Network Working Group                                           P. Jones
Internet-Draft                                                     Cisco
Intended status: Standards Track                               D. Benham
Expires: March 8, July 27, 2019                                         C. Groves
                                                             Independent
                                                       September 4, 2018
                                                        January 23, 2019

     A Solution Framework for Private Media in Privacy Enhanced RTP
                              Conferencing
               draft-ietf-perc-private-media-framework-07
               draft-ietf-perc-private-media-framework-08

Abstract

   This document describes a solution framework for ensuring that media
   confidentiality and integrity are maintained end-to-end within the
   context of a switched conferencing environment where media
   distributors are not trusted with the end-to-end media encryption
   keys.  The solution aims to build upon existing security mechanisms
   defined for the real-time transport protocol (RTP).

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on March 8, July 27, 2019.

Copyright Notice

   Copyright (c) 2018 2019 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   3
   2.  Conventions Used in This Document . . . . . . . . . . . . . .   4   3
   3.  PERC Entities and Trust Model . . . . . . . . . . . . . . . .   5   4
     3.1.  Untrusted Entities  . . . . . . . . . . . . . . . . . . .   5
       3.1.1.  Media Distributor . . . . . . . . . . . . . . . . . .   6   5
       3.1.2.  Call Processing . . . . . . . . . . . . . . . . . . .   6
     3.2.  Trusted Entities  . . . . . . . . . . . . . . . . . . . .   7   6
       3.2.1.  Endpoint  . . . . . . . . . . . . . . . . . . . . . .   7
       3.2.2.  Key Distributor . . . . . . . . . . . . . . . . . . .   7
   4.  Framework for PERC  . . . . . . . . . . . . . . . . . . . . .   7
     4.1.  End-to-End and Hop-by-Hop Authenticated Encryption  . . .   8   7
     4.2.  E2E Key Confidentiality . . . . . . . . . . . . . . . . .   9
     4.3.  E2E Keys and Endpoint Operations  . . . . . . . . . . . .   9
     4.4.  HBH Keys and Hop Per-hop Operations . . . . . . . . . . . . . . .  10   9
     4.5.  Key Exchange  . . . . . . . . . . . . . . . . . . . . . .  10
       4.5.1.  Initial Key Exchange and Key Distributor  . . . . . .  11  10
       4.5.2.  Key Exchange during a Conference  . . . . . . . . . .  12
   5.  Authentication  . . . . . . . . . . . . . . . . . . . . . . .  13
     5.1.  Identity Assertions . . . . . . . . . . . . . . . . . . .  13
     5.2.  Certificate Fingerprints in Session Signaling . . . . . .  13
     5.3.  Conferences Identification  . . . . . . . . . . . . . . .  14
   6.  Security Considerations  PERC Keys . . . . . . . . . . . . . . . . . . .  14
     6.1.  Third Party Attacks . . . . . . .  14
     6.1.  Key Inventory and Management Considerations . . . . . . .  14
     6.2.  DTLS-SRTP Exchange Yields HBH Keys  . . . . . .  14
     6.2.  Media Distributor Attacks . . . . .  15
     6.3.  The Key Distributor Transmits the KEK (EKT Key) . . . . .  16
     6.4.  Endpoints fabricate an SRTP Master Key  . . . . . .  15
       6.2.1.  Denial of service . . .  17
     6.5.  Summary of Key Types and Entity Possession  . . . . . . .  17
   7.  Encrypted Media Packet Format . . . . . . . .  15
       6.2.2.  Replay Attack . . . . . . . .  18
   8.  Security Considerations . . . . . . . . . . . .  16
       6.2.3.  Delayed Playout Attack . . . . . . .  19
     8.1.  Third Party Attacks . . . . . . . .  16
       6.2.4.  Splicing Attack . . . . . . . . . . .  19
     8.2.  Media Distributor Attacks . . . . . . . .  16
   7.  IANA Considerations . . . . . . . .  20
       8.2.1.  Denial of service . . . . . . . . . . . . .  16
   8.  Acknowledgments . . . . .  20
       8.2.2.  Replay Attack . . . . . . . . . . . . . . . . . .  17
   9.  References . .  20
       8.2.3.  Delayed Playout Attack  . . . . . . . . . . . . . . .  21
       8.2.4.  Splicing Attack . . . . . . . .  17
     9.1.  Normative References . . . . . . . . . . .  21
   9.  IANA Considerations . . . . . . .  17
     9.2.  Informative References . . . . . . . . . . . . . .  21
   10. Acknowledgments . . .  17
   Appendix A.  PERC Key Inventory . . . . . . . . . . . . . . . . .  19
     A.1.  DTLS-SRTP Exchange Yields HBH Keys . . .  21
   11. References  . . . . . . . .  20
     A.2.  The Key Distributor Transmits the KEK (EKT Key) . . . . .  20
     A.3.  Endpoints fabricate an SRTP Master Key . . . . . . . . .  21
     A.4.  Who has What Key . . .  22
     11.1.  Normative References . . . . . . . . . . . . . . . . .  21
   Appendix B.  PERC Packet Format .  22
     11.2.  Informative References . . . . . . . . . . . . . . . . .  22
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .  23  24

1.  Introduction

   Switched conferencing is an increasingly popular model for multimedia
   conferences with multiple participants using a combination of audio,
   video, text, and other media types.  With this model, real-time media
   flows from conference participants are not mixed, transcoded,
   transrated, recomposed, or otherwise manipulated by a Media
   Distributor, as might be the case with a traditional media server or
   multipoint control unit (MCU).  Instead, media flows transmitted by
   conference participants are simply forwarded by the Media Distributor Distributors to
   each of the other participants, participants.  Media Distributors often forwarding forward
   only a subset of flows based on voice activity detection or other
   criteria.  In some instances, the Media Distributors may make limited
   modifications to RTP [RFC3550] headers, for example, but the actual
   media content (e.g., voice or video data) is unaltered.

   An advantage of switched conferencing is that Media Distributors can
   be more easily deployed on general-purpose computing hardware,
   including virtualized environments in private and public clouds.
   Deploying conference resources in a
   While virutalized public cloud environment might
   introduce a higher security risk.  Whereas traditional conference
   resources were usually deployed in private networks that were
   protected, cloud-based conference resources might be environments have been viewed as less
   secure since they resources are not always physically controlled by those
   who use them.  Additionally, them and since there are usually several ports open to the
   public in cloud deployments, such as for remote administration, and
   public, this draft aims to improve security so on. as to lower the
   barrier to taking advantage of those environments.

   This document defines a solution framework wherein media privacy is
   ensured by making it impossible for a media distributor to gain
   access to keys needed to decrypt or authenticate the actual media
   content sent between conference participants.  At the same time, the
   framework allows for the Media Distributors to modify certain RTP
   headers; add, remove, encrypt, or decrypt RTP header extensions; and
   encrypt and decrypt RTCP packets.  The framework also prevents replay
   attacks by authenticating each packet transmitted between a given
   participant and the media distributor using a unique key per endpoint
   that is independent from the key for media encryption and
   authentication.

   A goal of this document is to define a framework for enhanced privacy
   in RTP-based conferencing environments while utilizing existing
   security procedures defined for RTP with minimal enhancements.

2.  Conventions Used in This Document

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
   "OPTIONAL" in this document are to be interpreted as described in BCP
   14 [RFC2119] when [RFC8174] when, and only when, they appear in ALL CAPS.  These words may also appear in this document in
   lower case as plain English words, absent their normative meanings.

   Additionally, all
   capitals, as shown here.

   Additionally, this solution framework uses the following terms and
   acronyms:

   End-to-End (E2E): Communications from one endpoint through one or
   more Media Distributors to the endpoint at the other end.

   Hop-by-Hop (HBH): Communications between an endpoint and a Media
   Distributor or between Media Distributors.

   Trusted Endpoint: An RTP flow terminating entity that has possession
   of E2E media encryption keys and terminates E2E encryption.  This may
   include embedded user conferencing equipment or browsers on
   computers, media gateways, MCUs, media recording device and more that
   are in the trusted domain for a given deployment.

   Media Distributor (MD): An RTP middlebox that forwards endpoint media
   content (e.g., voice or video data) unaltered, either a subset or all
   of the flows at any given time, and is not never allowed to to have access to
   E2E encryption keys.  It operates according to the Selective
   Forwarding Middlebox RTP topologies [RFC7667] per the constraints
   defined by the PERC system, which includes, but not limited to,
   having no access to RTP media unencrypted and having limits on what
   RTP header field it can alter.

