1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
|
<pre>Internet Engineering Task Force (IETF) D. McGrew
Request for Comments: 6188 Cisco Systems, Inc.
Category: Standards Track March 2011
ISSN: 2070-1721
<span class="h1">The Use of AES-192 and AES-256 in Secure RTP</span>
Abstract
This memo describes the use of the Advanced Encryption Standard (AES)
with 192- and 256-bit keys within the Secure RTP (SRTP) protocol. It
details counter mode encryption for SRTP and Secure Realtime
Transport Control Protocol (SRTCP) and a new SRTP Key Derivation
Function (KDF) for AES-192 and AES-256.
Status of This Memo
This is an Internet Standards Track document.
This document is a product of the Internet Engineering Task Force
(IETF). It represents the consensus of the IETF community. It has
received public review and has been approved for publication by the
Internet Engineering Steering Group (IESG). Further information on
Internet Standards is available in <a href="./rfc5741#section-2">Section 2 of RFC 5741</a>.
Information about the current status of this document, any errata,
and how to provide feedback on it may be obtained at
<a href="http://www.rfc-editor.org/info/rfc6188">http://www.rfc-editor.org/info/rfc6188</a>.
Copyright Notice
Copyright (c) 2011 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to <a href="https://www.rfc-editor.org/bcp/bcp78">BCP 78</a> and the IETF Trust's Legal
Provisions Relating to IETF Documents
(<a href="http://trustee.ietf.org/license-info">http://trustee.ietf.org/license-info</a>) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
<span class="grey">McGrew Standards Track [Page 1]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-2" ></span>
<span class="grey"><a href="./rfc6188">RFC 6188</a> SRTP AES-192 and AES-256 March 2011</span>
Table of Contents
<a href="#section-1">1</a>. Introduction ....................................................<a href="#page-3">3</a>
<a href="#section-1.1">1.1</a>. Conventions Used in This Document ..........................<a href="#page-3">3</a>
<a href="#section-2">2</a>. AES-192 and AES-256 Encryption ..................................<a href="#page-3">3</a>
<a href="#section-3">3</a>. The AES_192_CM_PRF and AES_256_CM_PRF Key Derivation Functions ..4
<a href="#section-3.1">3.1</a>. Usage Requirements .........................................<a href="#page-5">5</a>
<a href="#section-4">4</a>. Crypto Suites ...................................................<a href="#page-6">6</a>
<a href="#section-5">5</a>. IANA Considerations .............................................<a href="#page-9">9</a>
<a href="#section-6">6</a>. Security Considerations .........................................<a href="#page-9">9</a>
<a href="#section-7">7</a>. Test Cases .....................................................<a href="#page-10">10</a>
<a href="#section-7.1">7.1</a>. AES-256-CM Test Cases .....................................<a href="#page-10">10</a>
<a href="#section-7.2">7.2</a>. AES_256_CM_PRF Test Cases .................................<a href="#page-11">11</a>
<a href="#section-7.3">7.3</a>. AES-192-CM Test Cases .....................................<a href="#page-13">13</a>
<a href="#section-7.4">7.4</a>. AES_192_CM_PRF Test Cases .................................<a href="#page-13">13</a>
<a href="#section-8">8</a>. Acknowledgements ...............................................<a href="#page-15">15</a>
<a href="#section-9">9</a>. References .....................................................<a href="#page-15">15</a>
<a href="#section-9.1">9.1</a>. Normative References ......................................<a href="#page-15">15</a>
<a href="#section-9.2">9.2</a>. Informative References ....................................<a href="#page-15">15</a>
<span class="grey">McGrew Standards Track [Page 2]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-3" ></span>
<span class="grey"><a href="./rfc6188">RFC 6188</a> SRTP AES-192 and AES-256 March 2011</span>
<span class="h2"><a class="selflink" id="section-1" href="#section-1">1</a>. Introduction</span>
This memo describes the use of the Advanced Encryption Standard (AES)
[<a href="#ref-FIPS197" title=""The Advanced Encryption Standard (AES)"">FIPS197</a>] with 192- and 256-bit keys within the Secure RTP (SRTP)
protocol [<a href="./rfc3711" title=""The Secure Real-time Transport Protocol (SRTP)"">RFC3711</a>]. Below, those block ciphers are referred to as
AES-192 and AES-256, respectively, and the use of AES with a 128-bit
key is referred to as AES-128. This document describes counter mode
encryption for SRTP and SRTCP and appropriate SRTP key derivation
functions for AES-192 and AES-256. It also defines new crypto suites
that use these new functions.
