| RFC 9605 | SFrame | August 2024 |
| Omara, et al. | Standards Track | [Page] |
This document describes the Secure Frame (SFrame) end-to-end encryption andauthentication mechanism for media frames in a multiparty conference call, inwhich central media servers (Selective Forwarding Units or SFUs) can access themedia metadata needed to make forwarding decisions without having access to theactual media.¶
This mechanism differs from the Secure Real-Time Protocol (SRTP) in thatit is independent of RTP (thus compatible with non-RTP media transport) and canbe applied to whole media frames in order to be more bandwidth efficient.¶
This is an Internet Standards Track document.¶
This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Further information on Internet Standards is available in Section 2 of RFC 7841.¶
Information about the current status of this document, any errata, and how to provide feedback on it may be obtained athttps://www.rfc-editor.org/info/rfc9605.¶
Copyright (c) 2024 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License.¶
Modern multiparty video call systems use Selective Forwarding Unit (SFU)servers to efficiently route media streams to call endpoints based on factors suchas available bandwidth, desired video size, codec support, and other factors. AnSFU typically does not need access to the media content of the conference,which allows the media to be encrypted "end to end" so that it cannot bedecrypted by the SFU. In order for the SFU to work properly, though, it usuallyneeds to be able to access RTP metadata and RTCP feedback messages, which is notpossible if all RTP/RTCP traffic is end-to-end encrypted.¶
As such, two layers of encryption and authentication are required:¶
Hop-by-hop (HBH) encryption of media, metadata, and feedback messagesbetween the endpoints and SFU¶
End-to-end (E2E) encryption (E2EE) of media between the endpoints¶
The Secure Real-Time Protocol (SRTP) is already widely used for HBH encryption[RFC3711]. The SRTP "double encryption" scheme defines a way to do E2Eencryption in SRTP[RFC8723]. Unfortunately, this scheme has poor efficiencyand high complexity, and its entanglement with RTP makes it unworkable inseveral realistic SFU scenarios.¶
This document proposes a new E2EE protection scheme known as SFrame,specifically designed to work in group conference calls with SFUs. SFrame is ageneral encryption framing that can be used to protect media payloads, agnosticof transport.¶
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14[RFC2119][RFC8174] when, and only when, they appear in all capitals, as shown here.¶
We use "Selective Forwarding Unit (SFU)" and "media stream" in a less formal sensethan in[RFC7656]. An SFU is a selective switching function for mediapayloads, and a media stream is a sequence of media payloads,regardless of whether those media payloads are transported over RTP or someother protocol.¶
SFrame is designed to be a suitable E2EE protection scheme for conference callmedia in a broad range of scenarios, as outlined by the following goals:¶
Provide a secure E2EE mechanism for audio and video in conference callsthat can be used with arbitrary SFU servers.¶
Decouple media encryption from key management to allow SFrame to be usedwith an arbitrary key management system.¶
Minimize packet expansion to allow successful conferencing in as manynetwork conditions as possible.¶
Decouple the media encryption framework from the underlying transport,allowing use in non-RTP scenarios, e.g., WebTransport[WEBTRANSPORT].¶
When used with RTP and its associated error-resilience mechanisms, i.e., RTXand Forward Error Correction (FEC), require no special handling for RTX and FEC packets.¶
Minimize the changes needed in SFU servers.¶
Minimize the changes needed in endpoints.¶
Work with the most popular audio and video codecs used in conferencingscenarios.¶
This document defines an encryption mechanism that provides effective E2EE,is simple to implement, has no dependencies on RTP, and minimizesencryption bandwidth overhead. This section describes how the mechanismworks and includes details of how applications utilize SFrame for media protectionas well as the actual mechanics of E2EE for protecting media.¶
SFrame is a general encryption framing, intended to be used as an E2EElayer over an underlying HBH-encrypted transport such as SRTP or QUIC[RFC3711][MOQ-TRANSPORT].¶
The scale at which SFrame encryption is applied to media determines the overallamount of overhead that SFrame adds to the media stream as well as theengineering complexity involved in integrating SFrame into a particularenvironment. Two patterns are common: using SFrame to encrypt either wholemedia frames (per frame) or individual transport-level media payloads(per packet).¶
For example,Figure 1 shows a typical media sender stack that takes mediafrom some source, encodes it into frames, divides those frames into mediapackets, and then sends those payloads in SRTP packets. The receiver stackperforms the reverse operations, reassembling frames from SRTP packets anddecoding. Arrows indicate two different ways that SFrame protection could beintegrated into this media stack: to encrypt whole frames or individual mediapackets.¶
Applying SFrame per frame in this system offers higher efficiency but mayrequire a more complex integration in environments where depacketization relieson the content of media packets. Applying SFrame per packet avoids thiscomplexity at the cost of higher bandwidth consumption. Some quantitativediscussion of these trade-offs is provided inAppendix B.¶
As noted above, however, SFrame is a general media encapsulation and can beapplied in other scenarios. The important thing is that the sender andreceivers of an SFrame-encrypted object agree on that object's semantics.SFrame does not provide this agreement; it must be arranged by the application.¶
Like SRTP, SFrame does not define how the keys used for SFrame are exchanged bythe parties in the conference. Keys for SFrame might be distributed over anexisting E2E-secure channel (seeSection 5.1) or derived from an E2E-secureshared secret (seeSection 5.2). The key management systemMUST ensure that eachkey used for encrypting media is used by exactly one media sender in order toavoid reuse of nonces.¶
An SFrame ciphertext comprises an SFrame header followed by the output of anAuthenticated Encryption with Associated Data (AEAD) encryption of the plaintext[RFC5116], with the header provided as additionalauthenticated data (AAD).¶
The SFrame header is a variable-length structure described in detail inSection 4.3. The structure of the encrypted data and authentication tagare determined by the AEAD algorithm in use.¶
When SFrame is applied per packet, the payload of each packet will be an SFrameciphertext. When SFrame is applied per frame, the SFrame ciphertextrepresenting an encrypted frame will span several packets, with the headerappearing in the first packet and the authentication tag in the last packet.It is the responsibility of the application to reassemble an encrypted frame fromindividual packets, accounting for packet loss and reordering as necessary.¶
The SFrame header specifies two values from which encryption parameters arederived:¶
A Key ID (KID) that determines which encryption key should be used¶
A Counter (CTR) that is used to construct the nonce for the encryption¶
ApplicationsMUST ensure that each (KID, CTR) combination is used for exactlyone SFrame encryption operation. A typical approach to achieve this guarantee isoutlined inSection 9.1.¶
The SFrame header has the overall structure shown inFigure 3. Thefirst byte is a "config byte", with the following fields:¶
Indicates if the K field contains the KID or the KID length.¶
If the X flag is set to 0, this field contains the KID. If the X flag isset to 1, then it contains the length of the KID, minus one.¶
Indicates if the C field contains the CTR or the CTR length.¶
This field contains the CTR if the Y flag is set to 0, or the CTRlength, minus one, if set to 1.¶
The KID and CTR fields are encoded as compact unsigned integers innetwork (big-endian) byte order. If the value of one of these fields is in therange 0-7, then the value is carried in the corresponding bits of the configbyte (K or C) and the corresponding flag (X or Y) is set to zero. Otherwise,the valueMUST be encoded with the minimum number of bytes required andappended after the config byte, with the KID first and CTR second.The header field (K or C) is set to the number of bytes in the encoded value,minus one. The value 000 represents a length of 1, 001 a length of 2, etc.This allows a 3-bit length field to represent the value lengths 1-8.¶
The SFrame header can thus take one of the four forms shown inFigure 4, depending on which of the X and Y flags are set.¶
SFrame encryption uses an AEAD encryption algorithm and hash function defined bythe cipher suite in use (seeSection 4.5). We will refer to the followingaspects of the AEAD and the hash algorithm below:¶
AEAD.Encrypt andAEAD.Decrypt - The encryption and decryption functionsfor the AEAD. We follow the convention of RFC 5116[RFC5116] and considerthe authentication tag part of the ciphertext produced byAEAD.Encrypt (asopposed to a separate field as in SRTP[RFC3711]).¶
AEAD.Nk - The size in bytes of a key for the encryption algorithm¶
AEAD.Nn - The size in bytes of a nonce for the encryption algorithm¶
AEAD.Nt - The overhead in bytes of the encryption algorithm (typically thesize of a "tag" that is added to the plaintext)¶