   Key Distributor: An entity that is a logical function which
   distributes keying material and related information to trusted
   endpoints and Media Distributor(s), only that which is appropriate
   for each.  The Key Distributor might be co-resident with another
   entity trusted with E2E keying material.

   Conference: Two or more participants communicating via trusted
   endpoints to exchange RTP flows through one or more Media
   Distributor.

   Call Processing: All trusted endpoints in the conference connect to
   it by a call processing dialog, such as with the Focus defined in the
   Framework for Conferencing with SIP [RFC4353].

   Third Party: Any entity that is not an Endpoint, Media Distributor,
   Key Distributor or Call Processing entity as described in this
   document.

3.  PERC Entities and Trust Model

   The following figure depicts the trust relationships, direct or
   indirect, between entities described in the subsequent sub-sections.
   Note that these entities may be co-located or further divided into
   multiple, separate physical devices.

   Please note that some entities classified as untrusted in the simple,
   general deployment scenario used most commonly in this document might
   be considered trusted in other deployments.  This document does not
   preclude such scenarios, but will keep keeps the definitions and examples
   focused by only using the the simple, most general deployment
   scenario.

                                  |
              +----------+        |        +-----------------+
              | Endpoint |        |        | Call Processing |
              +----------+        |        +-----------------+
                                  |
                                  |
           +----------------+     |       +--------------------+
           | Key Distributor|     |       | Media Distributor  |
           +----------------+     |       +--------------------+
                                  |
                Trusted           |             Untrusted
                Entities          |             Entities
                                  |

             Figure 1: Trusted and Untrusted Entities in PERC

3.1.  Untrusted Entities

   The architecture described in this framework document enables
   conferencing infrastructure to be hosted in domains, such as in a
   cloud conferencing provider's facilities, where the trustworthiness
   is below the level needed to assume the privacy of participant's
   media will is not be compromised.  The conferencing infrastructure in such a
   domain is still trusted with reliably connecting the participants
   together in a conference, but not trusted with keying material needed
   to decrypt any of the participant's media.  Entities in such lower
   trustworthiness domains will simply be are referred to as untrusted entities from
   this point forward.

   It is important to understand that untrusted in this document does
   not mean an entity is not expected to function properly.  Rather, it
   means only that the entity does not have access to the E2E media
   encryption keys.

3.1.1.  Media Distributor

   A Media Distributor forwards RTP flows between endpoints in the
   conference while performing per-hop authentication of each RTP
   packet.  The Media Distributor may need access to one or more RTP
   headers or header extensions, potentially adding or modifying a
   certain subset.  The Media Distributor will also relay relays secured messaging
   between the endpoints and the Key Distributor and will
   acquire acquires per-hop
   key information from the Key Distributor.  The actual media content MUST NOT
   must not be decryptable by a Media Distributor, so as it is untrusted to
   have access to the E2E media encryption keys.  The key exchange
   mechanisms specified in this framework will prevent prevents the Media Distributor
   from gaining access to the E2E media encryption keys.

   An endpoint's ability to join connect to a conference hosted serviced by a Media
   Distributor MUST NOT alone be interpreted as being does imply that the endpoint is authorized to have access
   to the E2E media encryption keys, as the Media Distributor does not
   have the ability to determine whether an endpoint is authorized.
   Instead, the Key Distributor is responsible for authenticating endpoints the
   endpoint (e.g., using WebRTC Identity
   [I-D.ietf-rtcweb-security-arch]) and determining their its authorization to
   receive E2E and HBH media encryption keys.

   A Media Distributor MUST must perform its role in properly forwarding
   media packets while taking measures to mitigate the adverse effects
   of denial of service attacks (refer to Section 6), etc, 8) to a level equal to
   or better than traditional conferencing (i.e. non-PERC) deployments.

   A Media Distributor or associated conferencing infrastructure may
   also initiate or terminate various conference control related
   messaging, which is outside the scope of this framework document.

3.1.2.  Call Processing

   The call processing function is untrusted in the simple, general
   deployment scenario.  When a physical subset of the call processing
   function resides in facilities outside the trusted domain, it should
   not be trusted to have access to E2E key information.

   The call processing function may include the processing of call
   signaling messages, as well as the signing of those messages.  It may
   also authenticate the endpoints for the purpose of call signaling and
   subsequently joining of a conference hosted through one or more Media
   Distributors.  Call processing may optionally ensure the privacy of
   call signaling messages between itself, the endpoint, and other
   entities.

   In any deployment scenario where the call processing function is
   considered trusted, the call processing function MUST ensure the
   integrity of received messages before forwarding to other entities.

3.2.  Trusted Entities

   From the PERC model system perspective, entities considered trusted
   (refer to Figure 1) can be in possession of the E2E media encryption
   keys for one or more conferences.

3.2.1.  Endpoint

   An endpoint is considered trusted and will have has access to E2E key
   information.  While it is possible for an endpoint to be compromised,
   subsequently performing in undesired ways, defining endpoint
   resistance to compromise is outside the scope of this document.
   Endpoints will take measures to mitigate the adverse effects of denial of
   service attacks (refer to Section 6) 8) from other entities, including
   from other endpoints, to a level equal to or better than traditional
   conference (i.e., non-PERC) deployments.

3.2.2.  Key Distributor

   The Key Distributor, which may be colocated with an endpoint or exist
   standalone, is responsible for providing key information to endpoints
   for both end-to-end (E2E) and hop-by-hop (HBH) security and for
   providing key information to Media Distributors for the hop-by-hop
   security.

   Interaction between the Key Distributor and the call processing
   function is necessary to for proper conference-to-endpoint mappings.
   This is described in Section 5.3.

   The Key Distributor needs to be secured and managed in a way to
   prevent exploitation by an adversary, as any kind of compromise of
   the Key Distributor puts the security of the conference at risk.

4.  Framework for PERC

   The purpose for this framework is to define a means through which
   media privacy can be is ensured when communicating within a conferencing
   environment consisting of one or more Media Distributors that only
   switch, hence not terminate, media.  It does not otherwise attempt to
   hide the fact that a conference between endpoints is taking place.

   This framework reuses several specified RTP security technologies,
   including SRTP [RFC3711], PERC EKT [I-D.ietf-perc-srtp-ekt-diet], and
   DTLS-SRTP [RFC5764].

4.1.  End-to-End and Hop-by-Hop Authenticated Encryption

   This solution framework focuses on the end-to-end privacy and
   integrity of the participant's media by limiting access of the end-
   to-end key information to only
   trusted entities. entities to the E2E key used for authenticated end-to-end
   encryption.  However, this framework does give a Media Distributor
   access to RTP headers and all or most header extensions, as well as
   the ability to modify a certain subset of those headers and to add
   header extensions.  Packets received by a Media Distributor or an
   endpoint are authenticated hop-by-hop.

   To enable all of the above, this framework defines the use of two
   security contexts and two associated encryption keys: an "inner" key
   (an E2E key distinct for each transmitted media flow) for
   authenticated encryption of RTP media between endpoints and an
   "outer" key (HBH key) known only to media distributor Media Distributor and the
   adjacent endpoint) for the hop between an endpoint and a Media
   Distributor or between Media Distributor.

      +-------------+                                +-------------+
      |             |################################|             |
      |    Media    |------------------------ *----->|    Media    |
      | Distributor |<----------------------*-|------| Distributor |
      |      X      |#####################*#|#|######|      Y      |
      |             |                     | | |      |             |
      +-------------+                     | | |      +-------------+
         #  ^ |  #          HBH Key (XY) -+ | |         #  ^ |  #
         #  | |  #           E2E Key (B) ---+ |         #  | |  #
         #  | |  #           E2E Key (A) -----+         #  | |  #
         #  | |  #                                      #  | |  #
         #  | |  #                                      #  | |  #
         #  | |  *---- HBH Key (AX)    HBH Key (YB) ----*  | |  #
         #  | |  #                                      #  | |  #
         #  *--------- E2E Key (A)      E2E Key (A) ---------*  #
         #  | *------- E2E Key (B)      E2E Key (B) -------* |  #
         #  | |  #                                      #  | |  #
         #  | v  #                                      #  | v  #
      +-------------+                                +-------------+
      | Endpoint A  |                                | Endpoint B  |
      +-------------+                                +-------------+

   Figure 2: E2E and HBH Keys Used for Authenticated Encryption of SRTP
                                  Packets

   The PERC Double transform [I-D.ietf-perc-double] enables endpoints to
   perform encryption using both the E2E end-to-end and HBH hop-by-hop contexts
   while still preserving the same overall interface as other SRTP
   transforms.  The Media Distributor simply uses the corresponding
   normal (single) AES-
   GCM AES-GCM transform, keyed with the appropriate HBH
   keys.  See Appendix A Section 6.1 for a description of the keys used in PERC and Appendix B
   Section 7 for an
   overview diagram of how the packet appears encrypted RTP packets appear on the
   wire.

