draft-ietf-perc-private-media-framework-07.txt   draft-ietf-perc-private-media-framework-08.txt 
Network Working Group P. Jones Network Working Group P. Jones
Internet-Draft Cisco Internet-Draft Cisco
Intended status: Standards Track D. Benham Intended status: Standards Track D. Benham
Expires: March 8, 2019 C. Groves Expires: July 27, 2019 C. Groves
Independent Independent
September 4, 2018 January 23, 2019
A Solution Framework for Private Media in Privacy Enhanced RTP A Solution Framework for Private Media in Privacy Enhanced RTP
Conferencing Conferencing
draft-ietf-perc-private-media-framework-07 draft-ietf-perc-private-media-framework-08
Abstract Abstract
This document describes a solution framework for ensuring that media This document describes a solution framework for ensuring that media
confidentiality and integrity are maintained end-to-end within the confidentiality and integrity are maintained end-to-end within the
context of a switched conferencing environment where media context of a switched conferencing environment where media
distributors are not trusted with the end-to-end media encryption distributors are not trusted with the end-to-end media encryption
keys. The solution aims to build upon existing security mechanisms keys. The solution aims to build upon existing security mechanisms
defined for the real-time transport protocol (RTP). defined for the real-time transport protocol (RTP).
skipping to change at page 1, line 38 skipping to change at page 1, line 38
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on March 8, 2019. This Internet-Draft will expire on July 27, 2019.
Copyright Notice Copyright Notice
Copyright (c) 2018 IETF Trust and the persons identified as the Copyright (c) 2019 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of (https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License. described in the Simplified BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3
2. Conventions Used in This Document . . . . . . . . . . . . . . 4 2. Conventions Used in This Document . . . . . . . . . . . . . . 3
3. PERC Entities and Trust Model . . . . . . . . . . . . . . . . 5 3. PERC Entities and Trust Model . . . . . . . . . . . . . . . . 4
3.1. Untrusted Entities . . . . . . . . . . . . . . . . . . . 5 3.1. Untrusted Entities . . . . . . . . . . . . . . . . . . . 5
3.1.1. Media Distributor . . . . . . . . . . . . . . . . . . 6 3.1.1. Media Distributor . . . . . . . . . . . . . . . . . . 5
3.1.2. Call Processing . . . . . . . . . . . . . . . . . . . 6 3.1.2. Call Processing . . . . . . . . . . . . . . . . . . . 6
3.2. Trusted Entities . . . . . . . . . . . . . . . . . . . . 7 3.2. Trusted Entities . . . . . . . . . . . . . . . . . . . . 6
3.2.1. Endpoint . . . . . . . . . . . . . . . . . . . . . . 7 3.2.1. Endpoint . . . . . . . . . . . . . . . . . . . . . . 7
3.2.2. Key Distributor . . . . . . . . . . . . . . . . . . . 7 3.2.2. Key Distributor . . . . . . . . . . . . . . . . . . . 7
4. Framework for PERC . . . . . . . . . . . . . . . . . . . . . 7 4. Framework for PERC . . . . . . . . . . . . . . . . . . . . . 7
4.1. End-to-End and Hop-by-Hop Authenticated Encryption . . . 8 4.1. End-to-End and Hop-by-Hop Authenticated Encryption . . . 7
4.2. E2E Key Confidentiality . . . . . . . . . . . . . . . . . 9 4.2. E2E Key Confidentiality . . . . . . . . . . . . . . . . . 9
4.3. E2E Keys and Endpoint Operations . . . . . . . . . . . . 9 4.3. E2E Keys and Endpoint Operations . . . . . . . . . . . . 9
4.4. HBH Keys and Hop Operations . . . . . . . . . . . . . . . 10 4.4. HBH Keys and Per-hop Operations . . . . . . . . . . . . . 9
4.5. Key Exchange . . . . . . . . . . . . . . . . . . . . . . 10 4.5. Key Exchange . . . . . . . . . . . . . . . . . . . . . . 10
4.5.1. Initial Key Exchange and Key Distributor . . . . . . 11 4.5.1. Initial Key Exchange and Key Distributor . . . . . . 10
4.5.2. Key Exchange during a Conference . . . . . . . . . . 12 4.5.2. Key Exchange during a Conference . . . . . . . . . . 12
5. Authentication . . . . . . . . . . . . . . . . . . . . . . . 13 5. Authentication . . . . . . . . . . . . . . . . . . . . . . . 13
5.1. Identity Assertions . . . . . . . . . . . . . . . . . . . 13 5.1. Identity Assertions . . . . . . . . . . . . . . . . . . . 13
5.2. Certificate Fingerprints in Session Signaling . . . . . . 13 5.2. Certificate Fingerprints in Session Signaling . . . . . . 13
5.3. Conferences Identification . . . . . . . . . . . . . . . 14 5.3. Conferences Identification . . . . . . . . . . . . . . . 14
6. Security Considerations . . . . . . . . . . . . . . . . . . . 14 6. PERC Keys . . . . . . . . . . . . . . . . . . . . . . . . . . 14
6.1. Third Party Attacks . . . . . . . . . . . . . . . . . . . 14 6.1. Key Inventory and Management Considerations . . . . . . . 14
6.2. Media Distributor Attacks . . . . . . . . . . . . . . . . 15 6.2. DTLS-SRTP Exchange Yields HBH Keys . . . . . . . . . . . 15
6.2.1. Denial of service . . . . . . . . . . . . . . . . . . 15 6.3. The Key Distributor Transmits the KEK (EKT Key) . . . . . 16
6.2.2. Replay Attack . . . . . . . . . . . . . . . . . . . . 16 6.4. Endpoints fabricate an SRTP Master Key . . . . . . . . . 17
6.2.3. Delayed Playout Attack . . . . . . . . . . . . . . . 16 6.5. Summary of Key Types and Entity Possession . . . . . . . 17
6.2.4. Splicing Attack . . . . . . . . . . . . . . . . . . . 16 7. Encrypted Media Packet Format . . . . . . . . . . . . . . . . 18
7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 16 8. Security Considerations . . . . . . . . . . . . . . . . . . . 19
8. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 17 8.1. Third Party Attacks . . . . . . . . . . . . . . . . . . . 19
9. References . . . . . . . . . . . . . . . . . . . . . . . . . 17 8.2. Media Distributor Attacks . . . . . . . . . . . . . . . . 20
9.1. Normative References . . . . . . . . . . . . . . . . . . 17 8.2.1. Denial of service . . . . . . . . . . . . . . . . . . 20
9.2. Informative References . . . . . . . . . . . . . . . . . 17 8.2.2. Replay Attack . . . . . . . . . . . . . . . . . . . . 20
Appendix A. PERC Key Inventory . . . . . . . . . . . . . . . . . 19 8.2.3. Delayed Playout Attack . . . . . . . . . . . . . . . 21
A.1. DTLS-SRTP Exchange Yields HBH Keys . . . . . . . . . . . 20 8.2.4. Splicing Attack . . . . . . . . . . . . . . . . . . . 21
A.2. The Key Distributor Transmits the KEK (EKT Key) . . . . . 20 9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 21
A.3. Endpoints fabricate an SRTP Master Key . . . . . . . . . 21 10. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 21
A.4. Who has What Key . . . . . . . . . . . . . . . . . . . . 21 11. References . . . . . . . . . . . . . . . . . . . . . . . . . 22
Appendix B. PERC Packet Format . . . . . . . . . . . . . . . . . 22 11.1. Normative References . . . . . . . . . . . . . . . . . . 22
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 23 11.2. Informative References . . . . . . . . . . . . . . . . . 22
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 24
1. Introduction 1. Introduction
Switched conferencing is an increasingly popular model for multimedia Switched conferencing is an increasingly popular model for multimedia
conferences with multiple participants using a combination of audio, conferences with multiple participants using a combination of audio,
video, text, and other media types. With this model, real-time media video, text, and other media types. With this model, real-time media
flows from conference participants are not mixed, transcoded, flows from conference participants are not mixed, transcoded,
transrated, recomposed, or otherwise manipulated by a Media transrated, recomposed, or otherwise manipulated by a Media
Distributor, as might be the case with a traditional media server or Distributor, as might be the case with a traditional media server or
multipoint control unit (MCU). Instead, media flows transmitted by multipoint control unit (MCU). Instead, media flows transmitted by
conference participants are simply forwarded by the Media Distributor conference participants are simply forwarded by Media Distributors to
to each of the other participants, often forwarding only a subset of each of the other participants. Media Distributors often forward
flows based on voice activity detection or other criteria. In some only a subset of flows based on voice activity detection or other
instances, the Media Distributors may make limited modifications to criteria. In some instances, Media Distributors may make limited
RTP [RFC3550] headers, for example, but the actual media content modifications to RTP [RFC3550] headers, for example, but the actual
(e.g., voice or video data) is unaltered. media content (e.g., voice or video data) is unaltered.
An advantage of switched conferencing is that Media Distributors can An advantage of switched conferencing is that Media Distributors can
be more easily deployed on general-purpose computing hardware, be more easily deployed on general-purpose computing hardware,
including virtualized environments in private and public clouds. including virtualized environments in private and public clouds.
Deploying conference resources in a public cloud environment might While virutalized public cloud environments have been viewed as less
introduce a higher security risk. Whereas traditional conference secure since resources are not always physically controlled by those
resources were usually deployed in private networks that were who use them and since there are usually several ports open to the
protected, cloud-based conference resources might be viewed as less public, this draft aims to improve security so as to lower the
secure since they are not always physically controlled by those who barrier to taking advantage of those environments.
use them. Additionally, there are usually several ports open to the
public in cloud deployments, such as for remote administration, and
so on.
This document defines a solution framework wherein media privacy is This document defines a solution framework wherein media privacy is
ensured by making it impossible for a media distributor to gain ensured by making it impossible for a media distributor to gain
access to keys needed to decrypt or authenticate the actual media access to keys needed to decrypt or authenticate the actual media
content sent between conference participants. At the same time, the content sent between conference participants. At the same time, the
framework allows for the Media Distributors to modify certain RTP framework allows for the Media Distributors to modify certain RTP
headers; add, remove, encrypt, or decrypt RTP header extensions; and headers; add, remove, encrypt, or decrypt RTP header extensions; and
encrypt and decrypt RTCP packets. The framework also prevents replay encrypt and decrypt RTCP packets. The framework also prevents replay
attacks by authenticating each packet transmitted between a given attacks by authenticating each packet transmitted between a given
participant and the media distributor using a unique key per endpoint participant and the media distributor using a unique key per endpoint
that is independent from the key for media encryption and that is independent from the key for media encryption and
authentication. authentication.