While AES-128 is widely regarded as more than adequately secure, some
users may be motivated to adopt AES-192 or AES-256 due to a perceived
need to pursue a highly conservative security strategy. For
instance, the Suite B profile requires AES-256 for the protection of
TOP SECRET information [<a href="#ref-suiteB" title=""Suite B Cryptography"">suiteB</a>]. (Note that while the AES-192 and
AES-256 encryption methods defined in this document use Suite B
algorithms, the crypto suites in this document use the HMAC-SHA-1
algorithm, which is not included in Suite B.) See <a href="#section-6">Section 6</a> for more
discussion of security issues.
The crypto functions described in this document are an addition to,
and not a replacement for, the crypto functions defined in [<a href="./rfc3711" title=""The Secure Real-time Transport Protocol (SRTP)"">RFC3711</a>].
<span class="h3"><a class="selflink" id="section-1.1" href="#section-1.1">1.1</a>. Conventions Used in This Document</span>
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [<a href="./rfc2119" title=""Key words for use in RFCs to Indicate Requirement Levels"">RFC2119</a>].
<span class="h2"><a class="selflink" id="section-2" href="#section-2">2</a>. AES-192 and AES-256 Encryption</span>
<a href="./rfc3711#section-4.1.1">Section 4.1.1 of [RFC3711]</a> defines AES counter mode encryption, which
it refers to as AES_CM. This definition applies to all of the AES
key sizes. In this note, AES-192 counter mode and AES-256 counter
mode and are denoted as AES_192_CM and AES_256_CM, respectively. In
both of these ciphers, the plaintext inputs to the block cipher are
formed as in AES_CM, and the block cipher outputs are processed as in
AES_CM. The only difference in the processing is that AES_192_CM
uses AES-192, and AES_256_CM uses AES-256. Both AES_192_CM and
AES_256_CM use a 112-bit salt as an input, as does AES_CM.
For the convenience of the reader, the structure of the counter
blocks in SRTP counter mode encryption is illustrated in Figure 1,
using the terminology from <a href="./rfc3711#section-4.1.1">Section 4.1.1 of [RFC3711]</a>. In this
diagram, the symbol (+) denotes the bitwise exclusive-or operation,
and the AES encrypt operation uses AES-128, AES-192, or AES-256 for
AES_CM, AES_192_CM, and AES_256_CM, respectively. The field labeled
<span class="grey">McGrew Standards Track [Page 3]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-4" ></span>
<span class="grey"><a href="./rfc6188">RFC 6188</a> SRTP AES-192 and AES-256 March 2011</span>
b_c contains a block counter, the value of which increments once for
each invocation of the "AES Encrypt" function. The SSRC field is
part of the RTP header [<a href="./rfc3550" title=""RTP: A Transport Protocol for Real-Time Applications"">RFC3550</a>].
one octet
<-->
0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
|00|00|00|00| SSRC | packet index | b_c |---+
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ |
|
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ v
| salt (k_s) |00|00|->(+)
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ |
|
v
+-------------+
encryption key (k_e) -> | AES encrypt |
+-------------+
|
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ |
| keystream block |<--+
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
Figure 1: AES Counter Mode
<span class="h2"><a class="selflink" id="section-3" href="#section-3">3</a>. The AES_192_CM_PRF and AES_256_CM_PRF Key Derivation Functions</span>
<a href="./rfc3711#section-4.3.3">Section 4.3.3 of [RFC3711]</a> defines an AES counter mode key derivation
function, which it refers to as AES_CM PRF (and sometimes as AES-CM
PRF). (That specification uses the term PRF, or pseudo-random
function, interchangeably with the phrase "key derivation function".)
This key derivation function can be used with any AES key size. In
this note, the AES-192 counter mode PRF and AES-256 counter mode PRF
are denoted as AES_192_CM_PRF and AES_256_CM_PRF, respectively. In
both of these PRFs, the plaintext inputs to the block cipher are
formed as in the AES_CM PRF, and the block cipher outputs are
processed as in the AES_CM PRF. The only difference in the
processing is that AES_192_CM_PRF uses AES-192, and AES_256_CM_PRF
uses AES-256. Both AES_192_CM_PRF and AES_256_CM_PRF use a 112-bit
salt as an input, as does the AES_CM PRF.