   RTCP can is only be encrypted hop-by-hop, not end-to-end.  This framework
   introduces no additional step for RTCP authenticated encryption, so
   the procedures needed are specified in [RFC3711] and use the same
   outer, hop-by-hop cryptographic context chosen in the Double
   operation described above.

4.2.  E2E Key Confidentiality

   To ensure the confidentiality of E2E keys shared between endpoints,
   endpoints will make use of a common Key Encryption Key (KEK) that is known only by
   the trusted entities in a conference.  That KEK, defined in the PERC EKT
   [I-D.ietf-perc-srtp-ekt-diet] specification as the EKT Key,
   will be is used
   to subsequently encrypt the SRTP master key used for E2E
   authenticated encryption of media sent by a given endpoint.  Each
   endpoint in the conference will create a random creates an SRTP master key for E2E
   authenticated encryption, thus participants in the conference
   MUST encryption and keep track of the E2E keys received via
   the Full EKT Field Tag for each distinct SSRC synchronization source (SSRC) in
   the conference so that it can properly decrypt received media.  Note, too, that an  An
   endpoint may change its E2E key at any time and advertise that new
   key to the conference as specified in [I-D.ietf-perc-srtp-ekt-diet].

4.3.  E2E Keys and Endpoint Operations

   Any given RTP media flow can be is identified by its SSRC, and endpoints an endpoint
   might send more than one at a time and change the mix of media flows
   transmitted during the life of a conference.

   Thus, endpoints an endpoint MUST maintain a list of SSRCs from received RTP
   flows and each SSRC's associated E2E key information.  Following a change
   in an E2E key, prior E2E keys SHOULD be retained by receivers for a
   period long enough to ensure that late-arriving or out-of-order
   packets from the  An endpoint can be successfully decrypted.  Receiving
   endpoints
   MUST discard old E2E keys no later than when it leaves the
   conference. conference
   (see Section 4.5.2).

   If there is a need to encrypt one or more RTP header extensions end-
   to-end, the endpoint derives an encryption key is derived from the end-to-end E2E SRTP
   master key to encrypt header extensions as per [RFC6904].  The Media
   Distributor will not be able is unable use the information contained in those header
   extensions encrypted with an E2E key.

4.4.  HBH Keys and Hop Per-hop Operations

   To ensure the integrity of transmitted media packets, this framework
   requires it is REQUIRED
   that every packet be authenticated hop-by-hop (HBH) between an endpoint and
   a Media Distributor, as well between Media Distributors.  The
   authentication key used for hop-by-hop authentication is derived from
   an SRTP master key shared only on the respective hop.  Each HBH key
   is distinct per hop and no two hops ever use the same SRTP master
   key.

   Using hop-by-hop authentication gives the Media Distributor

   While endpoints also perform HBH authentication, the ability to of the
   endpoints to reconstruct the original RTP header also enables the
   endpoints to authenticate RTP packets E2E.  This design yields
   flexibility to the Media Distributor to change certain RTP header values.
   values as packets are forwarded.  Which values the Media Distributor
   can change in the RTP header are defined in [I-D.ietf-perc-double].
   RTCP can only be encrypted HBH, hop-by-hop, giving the Media Distributor
   the flexibility to forward RTCP content unchanged, transmit compound
   RTCP packets or to initiate RTCP packets for reporting statistics or
   conveying other information.  Performing hop-
   by-hop hop-by-hop authentication
   for all RTP and RTCP packets also helps provide replay protection
   (see Section 6). 8).

   If there is a need to encrypt one or more RTP header extensions hop-
   by-hop, the endpoint derives an encryption key is derived from the hop-by-hop HBH SRTP
   master key to encrypt header extensions as per [RFC6904].  This will still
   give
   gives the Media Distributor visibility into header extensions, such
   as the one used to determine audio level [RFC6464] of conference
   participants.  Note that when RTP header extensions are encrypted,
   all hops - in the untrusted domain at least - will need to decrypt and re-encrypt these encrypted header
   extensions.

4.5.  Key Exchange

   In brief, the keys used by any given endpoints are determined in the
   following way:

   o  The HBH keys that the endpoint uses to send and receive SRTP media
      are derived from a DTLS handshake that the endpoint performs with
      the Key Distributor (following normal DTLS-SRTP procedures).

   o  The E2E key that an endpoint uses to send SRTP media can either be
      set from DTLS or chosen by the endpoint.  It is then distributed
      to other endpoints in a Full EKT Field, Tag, encrypted under an EKTKey EKT Key
      provided to the client by the Key Distributor within the DTLS
      channel they negotiated.

   o  Each E2E key that an endpoint uses to receive SRTP media is set by
      receiving a Full EKT Field Tag from another endpoint.

4.5.1.  Initial Key Exchange and Key Distributor

   The Media Distributor maintains a tunnel with the Key Distrubutor Distributor
   (e.g., using [I-D.ietf-perc-dtls-tunnel]), making it possible for the
   Media Distributor to facilitate the establishment of a secure DTLS
   association between each endpoint and the Key Distributor as shown
   the following figure.  The DTLS association between endpoints and the
   Key Distributor will enable enables each endpoint to generate E2E and HBH keys
   and receive the Key Encryption Key (KEK) (i.e., EKT Key).  At the
   same time, the Key Distributor can securely provide provides the HBH key
   information to the Media Distributor.  The key information summarized
   here may include the SRTP master key, SRTP master salt, and the
   negotiated cryptographic transform.

                             +-----------+
                    KEK info |    Key    | HBH Key info to
                to Endpoints |Distributor| Endpoints & Media Distributor
                             +-----------+
                                # ^ ^ #
                                # | | #--- Tunnel
                                # | | #
   +-----------+             +-----------+             +-----------+
   | Endpoint  |   DTLS      |   Media   |   DTLS      | Endpoint  |
   |    KEK    |<------------|Distributor|------------>|    KEK    |
   |  HBH Key  | to Key Dist | HBH Keys  | to Key Dist |  HBH Key  |
   +-----------+             +-----------+             +-----------+

           Figure 3: Exchanging Key Information Between Entities

   In addition to the secure tunnel between the Media Distributor and
   the Key Distributor, there are two additional types of security
   associations utilized as a part of the key exchange as discussed in
   the following paragraphs.  One is a DTLS-SRTP association between an
   endpoint and the Key Distributor (with packets passing through the
   Media Distributor) and the other is a DTLS-SRTP association between
   peer Media Distributors.

   Endpoints will establish a DTLS-SRTP [RFC5764] association over the RTP
   session's media ports for the purposes of key information exchange
   with the Key Distributor.  The Media Distributor will does not terminate
   the DTLS signaling, but will instead forward forwards DTLS packets received from
   an endpoint on to the Key Distributor (and vice versa) via a tunnel
   established between Media Distributor and the Key Distributor.  This tunnel is used to encapsulate the DTLS-SRTP
   signaling between the Key Distributor and endpoints will also be used
   to convey HBH key information from the Key Distributor to the Media
   Distributor, so no additional protocol or interface is required.

   In establishing the DTLS association between endpoints and the Key
   Distributor, the endpoint MUST act as the DTLS client and the Key
   Distributor MUST act as the DTLS server.  The Key Encryption Key
   (KEK) (i.e., EKT Key) is conveyed by the Key Distributor over the
   DTLS association to endpoints via procedures defined in PERC EKT
   [I-D.ietf-perc-srtp-ekt-diet] via the EKTKey message.