A goal of this document is to define a framework for enhanced privacy A goal of this document is to define a framework for enhanced privacy
in RTP-based conferencing environments while utilizing existing in RTP-based conferencing environments while utilizing existing
security procedures defined for RTP with minimal enhancements. security procedures defined for RTP with minimal enhancements.
2. Conventions Used in This Document 2. Conventions Used in This Document
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
document are to be interpreted as described in [RFC2119] when they "OPTIONAL" in this document are to be interpreted as described in BCP
appear in ALL CAPS. These words may also appear in this document in 14 [RFC2119] [RFC8174] when, and only when, they appear in all
lower case as plain English words, absent their normative meanings. capitals, as shown here.
Additionally, this solution framework uses the following terms and Additionally, this solution framework uses the following terms and
acronyms: acronyms:
End-to-End (E2E): Communications from one endpoint through one or End-to-End (E2E): Communications from one endpoint through one or
more Media Distributors to the endpoint at the other end. more Media Distributors to the endpoint at the other end.
Hop-by-Hop (HBH): Communications between an endpoint and a Media Hop-by-Hop (HBH): Communications between an endpoint and a Media
Distributor or between Media Distributors. Distributor or between Media Distributors.
Trusted Endpoint: An RTP flow terminating entity that has possession Trusted Endpoint: An RTP flow terminating entity that has possession
of E2E media encryption keys and terminates E2E encryption. This may of E2E media encryption keys and terminates E2E encryption. This may
include embedded user conferencing equipment or browsers on include embedded user conferencing equipment or browsers on
computers, media gateways, MCUs, media recording device and more that computers, media gateways, MCUs, media recording device and more that
are in the trusted domain for a given deployment. are in the trusted domain for a given deployment.
Media Distributor (MD): An RTP middlebox that is not allowed to to Media Distributor (MD): An RTP middlebox that forwards endpoint media
have access to E2E encryption keys. It operates according to the content (e.g., voice or video data) unaltered, either a subset or all
Selective Forwarding Middlebox RTP topologies [RFC7667] per the of the flows at any given time, and is never allowed have access to
constraints defined by the PERC system, which includes, but not E2E encryption keys. It operates according to the Selective
limited to, having no access to RTP media unencrypted and having Forwarding Middlebox RTP topologies [RFC7667] per the constraints
limits on what RTP header field it can alter. defined by the PERC system, which includes, but not limited to,
having no access to RTP media unencrypted and having limits on what
RTP header field it can alter.
Key Distributor: An entity that is a logical function which Key Distributor: An entity that is a logical function which
distributes keying material and related information to trusted distributes keying material and related information to trusted
endpoints and Media Distributor(s), only that which is appropriate endpoints and Media Distributor(s), only that which is appropriate
for each. The Key Distributor might be co-resident with another for each. The Key Distributor might be co-resident with another
entity trusted with E2E keying material. entity trusted with E2E keying material.
Conference: Two or more participants communicating via trusted Conference: Two or more participants communicating via trusted
endpoints to exchange RTP flows through one or more Media endpoints to exchange RTP flows through one or more Media
Distributor. Distributor.
skipping to change at page 5, line 15 skipping to change at page 5, line 8
3. PERC Entities and Trust Model 3. PERC Entities and Trust Model
The following figure depicts the trust relationships, direct or The following figure depicts the trust relationships, direct or
indirect, between entities described in the subsequent sub-sections. indirect, between entities described in the subsequent sub-sections.
Note that these entities may be co-located or further divided into Note that these entities may be co-located or further divided into
multiple, separate physical devices. multiple, separate physical devices.
Please note that some entities classified as untrusted in the simple, Please note that some entities classified as untrusted in the simple,
general deployment scenario used most commonly in this document might general deployment scenario used most commonly in this document might
be considered trusted in other deployments. This document does not be considered trusted in other deployments. This document does not
preclude such scenarios, but will keep the definitions and examples preclude such scenarios, but keeps the definitions and examples
focused by only using the the simple, most general deployment focused by only using the the simple, most general deployment
scenario. scenario.
| |
+----------+ | +-----------------+ +----------+ | +-----------------+
| Endpoint | | | Call Processing | | Endpoint | | | Call Processing |
+----------+ | +-----------------+ +----------+ | +-----------------+
| |
| |
+----------------+ | +--------------------+ +----------------+ | +--------------------+
skipping to change at page 5, line 41 skipping to change at page 5, line 34
| |
Figure 1: Trusted and Untrusted Entities in PERC Figure 1: Trusted and Untrusted Entities in PERC
3.1. Untrusted Entities 3.1. Untrusted Entities
The architecture described in this framework document enables The architecture described in this framework document enables
conferencing infrastructure to be hosted in domains, such as in a conferencing infrastructure to be hosted in domains, such as in a
cloud conferencing provider's facilities, where the trustworthiness cloud conferencing provider's facilities, where the trustworthiness
is below the level needed to assume the privacy of participant's is below the level needed to assume the privacy of participant's
media will not be compromised. The conferencing infrastructure in media is not compromised. The conferencing infrastructure in such a
such a domain is still trusted with reliably connecting the domain is still trusted with reliably connecting the participants
participants together in a conference, but not trusted with keying together in a conference, but not trusted with keying material needed
material needed to decrypt any of the participant's media. Entities to decrypt any of the participant's media. Entities in such lower
in such lower trustworthiness domains will simply be referred to as trustworthiness domains are referred to as untrusted entities from
untrusted entities from this point forward. this point forward.
It is important to understand that untrusted in this document does It is important to understand that untrusted in this document does
not mean an entity is not expected to function properly. Rather, it not mean an entity is not expected to function properly. Rather, it
means only that the entity does not have access to the E2E media means only that the entity does not have access to the E2E media
encryption keys. encryption keys.
3.1.1. Media Distributor 3.1.1. Media Distributor
A Media Distributor forwards RTP flows between endpoints in the A Media Distributor forwards RTP flows between endpoints in the
conference while performing per-hop authentication of each RTP conference while performing per-hop authentication of each RTP
packet. The Media Distributor may need access to one or more RTP packet. The Media Distributor may need access to one or more RTP
headers or header extensions, potentially adding or modifying a headers or header extensions, potentially adding or modifying a
certain subset. The Media Distributor will also relay secured certain subset. The Media Distributor also relays secured messaging
messaging between the endpoints and the Key Distributor and will between the endpoints and the Key Distributor and acquires per-hop
acquire per-hop key information from the Key Distributor. The actual key information from the Key Distributor. The actual media content
media content MUST NOT not be decryptable by a Media Distributor, so must not be decryptable by a Media Distributor, as it is untrusted to
it is untrusted to have access to the E2E media encryption keys. The have access to the E2E media encryption keys. The key exchange
key exchange mechanisms specified in this framework will prevent the mechanisms specified in this framework prevents the Media Distributor
Media Distributor from gaining access to the E2E media encryption from gaining access to the E2E media encryption keys.
keys.
An endpoint's ability to join a conference hosted by a Media An endpoint's ability to connect to a conference serviced by a Media
Distributor MUST NOT alone be interpreted as being authorized to have Distributor does imply that the endpoint is authorized to have access
access to the E2E media encryption keys, as the Media Distributor to the E2E media encryption keys, as the Media Distributor does not
does not have the ability to determine whether an endpoint is have the ability to determine whether an endpoint is authorized.
authorized. Instead, the Key Distributor is responsible for Instead, the Key Distributor is responsible for authenticating the
authenticating endpoints (e.g., using WebRTC Identity endpoint (e.g., using WebRTC Identity
[I-D.ietf-rtcweb-security-arch]) and determining their authorization [I-D.ietf-rtcweb-security-arch]) and determining its authorization to
to receive E2E media encryption keys. receive E2E and HBH media encryption keys.
A Media Distributor MUST perform its role in properly forwarding A Media Distributor must perform its role in properly forwarding
media packets while taking measures to mitigate the adverse effects media packets while taking measures to mitigate the adverse effects
of denial of service attacks (refer to Section 6), etc, to a level of denial of service attacks (refer to Section 8) to a level equal to
equal to or better than traditional conferencing (i.e. non-PERC) or better than traditional conferencing (i.e. non-PERC) deployments.
deployments.
A Media Distributor or associated conferencing infrastructure may A Media Distributor or associated conferencing infrastructure may
also initiate or terminate various conference control related also initiate or terminate various conference control related
messaging, which is outside the scope of this framework document. messaging, which is outside the scope of this framework document.
3.1.2. Call Processing 3.1.2. Call Processing
The call processing function is untrusted in the simple, general The call processing function is untrusted in the simple, general
deployment scenario. When a physical subset of the call processing deployment scenario. When a physical subset of the call processing
function resides in facilities outside the trusted domain, it should function resides in facilities outside the trusted domain, it should
not be trusted to have access to E2E key information. not be trusted to have access to E2E key information.
The call processing function may include the processing of call The call processing function may include the processing of call
signaling messages, as well as the signing of those messages. It may signaling messages, as well as the signing of those messages. It may
also authenticate the endpoints for the purpose of call signaling and also authenticate the endpoints for the purpose of call signaling and
subsequently joining of a conference hosted through one or more Media subsequently joining of a conference hosted through one or more Media
Distributors. Call processing may optionally ensure the privacy of Distributors. Call processing may optionally ensure the privacy of
call signaling messages between itself, the endpoint, and other call signaling messages between itself, the endpoint, and other
entities. entities.
In any deployment scenario where the call processing function is
considered trusted, the call processing function MUST ensure the
integrity of received messages before forwarding to other entities.
3.2. Trusted Entities 3.2. Trusted Entities
From the PERC model system perspective, entities considered trusted From the PERC model system perspective, entities considered trusted
(refer to Figure 1) can be in possession of the E2E media encryption (refer to Figure 1) can be in possession of the E2E media encryption
keys for one or more conferences. keys for one or more conferences.
