1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
1001
1002
1003
1004
1005
1006
1007
1008
1009
1010
1011
1012
1013
1014
1015
1016
1017
1018
1019
1020
1021
1022
1023
1024
1025
1026
1027
1028
1029
1030
1031
1032
1033
1034
1035
1036
1037
1038
1039
1040
1041
1042
1043
1044
1045
1046
1047
1048
1049
1050
1051
1052
1053
1054
1055
1056
1057
1058
1059
1060
1061
1062
1063
1064
1065
1066
1067
1068
1069
1070
1071
1072
1073
1074
1075
1076
1077
1078
1079
1080
1081
1082
1083
1084
1085
1086
1087
1088
1089
1090
1091
1092
1093
1094
1095
1096
1097
1098
1099
1100
1101
1102
1103
1104
1105
1106
1107
1108
1109
1110
1111
1112
1113
1114
1115
1116
1117
1118
1119
1120
1121
1122
1123
1124
1125
1126
1127
1128
1129
1130
1131
1132
1133
1134
1135
1136
1137
1138
1139
1140
1141
1142
1143
1144
1145
1146
1147
1148
1149
1150
1151
1152
1153
1154
1155
1156
1157
1158
1159
1160
1161
1162
1163
1164
1165
1166
1167
1168
1169
1170
1171
1172
1173
1174
1175
1176
1177
1178
1179
1180
1181
1182
1183
1184
1185
1186
1187
1188
1189
1190
1191
1192
1193
1194
1195
1196
1197
1198
1199
1200
1201
1202
1203
1204
1205
1206
1207
1208
1209
1210
1211
1212
1213
1214
1215
1216
1217
1218
1219
1220
1221
1222
1223
1224
1225
1226
1227
1228
1229
1230
1231
1232
1233
1234
1235
1236
1237
1238
1239
1240
1241
1242
1243
1244
1245
1246
1247
1248
1249
1250
1251
1252
1253
1254
1255
1256
1257
1258
1259
1260
1261
1262
1263
1264
1265
1266
1267
1268
1269
1270
1271
1272
1273
1274
1275
1276
1277
1278
1279
1280
1281
1282
1283
1284
1285
1286
1287
1288
1289
1290
1291
1292
1293
1294
1295
1296
1297
1298
1299
1300
1301
1302
1303
1304
1305
1306
1307
1308
1309
1310
1311
1312
1313
1314
1315
1316
1317
1318
1319
1320
1321
1322
1323
1324
1325
1326
1327
1328
1329
1330
1331
1332
1333
1334
1335
1336
1337
1338
1339
1340
1341
1342
1343
1344
1345
1346
1347
1348
1349
1350
1351
1352
1353
1354
1355
1356
1357
1358
1359
1360
1361
1362
1363
1364
1365
1366
1367
1368
1369
1370
1371
1372
1373
1374
1375
1376
1377
1378
1379
1380
1381
1382
1383
1384
1385
1386
1387
1388
1389
1390
1391
1392
1393
1394
1395
1396
1397
1398
1399
1400
1401
1402
1403
1404
1405
1406
1407
1408
1409
1410
1411
1412
1413
1414
1415
1416
1417
1418
1419
1420
1421
1422
1423
1424
1425
1426
1427
1428
1429
1430
1431
1432
1433
1434
1435
1436
1437
1438
1439
1440
1441
1442
1443
1444
1445
1446
1447
1448
1449
1450
1451
1452
1453
1454
1455
1456
1457
1458
1459
1460
1461
1462
1463
1464
1465
1466
1467
1468
1469
1470
1471
1472
1473
1474
1475
1476
1477
1478
1479
1480
1481
1482
1483
1484
1485
1486
1487
1488
1489
1490
1491
1492
1493
1494
1495
1496
1497
1498
1499
1500
1501
1502
1503
1504
1505
1506
1507
1508
1509
1510
1511
1512
1513
1514
1515
1516
1517
1518
1519
1520
1521
1522
1523
1524
1525
1526
1527
1528
1529
1530
1531
1532
1533
1534
1535
1536
1537
1538
1539
1540
1541
1542
1543
1544
1545
1546
1547
1548
1549
1550
1551
1552
1553
1554
1555
1556
1557
1558
1559
1560
1561
1562
1563
1564
1565
1566
1567
1568
1569
1570
1571
1572
1573
1574
1575
1576
1577
1578
1579
1580
1581
1582
1583
1584
1585
1586
1587
1588
1589
1590
1591
1592
1593
1594
1595
1596
1597
1598
1599
1600
1601
1602
1603
1604
1605
1606
1607
1608
1609
1610
1611
1612
1613
1614
1615
1616
1617
1618
1619
1620
1621
1622
1623
1624
1625
1626
1627
1628
1629
1630
1631
1632
1633
1634
1635
1636
1637
1638
1639
1640
1641
1642
1643
1644
1645
1646
1647
1648
1649
1650
1651
1652
1653
1654
1655
1656
1657
1658
1659
1660
1661
1662
1663
1664
1665
1666
1667
1668
1669
1670
1671
1672
1673
1674
1675
1676
1677
1678
1679
1680
1681
1682
1683
1684
1685
1686
1687
1688
1689
1690
1691
1692
1693
1694
1695
1696
1697
1698
1699
1700
1701
1702
1703
1704
1705
1706
1707
1708
1709
1710
1711
1712
1713
1714
1715
1716
1717
1718
1719
1720
1721
1722
1723
1724
1725
1726
1727
1728
1729
1730
1731
1732
1733
|
<pre>Network Working Group S. Fries
Request for Comments: 5197 Siemens
Category: Informational D. Ignjatic
Polycom
June 2008
<span class="h1">On the Applicability of Various Multimedia Internet KEYing (MIKEY)</span>
<span class="h1">Modes and Extensions</span>
Status of This Memo
This memo provides information for the Internet community. It does
not specify an Internet standard of any kind. Distribution of this
memo is unlimited.
Abstract
Multimedia Internet Keying (MIKEY) is a key management protocol that
can be used for real-time applications. In particular, it has been
defined focusing on the support of the Secure Real-time Transport
Protocol (SRTP). MIKEY itself is standardized within <a href="./rfc3830">RFC 3830</a> and
defines four key distribution methods. Moreover, it is defined to
allow extensions of the protocol. As MIKEY becomes more and more
accepted, extensions to the base protocol arise, especially in terms
of additional key distribution methods but also in terms of payload
enhancements.
This document provides an overview about the MIKEY base document in
general as well as the existing extensions for MIKEY, which have been
defined or are in the process of definition. It is intended as an
additional source of information for developers or architects to
provide more insight in use case scenarios and motivations as well as
advantages and disadvantages for the different key distribution
schemes. The use cases discussed in this document are strongly
related to dedicated SIP call scenarios providing challenges for key
management in general, among them media before Session Description
Protocol (SDP) answer, forking, and shared key conferencing.
<span class="grey">Fries & Ignjatic Informational [Page 1]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-2" ></span>
<span class="grey"><a href="./rfc5197">RFC 5197</a> MIKEY Modes Applicability June 2008</span>
Table of Contents
<a href="#section-1">1</a>. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . <a href="#page-3">3</a>
<a href="#section-2">2</a>. Terminology and Definitions . . . . . . . . . . . . . . . . . <a href="#page-4">4</a>
<a href="#section-3">3</a>. MIKEY Overview . . . . . . . . . . . . . . . . . . . . . . . . <a href="#page-7">7</a>
<a href="#section-3.1">3.1</a>. Pre-Shared Key (PSK) Protected Distribution . . . . . . . <a href="#page-9">9</a>
<a href="#section-3.2">3.2</a>. Public Key Encrypted Key Distribution . . . . . . . . . . <a href="#page-9">9</a>
3.3. Diffie-Hellman Key Agreement Protected with Digital
Signatures . . . . . . . . . . . . . . . . . . . . . . . . <a href="#page-10">10</a>
<a href="#section-3.4">3.4</a>. Unprotected Key Distribution . . . . . . . . . . . . . . . <a href="#page-11">11</a>
3.5. Diffie-Hellman Key Agreement Protected with Pre-Shared
Secrets . . . . . . . . . . . . . . . . . . . . . . . . . <a href="#page-12">12</a>
<a href="#section-3.6">3.6</a>. SAML-Assisted DH key Agreement . . . . . . . . . . . . . . <a href="#page-12">12</a>
3.7. Asymmetric Key Distribution with In-Band Certificate
Exchange . . . . . . . . . . . . . . . . . . . . . . . . . <a href="#page-15">15</a>
<a href="#section-4">4</a>. Further MIKEY Extensions . . . . . . . . . . . . . . . . . . . <a href="#page-16">16</a>
<a href="#section-4.1">4.1</a>. ECC Algorithms Support . . . . . . . . . . . . . . . . . . <a href="#page-16">16</a>
4.1.1. Elliptic Curve Integrated Encryption Scheme
application in MIKEY . . . . . . . . . . . . . . . . . <a href="#page-17">17</a>
4.1.2. Elliptic Curve Menezes-Qu-Vanstone Scheme
Application in MIKEY . . . . . . . . . . . . . . . . . <a href="#page-17">17</a>
<a href="#section-4.2">4.2</a>. New MIKEY Payload for Bootstrapping TESLA . . . . . . . . <a href="#page-17">17</a>
<a href="#section-4.3">4.3</a>. MBMS Extensions to the Key ID Information Type . . . . . . <a href="#page-18">18</a>
4.4. OMA BCAST MIKEY General Extension Payload Specification . 18
4.5. Supporting Integrity Transform Carrying the Rollover
Counter . . . . . . . . . . . . . . . . . . . . . . . . . <a href="#page-19">19</a>
<a href="#section-5">5</a>. Selection and Interworking of MIKEY Modes . . . . . . . . . . <a href="#page-19">19</a>
<a href="#section-5.1">5.1</a>. MIKEY and Early Media . . . . . . . . . . . . . . . . . . <a href="#page-21">21</a>
<a href="#section-5.2">5.2</a>. MIKEY and Forking . . . . . . . . . . . . . . . . . . . . <a href="#page-22">22</a>
<a href="#section-5.3">5.3</a>. MIKEY and Call Transfer/Redirect/Retarget . . . . . . . . <a href="#page-23">23</a>
<a href="#section-5.4">5.4</a>. MIKEY and Shared Key Conferencing . . . . . . . . . . . . <a href="#page-23">23</a>
<a href="#section-5.5">5.5</a>. MIKEY Mode Summary . . . . . . . . . . . . . . . . . . . . <a href="#page-24">24</a>
<a href="#section-6">6</a>. Transport of MIKEY Messages . . . . . . . . . . . . . . . . . <a href="#page-24">24</a>
<a href="#section-7">7</a>. MIKEY Alternatives for SRTP Security Parameter Negotiation . . <a href="#page-25">25</a>
<a href="#section-8">8</a>. Summary of MIKEY-Related IANA Registrations . . . . . . . . . <a href="#page-26">26</a>
<a href="#section-9">9</a>. Security Considerations . . . . . . . . . . . . . . . . . . . <a href="#page-26">26</a>
<a href="#section-10">10</a>. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . <a href="#page-27">27</a>
<a href="#section-11">11</a>. References . . . . . . . . . . . . . . . . . . . . . . . . . . <a href="#page-27">27</a>
<a href="#section-11.1">11.1</a>. Normative References . . . . . . . . . . . . . . . . . . . <a href="#page-27">27</a>
<a href="#section-11.2">11.2</a>. Informative References . . . . . . . . . . . . . . . . . . <a href="#page-27">27</a>
<span class="grey">Fries & Ignjatic Informational [Page 2]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-3" ></span>
<span class="grey"><a href="./rfc5197">RFC 5197</a> MIKEY Modes Applicability June 2008</span>
<span class="h2"><a class="selflink" id="section-1" href="#section-1">1</a>. Introduction</span>
Key distribution describes the process of delivering cryptographic
keys to the required parties. MIKEY [<a href="./rfc3830" title=""MIKEY: Multimedia Internet KEYing"">RFC3830</a>], the Multimedia
Internet Keying, has been defined focusing on support for the
establishment of security context for the Secure Real-time Transport
Protocol [<a href="./rfc3711" title=""The Secure Real-time Transport Protocol (SRTP)"">RFC3711</a>]. Note that <a href="./rfc3830">RFC 3830</a> is not restricted to be used
for SRTP only, as it features a generic approach and allows for
extensions to the key distribution schemes. Thus, it may also be
used for security parameter negotiation for other protocols.