   The Key Distributor MUST NOT establish DTLS-SRTP associations with
   endpoints without first authenticating the Media Distributor
   tunneling the DTLS-SRTP packets from the endpoint.

   Note that following DTLS-SRTP procedures for the
   [I-D.ietf-perc-double] cipher, the endpoint will generate generates both E2E and
   HBH encryption keys and salt values.  Endpoints MAY MUST either use the DTLS-
   SRTP
   DTLS-SRTP generated E2E key for transmission or MAY generate a fresh E2E
   key.  In either case, the generated SRTP master salt for E2E
   encryption MUST be replaced with the salt value provided by the Key
   Distributor via the EKTKey message.  That is because every endpoint
   in the conference uses the same SRTP master salt.  The endpoint only
   transmits the SRTP master key (not the salt) used for E2E encryption
   to other endpoints in RTP/RTCP packets per
   [I-D.ietf-perc-srtp-ekt-diet].

   Media Distributors use DTLS-SRTP [RFC5764] directly with a peer Media
   Distributor to establish the HBH key for transmitting RTP and RTCP
   packets to that peer Media Distributor.  The Key Distributor does not
   facilitate establishing a HBH key for use between Media Distributors.

4.5.2.  Key Exchange during a Conference

   Following the initial key information exchange with the Key
   Distributor, an endpoint will be is able to encrypt media end-to-end with an
   E2E key, sending that E2E key to other endpoints encrypted with the
   KEK, and will be is able to encrypt and authenticate RTP packets using a HBH
   key.  The procedures defined do not allow the Media Distributor to
   gain access to the KEK information, preventing it from gaining access
   to any endpoint's E2E key and subsequently decrypting media.

   The KEK (i.e., EKT Key) may need to change from time-to-time during
   the life of a conference, such as when a new participant joins or
   leaves a conference.  Dictating if, when or how often a conference is
   to be re-keyed is outside the scope of this document, but this
   framework does accommodate re-keying during the life of a conference.

   When a Key Distributor decides to re-key a conference, it transmits a
   specific
   new EKTKey message defined in PERC EKT [I-D.ietf-perc-srtp-ekt-diet] to each of the
   conference participants.  The participants containing the new EKT Key.  Upon receipt of
   the new EKT Key, the endpoint MUST create a new SRTP master key and
   prepare to send that key inside a Full EKT Field using the new EKTKey.  Since it may take some EKT
   Key as per Section 4.5 of [I-D.ietf-perc-srtp-ekt-diet].  In order to
   allow time for all of the endpoints in the conference to finish re-keying, senders MUST delay a
   short period of time before sending media encrypted with receive the new
   master key, but it MUST be
   keys, the sender should follow the recommendations in Section 4.7 of
   [I-D.ietf-perc-srtp-ekt-diet].  On receiving a new EKT Key, endpoints
   MUST be prepared to make use of decrypt EKT tags using the information
   from a new inbound key.  The EKT SPI
   field is used to differentiate between tags encrypted with the old
   and new keys.

   After re-keying, an endpoint SHOULD retain prior SRTP master keys and
   EKT Key immediately.  See Section 2.2.2 for a period of
   [I-D.ietf-perc-srtp-ekt-diet]. time sufficient for the purpose of ensuring
   it can decrypt late-arriving or out-of-order packets or packets sent
   by other endpoints that used the prior keys for a period of time
   after re-keying began.  An endpoint MAY retain old keys until the end
   of the conference.

   Endpoints MAY follow the procedures in section 5.2 of [RFC5764] to
   re-negotiate
   renegotiate HBH keys as desired.  If new HBH keys are generated, the
   new keys are also delivered to the Media Distributor following the
   procedures defined in [I-D.ietf-perc-dtls-tunnel]. [I-D.ietf-perc-dtls-tunnel] as one possible
   method.

   Endpoints are at liberty to MAY change the E2E encryption key used at any time.
   Endpoints MUST generate a new E2E encryption key whenever it receives
   a new EKT Key.  After switching to a new key, the new key
   will be is conveyed
   to other endpoints in the conference in RTP/RTCP packets per
   [I-D.ietf-perc-srtp-ekt-diet].

5.  Authentication

   It is important to this solution framework that the entities can
   validate the authenticity of other entities, especially the Key
   Distributor and endpoints.  The details of this are outside the scope
   of specification but a few possibilities are discussed in the
   following sections.  The key requirements is are that endpoints an endpoint can
   verify they are it is connected to the correct Key Distributor for the
   conference and the Key Distributor can verify the endpoints are endpoint is the
   correct endpoints endpoint for the conference.

   Two possible approaches to solve this are Identity Assertions and
   Certificate Fingerprints.

5.1.  Identity Assertions

   WebRTC Identity assertion [I-D.ietf-rtcweb-security-arch] can be is used to
   bind the identity of the user of the endpoint to the fingerprint of
   the DTLS-SRTP certificate used for the call.  This certificate is
   unique for a given call and a conference.  This allows the Key
   Distributor to ensure that only authorized users participate in the
   conference.  Similarly the Key Distributor can create a WebRTC
   Identity assertion to bind the fingerprint of the unique certificate
   used by the Key Distributor for this conference so that the endpoint
   can validate it is talking to the correct Key Distributor.  Such a
   setup requires an Identity Provider (Idp) trusted by the endpoints
   and the Key Distributor.

5.2.  Certificate Fingerprints in Session Signaling

   Entities managing session signaling are generally assumed to be
   untrusted in the PERC framework.  However, there are some deployment
   scenarios where parts of the session signaling may be assumed
   trustworthy for the purposes of exchanging, in a manner that can be
   authenticated, the fingerprint of an entity's certificate.

   As a concrete example, SIP [RFC3261] and SDP [RFC4566] can be used to
   convey the fingerprint information per [RFC5763].  An endpoint's SIP
   User Agent would send an INVITE message containing SDP for the media
   session along with the endpoint's certificate fingerprint, which can
   be signed using the procedures described in [RFC4474] [RFC8224] for the benefit
   of forwarding the message to other entities by the Focus [RFC4353].
   Other entities can now verify the fingerprints match the certificates
   found in the DTLS-SRTP connections to find the identity of the far
   end of the DTLS-SRTP connection and check verify that is the authorized
   entity.

   Ultimately, if using session signaling, an endpoint's certificate
   fingerprint would need to be securely mapped to a user and conveyed
   to the Key Distributor so that it can check that that user is
   authorized.  Similarly, the Key Distributor's certificate fingerprint
   can be conveyed to endpoint in a manner that can be authenticated as
   being an authorized Key Distributor for this conference.

5.3.  Conferences Identification

   The Key Distributor needs to know what endpoints are being added to a
   given conference.  Thus, the Key Distributor and the Media
   Distributor will need to know endpoint-to-conference mappings, which is
   enabled by exchanging a conference-specific unique identifier as defined
   in [I-D.ietf-perc-dtls-tunnel].  How this unique identifier is
   assigned is outside the scope of this document.

6.  Security Considerations  PERC Keys

   This framework, and the individual protocols defined to support it,
   must take care to not increase section describes the exposure to Denial of Service
   (DoS) attacks various keys employed by untrusted or third-party entities PERC, how they
   are derived, conveyed, and should take
   measures to mitigate, where possible, more serious DoS attacks from
   on-path so forth.

6.1.  Key Inventory and off-path attackers.

   The following Management Considerations

   This section enumerates summarizes the kind of attacks that will be
   considered several different keys used in the development of this framework's solution.

6.1.  Third Party Attacks

   On-path attacks PERC
   framework, how they are mitigated by HBH integrity protection generated, and
   encryption. what purpose they serve.

   The integrity protection mitigates packet modification
   and encryption makes selective blocking of packets harder, but not
   impossible.

   Off-path attackers may try connecting to different PERC entities and
   send specifically crafted packets.  A successful attacker might be
   able to get keys are described in the Media Distributor to forward such packets.  If not
   making use of HBH authentication on the Media Distributor, such an
   attack could only be detected order in the receiving endpoints where the
   forged packets which they would finally typically be dropped.

   Another potential attack is a third party claiming
   acquired.

   The various keys used in PERC are shown in Figure 4 below.

