| RFC 8870 | EKT SRTP | January 2021 |
| Jennings, et al. | Standards Track | [Page] |
Encrypted Key Transport (EKT) is an extension to DTLS(Datagram Transport Layer Security) and the Secure Real-timeTransport Protocol (SRTP) that provides for the securetransport of SRTP master keys, rollover counters, and otherinformation within SRTP. This facility enables SRTP for decentralizedconferences by distributing a common key to all of the conferenceendpoints.¶
This is an Internet Standards Track document.¶
This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Further information on Internet Standards is available in Section 2 of RFC 7841.¶
Information about the current status of this document, any errata, and how to provide feedback on it may be obtained athttps://www.rfc-editor.org/info/rfc8870.¶
Copyright (c) 2021 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.¶
The Real-time Transport Protocol (RTP) is designed to allow decentralizedgroups with minimal control to establish sessions, such as formultimedia conferences. Unfortunately, Secure RTP (SRTP)[RFC3711]cannot be used in many minimal-control scenarios, because it requiresthat synchronization source (SSRC) values and other data becoordinated among all of the participants in a session. For example,if a participant joins a session that is already in progress, thatparticipant needs to be informed of the SRTP keys along with the SSRC,rollover counter (ROC), and other details of the other SRTP sources.¶
The inability of SRTP to work in the absence of central control waswell understood during the design of the protocol; the omission wasconsidered less important than optimizations such as bandwidthconservation. Additionally, in many situations, SRTP is used inconjunction with a signaling system that can provide the centralcontrol needed by SRTP. However, there are several cases in whichconventional signaling systems cannot easily provide all of thecoordination required.¶
This document defines Encrypted Key Transport (EKT) for SRTP andreduces the amount of external signaling control that is needed in anSRTP session with multiple receivers. EKT securely distributes theSRTP master key and other information for each SRTP source. With thismethod, SRTP entities are free to choose SSRC values as they see fitand to start up new SRTP sources with new SRTP master keys within asession without coordinating with other entities via external signalingor other external means.¶
EKT extends DTLS and SRTP to enable a common key encryption key(called an "EKTKey") to be distributed to all endpoints, so that eachendpoint can securely send its SRTP master key and current SRTPROC to the other participants in the session. This datafurnishes the information needed by the receiver to instantiate anSRTP receiver context.¶
EKT can be used in conferences where the central Media Distributor orconference bridge cannot decrypt the media, such as the type definedin[RFC8871]. It can also be used forlarge-scale conferences where the conference bridge or MediaDistributor can decrypt all the media but wishes to encrypt the mediait is sending just once and then send the same encrypted media to a largenumber of participants. This reduces encryption CPU timein general and is necessary when sending multicast media.¶
EKT does not control the manner in which the SSRC is generated. Itis only concerned with distributing the security parameters that anendpoint needs to associate with a given SSRC in order to decryptSRTP packets from that sender.¶
EKT is not intended to replace external key establishmentmechanisms. Instead, it is used in conjunction with those methods, andit relieves those methods of the burden of delivering the context foreach SRTP source to every SRTP participant. This document defineshow EKT works with the DTLS-SRTP approach to key establishment, byusing keys derived from the DTLS-SRTP handshake to encipher theEKTKey in addition to the SRTP media.¶