For MIKEY, meanwhile, seven key distribution methods are described:
o Symmetric key distribution as defined in [<a href="./rfc3830" title=""MIKEY: Multimedia Internet KEYing"">RFC3830</a>] (MIKEY-PSK)
o Asymmetric key distribution as defined in [<a href="./rfc3830" title=""MIKEY: Multimedia Internet KEYing"">RFC3830</a>] (MIKEY-RSA)
o Diffie-Hellman key agreement protected by digital signatures as
defined in [<a href="./rfc3830" title=""MIKEY: Multimedia Internet KEYing"">RFC3830</a>] (MIKEY-DHSIGN)
o Unprotected key distribution (MIKEY-NULL)
o Diffie-Hellman key agreement protected by symmetric pre-shared
keys as defined in [<a href="./rfc4650" title=""HMAC-Authenticated Diffie-Hellman for Multimedia Internet KEYing (MIKEY)"">RFC4650</a>] (MIKEY-DHHMAC)
o Security Assertion Markup Language (SAML) assisted Diffie-Hellman
key agreement as defined (not available as a separate document,
but discussions are reflected within this document (MIKEY-DHSAML))
o Asymmetric key distribution (based on asymmetric encryption) with
in-band certificate provision as defined in [<a href="./rfc4738" title=""MIKEY-RSA-R: An Additional Mode of Key Distribution in Multimedia Internet KEYing (MIKEY)"">RFC4738</a>]
(MIKEY-RSA-R)
Note that the latter three modes are extensions to MIKEY as there
have been scenarios where none of the first four modes defined in
[<a href="./rfc3830" title=""MIKEY: Multimedia Internet KEYing"">RFC3830</a>] fits perfectly. There are further extensions to MIKEY
comprising algorithm enhancements and a new payload definition
supporting protocols other than SRTP.
Algorithm extensions are defined in the following document:
o Elliptic Curve Cryptography (ECC) algorithms for MIKEY as defined
in [<a href="#ref-MSEC-MIKEY" title=""ECC Algorithms for MIKEY"">MSEC-MIKEY</a>]
<span class="grey">Fries & Ignjatic Informational [Page 3]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-4" ></span>
<span class="grey"><a href="./rfc5197">RFC 5197</a> MIKEY Modes Applicability June 2008</span>
Payload extensions are defined in the following documents:
o Bootstrapping TESLA, defining a new payload for the Timed
Efficient Stream Loss-tolerant Authentication (TESLA) protocol
[<a href="./rfc4082" title=""Timed Efficient Stream Loss-Tolerant Authentication (TESLA): Multicast Source Authentication Transform Introduction"">RFC4082</a>] as defined in [<a href="./rfc4442" title=""Bootstrapping Timed Efficient Stream Loss-Tolerant Authentication (TESLA)"">RFC4442</a>]
o The Key ID information type for the general extension payload as
defined in [<a href="./rfc4563" title=""The Key ID Information Type for the General Extension Payload in Multimedia Internet KEYing (MIKEY)"">RFC4563</a>]
o Open Mobile Alliance (OMA) Broadcast (BCAST) MIKEY General
Extension Payload Specification as defined in [<a href="./rfc4909" title=""Multimedia Internet KEYing (MIKEY) General Extension Payload for Open Mobile Alliance BCAST LTKM/STKM Transport"">RFC4909</a>]
o Integrity Transform Carrying Roll-over Counter for SRTP as defined
in [<a href="./rfc4771" title=""Integrity Transform Carrying Roll-Over Counter for the Secure Real-time Transport Protocol (SRTP)"">RFC4771</a>]. Note that this is rather an extension to SRTP and
requires MIKEY to carry a new parameter, but is stated here for
completeness.
This document provides an overview about <a href="./rfc3830">RFC 3830</a> and the relations
to the different extensions to provide a framework when using MIKEY.
It is intended as an additional source of information for developers
or architects to provide more insight in use case scenarios and
motivations as well as advantages and disadvantages for the different
key distribution schemes. The use cases discussed in this document
are inspired by specific protocol workings of SIP that have proved to
be problematic for a general key distribution mechanisms in general.
These protocol workings are described in detail in Wing, et al.
[<a href="#ref-SIP-MEDIA" title=""Requirements and Analysis of Media Security Management Protocols"">SIP-MEDIA</a>] and include the following:
o Early Media (i.e., media that arrives before the SDP answer)
o Forking
o Call Transfer/Redirect/Retarget
o Shared Key Conferencing
<span class="h2"><a class="selflink" id="section-2" href="#section-2">2</a>. Terminology and Definitions</span>
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in <a href="./rfc2119">RFC 2119</a> [<a href="./rfc2119" title=""Key words for use in RFCs to Indicate Requirement Levels"">RFC2119</a>].
The following definitions have been taken from [<a href="./rfc3830" title=""MIKEY: Multimedia Internet KEYing"">RFC3830</a>]:
(Data) Security Protocol: the security protocol used to protect the
actual data traffic. Examples of security
protocols are IPsec and SRTP.
<span class="grey">Fries & Ignjatic Informational [Page 4]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-5" ></span>
<span class="grey"><a href="./rfc5197">RFC 5197</a> MIKEY Modes Applicability June 2008</span>
Data SA Data Security Association information for the security
protocol, including a TEK and a set of parameters/
policies.
CS Crypto Session, uni- or bidirectional data stream(s),
protected by a single instance of a security protocol.
CSB Crypto Session Bundle, collection of one or more
Crypto Sessions, which can have common TGKs (see
below) and security parameters.
CS ID Crypto Session ID, unique identifier for the CS within
a CSB.
CSB ID Crypto Session Bundle ID, unique identifier for the
CSB.
TGK TEK Generation Key, a bit-string agreed upon by two or
more parties, associated with CSB. From the TGK,
Traffic-Encrypting Keys can then be generated without
needing further communication.
TEK Traffic-Encrypting Key, the key used by the security
protocol to protect the CS (this key may be used
directly by the security protocol or may be used to
derive further keys depending on the security
protocol). The TEKs are derived from the CSB's TGK.
TGK re-keying the process of re-negotiating/updating the TGK (and
consequently future TEK(s)).
Initiator the initiator of the key management protocol, not
necessarily the initiator of the communication.
Responder the responder in the key management protocol.
Salting key a random or pseudo-random (see [<a href="./rfc4086" title=""Randomness Requirements for Security"">RFC4086</a>]) string used
to protect against some off-line pre-computation
attacks on the underlying security protocol.
HDR the protocol header
PRF(k,x) a keyed pseudo-random function
E(k,m) encryption of m with the key k
RAND random value
<span class="grey">Fries & Ignjatic Informational [Page 5]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-6" ></span>
<span class="grey"><a href="./rfc5197">RFC 5197</a> MIKEY Modes Applicability June 2008</span>
T timestamp
CERTx the certificate of x
SIGNx the signature from x using the private key of x
PKx the public key of x
IDx the identity of x
[] an optional piece of information
{} zero or more occurrences
|| concatenation
| OR (selection operator)
^ exponentiation
XOR exclusive or
The following definitions have been added to the ones from [<a href="./rfc3830" title=""MIKEY: Multimedia Internet KEYing"">RFC3830</a>]:
SSRC Synchronization Source Identifier
KEMAC MIKEY Key Data Transport Payload, containing a set of
encrypted sub-payloads and a Message Authentication
Code (MAC).
V MIKEY Verification Message
SP Security Parameter
Forking The ability of a SIP proxy to replicate an incoming
request to multiple outgoing requests in order to
efficiently find the called party for rendezvous. SIP
forking can be done in serial (depth-first search) or
in parallel (breadth-first search).
Redirect The ability of a SIP proxy to send a final response
that redirects the caller to send a request to an
alternate location.
Retarget The ability of a SIP proxy to re-write the Request-URI
thereby altering the destination of the request
without explicitly notifying the user agent client.
<span class="grey">Fries & Ignjatic Informational [Page 6]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-7" ></span>
<span class="grey"><a href="./rfc5197">RFC 5197</a> MIKEY Modes Applicability June 2008</span>
<span class="h2"><a class="selflink" id="section-3" href="#section-3">3</a>. MIKEY Overview</span>
This section will provide an overview about MIKEY. MIKEY focuses on
the setup of cryptographic context to secure multimedia sessions in a
heterogeneous environment. MIKEY is mainly intended to be used for
peer-to-peer, simple one-to-many, and small-size (interactive)
groups. One objective of MIKEY is to produce a data security
association (SA) for the security protocol, including a Traffic-
Encrypting Key (TEK), which is derived from a TEK Generation Key
(TGK), and used as input for the security protocol.
MIKEY supports the possibility of establishing keys and parameters
for more than one security protocol (or for several instances of the
same security protocol) at the same time. The concept of Crypto
Session Bundle (CSB) is used to denote a collection of one or more
Crypto Sessions that can have common TGK and security parameters, but
that obtain distinct TEKs from MIKEY.
