Network Working Group D. McGrew Internet-Draft Cisco Systems, Inc. Intended status: Standards Track March 5, 2009 Expires: September 6, 2009 The use of AES-192 and AES-256 in Secure RTP draft-mcgrew-srtp-big-aes-01.txt Status of this Memo This Internet-Draft is submitted to IETF in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet- Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt. The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html. This Internet-Draft will expire on September 6, 2009. Copyright Notice Copyright (c) 2009 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents in effect on the date of publication of this document (http://trustee.ietf.org/license-info). Please review these documents carefully, as they describe your rights and restrictions with respect to this document. McGrew Expires September 6, 2009 [Page 1] Internet-Draft SRTP AES-192 and AES-256 March 2009 Abstract This memo describes the use of the Advanced Encryption Standard (AES) with 192 and 256 bit keys within the Secure RTP protocol. It defines Counter Mode encryption for SRTP and SRTCP and a new SRTP Key Derivation Function (KDF) for AES-192 and AES-256. Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 1.1. Conventions Used In This Document . . . . . . . . . . . . 3 2. AES-192 and AES-256 Encryption . . . . . . . . . . . . . . . . 4 3. The AES_CM_192_PRF and AES_CM_256_PRF Key Derivation Functions . . . . . . . . . . . . . . . . . . . . . . . . . . 5 3.1. Usage Requirements . . . . . . . . . . . . . . . . . . . . 6 4. Test Cases . . . . . . . . . . . . . . . . . . . . . . . . . . 7 5. Crypto Suties . . . . . . . . . . . . . . . . . . . . . . . . 8 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 12 7. Security Considerations . . . . . . . . . . . . . . . . . . . 13 8. Open Questions . . . . . . . . . . . . . . . . . . . . . . . . 14 9. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 15 10. References . . . . . . . . . . . . . . . . . . . . . . . . . . 16 10.1. Normative References . . . . . . . . . . . . . . . . . . . 16 10.2. Informative References . . . . . . . . . . . . . . . . . . 16 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 17 McGrew Expires September 6, 2009 [Page 2] Internet-Draft SRTP AES-192 and AES-256 March 2009 1. Introduction This memo describes the use of the Advanced Encryption Standard (AES) [FIPS197] with 192 and 256 bit keys within the Secure RTP protocol [RFC3711]. Below those block ciphers are referred to as AES-192 and AES-256, respectively, and the use of AES with a 128 bit key is referred to as AES-128. This document defines Counter Mode encryption for SRTP and SRTCP and a new SRTP Key Derivation Function for AES-192 and AES-256. It also defines new cryptosuites that use these new functions. While AES-128 is widely regarded as more than adequately secure, some users may be motivated to adopt AES-192 or AES-256. One motivation is conformance to the Suite B profile (which requires AES-256 for the protection of TOP SECRET information) [suiteB]. Others may be motivated by a perceived need to purse a highly conservative security strategy; see Section 7 for more discussion of security issues. The crypto functions defined in this document are an addition to, and not a replacement for, the crypto functions defined in [RFC3711]. 1.1. Conventions Used In This Document The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119]. McGrew Expires September 6, 2009 [Page 3] Internet-Draft SRTP AES-192 and AES-256 March 2009 2. AES-192 and AES-256 Encryption Section 4.1.1 of [RFC3711] defines AES-128 counter mode encryption, which it refers to as AES_CM. AES-192 counter mode and AES-256 counter mode are defined in a similar manner, and are denoted as AES_192_CM and AES_256_CM respectively. In both of these ciphers, the plaintext inputs to the block cipher are formed as in AES_CM, and the block cipher outputs are processed as in AES_CM. The only difference in the processing is that AES_192_CM uses AES-192, and AES_256_CM uses AES-256. Both AES_192_CM and AES_256_CM use a 112- bit salt as an input, as does AES_CM. For the convenience of the reader, the structure of the counter blocks in SRTP counter mode encryption is illustrated in Figure 1, using the terminology from Section 4.1.1 of [RFC3711] . In this diagram, the symbol (+) denotes