3.2.1. Endpoint 3.2.1. Endpoint
An endpoint is considered trusted and will have access to E2E key An endpoint is considered trusted and has access to E2E key
information. While it is possible for an endpoint to be compromised, information. While it is possible for an endpoint to be compromised,
subsequently performing in undesired ways, defining endpoint subsequently performing in undesired ways, defining endpoint
resistance to compromise is outside the scope of this document. resistance to compromise is outside the scope of this document.
Endpoints will take measures to mitigate the adverse effects of Endpoints take measures to mitigate the adverse effects of denial of
denial of service attacks (refer to Section 6) from other entities, service attacks (refer to Section 8) from other entities, including
including from other endpoints, to a level equal to or better than from other endpoints, to a level equal to or better than traditional
traditional conference (i.e., non-PERC) deployments. conference (i.e., non-PERC) deployments.
3.2.2. Key Distributor 3.2.2. Key Distributor
The Key Distributor, which may be colocated with an endpoint or exist The Key Distributor, which may be colocated with an endpoint or exist
standalone, is responsible for providing key information to endpoints standalone, is responsible for providing key information to endpoints
for both end-to-end and hop-by-hop security and for providing key for both end-to-end (E2E) and hop-by-hop (HBH) security and for
information to Media Distributors for the hop-by-hop security. providing key information to Media Distributors for the hop-by-hop
security.
Interaction between the Key Distributor and the call processing Interaction between the Key Distributor and the call processing
function is necessary to for proper conference-to-endpoint mappings. function is necessary to for proper conference-to-endpoint mappings.
This is described in Section 5.3. This is described in Section 5.3.
The Key Distributor needs to be secured and managed in a way to The Key Distributor needs to be secured and managed in a way to
prevent exploitation by an adversary, as any kind of compromise of prevent exploitation by an adversary, as any kind of compromise of
the Key Distributor puts the security of the conference at risk. the Key Distributor puts the security of the conference at risk.
4. Framework for PERC 4. Framework for PERC
The purpose for this framework is to define a means through which The purpose for this framework is to define a means through which
media privacy can be ensured when communicating within a conferencing media privacy is ensured when communicating within a conferencing
environment consisting of one or more Media Distributors that only environment consisting of one or more Media Distributors that only
switch, hence not terminate, media. It does not otherwise attempt to switch, hence not terminate, media. It does not otherwise attempt to
hide the fact that a conference between endpoints is taking place. hide the fact that a conference between endpoints is taking place.
This framework reuses several specified RTP security technologies, This framework reuses several specified RTP security technologies,
including SRTP [RFC3711], PERC EKT [I-D.ietf-perc-srtp-ekt-diet], and including SRTP [RFC3711], EKT [I-D.ietf-perc-srtp-ekt-diet], and
DTLS-SRTP [RFC5764]. DTLS-SRTP [RFC5764].
4.1. End-to-End and Hop-by-Hop Authenticated Encryption 4.1. End-to-End and Hop-by-Hop Authenticated Encryption
This solution framework focuses on the end-to-end privacy and This solution framework focuses on the end-to-end privacy and
integrity of the participant's media by limiting access of the end- integrity of the participant's media by limiting access to only
to-end key information to trusted entities. However, this framework trusted entities to the E2E key used for authenticated end-to-end
does give a Media Distributor access to RTP headers and all or most encryption. However, this framework does give a Media Distributor
header extensions, as well as the ability to modify a certain subset access to RTP headers and all or most header extensions, as well as
of those headers and to add header extensions. Packets received by a the ability to modify a certain subset of those headers and to add
Media Distributor or an endpoint are authenticated hop-by-hop. header extensions. Packets received by a Media Distributor or an
endpoint are authenticated hop-by-hop.
To enable all of the above, this framework defines the use of two To enable all of the above, this framework defines the use of two
security contexts and two associated encryption keys: an "inner" key security contexts and two associated encryption keys: an "inner" key
(an E2E key distinct for each transmitted media flow) for (an E2E key distinct for each transmitted media flow) for
authenticated encryption of RTP media between endpoints and an authenticated encryption of RTP media between endpoints and an
"outer" key (HBH key) known only to media distributor and the "outer" key (HBH key) known only to Media Distributor and the
adjacent endpoint) for the hop between an endpoint and a Media adjacent endpoint) for the hop between an endpoint and a Media
Distributor or between Media Distributor. Distributor or between Media Distributor.
+-------------+ +-------------+ +-------------+ +-------------+
| |################################| | | |################################| |
| Media |------------------------ *----->| Media | | Media |------------------------ *----->| Media |
| Distributor |<----------------------*-|------| Distributor | | Distributor |<----------------------*-|------| Distributor |
| X |#####################*#|#|######| Y | | X |#####################*#|#|######| Y |
| | | | | | | | | | | | | |
+-------------+ | | | +-------------+ +-------------+ | | | +-------------+
skipping to change at page 8, line 48 skipping to change at page 8, line 40
# | *------- E2E Key (B) E2E Key (B) -------* | # # | *------- E2E Key (B) E2E Key (B) -------* | #
# | | # # | | # # | | # # | | #
# | v # # | v # # | v # # | v #
+-------------+ +-------------+ +-------------+ +-------------+
| Endpoint A | | Endpoint B | | Endpoint A | | Endpoint B |
+-------------+ +-------------+ +-------------+ +-------------+
Figure 2: E2E and HBH Keys Used for Authenticated Encryption of SRTP Figure 2: E2E and HBH Keys Used for Authenticated Encryption of SRTP
Packets Packets
The PERC Double transform [I-D.ietf-perc-double] enables endpoints to The Double transform [I-D.ietf-perc-double] enables endpoints to
perform encryption using both the E2E and HBH contexts while still perform encryption using both the end-to-end and hop-by-hop contexts
preserving the same overall interface as other SRTP transforms. The while still preserving the same overall interface as other SRTP
Media Distributor simply uses the corresponding normal (single) AES- transforms. The Media Distributor simply uses the corresponding
GCM transform, keyed with the appropriate HBH keys. See Appendix A normal (single) AES-GCM transform, keyed with the appropriate HBH
for a description of the keys used in PERC and Appendix B for an keys. See Section 6.1 for a description of the keys used in PERC and
overview of how the packet appears on the wire. Section 7 for diagram of how encrypted RTP packets appear on the
wire.
RTCP can only be encrypted hop-by-hop, not end-to-end. This RTCP is only encrypted hop-by-hop, not end-to-end. This framework
framework introduces no additional step for RTCP authenticated introduces no additional step for RTCP authenticated encryption, so
encryption, so the procedures needed are specified in [RFC3711] and the procedures needed are specified in [RFC3711] and use the same
use the same outer, hop-by-hop cryptographic context chosen in the outer, hop-by-hop cryptographic context chosen in the Double
Double operation described above. operation described above.
4.2. E2E Key Confidentiality 4.2. E2E Key Confidentiality
To ensure the confidentiality of E2E keys shared between endpoints, To ensure the confidentiality of E2E keys shared between endpoints,
endpoints will make use of a common Key Encryption Key (KEK) that is endpoints use a common Key Encryption Key (KEK) that is known only by
known only by the trusted entities in a conference. That KEK, the trusted entities in a conference. That KEK, defined in the EKT
defined in the PERC EKT [I-D.ietf-perc-srtp-ekt-diet] as the EKT Key, [I-D.ietf-perc-srtp-ekt-diet] specification as the EKT Key, is used
will be used to subsequently encrypt the SRTP master key used for E2E to subsequently encrypt the SRTP master key used for E2E
authenticated encryption of media sent by a given endpoint. Each authenticated encryption of media sent by a given endpoint. Each
endpoint in the conference will create a random SRTP master key for endpoint in the conference creates an SRTP master key for E2E
E2E authenticated encryption, thus participants in the conference authenticated encryption and keep track of the E2E keys received via
MUST keep track of the E2E keys received via the Full EKT Field for the Full EKT Tag for each distinct synchronization source (SSRC) in
each distinct SSRC in the conference so that it can properly decrypt the conference so that it can properly decrypt received media. An
received media. Note, too, that an endpoint may change its E2E key endpoint may change its E2E key at any time and advertise that new
at any time and advertise that new key to the conference as specified key to the conference as specified in [I-D.ietf-perc-srtp-ekt-diet].
in [I-D.ietf-perc-srtp-ekt-diet].
4.3. E2E Keys and Endpoint Operations 4.3. E2E Keys and Endpoint Operations
Any given RTP media flow can be identified by its SSRC, and endpoints Any given RTP media flow is identified by its SSRC, and an endpoint
might send more than one at a time and change the mix of media flows might send more than one at a time and change the mix of media flows
transmitted during the life of a conference. transmitted during the life of a conference.
Thus, endpoints MUST maintain a list of SSRCs from received RTP flows Thus, an endpoint MUST maintain a list of SSRCs from received RTP
and each SSRC's associated E2E key information. Following a change flows and each SSRC's associated E2E key information. An endpoint
in an E2E key, prior E2E keys SHOULD be retained by receivers for a MUST discard old E2E keys no later than when it leaves the conference
period long enough to ensure that late-arriving or out-of-order (see Section 4.5.2).
packets from the endpoint can be successfully decrypted. Receiving
endpoints MUST discard old E2E keys no later than when it leaves the
conference.
If there is a need to encrypt one or more RTP header extensions end- If there is a need to encrypt one or more RTP header extensions end-
to-end, an encryption key is derived from the end-to-end SRTP master to-end, the endpoint derives an encryption key from the E2E SRTP
key to encrypt header extensions as per [RFC6904]. The Media master key to encrypt header extensions as per [RFC6904]. The Media
Distributor will not be able use the information contained in those Distributor is unable use the information contained in those header
header extensions encrypted with an E2E key. extensions encrypted with an E2E key.
4.4. HBH Keys and Hop Operations 4.4. HBH Keys and Per-hop Operations
To ensure the integrity of transmitted media packets, this framework To ensure the integrity of transmitted media packets, it is REQUIRED
requires that every packet be authenticated hop-by-hop (HBH) between that every packet be authenticated hop-by-hop between an endpoint and
an endpoint and a Media Distributor, as well between Media a Media Distributor, as well between Media Distributors. The
Distributors. The authentication key used for hop-by-hop authentication key used for hop-by-hop authentication is derived from
authentication is derived from an SRTP master key shared only on the an SRTP master key shared only on the respective hop. Each HBH key
respective hop. Each HBH key is distinct per hop and no two hops is distinct per hop and no two hops ever use the same SRTP master
ever use the same SRTP master key. key.