For the convenience of the reader, the structure of the counter
blocks in SRTP counter mode key derivation is illustrated in
Figure 2, using the terminology from <a href="./rfc3711#section-4.3.3">Section 4.3.3 of [RFC3711]</a>. In
this diagram, the symbol (+) denotes the bitwise exclusive-or
operation, and the "AES Encrypt" operation uses AES-128, AES-192, or
AES-256 for the AES_CM PRF, AES_192_CM_PRF, and AES_256_CM_PRF,
<span class="grey">McGrew Standards Track [Page 4]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-5" ></span>
<span class="grey"><a href="./rfc6188">RFC 6188</a> SRTP AES-192 and AES-256 March 2011</span>
respectively. The field "LB" contains the 8-bit constant "label",
which is provided as an input to the key derivation function (and
which is distinct for each type of key generated by that function).
The field labeled b_c contains a block counter, the value of which
increments once for each invocation of the "AES Encrypt" function.
The DIV operation is defined in <a href="./rfc3711#section-4.3.1">Section 4.3.1 of [RFC3711]</a> as
follows. Let "a DIV t" denote integer division of a by t, rounded
down, and with the convention that "a DIV 0 = 0" for all a. We also
make the convention of treating "a DIV t" as a bit string of the same
length as a, and thus "a DIV t" will, in general, have leading zeros.
one octet
<-->
0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
|00|00|00|00|00|00|00|LB| index DIV kdr | b_c |---+
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ |
|
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ v
| master salt |00|00|->(+)
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ |
|
v
+-------------+
master key -> | AES encrypt |
+-------------+
|
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ |
| output block |<--+
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
Figure 2: The AES Counter Mode Key Derivation Function
<span class="h3"><a class="selflink" id="section-3.1" href="#section-3.1">3.1</a>. Usage Requirements</span>
When AES_192_CM is used for encryption, AES_192_CM_PRF SHOULD be used
as the key derivation function, and AES_128_CM_PRF MUST NOT be used
as the key derivation function.
When AES_256_CM is used for encryption, AES_256_CM_PRF SHOULD be used
as the key derivation function. Both AES_128_CM_PRF and
AES_192_CM_PRF MUST NOT be used as the key derivation function.
AES_256_CM_PRF MAY be used as the key derivation function when AES_CM
is used for encryption, and when AES_192_CM is used for encryption.
AES_192_CM_PRF MAY be used as the key derivation function when AES_CM
is used for encryption.
<span class="grey">McGrew Standards Track [Page 5]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-6" ></span>
<span class="grey"><a href="./rfc6188">RFC 6188</a> SRTP AES-192 and AES-256 March 2011</span>
Rationale: it is essential that the cryptographic strength of the
key derivation meets or exceeds that of the encryption method. It
is natural to use the same function for both encryption and key
derivation. However, it is not required to do so because it is
desirable to allow these ciphers to be used with alternative key
derivation functions that may be defined in the future.
<span class="h2"><a class="selflink" id="section-4" href="#section-4">4</a>. Crypto Suites</span>
This section defines SRTP crypto suites that use the ciphers and key
derivation functions defined in this document. The parameters in
these crypto suites are described in <a href="./rfc3711#section-8.2">Section 8.2 of [RFC3711]</a>. These
suites are registered with IANA for use with the SDP Security
Descriptions attributes (<a href="./rfc4568#section-10.3.2.1">Section 10.3.2.1 of [RFC4568]</a>). Other SRTP
key management methods that use the crypto functions defined in this
document are encouraged to also use these crypto suite definitions.
Rationale: the crypto suites use the same authentication function
that is mandatory to implement in SRTP, HMAC-SHA1 with a 160-bit
key. HMAC-SHA1 would accept larger key sizes, but when it is used
with keys larger than 160 bits, it does not provide resistance to
cryptanalysis greater than that security level, because it has
only 160 bits of internal state. By retaining 160-bit
authentication keys, the crypto suites in this note have more
compatibility with existing crypto suites and implementations of
them.