MIKEY as defined in <a href="./rfc3830">RFC 3830</a> may proceed with one roundtrip at most,
using a so-called Initiator message for the forward direction and a
Responder message for the backward direction. Note that there exist
MIKEY schemes that may proceed within a half roundtrip (e.g., based
on a pre-shared key), while other schemes require a full roundtrip
(e.g., Diffie-Hellman-based schemes). The main objective of the
Initiator's message (I_MESSAGE) is to transport one or more TGKs
(carried in the KEMAC field) and a set of security parameters (SPs)
to the Responder in a secure manner. As the verification message
from the Responder is optional for some schemes, the Initiator
indicates whether or not it requires a verification message from the
Responder.
The focus of the following subsections lies on the key distribution
methods as well as the discussion about advantages and disadvantages
of the different schemes. Note that the MIKEY key distribution
schemes rely on loosely synchronized clocks. If clock
synchronization is not available, the replay handling of MIKEY (cf.
[<a href="./rfc3830" title=""MIKEY: Multimedia Internet KEYing"">RFC3830</a>]) may not work. This is due to the fact that MIKEY does not
use a challenge-response mechanism for replay handling; instead,
timestamps are used together with message caching. Thus, the
required synchronization depends on the number of messages that can
be cached on either side. Therefore, MIKEY recommends adjusting the
cache size depending on the clock skew in the deployment environment.
Moreover, <a href="./rfc3830">RFC 3830</a> recommends the ISO time synchronization protocol
[<a href="#ref-ISO_sec_time" title=""ISO/IEC 18014 Information technology - Security techniques - Time-stamping services, Part 1- 3.http://www.oasis-open.org/committees/ documents.php?wg_abbrev=security"">ISO_sec_time</a>]. If replay handling is not available, an attacker may
be able to replay an older message that he eavesdropped earlier,
leading to different TGKs on both sides. As these are fed to the
application utilizing MIKEY (e.g., SRTP or TESLA), both sides may
rely on different keys and thus may be unable to communicate with
<span class="grey">Fries & Ignjatic Informational [Page 7]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-8" ></span>
<span class="grey"><a href="./rfc5197">RFC 5197</a> MIKEY Modes Applicability June 2008</span>
each other. The format applied to the timestamps submitted in MIKEY
have to match the NTP format described in [<a href="./rfc1305" title=""Network Time Protocol (Version 3) Specification, Implementation"">RFC1305</a>]. In other cases,
such as of a SIP endpoint, clock synchronization by deriving time
from a trusted outbound proxy may be appropriate .
The different MIKEY-related schemes are compared regarding the
following criteria:
o Mandatory for implementation: provides information, if <a href="./rfc3830">RFC 3830</a>
requires the implementation of this scheme.
o Scalability: describes the technical feasibility to easily deploy
a solution based on the considered scheme.
o Dependency on PKI: states if the support of a PKI is required to
support this scheme. Note that PKI here relates to PKI services
like key generation, distribution, and revocation.
o Provision of Perfect Forward Secrecy (PFS): describes the support
of PFS, which is, according to <a href="./rfc4949">RFC 4949</a> [<a href="./rfc4949" title=""Internet Security Glossary, Version 2"">RFC4949</a>], the property
that compromising the long-term keying material does not
compromise session keys that were previously derived from the
long-term material.
o Key generation involvement: describes if both or just one of the
participants is actively involved in key generation. The option
to involve both parties in the key generation is considered here
as it addresses several points:
* If both sides contribute public entropy, it is ensured that
each side can guarantee that keys are fresh to avoid replay
attacks.
* Involvement of both sides avoids that one side generates
(intentionally or unintentionally) weak (predictable) nonces,
which in turn may result in weak keys.
o Support of group keying: feasibility of the MIKEY option to be
used also for group keying, e.g., in conferencing scenarios.
If MIKEY is used for SRTP [<a href="./rfc3711" title=""The Secure Real-time Transport Protocol (SRTP)"">RFC3711</a>] bootstrapping, it also uses the
SSRC to associate security policies with actual sessions. The SSRC
identifies the synchronization source. The value is chosen randomly,
with the intent that no two synchronization sources within the same
SRTP session will have the same SSRC. Although the probability of
multiple sources choosing the same identifier is low, all (S)RTP
implementations must be prepared to detect and resolve collisions.
Nevertheless, in multimedia communication scenarios supporting
<span class="grey">Fries & Ignjatic Informational [Page 8]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-9" ></span>
<span class="grey"><a href="./rfc5197">RFC 5197</a> MIKEY Modes Applicability June 2008</span>
forking (see <a href="#section-5.2">Section 5.2</a>) or retargeting (see <a href="#section-5.3">Section 5.3</a>) collisions
may occur leading to so-called two-time pads; i.e., the same key is
used for media streams to different destinations. This occurs if two
branches have the same TEK (based on the MIKEY key establishment) and
choose the same 32-bit SSRC for the SRTP streams. The SRTP key
derivation will then produce the same session keys (as the input
values are the same) and also derive the same initialization vector
per packet, as the SSRCs are the same. Note that two time pads may
also occur for media streams to the same destination. This is
outlined in [<a href="./rfc3711" title=""The Secure Real-time Transport Protocol (SRTP)"">RFC3711</a>].
<span class="h3"><a class="selflink" id="section-3.1" href="#section-3.1">3.1</a>. Pre-Shared Key (PSK) Protected Distribution</span>
This option of the key management uses a pre-shared secret key to
derive key material for integrity protection and encryption to
protect the actual exchange of key material. Note that the pre-
shared secret is agreed upon before the session, e.g., by out-of-band
means. The responder message is optional and may be used for mutual
authentication (proof of possession of the pre-shared secret) or
error signaling.
Initiator Responder
I_MESSAGE =
HDR, T, RAND, [IDi],[IDr],
{SP}, KEMAC --->
R_MESSAGE =
[<---] HDR, T, [IDr], V
The advantages of this approach lay in the fact that there is no
dependency on a PKI (Public Key Infrastructure), the solution
consumes low bandwidth and enables high performance, and is all in
all a simple straightforward master key provisioning. The
disadvantages are that perfect forward secrecy is not provided and
key generation is just performed by the Initiator. Furthermore, the
approach is not scalable to larger configurations but is acceptable
in small-sized groups. Note that according to [<a href="./rfc3830" title=""MIKEY: Multimedia Internet KEYing"">RFC3830</a>], this option
is mandatory to implement.
<span class="h3"><a class="selflink" id="section-3.2" href="#section-3.2">3.2</a>. Public Key Encrypted Key Distribution</span>
Using the asymmetric option of the key management, the Initiator
generates the key material (TGKs) to be transmitted and sends it
encrypted with a so-called envelope key, which in turn is encrypted
with the receiver's public key. The envelope key, env-key, which is
a random number, is used to derive the auth-key and the enc-key.
Moreover, the envelope key may be used as a pre-shared key to
<span class="grey">Fries & Ignjatic Informational [Page 9]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-10" ></span>
<span class="grey"><a href="./rfc5197">RFC 5197</a> MIKEY Modes Applicability June 2008</span>
establish further crypto sessions. The responder message is optional
and may be used for mutual authentication or error signaling.
Initiator Responder
I_MESSAGE =
HDR, T, RAND, [IDi|CERTi],
[IDr], {SP}, KEMAC, [CHASH],
PKE, SIGNi --->
R_MESSAGE =
[<---] HDR, T, [IDr], V
An advantage of this approach is that it allows the usage of self-
signed certificates, which in turn can avoid a full-blown PKI. Note
that using self-signed certificates may result in limited scalability
and also require additional means for authentication such as exchange
of fingerprints of the certificates or similar techniques. The
disadvantages comprise the necessity of a PKI for full scalability,
the performance of the key generation just by the Initiator, and no
provision of perfect forward secrecy. Additionally, the Responder
certificate needs to be available in advance at the sender's side.
Furthermore, the verification of certificates may not be done in real
time. This could be the case in scenarios where the revocation
status of certificates is checked through a further component.
Depending on the Initiator role, this scheme can also be applied in
group-based communication, where a central server distributes the
group key protected with the public keys of the associated clients.
Note that according to [<a href="./rfc3830" title=""MIKEY: Multimedia Internet KEYing"">RFC3830</a>], this option is mandatory to
implement.
<span class="h3"><a class="selflink" id="section-3.3" href="#section-3.3">3.3</a>. Diffie-Hellman Key Agreement Protected with Digital Signatures</span>
The Diffie-Hellman option of the key management enables a shared
secret establishment between the Initiator and Responder in a way
where both parties contribute to the shared secret. The Diffie-
Hellman key agreement is authenticated (and integrity protected)
using digital signatures.
Initiator Responder
I_MESSAGE =
HDR, T, RAND, [IDi|CERTi],
[IDr], {SP}, DHi, SIGNi --->
R_MESSAGE =
<--- HDR, T, [IDr|CERTr],
IDi, DHr, DHi, SIGNr
<span class="grey">Fries & Ignjatic Informational [Page 10]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-11" ></span>
<span class="grey"><a href="./rfc5197">RFC 5197</a> MIKEY Modes Applicability June 2008</span>
[<a id="ref-RFC3830">RFC3830</a>] does mandate the support of RSA as a specific asymmetric
algorithm for the signature generation. Additionally, the algorithm
used for signature or public key encryption is defined by, and
dependent on, the certificate used. Besides the use of X.509v3
certificates, it is mandatory to support the Diffie-Hellman group
"OAKLEY5" [<a href="./rfc2412" title=""The OAKLEY Key Determination Protocol"">RFC2412</a>]. It is also possible to use other Diffie-Hellman
groups within MIKEY. This can be done by defining a new mapping sub-
payload and the associated policy payload according to [<a href="./rfc3830" title=""MIKEY: Multimedia Internet KEYing"">RFC3830</a>].
The advantages of this approach are a fair, mutual key agreement
(both parties provide to the key), perfect forward secrecy, and the
absence of the need to fetch a certificate in advance as needed for
the MIKEY-RSA method depicted above. Moreover, it also provides the
option to use self-signed certificates to avoid a PKI deployment.
Note that, depending on the security policy, self-signed certificates
may not be suitable for every use case.
Negatively to remark is that this approach scales mainly to point-to-
point and depends on PKI for full scalability. Multiparty
conferencing is not supported using just MIKEY-DHSIGN. Nevertheless,
the established Diffie-Hellman-Secret may serve as a pre-shared key
to bootstrap group-related security parameter. Furthermore, as for
the MIKEY-RSA mode described above, the verification of certificates
may not necessarily be done in real time. This could be the case in
scenarios where the revocation status of certificates is checked
through a further component. Note that, according to [<a href="./rfc3830" title=""MIKEY: Multimedia Internet KEYing"">RFC3830</a>], it
is optional to implement this scheme.