    +-----------+----------------------------------------------------+
    | Key       | Description                                        |
    +-----------+----------------------------------------------------+
    | KEK       | Key shared by all endpoints and used to be a Media
   Distributor, fooling encrypt    |
    | (EKT Key) | each endpoint's SRTP master key so receiving       |
    |           | endpoints in can decrypt media.                       |
    +-----------+----------------------------------------------------+
    | HBH Key   | Key used to sending packets encrypt media hop-by-hop.              |
    +-----------+----------------------------------------------------+
    | E2E Key   | Key used to encrypt media end-to-end.              |
    +-----------+----------------------------------------------------+

                          Figure 4: Key Inventory

   While the false
   Media Distributor instead of the correct one.  The deceived sending
   endpoints could incorrectly assuming their packets have been
   delivered to endpoints when they in fact have not.  Further, number key types is very small, it should be understood
   that the
   false Media Distributor may cascade to another legitimate Media
   Distributor creating a false version actual number of the real conference.

   This attack distinct keys can be mitigated by the false Media Distributor not being
   authenticated by the Key Distributor during PERC Tunnel
   establishment.  Without large as the tunnel
   conference grows in place, endpoints will not
   establish secure associations size.

   As an example, with the Key Distributor and receive
   the KEK, causing the conference to not proceed.

6.2.  Media Distributor Attacks

   The Media Distributor can attack the session 1,000 participants in a number conference, there would
   be at least 1,000 distinct SRTP master keys, all of possible
   ways.

6.2.1.  Denial of service

   Any modification which share the
   same master salt.  Each of those keys are passed through the end-to-end authenticated data will result KDF
   defined in [RFC3711] to produce the receiving endpoint getting an integrity failure when performing actual encryption and
   authentication on keys.

   Complicating key management is the received packet.

   The Media Distributor fact that the KEK can also attempt to perform resource
   consumption attacks on change and,
   when it does, the receiving endpoint.  One such attack would
   be to insert random SSRC/CSRC values in any RTP packet endpoints generate new SRTP master keys that are
   associated with an inband
   key-distribution message attached (i.e., Full EKT Field).  Since such a message would trigger the receiver new EKT SPI.  Endpoints have to form retain old keys for
   a new cryptographic
   context, the Media Distributor can attempt period of time to consume the receiving
   endpoints resources.

   Another denial ensure they can properly decrypt late-arriving or
   out-of-order packets.

   A more detailed explanation of each of service attack is where the Media Distributor
   rewrites the PT field to indicate a different codec. keys follows.

6.2.  DTLS-SRTP Exchange Yields HBH Keys

   The effect first set of
   this attack is that any payload packetized keys acquired are for hop-by-hop encryption and encoded according to
   one RTP payload format is then processed using another payload format
   decryption.  Per the Double [I-D.ietf-perc-double] procedures, the
   endpoint performs DTLS-SRTP exchange with the key distributor and codec.  Assuming
   receives a key that the implementation is robust to random
   input, it is unlikely to cause crashes is, in fact, "double" the receiving software/
   hardware.  However, it is not unlikely size that such rewriting will cause
   severe media degradation.

   For audio formats, this attack is likely to cause highly disturbing
   audio and/or can be damaging to hearing and playout equipment.

6.2.2.  Replay Attack

   Replay attack needed.
   The end-to-end part is when an already received packets from a previous
   point in the RTP stream is replayed as new packet.  This could, for
   example, allow a Media Distributor to transmit a sequence of packets
   identified as a user saying "yes", instead first half of the "no" key, so the user
   actually said. endpoint
   discards that information when generating its own key.  The mitigation for a replay attack is to prevent old packets beyond a
   small-to-modest jitter and network re-ordering sized window to be
   rejected.  End-to-end replay protection MUST be provided for the
   whole duration second
   half of the conference.

6.2.3.  Delayed Playout Attack

   The delayed playout attack key material is a variant for hop-by-hop operations, so that half
   of the replay attack.  This
   attack is possible even if E2E replay protection is in place.
   However, due key (corresponding to fact that the least significant bits) is assigned
   internally as the HBH key.

   The Key Distributor informs the Media Distributor is allowed to select
   a sub-set of streams and not forward the rest HBH key.
   Specifically, the Key Distributor sends the least significant bits
   corresponding to a receiver, such as
   in forwarding only the most active speakers, half of the receiver has keying material determined through
   DTLS-SRTP with the endpoint to
   accept gaps in the E2E packet sequence.  The issue Media Distributor.  A salt value
   is generated along with this the HBH key.  The salt is that
   a Media Distributor can select to not deliver a particular stream also longer than
   needed for
   a while.

   Within the window from last packet forwarded to hop-by-hop operations, thus only the receiver and least significant
   bits of the
   latest received by required length (i.e., half of the Media Distributor, generated salt
   material) are sent to the Media Distributor can
   select an arbitrary starting point when resuming forwarding packets.
   Thus what Distributor.  One way to transmit
   this key and salt information is via the media source said can be substantially delayed at tunnel protocol defined in
   [I-D.ietf-perc-dtls-tunnel].

   No two endpoints have the
   receiver with same HBH key, thus the receiver believing that it is what was said just
   now, Media Distributor
   MUST keep track each distinct HBH key (and the corresponding salt)
   and use it only delayed due to transport delay.

6.2.4.  Splicing Attack for the specified hop.

   The splicing attack HBH key is an attack where a Media also used for hop-by-hop encryption of RTCP.  RTCP is
   not end-to-end encrypted in PERC.

6.3.  The Key Distributor receiving
   multiple media sources splices one media stream into Transmits the other.  If KEK (EKT Key)

   Via the Media aforementioned DTLS-SRTP association, the Key Distributor
   sends the endpoint the KEK (i.e., EKT Key per
   [I-D.ietf-perc-srtp-ekt-diet]).  This key is able known only to change the SSRC without Key
   Distributor and endpoints.  This key is the receiver most important to protect
   since having any method for verifying the original source ID, then knowledge of this key (and the
   Media Distributor could first deliver stream A and then later forward
   stream B under SRTP master salt
   transmitted as a part of the same SSRC as stream A was previously using.  Not
   allowing message) allows an entity to
   decrypt any media packet in the Media conference.

   Note that the Key Distributor can send any number of EKT Keys to change the SSRC mitigates this
   attack.

7.  IANA Considerations

   There are no IANA considerations for this document.

8.  Acknowledgments

   The authors would like
   endpoints.  This is used to thank Mo Zanaty and Christian Oien for
   invaluable input on this document.  Also, we would like re-key the entire conference.  Each key
   is identified by a "Security Parameter Index" (SPI) value.  Endpoints
   MUST expect that a conference might be re-keyed when a new
   participant joins a conference or when a participant leaves a
   conference in order to
   acknowledge Nermeen Ismail for serving on protect the initial versions confidentiality of
   this document as a co-author.

9.  References

9.1.  Normative References

   [I-D.ietf-perc-double]
              Jennings, C., Jones, P., Barnes, R., the
   conversation before and A. Roach, "SRTP
              Double Encryption Procedures", draft-ietf-perc-double-09
              (work after such events.

   The SRTP master salt to be used by the endpoint is transmitted along
   with the EKT Key.  All endpoints in progress), May 2018.

   [I-D.ietf-perc-dtls-tunnel]
              Jones, P., Ellenbogen, P., and N. Ohlmeier, "DTLS Tunnel
              between the conference utilize the same
   SRTP master salt that corresponds with a Media Distributor and given EKT Key.

   The Full EKT Tag in media packets is encrypted using a cipher
   specified via the EKTKey message (e.g., AES Key Distributor Wrap with a 128-bit
   key).  This cipher is different than the cipher used to
              Facilitate Key Exchange", draft-ietf-perc-dtls-tunnel-03
              (work in progress), April 2018.

   [I-D.ietf-perc-srtp-ekt-diet]
              Jennings, C., Mattsson, J., McGrew, D., Wing, D., protect media
   and F.
              Andreasen, "Encrypted is only used to encrypt the endpoint's SRTP master key (and other
   EKT Tag data as per [I-D.ietf-perc-srtp-ekt-diet]).

   The media distributor is not given the KEK (i.e., EKT Key).

6.4.  Endpoints fabricate an SRTP Master Key Transport for DTLS and Secure
              RTP", draft-ietf-perc-srtp-ekt-diet-08 (work in progress),
              July 2018.

