Network Working Group M. Baugher
Request for Comments: 3711 D. McGrew
Category: Standards Track Cisco Systems, Inc.
M. Naslund
E. Carrara
K. Norrman
Ericsson Research
March 2004
Network Working Group M. Baugher
Request for Comments: 3711 D. McGrew
Category: Standards Track Cisco Systems, Inc.
M. Naslund
E. Carrara
K. Norrman
Ericsson Research
March 2004
The Secure Real-time Transport Protocol (SRTP)
安全实时传输协议(SRTP)
Status of this Memo
本备忘录的状况
This document specifies an Internet standards track protocol for the Internet community, and requests discussion and suggestions for improvements. Please refer to the current edition of the "Internet Official Protocol Standards" (STD 1) for the standardization state and status of this protocol. Distribution of this memo is unlimited.
本文件规定了互联网社区的互联网标准跟踪协议,并要求进行讨论和提出改进建议。有关本协议的标准化状态和状态,请参考当前版本的“互联网官方协议标准”(STD 1)。本备忘录的分发不受限制。
Copyright Notice
版权公告
Copyright (C) The Internet Society (2004). All Rights Reserved.
版权所有(C)互联网协会(2004年)。版权所有。
Abstract
摘要
This document describes the Secure Real-time Transport Protocol (SRTP), a profile of the Real-time Transport Protocol (RTP), which can provide confidentiality, message authentication, and replay protection to the RTP traffic and to the control traffic for RTP, the Real-time Transport Control Protocol (RTCP).
本文档描述了安全实时传输协议(SRTP),实时传输协议(RTP)的一个概要文件,它可以为RTP流量和RTP的控制流量(实时传输控制协议(RTCP))提供机密性、消息认证和重播保护。
Table of Contents
目录
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
1.1. Notational Conventions . . . . . . . . . . . . . . . . . 3
2. Goals and Features . . . . . . . . . . . . . . . . . . . . . . 4
2.1. Features . . . . . . . . . . . . . . . . . . . . . . . . 5
3. SRTP Framework . . . . . . . . . . . . . . . . . . . . . . . . 5
3.1. Secure RTP . . . . . . . . . . . . . . . . . . . . . . . 6
3.2. SRTP Cryptographic Contexts. . . . . . . . . . . . . . . 7
3.2.1. Transform-independent parameters . . . . . . . . 8
3.2.2. Transform-dependent parameters . . . . . . . . . 10
3.2.3. Mapping SRTP Packets to Cryptographic Contexts . 10
3.3. SRTP Packet Processing . . . . . . . . . . . . . . . . . 11
3.3.1. Packet Index Determination, and ROC, s_l Update. 13
3.3.2. Replay Protection. . . . . . . . . . . . . . . . 15
3.4. Secure RTCP . . . . . . . . . . . . . . . . . . . . . . . 15
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
1.1. Notational Conventions . . . . . . . . . . . . . . . . . 3
2. Goals and Features . . . . . . . . . . . . . . . . . . . . . . 4
2.1. Features . . . . . . . . . . . . . . . . . . . . . . . . 5
3. SRTP Framework . . . . . . . . . . . . . . . . . . . . . . . . 5
3.1. Secure RTP . . . . . . . . . . . . . . . . . . . . . . . 6
3.2. SRTP Cryptographic Contexts. . . . . . . . . . . . . . . 7
3.2.1. Transform-independent parameters . . . . . . . . 8
3.2.2. Transform-dependent parameters . . . . . . . . . 10
3.2.3. Mapping SRTP Packets to Cryptographic Contexts . 10
3.3. SRTP Packet Processing . . . . . . . . . . . . . . . . . 11
3.3.1. Packet Index Determination, and ROC, s_l Update. 13
3.3.2. Replay Protection. . . . . . . . . . . . . . . . 15
3.4. Secure RTCP . . . . . . . . . . . . . . . . . . . . . . . 15
4. Pre-Defined Cryptographic Transforms . . . . . . . . . . . . . 19
4.1. Encryption . . . . . . . . . . . . . . . . . . . . . . . 19
4.1.1. AES in Counter Mode. . . . . . . . . . . . . . . 21
4.1.2. AES in f8-mode . . . . . . . . . . . . . . . . . 22
4.1.3. NULL Cipher. . . . . . . . . . . . . . . . . . . 25
4.2. Message Authentication and Integrity . . . . . . . . . . 25
4.2.1. HMAC-SHA1. . . . . . . . . . . . . . . . . . . . 25
4.3. Key Derivation . . . . . . . . . . . . . . . . . . . . . 26
4.3.1. Key Derivation Algorithm . . . . . . . . . . . . 26
4.3.2. SRTCP Key Derivation . . . . . . . . . . . . . . 28
4.3.3. AES-CM PRF . . . . . . . . . . . . . . . . . . . 28
5. Default and mandatory-to-implement Transforms. . . . . . . . . 28
5.1. Encryption: AES-CM and NULL. . . . . . . . . . . . . . . 29
5.2. Message Authentication/Integrity: HMAC-SHA1. . . . . . . 29
5.3. Key Derivation: AES-CM PRF . . . . . . . . . . . . . . . 29
6. Adding SRTP Transforms . . . . . . . . . . . . . . . . . . . . 29
7. Rationale. . . . . . . . . . . . . . . . . . . . . . . . . . . 30
7.1. Key derivation . . . . . . . . . . . . . . . . . . . . . 30
7.2. Salting key. . . . . . . . . . . . . . . . . . . . . . . 30
7.3. Message Integrity from Universal Hashing . . . . . . . . 31
7.4. Data Origin Authentication Considerations. . . . . . . . 31
7.5. Short and Zero-length Message Authentication . . . . . . 32
8. Key Management Considerations. . . . . . . . . . . . . . . . . 33
8.1. Re-keying . . . . . . . . . . . . . . . . . . . . . . . 34
8.1.1. Use of the <From, To> for re-keying. . . . . . . 34
8.2. Key Management parameters. . . . . . . . . . . . . . . . 35
9. Security Considerations. . . . . . . . . . . . . . . . . . . . 37
9.1. SSRC collision and two-time pad. . . . . . . . . . . . . 37
9.2. Key Usage. . . . . . . . . . . . . . . . . . . . . . . . 38
9.3. Confidentiality of the RTP Payload . . . . . . . . . . . 39
9.4. Confidentiality of the RTP Header. . . . . . . . . . . . 40
9.5. Integrity of the RTP payload and header. . . . . . . . . 40
9.5.1. Risks of Weak or Null Message Authentication. . . 42
9.5.2. Implicit Header Authentication . . . . . . . . . 43
10. Interaction with Forward Error Correction mechanisms. . . . . 43
11. Scenarios . . . . . . . . . . . . . . . . . . . . . . . . . . 43
11.1. Unicast. . . . . . . . . . . . . . . . . . . . . . . . . 43
11.2. Multicast (one sender) . . . . . . . . . . . . . . . . . 44
11.3. Re-keying and access control . . . . . . . . . . . . . . 45
11.4. Summary of basic scenarios . . . . . . . . . . . . . . . 46
12. IANA Considerations. . . . . . . . . . . . . . . . . . . . . . 46
13. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 47
14. References . . . . . . . . . . . . . . . . . . . . . . . . . . 47
14.1. Normative References . . . . . . . . . . . . . . . . . . 47
14.2. Informative References . . . . . . . . . . . . . . . . . 48
Appendix A: Pseudocode for Index Determination . . . . . . . . . . 51
Appendix B: Test Vectors . . . . . . . . . . . . . . . . . . . . . 51
B.1. AES-f8 Test Vectors. . . . . . . . . . . . . . . . . . . 51
4. Pre-Defined Cryptographic Transforms . . . . . . . . . . . . . 19
4.1. Encryption . . . . . . . . . . . . . . . . . . . . . . . 19
4.1.1. AES in Counter Mode. . . . . . . . . . . . . . . 21
4.1.2. AES in f8-mode . . . . . . . . . . . . . . . . . 22
4.1.3. NULL Cipher. . . . . . . . . . . . . . . . . . . 25
4.2. Message Authentication and Integrity . . . . . . . . . . 25
4.2.1. HMAC-SHA1. . . . . . . . . . . . . . . . . . . . 25
4.3. Key Derivation . . . . . . . . . . . . . . . . . . . . . 26
4.3.1. Key Derivation Algorithm . . . . . . . . . . . . 26
4.3.2. SRTCP Key Derivation . . . . . . . . . . . . . . 28
4.3.3. AES-CM PRF . . . . . . . . . . . . . . . . . . . 28
5. Default and mandatory-to-implement Transforms. . . . . . . . . 28
5.1. Encryption: AES-CM and NULL. . . . . . . . . . . . . . . 29
5.2. Message Authentication/Integrity: HMAC-SHA1. . . . . . . 29
5.3. Key Derivation: AES-CM PRF . . . . . . . . . . . . . . . 29
6. Adding SRTP Transforms . . . . . . . . . . . . . . . . . . . . 29
7. Rationale. . . . . . . . . . . . . . . . . . . . . . . . . . . 30
7.1. Key derivation . . . . . . . . . . . . . . . . . . . . . 30
7.2. Salting key. . . . . . . . . . . . . . . . . . . . . . . 30
7.3. Message Integrity from Universal Hashing . . . . . . . . 31
7.4. Data Origin Authentication Considerations. . . . . . . . 31
7.5. Short and Zero-length Message Authentication . . . . . . 32
8. Key Management Considerations. . . . . . . . . . . . . . . . . 33
8.1. Re-keying . . . . . . . . . . . . . . . . . . . . . . . 34
8.1.1. Use of the <From, To> for re-keying. . . . . . . 34
8.2. Key Management parameters. . . . . . . . . . . . . . . . 35
9. Security Considerations. . . . . . . . . . . . . . . . . . . . 37
9.1. SSRC collision and two-time pad. . . . . . . . . . . . . 37
9.2. Key Usage. . . . . . . . . . . . . . . . . . . . . . . . 38
9.3. Confidentiality of the RTP Payload . . . . . . . . . . . 39
9.4. Confidentiality of the RTP Header. . . . . . . . . . . . 40
9.5. Integrity of the RTP payload and header. . . . . . . . . 40
9.5.1. Risks of Weak or Null Message Authentication. . . 42
9.5.2. Implicit Header Authentication . . . . . . . . . 43
10. Interaction with Forward Error Correction mechanisms. . . . . 43
11. Scenarios . . . . . . . . . . . . . . . . . . . . . . . . . . 43
11.1. Unicast. . . . . . . . . . . . . . . . . . . . . . . . . 43
11.2. Multicast (one sender) . . . . . . . . . . . . . . . . . 44
11.3. Re-keying and access control . . . . . . . . . . . . . . 45
11.4. Summary of basic scenarios . . . . . . . . . . . . . . . 46
12. IANA Considerations. . . . . . . . . . . . . . . . . . . . . . 46
13. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 47
14. References . . . . . . . . . . . . . . . . . . . . . . . . . . 47
14.1. Normative References . . . . . . . . . . . . . . . . . . 47
14.2. Informative References . . . . . . . . . . . . . . . . . 48
Appendix A: Pseudocode for Index Determination . . . . . . . . . . 51
Appendix B: Test Vectors . . . . . . . . . . . . . . . . . . . . . 51
B.1. AES-f8 Test Vectors. . . . . . . . . . . . . . . . . . . 51
B.2. AES-CM Test Vectors. . . . . . . . . . . . . . . . . . . 52
B.3. Key Derivation Test Vectors. . . . . . . . . . . . . . . 53
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 55
Full Copyright Statement . . . . . . . . . . . . . . . . . . . . . 56
B.2. AES-CM Test Vectors. . . . . . . . . . . . . . . . . . . 52
B.3. Key Derivation Test Vectors. . . . . . . . . . . . . . . 53
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 55
Full Copyright Statement . . . . . . . . . . . . . . . . . . . . . 56
This document describes the Secure Real-time Transport Protocol (SRTP), a profile of the Real-time Transport Protocol (RTP), which can provide confidentiality, message authentication, and replay protection to the RTP traffic and to the control traffic for RTP, RTCP (the Real-time Transport Control Protocol) [RFC3350].
本文档描述了安全实时传输协议(SRTP),实时传输协议(RTP)的一个概要文件,它可以为RTP、RTCP(实时传输控制协议)[RFC3350]的RTP通信量和控制通信量提供机密性、消息认证和重播保护。
SRTP provides a framework for encryption and message authentication of RTP and RTCP streams (Section 3). SRTP defines a set of default cryptographic transforms (Sections 4 and 5), and it allows new transforms to be introduced in the future (Section 6). With appropriate key management (Sections 7 and 8), SRTP is secure (Sections 9) for unicast and multicast RTP applications (Section 11).
SRTP为RTP和RTCP流的加密和消息认证提供了一个框架(第3节)。SRTP定义了一组默认的加密转换(第4节和第5节),并允许将来引入新的转换(第6节)。通过适当的密钥管理(第7节和第8节),SRTP对于单播和多播RTP应用(第11节)是安全的(第9节)。
SRTP can achieve high throughput and low packet expansion. SRTP proves to be a suitable protection for heterogeneous environments (mix of wired and wireless networks). To get such features, default transforms are described, based on an additive stream cipher for encryption, a keyed-hash based function for message authentication, and an "implicit" index for sequencing/synchronization based on the RTP sequence number for SRTP and an index number for Secure RTCP (SRTCP).
SRTP可以实现高吞吐量和低数据包扩展。SRTP被证明是一种适用于异构环境(有线和无线网络的混合)的保护。为了获得这些特性,描述了基于用于加密的加法流密码、用于消息认证的基于密钥的散列函数以及用于排序/同步的“隐式”索引(基于SRTP的RTP序列号和安全RTCP(SRTCP)的索引号)的默认转换。
The keywords "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119]. The terminology conforms to [RFC2828] with the following exception. For simplicity we use the term "random" throughout the document to denote randomly or pseudo-randomly generated values. Large amounts of random bits may be difficult to obtain, and for the security of SRTP, pseudo-randomness is sufficient [RFC1750].
本文件中的关键词“必须”、“不得”、“必需”、“应”、“不得”、“应”、“不应”、“建议”、“可”和“可选”应按照[RFC2119]中所述进行解释。术语符合[RFC2828],但以下情况除外。为了简单起见,我们在整个文档中使用术语“随机”来表示随机或伪随机生成的值。大量的随机位可能难以获得,为了SRTP的安全性,伪随机性就足够了[RFC1750]。
By convention, the adopted representation is the network byte order, i.e., the left most bit (octet) is the most significant one. By XOR we mean bitwise addition modulo 2 of binary strings, and || denotes concatenation. In other words, if C = A || B, then the most significant bits of C are the bits of A, and the least significant bits of C equal the bits of B. Hexadecimal numbers are prefixed by 0x.
按照惯例,采用的表示是网络字节顺序,即最左边的位(八位字节)是最重要的位。XOR表示二进制字符串的按位加法模2,| |表示串联。换句话说,如果C=A | | B,则C的最高有效位是A的位,而C的最低有效位等于B的位。十六进制数的前缀为0x。
The word "encryption" includes also use of the NULL algorithm (which in practice does leave the data in the clear).
“加密”一词还包括空算法的使用(实际上,空算法会将数据保留在明文中)。
With slight abuse of notation, we use the terms "message authentication" and "authentication tag" as is common practice, even though in some circumstances, e.g., group communication, the service provided is actually only integrity protection and not data origin authentication.
尽管在某些情况下(例如,组通信),提供的服务实际上只是完整性保护,而不是数据源身份验证,但我们使用术语“消息身份验证”和“身份验证标签”,这是一种常见做法。
The security goals for SRTP are to ensure:
SRTP的安全目标是确保:
* the confidentiality of the RTP and RTCP payloads, and
* RTP和RTCP有效载荷的保密性,以及
* the integrity of the entire RTP and RTCP packets, together with protection against replayed packets.
* 整个RTP和RTCP数据包的完整性,以及防止重播数据包的保护。
These security services are optional and independent from each other, except that SRTCP integrity protection is mandatory (malicious or erroneous alteration of RTCP messages could otherwise disrupt the processing of the RTP stream).
这些安全服务是可选的,彼此独立,但SRTCP完整性保护是强制性的(恶意或错误更改RTCP消息可能会中断RTP流的处理)。
Other, functional, goals for the protocol are:
协议的其他功能性目标包括:
* a framework that permits upgrading with new cryptographic transforms,
* 允许使用新的加密转换进行升级的框架,
* low bandwidth cost, i.e., a framework preserving RTP header compression efficiency,
* 低带宽成本,即保持RTP报头压缩效率的框架,
and, asserted by the pre-defined transforms:
并且,由预定义的转换断言:
* a low computational cost,
* 计算成本低,
* a small footprint (i.e., small code size and data memory for keying information and replay lists),
* 占用空间小(即用于键入信息和重播列表的代码大小和数据内存小),
* limited packet expansion to support the bandwidth economy goal,
* 有限的数据包扩展以支持带宽经济目标,
* independence from the underlying transport, network, and physical layers used by RTP, in particular high tolerance to packet loss and re-ordering.
* 独立于RTP使用的底层传输、网络和物理层,特别是对数据包丢失和重新排序的高容忍度。
These properties ensure that SRTP is a suitable protection scheme for RTP/RTCP in both wired and wireless scenarios.
这些属性确保SRTP是有线和无线场景中RTP/RTCP的合适保护方案。
Besides the above mentioned direct goals, SRTP provides for some additional features. They have been introduced to lighten the burden on key management and to further increase security. They include:
除了上述直接目标之外,SRTP还提供了一些附加功能。它们的引入减轻了密钥管理的负担,并进一步提高了安全性。这些措施包括:
* A single "master key" can provide keying material for confidentiality and integrity protection, both for the SRTP stream and the corresponding SRTCP stream. This is achieved with a key derivation function (see Section 4.3), providing "session keys" for the respective security primitive, securely derived from the master key.
* 单个“主密钥”可以为SRTP流和相应的SRTCP流提供机密性和完整性保护的密钥材料。这是通过密钥派生功能实现的(参见第4.3节),为各个安全原语提供“会话密钥”,安全地从主密钥派生。
* In addition, the key derivation can be configured to periodically refresh the session keys, which limits the amount of ciphertext produced by a fixed key, available for an adversary to cryptanalyze.
* 此外,密钥派生可以配置为定期刷新会话密钥,这限制了由固定密钥生成的密文量,可供对手进行密码分析。
* "Salting keys" are used to protect against pre-computation and time-memory tradeoff attacks [MF00] [BS00].
* “satting key”用于防止预计算和时间-内存权衡攻击[MF00][BS00]。
Detailed rationale for these features can be found in Section 7.
这些特性的详细原理见第7节。
RTP is the Real-time Transport Protocol [RFC3550]. We define SRTP as a profile of RTP. This profile is an extension to the RTP Audio/Video Profile [RFC3551]. Except where explicitly noted, all aspects of that profile apply, with the addition of the SRTP security features. Conceptually, we consider SRTP to be a "bump in the stack" implementation which resides between the RTP application and the transport layer. SRTP intercepts RTP packets and then forwards an equivalent SRTP packet on the sending side, and intercepts SRTP packets and passes an equivalent RTP packet up the stack on the receiving side.
RTP是实时传输协议[RFC3550]。我们将SRTP定义为RTP的概要文件。此配置文件是RTP音频/视频配置文件[RFC3551]的扩展。除非明确指出,该概要文件的所有方面都适用,并添加了SRTP安全特性。从概念上讲,我们认为SRTP是驻留在RTP应用程序和传输层之间的“栈中的凸点”实现。SRTP截获RTP数据包,然后在发送端转发等效的SRTP数据包,并截获SRTP数据包,然后在接收端向上传递等效的RTP数据包。
Secure RTCP (SRTCP) provides the same security services to RTCP as SRTP does to RTP. SRTCP message authentication is MANDATORY and thereby protects the RTCP fields to keep track of membership, provide feedback to RTP senders, or maintain packet sequence counters. SRTCP is described in Section 3.4.
安全RTCP(SRTCP)向RTCP提供的安全服务与SRTP向RTP提供的安全服务相同。SRTCP消息身份验证是强制性的,因此可以保护RTCP字段以跟踪成员身份、向RTP发送者提供反馈或维护数据包序列计数器。第3.4节介绍了SRTCP。
The format of an SRTP packet is illustrated in Figure 1.
SRTP数据包的格式如图1所示。
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<+
|V=2|P|X| CC |M| PT | sequence number | |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |
| timestamp | |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |
| synchronization source (SSRC) identifier | |
+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ |
| contributing source (CSRC) identifiers | |
| .... | |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |
| RTP extension (OPTIONAL) | |
+>+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |
| | payload ... | |
| | +-------------------------------+ |
| | | RTP padding | RTP pad count | |
+>+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<+
| ~ SRTP MKI (OPTIONAL) ~ |
| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |
| : authentication tag (RECOMMENDED) : |
| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |
| |
+- Encrypted Portion* Authenticated Portion ---+
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<+
|V=2|P|X| CC |M| PT | sequence number | |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |
| timestamp | |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |
| synchronization source (SSRC) identifier | |
+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ |
| contributing source (CSRC) identifiers | |
| .... | |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |
| RTP extension (OPTIONAL) | |
+>+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |
| | payload ... | |
| | +-------------------------------+ |
| | | RTP padding | RTP pad count | |
+>+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<+
| ~ SRTP MKI (OPTIONAL) ~ |
| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |
| : authentication tag (RECOMMENDED) : |
| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |
| |
+- Encrypted Portion* Authenticated Portion ---+
Figure 1. The format of an SRTP packet. *Encrypted Portion is the same size as the plaintext for the Section 4 pre-defined transforms.
图1。SRTP数据包的格式*加密部分的大小与第4节预定义转换的明文相同。
The "Encrypted Portion" of an SRTP packet consists of the encryption of the RTP payload (including RTP padding when present) of the equivalent RTP packet. The Encrypted Portion MAY be the exact size of the plaintext or MAY be larger. Figure 1 shows the RTP payload including any possible padding for RTP [RFC3550].
SRTP数据包的“加密部分”包括对等效RTP数据包的RTP有效载荷(包括存在时的RTP填充)的加密。加密部分可以是明文的精确大小,也可以更大。图1显示了RTP有效负载,包括RTP[RFC3550]的任何可能的填充。
None of the pre-defined encryption transforms uses any padding; for these, the RTP and SRTP payload sizes match exactly. New transforms added to SRTP (following Section 6) may require padding, and may hence produce larger payloads. RTP provides its own padding format (as seen in Fig. 1), which due to the padding indicator in the RTP header has merits in terms of compactness relative to paddings using prefix-free codes. This RTP padding SHALL be the default method for transforms requiring padding. Transforms MAY specify other padding methods, and MUST then specify the amount, format, and processing of their padding. It is important to note that encryption transforms
所有预定义的加密转换都不使用任何填充;对于这些,RTP和SRTP有效负载大小完全匹配。添加到SRTP的新转换(第6节之后)可能需要填充,因此可能产生更大的有效负载。RTP提供其自己的填充格式(如图1所示),由于RTP报头中的填充指示符相对于使用无前缀代码的填充具有紧凑性方面的优点。此RTP填充应为需要填充的变换的默认方法。转换可以指定其他填充方法,然后必须指定填充的数量、格式和处理。需要注意的是,加密转换
that use padding are vulnerable to subtle attacks, especially when message authentication is not used [V02]. Each specification for a new encryption transform needs to carefully consider and describe the security implications of the padding that it uses. Message authentication codes define their own padding, so this default does not apply to authentication transforms.