AEAD.Nka - For cipher suites using the compound AEAD described inSection 4.5.1, the size in bytes of a key for the underlying encryptionalgorithm¶
Hash.Nh - The size in bytes of the output of the hash function¶
Each SFrame encryption or decryption operation is premised on a single secretbase_key, which is labeled with an integer KID value signaled in the SFrameheader.¶
The sender and receivers need to agree on whichbase_key should be used for a givenKID. Moreover, senders and receivers need to agree on whether abase_key will be usedfor encryption or decryption only. The process for provisioningbase_key values and their KIDvalues is beyond the scope of this specification, but its security properties willbound the assurances that SFrame provides. For example, if SFrame is used toprovide E2E security against intermediary media nodes, then SFrame keys need tobe negotiated in a way that does not make them accessible to these intermediaries.¶
For each known KID value, the client stores the corresponding symmetric keybase_key. For keys that can be used for encryption, the client also storesthe next CTR value to be used when encrypting (initially 0).¶
When encrypting a plaintext, the application specifies which KID is to be used,and the CTR value is incremented after successful encryption. When decrypting,thebase_key for decryption is selected from the available keys using the KIDvalue in the SFrame header.¶
A givenbase_keyMUST NOT be used for encryption by multiple senders. Such reusewould result in multiple encrypted frames being generated with the same (key,nonce) pair, which harms the protections provided by many AEAD algorithms.ImplementationsMUST mark eachbase_key as usable for encryption or decryption,never both.¶
Note that the set of available keys might change over the lifetime of areal-time session. In such cases, the client will need to manage key usage toavoid media loss due to a key being used to encrypt before all receivers areable to use it to decrypt. For example, an application may make decryption-onlykeys available immediately, but delay the use of keys for encryption until (a)all receivers have acknowledged receipt of the new key, or (b) a timeout expires.¶
SFrame encryption and decryption use a key and salt derived from thebase_keyassociated with a KID. Given abase_key value, the key and salt are derivedusing HMAC-based Key Derivation Function (HKDF)[RFC5869] as follows:¶
def derive_key_salt(KID, base_key): sframe_secret = HKDF-Extract("", base_key) sframe_key_label = "SFrame 1.0 Secret key " + KID + cipher_suite sframe_key = HKDF-Expand(sframe_secret, sframe_key_label, AEAD.Nk) sframe_salt_label = "SFrame 1.0 Secret salt " + KID + cipher_suite sframe_salt = HKDF-Expand(sframe_secret, sframe_salt_label, AEAD.Nn) return sframe_key, sframe_salt¶In the derivation ofsframe_secret:¶
The+ operator represents concatenation of byte strings.¶
The KID value is encoded as an 8-byte big-endian integer, not the compressedform used in the SFrame header.¶
Thecipher_suite value is a 2-byte big-endian integer representing thecipher suite in use (seeSection 8.1).¶
The hash function used for HKDF is determined by the cipher suite in use.¶
SFrame encryption uses the AEAD encryption algorithm for the cipher suite in use.The key for the encryption is thesframe_key. The nonce is formed by first XORingthesframe_salt with the current CTR value, and then encoding the result as a big-endian integer oflengthAEAD.Nn.¶
The encryptor forms an SFrame header using the CTR and KID values provided.The encoded header is provided as AAD to the AEAD encryption operation, togetherwith application-provided metadata about the encrypted media (seeSection 9.4).¶
def encrypt(CTR, KID, metadata, plaintext): sframe_key, sframe_salt = key_store[KID] # encode_big_endian(x, n) produces an n-byte string encoding the # integer x in big-endian byte order. ctr = encode_big_endian(CTR, AEAD.Nn) nonce = xor(sframe_salt, CTR) # encode_sframe_header produces a byte string encoding the # provided KID and CTR values into an SFrame header. header = encode_sframe_header(CTR, KID) aad = header + metadata ciphertext = AEAD.Encrypt(sframe_key, nonce, aad, plaintext) return header + ciphertext¶
For example, the metadata input to encryption allows for frame metadata to beauthenticated when SFrame is applied per frame. After encoding the frame andbefore packetizing it, the necessary media metadata will be moved out of theencoded frame buffer to be sent in some channel visible to the SFU (e.g., anRTP header extension).¶
Before decrypting, a receiver needs to assemble a full SFrame ciphertext. Whenan SFrame ciphertext is fragmented into multiple parts for transport (e.g.,a whole encrypted frame sent in multiple SRTP packets), the receiving clientcollects all the fragments of the ciphertext, using appropriate sequencingand start/end markers in the transport. Once all of the required fragments areavailable, the client reassembles them into the SFrame ciphertext and passesthe ciphertext to SFrame for decryption.¶
The KID field in the SFrame header is used to find the right key and salt forthe encrypted frame, and the CTR field is used to construct the nonce. The SFramedecryption procedure is as follows:¶
def decrypt(metadata, sframe_ciphertext): KID, CTR, header, ciphertext = parse_ciphertext(sframe_ciphertext) sframe_key, sframe_salt = key_store[KID] ctr = encode_big_endian(CTR, AEAD.Nn) nonce = xor(sframe_salt, ctr) aad = header + metadata return AEAD.Decrypt(sframe_key, nonce, aad, ciphertext)¶
If a ciphertext fails to decrypt because there is no key available for the KIDin the SFrame header, the clientMAY buffer the ciphertext and retry decryptiononce a key with that KID is received. If a ciphertext fails to decrypt for anyother reason, the clientMUST discard the ciphertext. Invalid ciphertextsSHOULD bediscarded in a way that is indistinguishable (to an external observer) from havingprocessed a valid ciphertext. In other words, the SFrame decrypt operationshould take the same amount of time regardless of whether decryption succeeds or fails.¶
Each SFrame session uses a single cipher suite that specifies the followingprimitives:¶
A hash function used for key derivation¶
An AEAD encryption algorithm[RFC5116] used for frame encryption, optionallywith a truncated authentication tag¶
This document defines the following cipher suites, with the constants defined inSection 4.4:¶
| Name | Nh | Nka | Nk | Nn | Nt |
|---|---|---|---|---|---|
AES_128_CTR_HMAC_SHA256_80 | 32 | 16 | 48 | 12 | 10 |
AES_128_CTR_HMAC_SHA256_64 | 32 | 16 | 48 | 12 | 8 |
AES_128_CTR_HMAC_SHA256_32 | 32 | 16 | 48 | 12 | 4 |
AES_128_GCM_SHA256_128 | 32 | n/a | 16 | 12 | 16 |
AES_256_GCM_SHA512_128 | 64 | n/a | 32 | 12 | 16 |
Numeric identifiers for these cipher suites are defined in the IANA registrycreated inSection 8.1.¶
In the suite names, the length of the authentication tag is indicated bythe last value: "_128" indicates a 128-bit tag, "_80" indicatesan 80-bit tag, "_64" indicates a 64-bit tag, and "_32" indicates a32-bit tag.¶
In a session that uses multiple media streams, different cipher suites might beconfigured for different media streams. For example, in order to conservebandwidth, a session might use a cipher suite with 80-bit tags for video framesand another cipher suite with 32-bit tags for audio frames.¶
In order to allow very short tag sizes, we define a synthetic AEAD functionusing the authenticated counter mode of AES together with HMAC forauthentication. We use an encrypt-then-MAC approach, as in SRTP[RFC3711].¶
Before encryption or decryption, encryption and authentication subkeys arederived from the single AEAD key. The overall length of the AEAD key isNka +Nh, whereNka represents the key size for the AES block cipher in use andNhrepresents the output size of the hash function (as inSection 4.4).The encryption subkey comprises the firstNka bytes and the authenticationsubkey comprises the remainingNh bytes.¶
def derive_subkeys(sframe_key): # The encryption key comprises the first Nka bytes enc_key = sframe_key[..Nka] # The authentication key comprises Nh remaining bytes auth_key = sframe_key[Nka..] return enc_key, auth_key¶
The AEAD encryption and decryption functions are then composed of individualcalls to the CTR encrypt function and HMAC. The resulting MAC value is truncatedto a number of bytesNt fixed by the cipher suite.¶
def truncate(tag, n): # Take the first `n` bytes of `tag` return tag[..n]def compute_tag(auth_key, nonce, aad, ct): aad_len = encode_big_endian(len(aad), 8) ct_len = encode_big_endian(len(ct), 8) tag_len = encode_big_endian(Nt, 8) auth_data = aad_len + ct_len + tag_len + nonce + aad + ct tag = HMAC(auth_key, auth_data) return truncate(tag, Nt)def AEAD.Encrypt(key, nonce, aad, pt): enc_key, auth_key = derive_subkeys(key) initial_counter = nonce + 0x00000000 # append four zero bytes ct = AES-CTR.Encrypt(enc_key, initial_counter, pt) tag = compute_tag(auth_key, nonce, aad, ct) return ct + tagdef AEAD.Decrypt(key, nonce, aad, ct): inner_ct, tag = split_ct(ct, tag_len) enc_key, auth_key = derive_subkeys(key) candidate_tag = compute_tag(auth_key, nonce, aad, inner_ct) if !constant_time_equal(tag, candidate_tag): raise Exception("Authentication Failure") initial_counter = nonce + 0x00000000 # append four zero bytes return AES-CTR.Decrypt(enc_key, initial_counter, inner_ct)¶SFrame must be integrated with an E2E key management framework to exchange androtate the keys used for SFrame encryption. The key managementframework provides the following functions:¶
Provisioning KID /base_key mappings to participating clients¶