the bitwise exclusive-or operation, and the AES encrypt operation uses AES-128, AES-192, or AES-256 for AES_CM, AES_192_CM, and AES_256_CM, respectively. The field labeled b_c contains a block counter, the value of which increments once for each invocation of the "AES Encrypt" function. one octet <--> 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ |00|00|00|00| SSRC | packet index | b_c |---+ +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ | | +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ v | salt (k_s) |00|00|->(+) +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ | | v +-------------+ encryption key (k_e) -> | AES encrypt | +-------------+ | +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ | | keystream block |<--+ +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ Figure 1: AES Counter Mode. McGrew Expires September 6, 2009 [Page 4] Internet-Draft SRTP AES-192 and AES-256 March 2009 3. The AES_CM_192_PRF and AES_CM_256_PRF Key Derivation Functions Section 4.3.3 of [RFC3711] defines AES-128 counter mode key derivation function, which it refers to as "AES-CM PRF". (That specification uses the term PRF, or pseudo-random function, interchangeably with the term "key derivation function". ) The AES- 192 counter mode PRF and AES-256 counter mode PRF are defined in a similar manner, and are denoted as AES_192_CM_PRF and AES_256_CM_PRF respectively. In both of these PRFs, the plaintext inputs to the block cipher are formed as in the AES-CM PRF, and the block cipher outputs are processed as in the AES-CM PRF. The only difference in the processing is that AES_192_CM_PRF uses AES-192, and AES_256_CM_PRF uses AES-256. Both AES_192_CM_PRF and AES_256_CM_PRF use a 112-bit salt as an input, as does the AES-CM PRF. For the convenience of the reader, the structure of the counter blocks in SRTP counter mode key derivation is illustrated in Figure 2, using the terminology from Section 4.3.3 of [RFC3711]. In this diagram, the symbol (+) denotes the bitwise exclusive-or operation, and the "AES Encrypt" operation uses AES-128, AES-192, or AES-256 for the "AES-CM PRF", AES_192_CM_PRF, and AES_256_CM_PRF, respectively. The field "LB" contains the 8-bit constant "label" which is provided as an input to the key derivation function (and which is distint for each key generated by that function). The field labeled b_c contains a block counter, the value of which increments once for each invocation of the "AES Encrypt" function. one octet <--> 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ |00|00|00|00|00|00|00|LB| index DIV kdr | b_c |---+ +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ | | +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ v | master salt |00|00|->(+) +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ | | v +-------------+ master key -> | AES encrypt | +-------------+ | +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ | | output block |<--+ +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ Figure 2: The AES counter mode Key Derivation Function McGrew Expires September 6, 2009 [Page 5] Internet-Draft SRTP AES-192 and AES-256 March 2009 3.1. Usage Requirements When AES_192_CM is used for encryption, AES_192_CM SHOULD be used as the key derivation function, and AES_128_CM MUST NOT be used as the key derivation function. When AES_256_CM is used for encryption, AES_256_CM SHOULD be used as the key derivation function. Both AES_128_CM and AES_192_CM MUST NOT be used as the key derivation function. Rationale: it is essential that the cryptographic strength of the key derivation meets or exceeds that of the encryption method. It is natural to use the same function for both encryption and key derivation. However, it is not required to do so because it is desirable to allow these ciphers to be used with alternative key derivation functions that may be defined in the future. McGrew Expires September 6, 2009 [Page 6] Internet-Draft SRTP AES-192 and AES-256 March 2009 4. Test Cases In a future version of this document, this section will provide test cases that can be used to validate implementations. McGrew Expires September 6, 2009 [Page 7] Internet-Draft SRTP AES-192 and AES-256 March 2009 5. Crypto Suties This section defines SRTP crypto suites that use the ciphers and key derivation functions defined in