使用填充的用户容易受到微妙的攻击,尤其是在未使用消息身份验证的情况下[V02]。一个新的加密转换的每个规范需要仔细考虑和描述它使用的填充的安全含义。消息身份验证代码定义自己的填充,因此此默认值不适用于身份验证转换。
The OPTIONAL MKI and the RECOMMENDED authentication tag are the only fields defined by SRTP that are not in RTP. Only 8-bit alignment is assumed.
可选的MKI和推荐的身份验证标记是SRTP定义的唯一不在RTP中的字段。仅假定为8位对齐。
MKI (Master Key Identifier): configurable length, OPTIONAL. The MKI is defined, signaled, and used by key management. The MKI identifies the master key from which the session key(s) were derived that authenticate and/or encrypt the particular packet. Note that the MKI SHALL NOT identify the SRTP cryptographic context, which is identified according to Section 3.2.3. The MKI MAY be used by key management for the purposes of re-keying, identifying a particular master key within the cryptographic context (Section 3.2.1).
MKI(主密钥标识符):可配置长度,可选。MKI由密钥管理定义、发出信号并使用。MKI标识从中派生会话密钥的主密钥,会话密钥用于对特定数据包进行身份验证和/或加密。注意,MKI不得识别SRTP加密上下文,该上下文根据第3.2.3节进行识别。密钥管理可将MKI用于重新设置密钥,在加密上下文中识别特定主密钥(第3.2.1节)。
Authentication tag: configurable length, RECOMMENDED. The authentication tag is used to carry message authentication data. The Authenticated Portion of an SRTP packet consists of the RTP header followed by the Encrypted Portion of the SRTP packet. Thus, if both encryption and authentication are applied, encryption SHALL be applied before authentication on the sender side and conversely on the receiver side. The authentication tag provides authentication of the RTP header and payload, and it indirectly provides replay protection by authenticating the sequence number. Note that the MKI is not integrity protected as this does not provide any extra protection.
身份验证标签:可配置长度,推荐。身份验证标签用于携带消息身份验证数据。SRTP数据包的认证部分由RTP报头和SRTP数据包的加密部分组成。因此,如果同时应用了加密和认证,则应在发送方认证之前应用加密,反之,在接收方认证之前应用加密。身份验证标签提供RTP报头和有效负载的身份验证,并通过验证序列号间接提供重播保护。请注意,MKI没有完整性保护,因为它不提供任何额外的保护。
Each SRTP stream requires the sender and receiver to maintain cryptographic state information. This information is called the "cryptographic context".
每个SRTP流都需要发送方和接收方维护加密状态信息。此信息称为“加密上下文”。
SRTP uses two types of keys: session keys and master keys. By a "session key", we mean a key which is used directly in a cryptographic transform (e.g., encryption or message authentication), and by a "master key", we mean a random bit string (given by the key management protocol) from which session keys are derived in a
SRTP使用两种类型的密钥:会话密钥和主密钥。“会话密钥”是指直接用于加密转换(例如,加密或消息认证)的密钥,而“主密钥”是指随机比特串(由密钥管理协议给出),会话密钥是从该随机比特串派生的
cryptographically secure way. The master key(s) and other parameters in the cryptographic context are provided by key management mechanisms external to SRTP, see Section 8.
加密安全的方式。加密上下文中的主密钥和其他参数由SRTP外部的密钥管理机制提供,请参见第8节。
Transform-independent parameters are present in the cryptographic context independently of the particular encryption or authentication transforms that are used. The transform-independent parameters of the cryptographic context for SRTP consist of:
与转换无关的参数存在于加密上下文中,与所使用的特定加密或身份验证转换无关。SRTP加密上下文的转换无关参数包括:
* a 32-bit unsigned rollover counter (ROC), which records how many times the 16-bit RTP sequence number has been reset to zero after passing through 65,535. Unlike the sequence number (SEQ), which SRTP extracts from the RTP packet header, the ROC is maintained by SRTP as described in Section 3.3.1.
* 一种32位无符号翻转计数器(ROC),记录16位RTP序列号通过65535后被重置为零的次数。与SRTP从RTP数据包头中提取的序列号(SEQ)不同,ROC由SRTP维护,如第3.3.1节所述。
We define the index of the SRTP packet corresponding to a given ROC and RTP sequence number to be the 48-bit quantity
我们将对应于给定ROC和RTP序列号的SRTP数据包的索引定义为48位数量
i = 2^16 * ROC + SEQ.
i=2^16*ROC+序列。
* for the receiver only, a 16-bit sequence number s_l, which can be thought of as the highest received RTP sequence number (see Section 3.3.1 for its handling), which SHOULD be authenticated since message authentication is RECOMMENDED,
* 仅针对接收器,一个16位序列号s_l,可被视为最高接收RTP序列号(其处理见第3.3.1节),由于建议进行消息认证,因此应对其进行认证,
* an identifier for the encryption algorithm, i.e., the cipher and its mode of operation,
* 加密算法的标识符,即密码及其操作模式,
* an identifier for the message authentication algorithm,
* 消息身份验证算法的标识符,
* a replay list, maintained by the receiver only (when authentication and replay protection are provided), containing indices of recently received and authenticated SRTP packets,
* 仅由接收器维护的重播列表(当提供认证和重播保护时),包含最近接收和认证的SRTP数据包的索引,
* an MKI indicator (0/1) as to whether an MKI is present in SRTP and SRTCP packets,
* 关于SRTP和SRTCP数据包中是否存在MKI的MKI指示符(0/1),
* if the MKI indicator is set to one, the length (in octets) of the MKI field, and (for the sender) the actual value of the currently active MKI (the value of the MKI indicator and length MUST be kept fixed for the lifetime of the context),
* 如果MKI指示符设置为1,则MKI字段的长度(以八位字节为单位)和(对于发送方)当前活动MKI的实际值(MKI指示符的值和长度必须在上下文的生存期内保持固定),
* the master key(s), which MUST be random and kept secret,
* 主密钥必须是随机且保密的,
* for each master key, there is a counter of the number of SRTP packets that have been processed (sent) with that master key (essential for security, see Sections 3.3.1 and 9),
* 对于每个主密钥,都有一个计数器,指示已使用该主密钥处理(发送)的SRTP数据包的数量(对于安全至关重要,请参见第3.3.1和9节),
* non-negative integers n_e, and n_a, determining the length of the session keys for encryption, and message authentication.
* 非负整数n_e和n_a,用于确定用于加密和消息身份验证的会话密钥的长度。
In addition, for each master key, an SRTP stream MAY use the following associated values:
此外,对于每个主密钥,SRTP流可以使用以下关联值:
* a master salt, to be used in the key derivation of session keys. This value, when used, MUST be random, but MAY be public. Use of master salt is strongly RECOMMENDED, see Section 9.2. A "NULL" salt is treated as 00...0.
* 一种主盐,用于会话密钥的密钥派生。此值在使用时必须是随机的,但可以是公共的。强烈建议使用主盐,见第9.2节。“空”盐被视为00…0。
* an integer in the set {1,2,4,...,2^24}, the "key_derivation_rate", where an unspecified value is treated as zero. The constraint to be a power of 2 simplifies the session-key derivation implementation, see Section 4.3.
* 集合{1,2,4,…,2^24}中的一个整数,即“密钥导出率”,其中未指定的值被视为零。2的幂的约束简化了会话密钥派生实现,参见第4.3节。
* an MKI value,
* MKI值,
* <From, To> values, specifying the lifetime for a master key, expressed in terms of the two 48-bit index values inside whose range (including the range end-points) the master key is valid. For the use of <From, To>, see Section 8.1.1. <From, To> is an alternative to the MKI and assumes that a master key is in one-to-one correspondence with the SRTP session key on which the <From, To> range is defined.
* <From,To>值,指定主密钥的生存期,以主密钥在其范围内(包括范围端点)有效的两个48位索引值表示。有关<From,To>的使用,请参见第8.1.1节<From、To>是MKI的替代方案,并假设主密钥与定义了<From、To>范围的SRTP会话密钥一一对应。
SRTCP SHALL by default share the crypto context with SRTP, except:
默认情况下,SRTCP应与SRTP共享加密上下文,但以下情况除外:
* no rollover counter and s_l-value need to be maintained as the RTCP index is explicitly carried in each SRTCP packet,
* 由于RTCP索引显式地包含在每个SRTCP数据包中,因此无需维护滚动计数器和s_l值,
* a separate replay list is maintained (when replay protection is provided),
* 维护单独的重播列表(当提供重播保护时),
* SRTCP maintains a separate counter for its master key (even if the master key is the same as that for SRTP, see below), as a means to maintain a count of the number of SRTCP packets that have been processed with that key.
* SRTCP为其主密钥维护一个单独的计数器(即使主密钥与SRTP的主密钥相同,请参见下文),作为维护使用该密钥处理的SRTCP数据包数量的一种方法。
Note in particular that the master key(s) MAY be shared between SRTP and the corresponding SRTCP, if the pre-defined transforms (including the key derivation) are used but the session key(s) MUST NOT be so shared.
特别注意,如果使用预定义的转换(包括密钥派生),但会话密钥不能共享,则主密钥可以在SRTP和相应的SRTCP之间共享。
In addition, there can be cases (see Sections 8 and 9.1) where several SRTP streams within a given RTP session, identified by their synchronization source (SSRCs, which is part of the RTP header), share most of the crypto context parameters (including possibly master and session keys). In such cases, just as in the normal SRTP/SRTCP parameter sharing above, separate replay lists and packet counters for each stream (SSRC) MUST still be maintained. Also, separate SRTP indices MUST then be maintained.
此外,在某些情况下(见第8节和第9.1节),给定RTP会话中的几个SRTP流(由其同步源(SSRC,RTP报头的一部分)共享大部分加密上下文参数(可能包括主密钥和会话密钥)。在这种情况下,正如在上述正常的SRTP/SRTCP参数共享中一样,每个流(SSRC)的单独重播列表和数据包计数器必须保持不变。此外,还必须保持单独的SRTP指数。
A summary of parameters, pre-defined transforms, and default values for the above parameters (and other SRTP parameters) can be found in Sections 5 and 8.2.
上述参数(以及其他SRTP参数)的参数、预定义转换和默认值的摘要见第5节和第8.2节。
All encryption, authentication/integrity, and key derivation parameters are defined in the transforms section (Section 4). Typical examples of such parameters are block size of ciphers, session keys, data for the Initialization Vector (IV) formation, etc. Future SRTP transform specifications MUST include a section to list the additional cryptographic context's parameters for that transform, if any.
所有加密、身份验证/完整性和密钥派生参数都在transforms部分(第4部分)中定义。此类参数的典型示例包括密码的块大小、会话密钥、用于初始化向量(IV)形成的数据等。未来的SRTP转换规范必须包括一节,列出用于该转换的其他加密上下文参数(如果有)。
Recall that an RTP session for each participant is defined [RFC3550] by a pair of destination transport addresses (one network address plus a port pair for RTP and RTCP), and that a multimedia session is defined as a collection of RTP sessions. For example, a particular multimedia session could include an audio RTP session, a video RTP session, and a text RTP session.
回想一下,每个参与者的RTP会话由一对目标传输地址(一个网络地址加上RTP和RTCP的端口对)定义[RFC3550],多媒体会话定义为RTP会话的集合。例如,特定多媒体会话可以包括音频RTP会话、视频RTP会话和文本RTP会话。
A cryptographic context SHALL be uniquely identified by the triplet context identifier:
密码上下文应由三元组上下文标识符唯一标识:
context id = <SSRC, destination network address, destination
transport port number>
context id = <SSRC, destination network address, destination
transport port number>
where the destination network address and the destination transport port are the ones in the SRTP packet. It is assumed that, when presented with this information, the key management returns a context with the information as described in Section 3.2.
其中,目标网络地址和目标传输端口是SRTP数据包中的地址。假设当呈现此信息时,密钥管理返回一个上下文,其中包含第3.2节所述的信息。
As noted above, SRTP and SRTCP by default share the bulk of the parameters in the cryptographic context. Thus, retrieving the crypto context parameters for an SRTCP stream in practice may imply a binding to the correspondent SRTP crypto context. It is up to the implementation to assure such binding, since the RTCP port may not be
如上所述,默认情况下,SRTP和SRTCP共享加密上下文中的大部分参数。因此,在实践中检索SRTCP流的加密上下文参数可能意味着绑定到相应的SRTP加密上下文。由实现来确保这种绑定,因为RTCP端口可能不可用
directly deducible from the RTP port only. Alternatively, the key management may choose to provide separate SRTP- and SRTCP- contexts, duplicating the common parameters (such as master key(s)). The latter approach then also enables SRTP and SRTCP to use, e.g., distinct transforms, if so desired. Similar considerations arise when multiple SRTP streams, forming part of one single RTP session, share keys and other parameters.
仅可从RTP端口直接推断。或者,密钥管理可以选择提供单独的SRTP和SRTCP上下文,复制公共参数(例如主密钥)。如果需要,后一种方法还允许SRTP和SRTCP使用不同的转换。当构成单个RTP会话一部分的多个SRTP流共享密钥和其他参数时,也会出现类似的考虑。
If no valid context can be found for a packet corresponding to a certain context identifier, that packet MUST be discarded.
如果找不到与特定上下文标识符对应的数据包的有效上下文,则必须丢弃该数据包。
The following applies to SRTP. SRTCP is described in Section 3.4.
以下内容适用于SRTP。第3.4节介绍了SRTCP。
Assuming initialization of the cryptographic context(s) has taken place via key management, the sender SHALL do the following to construct an SRTP packet:
假设加密上下文已通过密钥管理进行初始化,则发送方应执行以下操作来构造SRTP数据包:
1. Determine which cryptographic context to use as described in Section 3.2.3.
1. 如第3.2.3节所述,确定要使用的加密上下文。
2. Determine the index of the SRTP packet using the rollover counter, the highest sequence number in the cryptographic context, and the sequence number in the RTP packet, as described in Section 3.3.1.
2. 如第3.3.1节所述,使用滚动计数器、加密上下文中的最高序列号和RTP数据包中的序列号确定SRTP数据包的索引。
3. Determine the master key and master salt. This is done using the index determined in the previous step or the current MKI in the cryptographic context, according to Section 8.1.
3. 确定主钥匙和主盐。根据第8.1节,使用上一步中确定的索引或加密上下文中的当前MKI完成此操作。
4. Determine the session keys and session salt (if they are used by the transform) as described in Section 4.3, using master key, master salt, key_derivation_rate, and session key-lengths in the cryptographic context with the index, determined in Steps 2 and 3.
4. 如第4.3节所述,使用步骤2和3中确定的索引,在加密上下文中使用主密钥、主密钥、密钥导出率和会话密钥长度,确定会话密钥和会话密钥(如果转换使用)。
5. Encrypt the RTP payload to produce the Encrypted Portion of the packet (see Section 4.1, for the defined ciphers). This step uses the encryption algorithm indicated in the cryptographic context, the session encryption key and the session salt (if used) found in Step 4 together with the index found in Step 2.
5. 对RTP有效载荷进行加密,以生成数据包的加密部分(定义的密码见第4.1节)。此步骤使用加密上下文中指示的加密算法、会话加密密钥和在步骤4中找到的会话盐(如果使用)以及在步骤2中找到的索引。
6. If the MKI indicator is set to one, append the MKI to the packet.
6. 如果MKI指示符设置为1,则将MKI附加到数据包。
7. For message authentication, compute the authentication tag for the Authenticated Portion of the packet, as described in Section 4.2. This step uses the current rollover counter, the authentication
7. 如第4.2节所述,对于消息认证,计算数据包认证部分的认证标签。此步骤使用当前滚动计数器,即身份验证
algorithm indicated in the cryptographic context, and the session authentication key found in Step 4. Append the authentication tag to the packet.
加密上下文中指示的算法,以及在步骤4中找到的会话身份验证密钥。将身份验证标记附加到数据包。
8. If necessary, update the ROC as in Section 3.3.1, using the packet index determined in Step 2.
8. 如有必要,使用步骤2中确定的数据包索引,按照第3.3.1节更新ROC。
To authenticate and decrypt an SRTP packet, the receiver SHALL do the following:
为了验证和解密SRTP数据包,接收方应执行以下操作:
1. Determine which cryptographic context to use as described in Section 3.2.3.
1. 如第3.2.3节所述,确定要使用的加密上下文。
2. Run the algorithm in Section 3.3.1 to get the index of the SRTP packet. The algorithm uses the rollover counter and highest sequence number in the cryptographic context with the sequence number in the SRTP packet, as described in Section 3.3.1.
2. 运行第3.3.1节中的算法以获取SRTP数据包的索引。如第3.3.1节所述,该算法使用滚动计数器和加密上下文中的最高序列号以及SRTP数据包中的序列号。
3. Determine the master key and master salt. If the MKI indicator in the context is set to one, use the MKI in the SRTP packet, otherwise use the index from the previous step, according to Section 8.1.
3. 确定主钥匙和主盐。如果上下文中的MKI指示符设置为1,则根据第8.1节,使用SRTP数据包中的MKI,否则使用上一步骤中的索引。
4. Determine the session keys, and session salt (if used by the transform) as described in Section 4.3, using master key, master salt, key_derivation_rate and session key-lengths in the cryptographic context with the index, determined in Steps 2 and 3.
4. 如第4.3节所述,在加密上下文中使用主密钥、主盐、密钥导出率和会话密钥长度,并在步骤2和3中确定索引,确定会话密钥和会话盐(如果转换使用)。
5. For message authentication and replay protection, first check if the packet has been replayed (Section 3.3.2), using the Replay List and the index as determined in Step 2. If the packet is judged to be replayed, then the packet MUST be discarded, and the event SHOULD be logged.
5. 对于消息身份验证和重播保护,首先使用重播列表和步骤2中确定的索引检查数据包是否已重播(第3.3.2节)。如果该数据包被判断为重播,则必须丢弃该数据包,并记录该事件。
Next, perform verification of the authentication tag, using the rollover counter from Step 2, the authentication algorithm indicated in the cryptographic context, and the session authentication key from Step 4. If the result is "AUTHENTICATION FAILURE" (see Section 4.2), the packet MUST be discarded from further processing and the event SHOULD be logged.
接下来,使用步骤2中的滚动计数器、加密上下文中指示的身份验证算法和步骤4中的会话身份验证密钥,执行身份验证标签的验证。如果结果为“身份验证失败”(见第4.2节),则必须丢弃数据包,不再进行进一步处理,并记录事件。
6. Decrypt the Encrypted Portion of the packet (see Section 4.1, for the defined ciphers), using the decryption algorithm indicated in the cryptographic context, the session encryption key and salt (if used) found in Step 4 with the index from Step 2.
6. 使用加密上下文中指示的解密算法、第4步中的会话加密密钥和salt(如果使用)以及第2步中的索引对数据包的加密部分进行解密(定义的密码见第4.1节)。
7. Update the rollover counter and highest sequence number, s_l, in the cryptographic context as in Section 3.3.1, using the packet index estimated in Step 2. If replay protection is provided, also update the Replay List as described in Section 3.3.2.
7. 使用步骤2中估计的数据包索引,在第3.3.1节所述的加密上下文中更新滚动计数器和最高序列号s_l。如果提供了重播保护,还应按照第3.3.2节所述更新重播列表。
8. When present, remove the MKI and authentication tag fields from the packet.
8. 如果存在,请从数据包中删除MKI和authentication标记字段。
SRTP implementations use an "implicit" packet index for sequencing, i.e., not all of the index is explicitly carried in the SRTP packet. For the pre-defined transforms, the index i is used in replay protection (Section 3.3.2), encryption (Section 4.1), message authentication (Section 4.2), and for the key derivation (Section 4.3).
SRTP实现使用“隐式”分组索引进行排序,即并非所有索引都显式地携带在SRTP分组中。对于预定义的转换,索引i用于重播保护(第3.3.2节)、加密(第4.1节)、消息身份验证(第4.2节)和密钥派生(第4.3节)。
When the session starts, the sender side MUST set the rollover counter, ROC, to zero. Each time the RTP sequence number, SEQ, wraps modulo 2^16, the sender side MUST increment ROC by one, modulo 2^32 (see security aspects below). The sender's packet index is then defined as
当会话开始时,发送方必须将滚动计数器ROC设置为零。每次RTP序列号SEQ封装模2^16时,发送方必须将ROC增加1,模2^32(参见下面的安全方面)。然后,发送方的数据包索引被定义为
i = 2^16 * ROC + SEQ.
i=2^16*ROC+序列。
Receiver-side implementations use the RTP sequence number to determine the correct index of a packet, which is the location of the packet in the sequence of all SRTP packets. A robust approach for the proper use of a rollover counter requires its handling and use to be well defined. In particular, out-of-order RTP packets with sequence numbers close to 2^16 or zero must be properly handled.
接收机端实现使用RTP序列号来确定分组的正确索引,该索引是分组在所有SRTP分组序列中的位置。正确使用翻转计数器的稳健方法要求其处理和使用得到明确定义。特别是,序列号接近2^16或零的无序RTP数据包必须正确处理。
The index estimate is based on the receiver's locally maintained ROC and s_l values. At the setup of the session, the ROC MUST be set to zero. Receivers joining an on-going session MUST be given the current ROC value using out-of-band signaling such as key-management signaling. Furthermore, the receiver SHALL initialize s_l to the RTP sequence number (SEQ) of the first observed SRTP packet (unless the initial value is provided by out of band signaling such as key management).
该指数估计基于接收者的局部维持ROC和s_l值。在会话设置时,ROC必须设置为零。加入正在进行的会话的接收器必须使用带外信令(如密钥管理信令)来获得当前ROC值。此外,接收机应将s_l初始化为第一个观察到的SRTP分组的RTP序列号(SEQ)(除非初始值由诸如密钥管理之类的带外信令提供)。
On consecutive SRTP packets, the receiver SHOULD estimate the index as i = 2^16 * v + SEQ,
在连续的SRTP数据包上,接收器应将索引估计为i=2^16*v+SEQ,
where v is chosen from the set { ROC-1, ROC, ROC+1 } (modulo 2^32) such that i is closest (in modulo 2^48 sense) to the value 2^16 * ROC + s_l (see Appendix A for pseudocode).
其中,v从集合{ROC-1,ROC,ROC+1}(模2^32)中选择,使得i最接近(模2^48意义上)值2^16*ROC+s_l(伪代码见附录A)。
After the packet has been processed and authenticated (when enabled for SRTP packets for the session), the receiver MUST use v to conditionally update its s_l and ROC variables as follows. If v=(ROC-1) mod 2^32, then there is no update to s_l or ROC. If v=ROC, then s_l is set to SEQ if and only if SEQ is larger than the current s_l; there is no change to ROC. If v=(ROC+1) mod 2^32, then s_l is set to SEQ and ROC is set to v.
在对数据包进行处理和验证之后(当为会话的SRTP数据包启用时),接收方必须使用v有条件地更新其s_l和ROC变量,如下所示。如果v=(ROC-1)mod 2^32,则不更新s_l或ROC。如果v=ROC,则当且仅当SEQ大于当前s_l时,s_l设置为SEQ;中华民国没有变化。如果v=(ROC+1)mod 2^32,则s_l设置为SEQ,ROC设置为v。
After a re-keying occurs (changing to a new master key), the rollover counter always maintains its sequence of values, i.e., it MUST NOT be reset to zero.