<span class="h3"><a class="selflink" id="section-3.4" href="#section-3.4">3.4</a>. Unprotected Key Distribution</span>
<a href="./rfc3830">RFC 3830</a> also supports a mode to provide a key in an unprotected
manner (MIKEY-NULL). This is based on the symmetric key encryption
option depicted in <a href="#section-3.1">Section 3.1</a> but is used with the NULL encryption
and the NULL authentication algorithms. It may be compared with the
plain approach in SDP security descriptions [<a href="./rfc4568" title=""Session Description Protocol (SDP) Security Descriptions for Media Streams"">RFC4568</a>]. MIKEY-NULL
completely relies on the security of the underlying layer, e.g.,
provided by TLS. This option should be used with caution as it does
not protect the key management.
Based on the missing cryptographic protection of this method, it is
obvious that perfect forward secrecy is not provided. As it is based
on the pre-shared secret mode, only the Initiator contributes to the
key management. The method itself is highly scalable, but again,
without proper protection through an underlying security layer, it is
not advisable for use.
<span class="grey">Fries & Ignjatic Informational [Page 11]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-12" ></span>
<span class="grey"><a href="./rfc5197">RFC 5197</a> MIKEY Modes Applicability June 2008</span>
<span class="h3"><a class="selflink" id="section-3.5" href="#section-3.5">3.5</a>. Diffie-Hellman Key Agreement Protected with Pre-Shared Secrets</span>
This is an additional option, which has been defined in [<a href="./rfc4650" title=""HMAC-Authenticated Diffie-Hellman for Multimedia Internet KEYing (MIKEY)"">RFC4650</a>].
In contrast to the method described in <a href="#section-3.3">Section 3.3</a>, here the Diffie-
Hellman key agreement is authenticated (and integrity protected)
using a pre-shared secret and keyed hash function.
Initiator Responder
I_MESSAGE =
HDR, T, RAND, [IDi],
IDr, {SP}, DHi, KEMAC --->
R_MESSAGE =
<--- HDR, T,[IDr], IDi,
DHr, DHi, KEMAC
TGK = g^(xi * yi) TGK = g^(xi * yi)
For the integrity protection of the Diffie-Hellman key agreement,
[<a href="./rfc4650" title=""HMAC-Authenticated Diffie-Hellman for Multimedia Internet KEYing (MIKEY)"">RFC4650</a>] mandates the use of HMAC SHA-1. Regarding Diffie-Hellman
groups, [<a href="./rfc3830" title=""MIKEY: Multimedia Internet KEYing"">RFC3830</a>] is referenced. Thus, it is mandatory to support
the Diffie-Hellman group "OAKLEY5" [<a href="./rfc2412" title=""The OAKLEY Key Determination Protocol"">RFC2412</a>]. It is also possible to
use other Diffie-Hellman groups within MIKEY. This can be done by
defining a new mapping sub-payload and the associated policy payload
according to <a href="./rfc3830">RFC 3830</a>. This option has also several advantages, as
there are the fair mutual key agreement, the perfect forward secrecy,
and no dependency on a PKI and PKI standards. Moreover, this scheme
has a sound performance and reduced bandwidth requirements compared
to MIKEY-DH-SIGN and provides a simple and straightforward master key
provisioning. The establishment of shared secrets and the lack of
support for group keying is a disadvantage.
This mode of operation provides an efficient scheme in deployments
where there is a central trusted server that is provisioned with
shared secrets for many clients. Such setups could, for example, be
enterprise Private Branch Exchanges (PBXs), service provider proxies,
etc. In contrast to the plain pre-shared key encryption-based mode,
described in <a href="#section-3.1">Section 3.1</a>, this mode offers perfect forward secrecy as
well as active involvement in the key generation of both parties
involved.
<span class="h3"><a class="selflink" id="section-3.6" href="#section-3.6">3.6</a>. SAML-Assisted DH key Agreement</span>
There has been a longer discussion during IETF meetings and also on
the IETF MSEC mailing list about a SAML-assisted DH approach. This
idea has not been submitted as a separate document. Nevertheless,
the discussion is reflected here as it is targeted to fulfill general
<span class="grey">Fries & Ignjatic Informational [Page 12]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-13" ></span>
<span class="grey"><a href="./rfc5197">RFC 5197</a> MIKEY Modes Applicability June 2008</span>
requirements on key management approaches. Those requirements can be
summarized as:
1. Mutual authentication of involved parties
2. Both parties involved contribute to the session key generation
3. Provide perfect forward secrecy
4. Support distribution of group session keys
5. Provide liveliness tests when involved parties do not have a
reliable clock
6. Support of limited parties involved
To fulfill all of the requirements, it was proposed to use a classic
Diffie-Hellman key agreement protocol for key establishment in
conjunction with a User Agent's (UA's) SIP server signed element,
authenticating the Diffie-Hellman key and the ID using the SAML
(Security Assertion Markup Language [<a href="#ref-SAML_overview" title=""Security Assertion Markup Language (SAML) 2.0 Technical Overview, Working Draft"">SAML_overview</a>]) approach. Here
the client's public Diffie-Hellman credentials are signed by the
server to form a SAML assertion (referred to as CRED below), which
may be used for later sessions with other clients. This assertion
needs at least to convey the ID, public DH key, expiry, and the
signature from the server. It provides the involved clients with
mutual authentication and message integrity of the key management
messages exchanged.
Initiator Responder
I_MESSAGE =
HDR, T, RAND1, [CREDi],
IDr, {SP} --->
R_MESSAGE =
<--- HDR, T, [CREDr], IDi, DHr,
RAND2, (SP)
TGK = HMACx(RAND1|RAND2), where x = g^(xi * xr).
Additionally, the scheme proposes a second roundtrip to avoid the
dependence on synchronized clocks and provide liveliness checks.
This is achieved by exchanging nonces, protected with the session
key. The second roundtrip can also be used for distribution of group
keys or to leverage a weak DH key for a stronger session key. The
trigger for the second roundtrip would be handled via SP, the
security policy communicated via MIKEY.
<span class="grey">Fries & Ignjatic Informational [Page 13]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-14" ></span>
<span class="grey"><a href="./rfc5197">RFC 5197</a> MIKEY Modes Applicability June 2008</span>
Initiator Responder
I_MESSAGE =
HDR, SIGN(ENC(RAND3)) --->
R_MESSAGE =
<--- SIGN(ENC(RAND4))
Note that if group keys are to be provided, RAND would be substituted
by that group key.
With the second roundtrip, this approach also provides an option for
all of the other key distribution methods, when liveliness checks are
needed. The drawback of the second roundtrip is that these messages
need to be integrated into the call flow of the signaling protocol.
In a straight-forward call, one roundtrip may be enough to set up a
session. Thus, this second roundtrip would require additional
messages to be exchanged.
Regarding the different criteria discussed in the introduction of
this section, the advantages of this approach are a fair, mutual key
agreement (both parties provide to the key), and perfect forward
secrecy. Through the second roundtrip, the dependency on
synchronized clocks can be avoided. Moreover, this second roundtrip
enables the distribution of a group key and thus enhances the
scalability from mainly point-to-point to also multiparty
conferencing. The usage of SAML-assisted DH may decrease the hidden
latency cost through the credential validation necessary to be done
for the signed DH scheme described in <a href="#section-3.3">Section 3.3</a>. If the UA
received its SAML assertion from its domain's SIP server, it is
trusting the server implicitly, thus, it may extend that trust to
relying on it to validate the other party's SAML assertion. This
eliminates not only the hidden validation latency but also its
computational cost to the UA.
Negatively to remark is that this proposal does have one significant
security risk. The UA's SIP server can cheat and create an extra
authentication object for the UA where it has the Diffie-Hellman
private key. With this, the (SIP) server issuing the SAML assertion
can successfully launch a Man-in-the-Middle (MITM) attack against two
of its UAs. Also, two SIP servers can collude so that either can
successfully launch a MITM attack against their UAs. A UA can block
this attack if its Diffie-Hellman key is authenticated by a
trustworthy third party and this whole object is signed by the SIP
server. Moreover, this approach uses two roundtrips, increasing the
necessary bandwidth and also the setup time, which may be crucial for
many scenarios. For the credential generation, usually a separate
component (server) is necessary, so serverless call setup is not
supported.
<span class="grey">Fries & Ignjatic Informational [Page 14]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-15" ></span>
<span class="grey"><a href="./rfc5197">RFC 5197</a> MIKEY Modes Applicability June 2008</span>
<span class="h3"><a class="selflink" id="section-3.7" href="#section-3.7">3.7</a>. Asymmetric Key Distribution with In-Band Certificate Exchange</span>
This is an additional option, which has been defined in [<a href="./rfc4738" title=""MIKEY-RSA-R: An Additional Mode of Key Distribution in Multimedia Internet KEYing (MIKEY)"">RFC4738</a>].
It describes the asymmetric key distribution with optional in-band
certificate exchange.
Initiator Responder
I_MESSAGE =
HDR, T, [IDi|CERTi], [IDr],
{SP}, [RAND], SIGNi --->
R_MESSAGE =
<--- HDR, [GenExt(CSB-ID)], T,
RAND, [IDr|CERTr], [SP],
KEMAC, SIGNr
This option has some advantages compared to the asymmetric key
distribution stated in <a href="#section-3.2">Section 3.2</a>. Here, the sender and receiver do
not need to know the certificate of the other peer in advance as it
may be sent in the MIKEY Initiator message (if the receiver knows the
certificate in advance, <a href="./rfc3830">RFC 3830</a>'s MIKEY-RSA mode may be used
instead). Thus, the receiver of this message can utilize the
received key material to encrypt the session parameter and send them
back as part of the MIKEY responder message. The certificate check
may be done depending on the signing authority. If the certificate
is signed by a publicly accepted authority, the certificate
validation can be done in a straightforward manner, by using the
commonly known certificate authority's public key. In the other
case, additional steps may be necessary. The disadvantage is that no
perfect forward secrecy is provided.