<span class="grey">McGrew Standards Track [Page 6]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-7" ></span>
<span class="grey"><a href="./rfc6188">RFC 6188</a> SRTP AES-192 and AES-256 March 2011</span>
+------------------------------+------------------------------------+
| Parameter | Value |
+------------------------------+------------------------------------+
| Master key length | 192 bits |
| Master salt length | 112 bits |
| Key Derivation Function | AES_192_CM_PRF (<a href="#section-3">Section 3</a>) |
| Default key lifetime | 2^31 packets |
| Cipher (for SRTP and SRTCP) | AES_192_CM (<a href="#section-2">Section 2</a>) |
| SRTP authentication function | HMAC-SHA1 (<a href="#section-4.2.1">Section 4.2.1</a> of |
| | [<a href="./rfc3711" title=""The Secure Real-time Transport Protocol (SRTP)"">RFC3711</a>]) |
| SRTP authentication key | 160 bits |
| length | |
| SRTP authentication tag | 80 bits |
| length | |
| SRTCP authentication | HMAC-SHA1 (<a href="#section-4.2.1">Section 4.2.1</a> of |
| function | [<a href="./rfc3711" title=""The Secure Real-time Transport Protocol (SRTP)"">RFC3711</a>]) |
| SRTCP authentication key | 160 bits |
| length | |
| SRTCP authentication tag | 80 bits |
| length | |
+------------------------------+------------------------------------+
Table 1: The AES_192_CM_HMAC_SHA1_80 Crypto Suite
+------------------------------+------------------------------------+
| Parameter | Value |
+------------------------------+------------------------------------+
| Master key length | 192 bits |
| Master salt length | 112 bits |
| Key Derivation Function | AES_192_CM_PRF (<a href="#section-3">Section 3</a>) |
| Default key lifetime | 2^31 packets |
| Cipher (for SRTP and SRTCP) | AES_192_CM (<a href="#section-2">Section 2</a>) |
| SRTP authentication function | HMAC-SHA1 (<a href="#section-4.2.1">Section 4.2.1</a> of |
| | [<a href="./rfc3711" title=""The Secure Real-time Transport Protocol (SRTP)"">RFC3711</a>]) |
| SRTP authentication key | 160 bits |
| length | |
| SRTP authentication tag | 32 bits |
| length | |
| SRTCP authentication | HMAC-SHA1 (<a href="#section-4.2.1">Section 4.2.1</a> of |
| function | [<a href="./rfc3711" title=""The Secure Real-time Transport Protocol (SRTP)"">RFC3711</a>]) |
| SRTCP authentication key | 160 bits |
| length | |
| SRTCP authentication tag | 80 bits |
| length | |
+------------------------------+------------------------------------+
Table 2: The AES_192_CM_HMAC_SHA1_32 Crypto Suite
<span class="grey">McGrew Standards Track [Page 7]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-8" ></span>
<span class="grey"><a href="./rfc6188">RFC 6188</a> SRTP AES-192 and AES-256 March 2011</span>
+------------------------------+------------------------------------+
| Parameter | Value |
+------------------------------+------------------------------------+
| Master key length | 256 bits |
| Master salt length | 112 bits |
| Key Derivation Function | AES_256_CM_PRF (<a href="#section-3">Section 3</a>) |
| Default key lifetime | 2^31 packets |
| Cipher (for SRTP and SRTCP) | AES_256_CM (<a href="#section-2">Section 2</a>) |
| SRTP authentication function | HMAC-SHA1 (<a href="#section-4.2.1">Section 4.2.1</a> of |
| | [<a href="./rfc3711" title=""The Secure Real-time Transport Protocol (SRTP)"">RFC3711</a>]) |
| SRTP authentication key | 160 bits |
| length | |
| SRTP authentication tag | 80 bits |
| length | |
| SRTCP authentication | HMAC-SHA1 (<a href="#section-4.2.1">Section 4.2.1</a> of |
| function | [<a href="./rfc3711" title=""The Secure Real-time Transport Protocol (SRTP)"">RFC3711</a>]) |
| SRTCP authentication key | 160 bits |
| length | |
| SRTCP authentication tag | 80 bits |
| length | |
+------------------------------+------------------------------------+
Table 3: The AES_256_CM_HMAC_SHA1_80 Crypto Suite
+------------------------------+------------------------------------+
| Parameter | Value |
+------------------------------+------------------------------------+
| Master key length | 256 bits |
| Master salt length | 112 bits |
| Key Derivation Function | AES_256_CM_PRF (<a href="#section-3">Section 3</a>) |
| Default key lifetime | 2^31 packets |
| Cipher (for SRTP and SRTCP) | AES_256_CM (<a href="#section-2">Section 2</a>) |
| SRTP authentication function | HMAC-SHA1 (<a href="#section-4.2.1">Section 4.2.1</a> of |
| | [<a href="./rfc3711" title=""The Secure Real-time Transport Protocol (SRTP)"">RFC3711</a>]) |
| SRTP authentication key | 160 bits |
| length | |
| SRTP authentication tag | 32 bits |
| length | |
| SRTCP authentication | HMAC-SHA1 (<a href="#section-4.2.1">Section 4.2.1</a> of |
| function | [<a href="./rfc3711" title=""The Secure Real-time Transport Protocol (SRTP)"">RFC3711</a>]) |
| SRTCP authentication key | 160 bits |
| length | |
| SRTCP authentication tag | 80 bits |
| length | |
+------------------------------+------------------------------------+
Table 4: The AES_256_CM_HMAC_SHA1_32 Crypto Suite
<span class="grey">McGrew Standards Track [Page 8]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-9" ></span>
<span class="grey"><a href="./rfc6188">RFC 6188</a> SRTP AES-192 and AES-256 March 2011</span>
<span class="h2"><a class="selflink" id="section-5" href="#section-5">5</a>. IANA Considerations</span>
IANA has assigned the following parameters in the Session Description
Protocol (SDP) Security Descriptions registry.