重新键入(更改为新的主密钥)后,翻转计数器始终保持其值序列,即不得重置为零。
As the rollover counter is 32 bits long and the sequence number is 16 bits long, the maximum number of packets belonging to a given SRTP stream that can be secured with the same key is 2^48 using the pre-defined transforms. After that number of SRTP packets have been sent with a given (master or session) key, the sender MUST NOT send any more packets with that key. (There exists a similar limit for SRTCP, which in practice may be more restrictive, see Section 9.2.) This limitation enforces a security benefit by providing an upper bound on the amount of traffic that can pass before cryptographic keys are changed. Re-keying (see Section 8.1) MUST be triggered, before this amount of traffic, and MAY be triggered earlier, e.g., for increased security and access control to media. Recurring key derivation by means of a non-zero key_derivation_rate (see Section 4.3), also gives stronger security but does not change the above absolute maximum value.
由于滚动计数器的长度为32位,序列号的长度为16位,因此,使用预定义的转换,属于给定SRTP流且可使用相同密钥保护的最大数据包数为2^48。在使用给定(主密钥或会话)密钥发送了该数量的SRTP数据包之后,发送方不得再使用该密钥发送任何数据包。(SRTCP也存在类似的限制,在实践中可能更具限制性,请参见第9.2节。)该限制通过提供加密密钥更改前可通过的通信量上限来实现安全效益。重设密钥(见第8.1节)必须在该流量之前触发,并且可以提前触发,例如,为了提高安全性和对媒体的访问控制。通过非零密钥派生率(见第4.3节)进行的重复密钥派生也提供了更强的安全性,但不会改变上述绝对最大值。
On the receiver side, there is a caveat to updating s_l and ROC: if message authentication is not present, neither the initialization of s_l, nor the ROC update can be made completely robust. The receiver's "implicit index" approach works for the pre-defined transforms as long as the reorder and loss of the packets are not too great and bit-errors do not occur in unfortunate ways. In particular, 2^15 packets would need to be lost, or a packet would need to be 2^15 packets out of sequence before synchronization is lost. Such drastic loss or reorder is likely to disrupt the RTP application itself.
在接收方,更新s_l和ROC有一个警告:如果消息身份验证不存在,则s_l的初始化和ROC更新都不能完全健壮。接收方的“隐式索引”方法适用于预定义的变换,只要数据包的重新排序和丢失不是太大,并且不会以不幸的方式发生位错误。特别是,在同步丢失之前,需要丢失2^15个数据包,或者一个数据包需要有2^15个数据包顺序不一致。这种严重的丢失或重新排序可能会中断RTP应用程序本身。
The algorithm for the index estimate and ROC update is a matter of implementation, and should take into consideration the environment (e.g., packet loss rate) and the cases when synchronization is likely to be lost, e.g., when the initial sequence number (randomly chosen by RTP) is not known in advance (not sent in the key management protocol) but may be near to wrap modulo 2^16.
索引估计和ROC更新的算法是一个实现问题,应考虑环境(例如,数据包丢失率)和同步可能丢失的情况,例如,初始序列号(由RTP随机选择)事先未知(在密钥管理协议中未发送)的情况但可能接近于包裹模2^16。
A more elaborate and more robust scheme than the one given above is the handling of RTP's own "rollover counter", see Appendix A.1 of [RFC3550].
与上面给出的方案相比,一个更详细、更稳健的方案是处理RTP自己的“滚动计数器”,见[RFC3550]的附录A.1。
Secure replay protection is only possible when integrity protection is present. It is RECOMMENDED to use replay protection, both for RTP and RTCP, as integrity protection alone cannot assure security against replay attacks.
只有在存在完整性保护时,才可能实现安全重播保护。建议对RTP和RTCP使用重播保护,因为单独的完整性保护无法确保针对重播攻击的安全性。
A packet is "replayed" when it is stored by an adversary, and then re-injected into the network. When message authentication is provided, SRTP protects against such attacks through a Replay List. Each SRTP receiver maintains a Replay List, which conceptually contains the indices of all of the packets which have been received and authenticated. In practice, the list can use a "sliding window" approach, so that a fixed amount of storage suffices for replay protection. Packet indices which lag behind the packet index in the context by more than SRTP-WINDOW-SIZE can be assumed to have been received, where SRTP-WINDOW-SIZE is a receiver-side, implementation-dependent parameter and MUST be at least 64, but which MAY be set to a higher value.
当对手存储数据包时,数据包被“重放”,然后重新注入网络。当提供消息身份验证时,SRTP通过重播列表防止此类攻击。每个SRTP接收器维护一个重播列表,该列表概念上包含已接收和验证的所有数据包的索引。实际上,该列表可以使用“滑动窗口”方法,因此固定的存储量足以提供重播保护。在上下文中落后于分组索引超过SRTP-WINDOW-SIZE的分组索引可被假定为已被接收,其中SRTP-WINDOW-SIZE是接收机侧的实现相关参数,并且必须至少为64,但其可被设置为更高的值。
The receiver checks the index of an incoming packet against the replay list and the window. Only packets with index ahead of the window, or, inside the window but not already received, SHALL be accepted.
接收器根据重播列表和窗口检查传入数据包的索引。只有索引在窗口前面或窗口内但尚未收到的数据包才可接受。
After the packet has been authenticated (if necessary the window is first moved ahead), the replay list SHALL be updated with the new index.
在对数据包进行身份验证后(如有必要,首先将窗口向前移动),重播列表应使用新索引进行更新。
The Replay List can be efficiently implemented by using a bitmap to represent which packets have been received, as described in the Security Architecture for IP [RFC2401].
重播列表可以通过使用位图来表示已接收到哪些数据包来有效地实现,如IP安全体系结构[RFC2401]中所述。
Secure RTCP follows the definition of Secure RTP. SRTCP adds three mandatory new fields (the SRTCP index, an "encrypt-flag", and the authentication tag) and one optional field (the MKI) to the RTCP packet definition. The three mandatory fields MUST be appended to an RTCP packet in order to form an equivalent SRTCP packet. The added fields follow any other profile-specific extensions.
安全RTCP遵循安全RTP的定义。SRTCP在RTCP数据包定义中添加了三个必填字段(SRTCP索引、“加密标志”和身份验证标记)和一个可选字段(MKI)。这三个必填字段必须附加到RTCP数据包中,以形成等效的SRTCP数据包。添加的字段遵循任何其他特定于配置文件的扩展名。
According to Section 6.1 of [RFC3550], there is a REQUIRED packet format for compound packets. SRTCP MUST be given packets according to that requirement in the sense that the first part MUST be a sender report or a receiver report. However, the RTCP encryption prefix (a random 32-bit quantity) specified in that Section MUST NOT be used since, as is stated there, it is only applicable to the encryption method specified in [RFC3550] and is not needed by the cryptographic mechanisms used in SRTP.
根据[RFC3550]第6.1节,复合数据包需要一种数据包格式。SRTCP必须根据该要求提供数据包,即第一部分必须是发送方报告或接收方报告。但是,该节中指定的RTCP加密前缀(随机32位数量)不得使用,因为如上所述,它仅适用于[RFC3550]中指定的加密方法,SRTP中使用的加密机制不需要。
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<+
|V=2|P| RC | PT=SR or RR | length | |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |
| SSRC of sender | |
+>+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ |
| ~ sender info ~ |
| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |
| ~ report block 1 ~ |
| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |
| ~ report block 2 ~ |
| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |
| ~ ... ~ |
| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |
| |V=2|P| SC | PT=SDES=202 | length | |
| +=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ |
| | SSRC/CSRC_1 | |
| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |
| ~ SDES items ~ |
| +=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ |
| ~ ... ~ |
+>+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ |
| |E| SRTCP index | |
| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<+
| ~ SRTCP MKI (OPTIONAL) ~ |
| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |
| : authentication tag : |
| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |
| |
+-- Encrypted Portion Authenticated Portion -----+
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<+
|V=2|P| RC | PT=SR or RR | length | |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |
| SSRC of sender | |
+>+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ |
| ~ sender info ~ |
| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |
| ~ report block 1 ~ |
| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |
| ~ report block 2 ~ |
| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |
| ~ ... ~ |
| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |
| |V=2|P| SC | PT=SDES=202 | length | |
| +=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ |
| | SSRC/CSRC_1 | |
| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |
| ~ SDES items ~ |
| +=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ |
| ~ ... ~ |
+>+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ |
| |E| SRTCP index | |
| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<+
| ~ SRTCP MKI (OPTIONAL) ~ |
| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |
| : authentication tag : |
| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |
| |
+-- Encrypted Portion Authenticated Portion -----+
Figure 2. An example of the format of a Secure RTCP packet, consisting of an underlying RTCP compound packet with a Sender Report and SDES packet.
图2。安全RTCP数据包的格式示例,由底层RTCP复合数据包、发送方报告和SDES数据包组成。
The Encrypted Portion of an SRTCP packet consists of the encryption (Section 4.1) of the RTCP payload of the equivalent compound RTCP packet, from the first RTCP packet, i.e., from the ninth (9) octet to the end of the compound packet. The Authenticated Portion of an SRTCP packet consists of the entire equivalent (eventually compound) RTCP packet, the E flag, and the SRTCP index (after any encryption has been applied to the payload).
SRTCP数据包的加密部分包括等效复合RTCP数据包的RTCP有效载荷的加密(第4.1节),从第一个RTCP数据包开始,即从第九(9)个八位组到复合数据包结束。SRTCP数据包的认证部分包括整个等效(最终复合)RTCP数据包、E标志和SRTCP索引(在对有效负载应用任何加密后)。
The added fields are:
添加的字段包括:
E-flag: 1 bit, REQUIRED The E-flag indicates if the current SRTCP packet is encrypted or unencrypted. Section 9.1 of [RFC3550] allows the split of a compound RTCP packet into two lower-layer packets, one to be encrypted and one to be sent in the clear. The E bit set to "1" indicates encrypted packet, and "0" indicates non-encrypted packet.
E-flag:1位,必需。E-flag指示当前SRTCP数据包是加密的还是未加密的。[RFC3550]第9.1节允许将复合RTCP数据包拆分为两个较低层数据包,一个进行加密,另一个以明文形式发送。设置为“1”的E位表示加密的数据包,“0”表示未加密的数据包。
SRTCP index: 31 bits, REQUIRED The SRTCP index is a 31-bit counter for the SRTCP packet. The index is explicitly included in each packet, in contrast to the "implicit" index approach used for SRTP. The SRTCP index MUST be set to zero before the first SRTCP packet is sent, and MUST be incremented by one, modulo 2^31, after each SRTCP packet is sent. In particular, after a re-key, the SRTCP index MUST NOT be reset to zero again.
SRTCP索引:31位,必需SRTCP索引是SRTCP数据包的31位计数器。与SRTP使用的“隐式”索引方法不同,索引显式地包含在每个数据包中。在发送第一个SRTCP数据包之前,必须将SRTCP索引设置为零,并且在发送每个SRTCP数据包之后,必须将其增加1,模2^31。特别是,在重新设置密钥后,SRTCP索引不得再次重置为零。
Authentication Tag: configurable length, REQUIRED The authentication tag is used to carry message authentication data.
身份验证标签:可配置的长度,所需的身份验证标签用于携带消息身份验证数据。
MKI: configurable length, OPTIONAL The MKI is the Master Key Indicator, and functions according to the MKI definition in Section 3.
MKI:可配置长度,可选。MKI是主钥匙指示器,其功能符合第3节中的MKI定义。
SRTCP uses the cryptographic context parameters and packet processing of SRTP by default, with the following changes:
默认情况下,SRTCP使用SRTP的加密上下文参数和数据包处理,但有以下更改:
* The receiver does not need to "estimate" the index, as it is explicitly signaled in the packet.
* 接收器不需要“估计”索引,因为它在包中显式地发信号。
* Pre-defined SRTCP encryption is as specified in Section 4.1, but using the definition of the SRTCP Encrypted Portion given in this section, and using the SRTCP index as the index i. The encryption transform and related parameters SHALL by default be the same selected for the protection of the associated SRTP stream(s), while the NULL algorithm SHALL be applied to the RTCP packets not to be encrypted. SRTCP may have a different encryption transform
* 预定义的SRTCP加密如第4.1节所述,但使用本节中给出的SRTCP加密部分的定义,并使用SRTCP索引作为索引i。默认情况下,为保护相关SRTP流,选择的加密转换和相关参数应相同,而空算法应用于未加密的RTCP数据包。SRTCP可能具有不同的加密转换
than the one used by the corresponding SRTP. The expected use for this feature is when the former has NULL-encryption and the latter has a non NULL-encryption.
而不是相应的SRTP所使用的。此功能的预期用途是前者具有空加密,而后者具有非空加密。
The E-flag is assigned a value by the sender depending on whether the packet was encrypted or not.
发送方根据数据包是否加密,为E标志分配一个值。
* SRTCP decryption is performed as in Section 4, but only if the E flag is equal to 1. If so, the Encrypted Portion is decrypted, using the SRTCP index as the index i. In case the E-flag is 0, the payload is simply left unmodified.
* SRTCP解密如第4节所述执行,但仅当E标志等于1时执行。如果是,则使用SRTCP索引作为索引i对加密部分进行解密。如果E-flag为0,有效负载将保持不变。
* SRTCP replay protection is as defined in Section 3.3.2, but using the SRTCP index as the index i and a separate Replay List that is specific to SRTCP.
* SRTCP重播保护如第3.3.2节所定义,但使用SRTCP索引作为索引i和单独的重播列表,该列表特定于SRTCP。
* The pre-defined SRTCP authentication tag is specified as in Section 4.2, but with the Authenticated Portion of the SRTCP packet given in this section (which includes the index). The authentication transform and related parameters (e.g., key size) SHALL by default be the same as selected for the protection of the associated SRTP stream(s).
* 预定义的SRTCP身份验证标签如第4.2节所述,但本节给出了SRTCP数据包的身份验证部分(包括索引)。默认情况下,认证转换和相关参数(如密钥大小)应与为保护相关SRTP流而选择的参数相同。
* In the last step of the processing, only the sender needs to update the value of the SRTCP index by incrementing it modulo 2^31 and for security reasons the sender MUST also check the number of SRTCP packets processed, see Section 9.2.
* 在处理的最后一步中,只有发送方需要通过增加SRTCP索引的模2^31来更新该索引的值,出于安全原因,发送方还必须检查已处理的SRTCP数据包的数量,请参见第9.2节。
Message authentication for RTCP is REQUIRED, as it is the control protocol (e.g., it has a BYE packet) for RTP.
RTCP需要消息认证,因为它是RTP的控制协议(例如,它有一个BYE数据包)。
Precautions must be taken so that the packet expansion in SRTCP (due to the added fields) does not cause SRTCP messages to use more than their share of RTCP bandwidth. To avoid this, the following two measures MUST be taken:
必须采取预防措施,以便SRTCP中的数据包扩展(由于添加了字段)不会导致SRTCP消息使用的RTCP带宽超过其份额。为了避免这种情况,必须采取以下两种措施:
1. When initializing the RTCP variable "avg_rtcp_size" defined in chapter 6.3 of [RFC3550], it MUST include the size of the fields that will be added by SRTCP (index, E-bit, authentication tag, and when present, the MKI).
1. 初始化[RFC3550]第6.3章中定义的RTCP变量“avg_RTCP_size”时,必须包括SRTCP将添加的字段大小(索引、E位、身份验证标签,以及存在时的MKI)。
2. When updating the "avg_rtcp_size" using the variable "packet_size" (section 6.3.3 of [RFC3550]), the value of "packet_size" MUST include the size of the additional fields added by SRTCP.
2. 使用变量“packet_size”(RFC3550第6.3.3节)更新“avg_rtcp_size”时,“packet_size”的值必须包括SRTCP添加的附加字段的大小。
With these measures in place the SRTCP messages will not use more than the allotted bandwidth. The effect of the size of the added fields on the SRTCP traffic will be that messages will be sent with longer packet intervals. The increase in the intervals will be directly proportional to size of the added fields. For the pre-defined transforms, the size of the added fields will be at least 14 octets, and upper bounded depending on MKI and the authentication tag sizes.
有了这些措施,SRTCP消息使用的带宽将不会超过分配的带宽。添加字段的大小对SRTCP流量的影响是,消息将以更长的数据包间隔发送。间隔的增加将与添加字段的大小成正比。对于预定义的转换,添加字段的大小将至少为14个八位字节,上限取决于MKI和身份验证标记的大小。
While there are numerous encryption and message authentication algorithms that can be used in SRTP, below we define default algorithms in order to avoid the complexity of specifying the encodings for the signaling of algorithm and parameter identifiers. The defined algorithms have been chosen as they fulfill the goals listed in Section 2. Recommendations on how to extend SRTP with new transforms are given in Section 6.
虽然SRTP中可以使用许多加密和消息认证算法,但下面我们定义了默认算法,以避免为算法和参数标识符的信令指定编码的复杂性。选择定义的算法是因为它们实现了第2节中列出的目标。第6节给出了关于如何使用新转换扩展SRTP的建议。
The following parameters are common to both pre-defined, non-NULL, encryption transforms specified in this section.
以下参数对于本节中指定的预定义、非空的加密转换都是通用的。
* BLOCK_CIPHER-MODE indicates the block cipher used and its mode of operation * n_b is the bit-size of the block for the block cipher * k_e is the session encryption key * n_e is the bit-length of k_e * k_s is the session salting key * n_s is the bit-length of k_s * SRTP_PREFIX_LENGTH is the octet length of the keystream prefix, a non-negative integer, specified by the message authentication code in use.
* BLOCK_CIPHER-MODE表示使用的分组密码及其操作模式*n_b是分组密码的块的位大小*k_e是会话加密密钥*n_e是k_e的位长度*k_s是会话加密密钥*n_s是k_s的位长度*SRTP_前缀\u长度是密钥流前缀的八位字节长度,由正在使用的消息身份验证代码指定的非负整数。
The distinct session keys and salts for SRTP/SRTCP are by default derived as specified in Section 4.3.
默认情况下,SRTP/SRTCP的不同会话密钥和SALT按照第4.3节的规定派生。
The encryption transforms defined in SRTP map the SRTP packet index and secret key into a pseudo-random keystream segment. Each keystream segment encrypts a single RTP packet. The process of encrypting a packet consists of generating the keystream segment corresponding to the packet, and then bitwise exclusive-oring that keystream segment onto the payload of the RTP packet to produce the Encrypted Portion of the SRTP packet. In case the payload size is not an integer multiple of n_b bits, the excess (least significant) bits of the keystream are simply discarded. Decryption is done the same way, but swapping the roles of the plaintext and ciphertext.
SRTP中定义的加密转换将SRTP数据包索引和密钥映射为伪随机密钥流段。每个密钥流段加密一个RTP数据包。加密数据包的过程包括生成与该数据包相对应的密钥流段,然后将该密钥流段以位排他方式存储到RTP数据包的有效载荷上,以生成SRTP数据包的加密部分。如果有效负载大小不是n_b位的整数倍,则仅丢弃密钥流的多余(最低有效)位。解密是以同样的方式进行的,但交换了明文和密文的角色。
+----+ +------------------+---------------------------------+
| KG |-->| Keystream Prefix | Keystream Suffix |---+
+----+ +------------------+---------------------------------+ |
|
+---------------------------------+ v
| Payload of RTP Packet |->(*)
+---------------------------------+ |
|
+---------------------------------+ |
| Encrypted Portion of SRTP Packet|<--+
+---------------------------------+
+----+ +------------------+---------------------------------+
| KG |-->| Keystream Prefix | Keystream Suffix |---+
+----+ +------------------+---------------------------------+ |
|
+---------------------------------+ v
| Payload of RTP Packet |->(*)
+---------------------------------+ |
|
+---------------------------------+ |
| Encrypted Portion of SRTP Packet|<--+
+---------------------------------+
Figure 3: Default SRTP Encryption Processing. Here KG denotes the keystream generator, and (*) denotes bitwise exclusive-or.
图3:默认SRTP加密处理。这里KG表示键流生成器,(*)表示按位异或。
The definition of how the keystream is generated, given the index, depends on the cipher and its mode of operation. Below, two such keystream generators are defined. The NULL cipher is also defined, to be used when encryption of RTP is not required.
给定索引,如何生成密钥流的定义取决于密码及其操作模式。下面定义了两个这样的密钥流生成器。还定义了空密码,在不需要RTP加密时使用。
The SRTP definition of the keystream is illustrated in Figure 3. The initial octets of each keystream segment MAY be reserved for use in a message authentication code, in which case the keystream used for encryption starts immediately after the last reserved octet. The initial reserved octets are called the "keystream prefix" (not to be confused with the "encryption prefix" of [RFC3550, Section 6.1]), and the remaining octets are called the "keystream suffix". The keystream prefix MUST NOT be used for encryption. The process is illustrated in Figure 3.
键流的SRTP定义如图3所示。每个密钥流段的初始八位字节可以保留用于消息认证码,在这种情况下,用于加密的密钥流在最后一个保留八位字节之后立即开始。初始保留的八位字节称为“密钥流前缀”(不要与[RFC3550,第6.1节]中的“加密前缀”混淆),其余八位字节称为“密钥流后缀”。密钥流前缀不得用于加密。该过程如图3所示。
The number of octets in the keystream prefix is denoted as SRTP_PREFIX_LENGTH. The keystream prefix is indicated by a positive, non-zero value of SRTP_PREFIX_LENGTH. This means that, even if confidentiality is not to be provided, the keystream generator output may still need to be computed for packet authentication, in which case the default keystream generator (mode) SHALL be used.
密钥流前缀中的八位字节数表示为SRTP_prefix_LENGTH。密钥流前缀由SRTP_prefix_LENGTH的非零值表示。这意味着,即使不提供机密性,也可能需要计算密钥流生成器输出以进行分组认证,在这种情况下,应使用默认密钥流生成器(模式)。
The default cipher is the Advanced Encryption Standard (AES) [AES], and we define two modes of running AES, (1) Segmented Integer Counter Mode AES and (2) AES in f8-mode. In the remainder of this section, let E(k,x) be AES applied to key k and input block x.
默认密码是高级加密标准(AES)[AES],我们定义了两种运行AES的模式,(1)分段整数计数器模式AES和(2)f8模式下的AES。在本节的其余部分中,将E(k,x)应用于键k和输入块x。
Conceptually, counter mode [AES-CTR] consists of encrypting successive integers. The actual definition is somewhat more complicated, in order to randomize the starting point of the integer sequence. Each packet is encrypted with a distinct keystream segment, which SHALL be computed as follows.
从概念上讲,计数器模式[AES-CTR]由加密连续整数组成。为了使整数序列的起点随机化,实际的定义要复杂一些。每个数据包使用不同的密钥流段加密,其计算如下。
A keystream segment SHALL be the concatenation of the 128-bit output blocks of the AES cipher in the encrypt direction, using key k = k_e, in which the block indices are in increasing order. Symbolically, each keystream segment looks like
密钥流段应为加密方向上AES密码128位输出块的串联,使用密钥k=k_e,其中块索引为递增顺序。从象征意义上讲,每个键流段看起来像
E(k, IV) || E(k, IV + 1 mod 2^128) || E(k, IV + 2 mod 2^128) ...
E(k,IV)| E(k,IV+1模2^128)| E(k,IV+2模2^128)。。。
where the 128-bit integer value IV SHALL be defined by the SSRC, the SRTP packet index i, and the SRTP session salting key k_s, as below.
