| RFC 9335 | Completely Encrypting RTP Header Extensi | January 2023 |
| Uberti, et al. | Standards Track | [Page] |
While the Secure Real-time Transport Protocol (SRTP) provides confidentialityfor the contents of a media packet, a significant amount of metadata is leftunprotected, including RTP header extensions and contributing sources (CSRCs).However, this data can be moderately sensitive in many applications. Whilethere have been previous attempts to protect this data, they have had limiteddeployment, due to complexity as well as technical limitations.¶
This document updates RFC 3711, the SRTP specification, and defines Cryptex as a new mechanism that completely encryptsheader extensions and CSRCs and uses simpler Session Description Protocol (SDP) signaling with the goal offacilitating deployment.¶
This is an Internet Standards Track document.¶
This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Further information on Internet Standards is available in Section 2 of RFC 7841.¶
Information about the current status of this document, any errata, and how to provide feedback on it may be obtained athttps://www.rfc-editor.org/info/rfc9335.¶
Copyright (c) 2023 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License.¶
The Secure Real-time Transport Protocol (SRTP)[RFC3711] mechanism provides messageauthentication for the entire RTP packet but only encrypts the RTP payload.This has not historically been a problem, as much of the information carriedin the header has minimal sensitivity (e.g., RTP timestamp); in addition,certain fields need to remain as cleartext because they are used for keyscheduling (e.g., RTP synchronization source (SSRC) and sequence number).¶
However, as noted in[RFC6904], the security requirements can be different forinformation carried in RTP header extensions, including the per-packet soundlevels defined in[RFC6464] and[RFC6465], which are specifically noted asbeing sensitive in the Security Considerations sections of those RFCs.¶
In addition to the contents of the header extensions, there are now enoughheader extensions in active use that the header extension identifiersthemselves can provide meaningful information in terms of determining theidentity of the endpoint and/or application. Accordingly, these identifierscan be considered a fingerprinting issue.¶
Finally, the CSRCs included in RTP packets can also be sensitive, potentiallyallowing a network eavesdropper to determine who was speaking and when duringan otherwise secure conference call.¶
Encryption of Header Extensions in SRTP[RFC6904] was proposed in 2013 as a solution to the problem of unprotectedheader extension values. However, it has not seen significant adoption andhas a few technical shortcomings.¶
First, the mechanism is complicated. Since it allows encryption to benegotiated on a per-extension basis, a fair amount of signaling logic isrequired. And in the SRTP layer, a somewhat complex transform is requiredto allow only the selected header extension values to be encrypted. One ofthe most popular SRTP implementations had a significant bug in this areathat was not detected for five years.¶
Second, the mechanism only protects the header extension values and not their identifiers orlengths. It also does not protect the CSRCs. As noted above, this leavesa fair amount of potentially sensitive information exposed.¶
Third, the mechanism bloats the header extension space. Because each extension mustbe offered in both unencrypted and encrypted forms, twice as many headerextensions must be offered, which will in many cases push implementationspast the 14-extension limit for the use of one-byte extension headersdefined in[RFC8285]. Accordingly, in many cases, implementations will need to usetwo-byte headers, which are not supported well by someexisting implementations.¶
Finally, the header extension bloat combined with the need for backwardcompatibility results in additional wire overhead. Because two-byteextension headers may not be handled well by existing implementations,one-byte extension identifiers will need to be used for the unencrypted(backward-compatible) forms, and two-byte for the encrypted forms.Thus, deployment of encryption for header extensions[RFC6904] willtypically result in multiple extra bytes in each RTP packet, comparedto the present situation.¶