+-------------------------+-----------+
| Crypto Suite Name | Reference |
+-------------------------+-----------+
| AES_192_CM_HMAC_SHA1_80 | [<a href="./rfc6188">RFC6188</a>] |
| AES_192_CM_HMAC_SHA1_32 | [<a href="./rfc6188">RFC6188</a>] |
| AES_256_CM_HMAC_SHA1_80 | [<a href="./rfc6188">RFC6188</a>] |
| AES_256_CM_HMAC_SHA1_32 | [<a href="./rfc6188">RFC6188</a>] |
+-------------------------+-----------+
<span class="h2"><a class="selflink" id="section-6" href="#section-6">6</a>. Security Considerations</span>
AES-128 provides a level of security that is widely regarded as being
more than sufficient for providing confidentiality. It is believed
that the economic cost of breaking AES-128 is significantly higher
than the cost of more direct approaches to violating system security,
e.g., theft, bribery, wiretapping, and other forms of malfeasance.
Future advances in state-of-the art cryptanalysis could eliminate
this confidence in AES-128, and motivate the use of AES-192 or AES-
256. AES-192 is regarded as being secure even against some
adversaries for which breaking AES-128 may be feasible. Similarly,
AES-256 is regarded as being secure even against some adversaries for
which it may be feasible to break AES-192. The availability of the
larger key size versions of AES provides a fallback plan in case of
unanticipated cryptanalytic results.
It is conjectured that AES-256 provides adequate security even
against adversaries that possess the ability to construct a quantum
computer that works on 256 or more quantum bits. No such computer is
known to exist; its feasibility is an area of active speculation and
research.
Despite the apparent sufficiency of AES-128, some users are
interested in the larger AES key sizes. For some applications, the
40% increase in computational cost for AES-256 over AES-128 is a
worthwhile bargain when traded for the security advantages outlined
above. These applications include those with a perceived need for
very high security, e.g., due to a desire for very long-term
confidentiality.
AES-256 (as it is used in this note) provides the highest level of
security, and it SHOULD be used whenever the highest possible
security is desired. AES-192 provides a middle ground between the
<span class="grey">McGrew Standards Track [Page 9]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-10" ></span>
<span class="grey"><a href="./rfc6188">RFC 6188</a> SRTP AES-192 and AES-256 March 2011</span>
128-bit and 256-bit versions of AES, and it MAY be used when security
higher than that of AES-128 is desired. In this note, AES-192 and
AES-256 are used with keys that are generated via a strong pseudo-
random source, and thus the related-key attacks that have been
described in the theoretical literature are not applicable.
As with any cipher, the conjectured security level of AES may change
over time. The considerations in this section reflect the best
knowledge available at the time of publication of this document.
It is desirable that AES_192_CM and AES_192_CM_PRF be used with an
authentication function that uses a 192-bit key, and that AES_256_CM
and AES_256_CM_PRF be used with an authentication function that uses
a 256-bit key. However, this desire is not regarded as security
critical. Cryptographic authentication is resilient against future
advances in cryptanalysis, since the opportunity for a forgery attack
against a session closes when that session closes. For this reason,
this note defines new ciphers, but not new authentication functions.
<span class="h2"><a class="selflink" id="section-7" href="#section-7">7</a>. Test Cases</span>
The test cases in this section are based on <a href="./rfc3711#appendix-B">Appendix B of [RFC3711]</a>.