Updating the above data as clients join or leave¶
It is the responsibility of the application to provide the key managementframework, as described inSection 9.2.¶
If the participants in a call have a preexisting E2E-secure channel, they canuse it to distribute SFrame keys. Each client participating in a call generatesa freshbase_key value that it will use to encrypt media. The client then usesthe E2E-secure channel to send their encryption key to the other participants.¶
In this scheme, it is assumed that receivers have a signal outside of SFrame forwhich client has sent a given frame (e.g., an RTP synchronization source (SSRC)). SFrame KIDvalues are then used to distinguish between versions of the sender'sbase_key.¶
KID values in this scheme have two parts: a "key generation" and a "ratchet step".Both are unsigned integers that begin at zero. The key generation incrementseach time the sender distributes a new key to receivers. The ratchet step isincremented each time the sender ratchets their key forward for forward secrecy:¶
base_key[i+1] = HKDF-Expand( HKDF-Extract("", base_key[i]), "SFrame 1.0 Ratchet", CipherSuite.Nh)¶For compactness, we do not send the whole ratchet step. Instead, we send onlyits low-orderR bits, whereR is a value set by the application. Differentsenders may use different values ofR, but each receiver of a given senderneeds to know what value ofR is used by the sender so that they can recognizewhen they need to ratchet (vs. expecting a new key).R effectively defines areordering window, since no more than 2R ratchet steps can beactive at a given time. The key generation is sent in the remaining64 - Rbits of the KID.¶
KID = (key_generation << R) + (ratchet_step % (1 << R))¶
The sender signals such a ratchet step update by sending with a KID value inwhich the ratchet step has been incremented. A receiver who receives from asender with a new KID computes the new key as above. The old key may be keptfor some time to allow for out-of-order delivery, but should be deletedpromptly.¶
If a new participant joins in the middle of a session, they will need to receivefrom each sender (a) the current sender key for that sender and (b) the currentKID value for the sender. Evicting a participant requires each sender to senda fresh sender key to all receivers.¶
It is the application's responsibility to decide when sender keys are updated. A senderkey may be updated by sending a newbase_key (updating the key generation) orby hashing the currentbase_key (updating the ratchet step). Ratcheting thekey forward is useful when adding new receivers to an SFrame-based interaction,since it ensures that the new receivers can't decrypt any media encrypted beforethey were added. If a sender wishes to assure the opposite property whenremoving a receiver (i.e., ensuring that the receiver can't decrypt media afterthey are removed), then the sender will need to distribute a new sender key.¶
The Messaging Layer Security (MLS) protocol provides group authenticated keyexchange[MLS-ARCH][MLS-PROTO]. Inprinciple, it could be used to instantiate the sender key scheme above, but itcan also be used more efficiently directly.¶
MLS creates a linear sequence of keys, each of which is shared among the membersof a group at a given point in time. When a member joins or leaves the group, anew key is produced that is known only to the augmented or reduced group. Eachstep in the lifetime of the group is known as an "epoch", and each member of thegroup is assigned an "index" that is constant for the time they are in thegroup.¶
To generate keys and nonces for SFrame, we use the MLS exporter function togenerate abase_key value for each MLS epoch. Each member of the group isassigned a set of KID values so that each member has a uniquesframe_key andsframe_salt that it uses to encrypt with. Senders may choose any KID valuewithin their assigned set of KID values, e.g., to allow a single sender to sendmultiple, uncoordinated outbound media streams.¶
base_key = MLS-Exporter("SFrame 1.0 Base Key", "", AEAD.Nk)¶For compactness, we do not send the whole epoch number. Instead, we send onlyits low-orderE bits, whereE is a value set by the application.Eeffectively defines a reordering window, since no more than 2Eepochs can be active at a given time. To handle rollover of the epoch counter,receiversMUST remove an old epoch when a new epoch with the same low-orderE bits is introduced.¶
LetS be the number of bits required to encode a member index in the group,i.e., the smallest value such thatgroup_size <= (1 << S). The sender indexis encoded in theS bits above the epoch. The remaining64 - S - E bits ofthe KID value are acontext value chosen by the sender (context value0 willproduce the shortest encoded KID).¶
KID = (context << (S + E)) + (sender_index << E) + (epoch % (1 << E))¶
Once an SFrame stack has been provisioned with thesframe_epoch_secret for anepoch, it can compute the required KID values on demand (as well as theresulting SFrame keys/nonces derived from thebase_key and KID) as it needsto encrypt or decrypt for a given member.¶
SFUs (e.g., those described inSection 3.7 of [RFC7667]) receive the media streams from each participant and select whichones should be forwarded to each of the other participants. There are severalapproaches for stream selection, but in general, the SFU needs to accessmetadata associated with each frame and modify the RTP information of the incomingpackets when they are transmitted to the received participants.¶
This section describes how these normal SFU modes of operation interact with theE2EE provided by SFrame.¶
The SFU may choose to send only a certain number of streams based on the voiceactivity of the participants. To avoid the overhead involved in establishing newtransport streams, the SFU may decide to reuse previously existing streams oreven pre-allocate a predefined number of streams and choose in each moment intime which participant media will be sent through it.¶
This means that the same transport-level stream (e.g., an RTP stream definedby either SSRC or Media Identification (MID)) may carry media from differentstreams of different participants. Because each participant uses a different keyto encrypt their media, the receiver will be able to verify the sender of themedia within the RTP stream at any given point in time. Thus the receiver willcorrectly associate the media with the sender indicated by the authenticatedSFrame KID value, irrespective of how the SFU transmits the media to the client.¶
Note that in order to prevent impersonation by a malicious participant (not theSFU), a mechanism based on digital signature would be required. SFrame does notprotect against such attacks.¶
When using simulcast, the same input image will produce N different encodedframes (one per simulcast layer), which would be processed independently by theframe encryptor and assigned an unique CTR value for each.¶
In both temporal and spatial scalability, the SFU may choose to drop layers inorder to match a certain bitrate or to forward specific media sizes or frames persecond. In order to support the SFU selectively removing layers, the senderMUSTencapsulate each layer in a different SFrame ciphertext.¶
Forward security and post-compromise security require that the E2EE keys (base keys)are updated any time a participant joins or leaves the call.¶
The key exchange happens asynchronously and on a different path than the SFU signalingand media. So it may happen that when a new participant joins the call and theSFU side requests a key frame, the sender generates the E2EE framewith a key that is not known by the receiver, so it will be discarded. When the senderupdates his sending key with the new key, it will send it in a non-key frame, sothe receiver will be able to decrypt it, but not decode it.¶
The new receiver will then re-request a key frame, but due to sender and SFUpolicies, that new key frame could take some time to be generated.¶
If the sender sends a key frame after the new E2EE key is in use, the timerequired for the new participant to display the video is minimized.¶
Note that this issue does not arise for media streams that do not havedependencies among frames, e.g., audio streams. In these streams, each frame isindependently decodable, so a frame never depends on another frame that might beon the other side of a key rotation.¶
Some codecs support partial decoding, where individual packets can be decodedwithout waiting for the full frame to arrive. When SFrame is applied per frame,partial decoding is not possible because the decoder cannot access data until an entireframe has arrived and has been decrypted.¶
SFrame provides integrity protection to the SFrame header (the KID andCTR values), but it does not provide confidentiality protection. Parties thatcan observe the SFrame header may learn, for example, which parties are sendingSFrame payloads (from KID values) and at what rates (from CTR values). In caseswhere SFrame is used for end-to-end security on top of hop-by-hop protections(e.g., running over SRTP as described inAppendix B.5), the hop-by-hop securitymechanisms provide confidentiality protection of the SFrame header between hops.¶
SFrame does not provide per-sender authentication of media data. Any sender ina session can send media that will be associated with any other sender. This isbecause SFrame uses symmetric encryption to protect media data, so that anyreceiver also has the keys required to encrypt packets for the sender.¶