This mode is meant to provide an easy option for certificate
provisioning when PKI is present and/or required. Specifically in
SIP, session invitations can be retargeted or forked. MIKEY modes
that require the Initiator to target a single well-known Responder
may be impractical here as they may require multiple roundtrips to do
key negotiation. By allowing the Responder to generate secret
material used for key derivation, this mode allows for an efficient
key delivery scheme. Note that the Initiator can contribute to the
key material since the key is derived from CSB-ID and RAND payloads
in unicast use cases. This mode is also useful in multicast
scenarios where multiple clients are contacting a known server and
are downloading the key. Responder workload is significantly reduced
in these scenarios compared to MIKEY in public key mode. This is due
to the fact that the RSA asymmetric encryption requires less effort
compared to the decryption using the private key (the public key is
usually shorter than the private key, hence less performance for
encryption compared to decryption). Examples of deployments where
<span class="grey">Fries & Ignjatic Informational [Page 15]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-16" ></span>
<span class="grey"><a href="./rfc5197">RFC 5197</a> MIKEY Modes Applicability June 2008</span>
this mode can be used are enterprises with PKI, service provider
setups where the service provider decides to provision certificates
to its users, etc.
<span class="h2"><a class="selflink" id="section-4" href="#section-4">4</a>. Further MIKEY Extensions</span>
This section will provide an overview about further MIKEY [<a href="./rfc3830" title=""MIKEY: Multimedia Internet KEYing"">RFC3830</a>]
extensions for crypto algorithms and generic payload enhancements, as
well as enhancements to support the negotiation of security
parameters for security protocols other than SRTP. These extensions
have been defined in several additional documents.
<span class="h3"><a class="selflink" id="section-4.1" href="#section-4.1">4.1</a>. ECC Algorithms Support</span>
[<a id="ref-MSEC-MIKEY">MSEC-MIKEY</a>] proposes extensions to the authentication, encryption,
and digital signature methods described for use in MIKEY, employing
elliptic curve cryptography (ECC). These extensions are defined to
align MIKEY with other ECC implementations and standards.
The motivation for supporting ECC within MIKEY stems from the
following advantages:
o ECC modes are more and more added to security protocols.
o ECC support requires considerably smaller keys by keeping the same
security level compared to other asymmetric techniques (like RSA).
Elliptic curve algorithms are capable of providing security
consistent with Advanced Encryption Standard (AES) keys of 128,
192, and 256 bits without extensive growth in asymmetric key
sizes.
o As stated in [<a href="#ref-MSEC-MIKEY" title=""ECC Algorithms for MIKEY"">MSEC-MIKEY</a>], implementations have shown that
elliptic curve algorithms can significantly improve performance
and security-per-bit over other recommended algorithms.
These advantages make the usage of ECC especially interesting for
embedded devices, which may have only limited performance and storage
capabilities.
[<a id="ref-MSEC-MIKEY">MSEC-MIKEY</a>] proposes several ECC-based mechanisms to enhance the
MIKEY key distribution schemes:
o Use of ECC methods extending the Diffie-Hellman key exchange:
MIKEY-DHSIGN with ECDSA or ECGDSA
o Use of ECC methods extending the Diffie-Hellman key exchange:
MIKEY-DHSIGN with ECDH
<span class="grey">Fries & Ignjatic Informational [Page 16]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-17" ></span>
<span class="grey"><a href="./rfc5197">RFC 5197</a> MIKEY Modes Applicability June 2008</span>
o Use of Elliptic Curve Integrated Encryption Scheme (MIKEY-ECIES)
o Use of Elliptic Curve Menezes-Qu-Vanstone Scheme(MIKEY-ECMQV)
The following subsections will provide more detailed information
about the message exchanges for MIKEY-ECIES and MIKEY-ECMQV.
<span class="h4"><a class="selflink" id="section-4.1.1" href="#section-4.1.1">4.1.1</a>. Elliptic Curve Integrated Encryption Scheme application in MIKEY</span>
The following figure shows the message exchange for the MIKEY-ECIES
scheme:
Initiator Responder
I_MESSAGE =
HDR, T, RAND, [IDi|CERTi],
[IDr], {SP}, KEMAC,
[CHASH], PKE, SIGNi --->
R_MESSAGE =
[<---] HDR, T, [IDr], V
<span class="h4"><a class="selflink" id="section-4.1.2" href="#section-4.1.2">4.1.2</a>. Elliptic Curve Menezes-Qu-Vanstone Scheme Application in MIKEY</span>
The following figure shows the message exchange for the MIKEY-ECMQV
scheme:
Initiator Responder
I_MESSAGE =
HDR, T, RAND, [IDi|CERTi],
[IDr], {SP},
ECCPTi, SIGNi --->
R_MESSAGE =
[<---] HDR, T, [IDr], V
<span class="h3"><a class="selflink" id="section-4.2" href="#section-4.2">4.2</a>. New MIKEY Payload for Bootstrapping TESLA</span>
TESLA [<a href="./rfc4082" title=""Timed Efficient Stream Loss-Tolerant Authentication (TESLA): Multicast Source Authentication Transform Introduction"">RFC4082</a>] is a protocol for providing source authentication in
multicast scenarios. TESLA is an efficient protocol with low
communication and computation overhead, which scales to large numbers
of receivers, and also tolerates packet loss. TESLA is based on
loose time synchronization between the sender and the receivers.
Source authentication is realized in TESLA by using Message
Authentication Code (MAC) chaining. The use of TESLA within the
Secure Real-time Transport Protocol (SRTP) has been published in
[<a href="./rfc4383" title=""The Use of Timed Efficient Stream Loss-Tolerant Authentication (TESLA) in the Secure Real-time Transport Protocol (SRTP)"">RFC4383</a>] targeting multicast authentication in scenarios, where SRTP
is applied to protect the multimedia data. This solution assumes
that TESLA parameters are made available by out-of-band mechanisms.
<span class="grey">Fries & Ignjatic Informational [Page 17]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-18" ></span>
<span class="grey"><a href="./rfc5197">RFC 5197</a> MIKEY Modes Applicability June 2008</span>
[<a id="ref-RFC4442">RFC4442</a>] specifies payloads for MIKEY to bootstrap TESLA for source
authentication of secure group communications using SRTP. TESLA may
be bootstrapped using one of the MIKEY key management approaches
described above by sending the MIKEY message via unicast, multicast,
or broadcast. This approach provides the necessary parameter payload
extensions for the usage of TESLA in SRTP. Nevertheless, if the
parameter set is also sufficient for other TESLA use cases, it can be
applied as well.
<span class="h3"><a class="selflink" id="section-4.3" href="#section-4.3">4.3</a>. MBMS Extensions to the Key ID Information Type</span>
This extension specifies a new Type (the Key ID Information Type) for
the General Extension Payload. This is used in, e.g., the Multimedia
Broadcast/Multicast Service (MBMS) specified in the 3rd Generation
Partnership Project (3GPP). MBMS requires the use of MIKEY to convey
the keys and related security parameters needed to secure the
multimedia that is multicast or broadcast.
One of the requirements that MBMS puts on security is the ability to
perform frequent updates of the keys. The rationale behind this is
that it will be costly for subscribers to re-distribute the
decryption keys to non-subscribers. The cost for re-distributing the
keys using the unicast channel should be higher than the cost of
purchasing the keys for this scheme to have an effect. To achieve
this, MBMS uses a three-level key management, to distribute group
keys to the clients, and be able to re-key by pushing down a new
group key. MBMS has the need to identify which types of keys are
involved in the MIKEY message and their identity.
[<a id="ref-RFC4563">RFC4563</a>] specifies a new Type for the General Extension Payload in
MIKEY, to identify the type and identity of involved keys. Moreover,
as MBMS uses MIKEY both as a registration protocol and a re-key
protocol, this RFC specifies the necessary additions that allow MIKEY
to function both as a unicast and multicast re-key protocol in the
MBMS setting.
<span class="h3"><a class="selflink" id="section-4.4" href="#section-4.4">4.4</a>. OMA BCAST MIKEY General Extension Payload Specification</span>
The document [<a href="./rfc4909" title=""Multimedia Internet KEYing (MIKEY) General Extension Payload for Open Mobile Alliance BCAST LTKM/STKM Transport"">RFC4909</a>] specifies a new general extension payload type
for use in the Open Mobile Alliance (OMA) Browser and Content
Broadcast (BCAST) group. OMA BCAST's service and content protection
specification uses short-term key message and long-term key message
payloads that in certain broadcast distribution systems are carried
in MIKEY. The document defines a general extension payload to allow
possible extensions to MIKEY without defining a new payload. The
general extension payload can be used in any MIKEY message and is
part of the authenticated or signed data part. Note that only a
parameter description is included, but no key information.
<span class="grey">Fries & Ignjatic Informational [Page 18]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-19" ></span>
<span class="grey"><a href="./rfc5197">RFC 5197</a> MIKEY Modes Applicability June 2008</span>
<span class="h3"><a class="selflink" id="section-4.5" href="#section-4.5">4.5</a>. Supporting Integrity Transform Carrying the Rollover Counter</span>
The document [<a href="./rfc4771" title=""Integrity Transform Carrying Roll-Over Counter for the Secure Real-time Transport Protocol (SRTP)"">RFC4771</a>] defines a new integrity transform for SRTP
[<a href="./rfc3711" title=""The Secure Real-time Transport Protocol (SRTP)"">RFC3711</a>] providing the option to also transmit the Roll Over Counter
(ROC) as part of dedicated SRTP packets. This extension has been
defined for use in the 3GPP multicast/broadcast service. While the
communicating parties did agree on a starting ROC, in some cases the
receiver may not be able to synchronize his ROC with the one used by
the sender even if it is signaled to him out of band. Here the new
extension provides the possibility for the receiver to re-synchronize
to the sender's ROC. To signal the use of the new integrity
transform, new definitions for certain MIKEY payloads need to be
done. These new definitions comprise the integrity transform itself
as well as a new integrity transform parameters. Moreover, the
document specifies additional parameter, to enable the usage of
different integrity transforms for SRTP and SRTCP.
<span class="h2"><a class="selflink" id="section-5" href="#section-5">5</a>. Selection and Interworking of MIKEY Modes</span>
While MIKEY and its extensions provide a variety of choices in terms
of modes of operation, an implementation may choose to simplify its
behavior. This can be achieved by operating in a single mode of
operation when in the Initiator's role. Where PKI is available
and/or required, an implementation may choose, for example, to start
all sessions in RSA-R mode, and it would be trivial for it to act as
a Responder in public key mode. If envelope keys are cached, it can
then also choose to do re-keying in shared key mode. It is outside
the scope of MIKEY or MIKEY extensions if the caching of envelope
keys is allowed. This is a matter of the configuration of the
involved components. This local configuration is also outside the
scope of MIKEY. In general, modes of operation where the Initiator
generates keying material are useful when two peers are aware of each
other before the MIKEY communication takes place. If a peer chooses
not to operate in the public key mode, it may reject the certificate
of the Initiator. The same applies to peers that choose to operate
in one of the DH modes exclusively.