Using hop-by-hop authentication gives the Media Distributor the While endpoints also perform HBH authentication, the ability of the
ability to change certain RTP header values. Which values the Media endpoints to reconstruct the original RTP header also enables the
Distributor can change in the RTP header are defined in endpoints to authenticate RTP packets E2E. This design yields
[I-D.ietf-perc-double]. RTCP can only be encrypted HBH, giving the flexibility to the Media Distributor to change certain RTP header
Media Distributor the flexibility to forward RTCP content unchanged, values as packets are forwarded. Which values the Media Distributor
transmit compound RTCP packets or to initiate RTCP packets for can change in the RTP header are defined in [I-D.ietf-perc-double].
reporting statistics or conveying other information. Performing hop- RTCP can only be encrypted hop-by-hop, giving the Media Distributor
by-hop authentication for all RTP and RTCP packets also helps provide the flexibility to forward RTCP content unchanged, transmit compound
replay protection (see Section 6). RTCP packets or to initiate RTCP packets for reporting statistics or
conveying other information. Performing hop-by-hop authentication
for all RTP and RTCP packets also helps provide replay protection
(see Section 8).
If there is a need to encrypt one or more RTP header extensions hop- If there is a need to encrypt one or more RTP header extensions hop-
by-hop, an encryption key is derived from the hop-by-hop SRTP master by-hop, the endpoint derives an encryption key from the HBH SRTP
key to encrypt header extensions as per [RFC6904]. This will still master key to encrypt header extensions as per [RFC6904]. This still
give the Media Distributor visibility into header extensions, such as gives the Media Distributor visibility into header extensions, such
the one used to determine audio level [RFC6464] of conference as the one used to determine audio level [RFC6464] of conference
participants. Note that when RTP header extensions are encrypted, participants. Note that when RTP header extensions are encrypted,
all hops - in the untrusted domain at least - will need to decrypt all hops need to decrypt and re-encrypt these encrypted header
and re-encrypt these encrypted header extensions. extensions.
4.5. Key Exchange 4.5. Key Exchange
In brief, the keys used by any given endpoints are determined in the In brief, the keys used by any given endpoints are determined in the
following way: following way:
o The HBH keys that the endpoint uses to send and receive SRTP media o The HBH keys that the endpoint uses to send and receive SRTP media
are derived from a DTLS handshake that the endpoint performs with are derived from a DTLS handshake that the endpoint performs with
the Key Distributor (following normal DTLS-SRTP procedures). the Key Distributor (following normal DTLS-SRTP procedures).
o The E2E key that an endpoint uses to send SRTP media can either be o The E2E key that an endpoint uses to send SRTP media can either be
set from DTLS or chosen by the endpoint. It is then distributed set from DTLS or chosen by the endpoint. It is then distributed
to other endpoints in a Full EKT Field, encrypted under an EKTKey to other endpoints in a Full EKT Tag, encrypted under an EKT Key
provided to the client by the Key Distributor within the DTLS provided to the client by the Key Distributor within the DTLS
channel they negotiated. channel they negotiated.
o Each E2E key that an endpoint uses to receive SRTP media is set by o Each E2E key that an endpoint uses to receive SRTP media is set by
receiving a Full EKT Field from another endpoint. receiving a Full EKT Tag from another endpoint.
4.5.1. Initial Key Exchange and Key Distributor 4.5.1. Initial Key Exchange and Key Distributor
The Media Distributor maintains a tunnel with the Key Distrubutor The Media Distributor maintains a tunnel with the Key Distributor
(e.g., using [I-D.ietf-perc-dtls-tunnel]), making it possible for the (e.g., using [I-D.ietf-perc-dtls-tunnel]), making it possible for the
Media Distributor to facilitate the establishment of a secure DTLS Media Distributor to facilitate the establishment of a secure DTLS
association between each endpoint and the Key Distributor as shown association between each endpoint and the Key Distributor as shown
the following figure. The DTLS association between endpoints and the the following figure. The DTLS association between endpoints and the
Key Distributor will enable each endpoint to generate E2E and HBH Key Distributor enables each endpoint to generate E2E and HBH keys
keys and receive the Key Encryption Key (KEK) (i.e., EKT Key). At and receive the Key Encryption Key (KEK) (i.e., EKT Key). At the
the same time, the Key Distributor can securely provide the HBH key same time, the Key Distributor securely provides the HBH key
information to the Media Distributor. The key information summarized information to the Media Distributor. The key information summarized
here may include the SRTP master key, SRTP master salt, and the here may include the SRTP master key, SRTP master salt, and the
negotiated cryptographic transform. negotiated cryptographic transform.
+-----------+ +-----------+
KEK info | Key | HBH Key info to KEK info | Key | HBH Key info to
to Endpoints |Distributor| Endpoints & Media Distributor to Endpoints |Distributor| Endpoints & Media Distributor
+-----------+ +-----------+
# ^ ^ # # ^ ^ #
# | | #--- Tunnel # | | #--- Tunnel
# | | # # | | #
+-----------+ +-----------+ +-----------+ +-----------+ +-----------+ +-----------+
| Endpoint | DTLS | Media | DTLS | Endpoint | | Endpoint | DTLS | Media | DTLS | Endpoint |
| KEK |<------------|Distributor|------------>| KEK | | KEK |<------------|Distributor|------------>| KEK |
| HBH Key | to Key Dist | HBH Keys | to Key Dist | HBH Key | | HBH Key | to Key Dist | HBH Keys | to Key Dist | HBH Key |
+-----------+ +-----------+ +-----------+ +-----------+ +-----------+ +-----------+
Figure 3: Exchanging Key Information Between Entities Figure 3: Exchanging Key Information Between Entities
Endpoints will establish a DTLS-SRTP [RFC5764] association over the In addition to the secure tunnel between the Media Distributor and
RTP session's media ports for the purposes of key information the Key Distributor, there are two additional types of security
exchange with the Key Distributor. The Media Distributor will not associations utilized as a part of the key exchange as discussed in
terminate the DTLS signaling, but will instead forward DTLS packets the following paragraphs. One is a DTLS-SRTP association between an
received from an endpoint on to the Key Distributor (and vice versa) endpoint and the Key Distributor (with packets passing through the
via a tunnel established between Media Distributor and the Key Media Distributor) and the other is a DTLS-SRTP association between
Distributor. This tunnel is used to encapsulate the DTLS-SRTP peer Media Distributors.
signaling between the Key Distributor and endpoints will also be used
to convey HBH key information from the Key Distributor to the Media Endpoints establish a DTLS-SRTP [RFC5764] association over the RTP
Distributor, so no additional protocol or interface is required. session's media ports for the purposes of key information exchange
with the Key Distributor. The Media Distributor does not terminate
the DTLS signaling, but instead forwards DTLS packets received from
an endpoint on to the Key Distributor (and vice versa) via a tunnel
established between Media Distributor and the Key Distributor.
In establishing the DTLS association between endpoints and the Key In establishing the DTLS association between endpoints and the Key
Distributor, the endpoint MUST act as the DTLS client and the Key Distributor, the endpoint MUST act as the DTLS client and the Key
Distributor MUST act as the DTLS server. The Key Encryption Key Distributor MUST act as the DTLS server. The Key Encryption Key
(KEK) (i.e., EKT Key) is conveyed by the Key Distributor over the (KEK) (i.e., EKT Key) is conveyed by the Key Distributor over the
DTLS association to endpoints via procedures defined in PERC EKT DTLS association to endpoints via procedures defined in EKT
[I-D.ietf-perc-srtp-ekt-diet] via the EKTKey message. [I-D.ietf-perc-srtp-ekt-diet] via the EKTKey message.
The Key Distributor MUST NOT establish DTLS-SRTP associations with
endpoints without first authenticating the Media Distributor
tunneling the DTLS-SRTP packets from the endpoint.
Note that following DTLS-SRTP procedures for the Note that following DTLS-SRTP procedures for the
[I-D.ietf-perc-double] cipher, the endpoint will generate both E2E [I-D.ietf-perc-double] cipher, the endpoint generates both E2E and
and HBH encryption keys and salt values. Endpoints MAY use the DTLS- HBH encryption keys and salt values. Endpoints MUST either use the
SRTP generated E2E key for transmission or MAY generate a fresh E2E DTLS-SRTP generated E2E key for transmission or generate a fresh E2E
key. In either case, the generated SRTP master salt for E2E key. In either case, the generated SRTP master salt for E2E
encryption MUST be replaced with the salt value provided by the Key encryption MUST be replaced with the salt value provided by the Key
Distributor via the EKTKey message. That is because every endpoint Distributor via the EKTKey message. That is because every endpoint
in the conference uses the same SRTP master salt. The endpoint only in the conference uses the same SRTP master salt. The endpoint only
transmits the SRTP master key (not the salt) used for E2E encryption transmits the SRTP master key (not the salt) used for E2E encryption
to other endpoints in RTP/RTCP packets per to other endpoints in RTP/RTCP packets per
[I-D.ietf-perc-srtp-ekt-diet]. [I-D.ietf-perc-srtp-ekt-diet].
Media Distributors use DTLS-SRTP [RFC5764] directly with a peer Media Media Distributors use DTLS-SRTP [RFC5764] directly with a peer Media
Distributor to establish the HBH key for transmitting RTP and RTCP Distributor to establish the HBH key for transmitting RTP and RTCP
packets to that peer Media Distributor. The Key Distributor does not packets to that peer Media Distributor. The Key Distributor does not
facilitate establishing a HBH key for use between Media Distributors. facilitate establishing a HBH key for use between Media Distributors.
4.5.2. Key Exchange during a Conference 4.5.2. Key Exchange during a Conference
Following the initial key information exchange with the Key Following the initial key information exchange with the Key
Distributor, an endpoint will be able to encrypt media end-to-end Distributor, an endpoint is able to encrypt media end-to-end with an
with an E2E key, sending that E2E key to other endpoints encrypted E2E key, sending that E2E key to other endpoints encrypted with the
with the KEK, and will be able to encrypt and authenticate RTP KEK, and is able to encrypt and authenticate RTP packets using a HBH
packets using a HBH key. The procedures defined do not allow the key. The procedures defined do not allow the Media Distributor to
Media Distributor to gain access to the KEK information, preventing gain access to the KEK information, preventing it from gaining access
it from gaining access to any endpoint's E2E key and subsequently to any endpoint's E2E key and subsequently decrypting media.
decrypting media.