The specifics of key management are beyond the scope of this document. However, every clientSHOULD change their keys when new clients join or leave the call for forwardsecrecy and post-compromise security.¶
The handling of replay is out of the scope of this document. However, sendersMUST reject requests to encrypt multiple times with the same key and noncesince several AEAD algorithms fail badly in such cases (see, e.g.,Section 5.1.1 of [RFC5116]).¶
The SFrame cipher suites based on AES-CTR allow for the use of shortauthentication tags, which bring a higher risk that an attacker will beable to cause an SFrame receiver to accept an SFrame ciphertext of theattacker's choosing.¶
Assuming that the authentication properties of the cipher suite are robust, theonly attack that an attacker can mount is an attempt to find an acceptable(ciphertext, tag) combination through brute force. Such a brute-force attackwill have an expected success rate of the following form:¶
attacker_success_rate = attempts_per_second / 2^(8*Nt)¶
For example, a gigabit Ethernet connection is able to transmit roughly 220packets per second. If an attacker saturated such a link with guesses against a32-bit authentication tag (Nt=4), then the attacker would succeed on averageroughly once every 212 seconds, or about once an hour.¶
In a typical SFrame usage in a real-time media application, there are a fewapproaches to mitigating this risk:¶
Receivers only accept SFrame ciphertexts over HBH-secure channels (e.g., SRTPsecurity associations or QUIC connections). If this is the case, only anentity that is part of such a channel can mount the above attack.¶
The expected packet rate for a media stream is very predictable (and typicallyfar lower than the above example). On the one hand, attacks at this rate willsucceed even less often than the high-rate attack described above. On theother hand, the application may use an elevated packet arrival rate as asignal of a brute-force attack. This latter approach is common in othersettings, e.g., mitigating brute-force attacks on passwords.¶
Media applications typically do not provide feedback to media senders as towhich media packets failed to decrypt. When media-quality feedbackmechanisms are used, decryption failures will typically appear as packetlosses, but only at an aggregate level.¶
Anti-replay mechanisms (seeSection 7.4) prevent the attacker from reusingvalid ciphertexts (either observed or guessed by the attacker). A receiverapplying anti-replay controls will only accept one valid plaintext per CTRvalue. Since the CTR value is covered by SFrame authentication, an attackerhas to do a fresh search for a valid tag for every forged ciphertext, even ifthe encrypted content is unchanged. In other words, when the above brute-forceattack succeeds, it only allows the attacker to send a single SFrameciphertext; the ciphertext cannot be reused because either it will have thesame CTR value and be discarded as a replay, or else it will have a differentCTR value and its tag will no longer be valid.¶
Nonetheless, without these mitigations, an application that makes use of shorttags will be at heightened risk of forgery attacks. In many cases, it issimpler to use full-size tags and tolerate slightly higher bandwidth usagerather than to add the additional defenses necessary to safely use short tags.¶
IANA has created a new registry called "SFrame Cipher Suites" (Section 8.1)under the "SFrame" group registry heading.¶
The "SFrame Cipher Suites" registry lists identifiers for SFrame cipher suites as defined inSection 4.5. The cipher suite field is two bytes wide, so the valid ciphersuites are in the range 0x0000 to 0xFFFF. Except as noted below, assignments are madevia the Specification Required policy[RFC8126].¶
The registration template is as follows:¶
Value: The numeric value of the cipher suite¶
Name: The name of the cipher suite¶
Recommended: Whether support for this cipher suite is recommended by the IETF.Valid values are "Y", "N", and "D" as described inSection 17.1 of [MLS-PROTO]. The default value of the "Recommended" column is "N". Setting theRecommended item to "Y" or "D", or changing an item whose current value is "Y"or "D", requires Standards Action[RFC8126].¶
Reference: The document where this cipher suite is defined¶
Change Controller: Who is authorized to update the row in the registry¶
Initial contents:¶
| Value | Name | R | Reference | Change Controller |
|---|---|---|---|---|
| 0x0000 | Reserved | - | RFC 9605 | IETF |
| 0x0001 | AES_128_CTR_HMAC_SHA256_80 | Y | RFC 9605 | IETF |
| 0x0002 | AES_128_CTR_HMAC_SHA256_64 | Y | RFC 9605 | IETF |
| 0x0003 | AES_128_CTR_HMAC_SHA256_32 | Y | RFC 9605 | IETF |
| 0x0004 | AES_128_GCM_SHA256_128 | Y | RFC 9605 | IETF |
| 0x0005 | AES_256_GCM_SHA512_128 | Y | RFC 9605 | IETF |
| 0xF000 - 0xFFFF | Reserved for Private Use | - | RFC 9605 | IETF |
To use SFrame, an application needs to define the inputs to the SFrameencryption and decryption operations, and how SFrame ciphertexts are deliveredfrom sender to receiver (including any fragmentation and reassembly). In thissection, we lay out additional requirements that an application must meet inorder for SFrame to operate securely.¶
In general, an application using SFrame is responsible for configuring SFrame.The application must first define when SFrame is applied at all. When SFrame isapplied, the application must define which cipher suite is to be used. If newversions of SFrame are defined in the future, it will be the application's responsibilityto determine which version should be used.¶
This division of responsibilities is similar to the way other media parameters(e.g., codecs) are typically handled in media applications, in the sense thatthey are set up in some signaling protocol and not described in the media.Applications might find it useful to extend the protocols used for negotiatingother media parameters (e.g., Session Description Protocol (SDP)[RFC8866]) to also negotiate parameters forSFrame.¶
ApplicationsMUST ensure that each (base_key, KID, CTR) combination is usedfor at most one SFrame encryption operation. This ensures that the (key, nonce)pairs used by the underlying AEAD algorithm are never reused. Typically this isdone by assigning each sender a KID or set of KIDs, then having each sender usethe CTR field as a monotonic counter, incrementing for each plaintext that isencrypted. In addition to its simplicity, this scheme minimizes overhead bykeeping CTR values as small as possible.¶
In applications where an SFrame context might be written to persistent storage,this context needs to include the last-used CTR value. When the context is usedlater, the application should use the stored CTR value to determine the next CTRvalue to be used in an encryption operation, and then write the next CTR valueback to storage before using the CTR value for encryption. Storing the CTRvalue before usage (vs. after) helps ensure that a storage failure will notcause reuse of the same (base_key, KID, CTR) combination.¶
The application is responsible for provisioning SFrame with a mapping of KID values tobase_key values and the resulting keys and salts. More importantly, theapplication specifies which KID values are used for which purposes (e.g., bywhich senders). An application's KID assignment strategyMUST be structured toassure the non-reuse properties discussed inSection 9.1.¶
The application is also responsible for defining a rotation schedule for keys. Forexample, one application might have an ephemeral group for every call and keeprotating keys when endpoints join or leave the call, while another applicationcould have a persistent group that can be used for multiple calls and simplyderives ephemeral symmetric keys for a specific call.¶
It should be noted that KID values are not encrypted by SFrame and are thusvisible to any application-layer intermediaries that might handle an SFrameciphertext. If there are application semantics included in KID values, thenthis information would be exposed to intermediaries. For example, in the schemeofSection 5.1, the number of ratchet steps per sender is exposed, and inthe scheme ofSection 5.2, the number of epochs and the MLS sender ID of the SFramesender are exposed.¶
It is the responsibility of the application to handle anti-replay. Replay by networkattackers is assumed to be prevented by network-layer facilities (e.g., TLS, SRTP).As mentioned inSection 7.4, sendersMUST reject requests to encrypt multiple timeswith the same key and nonce.¶
It is not mandatory to implement anti-replay on the receiver side. ReceiversMAYapply time- or counter-based anti-replay mitigations. For example,Section 3.3.2 of [RFC3711] specifies a counter-based anti-replay mitigation, whichcould be adapted to use with SFrame, using the CTR field as the counter.¶
Themetadata input to SFrame operations is an opaque byte string specified by the application. Assuch, the application needs to define what information should go in themetadata input and ensure that it is provided to the encryption and decryptionfunctions at the appropriate points. A receiverMUST NOT use SFrame-authenticatedmetadata until after the SFrame decrypt function has authenticated it, unlessthe purpose of such usage is to prepare an SFrame ciphertext for SFramedecryption. Essentially, metadata may be used "upstream of SFrame" in aprocessing pipeline, but only to prepare for SFrame decryption.¶