From the previous analysis, the desired properties of a solution are:¶
The last point deserves further discussion. While other possible solutions that would have encrypted more of the RTP header (e.g., the number of CSRCs) were considered, the inability to parse the resultant packets with current tools and a generally higher level of complexity outweighed the slight improvement in confidentiality in these solutions. Hence, a more pragmatic approach was taken to solve the problem described inSection 1.1.¶
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14[RFC2119][RFC8174] when, and only when, they appear in all capitals, as shown here.¶
This specification proposes a mechanism to negotiate encryption of allRTP header extensions (ids, lengths, and values) as well as CSRC values. Itreuses the existing SRTP framework, is accordingly simple to implement, andis backward compatible with existing RTP packet parsing code, even whensupport for the mechanism has been negotiated.¶
Except when explicitly stated otherwise, Cryptex reuses all the framework procedures, transforms, and considerations described in[RFC3711].¶
Cryptex support is indicated via a new "a=cryptex" SDP attribute defined in this specification.¶
The new "a=cryptex" attribute is a property attribute as defined inSection 5.13 of [RFC8866]; it therefore takes no value and can be used at the session level or media level.¶
The presence of the "a=cryptex" attribute in the SDP (in either an offer or an answer) indicates thatthe endpoint is capable of receiving RTP packets encrypted with Cryptex, as defined below.¶
Once each peer has verified that the other party supports receiving RTP packets encrypted with Cryptex, senders can unilaterally decide whether or not to use the Cryptex mechanism on a per-packet basis.¶
If BUNDLE is in use as per[RFC9143] and the "a=cryptex" attribute is present for a media line, itMUST be present for all RTP-based "m=" sections belonging to the same bundle group. This ensures that the encrypted Media Identifier (MID) header extensions can be processed, allowing RTP streams to be associated with the correct "m=" section in each BUNDLE group as specified inSection 9.2 of [RFC9143]. When used with BUNDLE, this attribute is assigned to the TRANSPORT category[RFC8859].¶
Both endpoints can change the Cryptex support status by modifying the session as specified inSection 8 of [RFC3264]. Generating subsequent SDP offers and answersMUST use the same procedures for including the "a=cryptex" attribute as the ones on the initial offer and answer.¶
A General Mechanism for RTP Header Extensions[RFC8285] defines two values for the "defined by profile" field for carryingone-byte and two-byte header extensions. In order to allow a receiver to determineif an incoming RTP packet is using the encryption scheme in this specification,two new values are defined:¶
In the case of using two-byte header extensions, the extension identifier with value 256MUST NOTbe negotiated, as the value of this identifier is meant to be contained in the "appbits" of the"defined by profile" field, which are not available when using the values above.¶
Note that as per[RFC8285], it is not possible to mix one-byte and two-byte headers on the same RTP packet. Mixing one-byte and two-byte headers on the same RTP stream requires negotiation of the "extmap-allow-mixed" SDP attribute as defined inSection 6 of [RFC8285].¶
PeersMAY negotiate both Cryptex and the Encryption of Header Extensions mechanism defined in[RFC6904] via SDP offer/answer as described inSection 4, and if both mechanisms are supported, either one can be used for any given packet. However, if a packet is encrypted with Cryptex, itMUST NOT also use header extension encryption[RFC6904], and vice versa.¶
If one of the peers has advertised the ability to receive both Cryptex andheader extensions encrypted as per[RFC6904] in the SDPexchange, it isRECOMMENDED that the other peer use Cryptexrather than the mechanism in[RFC6904] when sending RTP packetsso that all the header extensions and CSRCS are encrypted. However, if there is acompelling reason to use the mechanism in[RFC6904] (e.g., aneed for some header extensions to be sent in the clear so that so they areprocessable by RTP middleboxes), the other peerSHOULD usethe mechanism in[RFC6904] instead.¶