This specification defines a way for the server in a DTLS-SRTPnegotiation (seeSection 5) to provide an EKTKey to the clientduring the DTLS handshake. The EKTKey thus obtained can be used toencrypt the SRTP master key that is used to encrypt the media sent bythe endpoint. This specification also defines a way to send theencrypted SRTP master key (with the EKTKey) along with the SRTP packet(seeSection 4). Endpoints that receive this packet and know the EKTKey can usethe EKTKey to decrypt the SRTP master key, which can then be used to decryptthe SRTP packet.¶
One way to use this specification is described in the architecture definedby[RFC8871]. Each participant in theconference forms a DTLS-SRTP connection to a common Key Distributorthat distributes the same EKTKey to all the endpoints.Then, each endpoint picks its own SRTP master key for the mediait sends. When sending media, the endpoint may also include theSRTP master key encrypted with the EKTKey in the SRTP packet.This allows all the endpoints to decrypt the media.¶
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14[RFC2119][RFC8174] when, and only when, they appear in all capitals, as shown here.¶
EKT defines a new method of providing SRTP master keys to anendpoint. In order to convey the ciphertext corresponding to the SRTPmaster key, and other additional information, an additional field,called the "EKTField", is added to the SRTP packets. The EKTField appearsat the end of the SRTP packet. It appears after the optionalauthentication tag, if one is present; otherwise, the EKTFieldappears after the ciphertext portion of the packet.¶
EKTMUST NOT be used in conjunction with SRTP's MKI (Master KeyIdentifier) or with SRTP's <From, To>[RFC3711], as those SRTPfeatures duplicate some of the functions of EKT. SendersMUST NOTinclude the MKI when using EKT. ReceiversSHOULD simply ignore any MKIfield received if EKT is in use.¶
This document defines the use of EKT with SRTP. Its use with the Secure Real-time Transport Control Protocol (SRTCP)would be similar, but that topic is left for a future specification. SRTPis preferred for transmitting keying material because (1) it shares fatewith the transmitted media, (2) SRTP rekeying can occur withoutconcern for RTCP transmission limits, and (3) it avoids the needfor SRTCP compound packets with RTP translators and mixers.¶
The EKTField uses the formats defined in Figures 1 and2 for theFullEKTField and ShortEKTField. The EKTField appended to an SRTPpacket can be referred to as an "EKT Tag".¶
0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+: :: EKT Ciphertext :: :+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+| Security Parameter Index | Epoch |+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+| Length |0 0 0 0 0 0 1 0|+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
0 1 2 3 4 5 6 7+-+-+-+-+-+-+-+-+|0 0 0 0 0 0 0 0|+-+-+-+-+-+-+-+-+
Figure 3 shows the syntax of the EKTField, expressed in ABNF[RFC5234]. The EKTField is added to the end of an SRTPpacket. The EKTPlaintext is the concatenation of SRTPMasterKeyLength,SRTPMasterKey, SSRC, and ROC, in that order. The EKTCiphertext iscomputed by encrypting the EKTPlaintext using the EKTKey. Futureextensions to the EKTFieldMUST conform to the syntax of theExtensionEKTField.¶
BYTE = %x00-FFEKTMsgTypeFull = %x02EKTMsgTypeShort = %x00EKTMsgTypeExtension = %x03-FF ; Message Type %x01 is not available ; for assignment due to its usage by ; legacy implementations.EKTMsgLength = 2BYTESRTPMasterKeyLength = BYTESRTPMasterKey = 1*242BYTESSRC = 4BYTE ; SSRC from RTPROC = 4BYTE ; ROC from SRTP for the given SSRCEKTPlaintext = SRTPMasterKeyLength SRTPMasterKey SSRC ROCEKTCiphertext = 1*251BYTE ; EKTEncrypt(EKTKey, EKTPlaintext)Epoch = 2BYTESPI = 2BYTEFullEKTField = EKTCiphertext SPI Epoch EKTMsgLength EKTMsgTypeFullShortEKTField = EKTMsgTypeShortExtensionData = 1*1024BYTEExtensionEKTField = ExtensionData EKTMsgLength EKTMsgTypeExtensionEKTField = FullEKTField / ShortEKTField / ExtensionEKTField
These fields and data elements are defined as follows:¶
This field indicates the appropriate EKTKey and other parameters for the receiver to use when processing the packet, within a given conference. The length of this field is 16 bits, representing a two-byte integer in network byte order. The parameters identified by this field are as follows:¶
Together, these data elements are called an "EKT parameter set". To avoid ambiguity, each distinct EKT parameter set that is usedMUST be associated with a distinct SPI value.¶