For example, consider an application where SFrame is used to encrypt audioframes that are sent over SRTP, with some application data included in the RTPheader extension. Suppose the application also includes this application data inthe SFrame metadata, so that the SFU is allowed to read, but not modify, theapplication data. A receiver can use the application data in the RTP headerextension as part of the standard SRTP decryption process since this isrequired to recover the SFrame ciphertext carried in the SRTP payload. However,the receiverMUST NOT use the application data for other purposes before SFramedecryption has authenticated the application data.¶
This section is not normative.¶
This section describes a notional API that an SFrame implementation mightexpose. The core concept is an "SFrame context", within which KID values aremeaningful. In the key management scheme described inSection 5.1, eachsender has a different context; in the scheme described inSection 5.2, all sendersshare the same context.¶
An SFrame context stores mappings from KID values to "key contexts", which aredifferent depending on whether the KID is to be used for sending or receiving(an SFrame key should never be used for both operations). A key context tracksthe key and salt associated to the KID, and the current CTR value. A keycontext to be used for sending also tracks the next CTR value to be used.¶
The primary operations on an SFrame context are as follows:¶
Create an SFrame context: The context is initialized with a cipher suite andno KID mappings.¶
Add a key for sending: The key and salt are derived from the base key andused to initialize a send context, together with a zero CTR value.¶
Add a key for receiving: The key and salt are derived from the base key andused to initialize a send context.¶
Encrypt a plaintext: Encrypt a given plaintext using the key for a given KID,including the specified metadata.¶
Decrypt an SFrame ciphertext: Decrypt an SFrame ciphertext with the KIDand CTR values specified in the SFrame header, and the provided metadata.¶
Figure 10 shows an example of the types of structures and methods that couldbe used to create an SFrame API in Rust.¶
type KeyId = u64;type Counter = u64;type CipherSuite = u16;struct SendKeyContext { key: Vec<u8>, salt: Vec<u8>, next_counter: Counter,}struct RecvKeyContext { key: Vec<u8>, salt: Vec<u8>,}struct SFrameContext { cipher_suite: CipherSuite, send_keys: HashMap<KeyId, SendKeyContext>, recv_keys: HashMap<KeyId, RecvKeyContext>,}trait SFrameContextMethods { fn create(cipher_suite: CipherSuite) -> Self; fn add_send_key(&self, kid: KeyId, base_key: &[u8]); fn add_recv_key(&self, kid: KeyId, base_key: &[u8]); fn encrypt(&mut self, kid: KeyId, metadata: &[u8], plaintext: &[u8]) -> Vec<u8>; fn decrypt(&self, metadata: &[u8], ciphertext: &[u8]) -> Vec<u8>;}Any use of SFrame will impose overhead in terms of the amount of bandwidthnecessary to transmit a given media stream. Exactly how much overhead will be addeddepends on several factors:¶
The number of senders involved in a conference (length of KID)¶
The duration of the conference (length of CTR)¶
The cipher suite in use (length of authentication tag)¶
Whether SFrame is used to encrypt packets, whole frames, or some other unit¶
Overall, the overhead rate in kilobits per second can be estimated as:¶
OverheadKbps = (1 + |CTR| + |KID| + |TAG|) * 8 * CTPerSecond / 1024¶
Here the constant value1 reflects the fixed SFrame header;|CTR| and|KID| reflect the lengths of those fields;|TAG| reflects the cipheroverhead; andCTPerSecond reflects the number of SFrame ciphertextssent per second (e.g., packets or frames per second).¶
In the remainder of this section, we compute overhead estimates for a collectionof common scenarios.¶
In the below calculations, we make conservative assumptions about SFrameoverhead so that the overhead amounts we compute here are likely to be an upperbound of those seen in practice.¶
| Field | Bytes | Explanation |
|---|---|---|
| Config byte | 1 | Fixed |
| Key ID (KID) | 2 | >255 senders; or MLS epoch (E=4) and >16 senders |
| Counter (CTR) | 3 | More than 24 hours of media in common cases |
| Cipher overhead | 16 | Full authentication tag (longest defined here) |
In total, then, we assume that each SFrame encryption will add 22 bytes ofoverhead.¶
We consider two scenarios: applying SFrame per frame and per packet. In eachscenario, we compute the SFrame overhead in absolute terms (kbps) and as apercentage of the base bandwidth.¶
In audio streams, there is typically a one-to-one relationship between framesand packets, so the overhead is the same whether one uses SFrame at a per-packetor per-frame level.¶
Table 4 considers three scenarios that are based on recommended configurationsof the Opus codec[RFC6716] (where "fps" stands for "frames per second"):¶
| Scenario | Frame length | fps | Base kbps | Overhead kbps | Overhead % |
|---|---|---|---|---|---|
| Narrow-band speech | 120 ms | 8.3 | 8 | 1.4 | 17.9% |
| Full-band speech | 20 ms | 50 | 32 | 8.6 | 26.9% |
| Full-band stereo music | 10 ms | 100 | 128 | 17.2 | 13.4% |
Video frames can be larger than an MTU and thus are commonly split acrossmultiple frames. Tables5and6show the estimated overhead of encrypting a video stream, where SFrame isapplied per frame and per packet, respectively. The choices of resolution,frames per second, and bandwidth roughly reflect the capabilities ofmodern video codecs across a range from very low to very high quality.¶
| Scenario | fps | Base kbps | Overhead kbps | Overhead % |
|---|---|---|---|---|
| 426 x 240 | 7.5 | 45 | 1.3 | 2.9% |
| 640 x 360 | 15 | 200 | 2.6 | 1.3% |
| 640 x 360 | 30 | 400 | 5.2 | 1.3% |
| 1280 x 720 | 30 | 1500 | 5.2 | 0.3% |
| 1920 x 1080 | 60 | 7200 | 10.3 | 0.1% |
| Scenario | fps | Packets per Second (pps) | Base kbps | Overhead kbps | Overhead % |
|---|---|---|---|---|---|
| 426 x 240 | 7.5 | 7.5 | 45 | 1.3 | 2.9% |
| 640 x 360 | 15 | 30 | 200 | 5.2 | 2.6% |
| 640 x 360 | 30 | 60 | 400 | 10.3 | 2.6% |
| 1280 x 720 | 30 | 180 | 1500 | 30.9 | 2.1% |
| 1920 x 1080 | 60 | 780 | 7200 | 134.1 | 1.9% |
In the per-frame case, the SFrame percentage overhead approaches zero as thequality of the video improves since bandwidth is driven more by picture sizethan frame rate. In the per-packet case, the SFrame percentage overheadapproaches the ratio between the SFrame overhead per packet and the MTU (here 22bytes of SFrame overhead divided by an assumed 1200-byte MTU, or about 1.8%).¶
Real conferences usually involve several audio and video streams. The overheadof SFrame in such a conference is the aggregate of the overhead across all theindividual streams. Thus, while SFrame incurs a large percentage overhead on anaudio stream, if the conference also involves a video stream, then the audiooverhead is likely negligible relative to the overall bandwidth of theconference.¶
For example,Table 7 shows the overhead estimates for a two-personconference where one person is sending low-quality media and the other issending high-quality media. (And we assume that SFrame is applied per frame.) Thevideo streams dominate the bandwidth at the SFU, so the total bandwidth overheadis only around 1%.¶
| Stream | Base Kbps | Overhead Kbps | Overhead % |
|---|---|---|---|
| Participant 1 audio | 8 | 1.4 | 17.9% |
| Participant 1 video | 45 | 1.3 | 2.9% |
| Participant 2 audio | 32 | 9 | 26.9% |
| Participant 2 video | 1500 | 5 | 0.3% |
| Total at SFU | 1585 | 16.5 | 1.0% |
SFrame is a generic encapsulation format, but many of the applications in whichit is likely to be integrated are based on RTP. This section discusses how anintegration between SFrame and RTP could be done, and some of the challengesthat would need to be overcome.¶
As discussed inSection 4.1, there are two natural patterns forintegrating SFrame into an application: applying SFrame per frame or per packet.In RTP-based applications, applying SFrame per packet means that the payload ofeach RTP packet will be an SFrame ciphertext, starting with an SFrame header, asshown inFigure 11. Applying SFrame per frame means that differentRTP payloads will have different formats: The first payload of a frame willcontain the SFrame headers, and subsequent payloads will contain further chunksof the ciphertext, as shown inFigure 12.¶
In order for these media payloads to be properly interpreted by receivers,receivers will need to be configured to know which of the above schemes thesender has applied to a given sequence of RTP packets. SFrame does not providea mechanism for distributing this configuration information. In applicationsthat use SDP for negotiating RTP media streams[RFC8866], an appropriateextension to SDP could provide this function.¶
Applying SFrame per frame also requires that packetization and depacketizationbe done in a generic manner that does not depend on the media content of thepackets, since the content being packetized or depacketized will be opaqueciphertext (except for the SFrame header). In order for such a genericpacketization scheme to work interoperably, one would have to be defined, e.g.,as proposed in[RTP-PAYLOAD].¶
This section provides a set of test vectors that implementations can use toverify that they correctly implement SFrame encryption and decryption. Inaddition to test vectors for the overall process of SFrameencryption/decryption, we also provide test vectors for headerencoding/decoding, and for AEAD encryption/decryption using the AES-CTRconstruction defined inSection 4.5.1.¶
All values are either numeric or byte strings. Numeric values are representedas hex values, prefixed with0x. Byte strings are represented in hexencoding.¶
Line breaks and whitespace within values are inserted to conform to the widthrequirements of the RFC format. They should be removed before use.¶