其中,128位整数值IV应由SSRC、SRTP数据包索引i和SRTP会话盐析密钥k_s定义,如下所示。
IV = (k_s * 2^16) XOR (SSRC * 2^64) XOR (i * 2^16)
IV = (k_s * 2^16) XOR (SSRC * 2^64) XOR (i * 2^16)
Each of the three terms in the XOR-sum above is padded with as many leading zeros as needed to make the operation well-defined, considered as a 128-bit value.
上述XOR和中的三个项中的每一项都填充了所需的前导零,以使操作定义良好,被视为128位值。
The inclusion of the SSRC allows the use of the same key to protect distinct SRTP streams within the same RTP session, see the security caveats in Section 9.1.
SSRC的加入允许使用相同的密钥在同一RTP会话中保护不同的SRTP流,请参见第9.1节中的安全注意事项。
In the case of SRTCP, the SSRC of the first header of the compound packet MUST be used, i SHALL be the 31-bit SRTCP index and k_e, k_s SHALL be replaced by the SRTCP encryption session key and salt.
在SRTCP的情况下,必须使用复合数据包的第一个报头的SSRC,i应为31位SRTCP索引,k_e,k_s应替换为SRTCP加密会话密钥和salt。
Note that the initial value, IV, is fixed for each packet and is formed by "reserving" 16 zeros in the least significant bits for the purpose of the counter. The number of blocks of keystream generated for any fixed value of IV MUST NOT exceed 2^16 to avoid keystream re-use, see below. The AES has a block size of 128 bits, so 2^16 output blocks are sufficient to generate the 2^23 bits of keystream needed to encrypt the largest possible RTP packet (except for IPv6 "jumbograms" [RFC2675], which are not likely to be used for RTP-based multimedia traffic). This restriction on the maximum bit-size of the packet that can be encrypted ensures the security of the encryption method by limiting the effectiveness of probabilistic attacks [BDJR].
注意,初始值IV对于每个分组是固定的,并且为了计数器的目的通过在最低有效位中“保留”16个零来形成。为IV的任何固定值生成的密钥流块数不得超过2^16,以避免密钥流重复使用,见下文。AES的块大小为128位,因此2^16个输出块足以生成加密最大可能RTP数据包所需的2^23位密钥流(IPv6“jumbograms”[RFC2675]除外,它不可能用于基于RTP的多媒体通信)。对可加密数据包的最大比特大小的限制通过限制概率攻击的有效性[BDJR]确保了加密方法的安全性。
For a particular Counter Mode key, each IV value used as an input MUST be distinct, in order to avoid the security exposure of a two-time pad situation (Section 9.1). To satisfy this constraint, an implementation MUST ensure that the combination of the SRTP packet
对于特定计数器模式键,用作输入的每个IV值必须是不同的,以避免两次pad情况的安全暴露(第9.1节)。要满足此约束,实现必须确保SRTP数据包的组合
index of ROC || SEQ, and the SSRC used in the construction of the IV are distinct for any particular key. The failure to ensure this uniqueness could be catastrophic for Secure RTP. This is in contrast to the situation for RTP itself, which may be able to tolerate such failures. It is RECOMMENDED that, if a dedicated security module is present, the RTP sequence numbers and SSRC either be generated or checked by that module (i.e., sequence-number and SSRC processing in an SRTP system needs to be protected as well as the key).
ROC | | SEQ索引和IV构造中使用的SSRC对于任何特定键都是不同的。无法确保这种唯一性对于安全RTP来说可能是灾难性的。这与RTP本身的情况相反,RTP本身可能能够容忍此类故障。如果存在专用安全模块,建议该模块生成或检查RTP序列号和SSRC(即SRTP系统中的序列号和SSRC处理以及密钥需要保护)。
To encrypt UMTS (Universal Mobile Telecommunications System, as 3G networks) data, a solution (see [f8-a] [f8-b]) known as the f8- algorithm has been developed. On a high level, the proposed scheme is a variant of Output Feedback Mode (OFB) [HAC], with a more elaborate initialization and feedback function. As in normal OFB, the core consists of a block cipher. We also define here the use of AES as a block cipher to be used in what we shall call "f8-mode of operation" RTP encryption. The AES f8-mode SHALL use the same default sizes for session key and salt as AES counter mode.
为了加密UMTS(通用移动通信系统,如3G网络)数据,开发了一种称为f8-算法的解决方案(参见[f8-a][f8-b])。在高层次上,所提出的方案是输出反馈模式(OFB)[HAC]的一种变体,具有更精细的初始化和反馈功能。与普通OFB一样,核心由分组密码组成。在此,我们还将AES定义为分组密码,用于我们称之为“f8操作模式”的RTP加密。AES f8模式应使用与AES计数器模式相同的会话密钥和salt默认大小。
Figure 4 shows the structure of block cipher, E, running in f8-mode.
图4显示了在f8模式下运行的分组密码E的结构。
IV
|
v
+------+
| |
+--->| E |
| +------+
| |
m -> (*) +-----------+-------------+-- ... ------+
| IV' | | | |
| | j=1 -> (*) j=2 -> (*) ... j=L-1 ->(*)
| | | | |
| | +-> (*) +-> (*) ... +-> (*)
| | | | | | | |
| v | v | v | v
| +------+ | +------+ | +------+ | +------+
k_e ---+--->| E | | | E | | | E | | | E |
| | | | | | | | | | |
+------+ | +------+ | +------+ | +------+
| | | | | | |
+------+ +--------+ +-- ... ----+ |
| | | |
v v v v
S(0) S(1) S(2) . . . S(L-1)
IV
|
v
+------+
| |
+--->| E |
| +------+
| |
m -> (*) +-----------+-------------+-- ... ------+
| IV' | | | |
| | j=1 -> (*) j=2 -> (*) ... j=L-1 ->(*)
| | | | |
| | +-> (*) +-> (*) ... +-> (*)
| | | | | | | |
| v | v | v | v
| +------+ | +------+ | +------+ | +------+
k_e ---+--->| E | | | E | | | E | | | E |
| | | | | | | | | | |
+------+ | +------+ | +------+ | +------+
| | | | | | |
+------+ +--------+ +-- ... ----+ |
| | | |
v v v v
S(0) S(1) S(2) . . . S(L-1)
Figure 4. f8-mode of operation (asterisk, (*), denotes bitwise XOR). The figure represents the KG in Figure 3, when AES-f8 is used.
图4。f8操作模式(星号,(*),表示按位异或)。当使用AES-f8时,该图表示图3中的KG。
The Initialization Vector (IV) SHALL be determined as described in Section 4.1.2.2 (and in Section 4.1.2.3 for SRTCP).
应按照第4.1.2.2节(以及第4.1.2.3节SRTCP)的规定确定初始化向量(IV)。
Let IV', S(j), and m denote n_b-bit blocks. The keystream,
S(0) ||... || S(L-1), for an N-bit message SHALL be defined by
setting IV' = E(k_e XOR m, IV), and S(-1) = 00..0. For
j = 0,1,..,L-1 where L = N/n_b (rounded up to nearest integer if it
is not already an integer) compute
Let IV', S(j), and m denote n_b-bit blocks. The keystream,
S(0) ||... || S(L-1), for an N-bit message SHALL be defined by
setting IV' = E(k_e XOR m, IV), and S(-1) = 00..0. For
j = 0,1,..,L-1 where L = N/n_b (rounded up to nearest integer if it
is not already an integer) compute
S(j) = E(k_e, IV' XOR j XOR S(j-1))
S(j) = E(k_e, IV' XOR j XOR S(j-1))
Notice that the IV is not used directly. Instead it is fed through E under another key to produce an internal, "masked" value (denoted IV') to prevent an attacker from gaining known input/output pairs.
请注意,IV不是直接使用的。相反,它通过另一个键下的E来产生一个内部“屏蔽”值(表示为IV'),以防止攻击者获得已知的输入/输出对。
The role of the internal counter, j, is to prevent short keystream cycles. The value of the key mask m SHALL be
内部计数器j的作用是防止短键流循环。键掩码m的值应为
m = k_s || 0x555..5,
m=k|s | 0x555..5,
i.e., the session salting key, appended by the binary pattern 0101.. to fill out the entire desired key size, n_e.
i、 例如,会话盐析键,由二进制模式0101追加。。要填写所需的全部密钥大小,请使用n_e。
The sender SHOULD NOT generate more than 2^32 blocks, which is sufficient to generate 2^39 bits of keystream. Unlike counter mode, there is no absolute threshold above (below) which f8 is guaranteed to be insecure (secure). The above bound has been chosen to limit, with sufficient security margin, the probability of degenerative behavior in the f8 keystream generation.
发送方不应生成超过2^32个块,这足以生成2^39位的密钥流。与计数器模式不同,f8上(下)没有保证不安全(安全)的绝对阈值。选择上述界限是为了限制f8密钥流生成过程中出现退化行为的可能性,并具有足够的安全余量。
The purpose of the following IV formation is to provide a feature which we call implicit header authentication (IHA), see Section 9.5.
以下IV格式的目的是提供我们称之为隐式报头认证(IHA)的功能,请参见第9.5节。
The SRTP IV for 128-bit block AES-f8 SHALL be formed in the following way:
128位块AES-f8的SRTP IV应按以下方式形成:
IV = 0x00 || M || PT || SEQ || TS || SSRC || ROC
IV=0x00 | M | PT | SEQ | TS | SSRC | ROC
M, PT, SEQ, TS, SSRC SHALL be taken from the RTP header; ROC is from the cryptographic context.
M、 PT、SEQ、TS、SSRC应取自RTP总管;ROC来自加密上下文。
The presence of the SSRC as part of the IV allows AES-f8 to be used when a master key is shared between multiple streams within the same RTP session, see Section 9.1.
当主密钥在同一RTP会话中的多个流之间共享时,作为IV一部分的SSRC允许使用AES-f8,参见第9.1节。
The SRTCP IV for 128-bit block AES-f8 SHALL be formed in the following way:
128位块AES-f8的SRTCP IV应按以下方式形成:
IV= 0..0 || E || SRTCP index || V || P || RC || PT || length || SSRC
IV=0..0 | | | | | | SRTCP索引| | V | | | P | | | RC | | PT | |长度| SSRC
where V, P, RC, PT, length, SSRC SHALL be taken from the first header in the RTCP compound packet. E and SRTCP index are the 1-bit and 31-bit fields added to the packet.
式中,V、P、RC、PT、长度、SSRC应从RTCP复合数据包的第一个报头中获取。E和SRTCP索引是添加到数据包中的1位和31位字段。
The NULL cipher is used when no confidentiality for RTP/RTCP is requested. The keystream can be thought of as "000..0", i.e., the encryption SHALL simply copy the plaintext input into the ciphertext output.
当未请求RTP/RTCP的机密性时,使用空密码。密钥流可以被认为是“000..0”,即加密应简单地将明文输入复制到密文输出中。
Throughout this section, M will denote data to be integrity protected. In the case of SRTP, M SHALL consist of the Authenticated Portion of the packet (as specified in Figure 1) concatenated with the ROC, M = Authenticated Portion || ROC; in the case of SRTCP, M SHALL consist of the Authenticated Portion (as specified in Figure 2) only.
在本节中,M将表示受完整性保护的数据。在SRTP的情况下,M应包括与ROC连接的数据包的认证部分(如图1所示),M=认证部分| | ROC;对于SRTCP,M应仅包括认证部分(如图2所示)。
Common parameters:
通用参数:
* AUTH_ALG is the authentication algorithm * k_a is the session message authentication key * n_a is the bit-length of the authentication key * n_tag is the bit-length of the output authentication tag * SRTP_PREFIX_LENGTH is the octet length of the keystream prefix as defined above, a parameter of AUTH_ALG
* AUTH_ALG是认证算法*k_a是会话消息认证密钥*n_a是认证密钥的位长度*n_tag是输出认证标签的位长度*SRTP_PREFIX_length是如上定义的密钥流前缀的八位字节长度,AUTH_ALG的一个参数
The distinct session authentication keys for SRTP/SRTCP are by default derived as specified in Section 4.3.
默认情况下,SRTP/SRTCP的不同会话身份验证密钥按照第4.3节的规定派生。
The values of n_a, n_tag, and SRTP_PREFIX_LENGTH MUST be fixed for any particular fixed value of the key.
对于密钥的任何特定固定值,n_a、n_标记和SRTP_PREFIX_LENGTH的值必须是固定的。
We describe the process of computing authentication tags as follows. The sender computes the tag of M and appends it to the packet. The SRTP receiver verifies a message/authentication tag pair by computing a new authentication tag over M using the selected algorithm and key, and then compares it to the tag associated with the received message. If the two tags are equal, then the message/tag pair is valid; otherwise, it is invalid and the error audit message "AUTHENTICATION FAILURE" MUST be returned.
我们如下描述计算身份验证标签的过程。发送方计算M的标记并将其附加到数据包中。SRTP接收机通过使用所选算法和密钥计算M上的新认证标签来验证消息/认证标签对,然后将其与与接收到的消息相关联的标签进行比较。如果两个标记相等,则消息/标记对有效;否则,它将无效,并且必须返回错误审核消息“身份验证失败”。
The pre-defined authentication transform for SRTP is HMAC-SHA1 [RFC2104]. With HMAC-SHA1, the SRTP_PREFIX_LENGTH (Figure 3) SHALL be 0. For SRTP (respectively SRTCP), the HMAC SHALL be applied to the session authentication key and M as specified above, i.e., HMAC(k_a, M). The HMAC output SHALL then be truncated to the n_tag left-most bits.
SRTP的预定义身份验证转换是HMAC-SHA1[RFC2104]。对于HMAC-SHA1,SRTP_前缀_长度(图3)应为0。对于SRTP(分别为SRTCP),HMAC应应用于上述会话认证密钥和M,即HMAC(k_a,M)。然后,HMAC输出应截断为n_标签最左边的位。
Regardless of the encryption or message authentication transform that is employed (it may be an SRTP pre-defined transform or newly introduced according to Section 6), interoperable SRTP implementations MUST use the SRTP key derivation to generate session keys. Once the key derivation rate is properly signaled at the start of the session, there is no need for extra communication between the parties that use SRTP key derivation.
无论采用何种加密或消息认证转换(可能是SRTP预定义转换或根据第6节新引入的转换),可互操作的SRTP实现都必须使用SRTP密钥派生来生成会话密钥。一旦在会话开始时正确地通知了密钥派生率,就不需要在使用SRTP密钥派生的各方之间进行额外的通信。
packet index ---+
|
v
+-----------+ master +--------+ session encr_key
| ext | key | |---------->
| key mgmt |-------->| key | session auth_key
| (optional | | deriv |---------->
| rekey) |-------->| | session salt_key
| | master | |---------->
+-----------+ salt +--------+
packet index ---+
|
v
+-----------+ master +--------+ session encr_key
| ext | key | |---------->
| key mgmt |-------->| key | session auth_key
| (optional | | deriv |---------->
| rekey) |-------->| | session salt_key
| | master | |---------->
+-----------+ salt +--------+
Figure 5: SRTP key derivation.
图5:SRTP密钥派生。
At least one initial key derivation SHALL be performed by SRTP, i.e., the first key derivation is REQUIRED. Further applications of the key derivation MAY be performed, according to the "key_derivation_rate" value in the cryptographic context. The key derivation function SHALL initially be invoked before the first packet and then, when r > 0, a key derivation is performed whenever index mod r equals zero. This can be thought of as "refreshing" the session keys. The value of "key_derivation_rate" MUST be kept fixed for the lifetime of the associated master key.
SRTP应至少进行一次初始密钥推导,即需要进行第一次密钥推导。根据密码上下文中的“密钥导出率”值,可以执行密钥导出的进一步应用。密钥派生函数最初应在第一个数据包之前调用,然后,当r>0时,只要索引mod r等于零,就执行密钥派生。这可以被认为是“刷新”会话密钥。在相关主密钥的生命周期内,“密钥导出率”的值必须保持固定。
Interoperable SRTP implementations MAY also derive session salting keys for encryption transforms, as is done in both of the pre-defined transforms.
可互操作的SRTP实现还可以派生用于加密转换的会话盐析密钥,就像在两种预定义转换中所做的那样。
Let m and n be positive integers. A pseudo-random function family is a set of keyed functions {PRF_n(k,x)} such that for the (secret) random key k, given m-bit x, PRF_n(k,x) is an n-bit string, computationally indistinguishable from random n-bit strings, see [HAC]. For the purpose of key derivation in SRTP, a secure PRF with m = 128 (or more) MUST be used, and a default PRF transform is defined in Section 4.3.3.
设m和n为正整数。伪随机函数族是一组键控函数{PRF_n(k,x)},因此对于(秘密)随机密钥k,给定m位x,PRF_n(k,x)是一个n位字符串,在计算上与随机n位字符串无法区分,请参见[HAC]。为了在SRTP中进行密钥推导,必须使用m=128(或更多)的安全PRF,并且在第4.3.3节中定义了默认PRF转换。
Let "a DIV t" denote integer division of a by t, rounded down, and with the convention that "a DIV 0 = 0" for all a. We also make the convention of treating "a DIV t" as a bit string of the same length as a, and thus "a DIV t" will in general have leading zeros.
让“a DIV t”表示a除以t的整数,四舍五入,并使用所有a的约定“a DIV 0=0”。我们还约定将“a DIV t”视为与a长度相同的位字符串,因此“a DIV t”通常具有前导零。
Key derivation SHALL be defined as follows in terms of <label>, an 8-bit constant (see below), master_salt and key_derivation_rate, as determined in the cryptographic context, and index, the packet index (i.e., the 48-bit ROC || SEQ for SRTP):
密钥派生应根据以下定义:在加密上下文中确定的<label>、8位常数(见下文)、master_salt和密钥派生率,以及索引、数据包索引(即SRTP的48位ROC | SEQ):
* Let r = index DIV key_derivation_rate (with DIV as defined above).
* 设r=索引DIV key_派生率(DIV如上定义)。
* Let key_id = <label> || r.
* 让key_id=<label>|r。
* Let x = key_id XOR master_salt, where key_id and master_salt are aligned so that their least significant bits agree (right-alignment).
* 设x=key_id XOR master_salt,其中key_id和master_salt对齐,以便它们的最低有效位一致(右对齐)。
<label> MUST be unique for each type of key to be derived. We currently define <label> 0x00 to 0x05 (see below), and future extensions MAY specify new values in the range 0x06 to 0xff for other purposes. The n-bit SRTP key (or salt) for this packet SHALL then be derived from the master key, k_master as follows:
<label>对于要派生的每种类型的键都必须是唯一的。我们目前定义<label>0x00到0x05(见下文),未来的扩展可能会指定0x06到0xff范围内的新值,以用于其他目的。然后,该数据包的n位SRTP密钥(或salt)应从主密钥k_master中导出,如下所示:
PRF_n(k_master, x).
PRF_n(k_master,x)。
(The PRF may internally specify additional formatting and padding of x, see e.g., Section 4.3.3 for the default PRF.)
(PRF可在内部指定x的附加格式和填充,例如,默认PRF见第4.3.3节。)
The session keys and salt SHALL now be derived using:
会话密钥和salt现在应使用以下公式推导:
- k_e (SRTP encryption): <label> = 0x00, n = n_e.
- k_e(SRTP加密):<label>=0x00,n=n_e。
- k_a (SRTP message authentication): <label> = 0x01, n = n_a.
- k_a(SRTP消息身份验证):<label>=0x01,n=n_a。
- k_s (SRTP salting key): <label> = 0x02, n = n_s.
- k_s(SRTP盐析键):<label>=0x02,n=n_s。
where n_e, n_s, and n_a are from the cryptographic context.
其中n_e、n_s和n_a来自加密上下文。
The master key and master salt MUST be random, but the master salt MAY be public.
主密钥和主盐必须是随机的,但主盐可以是公共的。
Note that for a key_derivation_rate of 0, the application of the key derivation SHALL take place exactly once.
请注意,对于0的密钥导出率,密钥导出的应用应仅发生一次。
The definition of DIV above is purely for notational convenience. For a non-zero t among the set of allowed key derivation rates, "a DIV t" can be implemented as a right-shift by the base-2 logarithm of
上述DIV的定义纯粹是为了便于注释。对于一组允许的密钥派生率中的非零t,“DIV t”可以实现为以
t. The derivation operation is further facilitated if the rates are chosen to be powers of 256, but that granularity was considered too coarse to be a requirement of this specification.
t. 如果将速率选择为256的幂,则推导操作将进一步简化,但该粒度被认为太粗,不符合本规范的要求。
The upper limit on the number of packets that can be secured using the same master key (see Section 9.2) is independent of the key derivation.
使用同一主密钥(见第9.2节)可以保护的数据包数量上限与密钥派生无关。
SRTCP SHALL by default use the same master key (and master salt) as SRTP. To do this securely, the following changes SHALL be done to the definitions in Section 4.3.1 when applying session key derivation for SRTCP.
默认情况下,SRTCP应使用与SRTP相同的主密钥(和主盐)。为了安全地实现这一点,在为SRTCP应用会话密钥派生时,应对第4.3.1节中的定义进行以下更改。
Replace the SRTP index by the 32-bit quantity: 0 || SRTCP index (i.e., excluding the E-bit, replacing it with a fixed 0-bit), and use <label> = 0x03 for the SRTCP encryption key, <label> = 0x04 for the SRTCP authentication key, and, <label> = 0x05 for the SRTCP salting key.
用32位数量替换SRTP索引:0 | | SRTCP索引(即,不包括e位,替换为固定的0位),并使用<label>=0x03表示SRTCP加密密钥,<label>=0x04表示SRTCP身份验证密钥,<label>=0x05表示SRTCP盐析密钥。
The currently defined PRF, keyed by 128, 192, or 256 bit master key, has input block size m = 128 and can produce n-bit outputs for n up to 2^23. PRF_n(k_master,x) SHALL be AES in Counter Mode as described in Section 4.1.1, applied to key k_master, and IV equal to (x*2^16), and with the output keystream truncated to the n first (left-most) bits. (Requiring n/128, rounded up, applications of AES.)
当前定义的PRF由128、192或256位主密钥设置密钥,其输入块大小为m=128,可以为n到2^23生成n位输出。PRF_n(k_-master,x)应为第4.1.1节所述计数器模式下的AES,应用于密钥k_-master,IV等于(x*2^16),且输出密钥流截断为n个第一(最左边)位。(需要n/128,四舍五入,AES的应用。)
The default transforms also are mandatory-to-implement transforms in SRTP. Of course, "mandatory-to-implement" does not imply "mandatory-to-use". Table 1 summarizes the pre-defined transforms. The default values below are valid for the pre-defined transforms.
默认转换也是在SRTP中实现转换所必需的。当然,“强制实施”并不意味着“强制使用”。表1总结了预定义的转换。以下默认值对预定义的变换有效。
mandatory-to-impl. optional default
强制执行。可选默认值
encryption AES-CM, NULL AES-f8 AES-CM message integrity HMAC-SHA1 - HMAC-SHA1 key derivation (PRF) AES-CM - AES-CM
加密AES-CM,空AES-f8 AES-CM消息完整性HMAC-SHA1-HMAC-SHA1密钥派生(PRF)AES-CM-AES-CM
Table 1: Mandatory-to-implement, optional and default transforms in SRTP and SRTCP.
表1:在SRTP和SRTCP中实现强制转换、可选转换和默认转换。
AES running in Segmented Integer Counter Mode, as defined in Section 4.1.1, SHALL be the default encryption algorithm. The default key lengths SHALL be 128-bit for the session encryption key (n_e). The default session salt key-length (n_s) SHALL be 112 bits.
