| RFC 8723 | Double SRTP | April 2020 |
| Jennings, et al. | Standards Track | [Page] |
In some conferencing scenarios, it is desirable for an intermediaryto be able to manipulate some parameters in Real-time Transport Protocol (RTP)packets, while still providing strong end-to-end securityguarantees. This document defines a cryptographic transform for theSecure Real-time Transport Protocol (SRTP) that uses two separate but relatedcryptographic operations to provide hop-by-hop and end-to-endsecurity guarantees. Both the end-to-end and hop-by-hopcryptographic algorithms can utilize an authenticated encryptionwith associated data (AEAD) algorithm or take advantage of future SRTPtransforms with different properties.¶
This is an Internet Standards Track document.¶
This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Further information on Internet Standards is available in Section 2 of RFC 7841.¶
Information about the current status of this document, any errata, and how to provide feedback on it may be obtained athttps://www.rfc-editor.org/info/rfc8723.¶
Copyright (c) 2020 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.¶
Cloud conferencing systems that are based on switched conferencinghave a central Media Distributor (MD) device that receives media fromendpoints and distributes it to other endpoints, but does not needto interpret or change the media content. For these systems, it isdesirable to have one cryptographic key that enables encryption andauthentication of the mediaend-to-end while still allowing certain information in the header ofan RTP packet to be changed by the MD. At the same time, a separate cryptographic keyprovides integrity and optional confidentiality for the mediaflowing between the MD and the endpoints. Theframework document[PRIVATE-MEDIA-FRAMEWORK]describes this concept in more detail.¶
This specification defines a transform for SRTP that uses 1) the AES Galois/Counter Mode (AES-GCM) algorithm[RFC7714] toprovide encryption and integrity for an RTP packet for theend-to-end cryptographic key and 2) a hop-by-hop cryptographicencryption and integrity between the endpoint and the MD. The MD decrypts and checks integrity ofthe hop-by-hop security. The MDMAY change some ofthe RTP header information that would impact the end-to-endintegrity. In that case, the original value of any RTP header fieldthat is changed is included in an "Original Header Block" that isadded to the packet. The new RTP packet is encrypted with thehop-by-hop cryptographic algorithm before it is sent. The receivingendpoint decrypts and checks integrity using the hop-by-hopcryptographic algorithm and then replaces any parameters the MD changed using the information in the Original HeaderBlock before decrypting and checking the end-to-end integrity.¶
One can think of the double transform as a normal SRTP transform for encryptingthe RTP in a way such that things that only know half of the key, candecrypt and modify part of the RTP packet but not other parts,including the media payload.¶
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14[RFC2119][RFC8174] when, and only when, they appear in all capitals, as shown here.¶
Terms used throughout this document include:¶
This specification uses a cryptographic context with two parts:¶
TheRECOMMENDED cipher for the hop-by-hop and end-to-end algorithms isAES-GCM. Other combinations of SRTP ciphers that support theprocedures in this document can be added to the IANA registry.¶
The keys and salt for these algorithms are generated with the followingsteps:¶
If the MD is to be able to modify header fields butnot decrypt the payload, then it must have a cryptographic key for theouter algorithm but not the inner (end-to-end) algorithm. Thisdocument does not define how the MD should beprovisioned with this information. One possible way to providekeying material for the outer (hop-by-hop) algorithm is to use[DTLS-TUNNEL].¶
Although SRTP uses a single master key to derive keys for an SRTPsession, this transform requires separate inner and outer keys.In order to allow the inner and outer keys to be managedindependently via the master key, the transforms defined in thisdocumentMUST be used with the following pseudorandom function(PRF), which preserves the separation between the two halves of thekey. Given a positive integern representing the desired outputlength, a master keyk_master, and an inputx:¶
PRF_double_n(k_master,x) = PRF_(n/2)(inner(k_master),x) || PRF_(n/2)(outer(k_master),x)¶
HerePRF_double_n(k_master, x) represents the AES_CM PRF Key Derivation Function (KDF) (seeSection 4.3.3 of [RFC3711]) forDOUBLE_AEAD_AES_128_GCM_AEAD_AES_128_GCM algorithm andAES_256_CM_PRF KDF[RFC6188] for DOUBLE_AEAD_AES_256_GCM_AEAD_AES_256_GCMalgorithm. The terminner(k_master) represents the first half ofthe key;outer(k_master)represents the second half of the key.¶
The OHB contains the original values of anymodified RTP header fields. In the encryption process, the OHB isincluded in an SRTP packet as described inSection 5. In thedecryption process, the receiving endpoint uses it to reconstructthe original RTP header so that it can pass the proper additional authenticated data (AAD) value tothe inner transform.¶