These test vectors are also available in JSON format at[TestVectors]. In theJSON test vectors, numeric values are JSON numbers and byte string values areJSON strings containing the hex encoding of the byte strings.¶
For each case, we provide:¶
An implementation should verify that:¶
Encoding a header with the KID and CTR results in the provided header value¶
Decoding the provided header value results in the provided KID and CTR values¶
kid: 0x0000000000000000ctr: 0x0000000000000000header: 00¶
kid: 0x0000000000000000ctr: 0x0000000000000001header: 01¶
kid: 0x0000000000000000ctr: 0x00000000000000ffheader: 08ff¶
kid: 0x0000000000000000ctr: 0x0000000000000100header: 090100¶
kid: 0x0000000000000000ctr: 0x000000000000ffffheader: 09ffff¶
kid: 0x0000000000000000ctr: 0x0000000000010000header: 0a010000¶
kid: 0x0000000000000000ctr: 0x0000000000ffffffheader: 0affffff¶
kid: 0x0000000000000000ctr: 0x0000000001000000header: 0b01000000¶
kid: 0x0000000000000000ctr: 0x00000000ffffffffheader: 0bffffffff¶
kid: 0x0000000000000000ctr: 0x0000000100000000header: 0c0100000000¶
kid: 0x0000000000000000ctr: 0x000000ffffffffffheader: 0cffffffffff¶
kid: 0x0000000000000000ctr: 0x0000010000000000header: 0d010000000000¶
kid: 0x0000000000000000ctr: 0x0000ffffffffffffheader: 0dffffffffffff¶
kid: 0x0000000000000000ctr: 0x0001000000000000header: 0e01000000000000¶
kid: 0x0000000000000000ctr: 0x00ffffffffffffffheader: 0effffffffffffff¶
kid: 0x0000000000000000ctr: 0x0100000000000000header: 0f0100000000000000¶
kid: 0x0000000000000000ctr: 0xffffffffffffffffheader: 0fffffffffffffffff¶
kid: 0x0000000000000001ctr: 0x0000000000000000header: 10¶
kid: 0x0000000000000001ctr: 0x0000000000000001header: 11¶
kid: 0x0000000000000001ctr: 0x00000000000000ffheader: 18ff¶
kid: 0x0000000000000001ctr: 0x0000000000000100header: 190100¶
kid: 0x0000000000000001ctr: 0x000000000000ffffheader: 19ffff¶
kid: 0x0000000000000001ctr: 0x0000000000010000header: 1a010000¶
kid: 0x0000000000000001ctr: 0x0000000000ffffffheader: 1affffff¶
kid: 0x0000000000000001ctr: 0x0000000001000000header: 1b01000000¶
kid: 0x0000000000000001ctr: 0x00000000ffffffffheader: 1bffffffff¶
kid: 0x0000000000000001ctr: 0x0000000100000000header: 1c0100000000¶
kid: 0x0000000000000001ctr: 0x000000ffffffffffheader: 1cffffffffff¶
kid: 0x0000000000000001ctr: 0x0000010000000000header: 1d010000000000¶
kid: 0x0000000000000001ctr: 0x0000ffffffffffffheader: 1dffffffffffff¶
kid: 0x0000000000000001ctr: 0x0001000000000000header: 1e01000000000000¶
kid: 0x0000000000000001ctr: 0x00ffffffffffffffheader: 1effffffffffffff¶
kid: 0x0000000000000001ctr: 0x0100000000000000header: 1f0100000000000000¶
kid: 0x0000000000000001ctr: 0xffffffffffffffffheader: 1fffffffffffffffff¶
kid: 0x00000000000000ffctr: 0x0000000000000000header: 80ff¶
kid: 0x00000000000000ffctr: 0x0000000000000001header: 81ff¶
kid: 0x00000000000000ffctr: 0x00000000000000ffheader: 88ffff¶
kid: 0x00000000000000ffctr: 0x0000000000000100header: 89ff0100¶
kid: 0x00000000000000ffctr: 0x000000000000ffffheader: 89ffffff¶
kid: 0x00000000000000ffctr: 0x0000000000010000header: 8aff010000¶
kid: 0x00000000000000ffctr: 0x0000000000ffffffheader: 8affffffff¶
kid: 0x00000000000000ffctr: 0x0000000001000000header: 8bff01000000¶
kid: 0x00000000000000ffctr: 0x00000000ffffffffheader: 8bffffffffff¶
kid: 0x00000000000000ffctr: 0x0000000100000000header: 8cff0100000000¶
kid: 0x00000000000000ffctr: 0x000000ffffffffffheader: 8cffffffffffff¶
kid: 0x00000000000000ffctr: 0x0000010000000000header: 8dff010000000000¶
kid: 0x00000000000000ffctr: 0x0000ffffffffffffheader: 8dffffffffffffff¶
kid: 0x00000000000000ffctr: 0x0001000000000000header: 8eff01000000000000¶
kid: 0x00000000000000ffctr: 0x00ffffffffffffffheader: 8effffffffffffffff¶
kid: 0x00000000000000ffctr: 0x0100000000000000header: 8fff0100000000000000¶
kid: 0x00000000000000ffctr: 0xffffffffffffffffheader: 8fffffffffffffffffff¶
kid: 0x0000000000000100ctr: 0x0000000000000000header: 900100¶
kid: 0x0000000000000100ctr: 0x0000000000000001header: 910100¶
kid: 0x0000000000000100ctr: 0x00000000000000ffheader: 980100ff¶
kid: 0x0000000000000100ctr: 0x0000000000000100header: 9901000100¶
kid: 0x0000000000000100ctr: 0x000000000000ffffheader: 990100ffff¶
kid: 0x0000000000000100ctr: 0x0000000000010000header: 9a0100010000¶
kid: 0x0000000000000100ctr: 0x0000000000ffffffheader: 9a0100ffffff¶
kid: 0x0000000000000100ctr: 0x0000000001000000header: 9b010001000000¶
kid: 0x0000000000000100ctr: 0x00000000ffffffffheader: 9b0100ffffffff¶
kid: 0x0000000000000100ctr: 0x0000000100000000header: 9c01000100000000¶
kid: 0x0000000000000100ctr: 0x000000ffffffffffheader: 9c0100ffffffffff¶
kid: 0x0000000000000100ctr: 0x0000010000000000header: 9d0100010000000000¶
kid: 0x0000000000000100ctr: 0x0000ffffffffffffheader: 9d0100ffffffffffff¶
kid: 0x0000000000000100ctr: 0x0001000000000000header: 9e010001000000000000¶
kid: 0x0000000000000100ctr: 0x00ffffffffffffffheader: 9e0100ffffffffffffff¶
kid: 0x0000000000000100ctr: 0x0100000000000000header: 9f01000100000000000000¶
kid: 0x0000000000000100ctr: 0xffffffffffffffffheader: 9f0100ffffffffffffffff¶
kid: 0x000000000000ffffctr: 0x0000000000000000header: 90ffff¶
kid: 0x000000000000ffffctr: 0x0000000000000001header: 91ffff¶
kid: 0x000000000000ffffctr: 0x00000000000000ffheader: 98ffffff¶
kid: 0x000000000000ffffctr: 0x0000000000000100header: 99ffff0100¶
kid: 0x000000000000ffffctr: 0x000000000000ffffheader: 99ffffffff¶
kid: 0x000000000000ffffctr: 0x0000000000010000header: 9affff010000¶
kid: 0x000000000000ffffctr: 0x0000000000ffffffheader: 9affffffffff¶
kid: 0x000000000000ffffctr: 0x0000000001000000header: 9bffff01000000¶
kid: 0x000000000000ffffctr: 0x00000000ffffffffheader: 9bffffffffffff¶
kid: 0x000000000000ffffctr: 0x0000000100000000header: 9cffff0100000000¶
kid: 0x000000000000ffffctr: 0x000000ffffffffffheader: 9cffffffffffffff¶
kid: 0x000000000000ffffctr: 0x0000010000000000header: 9dffff010000000000¶
kid: 0x000000000000ffffctr: 0x0000ffffffffffffheader: 9dffffffffffffffff¶
kid: 0x000000000000ffffctr: 0x0001000000000000header: 9effff01000000000000¶
kid: 0x000000000000ffffctr: 0x00ffffffffffffffheader: 9effffffffffffffffff¶
kid: 0x000000000000ffffctr: 0x0100000000000000header: 9fffff0100000000000000¶
kid: 0x000000000000ffffctr: 0xffffffffffffffffheader: 9fffffffffffffffffffff¶
kid: 0x0000000000010000ctr: 0x0000000000000000header: a0010000¶
kid: 0x0000000000010000ctr: 0x0000000000000001header: a1010000¶
kid: 0x0000000000010000ctr: 0x00000000000000ffheader: a8010000ff¶
kid: 0x0000000000010000ctr: 0x0000000000000100header: a90100000100¶
kid: 0x0000000000010000ctr: 0x000000000000ffffheader: a9010000ffff¶
kid: 0x0000000000010000ctr: 0x0000000000010000header: aa010000010000¶
kid: 0x0000000000010000ctr: 0x0000000000ffffffheader: aa010000ffffff¶
kid: 0x0000000000010000ctr: 0x0000000001000000header: ab01000001000000¶
kid: 0x0000000000010000ctr: 0x00000000ffffffffheader: ab010000ffffffff¶
kid: 0x0000000000010000ctr: 0x0000000100000000header: ac0100000100000000¶
kid: 0x0000000000010000ctr: 0x000000ffffffffffheader: ac010000ffffffffff¶
kid: 0x0000000000010000ctr: 0x0000010000000000header: ad010000010000000000¶
kid: 0x0000000000010000ctr: 0x0000ffffffffffffheader: ad010000ffffffffffff¶
kid: 0x0000000000010000ctr: 0x0001000000000000header: ae01000001000000000000¶
kid: 0x0000000000010000ctr: 0x00ffffffffffffffheader: ae010000ffffffffffffff¶
kid: 0x0000000000010000ctr: 0x0100000000000000header: af0100000100000000000000¶
kid: 0x0000000000010000ctr: 0xffffffffffffffffheader: af010000ffffffffffffffff¶
kid: 0x0000000000ffffffctr: 0x0000000000000000header: a0ffffff¶
kid: 0x0000000000ffffffctr: 0x0000000000000001header: a1ffffff¶
kid: 0x0000000000ffffffctr: 0x00000000000000ffheader: a8ffffffff¶
kid: 0x0000000000ffffffctr: 0x0000000000000100header: a9ffffff0100¶
kid: 0x0000000000ffffffctr: 0x000000000000ffffheader: a9ffffffffff¶
kid: 0x0000000000ffffffctr: 0x0000000000010000header: aaffffff010000¶
kid: 0x0000000000ffffffctr: 0x0000000000ffffffheader: aaffffffffffff¶
kid: 0x0000000000ffffffctr: 0x0000000001000000header: abffffff01000000¶
kid: 0x0000000000ffffffctr: 0x00000000ffffffffheader: abffffffffffffff¶
kid: 0x0000000000ffffffctr: 0x0000000100000000header: acffffff0100000000¶
kid: 0x0000000000ffffffctr: 0x000000ffffffffffheader: acffffffffffffffff¶
kid: 0x0000000000ffffffctr: 0x0000010000000000header: adffffff010000000000¶
kid: 0x0000000000ffffffctr: 0x0000ffffffffffffheader: adffffffffffffffffff¶
kid: 0x0000000000ffffffctr: 0x0001000000000000header: aeffffff01000000000000¶
kid: 0x0000000000ffffffctr: 0x00ffffffffffffffheader: aeffffffffffffffffffff¶
kid: 0x0000000000ffffffctr: 0x0100000000000000header: afffffff0100000000000000¶
kid: 0x0000000000ffffffctr: 0xffffffffffffffffheader: afffffffffffffffffffffff¶
kid: 0x0000000001000000ctr: 0x0000000000000000header: b001000000¶
kid: 0x0000000001000000ctr: 0x0000000000000001header: b101000000¶
kid: 0x0000000001000000ctr: 0x00000000000000ffheader: b801000000ff¶
kid: 0x0000000001000000ctr: 0x0000000000000100header: b9010000000100¶
kid: 0x0000000001000000ctr: 0x000000000000ffffheader: b901000000ffff¶
kid: 0x0000000001000000ctr: 0x0000000000010000header: ba01000000010000¶
kid: 0x0000000001000000ctr: 0x0000000000ffffffheader: ba01000000ffffff¶
kid: 0x0000000001000000ctr: 0x0000000001000000header: bb0100000001000000¶
kid: 0x0000000001000000ctr: 0x00000000ffffffffheader: bb01000000ffffffff¶
kid: 0x0000000001000000ctr: 0x0000000100000000header: bc010000000100000000¶
kid: 0x0000000001000000ctr: 0x000000ffffffffffheader: bc01000000ffffffffff¶
kid: 0x0000000001000000ctr: 0x0000010000000000header: bd01000000010000000000¶