   [RFC2119]  Bradner, S., "Key words for use

   As stated earlier, the E2E key determined via DTLS-SRTP MAY be
   discarded in RFCs favor of a locally-generated SRTP master key.  While the
   DTLS-SRTP-derived SRTP master key can be used initially, the endpoint
   might choose to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997,
              <https://www.rfc-editor.org/info/rfc2119>.

   [RFC3550]  Schulzrinne, H., Casner, S., Frederick, R., change the SRTP master key periodically and V.
              Jacobson, "RTP: A Transport Protocol for Real-Time
              Applications", STD 64, RFC 3550, DOI 10.17487/RFC3550,
              July 2003, <https://www.rfc-editor.org/info/rfc3550>.

   [RFC6904]  Lennox, J., "Encryption MUST
   change the SRTP master key as a result of Header Extensions in the Secure
              Real-time Transport Protocol (SRTP)", RFC 6904,
              DOI 10.17487/RFC6904, April 2013,
              <https://www.rfc-editor.org/info/rfc6904>.

9.2.  Informative References

   [I-D.ietf-rtcweb-security-arch]
              Rescorla, E., "WebRTC Security Architecture", draft-ietf-
              rtcweb-security-arch-15 (work in progress), July 2018.

   [RFC3261]  Rosenberg, J., Schulzrinne, H., Camarillo, G., Johnston,
              A., Peterson, J., Sparks, R., Handley, M., and E.
              Schooler, "SIP: Session Initiation Protocol", RFC 3261,
              DOI 10.17487/RFC3261, June 2002,
              <https://www.rfc-editor.org/info/rfc3261>.

   [RFC3711]  Baugher, M., McGrew, D., Naslund, M., Carrara, E., and K.
              Norrman, "The Secure Real-time Transport Protocol (SRTP)",
              RFC 3711, DOI 10.17487/RFC3711, March 2004,
              <https://www.rfc-editor.org/info/rfc3711>.

   [RFC4353]  Rosenberg, J., "A Framework for Conferencing EKT key changing.

   A locally-generated SRTP master key is used along with the
              Session Initiation Protocol (SIP)", RFC 4353,
              DOI 10.17487/RFC4353, February 2006,
              <https://www.rfc-editor.org/info/rfc4353>.

   [RFC4474]  Peterson, J. and C. Jennings, "Enhancements for
              Authenticated Identity Management master
   salt transmitted to the endpoint from the key distributor via the
   EKTKey message to encrypt media end-to-end.

   Since the media distributor is not involved in E2E functions, it does
   not create this key nor have access to any endpoint's E2E key.  Note,
   too, that even the Session
              Initiation Protocol (SIP)", RFC 4474,
              DOI 10.17487/RFC4474, August 2006,
              <https://www.rfc-editor.org/info/rfc4474>.

   [RFC4566]  Handley, M., Jacobson, V., and C. Perkins, "SDP: Session
              Description Protocol", RFC 4566, DOI 10.17487/RFC4566,
              July 2006, <https://www.rfc-editor.org/info/rfc4566>.

   [RFC5763]  Fischl, J., Tschofenig, H., and E. Rescorla, "Framework
              for Establishing a Secure Real-time Transport Protocol
              (SRTP) Security Context Using Datagram Transport Layer
              Security (DTLS)", RFC 5763, DOI 10.17487/RFC5763, May
              2010, <https://www.rfc-editor.org/info/rfc5763>.

   [RFC5764]  McGrew, D. and E. Rescorla, "Datagram Transport Layer
              Security (DTLS) Extension to Establish Keys for the Secure
              Real-time Transport Protocol (SRTP)", RFC 5764,
              DOI 10.17487/RFC5764, May 2010,
              <https://www.rfc-editor.org/info/rfc5764>.

   [RFC6464]  Lennox, J., Ed., Ivov, E., and E. Marocco, "A Real-time
              Transport Protocol (RTP) Header Extension for Client-to-
              Mixer Audio Level Indication", RFC 6464,
              DOI 10.17487/RFC6464, December 2011,
              <https://www.rfc-editor.org/info/rfc6464>.

   [RFC7667]  Westerlund, M. and S. Wenger, "RTP Topologies", RFC 7667,
              DOI 10.17487/RFC7667, November 2015,
              <https://www.rfc-editor.org/info/rfc7667>.

Appendix A.  PERC Key Inventory

   PERC specifies the use of a number key distributor is unaware of different keys and,
   understandably, it looks complicated or confusing on the surface.
   This section summarizes the various locally-
   generated E2E keys used in the system, how they
   are generated, and what purpose they serve. by each endpoint.

   The keys are described endpoint transmits its E2E key to other endpoints in the order
   conference by periodically including it in which they would typically be
   acquired.

   The various keys used SRTP packets in PERC are shown a Full EKT
   Tag.  When placed in Figure 4 below.

    +-----------+----------------------------------------------------+
    | Key       | Description                                        |
    +-----------+----------------------------------------------------+
    | KEK       | the Full EKT Tag, it is encrypted using the EKT
   Key shared provided by the key distributor.  The master salt is not
   transmitted, though, since all endpoints and used to encrypt    |
    | (EKT Key) | each endpoint's SRTP receive the same master key so receiving       |
    |           | endpoints can decrypt media.                       |
    +-----------+----------------------------------------------------+
    | HBH Key   | Key used to encrypt media hop-by-hop.              |
    +-----------+----------------------------------------------------+
    | E2E Key   | Key used to encrypt media end-to-end.              |
    +-----------+----------------------------------------------------+

                          Figure 4: Key Inventory

   As you can see, salt
   via the number EKTKey message from the Key Distributor.  The recommended
   frequency with which an endpoint transmits its SRTP master key types is very small.  However, what
   can be challenging is keeping track
   specified in [I-D.ietf-perc-srtp-ekt-diet].

6.5.  Summary of all Key Types and Entity Possession

   All endpoints have knowledge of the KEK.

   Every HBH key is distinct E2E keys
   as the conference grows in size.  With 1,000 participants in for a
   conference, there will be 1,000 distinct SRTP master keys, all given endpoint, thus Endpoint A and
   Endpoint B do not have knowledge of
   which share the same master salt. other's HBH key.

   Each of those keys are passed
   through the KDF defined in [RFC3711] to produce the actual encryption
   and authentication keys.  Complicating endpoint generates its own E2E Key (SRTP master key), thus
   distinct per endpoint.  This key management is transmitted (encrypted) via the fact
   that the KEK can change and, when it does, the endpoints generate new
   SRTP master keys.  And, of course, there is a new SRTP master salt
   Full EKT Tag to
   go with those keys. other endpoints.  Endpoints have to retain old keys for that receive media from a period
   given transmitting endpoint gains knowledge of time to ensure they can properly decrypt late-arriving or out-of-
   order packets.

   The time required to retain old keys (either the transmitter's E2E
   key via the Full EKT Keys or SRTP master
   keys) is not specified, but they should be retained at least for Tag.

   To summarize the
   period various keys and which entity is in possession of time required to re-key the conference or handle late-
   arriving or out-of-order packets.  A period of 60s should be
   considered a generous retention period, but endpoints may keep old
   keys on hand until the end of the conference.

   Or more detailed explanation of each of the keys follows.

A.1.  DTLS-SRTP Exchange Yields
   given key, refer to Figure 5.

    +----------------------+------------+-------+-------+------------+
    | Key     /    Entity  | Endpoint A |  MD X |  MD Y | Endpoint B |
    +----------------------+------------+-------+-------+------------+
    | KEK                  |    Yes     |  No   |  No   |     Yes    |
    +----------------------+------------+-------+-------+------------+
    | E2E Key (A and B)    |    Yes     |  No   |  No   |     Yes    |
    +----------------------+------------+-------+-------+------------+
    | HBH Key (A<=>MD X)   |    Yes     |  Yes  |  No   |     No     |
    +----------------------+------------+-------+-------+------------+
    | HBH Key (B<=>MD Y)   |    No      |  No   |  Yes  |     Yes    |
    +----------------------+------------+---------------+------------+
    | HBH Key (MD X<=>MD Y)|    No      |  Yes  |  Yes  |     No     |
    +----------------------+------------+---------------+------------+

                Figure 5: Keys

   The first set of keys acquired are for hop-by-hop encryption and
   decryption.  Assuming the use of Double [I-D.ietf-perc-double], the
   endpoint would perform DTLS-SRTP exchange with the key distributor Types and receive Entity Possession

7.  Encrypted Media Packet Format

   Figure 6 presents a key that is, in fact, "double" the size that is needed.
   Per the Double specification, the E2E part is the first half complete picture of what an encrypted media
   packet per this framework looks like when transmitted over the
   key, so the endpoint will just discard that information in PERC.  It
   is not used. wire.
   The second half of the key material packet format shown is for HBH
   operations, so that half of encrypted using the key (corresponding Double cryptographic
   transform with an EKT Tag appended to the least
   significant bits) is assigned internally as the end.