Forward MIKEY modes, where the Initiator provides the key material,
like public key or shared key mode when used in SIP/SDP may lead to
complications in some call scenarios, for example, forking scenarios
where key derivation material gets distributed to multiple parties.
As mentioned earlier, this may be impractical as some of the
destinations may not have the resources to validate the message and
may cause the Initiator to drop the session invitation. Even in the
case in which all parties involved have all the prerequisites for
interpreting the MIKEY message received, there is a possible problem
with multiple Responders starting media sessions using the same key.
While the SSRCs will be different in most of the cases, they are only
<span class="grey">Fries & Ignjatic Informational [Page 19]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-20" ></span>
<span class="grey"><a href="./rfc5197">RFC 5197</a> MIKEY Modes Applicability June 2008</span>
32 bits long and there is a high probability of a two-time pad
problem. This is due to the support of scenarios like forking (see
also <a href="#section-5.2">Section 5.2</a>) or retargeting (see also <a href="#section-5.3">Section 5.3</a>), where a two-
time pad occurs if two branches have the same TEK (based on the MIKEY
key establishment) and choose the same 32-bit SSRC for the SRTP
streams and transmit SRTP packets. As suggested earlier, forward
modes are most useful when the two peers are aware of each other
before the communication takes place (as is the case in key renewal
scenarios when costly public key operations can be avoided by using
the envelope key).
The following list gives an idea how the different MIKEY modes may be
used or combined, depending on available key material at the
Initiator side.
1. If the Initiator has a PSK with the Responder, it uses the PSK
mode.
2. If the Initiator has a PSK with the Responder, but needs PFS or
knows that the Responder has a policy that both parties should
provide entropy to the key, then it uses the DH-HMAC mode.
3. If the Initiator has the RSA key of the Responder, it uses the
RSA mode to establish the TGK. Note that the TGK may be used as
PSK together with Option 1 for further key management operations.
4. If the Initiator does not expect the responder to have his
certificate, he may use RSA-R. Using RSA-R, he can provide the
Initiator's certificate information in-band to the receiver.
Moreover, the Initiator may also provide a random number that can
be used by the receiver for key generation. Thus, both parties
can be involved in the key management. But as the inclusion of
the random number cannot be forced by the Initiator, true PFS
cannot be provided. Note that in this mode, after establishing
the TGK, it may be used as PSK with other MIKEY modes.
5. The Initiator uses DH-SIGN when PFS is required by his policy and
he knows that the Responder has a policy that both parties should
provide entropy. Note that also in this mode, after establishing
the TGK, it may be used as PSK with other MIKEY modes.
6. If no PSK or certificate is available at the Initiator's side
(and likewise at the responder's side) but lower-level security
(like TLS or IPsec) is in place the user may use the unprotected
mode of MIKEY. It has to considered that using the unprotected
mode enables intermediate nodes like proxies to actually get the
exchanged master key in plain. This may not be intended,
especially in cases where the intermediate node is not trusted.
<span class="grey">Fries & Ignjatic Informational [Page 20]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-21" ></span>
<span class="grey"><a href="./rfc5197">RFC 5197</a> MIKEY Modes Applicability June 2008</span>
Besides the available key material, choosing between the different
modes of MIKEY depends strongly on the use case. This section will
depict dedicated scenarios to discuss the feasibility of the
different modes in these scenarios. A comparison of the different
modes of operation regarding the influences and requirements to the
deploying infrastructure as well as the cryptographic strength can be
found in [<a href="#ref-SIP-MEDIA" title=""Requirements and Analysis of Media Security Management Protocols"">SIP-MEDIA</a>]. The following list provides the most prominent
call scenarios and are matter of further discussion:
o Early Media
o Forking
o Call Transfer/Redirect/Retarget
o Shared Key Conferencing
<span class="h3"><a class="selflink" id="section-5.1" href="#section-5.1">5.1</a>. MIKEY and Early Media</span>
The term early media describes two different scenarios. The first
one relates to the case where media data are received before the
actual SDP signaling answer has been received. This may arise
through the different latency on the signaling and media path. This
case is often referred to as media before signaling answer. The
second scenario describes the case were media data are send from the
callee before sending the final SIP 200 OK message. This situation
appears usually in call center scenarios, when queuing a waiting loop
or when providing personal ring tones.
In early media scenarios, SRTP data may be received before the answer
over the SIP signaling arrives. The two MIKEY modes, which only
require one message to be transported (<a href="#section-3.1">Section 3.1</a> and <a href="#section-3.2">Section 3.2</a>),
work nicely in early media situations, as both sender and receiver
have all the necessary parameters in place before actually sending/
receiving encrypted data. The other modes, featuring either Diffie-
Hellman key agreement (<a href="#section-3.3">Section 3.3</a>, <a href="#section-3.5">Section 3.5</a>, and <a href="#section-3.6">Section 3.6</a>) or
the enhanced asymmetric variant (<a href="#section-3.7">Section 3.7</a>), suffer from the
requirements that the Initiator has to wait for the response before
being able to decrypt the incoming SRTP media. In fact, even if
early media is not used, in other words if media is not sent before
the SDP answer, a similar problem may arise from the fact that SIP/
SDP signaling has to traverse multiple proxies on its way back and
media may arrive before the SDP answer. It is expected that this
delay would be significantly shorter than in the case of early media
though.
<span class="grey">Fries & Ignjatic Informational [Page 21]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-22" ></span>
<span class="grey"><a href="./rfc5197">RFC 5197</a> MIKEY Modes Applicability June 2008</span>
It is worth mentioning here that security descriptions [<a href="./rfc4568" title=""Session Description Protocol (SDP) Security Descriptions for Media Streams"">RFC4568</a>] have
basically the same problem as the initiating end needs the SDP answer
before it can start decrypting SRTP media.
To cope with the early media problem, there are further approaches to
describe security preconditions [<a href="./rfc5027" title=""Security Preconditions for Session Description Protocol (SDP) Media Streams"">RFC5027</a>]; i.e., certain
preconditions need to be met to enable voice data encryption. One
example, for instance, is that a scenario where a provisional
response, containing the required MIKEY parameter, is sent before
encrypted media is processed.
<span class="h3"><a class="selflink" id="section-5.2" href="#section-5.2">5.2</a>. MIKEY and Forking</span>
In SIP forking scenarios, a SIP proxy server sends an INVITE request
to more than one location. This means also that the MIKEY payload,
which is part of the SDP, is sent to several (different) locations.
MIKEY modes supporting signatures may be used in forking scenarios
(<a href="#section-3.3">Section 3.3</a> and <a href="#section-3.7">Section 3.7</a>) as here the receiver can validate the
signature. There are limitations with the symmetric key encryption
as well as the asymmetric key encryption modes (<a href="#section-3.1">Section 3.1</a> and
<a href="#section-3.2">Section 3.2</a>). This is due to the fact that in symmetric encryption
the recipient needs to possess the symmetric key before handling the
MIKEY data. For asymmetric MIKEY modes, if the sender is aware of
the forking he may not know in advance to which location the INVITE
is forked and thus may not use the right receiver certificate to
encrypt the MIKEY envelope key. Note that the sender may include
several MIKEY containers into the same INVITE message to cope with
forking, but this requires the knowledge of all forking targets in
advance and also requires the possession of the target certificates.
It is out of the scope of MIKEY to specify behavior in such a case.
MIKEY Diffie Hellman modes or MIKEY-RSA_R <a href="#section-3.7">Section 3.7</a> do not have
this problem. In scenarios where the sender is not aware of forking,
only the intended receiver is able to decrypt the MIKEY container.
If forking is combined with early media, the situation gets
aggravated. If MIKEY modes requiring a full roundtrip are used, like
the signed Diffie-Hellman, multiple responses may overload the end
device. An example is forking to 30 destinations (group pickup),
while MIKEY is used with the signed Diffie-Hellman mode together with
security preconditions. Here, every target would answer with a
provisional response, leading to 30 signature validations and Diffie-
Hellman calculations at the sender's site. This may lead to a
prolonged media setup delay.
Moreover, depending on the MIKEY mode chosen, a two-time pad may
occur in dependence of the negotiated key material and the SSRC. For
the non Diffie-Hellman modes other than RSA-R, a two-time pad may
occur when multiple receivers pick the same SSRC.
<span class="grey">Fries & Ignjatic Informational [Page 22]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-23" ></span>
<span class="grey"><a href="./rfc5197">RFC 5197</a> MIKEY Modes Applicability June 2008</span>
<span class="h3"><a class="selflink" id="section-5.3" href="#section-5.3">5.3</a>. MIKEY and Call Transfer/Redirect/Retarget</span>
In a SIP environment, MIKEY exchange is tied to SDP offer/answer and
irrespective of the implementation model used for call transfer the
same properties and limitations of MIKEY modes apply as in a normal
call setup scenario.
In certain SIP scenarios, the functionality of redirect is supported.
In redirect scenarios, the call initiator gets a response that the
called party for instance has temporarily moved and may be reached at
a different destination. The caller can now perform a call
establishment with the new destination. Depending on the originally
chosen MIKEY mode, the caller may not be able to perform this mode
with the new destination. To be more precise, MIKEY-PSK and MIKEY-
DHHMAC require a pre-shared secret in advance. MIKEY-RSA requires
the knowledge about the target's certificate. Thus, these modes may
influence the ability of the caller to initiate a session.
Another functionality that may be supported in SIP is retargeting.
In contrast to redirect, the call initiator does not get a response
about the different target. The SIP proxy sends the request to a
different target about receiving a redirect response from the
originally called target. This most likely will lead to problems
when using MIKEY modes requiring a pre-shared key (MIKEY-PSK, MIKEY-
DHHMAC) or where the caller used asymmetric key encryption (MIKEY-
RSA) because the key management was originally targeted to a
different destination.
<span class="h3"><a class="selflink" id="section-5.4" href="#section-5.4">5.4</a>. MIKEY and Shared Key Conferencing</span>
First of all, not all modes of MIKEY support shared key conferencing.
Mainly the Diffie-Hellman modes cannot be used straight-forward for
conferencing as this mechanism results in a pair wise shared secret
key. All other modes can be applied in conferencing scenarios by
obeying the Initiator and Responder roles; i.e., the half roundtrip
modes need to be initiated by the conferencing unit to be able to
distribute the conferencing key. The remaining full roundtrip mode,
MIKEY RSA-R, will be initiated by the client, while the conferencing
unit provides the conferencing key based on the received certificate.