The OHB can reflect modifications to the following fields in an RTP header: thepayload type (PT), the SEQ, and the marker bit. All other fields in theRTP headerMUST remain unmodified; since the OHB cannot reflect their originalvalues, the receiver will be unable to verify the end-to-end integrity of the packet.¶
The OHB has the following syntax (in ABNF[RFC5234]):¶
OCTET = %x00-FFPT = OCTETSEQ = 2OCTETConfig = OCTETOHB = [ PT ] [ SEQ ] Config¶
If present, the PT and SEQ parts of the OHB contain the original payload typeand sequence number fields, respectively. The final "Config" octet of the OHBspecifies whether these fields are present, and the original value of themarker bit (if necessary):¶
+-+-+-+-+-+-+-+-+|R R R R B M P Q|+-+-+-+-+-+-+-+-+¶
In particular, an all-zero OHB Config octet (0x00) indicates thatthere have been no modifications from the original header.¶
If the marker bit is not present (M=0), thenBMUST be set to zero.That is, ifC represents the value of the Config octet, then themasked valueC & 0x0CMUST NOT have the value0x80.¶
As implied by the use of the word "double" above, this transformapplies AES-GCM to the SRTP packet twice. This allows mediadistributors to be able to modify some header fields while allowingendpoints to verify the end-to-end integrity of a packet.¶
The first, "inner" application of AES-GCM encrypts the SRTP payloadand protects the integrity of a version of the SRTP header with extensionstruncated. Omitting extensions from the inner integrity check meansthat they can be modified by an MD holding only the outer key.¶
The second, "outer" application of AES-GCM encrypts the ciphertextproduced by the inner encryption (i.e., the encrypted payload andauthentication tag), plus an OHB that expresses any changes madebetween the inner and outer transforms.¶
An MD that has the outer key but not the inner key maymodify the header fields that can be included in the OHB bydecrypting, modifying, and re-encrypting the packet.¶
An endpoint encrypts a packet by using the inner (end-to-end)cryptographic key and then the outer (hop-by-hop) cryptographic key.The encryption also supports a modefor repair packets that only does the outer (hop-by-hop) encryption.The processes is as follows:¶
Form a synthetic RTP packet with the following contents:¶
0x00) to the encryptedpayload (with the authentication tag) obtained fromstep 4.¶When using Encrypted Key Transport (EKT)[EKT-SRTP], the EKTField comesafter the SRTP packet, exactly like using EKT with any other SRTPtransform.¶
The MD has the part of the key for the outer(hop-by-hop) cryptographic algorithm, but it does not have the partof the key for the inner (end-to-end) cryptographic algorithm. Thecryptographic algorithm and key used to decrypt a packet andany encrypted RTP header extensions would be the same as thoseused in the endpoint's outer algorithm and key.¶
In order to modify a packet, the MD decrypts thereceived packet, modifies the packet, updates the OHB withany modifications not already present in the OHB, and re-encryptsthe packet using the outer (hop-by-hop) cryptographic keybefore transmitting using the following steps:¶
Reflect any changes to header fields in the OHB:¶
In order to avoid nonce reuse, the cryptographic contexts used in steps1 and4MUST use different, independent master keys. Notethat this means that the key used for decryption by the MDMUST bedifferent from the key used for re-encryption to the end recipient.¶
Note that if multiple MDs modify the same packet, then the first MDto alter a given header field is the one that adds it to the OHB.If a subsequent MD changes the value of a header field that hasalready been changed, then the original value will already be in theOHB, so no update to the OHB is required.¶
An MD that decrypts, modifies, and re-encryptspackets in this wayMUST use an independent key for each recipient,andMUST NOT re-encrypt the packet using the sender's keys. If theMD decrypts and re-encrypts with the same key andsalt, it will result in the reuse of a (key, nonce) pair,undermining the security of AES-GCM.¶
To decrypt a packet, the endpoint first decrypts and verifies usingthe outer (hop-by-hop) cryptographic key, then uses the OHB toreconstruct the original packet, which it decrypts and verifies withthe inner (end-to-end) cryptographic key using the following steps:¶
Form a new synthetic SRTP packet with:¶
Once the packet has been successfully decrypted, the application needsto be careful about which information it uses to get the correctbehavior. The applicationMUST use only the information found in thesynthetic SRTP packet andMUST NOT use the other data that was in theouter SRTP packet with the following exceptions:¶
The PT and sequence number from the inner SRTP packet can be used forcollection of various statistics.¶
If the RTP header of the outer packet contains extensions, theyMAYbe used. However, because extensions are not protected end-to-end,implementationsSHOULD reject an RTP packet containing headers thatwould require end-to-end protection.¶