When the mechanism defined by this specification has been negotiated,sending an RTP packet that has any CSRCs or contains any header extensions[RFC8285] follows the steps below. This mechanismMUST NOT beused with header extensions other than the variety described in[RFC8285].¶
If the RTP packet contains one-byte headers, the 16-bit RTP header extension tagMUST be set to 0xC0DE to indicate that the encryption has been applied and the one-byte framing is being used. If the RTP packet contains two-byte headers, the header extension tagMUST be set to 0xC2DE to indicate encryption has been applied and the two-byte framing is being used.¶
If the packet contains CSRCs but no header extensions, an empty extension blockconsisting of the 0xC0DE tag and a 16-bit length field set to zero (explicitlypermitted by[RFC3550])MUST be appended, and the X bitMUST be set to 1 toindicate an extension block is present. This is necessary to provide the receiveran indication that the CSRCs in the packet are encrypted.¶
The RTP packetMUST then be encrypted as described inSection 6.2 ("Encryption Procedure").¶
When receiving an RTP packet that contains header extensions, the"defined by profile" fieldMUST be checked to ensure the payload isformatted according to this specification. If the field does not matchone of the values defined above, the implementationMUST insteadhandle it according to the specification that defines that value.¶
Alternatively, if the implementation considers the use of this specification mandatory and the "defined by profile" field does not match one of the values defined above, itMUST stop the processing of the RTP packet and report an error for the RTP stream.¶
If the RTP packet passes this check, it is then decrypted as described inSection 6.3 ("Decryption Procedure") and passed to the next layer to processthe packet and its extensions. In the event that a zero-length extensionblock was added as indicated above, it can be left as is and will beprocessed normally.¶
When this mechanism is active, the SRTP packet is protected as follows:¶
0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<+ |V=2|P|X| CC |M| PT | sequence number | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | timestamp | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | synchronization source (SSRC) identifier | |+>+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ || | contributing source (CSRC) identifiers | || | .... | |+>+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |X | 0xC0 or 0xC2 | 0xDE | length | |+>+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ || | RFC 8285 header extensions | || +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ || | payload ... | || | +-------------------------------+ || | | RTP padding | RTP pad count | |+>+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<+| ~ SRTP Master Key Identifier (MKI) (OPTIONAL) ~ || +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ || : authentication tag (RECOMMENDED) : || +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ || |+- Encrypted Portion Authenticated Portion ---+
Note that, as required by[RFC8285], the 4 bytes at the start of the extension block are not encrypted.¶
Specifically, the Encrypted PortionMUST include any CSRC identifiers, anyRTP header extension (except for the first 4 bytes), and the RTP payload.¶
The encryption procedure is identical to that of[RFC3711] except for the Encrypted Portion of the SRTP packet. The plaintext input to the cipher is as follows:¶
Plaintext = CSRC identifiers (if used) || header extension data || RTP payload || RTP padding (if used) || RTP pad count (if used)¶
Here "header extension data" refers to the content of the RTP extension field,excluding the first four bytes (the extension header[RFC8285]). The first4 * CSRC count (CC) bytes of the ciphertext are placed in the CSRC field of the RTP header.The remainder of the ciphertext is the RTP payload of the encrypted packet.¶