<span class="h3"><a class="selflink" id="section-7.1" href="#section-7.1">7.1</a>. AES-256-CM Test Cases</span>
Keystream segment length: 1044512 octets (65282 AES blocks)
Session Key: 57f82fe3613fd170a85ec93c40b1f092
2ec4cb0dc025b58272147cc438944a98
Rollover Counter: 00000000
Sequence Number: 0000
SSRC: 00000000
Session Salt: f0f1f2f3f4f5f6f7f8f9fafbfcfd0000 (already shifted)
Offset: f0f1f2f3f4f5f6f7f8f9fafbfcfd0000
Counter Keystream
f0f1f2f3f4f5f6f7f8f9fafbfcfd0000 92bdd28a93c3f52511c677d08b5515a4
f0f1f2f3f4f5f6f7f8f9fafbfcfd0001 9da71b2378a854f67050756ded165bac
f0f1f2f3f4f5f6f7f8f9fafbfcfd0002 63c4868b7096d88421b563b8c94c9a31
... ...
f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff cea518c90fd91ced9cbb18c078a54711
f0f1f2f3f4f5f6f7f8f9fafbfcfdff00 3dbc4814f4da5f00a08772b63c6a046d
f0f1f2f3f4f5f6f7f8f9fafbfcfdff01 6eb246913062a16891433e97dd01a57f
<span class="grey">McGrew Standards Track [Page 10]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-11" ></span>
<span class="grey"><a href="./rfc6188">RFC 6188</a> SRTP AES-192 and AES-256 March 2011</span>
<span class="h3"><a class="selflink" id="section-7.2" href="#section-7.2">7.2</a>. AES_256_CM_PRF Test Cases</span>
This section provides test data for the AES_256_CM_PRF key derivation
function, which uses AES-256 in counter mode. In the following, we
walk through the initial key derivation for the AES-256 counter mode
cipher, which requires a 32-octet session encryption key and a 14-
octet session salt, and the HMAC-SHA1 authentication function, which
requires a 20-octet session authentication key. These values are
called the cipher key, the cipher salt, and the auth key in the
following. Since this is the initial key derivation and the key
derivation rate is equal to zero, the value of (index DIV
key_derivation_rate) is zero (actually, a six-octet string of zeros).
In the following, we shorten key_derivation_rate to kdr.
The inputs to the key derivation function are the 32-octet master key
and the 14-octet master salt:
master key: f0f04914b513f2763a1b1fa130f10e29
98f6f6e43e4309d1e622a0e332b9f1b6
master salt: 3b04803de51ee7c96423ab5b78d2
We first show how the cipher key is generated. The input block for
AES-256-CM is generated by exclusive-oring the master salt with the
concatenation of the encryption key label 0x00 with (index DIV kdr),
then padding on the right with two null octets (which implements the
multiply-by-2^16 operation, see <a href="./rfc3711#section-4.3.3">Section 4.3.3 of RFC 3711</a>). The
resulting value is then AES-256-CM-encrypted using the master key to
get the cipher key.
index DIV kdr: 000000000000
label: 00
master salt: 3b04803de51ee7c96423ab5b78d2
-----------------------------------------------
xor: 3b04803de51ee7c96423ab5b78d2 (x, PRF input)
x*2^16: 3b04803de51ee7c96423ab5b78d20000 (AES-256-CM input)
x*2^16 + 1: 3b04803de51ee7c96423ab5b78d20001 (2nd AES input)
cipher key: 5ba1064e30ec51613cad926c5a28ef73 (1st AES output)
1ec7fb397f70a960653caf06554cd8c4 (2nd AES output)
Next, we show how the cipher salt is generated. The input block for
AES-256-CM is generated by exclusive-oring the master salt with the
concatenation of the encryption salt label. That value is padded and
encrypted as above.
<span class="grey">McGrew Standards Track [Page 11]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-12" ></span>
<span class="grey"><a href="./rfc6188">RFC 6188</a> SRTP AES-192 and AES-256 March 2011</span>
index DIV kdr: 000000000000
label: 02
master salt: 3b04803de51ee7c96423ab5b78d2
----------------------------------------------
xor: 3b04803de51ee7cb6423ab5b78d2 (x, PRF input)
x*2^16: 3b04803de51ee7cb6423ab5b78d20000 (AES-256-CM input)
fa31791685ca444a9e07c6c64e93ae6b (AES-256 ouptut)
cipher salt: fa31791685ca444a9e07c6c64e93
We now show how the auth key is generated. The input block for AES-
256-CM is generated as above, but using the authentication key label.