The SPI identifies the parameters for how the EKT Tag shouldbe processed:¶
Together, these data elements are called an "EKT parameter set". To avoid ambiguity, each distinct EKT parameter set that is usedMUST be associated with a distinct SPI value. The association of a givenparameter set with a given SPI value is configured by some otherprotocol, e.g., the DTLS-SRTP extension defined inSection 5.¶
At any given time, the SSRC for each SRTP source has associated with it a single EKT parameter set. This parameter set is used to process all outbound packets and is called the "outbound parameter set" for that SSRC. There may be other EKT parameter sets that are used by otherSRTP sources in the same session, including other SRTPsources on the same endpoint (e.g., one endpoint with voice and videomight have two EKT parameter sets, or there might be multiple videosources on an endpoint, each with their own EKT parameter set). All ofthe received EKT parameter setsSHOULD be stored by all of theparticipants in an SRTP session, for use in processing inbound SRTPtraffic. If a participant deletes an EKT parameter set(e.g., because of space limitations), then it will be unable toprocess Full EKT Tags containing updated media keys and thus will be unableto receive media from a participant that has changed its media key.¶
Either the FullEKTField or ShortEKTField is appended at the tail endof all SRTP packets. The decision regarding which parameter to send and whenis specified inSection 4.6.¶
SeeSection 4.6, which describes when to send an SRTP packet with aFullEKTField. If a FullEKTField is not being sent, then aShortEKTField is sent so the receiver can correctly determine how toprocess the packet.¶
When an SRTP packet is sent with a FullEKTField, the EKTField for thatpacket is created per either the steps below or an equivalent set of steps.¶
Then, the FullEKTField is formed using the EKTCiphertext and the SPIassociated with the EKTKey used above. Also appended are the lengthand Message Type using the FullEKTField format.¶
Note: The value of the EKTCiphertext field is identical in successivepackets protected by the same EKTKey and SRTP master key. This valueMAYbe cached by an SRTP sender to minimize computational effort.¶
The computed value of the FullEKTField is appended to the end of the SRTP packet, after the encrypted payload.¶
When a packet is sent with the ShortEKTField, the ShortEKTField is simply appended to the packet.¶
Outbound packetsSHOULD continue to use the old SRTP master key for250 ms after sending any new key in a FullEKTField value. This givesall the receivers in the system time to get the new key before theystart receiving media encrypted with the new key. (The specificvalue of 250 ms is chosen to represent a reasonable upper bound onthe amount of latency and jitter that is tolerable in a real-timecontext.)¶
When receiving a packet on an RTP stream, the following steps areapplied for each received SRTP packet.¶
The SRTP master key, ROC, and SRTP master salt from the previoussteps are saved in a map indexed by the SSRC found in theEKTPlaintext and can be used for any future crypto operations onthe inbound packets with that SSRC.¶
The value of the EKTCiphertext field is identical in successivepackets protected by the same EKT parameter set, SRTPmaster key, and ROC. SRTP senders and receiversMAY cache anEKTCiphertext value to optimize processing in cases where the masterkey hasn't changed. Instead of encrypting and decrypting, senderscan simply copy the precomputed value and receivers can compare areceived EKTCiphertext to the known value.¶
Section 4.3.1 recommends that SRTP senders continue usingan old key for some time after sending a new key in an EKT Tag.Receivers that wish to avoid packet loss due to decryption failuresMAY perform trial decryption with both the old key and the new key,keeping the result of whichever decryption succeeds. Note that thisapproach is only compatible with SRTP transforms that includeintegrity protection.¶