The KEK (i.e., EKT Key) may need to change from time-to-time during The KEK (i.e., EKT Key) may need to change from time-to-time during
the life of a conference, such as when a new participant joins or the life of a conference, such as when a new participant joins or
leaves a conference. Dictating if, when or how often a conference is leaves a conference. Dictating if, when or how often a conference is
to be re-keyed is outside the scope of this document, but this to be re-keyed is outside the scope of this document, but this
framework does accommodate re-keying during the life of a conference. framework does accommodate re-keying during the life of a conference.
When a Key Distributor decides to re-key a conference, it transmits a When a Key Distributor decides to re-key a conference, it transmits a
specific message defined in PERC EKT [I-D.ietf-perc-srtp-ekt-diet] to new EKTKey message [I-D.ietf-perc-srtp-ekt-diet] to each of the
each of the conference participants. The endpoint MUST create a new conference participants containing the new EKT Key. Upon receipt of
SRTP master key and prepare to send that key inside a Full EKT Field the new EKT Key, the endpoint MUST create a new SRTP master key and
using the new EKTKey. Since it may take some time for all of the prepare to send that key inside a Full EKT Field using the new EKT
endpoints in conference to finish re-keying, senders MUST delay a Key as per Section 4.5 of [I-D.ietf-perc-srtp-ekt-diet]. In order to
short period of time before sending media encrypted with the new allow time for all endpoints in the conference to receive the new
master key, but it MUST be prepared to make use of the information keys, the sender should follow the recommendations in Section 4.7 of
from a new inbound EKT Key immediately. See Section 2.2.2 of [I-D.ietf-perc-srtp-ekt-diet]. On receiving a new EKT Key, endpoints
[I-D.ietf-perc-srtp-ekt-diet]. MUST be prepared to decrypt EKT tags using the new key. The EKT SPI
field is used to differentiate between tags encrypted with the old
and new keys.
After re-keying, an endpoint SHOULD retain prior SRTP master keys and
EKT Key for a period of time sufficient for the purpose of ensuring
it can decrypt late-arriving or out-of-order packets or packets sent
by other endpoints that used the prior keys for a period of time
after re-keying began. An endpoint MAY retain old keys until the end
of the conference.
Endpoints MAY follow the procedures in section 5.2 of [RFC5764] to Endpoints MAY follow the procedures in section 5.2 of [RFC5764] to
re-negotiate HBH keys as desired. If new HBH keys are generated, the renegotiate HBH keys as desired. If new HBH keys are generated, the
new keys are also delivered to the Media Distributor following the new keys are also delivered to the Media Distributor following the
procedures defined in [I-D.ietf-perc-dtls-tunnel]. procedures defined in [I-D.ietf-perc-dtls-tunnel] as one possible
method.
Endpoints are at liberty to change the E2E encryption key used at any Endpoints MAY change the E2E encryption key used at any time.
time. Endpoints MUST generate a new E2E encryption key whenever it Endpoints MUST generate a new E2E encryption key whenever it receives
receives a new EKT Key. After switching to a new key, the new key a new EKT Key. After switching to a new key, the new key is conveyed
will be conveyed to other endpoints in the conference in RTP/RTCP to other endpoints in the conference in RTP/RTCP packets per
packets per [I-D.ietf-perc-srtp-ekt-diet]. [I-D.ietf-perc-srtp-ekt-diet].
5. Authentication 5. Authentication
It is important to this solution framework that the entities can It is important to this solution framework that the entities can
validate the authenticity of other entities, especially the Key validate the authenticity of other entities, especially the Key
Distributor and endpoints. The details of this are outside the scope Distributor and endpoints. The details of this are outside the scope
of specification but a few possibilities are discussed in the of specification but a few possibilities are discussed in the
following sections. The key requirements is that endpoints can following sections. The key requirements are that an endpoint can
verify they are connected to the correct Key Distributor for the verify it is connected to the correct Key Distributor for the
conference and the Key Distributor can verify the endpoints are the conference and the Key Distributor can verify the endpoint is the
correct endpoints for the conference. correct endpoint for the conference.
Two possible approaches to solve this are Identity Assertions and Two possible approaches to solve this are Identity Assertions and
Certificate Fingerprints. Certificate Fingerprints.
5.1. Identity Assertions 5.1. Identity Assertions
WebRTC Identity assertion [I-D.ietf-rtcweb-security-arch] can be used WebRTC Identity assertion [I-D.ietf-rtcweb-security-arch] is used to
to bind the identity of the user of the endpoint to the fingerprint bind the identity of the user of the endpoint to the fingerprint of
of the DTLS-SRTP certificate used for the call. This certificate is the DTLS-SRTP certificate used for the call. This certificate is
unique for a given call and a conference. This allows the Key unique for a given call and a conference. This allows the Key
Distributor to ensure that only authorized users participate in the Distributor to ensure that only authorized users participate in the
conference. Similarly the Key Distributor can create a WebRTC conference. Similarly the Key Distributor can create a WebRTC
Identity assertion to bind the fingerprint of the unique certificate Identity assertion to bind the fingerprint of the unique certificate
used by the Key Distributor for this conference so that the endpoint used by the Key Distributor for this conference so that the endpoint
can validate it is talking to the correct Key Distributor. Such a can validate it is talking to the correct Key Distributor. Such a
setup requires an Identity Provider (Idp) trusted by the endpoints setup requires an Identity Provider (Idp) trusted by the endpoints
and the Key Distributor. and the Key Distributor.
5.2. Certificate Fingerprints in Session Signaling 5.2. Certificate Fingerprints in Session Signaling
skipping to change at page 14, line 5 skipping to change at page 14, line 11
Entities managing session signaling are generally assumed to be Entities managing session signaling are generally assumed to be
untrusted in the PERC framework. However, there are some deployment untrusted in the PERC framework. However, there are some deployment
scenarios where parts of the session signaling may be assumed scenarios where parts of the session signaling may be assumed
trustworthy for the purposes of exchanging, in a manner that can be trustworthy for the purposes of exchanging, in a manner that can be
authenticated, the fingerprint of an entity's certificate. authenticated, the fingerprint of an entity's certificate.
As a concrete example, SIP [RFC3261] and SDP [RFC4566] can be used to As a concrete example, SIP [RFC3261] and SDP [RFC4566] can be used to
convey the fingerprint information per [RFC5763]. An endpoint's SIP convey the fingerprint information per [RFC5763]. An endpoint's SIP
User Agent would send an INVITE message containing SDP for the media User Agent would send an INVITE message containing SDP for the media
session along with the endpoint's certificate fingerprint, which can session along with the endpoint's certificate fingerprint, which can
be signed using the procedures described in [RFC4474] for the benefit be signed using the procedures described in [RFC8224] for the benefit
of forwarding the message to other entities by the Focus [RFC4353]. of forwarding the message to other entities by the Focus [RFC4353].
Other entities can now verify the fingerprints match the certificates Other entities can verify the fingerprints match the certificates
found in the DTLS-SRTP connections to find the identity of the far found in the DTLS-SRTP connections to find the identity of the far
end of the DTLS-SRTP connection and check that is the authorized end of the DTLS-SRTP connection and verify that is the authorized
entity. entity.
Ultimately, if using session signaling, an endpoint's certificate Ultimately, if using session signaling, an endpoint's certificate
fingerprint would need to be securely mapped to a user and conveyed fingerprint would need to be securely mapped to a user and conveyed
to the Key Distributor so that it can check that that user is to the Key Distributor so that it can check that that user is
authorized. Similarly, the Key Distributor's certificate fingerprint authorized. Similarly, the Key Distributor's certificate fingerprint
can be conveyed to endpoint in a manner that can be authenticated as can be conveyed to endpoint in a manner that can be authenticated as
being an authorized Key Distributor for this conference. being an authorized Key Distributor for this conference.
5.3. Conferences Identification 5.3. Conferences Identification
The Key Distributor needs to know what endpoints are being added to a The Key Distributor needs to know what endpoints are being added to a
given conference. Thus, the Key Distributor and the Media given conference. Thus, the Key Distributor and the Media
Distributor will need to know endpoint-to-conference mappings, which Distributor need to know endpoint-to-conference mappings, which is
is enabled by exchanging a conference-specific unique identifier as enabled by exchanging a conference-specific unique identifier defined
defined in [I-D.ietf-perc-dtls-tunnel]. How this unique identifier in [I-D.ietf-perc-dtls-tunnel]. How this unique identifier is
is assigned is outside the scope of this document. assigned is outside the scope of this document.
6. Security Considerations 6. PERC Keys
This framework, and the individual protocols defined to support it, This section describes the various keys employed by PERC, how they
must take care to not increase the exposure to Denial of Service are derived, conveyed, and so forth.
(DoS) attacks by untrusted or third-party entities and should take
measures to mitigate, where possible, more serious DoS attacks from
on-path and off-path attackers.
The following section enumerates the kind of attacks that will be 6.1. Key Inventory and Management Considerations
considered in the development of this framework's solution.
6.1. Third Party Attacks This section summarizes the several different keys used in the PERC
framework, how they are generated, and what purpose they serve.
On-path attacks are mitigated by HBH integrity protection and The keys are described in the order in which they would typically be
acquired.
The various keys used in PERC are shown in Figure 4 below.
+-----------+----------------------------------------------------+
| Key | Description |
+-----------+----------------------------------------------------+
| KEK | Key shared by all endpoints and used to encrypt |
| (EKT Key) | each endpoint's SRTP master key so receiving |
| | endpoints can decrypt media. |
+-----------+----------------------------------------------------+
| HBH Key | Key used to encrypt media hop-by-hop. |
+-----------+----------------------------------------------------+
| E2E Key | Key used to encrypt media end-to-end. |
+-----------+----------------------------------------------------+
Figure 4: Key Inventory
While the number key types is very small, it should be understood
that the actual number of distinct keys can be large as the
conference grows in size.
As an example, with 1,000 participants in a conference, there would
be at least 1,000 distinct SRTP master keys, all of which share the
same master salt. Each of those keys are passed through the KDF
defined in [RFC3711] to produce the actual encryption and
authentication keys.