kid: 0x0000000001000000ctr: 0x0000ffffffffffffheader: bd01000000ffffffffffff¶
kid: 0x0000000001000000ctr: 0x0001000000000000header: be0100000001000000000000¶
kid: 0x0000000001000000ctr: 0x00ffffffffffffffheader: be01000000ffffffffffffff¶
kid: 0x0000000001000000ctr: 0x0100000000000000header: bf010000000100000000000000¶
kid: 0x0000000001000000ctr: 0xffffffffffffffffheader: bf01000000ffffffffffffffff¶
kid: 0x00000000ffffffffctr: 0x0000000000000000header: b0ffffffff¶
kid: 0x00000000ffffffffctr: 0x0000000000000001header: b1ffffffff¶
kid: 0x00000000ffffffffctr: 0x00000000000000ffheader: b8ffffffffff¶
kid: 0x00000000ffffffffctr: 0x0000000000000100header: b9ffffffff0100¶
kid: 0x00000000ffffffffctr: 0x000000000000ffffheader: b9ffffffffffff¶
kid: 0x00000000ffffffffctr: 0x0000000000010000header: baffffffff010000¶
kid: 0x00000000ffffffffctr: 0x0000000000ffffffheader: baffffffffffffff¶
kid: 0x00000000ffffffffctr: 0x0000000001000000header: bbffffffff01000000¶
kid: 0x00000000ffffffffctr: 0x00000000ffffffffheader: bbffffffffffffffff¶
kid: 0x00000000ffffffffctr: 0x0000000100000000header: bcffffffff0100000000¶
kid: 0x00000000ffffffffctr: 0x000000ffffffffffheader: bcffffffffffffffffff¶
kid: 0x00000000ffffffffctr: 0x0000010000000000header: bdffffffff010000000000¶
kid: 0x00000000ffffffffctr: 0x0000ffffffffffffheader: bdffffffffffffffffffff¶
kid: 0x00000000ffffffffctr: 0x0001000000000000header: beffffffff01000000000000¶
kid: 0x00000000ffffffffctr: 0x00ffffffffffffffheader: beffffffffffffffffffffff¶
kid: 0x00000000ffffffffctr: 0x0100000000000000header: bfffffffff0100000000000000¶
kid: 0x00000000ffffffffctr: 0xffffffffffffffffheader: bfffffffffffffffffffffffff¶
kid: 0x0000000100000000ctr: 0x0000000000000000header: c00100000000¶
kid: 0x0000000100000000ctr: 0x0000000000000001header: c10100000000¶
kid: 0x0000000100000000ctr: 0x00000000000000ffheader: c80100000000ff¶
kid: 0x0000000100000000ctr: 0x0000000000000100header: c901000000000100¶
kid: 0x0000000100000000ctr: 0x000000000000ffffheader: c90100000000ffff¶
kid: 0x0000000100000000ctr: 0x0000000000010000header: ca0100000000010000¶
kid: 0x0000000100000000ctr: 0x0000000000ffffffheader: ca0100000000ffffff¶
kid: 0x0000000100000000ctr: 0x0000000001000000header: cb010000000001000000¶
kid: 0x0000000100000000ctr: 0x00000000ffffffffheader: cb0100000000ffffffff¶
kid: 0x0000000100000000ctr: 0x0000000100000000header: cc01000000000100000000¶
kid: 0x0000000100000000ctr: 0x000000ffffffffffheader: cc0100000000ffffffffff¶
kid: 0x0000000100000000ctr: 0x0000010000000000header: cd0100000000010000000000¶
kid: 0x0000000100000000ctr: 0x0000ffffffffffffheader: cd0100000000ffffffffffff¶
kid: 0x0000000100000000ctr: 0x0001000000000000header: ce010000000001000000000000¶
kid: 0x0000000100000000ctr: 0x00ffffffffffffffheader: ce0100000000ffffffffffffff¶
kid: 0x0000000100000000ctr: 0x0100000000000000header: cf01000000000100000000000000¶
kid: 0x0000000100000000ctr: 0xffffffffffffffffheader: cf0100000000ffffffffffffffff¶
kid: 0x000000ffffffffffctr: 0x0000000000000000header: c0ffffffffff¶
kid: 0x000000ffffffffffctr: 0x0000000000000001header: c1ffffffffff¶
kid: 0x000000ffffffffffctr: 0x00000000000000ffheader: c8ffffffffffff¶
kid: 0x000000ffffffffffctr: 0x0000000000000100header: c9ffffffffff0100¶
kid: 0x000000ffffffffffctr: 0x000000000000ffffheader: c9ffffffffffffff¶
kid: 0x000000ffffffffffctr: 0x0000000000010000header: caffffffffff010000¶
kid: 0x000000ffffffffffctr: 0x0000000000ffffffheader: caffffffffffffffff¶
kid: 0x000000ffffffffffctr: 0x0000000001000000header: cbffffffffff01000000¶
kid: 0x000000ffffffffffctr: 0x00000000ffffffffheader: cbffffffffffffffffff¶
kid: 0x000000ffffffffffctr: 0x0000000100000000header: ccffffffffff0100000000¶
kid: 0x000000ffffffffffctr: 0x000000ffffffffffheader: ccffffffffffffffffffff¶
kid: 0x000000ffffffffffctr: 0x0000010000000000header: cdffffffffff010000000000¶
kid: 0x000000ffffffffffctr: 0x0000ffffffffffffheader: cdffffffffffffffffffffff¶
kid: 0x000000ffffffffffctr: 0x0001000000000000header: ceffffffffff01000000000000¶
kid: 0x000000ffffffffffctr: 0x00ffffffffffffffheader: ceffffffffffffffffffffffff¶
kid: 0x000000ffffffffffctr: 0x0100000000000000header: cfffffffffff0100000000000000¶
kid: 0x000000ffffffffffctr: 0xffffffffffffffffheader: cfffffffffffffffffffffffffff¶
kid: 0x0000010000000000ctr: 0x0000000000000000header: d0010000000000¶
kid: 0x0000010000000000ctr: 0x0000000000000001header: d1010000000000¶
kid: 0x0000010000000000ctr: 0x00000000000000ffheader: d8010000000000ff¶
kid: 0x0000010000000000ctr: 0x0000000000000100header: d90100000000000100¶
kid: 0x0000010000000000ctr: 0x000000000000ffffheader: d9010000000000ffff¶
kid: 0x0000010000000000ctr: 0x0000000000010000header: da010000000000010000¶
kid: 0x0000010000000000ctr: 0x0000000000ffffffheader: da010000000000ffffff¶
kid: 0x0000010000000000ctr: 0x0000000001000000header: db01000000000001000000¶
kid: 0x0000010000000000ctr: 0x00000000ffffffffheader: db010000000000ffffffff¶
kid: 0x0000010000000000ctr: 0x0000000100000000header: dc0100000000000100000000¶
kid: 0x0000010000000000ctr: 0x000000ffffffffffheader: dc010000000000ffffffffff¶
kid: 0x0000010000000000ctr: 0x0000010000000000header: dd010000000000010000000000¶
kid: 0x0000010000000000ctr: 0x0000ffffffffffffheader: dd010000000000ffffffffffff¶
kid: 0x0000010000000000ctr: 0x0001000000000000header: de01000000000001000000000000¶
kid: 0x0000010000000000ctr: 0x00ffffffffffffffheader: de010000000000ffffffffffffff¶
kid: 0x0000010000000000ctr: 0x0100000000000000header: df0100000000000100000000000000¶
kid: 0x0000010000000000ctr: 0xffffffffffffffffheader: df010000000000ffffffffffffffff¶
kid: 0x0000ffffffffffffctr: 0x0000000000000000header: d0ffffffffffff¶
kid: 0x0000ffffffffffffctr: 0x0000000000000001header: d1ffffffffffff¶
kid: 0x0000ffffffffffffctr: 0x00000000000000ffheader: d8ffffffffffffff¶
kid: 0x0000ffffffffffffctr: 0x0000000000000100header: d9ffffffffffff0100¶
kid: 0x0000ffffffffffffctr: 0x000000000000ffffheader: d9ffffffffffffffff¶
kid: 0x0000ffffffffffffctr: 0x0000000000010000header: daffffffffffff010000¶
kid: 0x0000ffffffffffffctr: 0x0000000000ffffffheader: daffffffffffffffffff¶
kid: 0x0000ffffffffffffctr: 0x0000000001000000header: dbffffffffffff01000000¶
kid: 0x0000ffffffffffffctr: 0x00000000ffffffffheader: dbffffffffffffffffffff¶
kid: 0x0000ffffffffffffctr: 0x0000000100000000header: dcffffffffffff0100000000¶
kid: 0x0000ffffffffffffctr: 0x000000ffffffffffheader: dcffffffffffffffffffffff¶
kid: 0x0000ffffffffffffctr: 0x0000010000000000header: ddffffffffffff010000000000¶
kid: 0x0000ffffffffffffctr: 0x0000ffffffffffffheader: ddffffffffffffffffffffffff¶
kid: 0x0000ffffffffffffctr: 0x0001000000000000header: deffffffffffff01000000000000¶
kid: 0x0000ffffffffffffctr: 0x00ffffffffffffffheader: deffffffffffffffffffffffffff¶
kid: 0x0000ffffffffffffctr: 0x0100000000000000header: dfffffffffffff0100000000000000¶
kid: 0x0000ffffffffffffctr: 0xffffffffffffffffheader: dfffffffffffffffffffffffffffff¶
kid: 0x0001000000000000ctr: 0x0000000000000000header: e001000000000000¶
kid: 0x0001000000000000ctr: 0x0000000000000001header: e101000000000000¶
kid: 0x0001000000000000ctr: 0x00000000000000ffheader: e801000000000000ff¶
kid: 0x0001000000000000ctr: 0x0000000000000100header: e9010000000000000100¶
kid: 0x0001000000000000ctr: 0x000000000000ffffheader: e901000000000000ffff¶
kid: 0x0001000000000000ctr: 0x0000000000010000header: ea01000000000000010000¶
kid: 0x0001000000000000ctr: 0x0000000000ffffffheader: ea01000000000000ffffff¶
kid: 0x0001000000000000ctr: 0x0000000001000000header: eb0100000000000001000000¶
kid: 0x0001000000000000ctr: 0x00000000ffffffffheader: eb01000000000000ffffffff¶
kid: 0x0001000000000000ctr: 0x0000000100000000header: ec010000000000000100000000¶
kid: 0x0001000000000000ctr: 0x000000ffffffffffheader: ec01000000000000ffffffffff¶
kid: 0x0001000000000000ctr: 0x0000010000000000header: ed01000000000000010000000000¶
kid: 0x0001000000000000ctr: 0x0000ffffffffffffheader: ed01000000000000ffffffffffff¶
kid: 0x0001000000000000ctr: 0x0001000000000000header: ee0100000000000001000000000000¶
kid: 0x0001000000000000ctr: 0x00ffffffffffffffheader: ee01000000000000ffffffffffffff¶
kid: 0x0001000000000000ctr: 0x0100000000000000header: ef010000000000000100000000000000¶
kid: 0x0001000000000000ctr: 0xffffffffffffffffheader: ef01000000000000ffffffffffffffff¶
kid: 0x00ffffffffffffffctr: 0x0000000000000000header: e0ffffffffffffff¶
kid: 0x00ffffffffffffffctr: 0x0000000000000001header: e1ffffffffffffff¶
kid: 0x00ffffffffffffffctr: 0x00000000000000ffheader: e8ffffffffffffffff¶
kid: 0x00ffffffffffffffctr: 0x0000000000000100header: e9ffffffffffffff0100¶
kid: 0x00ffffffffffffffctr: 0x000000000000ffffheader: e9ffffffffffffffffff¶
kid: 0x00ffffffffffffffctr: 0x0000000000010000header: eaffffffffffffff010000¶
kid: 0x00ffffffffffffffctr: 0x0000000000ffffffheader: eaffffffffffffffffffff¶
kid: 0x00ffffffffffffffctr: 0x0000000001000000header: ebffffffffffffff01000000¶
kid: 0x00ffffffffffffffctr: 0x00000000ffffffffheader: ebffffffffffffffffffffff¶
kid: 0x00ffffffffffffffctr: 0x0000000100000000header: ecffffffffffffff0100000000¶
kid: 0x00ffffffffffffffctr: 0x000000ffffffffffheader: ecffffffffffffffffffffffff¶
kid: 0x00ffffffffffffffctr: 0x0000010000000000header: edffffffffffffff010000000000¶
kid: 0x00ffffffffffffffctr: 0x0000ffffffffffffheader: edffffffffffffffffffffffffff¶
kid: 0x00ffffffffffffffctr: 0x0001000000000000header: eeffffffffffffff01000000000000¶
kid: 0x00ffffffffffffffctr: 0x00ffffffffffffffheader: eeffffffffffffffffffffffffffff¶
kid: 0x00ffffffffffffffctr: 0x0100000000000000header: efffffffffffffff0100000000000000¶
kid: 0x00ffffffffffffffctr: 0xffffffffffffffffheader: efffffffffffffffffffffffffffffff¶