     0                   1                   2                   3
     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<++
    |V=2|P|X|  CC   |M|     PT      |       sequence number         | IO
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ IO
    |                           timestamp                           | IO
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ IO
    |           synchronization source (SSRC) identifier            | IO
    +=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ IO
    |            contributing source (CSRC) identifiers             | IO
    |                               ....                            | IO
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<+O
    |                    RTP extension (OPTIONAL) ...               | |O
+>+>+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<+O
O I |                          payload  ...                         | IO
O I |                               +-------------------------------+ IO
O I |                               | RTP padding   | RTP pad count | IO
O +>+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<+O
O | |                    E2E authentication tag                     | |O
O | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |O
O | |                            OHB ...                            | |O
+>| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |+
| | |                    HBH key.

   The media distributor doesn't perform DTLS-SRTP, but it authentication tag                     | ||
| | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ||
| | |   EKT Tag ...   | R                                             ||
| | +-+-+-+-+-+-+-+-+-+ |                                             ||
| |                     +- Neither encrypted nor authenticated;       ||
| |                        appended after Double is at this
   point that the key distributor will inform the media distributor of
   the performed         ||
| |                                                                   ||
| |                                                                   ||
| +- E2E Encrypted Portion               E2E Authenticated Portion ---+|
|                                                                      |
+--- HBH key value via the tunnel protocol
   ([I-D.ietf-perc-dtls-tunnel]). Encrypted Portion               HBH Authenticated Portion ----+

                  Figure 6: Encrypted Media Packet Format

8.  Security Considerations

8.1.  Third Party Attacks

   On-path attacks are mitigated by hop-by-hop integrity protection and
   encryption.  The key distributor will integrity protection mitigates packet modification
   and encryption makes selective blocking of packets harder, but not
   impossible.

   Off-path attackers may try connecting to different PERC entities and
   send the
   least significant bits corresponding specifically crafted packets.  A successful attacker might be
   able to get the half of the keying
   material determined through DTLS-SRTP with the endpoint Media Distributor to the media
   distributor via the tunnel protocol.  There is a salt generated along
   with the HBH key. forward such packets.  The salt is also longer than needed for HBH
   operations, thus only the least significant bits of Media
   Distributor mitigates such an attack by performing hop-by-hop
   authentication and discarding packets that fail authentication.

   Another potential attack is a third party claiming to be a Media
   Distributor, fooling endpoints in to sending packets to the required
   length (i.e., half false
   Media Distributor instead of the generated salt material) are sent correct one.  The deceived sending
   endpoints could incorrectly assuming their packets have been
   delivered to the
   media distributor via the tunnel protocol.

   No two endpoints will when they in fact have not.  Further, the same HBH key, thus the media
   distributor must keep track each distinct HBH key (and the
   corresponding salt) and use it only for
   false Media Distributor may cascade to another legitimate Media
   Distributor creating a false version of the specified hop. real conference.

   This key is also used for HBH encryption of RTCP.  RTCP attack is be mitigated by the false Media Distributor not end-
   to-end encrypted in PERC.

A.2.  The being
   authenticated by the Key Distributor.  They Key Distributor Transmits the KEK (EKT Key)

   Via the aforementioned DTLS-SRTP association, the key distributor will send the endpoint the KEK (i.e., EKT Key per
   [I-D.ietf-perc-srtp-ekt-diet]).  This key is known only fail
   to establish the key
   distributor and endpoints.  This key is secure association with the most important to protect
   since having knowledge of this key (and endpoint if the SRTP master salt
   transmitted as a part of Media
   Distributor cannot be authenticated.

8.2.  Media Distributor Attacks

   The Media Distributor can attack the same message) will allow an entity to
   decrypt any media packet session in the conference.

   Note that the key distributor can send any a number of EKT Keys to
   endpoints.  This can be used to re-key the entire conference.  Each
   key possible
   ways.

8.2.1.  Denial of service

   A simple form of attack is identified by a "Security Parameter Index" (SPI) value.
   Endpoints should expect discarding received packets that a conference might should be re-keyed when a
   new participant joins a conference or when a participant leaves a
   conference in order
   forwarded.  This solution framework does not introduce any mitigation
   for Media Distributors that fail to protect the confidentiality forward media packets.

   Another form of the
   conversation before and after such events.

   The SRTP master salt to be used by the endpoint attack is transmitted along
   with modifying received packets before
   forwarding.  With this solution framework, any modification of the EKT Key.  All endpoints
   end-to-end authenticated data results in the conference utilize receiving endpoint
   getting an integrity failure when performing authentication on the same
   SRTP master salt that corresponds with a given EKT Key.
   received packet.

   The EKT Field Media Distributor can also attempt to perform resource
   consumption attacks on the receiving endpoint.  One such attack would
   be to insert random SSRC/CSRC values in media packets is encrypted using any RTP packet with an inband
   key-distribution message attached (i.e., Full EKT Tag).  Since such a cipher specified
   via the EKTKey
   message (e.g., AES Key Wrap with would trigger the receiver to form a 128-bit key).  This
   cipher is different than new cryptographic
   context, the cipher used Media Distributor can attempt to protect media consume the receiving
   endpoints resources.  While E2E authentication would fail and is only
   used to encrypt the endpoint's SRTP master key (and other EKT Field
   data as per [I-D.ietf-perc-srtp-ekt-diet]).

   The media distributor is not given
   cryptographic context would be destroyed, the KEK (i.e., EKT Key).

A.3.  Endpoints fabricate an SRTP Master Key

   As stated earlier, the E2E key determined via DTLS-SRTP MAY be
   discarded in favor of a locally-generated SRTP master key.  While the
   DTLS-SRTP-derived key could be used, the fact that derivation
   operation would nonetheless consume some computational resources.

8.2.2.  Replay Attack

   A replay attack is when an endpoint might
   need to change already received packets from a previous
   point in the SRTP master key periodically or RTP stream is forced replayed as new packet.  This could, for
   example, allow a Media Distributor to
   change the SRTP master key transmit a sequence of packets
   identified as a result user saying "yes", instead of the EKT key changing means
   using it has only limited utility.  To reduce complexity, PERC
   *RECOMMENDS* that endpoints create random SRTP master keys locally to
   be used "no" the user
   actually said.

   The mitigation for E2E encryption.

   This locally-generated SRTP master key a replay attack is used along with the master
   salt transmitted to prevent old packets beyond a
   small-to-modest jitter and network re-ordering sized window to be
   rejected.  End-to-end replay protection MUST be provided for the endpoint from the key distributor via
   whole duration of the
   EKTKey message to encrypt media end-to-end.

   Since conference.

8.2.3.  Delayed Playout Attack

   The delayed playout attack is a variant of the media distributor replay attack.  This
   attack is not involved in possible even if E2E functions, it will
   not create this key nor have access replay protection is in place.
   However, due to any endpoint's E2E key.  Note,
   too, fact that even the key distributor Media Distributor is unaware allowed to select
   a sub-set of streams and not forward the locally-
   generated E2E keys used by each endpoint.

   The endpoint will transmit its E2E key rest to other endpoints in the
   conference by periodically including it in SRTP packets in a Full EKT
   Field.  When placed receiver, such as
   in forwarding only the Full EKT Field, it is encrypted using most active speakers, the
   EKT Key provided by receiver has to
   accept gaps in the key distributor. E2E packet sequence.  The master salt issue with this is that
   a Media Distributor can select to not
   transmitted, though, since all endpoints will have deliver a particular stream for
   a while.

   Within the window from last packet forwarded to the receiver and the
   latest received by the same
   master salt via Media Distributor, the EKTKey message.  The recommended frequency with
   which Media Distributor can
   select an endpoint transmits its SRTP master key arbitrary starting point when resuming forwarding packets.
   Thus what the media source said can be substantially delayed at the
   receiver with the receiver believing that it is specified in
   [I-D.ietf-perc-srtp-ekt-diet].