Complicating key management is the fact that the KEK can change and,
when it does, the endpoints generate new SRTP master keys that are
associated with a new EKT SPI. Endpoints have to retain old keys for
a period of time to ensure they can properly decrypt late-arriving or
out-of-order packets.
A more detailed explanation of each of the keys follows.
6.2. DTLS-SRTP Exchange Yields HBH Keys
The first set of keys acquired are for hop-by-hop encryption and
decryption. Per the Double [I-D.ietf-perc-double] procedures, the
endpoint performs DTLS-SRTP exchange with the key distributor and
receives a key that is, in fact, "double" the size that is needed.
The end-to-end part is the first half of the key, so the endpoint
discards that information when generating its own key. The second
half of the key material is for hop-by-hop operations, so that half
of the key (corresponding to the least significant bits) is assigned
internally as the HBH key.
The Key Distributor informs the Media Distributor of the HBH key.
Specifically, the Key Distributor sends the least significant bits
corresponding to the half of the keying material determined through
DTLS-SRTP with the endpoint to the Media Distributor. A salt value
is generated along with the HBH key. The salt is also longer than
needed for hop-by-hop operations, thus only the least significant
bits of the required length (i.e., half of the generated salt
material) are sent to the Media Distributor. One way to transmit
this key and salt information is via the tunnel protocol defined in
[I-D.ietf-perc-dtls-tunnel].
No two endpoints have the same HBH key, thus the Media Distributor
MUST keep track each distinct HBH key (and the corresponding salt)
and use it only for the specified hop.
The HBH key is also used for hop-by-hop encryption of RTCP. RTCP is
not end-to-end encrypted in PERC.
6.3. The Key Distributor Transmits the KEK (EKT Key)
Via the aforementioned DTLS-SRTP association, the Key Distributor
sends the endpoint the KEK (i.e., EKT Key per
[I-D.ietf-perc-srtp-ekt-diet]). This key is known only to the Key
Distributor and endpoints. This key is the most important to protect
since having knowledge of this key (and the SRTP master salt
transmitted as a part of the same message) allows an entity to
decrypt any media packet in the conference.
Note that the Key Distributor can send any number of EKT Keys to
endpoints. This is used to re-key the entire conference. Each key
is identified by a "Security Parameter Index" (SPI) value. Endpoints
MUST expect that a conference might be re-keyed when a new
participant joins a conference or when a participant leaves a
conference in order to protect the confidentiality of the
conversation before and after such events.
The SRTP master salt to be used by the endpoint is transmitted along
with the EKT Key. All endpoints in the conference utilize the same
SRTP master salt that corresponds with a given EKT Key.
The Full EKT Tag in media packets is encrypted using a cipher
specified via the EKTKey message (e.g., AES Key Wrap with a 128-bit
key). This cipher is different than the cipher used to protect media
and is only used to encrypt the endpoint's SRTP master key (and other
EKT Tag data as per [I-D.ietf-perc-srtp-ekt-diet]).
The media distributor is not given the KEK (i.e., EKT Key).
6.4. Endpoints fabricate an SRTP Master Key
As stated earlier, the E2E key determined via DTLS-SRTP MAY be
discarded in favor of a locally-generated SRTP master key. While the
DTLS-SRTP-derived SRTP master key can be used initially, the endpoint
might choose to change the SRTP master key periodically and MUST
change the SRTP master key as a result of the EKT key changing.
A locally-generated SRTP master key is used along with the master
salt transmitted to the endpoint from the key distributor via the
EKTKey message to encrypt media end-to-end.
Since the media distributor is not involved in E2E functions, it does
not create this key nor have access to any endpoint's E2E key. Note,
too, that even the key distributor is unaware of the locally-
generated E2E keys used by each endpoint.
The endpoint transmits its E2E key to other endpoints in the
conference by periodically including it in SRTP packets in a Full EKT
Tag. When placed in the Full EKT Tag, it is encrypted using the EKT
Key provided by the key distributor. The master salt is not
transmitted, though, since all endpoints receive the same master salt
via the EKTKey message from the Key Distributor. The recommended
frequency with which an endpoint transmits its SRTP master key is
specified in [I-D.ietf-perc-srtp-ekt-diet].
6.5. Summary of Key Types and Entity Possession
All endpoints have knowledge of the KEK.
Every HBH key is distinct for a given endpoint, thus Endpoint A and
Endpoint B do not have knowledge of the other's HBH key.
Each endpoint generates its own E2E Key (SRTP master key), thus
distinct per endpoint. This key is transmitted (encrypted) via the
Full EKT Tag to other endpoints. Endpoints that receive media from a
given transmitting endpoint gains knowledge of the transmitter's E2E
key via the Full EKT Tag.
To summarize the various keys and which entity is in possession of a
given key, refer to Figure 5.
+----------------------+------------+-------+-------+------------+
| Key / Entity | Endpoint A | MD X | MD Y | Endpoint B |
+----------------------+------------+-------+-------+------------+
| KEK | Yes | No | No | Yes |
+----------------------+------------+-------+-------+------------+
| E2E Key (A and B) | Yes | No | No | Yes |
+----------------------+------------+-------+-------+------------+
| HBH Key (A<=>MD X) | Yes | Yes | No | No |
+----------------------+------------+-------+-------+------------+
| HBH Key (B<=>MD Y) | No | No | Yes | Yes |
+----------------------+------------+---------------+------------+
| HBH Key (MD X<=>MD Y)| No | Yes | Yes | No |
+----------------------+------------+---------------+------------+
Figure 5: Keys Types and Entity Possession
7. Encrypted Media Packet Format
Figure 6 presents a complete picture of what an encrypted media
packet per this framework looks like when transmitted over the wire.
The packet format shown is encrypted using the Double cryptographic
transform with an EKT Tag appended to the end.
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<++
|V=2|P|X| CC |M| PT | sequence number | IO
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ IO
| timestamp | IO
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ IO
| synchronization source (SSRC) identifier | IO
+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ IO
| contributing source (CSRC) identifiers | IO
| .... | IO
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<+O
| RTP extension (OPTIONAL) ... | |O
+>+>+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<+O
O I | payload ... | IO
O I | +-------------------------------+ IO
O I | | RTP padding | RTP pad count | IO
O +>+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<+O
O | | E2E authentication tag | |O
O | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |O
O | | OHB ... | |O
+>| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |+
| | | HBH authentication tag | ||
| | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ||
| | | EKT Tag ... | R ||
| | +-+-+-+-+-+-+-+-+-+ | ||
| | +- Neither encrypted nor authenticated; ||
| | appended after Double is performed ||
| | ||
| | ||
| +- E2E Encrypted Portion E2E Authenticated Portion ---+|
| |
+--- HBH Encrypted Portion HBH Authenticated Portion ----+
Figure 6: Encrypted Media Packet Format
8. Security Considerations
8.1. Third Party Attacks
On-path attacks are mitigated by hop-by-hop integrity protection and
encryption. The integrity protection mitigates packet modification encryption. The integrity protection mitigates packet modification
and encryption makes selective blocking of packets harder, but not and encryption makes selective blocking of packets harder, but not
impossible. impossible.
Off-path attackers may try connecting to different PERC entities and Off-path attackers may try connecting to different PERC entities and
send specifically crafted packets. A successful attacker might be send specifically crafted packets. A successful attacker might be
able to get the Media Distributor to forward such packets. If not able to get the Media Distributor to forward such packets. The Media
making use of HBH authentication on the Media Distributor, such an Distributor mitigates such an attack by performing hop-by-hop
attack could only be detected in the receiving endpoints where the authentication and discarding packets that fail authentication.
forged packets would finally be dropped.
Another potential attack is a third party claiming to be a Media Another potential attack is a third party claiming to be a Media
Distributor, fooling endpoints in to sending packets to the false Distributor, fooling endpoints in to sending packets to the false
Media Distributor instead of the correct one. The deceived sending Media Distributor instead of the correct one. The deceived sending
endpoints could incorrectly assuming their packets have been endpoints could incorrectly assuming their packets have been
delivered to endpoints when they in fact have not. Further, the delivered to endpoints when they in fact have not. Further, the
false Media Distributor may cascade to another legitimate Media false Media Distributor may cascade to another legitimate Media
Distributor creating a false version of the real conference. Distributor creating a false version of the real conference.
This attack can be mitigated by the false Media Distributor not being This attack is be mitigated by the false Media Distributor not being
authenticated by the Key Distributor during PERC Tunnel authenticated by the Key Distributor. They Key Distributor will fail
establishment. Without the tunnel in place, endpoints will not to establish the secure association with the endpoint if the Media
establish secure associations with the Key Distributor and receive Distributor cannot be authenticated.
the KEK, causing the conference to not proceed.
6.2. Media Distributor Attacks 8.2. Media Distributor Attacks
The Media Distributor can attack the session in a number of possible The Media Distributor can attack the session in a number of possible
ways. ways.
6.2.1. Denial of service 8.2.1. Denial of service
Any modification of the end-to-end authenticated data will result in A simple form of attack is discarding received packets that should be
the receiving endpoint getting an integrity failure when performing forwarded. This solution framework does not introduce any mitigation
authentication on the received packet. for Media Distributors that fail to forward media packets.
Another form of attack is modifying received packets before
forwarding. With this solution framework, any modification of the
end-to-end authenticated data results in the receiving endpoint
getting an integrity failure when performing authentication on the
received packet.
The Media Distributor can also attempt to perform resource The Media Distributor can also attempt to perform resource
consumption attacks on the receiving endpoint. One such attack would consumption attacks on the receiving endpoint. One such attack would
be to insert random SSRC/CSRC values in any RTP packet with an inband be to insert random SSRC/CSRC values in any RTP packet with an inband
key-distribution message attached (i.e., Full EKT Field). Since such key-distribution message attached (i.e., Full EKT Tag). Since such a
a message would trigger the receiver to form a new cryptographic message would trigger the receiver to form a new cryptographic
context, the Media Distributor can attempt to consume the receiving context, the Media Distributor can attempt to consume the receiving
endpoints resources. endpoints resources. While E2E authentication would fail and the
cryptographic context would be destroyed, the key derivation
Another denial of service attack is where the Media Distributor operation would nonetheless consume some computational resources.
rewrites the PT field to indicate a different codec. The effect of
this attack is that any payload packetized and encoded according to
one RTP payload format is then processed using another payload format
and codec. Assuming that the implementation is robust to random
input, it is unlikely to cause crashes in the receiving software/
hardware. However, it is not unlikely that such rewriting will cause
severe media degradation.