this document. These suites are registered with IANA for use with the SDP Security Descriptions attributes (Section 10.3.2.1 of [RFC4568]). Other SRTP key management methods that use the crypto functions defined in this document are encouraged to also use these crypto suite definitions. +------------------------------+------------------------------------+ | Parameter | Value | +------------------------------+------------------------------------+ | Master key length | 192 bits | | | | | Master salt length | 112 bits | | | | | Key Derivation Function | AES_192_CM_PRF (Section 3) | | | | | Default key lifetime | 2^31 packets | | | | | Cipher (for SRTP and SRTCP) | AES_192_CM (Section 2) | | | | | SRTP authentication function | HMAC-SHA1 (Section 4.2.1 of | | | [RFC3711]) | | | | | SRTP authentication key | 160 bits | | length | | | | | | SRTP authentication tag | 80 bits | | length | | | | | | SRTCP authentication | HMAC-SHA1 (Section 4.2.1 of | | function | [RFC3711]) | | | | | SRTCP authentication key | 160 bits | | length | | | | | | SRTCP authentication tag | 80 bits | | length | | +------------------------------+------------------------------------+ Table 1: The AES_CM_192_HMAC_SHA1_80 cryptosuite. McGrew Expires September 6, 2009 [Page 8] Internet-Draft SRTP AES-192 and AES-256 March 2009 +------------------------------+------------------------------------+ | Parameter | Value | +------------------------------+------------------------------------+ | Master key length | 192 bits | | | | | Master salt length | 112 bits | | | | | Key Derivation Function | AES_192_CM_PRF (Section 3) | | | | | Default key lifetime | 2^31 packets | | | | | Cipher (for SRTP and SRTCP) | AES_192_CM (Section 2) | | | | | SRTP authentication function | HMAC-SHA1 (Section 4.2.1 of | | | [RFC3711]) | | | | | SRTP authentication key | 160 bits | | length | | | | | | SRTP authentication tag | 32 bits | | length | | | | | | SRTCP authentication | HMAC-SHA1 (Section 4.2.1 of | | function | [RFC3711]) | | | | | SRTCP authentication key | 160 bits | | length | | | | | | SRTCP authentication tag | 80 bits | | length | | +------------------------------+------------------------------------+ Table 2: The AES_CM_192_HMAC_SHA1_32 cryptosuite. McGrew Expires September 6, 2009 [Page 9] Internet-Draft SRTP AES-192 and AES-256 March 2009 +------------------------------+------------------------------------+ | Parameter | Value | +------------------------------+------------------------------------+ | Master key length | 256 bits | | | | | Master salt length | 112 bits | | | | | Key Derivation Function | AES_256_CM_PRF (Section 3) | | | | | Default key lifetime | 2^31 packets | | | | | Cipher (for SRTP and SRTCP) | AES_256_CM (Section 2) | | | | | SRTP authentication function | HMAC-SHA1 (Section 4.2.1 of | | | [RFC3711]) | | | | | SRTP authentication key | 160 bits | | length | | | | | | SRTP authentication tag | 80 bits | | length | | | | | | SRTCP authentication | HMAC-SHA1 (Section 4.2.1 of | | function | [RFC3711]) | | | | | SRTCP authentication key | 160 bits | | length | | | | | | SRTCP authentication tag | 80 bits | | length | | +------------------------------+------------------------------------+ Table 3: The AES_CM_256_HMAC_SHA1_80 cryptosuite. McGrew Expires September 6, 2009 [Page 10] Internet-Draft SRTP AES-192 and AES-256 March 2009 +------------------------------+------------------------------------+ | Parameter | Value | +------------------------------+------------------------------------+ | Master key length | 256 bits | | | | | Master salt length | 112 bits | | | | | Key Derivation Function | AES_256_CM_PRF (Section 3) | | | | | Default key lifetime | 2^31 packets | | | | | Cipher (for SRTP and SRTCP) | AES_256_CM (Section 2) | | | | | SRTP authentication function | HMAC-SHA1 (Section 4.2.1 of | | | [RFC3711]) | | | | | SRTP authentication key | 160 bits | | length | | | | | | SRTP authentication tag | 32 bits | | length | | | | | | SRTCP authentication | HMAC-SHA1 (Section 4.2.1 of | | function | [RFC3711]) | | | | | SRTCP authentication key | 160 bits | | length | | | | | | SRTCP authentication tag | 80 bits | | length | | +------------------------------+------------------------------------+ Table 4: The AES_CM_256_HMAC_SHA1_32 cryptosuite. McGrew Expires September 6, 2009 [Page 