A.4.  Who has What Key

   All endpoints have knowledge of what was said just
   now, and only delayed due to transport delay.

8.2.4.  Splicing Attack

   The splicing attack is an attack where a Media Distributor receiving
   multiple media sources splices one media stream into the KEK.

   Every HBH key other.  If
   the Media Distributor is distinct able to change the SSRC without the receiver
   having any method for a given endpoint, thus Endpoint verifying the original source ID, then the
   Media Distributor could first deliver stream A and
   endpoint then later forward
   stream B do under the same SSRC as stream A was previously using.  By
   not have knowledge of allowing the other's HBH key.

   Each endpoint generates its own E2E Key (SRTP master key), thus Media Distributor to change the
   key distinct per endpoint.  This key is transmitted (encrypted) via
   the EKT Field SSRC, PERC mitigates
   this attack.

9.  IANA Considerations

   There are no IANA considerations for this document.

10.  Acknowledgments

   The authors would like to other endpoints.  Endpoints that receive media from
   a given transmitting endpoint will therefore have knowledge of the
   transmitter's E2E key.

   To summarize the various keys thank Mo Zanaty and which entity is in possession Christian Oien for
   invaluable input on this document.  Also, we would like to
   acknowledge Nermeen Ismail for serving on the initial versions of
   this document as a
   given key, refer to Figure 5.

    +----------------------+------------+-------+-------+------------+
    | co-author.

11.  References

11.1.  Normative References

   [I-D.ietf-perc-double]
              Jennings, C., Jones, P., Barnes, R., and A. Roach, "SRTP
              Double Encryption Procedures", draft-ietf-perc-double-10
              (work in progress), October 2018.

   [I-D.ietf-perc-srtp-ekt-diet]
              Jennings, C., Mattsson, J., McGrew, D., Wing, D., and F.
              Andreasen, "Encrypted Key     /    Entity  | Endpoint Transport for DTLS and Secure
              RTP", draft-ietf-perc-srtp-ekt-diet-09 (work in progress),
              October 2018.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997,
              <https://www.rfc-editor.org/info/rfc2119>.

   [RFC3550]  Schulzrinne, H., Casner, S., Frederick, R., and V.
              Jacobson, "RTP: A |  MD X |  MD Y | Endpoint B |
    +----------------------+------------+-------+-------+------------+
    | KEK                  |    Yes     |  No   |  No   |     Yes    |
    +----------------------+------------+-------+-------+------------+
    | E2E Transport Protocol for Real-Time
              Applications", STD 64, RFC 3550, DOI 10.17487/RFC3550,
              July 2003, <https://www.rfc-editor.org/info/rfc3550>.

   [RFC6904]  Lennox, J., "Encryption of Header Extensions in the Secure
              Real-time Transport Protocol (SRTP)", RFC 6904,
              DOI 10.17487/RFC6904, April 2013,
              <https://www.rfc-editor.org/info/rfc6904>.

   [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
              2119 Key (A Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
              May 2017, <https://www.rfc-editor.org/info/rfc8174>.

11.2.  Informative References

   [I-D.ietf-perc-dtls-tunnel]
              Jones, P., Ellenbogen, P., and N. Ohlmeier, "DTLS Tunnel
              between a Media Distributor and B)    |    Yes     |  No   |  No   |     Yes    |
    +----------------------+------------+-------+-------+------------+
    | HBH Key (A<=>MD X)   |    Yes     |  Yes  |  No   |     No     |
    +----------------------+------------+-------+-------+------------+
    | HBH Key (B<=>MD Y)   |    No      |  No   |  Yes  |     Yes    |
    +----------------------+------------+---------------+------------+
    | HBH Distributor to
              Facilitate Key (MD X<=>MD Y)|    No      |  Yes  |  Yes  |     No     |
    +----------------------+------------+---------------+------------+

                         Figure 5: Keys per Entity

Appendix B.  PERC Packet Format

   Figure 6 presents a complete picture of what a PERC packet looks like
   when transmitted over Exchange", draft-ietf-perc-dtls-tunnel-04
              (work in progress), October 2018.

   [I-D.ietf-rtcweb-security-arch]
              Rescorla, E., "WebRTC Security Architecture", draft-ietf-
              rtcweb-security-arch-17 (work in progress), November 2018.

   [RFC3261]  Rosenberg, J., Schulzrinne, H., Camarillo, G., Johnston,
              A., Peterson, J., Sparks, R., Handley, M., and E.
              Schooler, "SIP: Session Initiation Protocol", RFC 3261,
              DOI 10.17487/RFC3261, June 2002,
              <https://www.rfc-editor.org/info/rfc3261>.

   [RFC3711]  Baugher, M., McGrew, D., Naslund, M., Carrara, E., and K.
              Norrman, "The Secure Real-time Transport Protocol (SRTP)",
              RFC 3711, DOI 10.17487/RFC3711, March 2004,
              <https://www.rfc-editor.org/info/rfc3711>.

   [RFC4353]  Rosenberg, J., "A Framework for Conferencing with the wire.

       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    A |V=2|P|X|  CC   |M|     PT      |       sequence number         |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    A |                           timestamp                           |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    A |           synchronization source (SSRC) identifier            |
      +=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
    A |            contributing source (CSRC) identifiers             |
    A |                               ....                            |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    A |                    RTP extension (OPTIONAL)                   |
    A |                      (including
              Session Initiation Protocol (SIP)", RFC 4353,
              DOI 10.17487/RFC4353, February 2006,
              <https://www.rfc-editor.org/info/rfc4353>.

   [RFC4566]  Handley, M., Jacobson, V., and C. Perkins, "SDP: Session
              Description Protocol", RFC 4566, DOI 10.17487/RFC4566,
              July 2006, <https://www.rfc-editor.org/info/rfc4566>.

   [RFC5763]  Fischl, J., Tschofenig, H., and E. Rescorla, "Framework
              for Establishing a Secure Real-time Transport Protocol
              (SRTP) Security Context Using Datagram Transport Layer
              Security (DTLS)", RFC 5763, DOI 10.17487/RFC5763, May
              2010, <https://www.rfc-editor.org/info/rfc5763>.

   [RFC5764]  McGrew, D. and E. Rescorla, "Datagram Transport Layer
              Security (DTLS) Extension to Establish Keys for the OHB)                      |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    C :                                                               :
    C :                       Ciphertext Payload                      :
    C :                                                               :
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    R :                                                               :
    R :                        EKT Field                              :
    R :                                                               :
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

                 C = Ciphertext (encrypted Secure
              Real-time Transport Protocol (SRTP)", RFC 5764,
              DOI 10.17487/RFC5764, May 2010,
              <https://www.rfc-editor.org/info/rfc5764>.

   [RFC6464]  Lennox, J., Ed., Ivov, E., and authenticated)
                 A = Associated Data (authenticated only)
                 R = neither encrypted nor authenticated, added
                     after Authenticated Encryption completed

                       Figure 6: PERC Packet Format E. Marocco, "A Real-time
              Transport Protocol (RTP) Header Extension for Client-to-
              Mixer Audio Level Indication", RFC 6464,
              DOI 10.17487/RFC6464, December 2011,
              <https://www.rfc-editor.org/info/rfc6464>.

   [RFC7667]  Westerlund, M. and S. Wenger, "RTP Topologies", RFC 7667,
              DOI 10.17487/RFC7667, November 2015,
              <https://www.rfc-editor.org/info/rfc7667>.

   [RFC8224]  Peterson, J., Jennings, C., Rescorla, E., and C. Wendt,
              "Authenticated Identity Management in the Session
              Initiation Protocol (SIP)", RFC 8224,
              DOI 10.17487/RFC8224, February 2018,
              <https://www.rfc-editor.org/info/rfc8224>.

Authors' Addresses

   Paul E. Jones
   Cisco
   7025 Kit Creek Rd.
   Research Triangle Park, North Carolina  27709
   USA

   Phone: +1 919 476 2048
   Email: paulej@packetizer.com

   David Benham
   Independent

   Email: dabenham@gmail.com

   Christian Groves
   Independent
   Melbourne
   Australia

   Email: Christian.Groves@nteczone.com cngroves.std@gmail.com