For audio formats, this attack is likely to cause highly disturbing
audio and/or can be damaging to hearing and playout equipment.
6.2.2. Replay Attack 8.2.2. Replay Attack
Replay attack is when an already received packets from a previous A replay attack is when an already received packets from a previous
point in the RTP stream is replayed as new packet. This could, for point in the RTP stream is replayed as new packet. This could, for
example, allow a Media Distributor to transmit a sequence of packets example, allow a Media Distributor to transmit a sequence of packets
identified as a user saying "yes", instead of the "no" the user identified as a user saying "yes", instead of the "no" the user
actually said. actually said.
The mitigation for a replay attack is to prevent old packets beyond a The mitigation for a replay attack is to prevent old packets beyond a
small-to-modest jitter and network re-ordering sized window to be small-to-modest jitter and network re-ordering sized window to be
rejected. End-to-end replay protection MUST be provided for the rejected. End-to-end replay protection MUST be provided for the
whole duration of the conference. whole duration of the conference.
6.2.3. Delayed Playout Attack 8.2.3. Delayed Playout Attack
The delayed playout attack is a variant of the replay attack. This The delayed playout attack is a variant of the replay attack. This
attack is possible even if E2E replay protection is in place. attack is possible even if E2E replay protection is in place.
However, due to fact that the Media Distributor is allowed to select However, due to fact that the Media Distributor is allowed to select
a sub-set of streams and not forward the rest to a receiver, such as a sub-set of streams and not forward the rest to a receiver, such as
in forwarding only the most active speakers, the receiver has to in forwarding only the most active speakers, the receiver has to
accept gaps in the E2E packet sequence. The issue with this is that accept gaps in the E2E packet sequence. The issue with this is that
a Media Distributor can select to not deliver a particular stream for a Media Distributor can select to not deliver a particular stream for
a while. a while.
Within the window from last packet forwarded to the receiver and the Within the window from last packet forwarded to the receiver and the
latest received by the Media Distributor, the Media Distributor can latest received by the Media Distributor, the Media Distributor can
select an arbitrary starting point when resuming forwarding packets. select an arbitrary starting point when resuming forwarding packets.
Thus what the media source said can be substantially delayed at the Thus what the media source said can be substantially delayed at the
receiver with the receiver believing that it is what was said just receiver with the receiver believing that it is what was said just
now, and only delayed due to transport delay. now, and only delayed due to transport delay.
6.2.4. Splicing Attack 8.2.4. Splicing Attack
The splicing attack is an attack where a Media Distributor receiving The splicing attack is an attack where a Media Distributor receiving
multiple media sources splices one media stream into the other. If multiple media sources splices one media stream into the other. If
the Media Distributor is able to change the SSRC without the receiver the Media Distributor is able to change the SSRC without the receiver
having any method for verifying the original source ID, then the having any method for verifying the original source ID, then the
Media Distributor could first deliver stream A and then later forward Media Distributor could first deliver stream A and then later forward
stream B under the same SSRC as stream A was previously using. Not stream B under the same SSRC as stream A was previously using. By
allowing the Media Distributor to change the SSRC mitigates this not allowing the Media Distributor to change the SSRC, PERC mitigates
attack. this attack.
7. IANA Considerations 9. IANA Considerations
There are no IANA considerations for this document. There are no IANA considerations for this document.
8. Acknowledgments 10. Acknowledgments
The authors would like to thank Mo Zanaty and Christian Oien for The authors would like to thank Mo Zanaty and Christian Oien for
invaluable input on this document. Also, we would like to invaluable input on this document. Also, we would like to
acknowledge Nermeen Ismail for serving on the initial versions of acknowledge Nermeen Ismail for serving on the initial versions of
this document as a co-author. this document as a co-author.
9. References 11. References
9.1. Normative References 11.1. Normative References
[I-D.ietf-perc-double] [I-D.ietf-perc-double]
Jennings, C., Jones, P., Barnes, R., and A. Roach, "SRTP Jennings, C., Jones, P., Barnes, R., and A. Roach, "SRTP
Double Encryption Procedures", draft-ietf-perc-double-09 Double Encryption Procedures", draft-ietf-perc-double-10
(work in progress), May 2018. (work in progress), October 2018.
[I-D.ietf-perc-dtls-tunnel]
Jones, P., Ellenbogen, P., and N. Ohlmeier, "DTLS Tunnel
between a Media Distributor and Key Distributor to
Facilitate Key Exchange", draft-ietf-perc-dtls-tunnel-03
(work in progress), April 2018.
[I-D.ietf-perc-srtp-ekt-diet] [I-D.ietf-perc-srtp-ekt-diet]
Jennings, C., Mattsson, J., McGrew, D., Wing, D., and F. Jennings, C., Mattsson, J., McGrew, D., Wing, D., and F.
Andreasen, "Encrypted Key Transport for DTLS and Secure Andreasen, "Encrypted Key Transport for DTLS and Secure
RTP", draft-ietf-perc-srtp-ekt-diet-08 (work in progress), RTP", draft-ietf-perc-srtp-ekt-diet-09 (work in progress),
July 2018. October 2018.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997, DOI 10.17487/RFC2119, March 1997,
<https://www.rfc-editor.org/info/rfc2119>. <https://www.rfc-editor.org/info/rfc2119>.
[RFC3550] Schulzrinne, H., Casner, S., Frederick, R., and V. [RFC3550] Schulzrinne, H., Casner, S., Frederick, R., and V.
Jacobson, "RTP: A Transport Protocol for Real-Time Jacobson, "RTP: A Transport Protocol for Real-Time
Applications", STD 64, RFC 3550, DOI 10.17487/RFC3550, Applications", STD 64, RFC 3550, DOI 10.17487/RFC3550,
July 2003, <https://www.rfc-editor.org/info/rfc3550>. July 2003, <https://www.rfc-editor.org/info/rfc3550>.
[RFC6904] Lennox, J., "Encryption of Header Extensions in the Secure [RFC6904] Lennox, J., "Encryption of Header Extensions in the Secure
Real-time Transport Protocol (SRTP)", RFC 6904, Real-time Transport Protocol (SRTP)", RFC 6904,
DOI 10.17487/RFC6904, April 2013, DOI 10.17487/RFC6904, April 2013,
<https://www.rfc-editor.org/info/rfc6904>. <https://www.rfc-editor.org/info/rfc6904>.
9.2. Informative References [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
May 2017, <https://www.rfc-editor.org/info/rfc8174>.
11.2. Informative References
[I-D.ietf-perc-dtls-tunnel]
Jones, P., Ellenbogen, P., and N. Ohlmeier, "DTLS Tunnel
between a Media Distributor and Key Distributor to
Facilitate Key Exchange", draft-ietf-perc-dtls-tunnel-04
(work in progress), October 2018.
[I-D.ietf-rtcweb-security-arch] [I-D.ietf-rtcweb-security-arch]
Rescorla, E., "WebRTC Security Architecture", draft-ietf- Rescorla, E., "WebRTC Security Architecture", draft-ietf-
rtcweb-security-arch-15 (work in progress), July 2018. rtcweb-security-arch-17 (work in progress), November 2018.
[RFC3261] Rosenberg, J., Schulzrinne, H., Camarillo, G., Johnston, [RFC3261] Rosenberg, J., Schulzrinne, H., Camarillo, G., Johnston,
A., Peterson, J., Sparks, R., Handley, M., and E. A., Peterson, J., Sparks, R., Handley, M., and E.
Schooler, "SIP: Session Initiation Protocol", RFC 3261, Schooler, "SIP: Session Initiation Protocol", RFC 3261,
DOI 10.17487/RFC3261, June 2002, DOI 10.17487/RFC3261, June 2002,
<https://www.rfc-editor.org/info/rfc3261>. <https://www.rfc-editor.org/info/rfc3261>.
[RFC3711] Baugher, M., McGrew, D., Naslund, M., Carrara, E., and K. [RFC3711] Baugher, M., McGrew, D., Naslund, M., Carrara, E., and K.
Norrman, "The Secure Real-time Transport Protocol (SRTP)", Norrman, "The Secure Real-time Transport Protocol (SRTP)",
RFC 3711, DOI 10.17487/RFC3711, March 2004, RFC 3711, DOI 10.17487/RFC3711, March 2004,
<https://www.rfc-editor.org/info/rfc3711>. <https://www.rfc-editor.org/info/rfc3711>.
[RFC4353] Rosenberg, J., "A Framework for Conferencing with the [RFC4353] Rosenberg, J., "A Framework for Conferencing with the
Session Initiation Protocol (SIP)", RFC 4353, Session Initiation Protocol (SIP)", RFC 4353,
DOI 10.17487/RFC4353, February 2006, DOI 10.17487/RFC4353, February 2006,
<https://www.rfc-editor.org/info/rfc4353>. <https://www.rfc-editor.org/info/rfc4353>.
[RFC4474] Peterson, J. and C. Jennings, "Enhancements for
Authenticated Identity Management in the Session
Initiation Protocol (SIP)", RFC 4474,
DOI 10.17487/RFC4474, August 2006,
<https://www.rfc-editor.org/info/rfc4474>.
[RFC4566] Handley, M., Jacobson, V., and C. Perkins, "SDP: Session [RFC4566] Handley, M., Jacobson, V., and C. Perkins, "SDP: Session
Description Protocol", RFC 4566, DOI 10.17487/RFC4566, Description Protocol", RFC 4566, DOI 10.17487/RFC4566,
July 2006, <https://www.rfc-editor.org/info/rfc4566>. July 2006, <https://www.rfc-editor.org/info/rfc4566>.