When receiving a new EKTKey, implementations need to use theekt_ttl field (seeSection 5.2.2)to create a time after which this key cannot be used, and they alsoneed to create a counter that keeps track of how many times the keyhas been used to encrypt data, to ensure that it does not exceed the T valuefor that cipher (seeSection 4.4). If either ofthese limits is exceeded,the key can no longer be used for encryption. At this point, implementationsneed to either use call signaling to renegotiate a new sessionor terminate the existing session. Terminating the session is areasonable implementation choice because these limits should not beexceeded, except under an attack or error condition.¶
EKT uses an authenticated cipher to encrypt and authenticate theEKTPlaintext. This specification defines the interface to the cipher,in order to abstract the interface away from the details of thatfunction. This specification also defines the default cipher that isused in EKT. The default cipher described inSection 4.4.1MUSTbe implemented, but another cipher that conforms to this interfaceMAY be used. The cipher used for a given EKTCiphertext value isnegotiated using the supported_ekt_ciphers extension (seeSection 5.2) and indicated with theSPI value in the FullEKTField.¶
An EKTCipher consists of an encryption function and a decryptionfunction. The encryption function E(K, P) takes the following inputs:¶
The encryption function returns a ciphertext value C whose length is Nbytes, where N may be larger than M. The decryption function D(K, C)takes the following inputs:¶
The decryption function returns a plaintext value P that is M byteslong, or it returns an indication that the decryption operation failedbecause the ciphertext was invalid (i.e., it was not generated by theencryption of plaintext with the key K).¶
These functions have the property that D(K, E(K, P)) = P for allvalues of K and P. Each cipher also has a limit T on the number oftimes that it can be used with any fixed key value. The EKTKeyMUST NOT be used for encryption more than T times. Note that if the sameFullEKTField is retransmitted three times, that only counts as oneencryption.¶
Security requirements for EKT Ciphers are discussed inSection 6.¶
The default EKT Cipher is the Advanced Encryption Standard (AES) Key Wrap with Padding algorithm[RFC5649]. It requires a plaintext length M that is at least one octet, and it returns a ciphertext with a length of N = M + (M mod 8) + 8 octets. It can be used with key sizes of L = 16 octets or L = 32 octets, and its use with those key sizes is indicated as AESKW128 or AESKW256, respectively. The key size determines the length of the AES key used by the Key Wrap algorithm. With this cipher, T=248.¶
| Cipher | L | T |
|---|---|---|
| AESKW128 | 16 | 248 |
| AESKW256 | 32 | 248 |
As AES-128 is the mandatory-to-implement transform in SRTP, AESKW128MUST be implemented for EKT. AESKW256MAY be implemented.¶
Other specifications may extend this document by defining otherEKTCiphers, as described inSection 7. This section defines how thoseciphers interact with this specification.¶
An EKTCipher determines how the EKTCiphertext field is written andhow it is processed when it is read. This field is opaque to the otheraspects of EKT processing. EKT Ciphers are free to use this field inany way, but theySHOULD NOT use other EKT or SRTP fields as aninput. The values of the parameters L and TMUST be defined by eachEKTCipher. The cipherMUST provide integrity protection.¶
If a source has its EKTKey changed by key management, itMUST alsochange its SRTP master key, which will cause it to send out a newFullEKTField and eventually begin encrypting with it, as described inSection 4.3.1.This ensures that if key management thought the EKTKeyneeds changing (due to a participant leaving or joining) andcommunicated that to a source, the source will also change its SRTPmaster key, so that traffic can be decrypted only by those who knowthe current EKTKey.¶
A system using EKT learns the SRTP master keys distributed withthe FullEKTField sent with SRTP, rather than with call signaling. Areceiver can immediately decrypt an SRTP packet, provided the SRTPpacket contains a FullEKTField.¶
This section describes how to reliably and expediently deliver newSRTP master keys to receivers.¶
