Shyam Pallapothu Internet-Draft Sunil Mahajan Expires: June 21, 2007 ARICENT Dec 21, 2006 Selective Encryption Support in SRTP draft-smahajan-srtp-selective-encryption-00.txt Status of this Memo By submitting this Internet-Draft, each author represents that any applicable patent or other IPR claims of which he or she is aware have been or will be disclosed, and any of which he or she becomes aware will be disclosed, in accordance with Section 6 of BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet- Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt. The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html. This Internet-Draft will expire on June 21, 2007. Copyright Notice Copyright (C) The IETF TRUST (2006). Abstract Selective Encryption is good mechanism to improve performance of devices that support media encode/decode and transport and still meets basic requirement of confidentiality. SRTP is one of the popular mechanism used to support media transport over IP channels. This draft suggests some enhancements to SRTP protocol management without changing protocol syntax to enable SRTP to support "Selective Encryption". Sunil Mahajan Expires June 21, 2006 [Page 1] Internet-Draft SRTP Selective Encryption June 2006 Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 2. Selective Encryption in SRTP . . . . . . . . . . . . . . . . 4 3. Security Context . . . . . . . . . . . . . . . . . . . . . . 5 4. Key Exchange Protocol . . . . . . . . . . . . . . . . . . . 5 5. Security Considerations . . . . . . . . . . . . . . . . . . 6 6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 6 7. References . . . . . . . . . . . . . . . . . . . . . . . . . 6 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 7 Intellectual Property and Copyright Statements . . . . . . . . . 8 Sunil Mahajan Expires June 21, 2006 [Page 2] Internet-Draft SRTP Selective Encryption June 2006 1. Introduction It is clearly understood that to support media transport over IP networks transport protocols would need to support confidentiality and integrity of data, as these transports are typically shared access media for multiple users and are open to different kind of security attacks, unlike traditional PSTN networks where access and network transport is inherently and physically secured from malicious use. To support such requirements media transport shall provide mechanisms to encrypt and protect integrity of the user data. To achieve such requirements SRTP protocol is proposed to be used which is another profile of RTP protocol. SRTP provides all the required features for media communication over insecure and shared IP networks. However since most of these media communications originate from handheld devices like mobile phones or even fixed phones, processing power requirements at these devices to encrypt the complete media stream also increases which poses its own challenges. To avoid high processing requirements at these devices "Selective Encryption" techniques can be used. Selective Encryption: It is a method where part of the media stream is encrypted and other part is left unencrypted. The parts to be encrypted depends on the type of media and compression schemes used for media transport. It is required that sufficient information is encrypted so that any evesdroper should not be able to reconstruct the complete stream. E.g. for video transport, I frames are encrypted and others are sent in un -encrypted format. There are various research papers published on the benefits of Selective Encryption but still there are differing opinions on the usefulness of selective encryption. However the biggest benefit for IP based communication from handheld devices point of view is low processing power requirements and this is a good enough benefit for selective encryption to be considered. For network nodes which process large number of encrypted media streams, selective encryption can play an important role there too. Use of selective encryption shall be optional to the user and device and for critical projecs or communication needs where confidentiality is of prime importance, it shall not be used, however for other form of normal communication needs, it can be used. Current definition of SRTP protocol does not support selective encryption. This draft proposes a method using which selective Sunil Mahajan Expires June 21, 2006 [Page 3] Internet-Draft SRTP Selective Encryption June 2006 encryption can be supported without changing the syntax of the protocol, which means that even existing implementations will not change and the proposed method is backward compatible with existing implementations. 2. Selective Encryption in SRTP Basic requirement in selective encryption is to encrypt some media packets and not encrypt some other. This requires that every packet shall carry an indicator which indicates whether packet is encrypted or not. This does not interfere with other security requirements, like message integrity or authentication of source etc. SRTP uses a parameter called MKI (Master Key Index) which is an optional parameter in every SRTP packet and indicates the index of the master key in use. Current definition of SRTP protocol defines security context at both the ends of the communication which is established using other(other than SRTP)mechanisms and also creates Master Key. Master key is used to create session keys for encryption and integrity. SRTP allows multiple Master Keys to be used to provide enhanced security features where Master Key can be changed during media communication over SRTP by indicating different MKI value in the