[RFC5763] Fischl, J., Tschofenig, H., and E. Rescorla, "Framework [RFC5763] Fischl, J., Tschofenig, H., and E. Rescorla, "Framework
for Establishing a Secure Real-time Transport Protocol for Establishing a Secure Real-time Transport Protocol
(SRTP) Security Context Using Datagram Transport Layer (SRTP) Security Context Using Datagram Transport Layer
Security (DTLS)", RFC 5763, DOI 10.17487/RFC5763, May Security (DTLS)", RFC 5763, DOI 10.17487/RFC5763, May
2010, <https://www.rfc-editor.org/info/rfc5763>. 2010, <https://www.rfc-editor.org/info/rfc5763>.
skipping to change at page 19, line 5 skipping to change at page 23, line 47
[RFC6464] Lennox, J., Ed., Ivov, E., and E. Marocco, "A Real-time [RFC6464] Lennox, J., Ed., Ivov, E., and E. Marocco, "A Real-time
Transport Protocol (RTP) Header Extension for Client-to- Transport Protocol (RTP) Header Extension for Client-to-
Mixer Audio Level Indication", RFC 6464, Mixer Audio Level Indication", RFC 6464,
DOI 10.17487/RFC6464, December 2011, DOI 10.17487/RFC6464, December 2011,
<https://www.rfc-editor.org/info/rfc6464>. <https://www.rfc-editor.org/info/rfc6464>.
[RFC7667] Westerlund, M. and S. Wenger, "RTP Topologies", RFC 7667, [RFC7667] Westerlund, M. and S. Wenger, "RTP Topologies", RFC 7667,
DOI 10.17487/RFC7667, November 2015, DOI 10.17487/RFC7667, November 2015,
<https://www.rfc-editor.org/info/rfc7667>. <https://www.rfc-editor.org/info/rfc7667>.
Appendix A. PERC Key Inventory [RFC8224] Peterson, J., Jennings, C., Rescorla, E., and C. Wendt,
"Authenticated Identity Management in the Session
PERC specifies the use of a number of different keys and, Initiation Protocol (SIP)", RFC 8224,
understandably, it looks complicated or confusing on the surface. DOI 10.17487/RFC8224, February 2018,
This section summarizes the various keys used in the system, how they <https://www.rfc-editor.org/info/rfc8224>.
are generated, and what purpose they serve.
The keys are described in the order in which they would typically be
acquired.
The various keys used in PERC are shown in Figure 4 below.
+-----------+----------------------------------------------------+
| Key | Description |
+-----------+----------------------------------------------------+
| KEK | Key shared by all endpoints and used to encrypt |
| (EKT Key) | each endpoint's SRTP master key so receiving |
| | endpoints can decrypt media. |
+-----------+----------------------------------------------------+
| HBH Key | Key used to encrypt media hop-by-hop. |
+-----------+----------------------------------------------------+
| E2E Key | Key used to encrypt media end-to-end. |
+-----------+----------------------------------------------------+
Figure 4: Key Inventory
As you can see, the number key types is very small. However, what
can be challenging is keeping track of all of the distinct E2E keys
as the conference grows in size. With 1,000 participants in a
conference, there will be 1,000 distinct SRTP master keys, all of
which share the same master salt. Each of those keys are passed
through the KDF defined in [RFC3711] to produce the actual encryption
and authentication keys. Complicating key management is the fact
that the KEK can change and, when it does, the endpoints generate new
SRTP master keys. And, of course, there is a new SRTP master salt to
go with those keys. Endpoints have to retain old keys for a period
of time to ensure they can properly decrypt late-arriving or out-of-
order packets.
The time required to retain old keys (either EKT Keys or SRTP master
keys) is not specified, but they should be retained at least for the
period of time required to re-key the conference or handle late-
arriving or out-of-order packets. A period of 60s should be
considered a generous retention period, but endpoints may keep old
keys on hand until the end of the conference.
Or more detailed explanation of each of the keys follows.
A.1. DTLS-SRTP Exchange Yields HBH Keys
The first set of keys acquired are for hop-by-hop encryption and
decryption. Assuming the use of Double [I-D.ietf-perc-double], the
endpoint would perform DTLS-SRTP exchange with the key distributor
and receive a key that is, in fact, "double" the size that is needed.
Per the Double specification, the E2E part is the first half of the
key, so the endpoint will just discard that information in PERC. It
is not used. The second half of the key material is for HBH
operations, so that half of the key (corresponding to the least
significant bits) is assigned internally as the HBH key.
The media distributor doesn't perform DTLS-SRTP, but it is at this
point that the key distributor will inform the media distributor of
the HBH key value via the tunnel protocol
([I-D.ietf-perc-dtls-tunnel]). The key distributor will send the
least significant bits corresponding to the half of the keying
material determined through DTLS-SRTP with the endpoint to the media
distributor via the tunnel protocol. There is a salt generated along
with the HBH key. The salt is also longer than needed for HBH
operations, thus only the least significant bits of the required
length (i.e., half of the generated salt material) are sent to the
media distributor via the tunnel protocol.
No two endpoints will have the same HBH key, thus the media
distributor must keep track each distinct HBH key (and the
corresponding salt) and use it only for the specified hop.
This key is also used for HBH encryption of RTCP. RTCP is not end-
to-end encrypted in PERC.
A.2. The Key Distributor Transmits the KEK (EKT Key)
Via the aforementioned DTLS-SRTP association, the key distributor
will send the endpoint the KEK (i.e., EKT Key per
[I-D.ietf-perc-srtp-ekt-diet]). This key is known only to the key
distributor and endpoints. This key is the most important to protect
since having knowledge of this key (and the SRTP master salt
transmitted as a part of the same message) will allow an entity to
decrypt any media packet in the conference.
Note that the key distributor can send any number of EKT Keys to
endpoints. This can be used to re-key the entire conference. Each
key is identified by a "Security Parameter Index" (SPI) value.
Endpoints should expect that a conference might be re-keyed when a
new participant joins a conference or when a participant leaves a
conference in order to protect the confidentiality of the
conversation before and after such events.
The SRTP master salt to be used by the endpoint is transmitted along
with the EKT Key. All endpoints in the conference utilize the same
SRTP master salt that corresponds with a given EKT Key.
The EKT Field in media packets is encrypted using a cipher specified
via the EKTKey message (e.g., AES Key Wrap with a 128-bit key). This
cipher is different than the cipher used to protect media and is only
used to encrypt the endpoint's SRTP master key (and other EKT Field
data as per [I-D.ietf-perc-srtp-ekt-diet]).
The media distributor is not given the KEK (i.e., EKT Key).
A.3. Endpoints fabricate an SRTP Master Key
As stated earlier, the E2E key determined via DTLS-SRTP MAY be
discarded in favor of a locally-generated SRTP master key. While the
DTLS-SRTP-derived key could be used, the fact that an endpoint might
need to change the SRTP master key periodically or is forced to
change the SRTP master key as a result of the EKT key changing means
using it has only limited utility. To reduce complexity, PERC
*RECOMMENDS* that endpoints create random SRTP master keys locally to
be used for E2E encryption.
This locally-generated SRTP master key is used along with the master
salt transmitted to the endpoint from the key distributor via the
EKTKey message to encrypt media end-to-end.
Since the media distributor is not involved in E2E functions, it will
not create this key nor have access to any endpoint's E2E key. Note,
too, that even the key distributor is unaware of the locally-
generated E2E keys used by each endpoint.
The endpoint will transmit its E2E key to other endpoints in the
conference by periodically including it in SRTP packets in a Full EKT
Field. When placed in the Full EKT Field, it is encrypted using the
EKT Key provided by the key distributor. The master salt is not
transmitted, though, since all endpoints will have received the same
master salt via the EKTKey message. The recommended frequency with
which an endpoint transmits its SRTP master key is specified in
[I-D.ietf-perc-srtp-ekt-diet].
A.4. Who has What Key
All endpoints have knowledge of the KEK.
Every HBH key is distinct for a given endpoint, thus Endpoint A and
endpoint B do not have knowledge of the other's HBH key.
Each endpoint generates its own E2E Key (SRTP master key), thus the
key distinct per endpoint. This key is transmitted (encrypted) via
the EKT Field to other endpoints. Endpoints that receive media from
a given transmitting endpoint will therefore have knowledge of the
transmitter's E2E key.
To summarize the various keys and which entity is in possession of a
given key, refer to Figure 5.
+----------------------+------------+-------+-------+------------+
| Key / Entity | Endpoint A | MD X | MD Y | Endpoint B |
+----------------------+------------+-------+-------+------------+
| KEK | Yes | No | No | Yes |
+----------------------+------------+-------+-------+------------+
| E2E Key (A and B) | Yes | No | No | Yes |
+----------------------+------------+-------+-------+------------+
| HBH Key (A<=>MD X) | Yes | Yes | No | No |
+----------------------+------------+-------+-------+------------+
| HBH Key (B<=>MD Y) | No | No | Yes | Yes |
+----------------------+------------+---------------+------------+
| HBH Key (MD X<=>MD Y)| No | Yes | Yes | No |
+----------------------+------------+---------------+------------+
Figure 5: Keys per Entity
Appendix B. PERC Packet Format
Figure 6 presents a complete picture of what a PERC packet looks like
when transmitted over the wire.
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
A |V=2|P|X| CC |M| PT | sequence number |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
A | timestamp |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
A | synchronization source (SSRC) identifier |
+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
A | contributing source (CSRC) identifiers |
A | .... |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
A | RTP extension (OPTIONAL) |
A | (including the OHB) |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
C : :
C : Ciphertext Payload :
C : :
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
R : :
R : EKT Field :
R : :
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
C = Ciphertext (encrypted and authenticated)
A = Associated Data (authenticated only)
R = neither encrypted nor authenticated, added
after Authenticated Encryption completed
Figure 6: PERC Packet Format
Authors' Addresses Authors' Addresses
Paul E. Jones Paul E. Jones
Cisco Cisco
7025 Kit Creek Rd. 7025 Kit Creek Rd.
Research Triangle Park, North Carolina 27709 Research Triangle Park, North Carolina 27709
USA USA
Phone: +1 919 476 2048 Phone: +1 919 476 2048
skipping to change at page 24, line 4 skipping to change at page 24, line 20
Research Triangle Park, North Carolina 27709 Research Triangle Park, North Carolina 27709
USA USA
Phone: +1 919 476 2048 Phone: +1 919 476 2048
Email: paulej@packetizer.com Email: paulej@packetizer.com
David Benham David Benham
Independent Independent
Email: dabenham@gmail.com Email: dabenham@gmail.com
Christian Groves Christian Groves
Independent Independent
Melbourne Melbourne
Australia Australia
Email: Christian.Groves@nteczone.com Email: cngroves.std@gmail.com
 End of changes. 90 change blocks. 
490 lines changed or deleted 495 lines changed or added

This html diff was produced by rfcdiff 1.47. The latest version is available from http://tools.ietf.org/tools/rfcdiff/