To minimize changes to surrounding code, the encryption mechanism can chooseto replace a "defined by profile" field from[RFC8285] with its counterpartdefined inSection 5 ("RTP Header Processing") and encrypt at the same time.¶
For Authenticated Encryption with Associated Data (AEAD) ciphers (e.g., AES-GCM), the 12-byte fixed header and the four-byte headerextension header (the "defined by profile" field and the length) are consideredadditional authenticated data (AAD), even though they are non-contiguous in the packet if CSRCs are present.¶
Associated Data: fixed header || extension header (if X=1)¶
Here "fixed header" refers to the 12-byte fixed portion of the RTP header, and"extension header" refers to the four-byte extension header[RFC8285] ("definedby profile" and extension length).¶
Implementations can rearrange a packet so that the AAD and plaintext arecontiguous by swapping the order of the extension header and the CSRCidentifiers, resulting in an intermediate representation of the form shown inFigure 2. After encryption, the CSRCs (now encrypted) andextension header would need to be swapped back to their original positions. Asimilar operation can be done when decrypting to create contiguous ciphertextand AAD inputs.¶
0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<+ |V=2|P|X| CC |M| PT | sequence number | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | timestamp | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | synchronization source (SSRC) identifier | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | 0xC0 or 0xC2 | 0xDE | length | |+>+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+<+| | contributing source (CSRC) identifiers | || | .... | || +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ || | RFC 8285 header extensions | || +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ || | payload ... | || | +-------------------------------+ || | | RTP padding | RTP pad count | |+>+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ || |+- Plaintext Input AAD Input ---+
Note that this intermediate representation is only displayed as reference for implementations and is not meant to be sent on the wire.¶
The decryption procedure is identical to that of[RFC3711] exceptfor the Encrypted Portion of the SRTP packet, which is as shown in the section above.¶
To minimize changes to surrounding code, the decryption mechanism can chooseto replace the "defined by profile" field with its no-encryption counterpartfrom[RFC8285] and decrypt at the same time.¶
This specification attempts to encrypt as much as possible without interferingwith backward compatibility for systems that expect a certain structure froman RTPv2 packet, including systems that perform demultiplexing based on packetheaders. Accordingly, the first two bytes of the RTP packet are not encrypted.¶
This specification also attempts to reuse the key scheduling from SRTP, whichdepends on the RTP packet sequence number and SSRC identifier. Accordingly,these values are also not encrypted.¶
All security considerations inSection 9 of [RFC3711] are applicable to this specification; the exception is Section9.4, because confidentiality of the RTP Header is the purpose of this specification.¶
The risks of using weak or NULL authentication with SRTP, described inSection 9.5 of [RFC3711], apply to encrypted header extensions as well.¶
This specification extends SRTP by expanding the Encrypted Portion of the RTP packet,as shown inSection 6.1 ("Packet Structure"). It does not change how SRTP authenticationworks in any way. Given that more of the packet is being encrypted than before,this is necessarily an improvement.¶
The RTP fields that are left unencrypted (see rationale above) are as follows:¶
These values contain a fixed set (i.e., one that won't be changed byextensions) of information that, at present, is observed to have lowsensitivity. In the event any of these values need to be encrypted, SRTPis likely the wrong protocol to use and a fully encapsulating protocolsuch as DTLS is preferred (with its attendant per-packet overhead).¶
This document updates the "attribute-name (formerly "att-field")" subregistry of the "Session Description Protocol (SDP) Parameters" registry (seeSection 8.2.4 of [RFC8866]). Specifically, it adds the SDP "a=cryptex" attribute for use at both the media level and the session level.¶