11] Internet-Draft SRTP AES-192 and AES-256 March 2009 6. IANA Considerations IANA is expected to assign the following parameters for the SDP Security Descriptions crypto suite attribute. AES_CM_192_HMAC_SHA1_80 AES_CM_192_HMAC_SHA1_32 AES_CM_256_HMAC_SHA1_80 AES_CM_256_HMAC_SHA1_32 The cryptosuites are as defined in Section 5. McGrew Expires September 6, 2009 [Page 12] Internet-Draft SRTP AES-192 and AES-256 March 2009 7. Security Considerations AES-128 provides a level of security that is widely regarded as being more than sufficient for providing confidentiality. It is believed that the economic cost of breaking AES-128 is significantly higher than the cost of more direct approaches to violating system security, e.g. theft, bribery, wiretapping, and other forms of malfeasance. Future advances in the state of the art of cryptanalysis could eliminate this confidence in AES-128, and motivate the use of AES-192 or AES-256. AES-192 is regarded as being secure even against some adversaries for which breaking AES-128 may be feasible. Similarly, AES-256 is regarded as being secure even against some adversaries for which it may be feasible to break AES-192. The availability of the larger key size versions of AES provides a fallback plan in case of unanticipated cryptanalytic results. It is conjectured that AES-256 provides adequate security even against adversaries that possess the ability to construct a quantum computer that works on 256 or more quantum bits. No such computer is known to exist; its feasibility is an area of active speculation and research. Despite the apparent sufficiency of AES-128, some users are interested in the larger AES key sizes. For some applications, the 40% increase in computational cost for AES-256 over AES-128 is a worthwhile bargain when traded for the security advantages outlined above. These applications include those with a perceived need for very high security, e.g. due to a desire for very long-term confidentiality. As with any cipher, the conjectured security level of AES may change over time. The considerations in this section reflect the best knowledge available at the time of publication of this document. It is desirable that AES_192_CM and AES_192_CM_PRF be used with an authentication function that uses a 192 bit key, and that AES_256_CM and AES_256_CM_PRF be used with an authentication function that uses a 256 bit key. However, this desire is not regarded as security- critical. Cryptographic authentication is resilient against future advances in cryptanalysis, since the opportunity for a forgery attack against a session closes when that session closes. McGrew Expires September 6, 2009 [Page 13] Internet-Draft SRTP AES-192 and AES-256 March 2009 8. Open Questions It may be desirable to eliminate AES-192 altogether, leaving users with the simpler choice of using AES-128 or AES-256. This option preserves the possibility of Suite B conformance. Given that the incremental computational cost of AES-256 over AES-192 is only 16%, and the additional key storage overhead is only 33%, this option imposes only a minimal burden on implementations. McGrew Expires September 6, 2009 [Page 14] Internet-Draft SRTP AES-192 and AES-256 March 2009 9. Acknowledgements Thanks to Bob Bell for feedback and encouragement. McGrew Expires September 6, 2009 [Page 15] Internet-Draft SRTP AES-192 and AES-256 March 2009 10. References 10.1. Normative References [FIPS197] "The Advanced Encryption Standard (AES)", FIPS-197 Federal Information Processing Standard. [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997. [RFC3711] Baugher, M., McGrew, D., Naslund, M., Carrara, E., and K. Norrman, "The Secure Real-time Transport Protocol (SRTP)", RFC 3711, March 2004. [RFC4568] Andreasen, F., Baugher, M., and D. Wing, "Session Description Protocol (SDP) Security Descriptions for Media Streams", RFC 4568, July 2006. 10.2. Informative References [suiteB] "Fact Sheet for NSA Suite B Cryptography", http://www.nsa.gov/ia/industry/crypto_suite_b.cfm. McGrew Expires September 6, 2009 [Page 16] Internet-Draft SRTP AES-192 and AES-256 March 2009 Author's Address David A. McGrew Cisco Systems, Inc. 510 McCarthy Blvd. Milpitas, CA 95035 US Phone: (408) 525 8651 Email: mcgrew@cisco.com URI: http://www.mindspring.com/~dmcgrew/dam.htm McGrew Expires September 6, 2009 [Page 17]