index DIV kdr: 000000000000
label: 01
master salt: 3b04803de51ee7c96423ab5b78d2
-----------------------------------------------
xor: 3b04803de51ee7c86423ab5b78d2 (x, PRF input)
x*2^16: 3b04803de51ee7c86423ab5b78d20000 (AES-256-CM in)
Below, the AES-256 output blocks that form the auth key are shown
on the left, while the corresponding AES-256 input blocks are shown
on the right. Note that the final AES-256 output is truncated to a
4-byte length. The final auth key is shown below.
auth key blocks AES-256 input blocks
fd9c32d39ed5fbb5a9dc96b30818454d 3b04803de51ee7c86423ab5b78d20000
1313dc05 3b04803de51ee7c86423ab5b78d20001
auth key: fd9c32d39ed5fbb5a9dc96b30818454d1313dc05
<span class="grey">McGrew Standards Track [Page 12]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-13" ></span>
<span class="grey"><a href="./rfc6188">RFC 6188</a> SRTP AES-192 and AES-256 March 2011</span>
<span class="h3"><a class="selflink" id="section-7.3" href="#section-7.3">7.3</a>. AES-192-CM Test Cases</span>
Keystream segment length: 1044512 octets (65282 AES blocks)
Session Key: eab234764e517b2d3d160d587d8c8621
9740f65f99b6bcf7
Rollover Counter: 00000000
Sequence Number: 0000
SSRC: 00000000
Session Salt: f0f1f2f3f4f5f6f7f8f9fafbfcfd0000 (already shifted)
Offset: f0f1f2f3f4f5f6f7f8f9fafbfcfd0000
Counter Keystream
f0f1f2f3f4f5f6f7f8f9fafbfcfd0000 35096cba4610028dc1b57503804ce37c
f0f1f2f3f4f5f6f7f8f9fafbfcfd0001 5de986291dcce161d5165ec4568f5c9a
f0f1f2f3f4f5f6f7f8f9fafbfcfd0002 474a40c77894bc17180202272a4c264d
... ...
f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff d108d1a31a00bad6367ec23eb044b415
f0f1f2f3f4f5f6f7f8f9fafbfcfdff00 c8f57129fdeb970b59f917b257662d4c
f0f1f2f3f4f5f6f7f8f9fafbfcfdff01 a5dab625811034e8cebdfeb6dc158dd3
<span class="h3"><a class="selflink" id="section-7.4" href="#section-7.4">7.4</a>. AES_192_CM_PRF Test Cases</span>
This section provides test data for the AES_192_CM_PRF key derivation
function, which uses AES-192 in counter mode. In the following, we
walk through the initial key derivation for the AES-192 counter mode
cipher, which requires a 24-octet session encryption key and a 14-
octet session salt, and the HMAC-SHA1 authentication function, which
requires a 20-octet session authentication key. These values are
called the cipher key, the cipher salt, and the auth key in the
following. Since this is the initial key derivation and the key
derivation rate is equal to zero, the value of (index DIV
key_derivation_rate) is zero (actually, a six-octet string of zeros).
In the following, we shorten key_derivation_rate to kdr.
The inputs to the key derivation function are the 24-octet master key
and the 14-octet master salt:
master key: 73edc66c4fa15776fb57f9505c171365
50ffda71f3e8e5f1
master salt: c8522f3acd4ce86d5add78edbb11
We first show how the cipher key is generated. The input block for
AES-192-CM is generated by exclusive-oring the master salt with the
concatenation of the encryption key label 0x00 with (index DIV kdr),
then padding on the right with two null octets (which implements the
<span class="grey">McGrew Standards Track [Page 13]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-14" ></span>
<span class="grey"><a href="./rfc6188">RFC 6188</a> SRTP AES-192 and AES-256 March 2011</span>
multiply-by-2^16 operation, see <a href="./rfc3711#section-4.3.3">Section 4.3.3 of RFC 3711</a>). The
resulting value is then AES-192-CM encrypted using the master key to
get the cipher key.
index DIV kdr: 000000000000
label: 00
master salt: c8522f3acd4ce86d5add78edbb11
-----------------------------------------------
xor: c8522f3acd4ce86d5add78edbb11 (x, PRF input)
x*2^16: c8522f3acd4ce86d5add78edbb110000 (AES-192-CM input)
x*2^16 + 1: c8522f3acd4ce86d5add78edbb110001 (2nd AES input)
cipher key: 31874736a8f1143870c26e4857d8a5b2 (1st AES output)
c4a354407faadabb (2nd AES output)
Next, we show how the cipher salt is generated. The input block for
AES-192-CM is generated by exclusive-oring the master salt with the
concatenation of the encryption salt label. That value is padded and
encrypted as above.