All values are in hexadecimal and represented in network order (big endian).¶
The following subsections list the test vectors for using Cryptex with AES-CTR as per[RFC3711].¶
Common values are organized as follows:¶
Rollover Counter: 00000000Master Key: e1f97a0d3e018be0d64fa32c06de4139Master Salt: 0ec675ad498afeebb6960b3aabe6Crypto Suite: AES_CM_128_HMAC_SHA1_80Session Key: c61e7a93744f39ee10734afe3ff7a087Session Salt: 30cbbc08863d8c85d49db34a9ae1Authentication Key: cebe321f6ff7716b6fd4ab49af256a156d38baa4¶
RTP Packet:¶
900f1235 decafbad cafebabe bede0001 51000200 abababab abababab abababab abababab¶
Encrypted RTP Packet:¶
900f1235 decafbad cafebabe c0de0001 eb923652 51c3e036 f8de27e9 c27ee3e0 b4651d9f bc4218a7 0244522f 34a5¶
RTP Packet:¶
900f1236 decafbad cafebabe 10000001 05020002 abababab abababab abababab abababab¶
Encrypted RTP Packet:¶
900f1236 decafbad cafebabe c2de0001 4ed9cc4e 6a712b30 96c5ca77 339d4204 ce0d7739 6cab6958 5fbce381 94a5¶
RTP Packet:¶
920f1238 decafbad cafebabe 0001e240 0000b26e bede0001 51000200 abababab abababab abababab abababab¶
Encrypted RTP Packet:¶
920f1238 decafbad cafebabe 8bb6e12b 5cff16dd c0de0001 92838c8c 09e58393 e1de3a9a 74734d67 45671338 c3acf11d a2df8423 bee0¶
RTP Packet:¶
920f1239 decafbad cafebabe 0001e240 0000b26e 10000001 05020002 abababab abababab abababab abababab¶
Encrypted RTP Packet:¶
920f1239 decafbad cafebabe f70e513e b90b9b25 c2de0001 bbed4848 faa64466 5f3d7f34 125914e9 f4d0ae92 3c6f479b 95a0f7b5 3133¶
RTP Packet:¶
920f123a decafbad cafebabe 0001e240 0000b26e bede0000 abababab abababab abababab abababab¶
Encrypted RTP Packet:¶
920f123a decafbad cafebabe 7130b6ab fe2ab0e3 c0de0000 e3d9f64b 25c9e74c b4cf8e43 fb92e378 1c2c0cea b6b3a499 a14c¶
RTP Packet:¶
920f123b decafbad cafebabe 0001e240 0000b26e 10000000 abababab abababab abababab abababab¶
Encrypted RTP Packet:¶
920f123b decafbad cafebabe cbf24c12 4330e1c8 c2de0000 599dd45b c9d687b6 03e8b59d 771fd38e 88b170e0 cd31e125 eabe¶
The following subsections list the test vectors for using Cryptex with AES-GCM as per[RFC7714].¶
Common values are organized as follows:¶
Rollover Counter: 00000000 Master Key: 000102030405060708090a0b0c0d0e0f Master Salt: a0a1a2a3a4a5a6a7a8a9aaab Crypto Suite: AEAD_AES_128_GCM Session Key: 077c6143cb221bc355ff23d5f984a16e Session Salt: 9af3e95364ebac9c99c5a7c4¶
RTP Packet:¶
900f1235 decafbad cafebabe bede0001 51000200 abababab abababab abababab abababab¶
Encrypted RTP Packet:¶
900f1235 decafbad cafebabe c0de0001 39972dc9 572c4d99 e8fc355d e743fb2e 94f9d8ff 54e72f41 93bbc5c7 4ffab0fa 9fa0fbeb¶
RTP Packet:¶
900f1236 decafbad cafebabe 10000001 05020002 abababab abababab abababab abababab¶
Encrypted RTP Packet:¶
900f1236 decafbad cafebabe c2de0001 bb75a4c5 45cd1f41 3bdb7daa 2b1e3263 de313667 c9632490 81b35a65 f5cb6c88 b394235f¶
RTP Packet:¶
920f1238 decafbad cafebabe 0001e240 0000b26e bede0001 51000200 abababab abababab abababab abababab¶
Encrypted RTP Packet:¶
920f1238 decafbad cafebabe 63bbccc4 a7f695c4 c0de0001 8ad7c71f ac70a80c 92866b4c 6ba98546 ef913586 e95ffaaf fe956885 bb0647a8 bc094ac8¶
RTP Packet:¶
920f1239 decafbad cafebabe 0001e240 0000b26e 10000001 05020002 abababab abababab abababab abababab¶
Encrypted RTP Packet:¶
920f1239 decafbad cafebabe 3680524f 8d312b00 c2de0001 c78d1200 38422bc1 11a7187a 18246f98 0c059cc6 bc9df8b6 26394eca 344e4b05 d80fea83¶
RTP Packet:¶
920f123a decafbad cafebabe 0001e240 0000b26e bede0000 abababab abababab abababab abababab¶
Encrypted RTP Packet:¶
920f123a decafbad cafebabe 15b6bb43 37906fff c0de0000 b7b96453 7a2b03ab 7ba5389c e9331712 6b5d974d f30c6884 dcb651c5 e120c1da¶
RTP Packet:¶
920f123b decafbad cafebabe 0001e240 0000b26e 10000000 abababab abababab abababab abababab¶
Encrypted RTP Packet:¶
920f123b decafbad cafebabe dcb38c9e 48bf95f4 c2de0000 61ee432c f9203170 76613258 d3ce4236 c06ac429 681ad084 13512dc9 8b5207d8¶
The authors wish to thankLennart Grahl for pointing out many of the issues with the existing header encryption mechanism, as well as suggestions for this proposal. Thanks also toJonathan Lennox,Inaki Castillo, andBernard Aboba for their reviews and suggestions.¶