Unlike RTP, which is encrypted both hop-by-hop and end-to-end usingtwo separate cryptographic keys, RTCP is encrypted using only the outer(hop-by-hop) cryptographic key. The procedures for RTCP encryptionare specified in[RFC3711], and this document introduces noadditional steps.¶
MDs sometimes interact with RTP media packets sentby endpoints, e.g., to provide recovery or receive commands viadual-tone multi-frequency (DTMF) signaling. When media packets are encrypted end-to-end, these proceduresrequire modification. (End-to-end interactions, includingend-to-end recovery, are not affected by end-to-end encryption.)¶
Repair mechanisms, in general, will need to perform recovery onencrypted packets (double-encrypted when using this transform),since the MD does not have access to the plaintext ofthe packet, only an intermediate, E2E-encrypted form.¶
When the recovery mechanism calls for the recovery packet itself tobe encrypted, it is encrypted with only the outer, hop-by-hop key. Thisallows an MD to generate recovery packets withouthaving access to the inner, end-to-end keys. However, it also results inrecovery packets being triple-encrypted, twice for the basetransform, and once for the recovery protection.¶
When using RTX[RFC4588] with the double transform, the cached payloadsMUST be thedouble-encrypted packets, i.e., the bits that are sent over the wire to theother side. When encrypting a retransmission packet, itMUST beencrypted like a packet in repair mode (i.e., with only the hop-by-hop key).¶
If the MD were to cache the inner, E2E-encryptedpayload and retransmit it with an RTX original sequence number field prepended, thenthe modifications to the payload would cause the inner integritycheck to fail at the receiver.¶
A typical RTX receiver would decrypt the packet, undo the RTXtransformation, then process the resulting packet normally byusing the steps inSection 5.3.¶
When using RED[RFC2198] with the double transform, the processing at the senderand receiver is the same as when using RED with any other SRTPtransform.¶
The main difference between the double transform and any other transform is thatin an intermediated environment, usage of RED must be end-to-end. An MD cannot synthesize RED packets, because it lacksaccess to the plaintext media payloads that are combined to form aRED payload.¶
Note that Flexible Forward Error Correction (Flex FEC) may often provide similar or better repaircapabilities compared to RED. For most applications, Flex FEC is abetter choice than RED; in particular, Flex FEC has modes in whichthe MD can synthesize recovery packets.¶
When using Flex FEC[RFC8627] withthe double transform, repair packetsMUST be constructed by firstdouble-encrypting the packet, then performing FEC. Processing ofrepair packets proceeds in the opposite order, performing FECrecovery and then decrypting. This ensures that the original mediais not revealed to the MD but, at the same time, allowsthe MD to repair media. When encrypting a packetthat contains the Flex FEC data, which is already encrypted, itMUSTbe encrypted with only the outer, hop-by-hop transform.¶
The algorithm recommended in[WEBRTC-FEC] for repair of videois Flex FEC[RFC8627]. Note that forinteroperability with WebRTC,[WEBRTC-FEC] recommends notusing additional FEC-only "m=" lines in SDP for the repair packets.¶
This specification recommends and defines AES-GCM as both the innerand outer cryptographic algorithms, identified asDOUBLE_AEAD_AES_128_GCM_AEAD_AES_128_GCM andDOUBLE_AEAD_AES_256_GCM_AEAD_AES_256_GCM. These algorithms provide forauthenticated encryption and will consume additional processing timedouble-encrypting for hop-by-hop and end-to-end. However, theapproach is secure and simple; thus, it is viewed as an acceptabletrade-off in processing efficiency.¶
Note that names for the cryptographic transforms are of the formDOUBLE_(inner algorithm)_(outer algorithm).¶
While this document only defines a profile based on AES-GCM, it ispossible for future documents to define further profiles withdifferent inner and outer algorithms in this same framework. For example,if a new SRTP transform were defined that encrypts some or all of theRTP header, it would be reasonable for systems to have the option ofusing that for the outer algorithm. Similarly, if a new transform weredefined that provided only integrity, that would also be reasonable touse for the outer transform as the payload data is already encrypted by theinner transform.¶
The AES-GCM cryptographic algorithm introduces an additional 16octets to the length of the packet. When using AES-GCM for both theinner and outer cryptographic algorithms, the total additionallength is 32 octets. The OHB will consume an additional 1-4 octets.Packets in repair mode will carry additional repair data, furtherincreasing their size.¶
This SRTP transform provides protection against two classes ofattacker: a network attacker that knows neither the inner nor outerkeys and a malicious MD that knows the outer key. Obviously, itprovides no protections against an attacker that holds both theinner and outer keys.¶