SRTP stream. Current definition of SRTP does not include encryption (cipher) algorithm to be part of Master Key Index, so basically while establishing security context at both ends of the communication, cipher algorithm is negotiated and multiple master keys are established and all the keys uses same cipher suite. SRTP also allows NULL encryption to be supported as valid cipher algorithm. If we change SRTP definition by linking encryption algorithm to the Master Key and each Master Key can hold its own cipher algorithms, SRTP can support selective encryption without changing protocol syntax. In order to support selective encryption between two endpoints, security context establishment shall establish at least two master keys (which means two MKI values as well) and one of the master key carries a cipher algorithm and other one uses NULL Cipher. During RTP Sunil Mahajan Expires June 21, 2006 [Page 4] Internet-Draft SRTP Selective Encryption June 2006 packet processing by SRTP stack, if encryption for that packet is needed, MKI value will be set to the one that has cipher algorithm attached and if encryption is not needed, MKI value will be set to one that has NULL Cipher. 3. Security Context Security context at each endpoint will change as per this new definition. Key material params (for each master key): SRTP and SRTCP encr transf. AES_CM/NULL AES_CM master key length 128 128 n_e (encr session key length) 128 128 n_a (auth session key length) 160 160 master salt key length of the master salt 112 112 n_s (session salt key length) 112 112 key derivation rate 0 0 key lifetime SRTP-packets-max-lifetime 2^48 2^48 SRTCP-packets-max-lifetime 2^31 2^31 from-to-lifetime MKI indicator 0 0 length of the MKI 0 0 value of the MKI Above table is modified table from RFC3711 section 8.2. 4. Key exchange protocol This new definition of SRTP protocol will also require changes to key exchange protocols like RFC4568 (Security Descriptions for Media Streams). For example crypto parameter as per RFC4568 shall be part of key definition. Following example is only suggestive and does not define the required syntax. (example is taken from RFC4568 section 7.1.5.) Sunil Mahajan Expires June 21, 2006 [Page 5] Internet-Draft SRTP Selective Encryption June 2006 v=0 o=sam 2890844526 2890842807 IN IP4 10.47.16.5 s=SRTP Discussion i=A discussion of Secure RTP u=http://www.example.com/seminars/srtp.pdf e=marge@example.com (Marge Simpson) c=IN IP4 168.2.17.12 t=2873397496 2873404696 m=audio 49170 RTP/SAVP 0 a=crypto:1 F8_128_HMAC_SHA1_80 inline:MTIzNDU2Nzg5QUJDREUwMTIzNDU2Nzg5QUJjZGVm|2^20|1:4; crypto:1 AES_CM_128_HMAC_SHA1_80 inline:QUJjZGVmMTIzNDU2Nzg5QUJDREUwMTIzNDU2Nzg5|2^20|2:4 FEC_ORDER=FEC_SRTP For two endpoints agreeing to use selective encryption, one of the key parameter shall carry NULL Cipher and NULL key. 5. Security Considerations Selective Encryption with SRTP is an optional feature of SRTP and shall be used only if participating end points agree to use it. Algorithm to do selective encryption will determine effectiveness of this mechanism and overall security of the media. Well established mechanism of selective encryption shall be used. 6. Acknowledgements Thanks to Armstrong M and Senthil Gurusamy for fruitful discussions and inputs. 7. References [RFC3261] Rosenberg, J., Schulzrinne, H., Camarillo, G., Johnston, A., Peterson, J., Sparks, R., Handley, M., and E. Schooler, "SIP: Session Initiation Protocol", RFC 3261, June 2002. Sunil Mahajan Expires June 21, 2006 [Page 6] Internet-Draft SRTP Selective Encryption June 2006 [RFC3550] Schulzrinne, H., Casner, S., Frederick, R., and V. Jacobson, "RTP: A Transport Protocol for Real-Time Applications", STD 64, RFC 3550, July 2003. [RFC3711] Baugher, M., McGrew, D., Naslund, M., Carrara, E., and K. Norrman, "The Secure Real-time Transport Protocol (SRTP)", RFC 3711, March 2004. [RFC4568] Andreasen, F., Baugher, M., and D. Wing, "Session Description Protocol Security Descriptions for Media Streams", Authors' Addresses Sunil Mahajan Aricent Plot#31, Sector 18, Electronic City Gurgaon, Haryana INDIA Phone: +91-124-2346666 Email: sunil.mahajan@arcient.com Shyam SBK Gupta Pallapothu Aricent 9th Floor, Gamma Block, Sigma Soft Tech park, Varthur, Bangalore, Karnataka, INDIA Email: shyam.pallapothu@aricent.com Sunil Mahajan Expires June 21, 2006 [Page 7] Internet-Draft SRTP Selective Encryption June 2006 Intellectual Property Statement The IETF takes no position regarding the validity or scope of any Intellectual Property Rights or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; nor does it represent that it has made any independent effort to identify any such rights. Information on the procedures with respect to rights in RFC documents can be found in BCP 78 and BCP 79. Copies of IPR disclosures made to the IETF Secretariat and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementers or users of this specification can be obtained from the IETF on-line IPR repository at http://www.ietf.org/ipr. The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights that may cover technology that may be required to implement this standard. Please address the information to the IETF at ietf-ipr@ietf.org. Disclaimer of Validity This document and the information contained herein are provided on an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Copyright Statement Copyright (C) The IETF Trust (2006). This document is subject to the rights, licenses and restrictions contained in BCP 78, and except as set forth therein, the authors retain all their rights. Sunil Mahajan Expires June 21, 2006 [Page 8]