按照第4.1.1节的定义,在分段整数计数器模式下运行的AES应为默认加密算法。会话加密密钥(n_e)的默认密钥长度应为128位。默认会话盐密钥长度(n_s)应为112位。
The NULL cipher SHALL also be mandatory-to-implement.
空密码也应强制执行。
HMAC-SHA1, as defined in Section 4.2.1, SHALL be the default message authentication code. The default session authentication key-length (n_a) SHALL be 160 bits, the default authentication tag length (n_tag) SHALL be 80 bits, and the SRTP_PREFIX_LENGTH SHALL be zero for HMAC-SHA1. In addition, for SRTCP, the pre-defined HMAC-SHA1 MUST NOT be applied with a value of n_tag, nor n_a, that are smaller than these defaults. For SRTP, smaller values are NOT RECOMMENDED, but MAY be used after careful consideration of the issues in Section 7.5 and 9.5.
第4.2.1节中定义的HMAC-SHA1应为默认消息认证码。HMAC-SHA1的默认会话认证密钥长度(n_a)应为160位,默认认证标签长度(n_标签)应为80位,SRTP_前缀长度应为零。此外,对于SRTCP,预定义的HMAC-SHA1不得应用小于这些默认值的n_tag或n_a值。对于SRTP,不建议使用较小的值,但可在仔细考虑第7.5节和第9.5节中的问题后使用。
The AES Counter Mode based key derivation and PRF defined in Sections 4.3.1 to 4.3.3, using a 128-bit master key, SHALL be the default method for generating session keys. The default master salt length SHALL be 112 bits and the default key-derivation rate SHALL be zero.
第4.3.1至4.3.3节中定义的基于AES计数器模式的密钥派生和PRF(使用128位主密钥)应为生成会话密钥的默认方法。默认主盐长度应为112位,默认密钥派生率应为零。
Section 4 provides examples of the level of detail needed for defining transforms. Whenever a new transform is to be added to SRTP, a companion standard track RFC MUST be written to exactly define how the new transform can be used with SRTP (and SRTCP). Such a companion RFC SHOULD avoid overlap with the SRTP protocol document. Note however, that it MAY be necessary to extend the SRTP or SRTCP cryptographic context definition with new parameters (including fixed or default values), add steps to the packet processing, or even add fields to the SRTP/SRTCP packets. The companion RFC SHALL explain any known issues regarding interactions between the transform and other aspects of SRTP.
第4节提供了定义转换所需的详细级别示例。每当要向SRTP添加一个新的转换时,必须编写一个配套的标准轨迹RFC,以准确定义新转换如何与SRTP(和SRTCP)一起使用。此类配套RFC应避免与SRTP协议文件重叠。但是,请注意,可能需要使用新参数(包括固定值或默认值)扩展SRTP或SRTCP加密上下文定义,向数据包处理添加步骤,甚至向SRTP/SRTCP数据包添加字段。配套RFC应解释与转换和SRTP其他方面之间的交互有关的任何已知问题。
Each new transform document SHOULD specify its key attributes, e.g., size of keys (minimum, maximum, recommended), format of keys, recommended/required processing of input keying material, requirements/recommendations on key lifetime, re-keying and key derivation, whether sharing of keys between SRTP and SRTCP is allowed or not, etc.
每个新的转换文件都应指定其关键属性,例如,密钥的大小(最小值、最大值、建议值)、密钥的格式、输入密钥材料的建议/要求处理、密钥生命周期、重设密钥和密钥派生的要求/建议、SRTP和SRTCP之间是否允许共享密钥等。
An added message integrity transform SHOULD define a minimum acceptable key/tag size for SRTCP, equivalent in strength to the minimum values as defined in Section 5.2.
添加的消息完整性转换应定义SRTCP的最小可接受密钥/标记大小,其强度等同于第5.2节中定义的最小值。
This section explains the rationale behind several important features of SRTP.
本节解释了SRTP几个重要特性背后的基本原理。
Key derivation reduces the burden on the key establishment. As many as six different keys are needed per crypto context (SRTP and SRTCP encryption keys and salts, SRTP and SRTCP authentication keys), but these are derived from a single master key in a cryptographically secure way. Thus, the key management protocol needs to exchange only one master key (plus master salt when required), and then SRTP itself derives all the necessary session keys (via the first, mandatory application of the key derivation function).
密钥派生减少了密钥建立的负担。每个加密上下文需要多达六个不同的密钥(SRTP和SRTCP加密密钥和SALT、SRTP和SRTCP身份验证密钥),但这些密钥是以加密安全的方式从单个主密钥派生的。因此,密钥管理协议只需要交换一个主密钥(在需要时加上主salt),然后SRTP本身派生所有必要的会话密钥(通过密钥派生函数的第一个强制应用)。
Multiple applications of the key derivation function are optional, but will give security benefits when enabled. They prevent an attacker from obtaining large amounts of ciphertext produced by a single fixed session key. If the attacker was able to collect a large amount of ciphertext for a certain session key, he might be helped in mounting certain attacks.
密钥派生函数的多个应用程序是可选的,但启用后将提供安全性优势。它们防止攻击者获取单个固定会话密钥产生的大量密文。如果攻击者能够为某个会话密钥收集大量密文,则可能有助于发动某些攻击。
Multiple applications of the key derivation function provide backwards and forward security in the sense that a compromised session key does not compromise other session keys derived from the same master key. This means that the attacker who is able to recover a certain session key, is anyway not able to have access to messages secured under previous and later session keys (derived from the same master key). (Note that, of course, a leaked master key reveals all the session keys derived from it.)
密钥派生功能的多个应用程序提供向后和向前安全性,即受损会话密钥不会危害从同一主密钥派生的其他会话密钥。这意味着能够恢复特定会话密钥的攻击者无论如何都无法访问以前和以后会话密钥(源自同一主密钥)下的安全消息。(当然,请注意,泄漏的主密钥会显示从它派生的所有会话密钥。)
Considerations arise with high-rate key refresh, especially in large multicast settings, see Section 11.
高速密钥刷新会引起注意事项,特别是在大型多播设置中,请参见第11节。
The master salt guarantees security against off-line key-collision attacks on the key derivation that might otherwise reduce the effective key size [MF00].
主salt保证了密钥派生上的离线密钥冲突攻击的安全性,否则可能会减少有效密钥大小[MF00]。
The derived session salting key used in the encryption, has been introduced to protect against some attacks on additive stream ciphers, see Section 9.2. The explicit inclusion method of the salt in the IV has been selected for ease of hardware implementation.
加密中使用的派生会话加密密钥已被引入,以防止对加法流密码的某些攻击,请参见第9.2节。为了便于硬件实现,选择了在IV中明确包含盐的方法。
The particular definition of the keystream given in Section 4.1 (the keystream prefix) is to give provision for particular universal hash functions, suitable for message authentication in the Wegman-Carter paradigm [WC81]. Such functions are provably secure, simple, quick, and especially appropriate for Digital Signal Processors and other processors with a fast multiply operation.
第4.1节(密钥流前缀)中给出的密钥流的特定定义是提供特定的通用哈希函数,适用于Wegman-Carter范例[WC81]中的消息认证。这些函数是可证明的安全、简单、快速的,尤其适用于数字信号处理器和其他具有快速乘法运算的处理器。
No authentication transforms are currently provided in SRTP other than HMAC-SHA1. Future transforms, like the above mentioned universal hash functions, MAY be added following the guidelines in Section 6.
除了HMAC-SHA1之外,SRTP中目前没有提供任何身份验证转换。未来的转换,如上述通用哈希函数,可以按照第6节中的指导原则添加。
Note that in pair-wise communications, integrity and data origin authentication are provided together. However, in group scenarios where the keys are shared between members, the MAC tag only proves that a member of the group sent the packet, but does not prevent against a member impersonating another. Data origin authentication (DOA) for multicast and group RTP sessions is a hard problem that needs a solution; while some promising proposals are being investigated [PCST1] [PCST2], more work is needed to rigorously specify these technologies. Thus SRTP data origin authentication in groups is for further study.
注意,在成对通信中,完整性和数据源身份验证一起提供。但是,在成员之间共享密钥的组场景中,MAC标记仅证明组中的成员发送了数据包,但不能防止成员模仿另一个。多播和组RTP会话的数据源认证(DOA)是一个需要解决的难题;虽然正在研究一些有希望的方案[PCST1][PCST2],但需要做更多的工作来严格指定这些技术。因此,分组SRTP数据源认证有待进一步研究。
DOA can be done otherwise using signatures. However, this has high impact in terms of bandwidth and processing time, therefore we do not offer this form of authentication in the pre-defined packet-integrity transform.
DOA可以使用签名以其他方式完成。但是,这对带宽和处理时间有很大影响,因此我们不在预定义的数据包完整性转换中提供这种形式的身份验证。
The presence of mixers and translators does not allow data origin authentication in case the RTP payload and/or the RTP header are manipulated. Note that these types of middle entities also disrupt end-to-end confidentiality (as the IV formation depends e.g., on the RTP header preservation). A certain trust model may choose to trust the mixers/translators to decrypt/re-encrypt the media (this would imply breaking the end-to-end security, with related security implications).
如果RTP有效负载和/或RTP报头被操纵,混频器和转换器的存在不允许数据源身份验证。请注意,这些类型的中间实体也会破坏端到端的机密性(因为IV的形成取决于RTP报头的保存)。某个信任模型可能会选择信任混音器/翻译器来解密/重新加密媒体(这意味着破坏端到端的安全性,并产生相关的安全影响)。
As shown in Figure 1, the authentication tag is RECOMMENDED in SRTP. A full 80-bit authentication-tag SHOULD be used, but a shorter tag or even a zero-length tag (i.e., no message authentication) MAY be used under certain conditions to support either of the following two application environments.
如图1所示,在SRTP中建议使用身份验证标签。应使用完整的80位身份验证标签,但在某些条件下,可使用较短的标签,甚至零长度标签(即,无消息身份验证),以支持以下两种应用程序环境之一。
1. Strong authentication can be impractical in environments where bandwidth preservation is imperative. An important special case is wireless communication systems, in which bandwidth is a scarce and expensive resource. Studies have shown that for certain applications and link technologies, additional bytes may result in a significant decrease in spectrum efficiency [SWO]. Considerable effort has been made to design IP header compression techniques to improve spectrum efficiency [RFC3095]. A typical voice application produces 20 byte samples, and the RTP, UDP and IP headers need to be jointly compressed to one or two bytes on average in order to obtain acceptable wireless bandwidth economy [RFC3095]. In this case, strong authentication would impose nearly fifty percent overhead.
1. 在必须保留带宽的环境中,强身份验证可能是不切实际的。一个重要的特例是无线通信系统,其中带宽是一种稀缺且昂贵的资源。研究表明,对于某些应用和链路技术,额外的字节可能会导致频谱效率的显著降低[SWO]。设计IP报头压缩技术以提高频谱效率已经付出了相当大的努力[RFC3095]。典型的语音应用程序产生20字节的样本,RTP、UDP和IP报头需要平均联合压缩到一个或两个字节,以获得可接受的无线带宽经济性[RFC3095]。在这种情况下,强身份验证将带来近50%的开销。
2. Authentication is impractical for applications that use data links with fixed-width fields that cannot accommodate the expansion due to the authentication tag. This is the case for some important existing wireless channels. For example, zero-byte header compression is used to adapt EVRC/SMV voice with the legacy IS-95 bearer channel in CDMA2000 VoIP services. It was found that not a single additional octet could be added to the data, which motivated the creation of a zero-byte profile for ROHC [RFC3242].
2. 对于使用具有固定宽度字段的数据链接的应用程序,由于身份验证标记而无法容纳扩展,因此身份验证是不切实际的。一些重要的现有无线信道就是这样。例如,在CDMA2000 VoIP服务中,零字节报头压缩用于将EVRC/SMV语音与传统is-95承载信道相适应。结果发现,没有一个额外的八位字节可以添加到数据中,这促使为ROHC创建零字节配置文件[RFC3242]。
A short tag is secure for a restricted set of applications. Consider a voice telephony application, for example, such as a G.729 audio codec with a 20-millisecond packetization interval, protected by a 32-bit message authentication tag. The likelihood of any given packet being successfully forged is only one in 2^32. Thus an adversary can control no more than 20 milliseconds of audio output during a 994-day period, on average. In contrast, the effect of a single forged packet can be much larger if the application is stateful. A codec that uses relative or predictive compression across packets will propagate the maliciously generated state, affecting a longer duration of output.
短标记对于一组受限的应用程序是安全的。考虑语音电话应用程序,例如G.729音频编解码器,其具有20毫秒打包间隔,由32位消息认证标签保护。任何给定数据包被成功伪造的可能性只有2^32分之一。因此,敌方在994天的时间内平均控制不超过20毫秒的音频输出。相反,如果应用程序是有状态的,则单个伪造数据包的影响可能要大得多。跨数据包使用相对或预测压缩的编解码器将传播恶意生成的状态,从而影响更长的输出持续时间。
Certainly not all SRTP or telephony applications meet the criteria for short or zero-length authentication tags. Section 9.5.1 discusses the risks of weak or no message authentication, and section 9.5 describes the circumstances when it is acceptable and when it is unacceptable.
当然,并非所有SRTP或电话应用程序都符合短或零长度身份验证标签的标准。第9.5.1节讨论了弱消息认证或无消息认证的风险,第9.5节描述了可接受和不可接受的情况。
There are emerging key management standards [MIKEY] [KEYMGT] [SDMS] for establishing an SRTP cryptographic context (e.g., an SRTP master key). Both proprietary and open-standard key management methods are likely to be used for telephony applications [MIKEY] [KINK] and multicast applications [GDOI]. This section provides guidance for key management systems that service SRTP session.
有新兴的密钥管理标准[MIKEY][KEYMGT][SDMS]用于建立SRTP加密上下文(例如,SRTP主密钥)。专有和开放标准密钥管理方法都可能用于电话应用程序[MIKEY][KINK]和多播应用程序[GDOI]。本节为服务于SRTP会话的密钥管理系统提供指导。
For initialization, an interoperable SRTP implementation SHOULD be given the SSRC and MAY be given the initial RTP sequence number for the RTP stream by key management (thus, key management has a dependency on RTP operational parameters). Sending the RTP sequence number in the key management may be useful e.g., when the initial sequence number is close to wrapping (to avoid synchronization problems), and to communicate the current sequence number to a joining endpoint (to properly initialize its replay list).
对于初始化,应为可互操作的SRTP实现提供SSRC,并可通过密钥管理为RTP流提供初始RTP序列号(因此,密钥管理依赖于RTP操作参数)。在密钥管理中发送RTP序列号可能有用,例如,当初始序列号接近包装时(以避免同步问题),以及将当前序列号传送给加入端点(以正确初始化其重播列表)。
If the pre-defined transforms are used, SRTP allows sharing of the same master key between SRTP/SRTCP streams belonging to the same RTP session.
如果使用预定义的转换,SRTP允许在属于同一RTP会话的SRTP/SRTCP流之间共享相同的主密钥。
First, sharing between SRTP streams belonging to the same RTP session is secure if the design of the synchronization mechanism, i.e., the IV, avoids keystream re-use (the two-time pad, Section 9.1). This is taken care of by the fact that RTP provides for unique SSRCs for streams belonging to the same RTP session. See Section 9.1 for further discussion.
首先,如果同步机制(即IV)的设计避免了密钥流的重复使用(两次pad,第9.1节),则属于同一RTP会话的SRTP流之间的共享是安全的。RTP为属于同一RTP会话的流提供了唯一的SSRC,这就解决了这个问题。进一步讨论见第9.1节。
Second, sharing between SRTP and the corresponding SRTCP is secure. The fact that an SRTP stream and its associated SRTCP stream both carry the same SSRC does not constitute a problem for the two-time pad due to the key derivation. Thus, SRTP and SRTCP corresponding to one RTP session MAY share master keys (as they do by default).
其次,SRTP和相应的SRTCP之间的共享是安全的。由于密钥派生,SRTP流及其关联的SRTCP流都携带相同的SSRC这一事实并不构成两次pad的问题。因此,对应于一个RTP会话的SRTP和SRTCP可以共享主密钥(默认情况下也是如此)。
Note that message authentication also has a dependency on SSRC uniqueness that is unrelated to the problem of keystream reuse: SRTP streams authenticated under the same key MUST have a distinct SSRC in order to identify the sender of the message. This requirement is needed because the SSRC is the cryptographically authenticated field
请注意,消息身份验证还依赖于SSRC唯一性,这与密钥流重用问题无关:在同一密钥下进行身份验证的SRTP流必须具有不同的SSRC,以便识别消息的发送者。之所以需要此要求,是因为SSRC是经过加密验证的字段
used to distinguish between different SRTP streams. Were two streams to use identical SSRC values, then an adversary could substitute messages from one stream into the other without detection.
用于区分不同的SRTP流。如果两个流使用相同的SSRC值,那么对手可以将一个流中的消息替换为另一个流中的消息,而无需检测。
SRTP/SRTCP MUST NOT share master keys under any other circumstances than the ones given above, i.e., between SRTP and its corresponding SRTCP, and, between streams belonging to the same RTP session.
除上述情况外,SRTP/SRTCP不得在任何其他情况下共享主密钥,即SRTP与其对应的SRTCP之间,以及属于同一RTP会话的流之间。
The recommended way for a particular key management system to provide re-key within SRTP is by associating a master key in a crypto context with an MKI.
特定密钥管理系统在SRTP中提供重密钥的推荐方法是将加密上下文中的主密钥与MKI关联。
This provides for easy master key retrieval (see Scenarios in Section 11), but has the disadvantage of adding extra bits to each packet. As noted in Section 7.5, some wireless links do not cater for added bits, therefore SRTP also defines a more economic way of triggering re-keying, via use of <From, To>, which works in some specific, simple scenarios (see Section 8.1.1).
这提供了容易的主密钥检索(参见第11节中的场景),但缺点是向每个数据包添加额外的位。如第7.5节所述,一些无线链路不适合增加的比特,因此SRTP还定义了一种更经济的方式,通过使用<From,To>,触发重设密钥,这种方式在一些特定的简单场景中工作(见第8.1.1节)。
SRTP senders SHALL count the amount of SRTP and SRTCP traffic being used for a master key and invoke key management to re-key if needed (Section 9.2). These interactions are defined by the key management interface to SRTP and are not defined by this protocol specification.
SRTP发送方应统计主密钥使用的SRTP和SRTCP通信量,并在需要时调用密钥管理重新设置密钥(第9.2节)。这些交互由SRTP的密钥管理接口定义,不由本协议规范定义。
In addition to the use of the MKI, SRTP defines another optional mechanism for master key retrieval, the <From, To>. The <From, To> specifies the range of SRTP indices (a pair of sequence number and ROC) within which a certain master key is valid, and is (when used) part of the crypto context. By looking at the 48-bit SRTP index of the current SRTP packet, the corresponding master key can be found by determining which From-To interval it belongs to. For SRTCP, the most recently observed/used SRTP index (which can be obtained from the cryptographic context) is used for this purpose, even though SRTCP has its own (31-bit) index (see caveat below).
除了使用MKI之外,SRTP还定义了另一种可选的主密钥检索机制<From,to>。<From,To>指定SRTP索引(一对序列号和ROC)的范围,其中某个主密钥有效,并且(使用时)是加密上下文的一部分。通过查看当前SRTP分组的48位SRTP索引,可以通过确定其所属的从到间隔来找到相应的主密钥。对于SRTCP,最近观察到/使用的SRTP索引(可从加密上下文中获得)用于此目的,即使SRTCP有自己的(31位)索引(请参见下面的警告)。
This method, compared to the MKI, has the advantage of identifying the master key and defining its lifetime without adding extra bits to each packet. This could be useful, as already noted, for some wireless links that do not cater for added bits. However, its use SHOULD be limited to specific, very simple scenarios. We recommend to limit its use when the RTP session is a simple unidirectional or bi-directional stream. This is because in case of multiple streams, it is difficult to trigger the re-key based on the <From, To> of a single RTP stream. For example, if several streams share a master
与MKI相比,该方法具有识别主密钥和定义其生存期的优点,而无需向每个数据包添加额外比特。如前所述,这对于某些不适合增加比特的无线链路可能很有用。但是,它的使用应限于特定的、非常简单的场景。当RTP会话是简单的单向或双向流时,我们建议限制其使用。这是因为在多个流的情况下,很难基于单个RTP流的<From,to>,触发重新密钥。例如,如果多个流共享一个主数据流
key, there is no simple one-to-one correspondence between the index sequence space of a certain stream, and the index sequence space on which the <From, To> values are based. Consequently, when a master key is shared between streams, one of these streams MUST be designated by key management as the one whose index space defines the re-keying points. Also, the re-key triggering on SRTCP is based on the correspondent SRTP stream, i.e., when the SRTP stream changes the master key, so does the correspondent SRTCP. This becomes obviously more and more complex with multiple streams.
某个流的索引序列空间与<From,to>值所基于的索引序列空间之间没有简单的一一对应关系。因此,当在流之间共享主密钥时,密钥管理必须将这些流中的一个流指定为其索引空间定义重设密钥点的流。此外,SRTCP上的重新密钥触发基于相应的SRTP流,即,当SRTP流更改主密钥时,相应的SRTCP也会更改主密钥。对于多个流,这显然变得越来越复杂。
The default values for the <From, To> are "from the first observed packet" and "until further notice". However, the maximum limit of SRTP/SRTCP packets that are sent under each given master/session key (Section 9.2) MUST NOT be exceeded.
<From,To>的默认值为“从第一个观察到的数据包”和“直到进一步通知”。但是,不得超过在每个给定主/会话密钥(第9.2节)下发送的SRTP/SRTCP数据包的最大限制。
In case the <From, To> is used as key retrieval, then the MKI is not inserted in the packet (and its indicator in the crypto context is zero). However, using the MKI does not exclude using <From, To> key lifetime simultaneously. This can for instance be useful to signal at the sender side at which point in time an MKI is to be made active.
如果<From,To>被用作密钥检索,则MKI不会插入到数据包中(其在加密上下文中的指示符为零)。但是,使用MKI并不排除同时使用<From,To>密钥生存期。例如,这可用于在发送方发出信号,在该时间点将激活MKI。
The table below lists all SRTP parameters that key management can supply. For reference, it also provides a summary of the default and mandatory-to-support values for an SRTP implementation as described in Section 5.