index DIV kdr: 000000000000
label: 02
master salt: c8522f3acd4ce86d5add78edbb11
----------------------------------------------
xor: c8522f3acd4ce86f5add78edbb11 (x, PRF input)
x*2^16: c8522f3acd4ce86f5add78edbb110000 (AES-192-CM input)
2372b82d639b6d8503a47adc0a6c2590 (AES-192 ouptut)
cipher salt: 2372b82d639b6d8503a47adc0a6c
We now show how the auth key is generated. The input block for AES-
192-CM is generated as above, but using the authentication key label.
index DIV kdr: 000000000000
label: 01
master salt: c8522f3acd4ce86d5add78edbb11
-----------------------------------------------
xor: c8522f3acd4ce86c5add78edbb11 (x, PRF input)
x*2^16: c8522f3acd4ce86c5add78edbb110000 (AES-192-CM in)
<span class="grey">McGrew Standards Track [Page 14]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-15" ></span>
<span class="grey"><a href="./rfc6188">RFC 6188</a> SRTP AES-192 and AES-256 March 2011</span>
Below, the AES-192 output blocks that form the auth key are shown
on the left, while the corresponding AES-192 input blocks are shown
on the right. Note that the final AES-192 output is truncated to a
four-byte length. The final auth key is shown below.
auth key blocks AES-192 input blocks
355b10973cd95b9eacf4061c7e1a7151 c8522f3acd4ce86c5add78edbb110000
e7cfbfcb c8522f3acd4ce86c5add78edbb110001
auth key: 355b10973cd95b9eacf4061c7e1a7151e7cfbfcb
<span class="h2"><a class="selflink" id="section-8" href="#section-8">8</a>. Acknowledgements</span>
Thanks are due to John Mattsson for verifying the test cases in the
document and providing comments, to Bob Bell for feedback and
encouragement, and to Richard Barnes and Hilarie Orman for
constructive review.
<span class="h2"><a class="selflink" id="section-9" href="#section-9">9</a>. References</span>
<span class="h3"><a class="selflink" id="section-9.1" href="#section-9.1">9.1</a>. Normative References</span>
[<a id="ref-FIPS197">FIPS197</a>] "The Advanced Encryption Standard (AES)", FIPS-197 Federal
Information Processing Standard.
[<a id="ref-RFC2119">RFC2119</a>] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", <a href="https://www.rfc-editor.org/bcp/bcp14">BCP 14</a>, <a href="./rfc2119">RFC 2119</a>, March 1997.
[<a id="ref-RFC3550">RFC3550</a>] Schulzrinne, H., Casner, S., Frederick, R., and V.
Jacobson, "RTP: A Transport Protocol for Real-Time
Applications", STD 64, <a href="./rfc3550">RFC 3550</a>, July 2003.
[<a id="ref-RFC3711">RFC3711</a>] Baugher, M., McGrew, D., Naslund, M., Carrara, E., and K.
Norrman, "The Secure Real-time Transport Protocol (SRTP)",
<a href="./rfc3711">RFC 3711</a>, March 2004.
[<a id="ref-RFC4568">RFC4568</a>] Andreasen, F., Baugher, M., and D. Wing, "Session
Description Protocol (SDP) Security Descriptions for Media
Streams", <a href="./rfc4568">RFC 4568</a>, July 2006.
<span class="h3"><a class="selflink" id="section-9.2" href="#section-9.2">9.2</a>. Informative References</span>
[<a id="ref-suiteB">suiteB</a>] "Suite B Cryptography", <a href="http://www.nsa.gov/ia/programs/suiteb_cryptography/index.shtml">http://www.nsa.gov/ia/programs/</a>
<a href="http://www.nsa.gov/ia/programs/suiteb_cryptography/index.shtml">suiteb_cryptography/index.shtml</a>.
<span class="grey">McGrew Standards Track [Page 15]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-16" ></span>
<span class="grey"><a href="./rfc6188">RFC 6188</a> SRTP AES-192 and AES-256 March 2011</span>
Author's Address
David A. McGrew
Cisco Systems, Inc.
510 McCarthy Blvd.
Milpitas, CA 95035
US
Phone: (408) 525 8651
EMail: mcgrew@cisco.com
URI: <a href="http://www.mindspring.com/~dmcgrew/dam.htm">http://www.mindspring.com/~dmcgrew/dam.htm</a>
McGrew Standards Track [Page 16]
</pre>
|
