key periodically or are forced to change the DTLS-SRTP-derived key could be used, the fact that an endpoint might
SRTP master key as a result of the EKT key changing means using it need to change the SRTP master key periodically or is forced to
has only limited utility. To reduce complexity, PERC prescribes that change the SRTP master key as a result of the EKT key changing means
endpoints manufacturer random SRTP master keys locally to be used for using it has only limited utility. To reduce complexity, PERC
E2E encryption. *RECOMMENDS* that endpoints create random SRTP master keys locally to
be used for E2E encryption.
This locally-generated SRTP master key is used along with the master This locally-generated SRTP master key is used along with the master
salt transmitted to the endpoint from the key distributor via the salt transmitted to the endpoint from the key distributor via the
EKTKey message to encrypt media end-to-end. EKTKey message to encrypt media end-to-end.
Since the media distributor is not involved in E2E functions, it will Since the media distributor is not involved in E2E functions, it will
not create this key nor have access to any endpoint's E2E key. Note, not create this key nor have access to any endpoint's E2E key. Note,
too, that even the key distributor is unaware of the locally- too, that even the key distributor is unaware of the locally-
generated E2E keys used by each endpoint. generated E2E keys used by each endpoint.
 End of changes. 42 change blocks. 
115 lines changed or deleted 137 lines changed or added

This html diff was produced by rfcdiff 1.46. The latest version is available from http://tools.ietf.org/tools/rfcdiff/