kid: 0x0100000000000000ctr: 0x0000000000000000header: f00100000000000000¶
kid: 0x0100000000000000ctr: 0x0000000000000001header: f10100000000000000¶
kid: 0x0100000000000000ctr: 0x00000000000000ffheader: f80100000000000000ff¶
kid: 0x0100000000000000ctr: 0x0000000000000100header: f901000000000000000100¶
kid: 0x0100000000000000ctr: 0x000000000000ffffheader: f90100000000000000ffff¶
kid: 0x0100000000000000ctr: 0x0000000000010000header: fa0100000000000000010000¶
kid: 0x0100000000000000ctr: 0x0000000000ffffffheader: fa0100000000000000ffffff¶
kid: 0x0100000000000000ctr: 0x0000000001000000header: fb010000000000000001000000¶
kid: 0x0100000000000000ctr: 0x00000000ffffffffheader: fb0100000000000000ffffffff¶
kid: 0x0100000000000000ctr: 0x0000000100000000header: fc01000000000000000100000000¶
kid: 0x0100000000000000ctr: 0x000000ffffffffffheader: fc0100000000000000ffffffffff¶
kid: 0x0100000000000000ctr: 0x0000010000000000header: fd0100000000000000010000000000¶
kid: 0x0100000000000000ctr: 0x0000ffffffffffffheader: fd0100000000000000ffffffffffff¶
kid: 0x0100000000000000ctr: 0x0001000000000000header: fe010000000000000001000000000000¶
kid: 0x0100000000000000ctr: 0x00ffffffffffffffheader: fe0100000000000000ffffffffffffff¶
kid: 0x0100000000000000ctr: 0x0100000000000000header: ff010000000000000001000000000000 00¶
kid: 0x0100000000000000ctr: 0xffffffffffffffffheader: ff0100000000000000ffffffffffffff ff¶
kid: 0xffffffffffffffffctr: 0x0000000000000000header: f0ffffffffffffffff¶
kid: 0xffffffffffffffffctr: 0x0000000000000001header: f1ffffffffffffffff¶
kid: 0xffffffffffffffffctr: 0x00000000000000ffheader: f8ffffffffffffffffff¶
kid: 0xffffffffffffffffctr: 0x0000000000000100header: f9ffffffffffffffff0100¶
kid: 0xffffffffffffffffctr: 0x000000000000ffffheader: f9ffffffffffffffffffff¶
kid: 0xffffffffffffffffctr: 0x0000000000010000header: faffffffffffffffff010000¶
kid: 0xffffffffffffffffctr: 0x0000000000ffffffheader: faffffffffffffffffffffff¶
kid: 0xffffffffffffffffctr: 0x0000000001000000header: fbffffffffffffffff01000000¶
kid: 0xffffffffffffffffctr: 0x00000000ffffffffheader: fbffffffffffffffffffffffff¶
kid: 0xffffffffffffffffctr: 0x0000000100000000header: fcffffffffffffffff0100000000¶
kid: 0xffffffffffffffffctr: 0x000000ffffffffffheader: fcffffffffffffffffffffffffff¶
kid: 0xffffffffffffffffctr: 0x0000010000000000header: fdffffffffffffffff010000000000¶
kid: 0xffffffffffffffffctr: 0x0000ffffffffffffheader: fdffffffffffffffffffffffffffff¶
kid: 0xffffffffffffffffctr: 0x0001000000000000header: feffffffffffffffff01000000000000¶
kid: 0xffffffffffffffffctr: 0x00ffffffffffffffheader: feffffffffffffffffffffffffffffff¶
kid: 0xffffffffffffffffctr: 0x0100000000000000header: ffffffffffffffffff01000000000000 00¶
kid: 0xffffffffffffffffctr: 0xffffffffffffffffheader: ffffffffffffffffffffffffffffffff ff¶
For each case, we provide:¶
cipher_suite: The index of the cipher suite in use (seeSection 8.1)¶
key: Thekey input to encryption/decryption¶
enc_key: The encryption subkey produced by thederive_subkeys() algorithm¶
auth_key: The encryption subkey produced by thederive_subkeys() algorithm¶
nonce: Thenonce input to encryption/decryption¶
aad: Theaad input to encryption/decryption¶
pt: The plaintext¶
ct: The ciphertext¶
An implementation should verify that the following are true, whereAEAD.Encrypt andAEAD.Decrypt are as defined inSection 4.5.1:¶
The other values in the test vector are intermediate values provided tofacilitate debugging of test failures.¶
cipher_suite: 0x0001key: 000102030405060708090a0b0c0d0e0f 101112131415161718191a1b1c1d1e1f 202122232425262728292a2b2c2d2e2fenc_key: 000102030405060708090a0b0c0d0e0fauth_key: 101112131415161718191a1b1c1d1e1f 202122232425262728292a2b2c2d2e2fnonce: 101112131415161718191a1baad: 4945544620534672616d65205747pt: 64726166742d696574662d736672616d 652d656e63ct: 6339af04ada1d064688a442b8dc69d5b 6bfa40f4bef0583e8081069cc60705¶
cipher_suite: 0x0002key: 000102030405060708090a0b0c0d0e0f 101112131415161718191a1b1c1d1e1f 202122232425262728292a2b2c2d2e2fenc_key: 000102030405060708090a0b0c0d0e0fauth_key: 101112131415161718191a1b1c1d1e1f 202122232425262728292a2b2c2d2e2fnonce: 101112131415161718191a1baad: 4945544620534672616d65205747pt: 64726166742d696574662d736672616d 652d656e63ct: 6339af04ada1d064688a442b8dc69d5b 6bfa40f4be6e93b7da076927bb¶
cipher_suite: 0x0003key: 000102030405060708090a0b0c0d0e0f 101112131415161718191a1b1c1d1e1f 202122232425262728292a2b2c2d2e2fenc_key: 000102030405060708090a0b0c0d0e0fauth_key: 101112131415161718191a1b1c1d1e1f 202122232425262728292a2b2c2d2e2fnonce: 101112131415161718191a1baad: 4945544620534672616d65205747pt: 64726166742d696574662d736672616d 652d656e63ct: 6339af04ada1d064688a442b8dc69d5b 6bfa40f4be09480509¶
For each case, we provide:¶
cipher_suite: The index of the cipher suite in use (seeSection 8.1)¶
kid: A KID value¶
ctr: A CTR value¶
base_key: Thebase_key input to thederive_key_salt algorithm¶
sframe_key_label: The label used to derivesframe_key in thederive_key_salt algorithm¶
sframe_salt_label: The label used to derivesframe_salt in thederive_key_salt algorithm¶
sframe_secret: Thesframe_secret variable in thederive_key_salt algorithm¶
sframe_key: Thesframe_key value produced by thederive_key_salt algorithm¶
sframe_salt: Thesframe_salt value produced by thederive_key_salt algorithm¶
metadata: Themetadata input to the SFrameencrypt algorithm¶
pt: The plaintext¶
ct: The SFrame ciphertext¶
An implementation should verify that the following are true, whereencrypt anddecrypt are as defined inSection 4.4, using an SFramecontext initialized withbase_key assigned tokid:¶
The other values in the test vector are intermediate values provided tofacilitate debugging of test failures.¶
cipher_suite: 0x0001kid: 0x0000000000000123ctr: 0x0000000000004567base_key: 000102030405060708090a0b0c0d0e0fsframe_key_label: 534672616d6520312e30205365637265 74206b65792000000000000001230001sframe_salt_label: 534672616d6520312e30205365637265 742073616c7420000000000000012300 01sframe_secret: d926952ca8b7ec4a95941d1ada3a5203 ceff8cceee34f574d23909eb314c40c0sframe_key: 3f7d9a7c83ae8e1c8a11ae695ab59314 b367e359fadac7b9c46b2bc6f81f46e1 6b96f0811868d59402b7e870102720b3sframe_salt: 50b29329a04dc0f184ac3168metadata: 4945544620534672616d65205747nonce: 50b29329a04dc0f184ac740faad: 99012345674945544620534672616d65 205747pt: 64726166742d696574662d736672616d 652d656e63ct: 9901234567449408b6f490086165b9d6 f62b24ae1a59a56486b4ae8ed036b889 12e24f11¶
cipher_suite: 0x0002kid: 0x0000000000000123ctr: 0x0000000000004567base_key: 000102030405060708090a0b0c0d0e0fsframe_key_label: 534672616d6520312e30205365637265 74206b65792000000000000001230002sframe_salt_label: 534672616d6520312e30205365637265 742073616c7420000000000000012300 02sframe_secret: d926952ca8b7ec4a95941d1ada3a5203 ceff8cceee34f574d23909eb314c40c0sframe_key: e2ec5c797540310483b16bf6e7a570d2 a27d192fe869c7ccd8584a8d9dab9154 9fbe553f5113461ec6aa83bf3865553esframe_salt: e68ac8dd3d02fbcd368c5577metadata: 4945544620534672616d65205747nonce: e68ac8dd3d02fbcd368c1010aad: 99012345674945544620534672616d65 205747pt: 64726166742d696574662d736672616d 652d656e63ct: 99012345673f31438db4d09434e43afa 0f8a2f00867a2be085046a9f5cb4f101 d607¶
cipher_suite: 0x0003kid: 0x0000000000000123ctr: 0x0000000000004567base_key: 000102030405060708090a0b0c0d0e0fsframe_key_label: 534672616d6520312e30205365637265 74206b65792000000000000001230003sframe_salt_label: 534672616d6520312e30205365637265 742073616c7420000000000000012300 03sframe_secret: d926952ca8b7ec4a95941d1ada3a5203 ceff8cceee34f574d23909eb314c40c0sframe_key: 2c5703089cbb8c583475e4fc461d97d1 8809df79b6d550f78eb6d50ffa80d892 11d57909934f46f5405e38cd583c69fesframe_salt: 38c16e4f5159700c00c7f350metadata: 4945544620534672616d65205747nonce: 38c16e4f5159700c00c7b637aad: 99012345674945544620534672616d65 205747pt: 64726166742d696574662d736672616d 652d656e63ct: 990123456717fc8af28a5a695afcfc6c 8df6358a17e26b2fcb3bae32e443¶
cipher_suite: 0x0004kid: 0x0000000000000123ctr: 0x0000000000004567base_key: 000102030405060708090a0b0c0d0e0fsframe_key_label: 534672616d6520312e30205365637265 74206b65792000000000000001230004sframe_salt_label: 534672616d6520312e30205365637265 742073616c7420000000000000012300 04sframe_secret: d926952ca8b7ec4a95941d1ada3a5203 ceff8cceee34f574d23909eb314c40c0sframe_key: d34f547f4ca4f9a7447006fe7fcbf768sframe_salt: 75234edefe07819026751816metadata: 4945544620534672616d65205747nonce: 75234edefe07819026755d71aad: 99012345674945544620534672616d65 205747pt: 64726166742d696574662d736672616d 652d656e63ct: 9901234567b7412c2513a1b66dbb4884 1bbaf17f598751176ad847681a69c6d0 b091c07018ce4adb34eb¶
cipher_suite: 0x0005kid: 0x0000000000000123ctr: 0x0000000000004567base_key: 000102030405060708090a0b0c0d0e0fsframe_key_label: 534672616d6520312e30205365637265 74206b65792000000000000001230005sframe_salt_label: 534672616d6520312e30205365637265 742073616c7420000000000000012300 05sframe_secret: 0fc3ea6de6aac97a35f194cf9bed94d4 b5230f1cb45a785c9fe5dce9c188938a b6ba005bc4c0a19181599e9d1bcf7b74 aca48b60bf5e254e546d809313e083a3sframe_key: d3e27b0d4a5ae9e55df01a70e6d4d28d 969b246e2936f4b7a5d9b494da6b9633sframe_salt: 84991c167b8cd23c93708ec7metadata: 4945544620534672616d65205747nonce: 84991c167b8cd23c9370cba0aad: 99012345674945544620534672616d65 205747pt: 64726166742d696574662d736672616d 652d656e63ct: 990123456794f509d36e9beacb0e261d 99c7d1e972f1fed787d4049f17ca2135 3c1cc24d56ceabced279¶
The authors wish to specially thankDr. Alex Gouaillard as one of the earlycontributors to the document. His passion and energy were key to the design anddevelopment of SFrame.¶