下表列出了密钥管理可以提供的所有SRTP参数。为了便于参考,它还提供了第5节中描述的支持SRTP实现值的默认值和强制值的摘要。
Parameter Mandatory-to-support Default
--------- -------------------- -------
Parameter Mandatory-to-support Default
--------- -------------------- -------
SRTP and SRTCP encr transf. AES_CM, NULL AES_CM (Other possible values: AES_f8)
SRTP和SRTCP encr传输。AES_CM,空AES_CM(其他可能的值:AES_f8)
SRTP and SRTCP auth transf. HMAC-SHA1 HMAC-SHA1
SRTP和SRTCP身份验证传输。HMAC-SHA1 HMAC-SHA1
SRTP and SRTCP auth params: n_tag (tag length) 80 80 SRTP prefix_length 0 0
SRTP和SRTCP身份验证参数:n_标记(标记长度)80 80 SRTP前缀_长度0
Key derivation PRF AES_CM AES_CM
密钥派生PRF AES_CM AES_CM
Key material params (for each master key): master key length 128 128 n_e (encr session key length) 128 128 n_a (auth session key length) 160 160 master salt key length of the master salt 112 112 n_s (session salt key length) 112 112 key derivation rate 0 0
密钥材料参数(对于每个主密钥):主密钥长度128 128 n_e(encr会话密钥长度)128 128 n_a(身份验证会话密钥长度)160 160主盐密钥的主盐密钥长度112 112 n_s(会话盐密钥长度)112 112密钥派生率0
key lifetime SRTP-packets-max-lifetime 2^48 2^48 SRTCP-packets-max-lifetime 2^31 2^31 from-to-lifetime <From, To> MKI indicator 0 0 length of the MKI 0 0 value of the MKI
密钥生存期SRTP数据包最大生存期2^48 2^48 SRTCP数据包最大生存期2^31 2^31从到生存期<从,到>MKI指示符0 MKI的长度0 MKI的值0
Crypto context index params: SSRC value ROC SEQ SRTCP Index Transport address Port number
加密上下文索引参数:SSRC值ROC SEQ SRTCP索引传输地址端口号
Relation to other RTP profiles: sender's order between FEC and SRTP FEC-SRTP FEC-SRTP (see Section 10)
与其他RTP配置文件的关系:FEC和SRTP FEC-SRTP FEC-SRTP之间的发送方订单(见第10节)
Any fixed keystream output, generated from the same key and index MUST only be used to encrypt once. Re-using such keystream (jokingly called a "two-time pad" system by cryptographers), can seriously compromise security. The NSA's VENONA project [C99] provides a historical example of such a compromise. It is REQUIRED that automatic key management be used for establishing and maintaining SRTP and SRTCP keying material; this requirement is to avoid keystream reuse, which is more likely to occur with manual key management. Furthermore, in SRTP, a "two-time pad" is avoided by requiring the key, or some other parameter of cryptographic significance, to be unique per RTP/RTCP stream and packet. The pre-defined SRTP transforms accomplish packet-uniqueness by including the packet index and stream-uniqueness by inclusion of the SSRC.
由相同密钥和索引生成的任何固定密钥流输出只能用于加密一次。重复使用这样的密钥流(密码学家戏称为“两次pad”系统)会严重危害安全性。美国国家安全局的维诺纳项目[C99]提供了一个历史性的例子,证明了这种妥协。需要使用自动密钥管理来建立和维护SRTP和SRTCP密钥材料;此要求是为了避免密钥流重用,而手动密钥管理更可能发生这种情况。此外,在SRTP中,通过要求每个RTP/RTCP流和数据包的密钥或其他具有密码意义的参数是唯一的,从而避免了“两次pad”。预定义的SRTP变换通过包含数据包索引实现数据包唯一性,通过包含SSRC实现流唯一性。
The pre-defined transforms (AES-CM and AES-f8) allow master keys to be shared across streams belonging to the same RTP session by the inclusion of the SSRC in the IV. A master key MUST NOT be shared among different RTP sessions.
通过在IV中包含SSRC,预定义转换(AES-CM和AES-f8)允许在属于同一RTP会话的流之间共享主密钥。不同RTP会话之间不得共享主密钥。
Thus, the SSRC MUST be unique between all the RTP streams within the same RTP session that share the same master key. RTP itself provides an algorithm for detecting SSRC collisions within the same RTP session. Thus, temporary collisions could lead to temporary two-time pad, in the unfortunate event that SSRCs collide at a point in time when the streams also have identical sequence numbers (occurring with probability roughly 2^(-48)). Therefore, the key management SHOULD take care of avoiding such SSRC collisions by including the SSRCs to be used in the session as negotiation parameters, proactively assuring their uniqueness. This is a strong requirements in scenarios where for example, there are multiple senders that can start to transmit simultaneously, before SSRC collision are detected at the RTP level.
因此,SSRC在共享相同主密钥的同一RTP会话中的所有RTP流之间必须是唯一的。RTP本身提供了一种算法,用于检测同一RTP会话中的SSRC冲突。因此,临时冲突可能导致临时两次pad,不幸的是,SSRC在流也具有相同序列号的时间点发生冲突(发生概率约为2^(-48))。因此,密钥管理应注意避免此类SSRC冲突,将会话中使用的SSRC作为协商参数,主动确保其唯一性。例如,在RTP级别检测到SSRC冲突之前,有多个发送方可以同时开始传输的场景中,这是一个很强的要求。
Note also that even with distinct SSRCs, extensive use of the same key might improve chances of probabilistic collision and time-memory-tradeoff attacks succeeding.
还请注意,即使使用不同的SSRC,大量使用同一密钥也可能会提高概率冲突和时间-内存权衡攻击成功的几率。
As described, master keys MAY be shared between streams belonging to the same RTP session, but it is RECOMMENDED that each SSRC have its own master key. When master keys are shared among SSRC participants and SSRCs are managed by a key management module as recommended above, the RECOMMENDED policy for an SSRC collision error is for the participant to leave the SRTP session as it is a sign of malfunction.
如上所述,主密钥可在属于同一RTP会话的流之间共享,但建议每个SSRC具有其自己的主密钥。当主密钥在SSRC参与者之间共享且SSRC由密钥管理模块按照上述建议进行管理时,SSRC冲突错误的建议策略是参与者离开SRTP会话,因为这是故障的迹象。
The effective key size is determined (upper bounded) by the size of the master key and, for encryption, the size of the salting key. Any additive stream cipher is vulnerable to attacks that use statistical knowledge about the plaintext source to enable key collision and time-memory tradeoff attacks [MF00] [H80] [BS00]. These attacks take advantage of commonalities among plaintexts, and provide a way for a cryptanalyst to amortize the computational effort of decryption over many keys, or over many bytes of output, thus reducing the effective key size of the cipher. A detailed analysis of these attacks and their applicability to the encryption of Internet traffic is provided in [MF00]. In summary, the effective key size of SRTP when used in a security system in which m distinct keys are used, is equal to the key size of the cipher less the logarithm (base two) of m. Protection against such attacks can be provided simply by increasing the size of the keys used, which here can be accomplished by the use of the salting key. Note that the salting key MUST be random but MAY be public. A salt size of (the suggested) size 112 bits protects against attacks in scenarios where at most 2^112 keys are in use. This is sufficient for all practical purposes.
有效密钥大小由主密钥的大小以及加密密钥的大小决定(上限)。任何加法流密码都容易受到攻击,这些攻击使用有关明文源的统计知识来启用密钥冲突和时间内存折衷攻击[MF00][H80][BS00]。这些攻击利用了明文之间的共性,并为密码分析师提供了一种方法,可以将解密的计算工作量分摊到多个密钥或多个字节的输出上,从而减少密码的有效密钥大小。[MF00]中详细分析了这些攻击及其对互联网流量加密的适用性。总之,在使用m个不同密钥的安全系统中,SRTP的有效密钥大小等于密码的密钥大小减去m的对数(以2为底)。只需增加所用密钥的大小即可提供针对此类攻击的保护,这可以通过使用satting密钥来实现。请注意,salting密钥必须是随机的,但可以是公共的。在最多使用2^112个密钥的情况下,(建议的)大小为112位的salt可以防止攻击。这对于所有实际目的都是足够的。
Implementations SHOULD use keys that are as large as possible. Please note that in many cases increasing the key size of a cipher does not affect the throughput of that cipher.
实现应该使用尽可能大的键。请注意,在许多情况下,增加密码的密钥大小不会影响该密码的吞吐量。
The use of the SRTP and SRTCP indices in the pre-defined transforms fixes the maximum number of packets that can be secured with the same key. This limit is fixed to 2^48 SRTP packets for an SRTP stream, and 2^31 SRTCP packets, when SRTP and SRTCP are considered independently. Due to for example re-keying, reaching this limit may or may not coincide with wrapping of the indices, and thus the sender MUST keep packet counts. However, when the session keys for related SRTP and SRTCP streams are derived from the same master key (the default behavior, Section 4.3), the upper bound that has to be considered is in practice the minimum of the two quantities. That is, when 2^48 SRTP packets or 2^31 SRTCP packets have been secured with the same key (whichever occurs before), the key management MUST be called to provide new master key(s) (previously stored and used keys MUST NOT be used again), or the session MUST be terminated. If a sender of RTCP discovers that the sender of SRTP (or SRTCP) has not updated the master or session key prior to sending 2^48 SRTP (or 2^31 SRTCP) packets belonging to the same SRTP (SRTCP) stream, it is up to the security policy of the RTCP sender how to behave, e.g., whether an RTCP BYE-packet should be sent and/or if the event should be logged.
在预定义的转换中使用SRTP和SRTCP索引可以固定使用相同密钥可以保护的最大数据包数。当单独考虑SRTP和SRTCP时,此限制固定为SRTP流的2^48 SRTP数据包和2^31 SRTCP数据包。由于例如重新键控,达到该限制可能与索引的包装一致,也可能不一致,因此发送方必须保持数据包计数。但是,当相关SRTP和SRTCP流的会话密钥来自同一主密钥(默认行为,第4.3节)时,实际上必须考虑的上限是这两个数量中的最小值。也就是说,当2^48 SRTP数据包或2^31 SRTCP数据包使用相同的密钥进行安全保护时(以较早发生的为准),必须调用密钥管理以提供新的主密钥(以前存储和使用的密钥不得再次使用),或者必须终止会话。如果RTCP的发送方发现SRTP(或SRTCP)的发送方在发送属于同一SRTP(SRTCP)流的2^48 SRTP(或2^31 SRTCP)数据包之前未更新主密钥或会话密钥,则取决于RTCP发送方的安全策略,例如。,是否应发送RTCP BYE数据包和/或是否应记录事件。
Note: in most typical applications (assuming at least one RTCP packet for every 128,000 RTP packets), it will be the SRTCP index that first reaches the upper limit, although the time until this occurs is very long: even at 200 SRTCP packets/sec, the 2^31 index space of SRTCP is enough to secure approximately 4 months of communication.
注意:在大多数典型应用中(假设每128000个RTP数据包中至少有一个RTCP数据包),SRTCP索引将首先达到上限,尽管达到上限的时间非常长:即使是200个SRTCP数据包/秒,SRTCP的2^31索引空间也足以确保大约4个月的通信安全。
Note that if the master key is to be shared between SRTP streams within the same RTP session (Section 9.1), although the above bounds are on a per stream (i.e., per SSRC) basis, the sender MUST base re-key decision on the stream whose sequence number space is the first to be exhausted.
注意,如果主密钥将在同一RTP会话(第9.1节)内的SRTP流之间共享,尽管上述边界是基于每个流(即,每个SSRC),但发送方必须基于序列号空间第一个耗尽的流进行重新密钥决策。
Key derivation limits the amount of plaintext that is encrypted with a fixed session key, and made available to an attacker for analysis, but key derivation does not extend the master key's lifetime. To see this, simply consider our requirements to avoid two-time pad: two distinct packets MUST either be processed with distinct IVs, or with distinct session keys, and both the distinctness of IV and of the session keys are (for the pre-defined transforms) dependent on the distinctness of the packet indices.
密钥派生限制了使用固定会话密钥加密并可供攻击者分析的明文量,但密钥派生不会延长主密钥的生命周期。为了看到这一点,简单地考虑我们的要求,以避免两个时间PAD:两个不同的数据包必须处理不同的IVS,或具有不同的会话密钥,并且IV和会话密钥的区别是(对于预定义的变换)依赖于分组索引的显著性。
Note that with the key derivation, the effective key size is at most that of the master key, even if the derived session key is considerably longer. With the pre-defined authentication transform, the session authentication key is 160 bits, but the master key by default is only 128 bits. This design choice was made to comply with certain recommendations in [RFC2104] so that an existing HMAC implementation can be plugged into SRTP without problems. Since the default tag size is 80 bits, it is, for the applications in mind, also considered acceptable from security point of view. Users having concerns about this are RECOMMENDED to instead use a 192 bit master key in the key derivation. It was, however, chosen not to mandate 192-bit keys since existing AES implementations to be used in the key-derivation may not always support key-lengths other than 128 bits. Since AES is not defined (or properly analyzed) for use with 160 bit keys it is NOT RECOMMENDED that ad-hoc key-padding schemes are used to pad shorter keys to 192 or 256 bits.
请注意,对于密钥派生,有效密钥大小最多为主密钥的大小,即使派生的会话密钥相当长。通过预定义的身份验证转换,会话身份验证密钥为160位,但默认情况下主密钥仅为128位。此设计选择符合[RFC2104]中的某些建议,因此现有HMAC实现可以毫无问题地插入SRTP。由于默认标记大小为80位,因此从安全角度来看,对于所考虑的应用程序,它也是可以接受的。对此有顾虑的用户建议在密钥派生中使用192位主密钥。然而,选择不强制要求192位密钥,因为密钥派生中使用的现有AES实现可能并不总是支持128位以外的密钥长度。由于AES未定义(或正确分析)用于160位密钥,因此不建议使用特殊密钥填充方案将较短的密钥填充到192或256位。
SRTP's pre-defined ciphers are "seekable" stream ciphers, i.e., ciphers able to efficiently seek to arbitrary locations in their keystream (so that the encryption or decryption of one packet does not depend on preceding packets). By using seekable stream ciphers, SRTP avoids the denial of service attacks that are possible on stream ciphers that lack this property. It is important to be aware that, as with any stream cipher, the exact length of the payload is revealed by the encryption. This means that it may be possible to
SRTP的预定义密码是“可搜索”流密码,即能够有效搜索其密钥流中任意位置的密码(因此一个数据包的加密或解密不依赖于前面的数据包)。通过使用可查找的流密码,SRTP避免了对缺少此属性的流密码可能发生的拒绝服务攻击。重要的是要知道,与任何流密码一样,有效负载的确切长度是通过加密显示的。这意味着有可能
deduce certain "formatting bits" of the payload, as the length of the codec output might vary due to certain parameter settings etc. This, in turn, implies that the corresponding bit of the keystream can be deduced. However, if the stream cipher is secure (counter mode and f8 are provably secure under certain assumptions [BDJR] [KSYH] [IK]), knowledge of a few bits of the keystream will not aid an attacker in predicting subsequent keystream bits. Thus, the payload length (and information deducible from this) will leak, but nothing else.
推导有效负载的某些“格式化位”,因为编解码器输出的长度可能因某些参数设置等而变化。这反过来意味着可以推导出密钥流的相应位。但是,如果流密码是安全的(计数器模式和f8在某些假设[BDJR][KSYH][IK]下是可证明安全的),则对密钥流的一些位的了解将不会帮助攻击者预测随后的密钥流位。因此,有效载荷长度(以及由此推断出的信息)将泄漏,但不会泄漏其他信息。
As some RTP packet could contain highly predictable data, e.g., SID, it is important to use a cipher designed to resist known plaintext attacks (which is the current practice).
由于某些RTP数据包可能包含高度可预测的数据,例如SID,因此必须使用设计用于抵抗已知明文攻击的密码(这是当前的做法)。
In SRTP, RTP headers are sent in the clear to allow for header compression. This means that data such as payload type, synchronization source identifier, and timestamp are available to an eavesdropper. Moreover, since RTP allows for future extensions of headers, we cannot foresee what kind of possibly sensitive information might also be "leaked".
在SRTP中,RTP报头以明文形式发送,以允许报头压缩。这意味着有效负载类型、同步源标识符和时间戳等数据可供窃听者使用。此外,由于RTP允许将来扩展报头,我们无法预见哪种可能的敏感信息也可能被“泄漏”。
SRTP is a low-cost method, which allows header compression to reduce bandwidth. It is up to the endpoints' policies to decide about the security protocol to employ. If one really needs to protect headers, and is allowed to do so by the surrounding environment, then one should also look at alternatives, e.g., IPsec [RFC2401].
SRTP是一种低成本的方法,它允许报头压缩以减少带宽。由端点的策略决定要采用的安全协议。如果确实需要保护头,并且周围环境允许这样做,那么还应该考虑其他选择,例如IPsec[RFC2401]。
SRTP messages are subject to attacks on their integrity and source identification, and these risks are discussed in Section 9.5.1. To protect against these attacks, each SRTP stream SHOULD be protected by HMAC-SHA1 [RFC2104] with an 80-bit output tag and a 160-bit key, or a message authentication code with equivalent strength. Secure RTP SHOULD NOT be used without message authentication, except under the circumstances described in this section. It is important to note that encryption algorithms, including AES Counter Mode and f8, do not provide message authentication. SRTCP MUST NOT be used with weak (or NULL) authentication.
SRTP消息的完整性和源标识会受到攻击,这些风险将在第9.5.1节中讨论。为了防止这些攻击,每个SRTP流都应该由HMAC-SHA1[RFC2104]保护,HMAC-SHA1[RFC2104]具有80位输出标签和160位密钥,或者具有同等强度的消息认证码。除非在本节描述的情况下,否则在没有消息身份验证的情况下不应使用安全RTP。需要注意的是,加密算法(包括AES计数器模式和f8)不提供消息身份验证。SRTCP不能与弱(或空)身份验证一起使用。
SRTP MAY be used with weak authentication (e.g., a 32-bit authentication tag), or with no authentication (the NULL authentication algorithm). These options allow SRTP to be used to provide confidentiality in situations where
SRTP可与弱身份验证(例如,32位身份验证标签)或无身份验证(空身份验证算法)一起使用。这些选项允许使用SRTP在以下情况下提供机密性:
* weak or null authentication is an acceptable security risk, and * it is impractical to provide strong message authentication.
* 弱身份验证或空身份验证是可接受的安全风险,并且*提供强消息身份验证是不切实际的。
These conditions are described below and in Section 7.5. Note that both conditions MUST hold in order for weak or null authentication to be used. The risks associated with exercising the weak or null authentication options need to be considered by a security audit prior to their use for a particular application or environment given the risks, which are discussed in Section 9.5.1.
这些条件在下文和第7.5节中描述。请注意,这两个条件都必须保持,才能使用弱身份验证或空身份验证。在将弱认证或空认证选项用于特定应用程序或环境之前,安全审计需要考虑与行使弱认证或空认证选项相关的风险,这些风险将在第9.5.1节中讨论。
Weak authentication is acceptable when the RTP application is such that the effect of a small fraction of successful forgeries is negligible. If the application is stateless, then the effect of a single forged RTP packet is limited to the decoding of that particular packet. Under this condition, the size of the authentication tag MUST ensure that only a negligible fraction of the packets passed to the RTP application by the SRTP receiver can be forgeries. This fraction is negligible when an adversary, if given control of the forged packets, is not able to make a significant impact on the output of the RTP application (see the example of Section 7.5).
当RTP应用程序中一小部分成功伪造的影响可以忽略时,弱身份验证是可以接受的。如果应用程序是无状态的,则单个伪造RTP数据包的效果仅限于对该特定数据包的解码。在这种情况下,身份验证标签的大小必须确保SRTP接收器传递给RTP应用程序的数据包中只有一小部分是伪造的。当对手在控制伪造数据包的情况下无法对RTP应用程序的输出产生重大影响时,该分数可以忽略不计(参见第7.5节的示例)。
Weak or null authentication MAY be acceptable when it is unlikely that an adversary can modify ciphertext so that it decrypts to an intelligible value. One important case is when it is difficult for an adversary to acquire the RTP plaintext data, since for many codecs, an adversary that does not know the input signal cannot manipulate the output signal in a controlled way. In many cases it may be difficult for the adversary to determine the actual value of the plaintext. For example, a hidden snooping device might be required in order to know a live audio or video signal. The adversary's signal must have a quality equivalent to or greater than that of the signal under attack, since otherwise the adversary would not have enough information to encode that signal with the codec used by the victim. Plaintext prediction may also be especially difficult for an interactive application such as a telephone call.
当对手不太可能修改密文以使其解密为可理解的值时,弱身份验证或空身份验证是可以接受的。一个重要的情况是当对手难以获取RTP明文数据时,因为对于许多编解码器,不知道输入信号的对手无法以受控方式操纵输出信号。在许多情况下,对手可能很难确定明文的实际价值。例如,为了了解实时音频或视频信号,可能需要一个隐藏的窥探设备。敌方信号的质量必须等于或大于被攻击信号的质量,因为否则敌方将没有足够的信息用受害者使用的编解码器对该信号进行编码。对于交互式应用程序(如电话呼叫),明文预测也可能特别困难。
Weak or null authentication MUST NOT be used when the RTP application makes data forwarding or access control decisions based on the RTP data. In such a case, an attacker may be able to subvert confidentiality by causing the receiver to forward data to an attacker. See Section 3 of [B96] for a real-life example of such attacks.
当RTP应用程序基于RTP数据做出数据转发或访问控制决策时,不得使用弱身份验证或空身份验证。在这种情况下,攻击者可以通过使接收方将数据转发给攻击者来破坏机密性。有关此类攻击的真实示例,请参见[B96]第3节。
Null authentication MUST NOT be used when a replay attack, in which an adversary stores packets then replays them later in the session, could have a non-negligible impact on the receiver. An example of a successful replay attack is the storing of the output of a surveillance camera for a period of time, later followed by the
当重放攻击(对手存储数据包,然后在会话中稍后重放数据包)可能对接收方产生不可忽略的影响时,不得使用空身份验证。成功重放攻击的一个例子是将监控摄像机的输出存储一段时间,然后再存储
injection of that output to the monitoring station to avoid surveillance. Encryption does not protect against this attack, and non-null authentication is REQUIRED in order to defeat it.
将该输出注入监测站以避免监测。加密无法抵御此攻击,因此需要非空身份验证才能击败此攻击。
If existential message forgery is an issue, i.e., when the accuracy of the received data is of non-negligible importance, null authentication MUST NOT be used.
如果存在伪造消息的问题,即当接收数据的准确性具有不可忽略的重要性时,不得使用空身份验证。
During a security audit considering the use of weak or null authentication, it is important to keep in mind the following attacks which are possible when no message authentication algorithm is used.
在考虑使用弱身份验证或空身份验证的安全审计期间,重要的是要记住以下攻击,这些攻击在未使用消息身份验证算法时可能发生。
An attacker who cannot predict the plaintext is still always able to modify the message sent between the sender and the receiver so that it decrypts to a random plaintext value, or to send a stream of bogus packets to the receiver that will decrypt to random plaintext values. This attack is essentially a denial of service attack, though in the absence of message authentication, the RTP application will have inputs that are bit-wise correlated with the true value. Some multimedia codecs and common operating systems will crash when such data are accepted as valid video data. This denial of service attack may be a much larger threat than that due to an attacker dropping, delaying, or re-ordering packets.
无法预测明文的攻击者仍然能够修改发送方和接收方之间发送的消息,使其解密为随机明文值,或向接收方发送伪造数据包流,以解密为随机明文值。此攻击本质上是一种拒绝服务攻击,尽管在没有消息身份验证的情况下,RTP应用程序将具有与真值相关的位输入。当这些数据被接受为有效的视频数据时,一些多媒体编解码器和通用操作系统将崩溃。这种拒绝服务攻击的威胁可能比攻击者丢弃、延迟或重新排序数据包造成的威胁大得多。
An attacker who cannot predict the plaintext can still replay a previous message with certainty that the receiver will accept it. Applications with stateless codecs might be robust against this type of attack, but for other, more complex applications these attacks may be far more grave.
无法预测明文的攻击者仍然可以重播以前的消息,并确信接收者会接受它。具有无状态编解码器的应用程序可能对这种类型的攻击具有鲁棒性,但对于其他更复杂的应用程序,这些攻击可能更严重。
An attacker who can predict the plaintext can modify the ciphertext so that it will decrypt to any value of her choosing. With an additive stream cipher, an attacker will always be able to change individual bits.