There are three cases to consider. In the first case, a new sender joins a session and needs to communicate its SRTP master key to all the receivers. In the second case, a sender changes its SRTP master key, which needs to be communicated to all the receivers. In the third case, a new receiver joins a session already in progress and needs to know the sender's SRTP master key.¶
The three cases are as follows:¶
If none of the above three cases apply, a ShortEKTFieldSHOULD be sent.¶
In general, sending FullEKTField tags less frequently will consume lessbandwidth but will increase the time it takes for a join or rekey totake effect. Applications should schedule the sending of FullEKTField tags ina way that makes sense for their bandwidth and latency requirements.¶
This document defines an extension to DTLS-SRTP called "SRTP EKTKeyTransport", which enables secure transport of EKT keying material fromthe DTLS-SRTP peer in the server role to the client. This allowssuch a peer to process EKT keying material in SRTP andretrieve the embedded SRTP keying material. This combination ofprotocols is valuable because it combines the advantages of DTLS,which has strong authentication of the endpoint and flexibility,along with allowing secure multi-party RTP with loose coordinationand efficient communication of per-source keys.¶
In cases where the DTLS termination point is more trusted than themedia relay, the protection that DTLS affords to EKT keying materialcan allow EKT Keys to be tunneled through an untrusted relay such asa centralized conference bridge. For more details, see[RFC8871].¶
DTLS-SRTP[RFC5764] uses an extended DTLS exchange between twopeers to exchange keying material, algorithms, and parameters forSRTP. The SRTP flow operates over the same transport as theDTLS-SRTP exchange (i.e., the same 5-tuple). DTLS-SRTP combines theperformance and encryption flexibility benefits of SRTP with theflexibility and convenience of DTLS-integrated key and associationmanagement. DTLS-SRTP can be viewed in two equivalent ways: as a newkey management method for SRTP and as a new RTP-specific data formatfor DTLS.¶
This document defines a new TLS negotiated extensioncalled "supported_ekt_ciphers" and a new TLS handshake message type called"ekt_key". The extension negotiates the cipher to be used inencrypting and decrypting EKTCiphertext values, and the handshakemessage carries the corresponding key.¶
Figure 4 shows a messageflow between a DTLS 1.3 client and serverusing EKT configured using the DTLS extensions described in thissection. (The initial cookie exchange and other normal DTLSmessages are omitted.) To be clear, EKT can be used with versionsof DTLS prior to 1.3. The only difference is that in pre-1.3 TLS,stacks will not have built-in support for generating and processingACK messages.¶
Client ServerClientHello + use_srtp + supported_ekt_ciphers --------> ServerHello {EncryptedExtensions} + use_srtp + supported_ekt_ciphers {... Finished} <--------{... Finished} --------> [ACK] <-------- [EKTKey][ACK] -------->|SRTP packets| <-------> |SRTP packets|+ <EKT Tags> + <EKT Tags>{} Messages protected using DTLS handshake keys[] Messages protected using DTLS application traffic keys<> Messages protected using the EKTKey and EKT Cipher|| Messages protected using the SRTP master key sent in a Full EKT TagIn the context of a multi-party SRTP session in which each endpointperforms a DTLS handshake as a client with a central DTLS server,the extensions defined in this document allow the DTLS server to seta common EKTKey for all participants. Each endpoint can then useEKT Tags encrypted with that common key to inform other endpoints ofthe keys it uses to protect SRTP packets. This avoids the needfor many individual DTLS handshakes among the endpoints, at the costof preventing endpoints from directly authenticating one another.¶
Client A Server Client B <----DTLS Handshake----> <--------EKTKey--------- <----DTLS Handshake----> ---------EKTKey--------> -------------SRTP Packet + EKT Tag-------------> <------------SRTP Packet + EKT Tag--------------¶