An example conferencing architecture is defined in the IETF's XCON
WG. The scope of this working group relates to a mechanism for
membership and authorization control, a mechanism to manipulate and
describe media "mixing" or "topology" for multiple media types
(audio, video, text), a mechanism for notification of conference-
related events/changes (for example, a floor change), and a basic
floor control protocol. A document describing possible use case
scenarios is available in [<a href="./rfc4597" title=""Conferencing Scenarios"">RFC4597</a>].
<span class="grey">Fries & Ignjatic Informational [Page 23]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-24" ></span>
<span class="grey"><a href="./rfc5197">RFC 5197</a> MIKEY Modes Applicability June 2008</span>
<span class="h3"><a class="selflink" id="section-5.5" href="#section-5.5">5.5</a>. MIKEY Mode Summary</span>
The following two tables summarize the discussion from the previous
subsections. The first table matches the scenarios discussed in this
section to the different MIKEY modes.
MIKEY Early Secure Retarget Redirect Shared
mode Media Forking Key Conf
---------------------------------------------------------------------
PSK (3.1) Yes Yes*
RSA (3.2) Yes Yes*
DH-SIGN (3.3) Yes* Yes Yes
Unprotected (3.4) Yes
DH-HMAC (3.5)
RSA-R (3.7) Yes Yes Yes Yes
* In centralized conferencing, the media mixer needs to send the
MIKEY Initiator message.
The following table maps the MIKEY modes to key management-related
properties.
MIKEY Manual Needs PFS Key Generation
mode Keys PKI Involvement
--------------------------------------------------------------
PSK (3.1) Yes No No Initiator
RSA (3.2) No Yes No Initiator
DH-SIGN (3.3) No Yes Yes Both
Unprotected (3.4) No No No Initiator
DH-HMAC (3.5) Yes No Yes Both
RSA-R (3.7) No Yes No Both*
* Assumed the Initiator provides the (optional) RAND value
<span class="h2"><a class="selflink" id="section-6" href="#section-6">6</a>. Transport of MIKEY Messages</span>
MIKEY defines message formats to transport key information and
security policies between communicating entities. It does not define
the embedding of these messages into the used signaling protocol.
This definition is provided in separate documents, depending on the
used signaling protocol. Nevertheless, MIKEY can also be transported
over plain UDP or TCP to port 2269.
Several IETF-defined protocols utilize the Session Description
Protocol (SDP, [<a href="./rfc4566" title=""SDP: Session Description Protocol"">RFC4566</a>]) to transport the session parameters.
Examples are the Session Initiation Protocol (SIP, [<a href="./rfc3261" title=""SIP: Session Initiation Protocol"">RFC3261</a>] or the
Gateway Control Protocol (GCP, [<a href="./rfc5125" title=""Reclassification of RFC 3525 to Historic"">RFC5125</a>]). The transport of MIKEY
messages as part of SDP is described in [<a href="./rfc4567" title=""Key Management Extensions for Session Description Protocol (SDP) and Real Time Streaming Protocol (RTSP)"">RFC4567</a>]. Here, the
<span class="grey">Fries & Ignjatic Informational [Page 24]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-25" ></span>
<span class="grey"><a href="./rfc5197">RFC 5197</a> MIKEY Modes Applicability June 2008</span>
complete MIKEY message is base64 encoded and transmitted as part of
the SDP part of the signaling protocol message. Note that as several
key distribution messages may be transported within one SDP
container, [<a href="./rfc4567" title=""Key Management Extensions for Session Description Protocol (SDP) and Real Time Streaming Protocol (RTSP)"">RFC4567</a>] also comprises an integrity protection regarding
all supplied key distribution attempts. Thus, bidding-down attacks
will be recognized. Regarding RTSP, [<a href="./rfc4567" title=""Key Management Extensions for Session Description Protocol (SDP) and Real Time Streaming Protocol (RTSP)"">RFC4567</a>] defines header
extensions allowing the transport of MIKEY messages. Here, the
initial messages uses SDP, while the remaining part of the key
management is performed using the header extensions.
MIKEY is also applied in ITU-T protocols like H.323, which is used to
establish communication sessions similar to SIP. For H.323, a
security framework exists, which is defined in H.235. Within this
framework, H.235.7 [<a href="#ref-H.235.7" title=""ITU-T Recommendation H.235.7: Usage of the MIKEY Key Management Protocol for the Secure Real Time Transport Protocol (SRTP) within H.235"">H.235.7</a>] describes the usage of MIKEY and SRTP in
the context of H.323. In contrast to SIP, H.323 uses ASN.1 (Abstract
Syntax Notation). Thus, there is no need to encode the MIKEY
container as base64. Within H.323, the MIKEY container is binary
encoded.
<span class="h2"><a class="selflink" id="section-7" href="#section-7">7</a>. MIKEY Alternatives for SRTP Security Parameter Negotiation</span>
Besides MIKEY, there exist several approaches to handle the security
parameter establishment. This is due to the fact that some
limitations in certain scenarios have been seen. Examples are early
media and forking situations as described in <a href="#section-5">Section 5</a>. The
following list provides a short summary about possible alternatives:
o sdescription - [<a href="./rfc4568" title=""Session Description Protocol (SDP) Security Descriptions for Media Streams"">RFC4568</a>] describes a key management scheme, which
uses SDP for transport and completely relies on underlying
protocol security. For transport, the document defines an SDP
attribute transmitting all necessary SRTP parameter in clear. For
security, it references TLS and S/MIME. In contrast to MIKEY, the
SRTP parameter in the Initiator-to-Responder direction is actually
sent in the message from the Initiator to the Responder rather
than vice versa. This may lead to problems in early media
scenarios.
o sdescription with early media support - [<a href="#ref-WING-MMUSIC" title=""Security Descriptions Extension for Early Media"">WING-MMUSIC</a>] enhances the
above scheme with the possibility to also be usable in early media
scenarios, when security preconditions are not used.
o Encrypted Key Transport for Secure RTP - [<a href="#ref-MCGREW-SRTP" title=""Encrypted Key Transport for Secure RTP"">MCGREW-SRTP</a>] is an
extension to SRTP that provides for the secure transport of SRTP
master keys, Rollover Counters, and other information, within
SRTCP. This facility enables SRTP to work for decentralized
conferences with minimal control, and to handle situations caused
by SIP forking and early media. It may also be used in
conjunction with MIKEY.
<span class="grey">Fries & Ignjatic Informational [Page 25]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-26" ></span>
<span class="grey"><a href="./rfc5197">RFC 5197</a> MIKEY Modes Applicability June 2008</span>
o Diffie-Hellman support in SDP - [<a href="#ref-BAUGHER" title=""Diffie-Hellman Exchanges for Multimedia Sessions"">BAUGHER</a>] defines a new SDP
attribute for exchanging Diffie-Hellman public keys. The
attribute is an SDP session-level attribute for describing DH
keys, and there is a new media-level parameter for describing
public keying material for SRTP key generation.
o DTLS-SRTP describing SRTP extensions for DTLS - [<a href="#ref-AVT-DTLS" title=""Datagram Transport Layer Security (DTLS) Extension to Establish Keys for Secure Real-time Transport Protocol (SRTP)"">AVT-DTLS</a>]
describes a method of using DTLS key management for SRTP by using
a new extension that indicates that SRTP is to be used for data
protection and that establishes SRTP keys.
o ZRTP - [<a href="#ref-ZIMMERMANN" title=""ZRTP: Media Path Key Agreement for Secure RTP"">ZIMMERMANN</a>] defines ZRTP as RTP header extensions for a
Diffie-Hellman exchange to agree on a session key and parameters
for establishing SRTP sessions. The ZRTP protocol is completely
self-contained in RTP and does not require support in the
signaling protocol or assume a PKI.
There has been a long discussion regarding a preferred key management
approach in the IETF coping with the different scenarios and
requirements continuously sorting out key management approaches.
During IETF 68, three options were considered: MIKEY in an updated
version (referred to as MIKEYv2), ZRTP, and DTLS-SRTP. The potential
key management protocol for the standards track for media security
was voted in favor of DTLS-SRTP. Thus, the reader is pointed to the
appropriate resources for further information on DTLS-SRTP
[<a href="#ref-AVT-DTLS" title=""Datagram Transport Layer Security (DTLS) Extension to Establish Keys for Secure Real-time Transport Protocol (SRTP)"">AVT-DTLS</a>]. Note that MIKEY has already been deployed for setting up
SRTP security context and is also targeted for use in MBMS
applications.
<span class="h2"><a class="selflink" id="section-8" href="#section-8">8</a>. Summary of MIKEY-Related IANA Registrations</span>
For MIKEY and the extensions to MIKEY, IANA registrations have been
made. Here only a link to the appropriate IANA registration is
provided to avoid inconsistencies. The IANA registrations for MIKEY
payloads can be found under
<a href="http://www.iana.org/assignments/mikey-payloads">http://www.iana.org/assignments/mikey-payloads</a>. These registrations
comprise the MIKEY base registrations as well as registrations made
by MIKEY extensions regarding the payload.
The IANA registrations for MIKEY port numbers can be found under
<a href="http://www.iana.org/assignments/port-numbers">http://www.iana.org/assignments/port-numbers</a> (search for MIKEY).
<span class="h2"><a class="selflink" id="section-9" href="#section-9">9</a>. Security Considerations</span>
This document does not define extensions to existing protocols. It
rather provides an overview about the set of MIKEY modes and
available extensions and provides information about the applicability
of the different modes in different scenarios to support the decision
<span class="grey">Fries & Ignjatic Informational [Page 26]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-27" ></span>
<span class="grey"><a href="./rfc5197">RFC 5197</a> MIKEY Modes Applicability June 2008</span>
making for network architects regarding the appropriate MIKEY scheme
or extension to be used in a dedicated target scenario. Choosing
between the different schemes described in this document strongly
influences the security of the target system as the different schemes
provide different levels of security and also require different
infrastructure support.
As this document is based on the MIKEY base specification as well as
the different specifications of the extensions, the reader is
referred to the original documents for the specific security
considerations.
<span class="h2"><a class="selflink" id="section-10" href="#section-10">10</a>. Acknowledgments</span>
The authors would like to thank Lakshminath Dondeti for his document
reviews and for his guidance.
<span class="h2"><a class="selflink" id="section-11" href="#section-11">11</a>. References</span>
<span class="h3"><a class="selflink" id="section-11.1" href="#section-11.1">11.1</a>. Normative References</span>
[<a id="ref-RFC2119">RFC2119</a>] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", <a href="https://www.rfc-editor.org/bcp/bcp14">BCP 14</a>, <a href="./rfc2119">RFC 2119</a>, March 1997.