能够预测明文的攻击者可以修改密文,使其解密为她选择的任何值。使用加法流密码,攻击者将始终能够更改单个位。
An attacker may be able to subvert confidentiality due to the lack of authentication when a data forwarding or access control decision is made on decrypted but unauthenticated plaintext. This is because the receiver may be fooled into forwarding data to an attacker, leading to an indirect breach of confidentiality (see Section 3 of [B96]). This is because data-forwarding decisions are made on the decrypted plaintext; information in the plaintext will determine to what subnet (or process) the plaintext is forwarded in ESP [RFC2401] tunnel mode (respectively, transport mode). When Secure RTP is used without
当对解密但未经验证的明文做出数据转发或访问控制决定时,攻击者可能会由于缺乏身份验证而破坏机密性。这是因为接收者可能被愚弄,将数据转发给攻击者,从而间接违反保密性(见[B96]第3节)。这是因为数据转发决定是在解密的明文上做出的;明文中的信息将确定以ESP[RFC2401]隧道模式(分别为传输模式)将明文转发到哪个子网(或进程)。当使用安全RTP时,没有
message authentication, it should be verified that the application does not make data forwarding or access control decisions based on the decrypted plaintext.
消息身份验证时,应验证应用程序不会基于解密的明文做出数据转发或访问控制决策。
Some cipher modes of operation that require padding, e.g., standard cipher block chaining (CBC) are very sensitive to attacks on confidentiality if certain padding types are used in the absence of integrity. The attack [V02] shows that this is indeed the case for the standard RTP padding as discussed in reference to Figure 1, when used together with CBC mode. Later transform additions to SRTP MUST therefore carefully consider the risk of using this padding without proper integrity protection.
如果在缺乏完整性的情况下使用某些填充类型,则某些需要填充的密码操作模式(例如,标准密码块链接(CBC))对机密性攻击非常敏感。攻击[V02]表明,当与CBC模式一起使用时,标准RTP填充的情况确实如此,如参考图1所述。因此,对SRTP的后期变换添加必须仔细考虑使用这种填充而没有适当的完整性保护的风险。
The IV formation of the f8-mode gives implicit authentication (IHA) of the RTP header, even when message authentication is not used. When IHA is used, an attacker that modifies the value of the RTP header will cause the decryption process at the receiver to produce random plaintext values. While this protection is not equivalent to message authentication, it may be useful for some applications.
f8模式的IV格式提供RTP报头的隐式身份验证(IHA),即使未使用消息身份验证。使用IHA时,修改RTP报头值的攻击者将导致接收方的解密过程产生随机明文值。虽然这种保护并不等同于消息身份验证,但它可能对某些应用程序有用。
The default processing when using Forward Error Correction (e.g., RFC 2733) processing with SRTP SHALL be to perform FEC processing prior to SRTP processing on the sender side and to perform SRTP processing prior to FEC processing on the receiver side. Any change to this ordering (reversing it, or, placing FEC between SRTP encryption and SRTP authentication) SHALL be signaled out of band.
对SRTP使用前向纠错(例如RFC 2733)处理时的默认处理应是在发送方的SRTP处理之前执行FEC处理,在接收方的FEC处理之前执行SRTP处理。对该命令的任何更改(将其反转,或将FEC置于SRTP加密和SRTP认证之间)应发出带外信号。
SRTP can be used as security protocol for the RTP/RTCP traffic in many different scenarios. SRTP has a number of configuration options, in particular regarding key usage, and can have impact on the total performance of the application according to the way it is used. Hence, the use of SRTP is dependent on the kind of scenario and application it is used with. In the following, we briefly illustrate some use cases for SRTP, and give some guidelines for recommended setting of its options.
SRTP可以在许多不同的场景中用作RTP/RTCP流量的安全协议。SRTP有许多配置选项,特别是关于密钥使用的选项,并且根据其使用方式,可以对应用程序的总体性能产生影响。因此,SRTP的使用取决于它所使用的场景类型和应用程序。在下文中,我们简要说明了SRTP的一些用例,并给出了一些建议设置选项的指南。
A typical example would be a voice call or video-on-demand application.
典型的例子是语音通话或视频点播应用程序。
Consider one bi-directional RTP stream, as one RTP session. It is possible for the two parties to share the same master key in the two directions according to the principles of Section 9.1. The first round of the key derivation splits the master key into any or all of the following session keys (according to the provided security functions):
考虑一个双向RTP流,作为一个RTP会话。根据第9.1节的原则,双方可以在两个方向上共享相同的主密钥。第一轮密钥派生将主密钥拆分为以下任何或所有会话密钥(根据提供的安全功能):
SRTP_encr_key, SRTP_auth_key, SRTCP_encr_key, and SRTCP_auth key.
SRTP_encr_密钥、SRTP_auth_密钥、SRTCP_encr_密钥和SRTCP_auth密钥。
(For simplicity, we omit discussion of the salts, which are also derived.) In this scenario, it will in most cases suffice to have a single master key with the default lifetime. This guarantees sufficiently long lifetime of the keys and a minimum set of keys in place for most practical purposes. Also, in this case RTCP protection can be applied smoothly. Under these assumptions, use of the MKI can be omitted. As the key-derivation in combination with large difference in the packet rate in the respective directions may require simultaneous storage of several session keys, if storage is an issue, we recommended to use low-rate key derivation.
(为了简单起见,我们省略了对盐的讨论,盐也是派生出来的。)在这种情况下,在大多数情况下,拥有一个具有默认生存期的主密钥就足够了。这保证了钥匙有足够长的使用寿命,并为最实际的目的提供了一组最少的钥匙。此外,在这种情况下,RTCP保护可以顺利应用。在这些假设下,可以省略MKI的使用。由于密钥派生与各个方向上分组速率的巨大差异相结合,可能需要同时存储多个会话密钥,如果存在存储问题,我们建议使用低速率密钥派生。
The same considerations can be extended to the unicast scenario with multiple RTP sessions, where each session would have a distinct master key.
同样的考虑也可以扩展到具有多个RTP会话的单播场景,其中每个会话都有一个不同的主密钥。
Just as with (unprotected) RTP, a scalability issue arises in big groups due to the possibly very large amount of SRTCP Receiver Reports that the sender might need to process. In SRTP, the sender may have to keep state (the cryptographic context) for each receiver, or more precisely, for the SRTCP used to protect Receiver Reports. The overhead increases proportionally to the size of the group. In particular, re-keying requires special concern, see below.
与(不受保护的)RTP一样,由于发送方可能需要处理大量SRTCP接收方报告,因此在大型组中会出现可伸缩性问题。在SRTP中,发送方可能必须为每个接收方保留状态(加密上下文),或者更准确地说,为用于保护接收方报告的SRTCP保留状态。管理费用随团队规模成比例增加。特别是,重新键入需要特别关注,请参见下文。
Consider first a small group of receivers. There are a few possible setups with the distribution of master keys among the receivers. Given a single RTP session, one possibility is that the receivers share the same master key as per Section 9.1 to secure all their respective RTCP traffic. This shared master key could then be the same one used by the sender to protect its outbound SRTP traffic. Alternatively, it could be a master key shared only among the receivers and used solely for their SRTCP traffic. Both alternatives require the receivers to trust each other.
首先考虑一小部分接收器。在接收器之间分配主钥匙有一些可能的设置。给定单个RTP会话,一种可能性是,根据第9.1节,接收器共享相同的主密钥,以保护其各自的RTCP通信。然后,该共享主密钥可能与发送方用于保护其出站SRTP流量的主密钥相同。或者,它可以是仅在接收器之间共享的主密钥,并且仅用于其SRTCP通信。这两种选择都要求接收者相互信任。
Considering SRTCP and key storage, it is recommended to use low-rate (or zero) key_derivation (except the mandatory initial one), so that the sender does not need to store too many session keys (each SRTCP stream might otherwise have a different session key at a given point
考虑到SRTCP和密钥存储,建议使用低速率(或零)密钥派生(强制初始密钥除外),以便发送方不需要存储太多会话密钥(否则每个SRTCP流在给定点可能具有不同的会话密钥)
in time, as the SRTCP sources send at different times). Thus, in case key derivation is wanted for SRTP, the cryptographic context for SRTP can be kept separate from the SRTCP crypto context, so that it is possible to have a key_derivation_rate of 0 for SRTCP and a non-zero value for SRTP.
随着SRTCP源在不同时间发送的时间的推移)。因此,如果SRTP需要密钥派生,则SRTP的加密上下文可以与SRTCP加密上下文分开,以便SRTCP的密钥派生速率可以为0,SRTP的密钥派生速率可以为非零值。
Use of the MKI for re-keying is RECOMMENDED for most applications (see Section 8.1).
对于大多数应用,建议使用MKI重新设置密钥(见第8.1节)。
If there are more than one SRTP/SRTCP stream (within the same RTP session) that share the master key, the upper limit of 2^48 SRTP packets / 2^31 SRTCP packets means that, before one of the streams reaches its maximum number of packets, re-keying MUST be triggered on ALL streams sharing the master key. (From strict security point of view, only the stream reaching the maximum would need to be re-keyed, but then the streams would no longer be sharing master key, which is the intention.) A local policy at the sender side should force rekeying in a way that the maximum packet limit is not reached on any of the streams. Use of the MKI for re-keying is RECOMMENDED.
如果有多个SRTP/SRTCP流(在同一RTP会话中)共享主密钥,则2^48 SRTP数据包/2^31 SRTCP数据包的上限意味着,在其中一个数据流达到其最大数据包数之前,必须在共享主密钥的所有数据流上触发重设密钥。(从严格的安全性角度来看,只有达到最大值的流才需要重新设置密钥,但随后这些流将不再共享主密钥,这就是目的。)发送方的本地策略应强制以一种方式重新设置密钥,即在任何流上都不会达到最大数据包限制。建议使用MKI重新设置密钥。
In large multicast with one sender, the same considerations as for the small group multicast hold. The biggest issue in this scenario is the additional load placed at the sender side, due to the state (cryptographic contexts) that has to be maintained for each receiver, sending back RTCP Receiver Reports. At minimum, a replay window might need to be maintained for each RTCP source.
在只有一个发送方的大型多播中,考虑的因素与小组多播相同。在这种情况下,最大的问题是由于必须为每个接收器维护的状态(加密上下文)而在发送方端施加的额外负载,从而发回RTCP接收器报告。至少,可能需要为每个RTCP源维护一个重播窗口。
Re-keying may occur due to access control (e.g., when a member is removed during a multicast RTP session), or for pure cryptographic reasons (e.g., the key is at the end of its lifetime). When using SRTP default transforms, the master key MUST be replaced before any of the index spaces are exhausted for any of the streams protected by one and the same master key.
由于访问控制(例如,当一个成员在多播RTP会话期间被移除时)或纯粹的密码原因(例如,密钥在其生命周期结束时),可能会发生重设密钥。使用SRTP default转换时,必须先替换主键,然后才能为受同一主键保护的任何流耗尽任何索引空间。
How key management re-keys SRTP implementations is out of scope, but it is clear that there are straightforward ways to manage keys for a multicast group. In one-sender multicast, for example, it is typically the responsibility of the sender to determine when a new key is needed. The sender is the one entity that can keep track of when the maximum number of packets has been sent, as receivers may join and leave the session at any time, there may be packet loss and delay etc. In scenarios other than one-sender multicast, other methods can be used. Here, one must take into consideration that key exchange can be a costly operation, taking several seconds for a single exchange. Hence, some time before the master key is exhausted/expires, out-of-band key management is initiated, resulting
密钥管理如何为SRTP实现重新设置密钥超出了范围,但显然有一些简单的方法可以管理多播组的密钥。例如,在一个发送方多播中,发送方通常负责确定何时需要新密钥。发送方是一个实体,可以跟踪何时发送了最大数量的数据包,因为接收方可能随时加入和离开会话,可能存在数据包丢失和延迟等。在一个发送方多播之外的场景中,可以使用其他方法。在这里,必须考虑到密钥交换可能是一项代价高昂的操作,一次交换需要几秒钟的时间。因此,在主密钥耗尽/过期之前的一段时间,启动带外密钥管理,从而
in a new master key that is shared with the receiver(s). In any event, to maintain synchronization when switching to the new key, group policy might choose between using the MKI and the <From, To>, as described in Section 8.1.
在与接收器共享的新主密钥中。在任何情况下,为了在切换到新密钥时保持同步,组策略可能会在使用MKI和<From,to>之间进行选择,如第8.1节所述。
For access control purposes, the <From, To> periods are set at the desired granularity, dependent on the packet rate. High rate re-keying can be problematic for SRTCP in some large-group scenarios. As mentioned, there are potential problems in using the SRTP index, rather than the SRTCP index, for determining the master key. In particular, for short periods during switching of master keys, it may be the case that SRTCP packets are not under the current master key of the correspondent SRTP. Therefore, using the MKI for re-keying in such scenarios will produce better results.
出于访问控制的目的,<From,To>时段被设置为所需的粒度,具体取决于分组速率。在某些大型组场景中,SRTCP的高速重设密钥可能会出现问题。如前所述,在使用SRTP索引而不是SRTCP索引来确定主密钥时存在潜在问题。特别地,对于主密钥切换期间的短时间,可能存在SRTCP分组不在对应SRTP的当前主密钥之下的情况。因此,在此类场景中使用MKI重新键入将产生更好的结果。
The description of these scenarios highlights some recommendations on the use of SRTP, mainly related to re-keying and large scale multicast:
这些场景的描述强调了有关SRTP使用的一些建议,主要与密钥更新和大规模多播相关:
- Do not use fast re-keying with the <From, To> feature. It may, in particular, give problems in retrieving the correct SRTCP key, if an SRTCP packet arrives close to the re-keying time. The MKI SHOULD be used in this case.
- 不要使用<From,To>功能快速重新设置关键帧。特别是,如果SRTCP数据包到达的时间接近重新设置密钥的时间,则可能会在检索正确的SRTCP密钥时出现问题。在这种情况下,应使用MKI。
- If multiple SRTP streams in the same RTP session share the same master key, also moderate rate re-keying MAY have the same problems, and the MKI SHOULD be used.
- 如果同一RTP会话中的多个SRTP流共享同一主密钥,那么中等速率的密钥重设也可能有相同的问题,并且应该使用MKI。
- Though offering increased security, a non-zero key_derivation_rate is NOT RECOMMENDED when trying to minimize the number of keys in use with multiple streams.
- 虽然提供了更高的安全性,但在尝试最小化多个流中使用的密钥数量时,不建议使用非零密钥派生率。
The RTP specification establishes a registry of profile names for use by higher-level control protocols, such as the Session Description Protocol (SDP), to refer to transport methods. This profile registers the name "RTP/SAVP".
RTP规范建立了一个配置文件名称注册表,供更高级别的控制协议(如会话描述协议(SDP))使用,以引用传输方法。此配置文件注册名称“RTP/SAVP”。
SRTP uses cryptographic transforms which a key management protocol signals. It is the task of each particular key management protocol to register the cryptographic transforms or suites of transforms with IANA. The key management protocol conveys these protocol numbers, not SRTP, and each key management protocol chooses the numbering scheme and syntax that it requires.
SRTP使用密钥管理协议发出信号的加密转换。每个特定密钥管理协议的任务是向IANA注册加密转换或转换套件。密钥管理协议传递这些协议编号,而不是SRTP,每个密钥管理协议选择它所需的编号方案和语法。
Specification of a key management protocol for SRTP is out of scope here. Section 8.2, however, provides guidance on the parameters that need to be defined for the default and mandatory transforms.
SRTP密钥管理协议的规范超出了本文的范围。但是,第8.2节提供了有关需要为默认和强制转换定义的参数的指导。
David Oran (Cisco) and Rolf Blom (Ericsson) are co-authors of this document but their valuable contributions are acknowledged here to keep the length of the author list down.
David Oran(Cisco)和Rolf Blom(Ericsson)是本文档的共同作者,但为了缩短作者列表的长度,他们的宝贵贡献在这里得到了认可。
The authors would in addition like to thank Magnus Westerlund, Brian Weis, Ghyslain Pelletier, Morgan Lindqvist, Robert Fairlie-Cuninghame, Adrian Perrig, the AVT WG and in particular the chairmen Colin Perkins and Stephen Casner, the Transport and Security Area Directors, and Eric Rescorla for their reviews and support.
作者还想感谢Magnus Westerlund、Brian Weis、Ghyslain Pelletier、Morgan Lindqvist、Robert Fairlie Cuninghame、Adrian Perrig、AVT工作组,特别是主席Colin Perkins和Stephen Casner、交通和安全区域总监以及Eric Rescorla的评论和支持。
[AES] NIST, "Advanced Encryption Standard (AES)", FIPS PUB 197,
http://www.nist.gov/aes/
[AES] NIST, "Advanced Encryption Standard (AES)", FIPS PUB 197,
http://www.nist.gov/aes/
[RFC2104] Krawczyk, H., Bellare, M. and R. Canetti, "HMAC: Keyed-Hashing for Message Authentication", RFC 2104, February 1997.
[RFC2104]Krawczyk,H.,Bellare,M.和R.Canetti,“HMAC:用于消息认证的键控哈希”,RFC 2104,1997年2月。
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC2119]Bradner,S.,“RFC中用于表示需求水平的关键词”,BCP 14,RFC 2119,1997年3月。
[RFC2401] Kent, S. and R. Atkinson, "Security Architecture for Internet Protocol", RFC 2401, November 1998.
[RFC2401]Kent,S.和R.Atkinson,“互联网协议的安全架构”,RFC 2401,1998年11月。
[RFC2828] Shirey, R., "Internet Security Glossary", FYI 36, RFC 2828, May 2000.
[RFC2828]Shirey,R.,“互联网安全词汇表”,FYI 36,RFC 2828,2000年5月。
[RFC3550] Schulzrinne, H., Casner, S., Frederick, R. and V. Jacobson, "RTP: A Transport Protocol for Real-time Applications", RFC 3550, July 2003.
[RFC3550]Schulzrinne,H.,Casner,S.,Frederick,R.和V.Jacobson,“RTP:实时应用的传输协议”,RFC 35502003年7月。
[RFC3551] Schulzrinne, H. and S. Casner, "RTP Profile for Audio and Video Conferences with Minimal Control", RFC 3551, July 2003.
[RFC3551]Schulzrinne,H.和S.Casner,“具有最小控制的音频和视频会议的RTP配置文件”,RFC 35512003年7月。
[AES-CTR] Lipmaa, H., Rogaway, P. and D. Wagner, "CTR-Mode
Encryption", NIST, http://csrc.nist.gov/encryption/modes/
workshop1/papers/lipmaa-ctr.pdf
[AES-CTR] Lipmaa, H., Rogaway, P. and D. Wagner, "CTR-Mode
Encryption", NIST, http://csrc.nist.gov/encryption/modes/
workshop1/papers/lipmaa-ctr.pdf
[B96] Bellovin, S., "Problem Areas for the IP Security Protocols," in Proceedings of the Sixth Usenix Unix Security Symposium, pp. 1-16, San Jose, CA, July 1996 (http://www.research.att.com/~smb/papers/index.html).
[B96]Bellovin,S.,“IP安全协议的问题领域”,《第六届Usenix Unix安全研讨会论文集》,第1-16页,加利福尼亚州圣何塞,1996年7月(http://www.research.att.com/~smb/papers/index.html)。
[BDJR] Bellare, M., Desai, A., Jokipii, E. and P. Rogaway, "A Concrete Treatment of Symmetric Encryption: Analysis of DES Modes of Operation", Proceedings 38th IEEE FOCS, pp. 394- 403, 1997.
[BDJR]Bellare,M.,Desai,A.,Jokipii,E.和P.Rogaway,“对称加密的具体处理:DES操作模式分析”,第38届IEEE FOCS会议记录,第394-403页,1997年。
[BS00] Biryukov, A. and A. Shamir, "Cryptanalytic Time/Memory/Data Tradeoffs for Stream Ciphers", Proceedings, ASIACRYPT 2000, LNCS 1976, pp. 1-13, Springer Verlag.
[BS00]Biryukov,A.和A.Shamir,“流密码的密码分析时间/内存/数据权衡”,会议记录,ASIACRYPT 2000,LNCS 1976,第1-13页,Springer Verlag。
[C99] Crowell, W. P., "Introduction to the VENONA Project", http://www.nsa.gov:8080/docs/venona/index.html.
[C99]Crowell,W.P.,“维诺纳项目简介”,http://www.nsa.gov:8080/docs/venona/index.html.
[CTR] Dworkin, M., NIST Special Publication 800-38A, "Recommendation for Block Cipher Modes of Operation: Methods and Techniques", 2001. http://csrc.nist.gov/publications/nistpubs/800-38a/sp800- 38a.pdf.
[CTR]Dworkin,M.,NIST特别出版物800-38A,“分组密码操作模式的建议:方法和技术”,2001年。http://csrc.nist.gov/publications/nistpubs/800-38a/sp800- 38a.pdf。
[f8-a] 3GPP TS 35.201 V4.1.0 (2001-12) Technical Specification 3rd Generation Partnership Project; Technical Specification Group Services and System Aspects; 3G Security; Specification of the 3GPP Confidentiality and Integrity Algorithms; Document 1: f8 and f9 Specification (Release 4).
[f8-a]3GPP TS 35.201 V4.1.0(2001-12)技术规范第三代合作伙伴项目;技术规范组服务和系统方面;3G安全;3GPP保密性和完整性算法的规范;文件1:f8和f9规范(版本4)。
[f8-b] 3GPP TR 33.908 V4.0.0 (2001-09) Technical Report 3rd Generation Partnership Project; Technical Specification Group Services and System Aspects; 3G Security; General Report on the Design, Specification and Evaluation of 3GPP Standard Confidentiality and Integrity Algorithms (Release 4).
[f8-b]3GPP TR 33.908 V4.0.0(2001-09)技术报告第三代合作伙伴项目;技术规范组服务和系统方面;3G安全;关于3GPP标准保密性和完整性算法的设计、规范和评估的一般报告(第4版)。
[GDOI] Baugher, M., Weis, B., Hardjono, T. and H. Harney, "The Group Domain of Interpretation, RFC 3547, July 2003.
[GDOI]Baugher,M.,Weis,B.,Hardjono,T.和H.Harney,“解释的集团领域,RFC 3547,2003年7月。
[HAC] Menezes, A., Van Oorschot, P. and S. Vanstone, "Handbook of Applied Cryptography", CRC Press, 1997, ISBN 0-8493- 8523-7.
[HAC]Menezes,A.,Van Oorschot,P.和S.Vanstone,“应用密码学手册”,CRC出版社,1997年,ISBN 0-8493-8523-7。
[H80] Hellman, M. E., "A cryptanalytic time-memory trade-off", IEEE Transactions on Information Theory, July 1980, pp. 401-406.
[H80]Hellman,M.E.,“密码分析的时间记忆权衡”,IEEE信息论交易,1980年7月,第401-406页。
[IK] T. Iwata and T. Kohno: "New Security Proofs for the 3GPP Confidentiality and Integrity Algorithms", Proceedings of FSE 2004.
[IK]T.Iwata和T.Kohno:“3GPP保密性和完整性算法的新安全证明”,FSE 2004年会议记录。
[KINK] Thomas, M. and J. Vilhuber, "Kerberized Internet Negotiation of Keys (KINK)", Work in Progress.