To indicate its support for EKT, a DTLS-SRTP client includes in itsClientHello an extension of type supported_ekt_ciphers listing theciphers used for EKT by the client, in preference order, withthe most preferred version first. If the server agrees to use EKT,then it includes a supported_ekt_ciphers extension in itsEncryptedExtensions (or ServerHello for DTLS 1.2)containing a cipher selected from among those advertised by theclient.¶
The extension_data field of this extension contains an "EKTCipher" value,encoded using the syntax defined in[RFC8446]:¶
enum { reserved(0), aeskw_128(1), aeskw_256(2), } EKTCipherType; struct { select (Handshake.msg_type) { case client_hello: EKTCipherType supported_ciphers<1..255>; case server_hello: EKTCipherType selected_cipher; case encrypted_extensions: EKTCipherType selected_cipher; }; } EKTCipher;¶Once a client and server have concluded a handshake that negotiatedan EKTCipher, the serverMUST provide to the client a key to beused when encrypting and decrypting EKTCiphertext values. EKTKeysare sent in encrypted handshake records, using handshake typeekt_key(26). The body of the handshake message contains anEKTKey structure as follows:¶
struct { opaque ekt_key_value<1..256>; opaque srtp_master_salt<1..256>; uint16 ekt_spi; uint24 ekt_ttl;} EKTKey;¶The contents of the fields in this message are as follows:¶
If the server did not provide a supported_ekt_ciphers extension inits EncryptedExtensions (or ServerHello for DTLS 1.2), then EKTKey messagesMUST NOT be sent by the clientor the server.¶
When an EKTKey is received and processed successfully, the recipientMUST respond with an ACK message as described inSection 7 of [TLS-DTLS13]. The EKTKey message and ACKMUST be retransmitted following the rules of the negotiated version of DTLS.¶
EKTMAY be used with versions of DTLS prior to 1.3. In such cases, to provide reliability, the ACK message is still used. Thus, DTLSimplementations supporting EKT with pre-1.3 versions of DTLS will need to haveexplicit affordances for sending the ACK message in response to anEKTKey message and for verifying that an ACK message was received.The retransmission rules for both sides are otherwise defined by thenegotiated version of DTLS.¶
If an EKTKey message is received that cannot be processed, then therecipientMUST respond with an appropriate DTLS alert.¶
When using EKT with DTLS-SRTP, the negotiation to use EKT is done atthe DTLS handshake level and does not change the SDP Offer/Answer messaging[RFC3264].¶
The DTLS EKTKey message is sent using the retransmissions specified inSection 4.2.4 of DTLS [RFC6347]. Retransmission is finished with an ACK message, or an alert is received.¶
EKT inherits the security properties of the key management protocol that is used to establish the EKTKey, e.g., the DTLS-SRTP extension defined in this document.¶
With EKT, each SRTP sender and receiverMUST generate distinct SRTPmaster keys. This property avoids any security concerns over the reuseof keys, by empowering the SRTP layer to create keys on demand. Notethat the inputs of EKT are the same as for SRTP with key-sharing: asingle key is provided to protect an entire SRTP session. However, EKTremains secure even when SSRC values collide.¶
SRTP master keysMUST be randomly generated, and[RFC4086] offerssome guidance about random number generation. SRTP master keysMUST NOT be reused for any other purpose, and SRTP master keysMUST NOT bederived from other SRTP master keys.¶
The EKT Cipher includes its own authentication/integrity check.¶
The presence of the SSRC in the EKTPlaintext ensures that an attackercannot substitute an EKTCiphertext from one SRTP stream into anotherSRTP stream. This mitigates the impact of cut-and-paste attacksthat arise due to the lack of a cryptographic binding between theEKT Tag and the rest of the SRTP packet. SRTP tags can only becut-and-pasted within the stream of packets sent by a given RTPendpoint; an attacker cannot "cross the streams" and use an EKT Tagfrom one SSRC to reset the key for another SSRC. The Epoch fieldin the FullEKTField also prevents an attacker from rolling back to aprevious key.¶
An attacker could send packets containing a FullEKTField, in anattempt to consume additional CPU resources of the receiving system bycausing the receiving system to decrypt the EKT ciphertext anddetect an authentication failure. In some cases, caching the previousvalues of the ciphertext as described inSection 4.3.2 helpsmitigate this issue.¶