[<a id="ref-RFC3830">RFC3830</a>] Arkko, J., Carrara, E., Lindholm, F., Naslund, M.,
and K. Norrman, "MIKEY: Multimedia Internet KEYing",
<a href="./rfc3830">RFC 3830</a>, August 2004.
<span class="h3"><a class="selflink" id="section-11.2" href="#section-11.2">11.2</a>. Informative References</span>
[<a id="ref-AVT-DTLS">AVT-DTLS</a>] McGrew, D. and E. Rescorla, "Datagram Transport
Layer Security (DTLS) Extension to Establish Keys
for Secure Real-time Transport Protocol (SRTP)",
Work in Progress, February 2008.
[<a id="ref-BAUGHER">BAUGHER</a>] Baugher, M. and D. McGrew, "Diffie-Hellman Exchanges
for Multimedia Sessions", Work in Progress,
February 2006.
[<a id="ref-H.235.7">H.235.7</a>] ""ITU-T Recommendation H.235.7: Usage of the MIKEY
Key Management Protocol for the Secure Real Time
Transport Protocol (SRTP) within H.235"", 2005.
[<a id="ref-ISO_sec_time">ISO_sec_time</a>] ""ISO/IEC 18014 Information technology - Security
techniques - Time-stamping services, Part 1-
3.http://www.oasis-open.org/committees/
documents.php?wg_abbrev=security"", 2002.
<span class="grey">Fries & Ignjatic Informational [Page 27]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-28" ></span>
<span class="grey"><a href="./rfc5197">RFC 5197</a> MIKEY Modes Applicability June 2008</span>
[<a id="ref-MCGREW-SRTP">MCGREW-SRTP</a>] McGrew, D., "Encrypted Key Transport for Secure
RTP", Work in Progress, March 2007.
[<a id="ref-MSEC-MIKEY">MSEC-MIKEY</a>] Milne, A., <a style="text-decoration: none" href='https://www.google.com/search?sitesearch=datatracker.ietf.org%2Fdoc%2Fhtml%2F&q=inurl:draft-+%22ECC+Algorithms+for+MIKEY%22'>"ECC Algorithms for MIKEY"</a>, Work in
Progress, June 2007.
[<a id="ref-RFC1305">RFC1305</a>] Mills, D., "Network Time Protocol (Version 3)
Specification, Implementation", <a href="./rfc1305">RFC 1305</a>,
March 1992.
[<a id="ref-RFC2412">RFC2412</a>] Orman, H., "The OAKLEY Key Determination Protocol",
<a href="./rfc2412">RFC 2412</a>, November 1998.
[<a id="ref-RFC3261">RFC3261</a>] Rosenberg, J., Schulzrinne, H., Camarillo, G.,
Johnston, A., Peterson, J., Sparks, R., Handley, M.,
and E. Schooler, "SIP: Session Initiation Protocol",
<a href="./rfc3261">RFC 3261</a>, June 2002.
[<a id="ref-RFC3711">RFC3711</a>] Baugher, M., McGrew, D., Naslund, M., Carrara, E.,
and K. Norrman, "The Secure Real-time Transport
Protocol (SRTP)", <a href="./rfc3711">RFC 3711</a>, March 2004.
[<a id="ref-RFC4082">RFC4082</a>] Perrig, A., Song, D., Canetti, R., Tygar, J., and B.
Briscoe, "Timed Efficient Stream Loss-Tolerant
Authentication (TESLA): Multicast Source
Authentication Transform Introduction", <a href="./rfc4082">RFC 4082</a>,
June 2005.
[<a id="ref-RFC4086">RFC4086</a>] Eastlake, D., Schiller, J., and S. Crocker,
"Randomness Requirements for Security", <a href="https://www.rfc-editor.org/bcp/bcp106">BCP 106</a>,
<a href="./rfc4086">RFC 4086</a>, June 2005.
[<a id="ref-RFC4383">RFC4383</a>] Baugher, M. and E. Carrara, "The Use of Timed
Efficient Stream Loss-Tolerant Authentication
(TESLA) in the Secure Real-time Transport Protocol
(SRTP)", <a href="./rfc4383">RFC 4383</a>, February 2006.
[<a id="ref-RFC4442">RFC4442</a>] Fries, S. and H. Tschofenig, "Bootstrapping Timed
Efficient Stream Loss-Tolerant Authentication
(TESLA)", <a href="./rfc4442">RFC 4442</a>, March 2006.
[<a id="ref-RFC4563">RFC4563</a>] Carrara, E., Lehtovirta, V., and K. Norrman, "The
Key ID Information Type for the General Extension
Payload in Multimedia Internet KEYing (MIKEY)",
<a href="./rfc4563">RFC 4563</a>, June 2006.
[<a id="ref-RFC4566">RFC4566</a>] Handley, M., Jacobson, V., and C. Perkins, "SDP:
Session Description Protocol", <a href="./rfc4566">RFC 4566</a>, July 2006.
<span class="grey">Fries & Ignjatic Informational [Page 28]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-29" ></span>
<span class="grey"><a href="./rfc5197">RFC 5197</a> MIKEY Modes Applicability June 2008</span>
[<a id="ref-RFC4567">RFC4567</a>] Arkko, J., Lindholm, F., Naslund, M., Norrman, K.,
and E. Carrara, "Key Management Extensions for
Session Description Protocol (SDP) and Real Time
Streaming Protocol (RTSP)", <a href="./rfc4567">RFC 4567</a>, July 2006.
[<a id="ref-RFC4568">RFC4568</a>] Andreasen, F., Baugher, M., and D. Wing, "Session
Description Protocol (SDP) Security Descriptions for
Media Streams", <a href="./rfc4568">RFC 4568</a>, July 2006.
[<a id="ref-RFC4597">RFC4597</a>] Even, R. and N. Ismail, "Conferencing Scenarios",
<a href="./rfc4597">RFC 4597</a>, August 2006.
[<a id="ref-RFC4650">RFC4650</a>] Euchner, M., "HMAC-Authenticated Diffie-Hellman for
Multimedia Internet KEYing (MIKEY)", <a href="./rfc4650">RFC 4650</a>,
September 2006.
[<a id="ref-RFC4738">RFC4738</a>] Ignjatic, D., Dondeti, L., Audet, F., and P. Lin,
"MIKEY-RSA-R: An Additional Mode of Key Distribution
in Multimedia Internet KEYing (MIKEY)", <a href="./rfc4738">RFC 4738</a>,
November 2006.
[<a id="ref-RFC4771">RFC4771</a>] Lehtovirta, V., Naslund, M., and K. Norrman,
"Integrity Transform Carrying Roll-Over Counter for
the Secure Real-time Transport Protocol (SRTP)",
<a href="./rfc4771">RFC 4771</a>, January 2007.
[<a id="ref-RFC4909">RFC4909</a>] Dondeti, L., Castleford, D., and F. Hartung,
"Multimedia Internet KEYing (MIKEY) General
Extension Payload for Open Mobile Alliance BCAST
LTKM/STKM Transport", <a href="./rfc4909">RFC 4909</a>, June 2007.
[<a id="ref-RFC4949">RFC4949</a>] Shirey, R., "Internet Security Glossary, Version 2",
<a href="./rfc4949">RFC 4949</a>, August 2007.
[<a id="ref-RFC5027">RFC5027</a>] Andreasen, F. and D. Wing, "Security Preconditions
for Session Description Protocol (SDP) Media
Streams", <a href="./rfc5027">RFC 5027</a>, October 2007.
[<a id="ref-RFC5125">RFC5125</a>] Taylor, T., "Reclassification of <a href="./rfc3525">RFC 3525</a> to
Historic", <a href="./rfc5125">RFC 5125</a>, February 2008.
[<a id="ref-SAML_overview">SAML_overview</a>] Huges, J. and E. Maler, "Security Assertion Markup
Language (SAML) 2.0 Technical Overview, Working
Draft", 2005.
[<a id="ref-SIP-MEDIA">SIP-MEDIA</a>] Wing, D., Fries, S., Tschofenig, H., and F. Audet,
"Requirements and Analysis of Media Security
Management Protocols", Work in Progress, June 2008.
<span class="grey">Fries & Ignjatic Informational [Page 29]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-30" ></span>
<span class="grey"><a href="./rfc5197">RFC 5197</a> MIKEY Modes Applicability June 2008</span>
[<a id="ref-WING-MMUSIC">WING-MMUSIC</a>] Raymond, R. and D. Wing, "Security Descriptions
Extension for Early Media", Work in Progress,
October 2005.
[<a id="ref-ZIMMERMANN">ZIMMERMANN</a>] Zimmermann, P., Johnston, A., and J. Callas, "ZRTP:
Media Path Key Agreement for Secure RTP", Work in
Progress, June 2008.
Authors' Addresses
Steffen Fries
Siemens Corporate Technology
Otto-Hahn-Ring 6
Munich, Bavaria 81739
Germany
EMail: steffen.fries@siemens.com
Dragan Ignjatic
Polycom
3605 Gilmore Way
Burnaby, BC V5G 4X5
Canada
EMail: dignjatic@polycom.com
<span class="grey">Fries & Ignjatic Informational [Page 30]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-31" ></span>
<span class="grey"><a href="./rfc5197">RFC 5197</a> MIKEY Modes Applicability June 2008</span>
Full Copyright Statement
Copyright (C) The IETF Trust (2008).
This document is subject to the rights, licenses and restrictions
contained in <a href="https://www.rfc-editor.org/bcp/bcp78">BCP 78</a>, and except as set forth therein, the authors
retain all their rights.
This document and the information contained herein are provided on an
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND
THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS
OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF
THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Intellectual Property
The IETF takes no position regarding the validity or scope of any
Intellectual Property Rights or other rights that might be claimed to
pertain to the implementation or use of the technology described in
this document or the extent to which any license under such rights
might or might not be available; nor does it represent that it has
made any independent effort to identify any such rights. Information
on the procedures with respect to rights in RFC documents can be
found in <a href="https://www.rfc-editor.org/bcp/bcp78">BCP 78</a> and <a href="https://www.rfc-editor.org/bcp/bcp79">BCP 79</a>.
Copies of IPR disclosures made to the IETF Secretariat and any
assurances of licenses to be made available, or the result of an
attempt made to obtain a general license or permission for the use of
such proprietary rights by implementers or users of this
specification can be obtained from the IETF on-line IPR repository at
<a href="http://www.ietf.org/ipr">http://www.ietf.org/ipr</a>.
The IETF invites any interested party to bring to its attention any
copyrights, patents or patent applications, or other proprietary
rights that may cover technology that may be required to implement
this standard. Please address the information to the IETF at
ietf-ipr@ietf.org.
Fries & Ignjatic Informational [Page 31]
</pre>
|