[KINK]Thomas,M.和J.Vilhuber,“Kerberized Internet密钥协商(KINK)”,正在进行中。
[KEYMGT] Arrko, J., et al., "Key Management Extensions for Session Description Protocol (SDP) and Real Time Streaming Protocol (RTSP)", Work in Progress.
[KEYMGT]Arrko,J.等人,“会话描述协议(SDP)和实时流协议(RTSP)的密钥管理扩展”,正在进行中。
[KSYH] Kang, J-S., Shin, S-U., Hong, D. and O. Yi, "Provable Security of KASUMI and 3GPP Encryption Mode f8", Proceedings Asiacrypt 2001, Springer Verlag LNCS 2248, pp. 255-271, 2001.
[KSYH]Kang,J-S.,Shin,S-U.,Hong,D.和O.Yi,“KASUMI和3GPP加密模式f8的可证明安全性”,Asiacrypt 2001年论文集,Springer Verlag LNCS 2248,第255-271页,2001年。
[MIKEY] Arrko, J., et. al., "MIKEY: Multimedia Internet KEYing", Work in Progress.
[MIKEY]Arrko,J.等人,“MIKEY:多媒体互联网键控”,正在进行的工作。
[MF00] McGrew, D. and S. Fluhrer, "Attacks on Encryption of Redundant Plaintext and Implications on Internet Security", the Proceedings of the Seventh Annual Workshop on Selected Areas in Cryptography (SAC 2000), Springer-Verlag.
[MF00]McGrew,D.和S.Fluhrer,“对冗余明文加密的攻击及其对互联网安全的影响”,第七届密码学选定领域年度研讨会论文集(SAC 2000),Springer Verlag。
[PCST1] Perrig, A., Canetti, R., Tygar, D. and D. Song, "Efficient and Secure Source Authentication for Multicast", in Proc. of Network and Distributed System Security Symposium NDSS 2001, pp. 35-46, 2001.
[PCST1]Perrig,A.,Canetti,R.,Tygar,D.和D.Song,“多播的高效安全源认证”,在Proc。网络和分布式系统安全研讨会NDSS 2001,第35-46页,2001年。
[PCST2] Perrig, A., Canetti, R., Tygar, D. and D. Song, "Efficient Authentication and Signing of Multicast Streams over Lossy Channels", in Proc. of IEEE Security and Privacy Symposium S&P2000, pp. 56-73, 2000.
[PCST2]Perrig,A.,Canetti,R.,Tygar,D.和D.Song,“有损信道上多播流的有效认证和签名”,在Proc。IEEE安全和隐私研讨会S&P2000,第56-73页,2000年。
[RFC1750] Eastlake, D., Crocker, S. and J. Schiller, "Randomness Recommendations for Security", RFC 1750, December 1994.
[RFC1750]Eastlake,D.,Crocker,S.和J.Schiller,“安全性的随机性建议”,RFC 1750,1994年12月。
[RFC2675] Borman, D., Deering, S. and R. Hinden, "IPv6 Jumbograms", RFC 2675, August 1999.
[RFC2675]Borman,D.,Deering,S.和R.Hinden,“IPv6巨型程序”,RFC 26751999年8月。
[RFC3095] Bormann, C., Burmeister, C., Degermark, M., Fukuhsima, H., Hannu, H., Jonsson, L-E., Hakenberg, R., Koren, T., Le, K., Liu, Z., Martensson, A., Miyazaki, A., Svanbro, K., Wiebke, T., Yoshimura, T. and H. Zheng, "RObust Header Compression: Framework and Four Profiles: RTP, UDP, ESP, and uncompressed (ROHC)", RFC 3095, July 2001.
[RFC3095]Bormann,C.,Burmeister,C.,Degermark,M.,Fukuxima,H.,Hannu,H.,Jonsson,L-E.,Hakenberg,R.,Koren,T.,Le,K.,Liu,Z.,Martenson,A.,Miyazaki,A.,Svanbro,K.,Wiebke,T.,Yoshimura,T.和H.Zheng,“鲁棒头压缩:框架和四个配置文件:RTP,UDP,ESP和未压缩(ROHC)”,RFC 3095,2001年7月。
[RFC3242] Jonsson, L-E. and G. Pelletier, "RObust Header Compression (ROHC): A Link-Layer Assisted Profile for IP/UDP/RTP ", RFC 3242, April 2002.
[RFC3242]Jonsson,L-E.和G.Pelletier,“鲁棒报头压缩(ROHC):IP/UDP/RTP的链路层辅助配置文件”,RFC 3242,2002年4月。
[SDMS] Andreasen, F., Baugher, M. and D. Wing, "Session Description Protocol Security Descriptions for Media Streams", Work in Progress.
[SDMS]Andreasen,F.,Baugher,M.和D.Wing,“媒体流的会话描述协议安全描述”,正在进行中。
[SWO] Svanbro, K., Wiorek, J. and B. Olin, "Voice-over-IP-over-wireless", Proc. PIMRC 2000, London, Sept. 2000.
[SWO]Svanbro,K.,Wiorek,J.和B.Olin,“无线IP语音”,Proc。PIMRC 2000,伦敦,2000年9月。
[V02] Vaudenay, S., "Security Flaws Induced by CBC Padding - Application to SSL, IPsec, WTLS...", Advances in Cryptology, EUROCRYPT'02, LNCS 2332, pp. 534-545.
[V02]Vaudenay,S.,“CBC填充引起的安全缺陷-SSL、IPsec、WTLS的应用…”,密码学进展,EUROCRYPT'02,LNCS 2332,第534-545页。
[WC81] Wegman, M. N., and J.L. Carter, "New Hash Functions and Their Use in Authentication and Set Equality", JCSS 22, 265-279, 1981.
[WC81]Wegman,M.N.和J.L.Carter,“新的哈希函数及其在身份验证和集相等中的使用”,JCSS 22265-279,1981年。
Appendix A: Pseudocode for Index Determination
附录A:指数确定的伪代码
The following is an example of pseudo-code for the algorithm to determine the index i of an SRTP packet with sequence number SEQ. In the following, signed arithmetic is assumed.
以下是用于确定序列号为SEQ的SRTP分组的索引i的算法的伪代码示例。在下文中,假定使用有符号算术。
if (s_l < 32,768) if (SEQ - s_l > 32,768) set v to (ROC-1) mod 2^32 else set v to ROC endif else if (s_l - 32,768 > SEQ) set v to (ROC+1) mod 2^32 else set v to ROC endif endif return SEQ + v*65,536
if(su l<32768)if(SEQ-su l>32768)将v设置为(ROC-1)mod 2^32 else将v设置为ROC endif else if(su l-32768>SEQ)将v设置为(ROC+1)mod 2^32 else将v设置为ROC endif endif返回SEQ+v*65536
Appendix B: Test Vectors
附录B:测试向量
All values are in hexadecimal.
所有值均为十六进制。
SRTP PREFIX LENGTH : 0
SRTP前缀长度:0
RTP packet header : 806e5cba50681de55c621599
RTP数据包头:806e5cba50681de55c621599
RTP packet payload : 70736575646f72616e646f6d6e657373 20697320746865206e65787420626573 74207468696e67
RTP数据包有效负载:70736575646F72616E646F6D6E6573373 2069732074665206E6577420626573 7420746696E67
ROC : d462564a
key : 234829008467be186c3de14aae72d62c
salt key : 32f2870d
key-mask (m) : 32f2870d555555555555555555555555
key XOR key-mask : 11baae0dd132eb4d3968b41ffb278379
ROC : d462564a
key : 234829008467be186c3de14aae72d62c
salt key : 32f2870d
key-mask (m) : 32f2870d555555555555555555555555
key XOR key-mask : 11baae0dd132eb4d3968b41ffb278379
IV : 006e5cba50681de55c621599d462564a
IV' : 595b699bbd3bc0df26062093c1ad8f73
IV : 006e5cba50681de55c621599d462564a
IV' : 595b699bbd3bc0df26062093c1ad8f73
j = 0
IV' xor j : 595b699bbd3bc0df26062093c1ad8f73
S(-1) : 00000000000000000000000000000000
IV' xor S(-1) xor j : 595b699bbd3bc0df26062093c1ad8f73
S(0) : 71ef82d70a172660240709c7fbb19d8e
plaintext : 70736575646f72616e646f6d6e657373
ciphertext : 019ce7a26e7854014a6366aa95d4eefd
j = 0
IV' xor j : 595b699bbd3bc0df26062093c1ad8f73
S(-1) : 00000000000000000000000000000000
IV' xor S(-1) xor j : 595b699bbd3bc0df26062093c1ad8f73
S(0) : 71ef82d70a172660240709c7fbb19d8e
plaintext : 70736575646f72616e646f6d6e657373
ciphertext : 019ce7a26e7854014a6366aa95d4eefd
j = 1
IV' xor j : 595b699bbd3bc0df26062093c1ad8f72
S(0) : 71ef82d70a172660240709c7fbb19d8e
IV' xor S(0) xor j : 28b4eb4cb72ce6bf020129543a1c12fc
S(1) : 3abd640a60919fd43bd289a09649b5fc
plaintext : 20697320746865206e65787420626573
ciphertext : 1ad4172a14f9faf455b7f1d4b62bd08f
j = 1
IV' xor j : 595b699bbd3bc0df26062093c1ad8f72
S(0) : 71ef82d70a172660240709c7fbb19d8e
IV' xor S(0) xor j : 28b4eb4cb72ce6bf020129543a1c12fc
S(1) : 3abd640a60919fd43bd289a09649b5fc
plaintext : 20697320746865206e65787420626573
ciphertext : 1ad4172a14f9faf455b7f1d4b62bd08f
j = 2
IV' xor j : 595b699bbd3bc0df26062093c1ad8f71
S(1) : 3abd640a60919fd43bd289a09649b5fc
IV' xor S(1) xor j : 63e60d91ddaa5f0b1dd4a93357e43a8d
S(2) : 220c7a8715266565b09ecc8a2a62b11b
plaintext : 74207468696e67
ciphertext : 562c0eef7c4802
j = 2
IV' xor j : 595b699bbd3bc0df26062093c1ad8f71
S(1) : 3abd640a60919fd43bd289a09649b5fc
IV' xor S(1) xor j : 63e60d91ddaa5f0b1dd4a93357e43a8d
S(2) : 220c7a8715266565b09ecc8a2a62b11b
plaintext : 74207468696e67
ciphertext : 562c0eef7c4802
Keystream segment length: 1044512 octets (65282 AES blocks)
Session Key: 2B7E151628AED2A6ABF7158809CF4F3C
Rollover Counter: 00000000
Sequence Number: 0000
SSRC: 00000000
Session Salt: F0F1F2F3F4F5F6F7F8F9FAFBFCFD0000 (already shifted)
Offset: F0F1F2F3F4F5F6F7F8F9FAFBFCFD0000
Keystream segment length: 1044512 octets (65282 AES blocks)
Session Key: 2B7E151628AED2A6ABF7158809CF4F3C
Rollover Counter: 00000000
Sequence Number: 0000
SSRC: 00000000
Session Salt: F0F1F2F3F4F5F6F7F8F9FAFBFCFD0000 (already shifted)
Offset: F0F1F2F3F4F5F6F7F8F9FAFBFCFD0000
Counter Keystream
计数器键流
F0F1F2F3F4F5F6F7F8F9FAFBFCFD0000 E03EAD0935C95E80E166B16DD92B4EB4
F0F1F2F3F4F5F6F7F8F9FAFBFCFD0001 D23513162B02D0F72A43A2FE4A5F97AB
F0F1F2F3F4F5F6F7F8F9FAFBFCFD0002 41E95B3BB0A2E8DD477901E4FCA894C0
... ...
F0F1F2F3F4F5F6F7F8F9FAFBFCFDFEFF EC8CDF7398607CB0F2D21675EA9EA1E4
F0F1F2F3F4F5F6F7F8F9FAFBFCFDFF00 362B7C3C6773516318A077D7FC5073AE
F0F1F2F3F4F5F6F7F8F9FAFBFCFDFF01 6A2CC3787889374FBEB4C81B17BA6C44
F0F1F2F3F4F5F6F7F8F9FAFBFCFD0000 E03EAD0935C95E80E166B16DD92B4EB4
F0F1F2F3F4F5F6F7F8F9FAFBFCFD0001 D23513162B02D0F72A43A2FE4A5F97AB
F0F1F2F3F4F5F6F7F8F9FAFBFCFD0002 41E95B3BB0A2E8DD477901E4FCA894C0
... ...
F0F1F2F3F4F5F6F7F8F9FAFBFCFDFEFF EC8CDF7398607CB0F2D21675EA9EA1E4
F0F1F2F3F4F5F6F7F8F9FAFBFCFDFF00 362B7C3C6773516318A077D7FC5073AE
F0F1F2F3F4F5F6F7F8F9FAFBFCFDFF01 6A2CC3787889374FBEB4C81B17BA6C44
Nota Bene: this test case is contrived so that the latter part of the keystream segment coincides with the test case in Section F.5.1 of [CTR].
注:该测试用例的设计使密钥流段的后部分与[CTR]第F.5.1节中的测试用例一致。
This section provides test data for the default key derivation function, which uses AES-128 in Counter Mode. In the following, we walk through the initial key derivation for the AES-128 Counter Mode cipher, which requires a 16 octet session encryption key and a 14 octet session salt, and an authentication function which requires a 94-octet session authentication key. These values are called the cipher key, the cipher salt, and the auth key in the following. Since this is the initial key derivation and the key derivation rate is equal to zero, the value of (index DIV key_derivation_rate) is zero (actually, a six-octet string of zeros). In the following, we shorten key_derivation_rate to kdr.
本节提供默认密钥派生函数的测试数据,该函数在计数器模式下使用AES-128。在下文中,我们将介绍AES-128计数器模式密码的初始密钥派生,该密码需要16个八位字节会话加密密钥和14个八位字节会话salt,以及需要94个八位字节会话认证密钥的认证函数。这些值在下文中称为密码密钥、密码盐和身份验证密钥。由于这是初始密钥派生,并且密钥派生率等于零,因此(index DIV key_delivery_rate)的值为零(实际上是一个六个八位组的零字符串)。在下面,我们将key_派生率缩短为kdr。
The inputs to the key derivation function are the 16 octet master key and the 14 octet master salt:
密钥派生函数的输入是16个八位字节的主密钥和14个八位字节的主密钥:
master key: E1F97A0D3E018BE0D64FA32C06DE4139 master salt: 0EC675AD498AFEEBB6960B3AABE6
主密钥:E1F97A0D3E018BE0D64FA32C06DE4139主密钥:0EC675AD498AFEEBB6960B3AABE6
We first show how the cipher key is generated. The input block for AES-CM is generated by exclusive-oring the master salt with the concatenation of the encryption key label 0x00 with (index DIV kdr), then padding on the right with two null octets (which implements the multiply-by-2^16 operation, see Section 4.3.3). The resulting value is then AES-CM- encrypted using the master key to get the cipher key.
我们首先展示密码密钥是如何生成的。AES-CM的输入块是通过将加密密钥标签0x00与(索引DIV kdr)串联,然后在右侧填充两个空八位组(实现乘2^16运算,请参见第4.3.3节)来生成的。然后使用主密钥对结果值进行AES-CM加密,以获得密码密钥。
index DIV kdr: 000000000000
label: 00
master salt: 0EC675AD498AFEEBB6960B3AABE6
-----------------------------------------------
xor: 0EC675AD498AFEEBB6960B3AABE6 (x, PRF input)
index DIV kdr: 000000000000
label: 00
master salt: 0EC675AD498AFEEBB6960B3AABE6
-----------------------------------------------
xor: 0EC675AD498AFEEBB6960B3AABE6 (x, PRF input)
x*2^16: 0EC675AD498AFEEBB6960B3AABE60000 (AES-CM input)
x*2^16: 0EC675AD498AFEEBB6960B3AABE60000 (AES-CM input)
cipher key: C61E7A93744F39EE10734AFE3FF7A087 (AES-CM output)
密码密钥:C61E7A93744F39EE10734AFE3FF7A087(AES-CM输出)
Next, we show how the cipher salt is generated. The input block for AES-CM is generated by exclusive-oring the master salt with the concatenation of the encryption salt label. That value is padded and encrypted as above.
接下来,我们将展示密码salt是如何生成的。AES-CM的输入块是通过将主盐与加密盐标签的串联进行异或生成的。该值如上所述进行填充和加密。
index DIV kdr: 000000000000 label: 02 master salt: 0EC675AD498AFEEBB6960B3AABE6
索引分区kdr:000000000000标签:02主盐:0EC675AD498AFEEBB6960B3AABE6
----------------------------------------------
xor: 0EC675AD498AFEE9B6960B3AABE6 (x, PRF input)
----------------------------------------------
xor: 0EC675AD498AFEE9B6960B3AABE6 (x, PRF input)
x*2^16: 0EC675AD498AFEE9B6960B3AABE60000 (AES-CM input)
x*2^16: 0EC675AD498AFEE9B6960B3AABE60000 (AES-CM input)
30CBBC08863D8C85D49DB34A9AE17AC6 (AES-CM ouptut)
30CBBC08863D8C85D49DB34A9AE17AC6(AES-CM组)
cipher salt: 30CBBC08863D8C85D49DB34A9AE1
密码:30CBBC08863D8C85D49DB34A9AE1
We now show how the auth key is generated. The input block for AES-CM is generated as above, but using the authentication key label.
我们现在展示如何生成auth密钥。AES-CM的输入块如上所述生成,但使用身份验证密钥标签。
index DIV kdr: 000000000000
label: 01
master salt: 0EC675AD498AFEEBB6960B3AABE6
-----------------------------------------------
xor: 0EC675AD498AFEEAB6960B3AABE6 (x, PRF input)
index DIV kdr: 000000000000
label: 01
master salt: 0EC675AD498AFEEBB6960B3AABE6
-----------------------------------------------
xor: 0EC675AD498AFEEAB6960B3AABE6 (x, PRF input)
x*2^16: 0EC675AD498AFEEAB6960B3AABE60000 (AES-CM input)
x*2^16: 0EC675AD498AFEEAB6960B3AABE60000 (AES-CM input)
Below, the auth key is shown on the left, while the corresponding AES input blocks are shown on the right.
下面,auth键显示在左侧,而相应的AES输入块显示在右侧。
auth key AES input blocks
CEBE321F6FF7716B6FD4AB49AF256A15 0EC675AD498AFEEAB6960B3AABE60000
6D38BAA48F0A0ACF3C34E2359E6CDBCE 0EC675AD498AFEEAB6960B3AABE60001
E049646C43D9327AD175578EF7227098 0EC675AD498AFEEAB6960B3AABE60002
6371C10C9A369AC2F94A8C5FBCDDDC25 0EC675AD498AFEEAB6960B3AABE60003
6D6E919A48B610EF17C2041E47403576 0EC675AD498AFEEAB6960B3AABE60004
6B68642C59BBFC2F34DB60DBDFB2 0EC675AD498AFEEAB6960B3AABE60005
auth key AES input blocks
CEBE321F6FF7716B6FD4AB49AF256A15 0EC675AD498AFEEAB6960B3AABE60000
6D38BAA48F0A0ACF3C34E2359E6CDBCE 0EC675AD498AFEEAB6960B3AABE60001
E049646C43D9327AD175578EF7227098 0EC675AD498AFEEAB6960B3AABE60002
6371C10C9A369AC2F94A8C5FBCDDDC25 0EC675AD498AFEEAB6960B3AABE60003
6D6E919A48B610EF17C2041E47403576 0EC675AD498AFEEAB6960B3AABE60004
6B68642C59BBFC2F34DB60DBDFB2 0EC675AD498AFEEAB6960B3AABE60005
Authors' Addresses
作者地址
Questions and comments should be directed to the authors and avt@ietf.org:
问题和意见应提交给作者和avt@ietf.org:
Mark Baugher Cisco Systems, Inc. 5510 SW Orchid Street Portland, OR 97219 USA
Mark Baugher Cisco Systems,Inc.美国波特兰兰花街西南5510号,邮编:97219
Phone: +1 408-853-4418
EMail: mbaugher@cisco.com
Phone: +1 408-853-4418
EMail: mbaugher@cisco.com
Elisabetta Carrara Ericsson Research SE-16480 Stockholm Sweden
Elisabetta Carrara Ericsson Research SE-16480瑞典斯德哥尔摩
Phone: +46 8 50877040
EMail: elisabetta.carrara@ericsson.com
Phone: +46 8 50877040
EMail: elisabetta.carrara@ericsson.com
David A. McGrew Cisco Systems, Inc. San Jose, CA 95134-1706 USA
David A.McGrew思科系统公司,美国加利福尼亚州圣何塞95134-1706
Phone: +1 301-349-5815
EMail: mcgrew@cisco.com
Phone: +1 301-349-5815
EMail: mcgrew@cisco.com
Mats Naslund Ericsson Research SE-16480 Stockholm Sweden
Mats Naslund Ericsson Research SE-16480瑞典斯德哥尔摩
Phone: +46 8 58533739
EMail: mats.naslund@ericsson.com
Phone: +46 8 58533739
EMail: mats.naslund@ericsson.com
Karl Norrman Ericsson Research SE-16480 Stockholm Sweden
卡尔·诺尔曼·爱立信研究所SE-16480瑞典斯德哥尔摩
Phone: +46 8 4044502
EMail: karl.norrman@ericsson.com
Phone: +46 8 4044502
EMail: karl.norrman@ericsson.com
Full Copyright Statement
完整版权声明
Copyright (C) The Internet Society (2004). This document is subject to the rights, licenses and restrictions contained in BCP 78 and except as set forth therein, the authors retain all their rights.
版权所有(C)互联网协会(2004年)。本文件受BCP 78中包含的权利、许可和限制的约束,除其中规定外,作者保留其所有权利。
This document and the information contained herein are provided on an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
本文件及其包含的信息是按“原样”提供的,贡献者、他/她所代表或赞助的组织(如有)、互联网协会和互联网工程任务组不承担任何明示或暗示的担保,包括但不限于任何保证,即使用本文中的信息不会侵犯任何权利,或对适销性或特定用途适用性的任何默示保证。
Intellectual Property
知识产权
The IETF takes no position regarding the validity or scope of any Intellectual Property Rights or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; nor does it represent that it has made any independent effort to identify any such rights. Information on the procedures with respect to rights in RFC documents can be found in BCP 78 and BCP 79.
IETF对可能声称与本文件所述技术的实施或使用有关的任何知识产权或其他权利的有效性或范围,或此类权利下的任何许可可能或可能不可用的程度,不采取任何立场;它也不表示它已作出任何独立努力来确定任何此类权利。有关RFC文件中权利的程序信息,请参见BCP 78和BCP 79。
Copies of IPR disclosures made to the IETF Secretariat and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementers or users of this specification can be obtained from the IETF on-line IPR repository at http://www.ietf.org/ipr.
向IETF秘书处披露的知识产权副本和任何许可证保证,或本规范实施者或用户试图获得使用此类专有权利的一般许可证或许可的结果,可从IETF在线知识产权存储库获取,网址为http://www.ietf.org/ipr.
The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights that may cover technology that may be required to implement this standard. Please address the information to the IETF at ietf-ipr@ietf.org.
IETF邀请任何相关方提请其注意任何版权、专利或专利申请,或其他可能涵盖实施本标准所需技术的专有权利。请将信息发送至IETF的IETF-ipr@ietf.org.
Acknowledgement
确认
Funding for the RFC Editor function is currently provided by the Internet Society.
RFC编辑功能的资金目前由互联网协会提供。