In a similar vein, EKT has no replay protection, so an attackercould implant improper keys in receivers by capturing EKTCiphertextvalues encrypted with a given EKTKey and replaying them in adifferent context, e.g., from a different sender. When theunderlying SRTP transform provides integrity protection, this attackwill just result in packet loss. If it does not, then it willresult in random data being fed to RTP payload processing. Anattacker that is in a position to mount these attacks, however,could achieve the same effects more easily without attacking EKT.¶
The key encryption keys distributed with EKTKey messages are groupshared symmetric keys, which means they do not provide protectionwithin the group. Group members can impersonate each other; forexample, any group member can generate an EKT Tag for any SSRC. Theentity that distributes EKTKeys can decrypt any keys distributedusing EKT and thus any media protected with those keys.¶
Each EKT Cipher specifies a value T that is the maximum number oftimes a given key can be used. An endpointMUST NOT encrypt more thanT different FullEKTField values using the same EKTKey. In addition, theEKTKeyMUST NOT be used beyond the lifetime provided by the TTLdescribed inSection 5.2.¶
The key length of the EKT CipherMUST be at least as long as the SRTP cipher and at least as longas the DTLS-SRTP ciphers.¶
Part of the EKTPlaintext is known or is easily guessable to anattacker. Thus, the EKT CipherMUST resist known plaintext attacks. Inpractice, this requirement does not impose any restrictions on ourchoices, since the ciphers in use provide high security even when muchplaintext is known.¶
An EKT CipherMUST resist attacks in which both ciphertexts andplaintexts can be adaptively chosen by an attacker querying boththe encryption and decryption functions.¶
In some systems, when a member of a conference leaves the conference,that conference is rekeyed so that the member who left the conference no longer has the key. Whenchanging to a new EKTKey, it is possible that the attacker could blockthe EKTKey message getting to a particular endpoint and that endpointwould keep sending media encrypted using the old key. To mitigate thatrisk, the lifetime of the EKTKeyMUST be limited by using the ekt_ttl.¶
IANA has created a new table for "EKT Message Types" inthe "Real-Time Transport Protocol (RTP) Parameters" registry. Theinitial values in this registry are as follows:¶
| Message Type | Value | Specification |
|---|---|---|
| Short | 0 | RFC 8870 |
| Unassigned | 1 | |
| Full | 2 | RFC 8870 |
| Unassigned | 3-254 | |
| Reserved | 255 | RFC 8870 |
New entries in this table can be added via "Specification Required" asdefined in[RFC8126]. To avoid conflicts withpre-standard versions of EKT that have been deployed, IANASHOULD give preference to the allocation of even values over odd values untilthe even code points are consumed. Allocated valuesMUST be in the range of 0 to 254.¶
All new EKT messagesMUST be defined to include a length parameter, as specified inSection 4.1.¶
IANA has created a new table for "EKT Ciphers" in the"Real-Time Transport Protocol (RTP) Parameters" registry. The initialvalues in this registry are as follows:¶
| Name | Value | Specification |
|---|---|---|
| AESKW128 | 0 | RFC 8870 |
| AESKW256 | 1 | RFC 8870 |
| Unassigned | 2-254 | |
| Reserved | 255 | RFC 8870 |
New entries in this table can be added via "Specification Required" asdefined in[RFC8126]. The expertSHOULD ensure that the specificationdefines the values for L and T as required inSection 4.4 of this document. Allocated valuesMUST be in the range of 0 to 254.¶
IANA has added supported_ekt_ciphers as a new extensionname to the "TLS ExtensionType Values" table of the "Transport LayerSecurity (TLS) Extensions" registry:¶
Thank you toRuss Housley, who provided a detailed review and significant help with crafting text for this document. Thanks toDavid Benham,Yi Cheng,Lakshminath Dondeti,Kai Fischer,Nermeen Ismail,Paul Jones,Eddy Lem,Jonathan Lennox,Michael Peck,Rob Raymond,Sean Turner,Magnus Westerlund, andFelix Wyss for fruitful discussions, comments, and contributions to this document.¶