The protections with regard to the network are the same as with thenormal SRTP AES-GCM transforms. The major difference is that thedouble transforms are designed to work better in a group context.In such contexts, it is important to note that because thesetransforms are symmetric, they do not protect against attacks withinthe group. Any member of the group can generate valid SRTP packetsfor any SSRC in use by the group.¶
With regard to a malicious MD, the recipient can verify theintegrity of the base header fields and confidentiality andintegrity of the payload. The recipient has no assurance, however,of the integrity of the header extensions in the packet.¶
The main innovation of this transform relative to other SRTPtransforms is that it allows a partly trusted MD to decrypt, modify,and re-encrypt a packet. When this is done, the cryptographiccontexts used for decryption and re-encryptionMUST use different,independent master keys. If the same context isused, the nonce formation rules for SRTP will cause the same key andnonce to be used with two different plaintexts, which substantiallydegrades the security of AES-GCM.¶
In other words, from the perspective of the MD, re-encryptingpackets using this protocol will involve the same cryptographicoperations as if it had established independent AES-GCM cryptocontexts with the sender and the receiver. This property allowsthe use of an MD that supports AES-GCM but does not modify anyheader fields, without requiring any modification to the MD.¶
IANA has added the following protection profiles to the"DTLS-SRTP Protection Profiles" registry defined in[RFC5764].¶
| Value | Profile | Reference |
|---|---|---|
| {0x00, 0x09} | DOUBLE_AEAD_AES_128_GCM_AEAD_AES_128_GCM | RFC 8723 |
| {0x00, 0x0A} | DOUBLE_AEAD_AES_256_GCM_AEAD_AES_256_GCM | RFC 8723 |
The SRTP transform parameters for each of these protection profiles are:¶
| DOUBLE_AEAD_AES_128_GCM_AEAD_AES_128_GCM | |
|---|---|
| cipher: | AES_128_GCM then AES_128_GCM |
| cipher_key_length: | 256 bits |
| cipher_salt_length: | 192 bits |
| aead_auth_tag_length: | 256 bits |
| auth_function: | NULL |
| auth_key_length: | N/A |
| auth_tag_length: | N/A |
| maximum lifetime: | at most 231 SRTCP packets and at most 248 SRTP packets |
| DOUBLE_AEAD_AES_256_GCM_AEAD_AES_256_GCM | |
|---|---|
| cipher: | AES_256_GCM then AES_256_GCM |
| cipher_key_length: | 512 bits |
| cipher_salt_length: | 192 bits |
| aead_auth_tag_length: | 256 bits |
| auth_function: | NULL |
| auth_key_length: | N/A |
| auth_tag_length: | N/A |
| maximum lifetime: | at most 231 SRTCP packets and at most 248 SRTP packets |
The first half of the key and salt is used for the inner (end-to-end)algorithm and the second half is used for the outer (hop-by-hop)algorithm.¶
The following figures show a double-encrypted SRTP packet. The sidesindicate the parts of the packet that are encrypted and authenticatedby the hop-by-hop and end-to-end operations.¶
0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |V=2|P|X| CC |M| PT | sequence number | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | timestamp | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | synchronization source (SSRC) identifier | +=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ | contributing source (CSRC) identifiers | | .... | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | RTP extension (OPTIONAL) ... |+>+>+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+O I | payload ... |O I | +-------------------------------+O I | | RTP padding | RTP pad count |O +>+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+O | | E2E authentication tag |O | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+O | | OHB ... |+>| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+| | | HBH authentication tag || | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+| || +- E2E Encrypted Portion|+--- HBH Encrypted Portion¶
0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<+<+|V=2|P|X| CC |M| PT | sequence number | I O+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ I O| timestamp | I O+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ I O| synchronization source (SSRC) identifier | I O+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ I O| contributing source (CSRC) identifiers | I O| .... | I O+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<+ O| RTP extension (OPTIONAL) ... | | O+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<+ O| payload ... | I O| +-------------------------------+ I O| | RTP padding | RTP pad count | I O+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<+ O| E2E authentication tag | | O+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | O| OHB ... | | O+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |<+| HBH authentication tag | | |+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | | | E2E Authenticated Portion ---+ | | HBH Authenticated Portion -----+¶
Thank you toAlex Gouaillard,David Benham,Magnus Westerlund,Nils Ohlmeier,Roni Even, andSuhas Nandakumar for reviews and improvements to this specification. In addition, thank you toSergio Garcia Murillo, who proposed the change of transporting the OHBinformation in the RTP payload instead of the RTP header.¶