Internet Engineering Task Force (IETF)                         D. McGrew
Request for Comments: 6188                           Cisco Systems, Inc.
Category: Standards Track                                     March 2011
ISSN: 2070-1721
        

The Use of AES-192 and AES-256 in Secure RTP

Abstract

This memo describes the use of the Advanced Encryption Standard (AES) with 192- and 256-bit keys within the Secure RTP (SRTP) protocol. It details counter mode encryption for SRTP and Secure Realtime Transport Control Protocol (SRTCP) and a new SRTP Key Derivation Function (KDF) for AES-192 and AES-256.

Status of This Memo

This is an Internet Standards Track document.

This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Further information on Internet Standards is available in Section 2 of RFC 5741.

Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at http://www.rfc-editor.org/info/rfc6188.

Copyright Notice

Copyright (c) 2011 IETF Trust and the persons identified as the document authors. All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.

Table of Contents

   1. Introduction
      1.1. Conventions Used in This Document
   2. AES-192 and AES-256 Encryption
   3. The AES_192_CM_PRF and AES_256_CM_PRF Key Derivation Functions
      3.1. Usage Requirements
   4. Crypto Suites
   5. IANA Considerations
   6. Security Considerations
   7. Test Cases
      7.1. AES-256-CM Test Cases
      7.2. AES_256_CM_PRF Test Cases
      7.3. AES-192-CM Test Cases
      7.4. AES_192_CM_PRF Test Cases
   8. Acknowledgements
   9. References
      9.1. Normative References
      9.2. Informative References
        
1. Introduction

This memo describes the use of the Advanced Encryption Standard (AES) [FIPS197] with 192- and 256-bit keys within the Secure RTP (SRTP) protocol [RFC3711]. Below, those block ciphers are referred to as AES-192 and AES-256, respectively, and the use of AES with a 128-bit key is referred to as AES-128. This document describes counter mode encryption for SRTP and SRTCP and appropriate SRTP key derivation functions for AES-192 and AES-256. It also defines new crypto suites that use these new functions.

While AES-128 is widely regarded as more than adequately secure, some users may be motivated to adopt AES-192 or AES-256 due to a perceived need to pursue a highly conservative security strategy. For instance, the Suite B profile requires AES-256 for the protection of TOP SECRET information [suiteB]. (Note that while the AES-192 and AES-256 encryption methods defined in this document use Suite B algorithms, the crypto suites in this document use the HMAC-SHA-1 algorithm, which is not included in Suite B.) See Section 6 for more discussion of security issues.

The crypto functions described in this document are an addition to, and not a replacement for, the crypto functions defined in [RFC3711].

1.1. Conventions Used in This Document

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119].

2. AES-192 and AES-256 Encryption

Section 4.1.1 of [RFC3711] defines AES counter mode encryption, which it refers to as AES_CM. This definition applies to all of the AES key sizes. In this note, AES-192 counter mode and AES-256 counter mode are denoted as AES_192_CM and AES_256_CM, respectively. In both of these ciphers, the plaintext inputs to the block cipher are formed as in AES_CM, and the block cipher outputs are processed as in AES_CM. The only difference in the processing is that AES_192_CM uses AES-192, and AES_256_CM uses AES-256. Both AES_192_CM and AES_256_CM use a 112-bit salt as an input, as does AES_CM.

For the convenience of the reader, the structure of the counter blocks in SRTP counter mode encryption is illustrated in Figure 1, using the terminology from Section 4.1.1 of [RFC3711]. In this diagram, the symbol (+) denotes the bitwise exclusive-or operation, and the AES encrypt operation uses AES-128, AES-192, or AES-256 for AES_CM, AES_192_CM, and AES_256_CM, respectively. The field labeled b_c contains a block counter, the value of which increments once for each invocation of the "AES Encrypt" function. The SSRC field is part of the RTP header [RFC3550].

        one octet
         <-->
          0  1  2  3  4  5  6  7  8  9  10 11 12 13 14 15
         +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
         |00|00|00|00|   SSRC    |   packet index  | b_c |---+
         +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+   |
                                                             |
         +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+   v
         |                  salt (k_s)             |00|00|->(+)
         +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+   |
                                                             |
                                                             v
                                                      +-------------+
                              encryption key (k_e) -> | AES encrypt |
                                                      +-------------+
                                                             |
         +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+   |
         |                keystream block                |<--+
         +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
        
Figure 1: AES Counter Mode

3. The AES_192_CM_PRF and AES_256_CM_PRF Key Derivation Functions

Section 4.3.3 of [RFC3711] defines an AES counter mode key derivation function, which it refers to as AES_CM PRF (and sometimes as AES-CM PRF). (That specification uses the term PRF, or pseudo-random function, interchangeably with the phrase "key derivation function".) This key derivation function can be used with any AES key size. In this note, the AES-192 counter mode PRF and AES-256 counter mode PRF are denoted as AES_192_CM_PRF and AES_256_CM_PRF, respectively. In both of these PRFs, the plaintext inputs to the block cipher are formed as in the AES_CM PRF, and the block cipher outputs are processed as in the AES_CM PRF. The only difference in the processing is that AES_192_CM_PRF uses AES-192, and AES_256_CM_PRF uses AES-256. Both AES_192_CM_PRF and AES_256_CM_PRF use a 112-bit salt as an input, as does the AES_CM PRF.

For the convenience of the reader, the structure of the counter blocks in SRTP counter mode key derivation is illustrated in Figure 2, using the terminology from Section 4.3.3 of [RFC3711]. In this diagram, the symbol (+) denotes the bitwise exclusive-or operation, and the "AES Encrypt" operation uses AES-128, AES-192, or AES-256 for the AES_CM PRF, AES_192_CM_PRF, and AES_256_CM_PRF, respectively. The field "LB" contains the 8-bit constant "label", which is provided as an input to the key derivation function (and which is distinct for each type of key generated by that function). The field labeled b_c contains a block counter, the value of which increments once for each invocation of the "AES Encrypt" function. The DIV operation is defined in Section 4.3.1 of [RFC3711] as follows. Let "a DIV t" denote integer division of a by t, rounded down, and with the convention that "a DIV 0 = 0" for all a. We also make the convention of treating "a DIV t" as a bit string of the same length as a, and thus "a DIV t" will, in general, have leading zeros.

        one octet
         <-->
          0  1  2  3  4  5  6  7  8  9  10 11 12 13 14 15
         +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
         |00|00|00|00|00|00|00|LB| index DIV kdr   | b_c |---+
         +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+   |
                                                             |
         +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+   v
         |               master salt               |00|00|->(+)
         +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+   |
                                                             |
                                                             v
                                                      +-------------+
                                        master key -> | AES encrypt |
                                                      +-------------+
                                                             |
         +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+   |
         |                   output block                |<--+
         +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
        
Figure 2: The AES Counter Mode Key Derivation Function

3.1. Usage Requirements

When AES_192_CM is used for encryption, AES_192_CM_PRF SHOULD be used as the key derivation function, and AES_128_CM_PRF MUST NOT be used as the key derivation function.

When AES_256_CM is used for encryption, AES_256_CM_PRF SHOULD be used as the key derivation function. Both AES_128_CM_PRF and AES_192_CM_PRF MUST NOT be used as the key derivation function.

AES_256_CM_PRF MAY be used as the key derivation function when AES_CM is used for encryption, and when AES_192_CM is used for encryption. AES_192_CM_PRF MAY be used as the key derivation function when AES_CM is used for encryption.

Rationale: it is essential that the cryptographic strength of the key derivation meets or exceeds that of the encryption method. It is natural to use the same function for both encryption and key derivation. However, it is not required to do so because it is desirable to allow these ciphers to be used with alternative key derivation functions that may be defined in the future.
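
The counter blocks of Figure 1 and Figure 2 and the Section 3.1 strength rule can be exercised together in the following added example, which is not part of this memo. The function names and the sample key and salt are constructed for illustration, the label values 0x00, 0x01 and 0x02 are the ones RFC 3711 assigns to the SRTP encryption key, authentication key and salt, and the AES core is included only so the block runs without external libraries.

```python
# SRTP counter blocks from Figures 1 and 2, with a stdlib-only AES core so the
# example runs offline (use a vetted AES library in production code).

def _xtime(a):                      # multiply by x in GF(2^8)
    a <<= 1
    return a ^ 0x11B if a & 0x100 else a

def _rotl8(x, n):
    return ((x << n) | (x >> (8 - n))) & 0xFF

def _make_sbox():
    sbox, p, q = [0] * 256, 1, 1
    while True:                     # invariant: p * q == 1 in GF(2^8)
        p ^= _xtime(p)              # p *= 3
        for shift in (1, 2, 4):     # q /= 3
            q = (q ^ (q << shift)) & 0xFF
        if q & 0x80:
            q ^= 0x09
        sbox[p] = q ^ _rotl8(q, 1) ^ _rotl8(q, 2) ^ _rotl8(q, 3) ^ _rotl8(q, 4) ^ 0x63
        if p == 1:
            break
    sbox[0] = 0x63
    return sbox

SBOX = _make_sbox()

def _expand_key(key):
    if len(key) not in (16, 24, 32):
        raise ValueError("AES key must be 128, 192 or 256 bits")
    nk, rcon = len(key) // 4, 1
    words = [list(key[4 * i:4 * i + 4]) for i in range(nk)]
    for i in range(nk, 4 * (nk + 7)):            # nk + 7 round keys of 4 words
        t = words[i - 1]
        if i % nk == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]
            t[0] ^= rcon
            rcon = _xtime(rcon)
        elif nk == 8 and i % nk == 4:            # extra SubWord step for AES-256
            t = [SBOX[b] for b in t]
        words.append([a ^ b for a, b in zip(words[i - nk], t)])
    return [sum(words[4 * r:4 * r + 4], []) for r in range(nk + 7)]

def aes_encrypt_block(key, block):
    rk = _expand_key(key)
    s = [b ^ k for b, k in zip(block, rk[0])]
    for rnd in range(1, len(rk)):
        s = [SBOX[b] for b in s]
        s = [s[4 * ((c + r) % 4) + r] for c in range(4) for r in range(4)]  # ShiftRows
        if rnd != len(rk) - 1:                   # MixColumns, skipped in last round
            mixed = []
            for c in range(4):
                col = s[4 * c:4 * c + 4]
                t = col[0] ^ col[1] ^ col[2] ^ col[3]
                mixed += [col[i] ^ t ^ _xtime(col[i] ^ col[(i + 1) % 4]) for i in range(4)]
            s = mixed
        s = [b ^ k for b, k in zip(s, rk[rnd])]
    return bytes(s)

def _cm_blocks(key, x, nbytes):
    """AES-encrypt (x * 2^16) + b_c for b_c = 0, 1, ...; x is the 112-bit prefix."""
    nblocks = -(-nbytes // 16)
    if x >> 112 or nblocks > 1 << 16:
        raise ValueError("prefix exceeds 112 bits or b_c would wrap its 16 bits")
    out = b"".join(aes_encrypt_block(key, ((x << 16) | b_c).to_bytes(16, "big"))
                   for b_c in range(nblocks))
    return out[:nbytes]

def srtp_kdf(master_key, master_salt, label, nbytes, index=0, kdr=0):
    """Figure 2: prefix = master_salt XOR (LB || index DIV kdr)."""
    r = index // kdr if kdr else 0               # convention: a DIV 0 = 0
    if len(master_salt) != 14 or not 0 <= label <= 0xFF or r >> 48:
        raise ValueError("need 112-bit salt, 8-bit label, 48-bit index DIV kdr")
    x = int.from_bytes(master_salt, "big") ^ (label << 48) ^ r
    return _cm_blocks(master_key, x, nbytes)

def srtp_keystream(k_e, k_s, ssrc, packet_index, nbytes):
    """Figure 1: prefix = k_s XOR (SSRC || packet index)."""
    if len(k_s) != 14 or ssrc >> 32 or packet_index >> 48:
        raise ValueError("need 112-bit salt, 32-bit SSRC, 48-bit packet index")
    x = int.from_bytes(k_s, "big") ^ (ssrc << 48) ^ packet_index
    return _cm_blocks(k_e, x, nbytes)

def derive_srtp_keys(master_key, master_salt, cipher_key_bits):
    """SRTP session keys; the master key length selects AES-128/192/256 for the PRF."""
    if len(master_key) * 8 < cipher_key_bits:    # Section 3.1: weaker PRF MUST NOT be used
        raise ValueError("key derivation function is weaker than the cipher")
    return {
        "k_e": srtp_kdf(master_key, master_salt, 0x00, cipher_key_bits // 8),
        "k_a": srtp_kdf(master_key, master_salt, 0x01, 20),   # 160-bit HMAC-SHA1 key
        "k_s": srtp_kdf(master_key, master_salt, 0x02, 14),   # 112-bit session salt
    }

if __name__ == "__main__":
    mk = bytes(range(32))                        # constructed 256-bit master key
    ms = bytes(range(0xA0, 0xAE))                # constructed 112-bit master salt
    keys = derive_srtp_keys(mk, ms, 256)
    ks = srtp_keystream(keys["k_e"], keys["k_s"], 0x1234ABCD, 7, 40)
    print({n: v.hex() for n, v in keys.items()}, ks.hex())
```
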

4. Crypto Suites

This section defines SRTP crypto suites that use the ciphers and key derivation functions defined in this document. The parameters in these crypto suites are described in Section 8.2 of [RFC3711]. These suites are registered with IANA for use with the SDP Security Descriptions attributes (Section 10.3.2.1 of [RFC4568]). Other SRTP key management methods that use the crypto functions defined in this document are encouraged to also use these crypto suite definitions.

Rationale: the crypto suites use the same authentication function that is mandatory to implement in SRTP, HMAC-SHA1 with a 160-bit key. HMAC-SHA1 would accept larger key sizes, but when it is used with keys larger than 160 bits, it does not provide resistance to cryptanalysis greater than that security level, because it has only 160 bits of internal state. By retaining 160-bit authentication keys, the crypto suites in this note have more compatibility with existing crypto suites and implementations of them.

   +------------------------------+------------------------------------+
   | Parameter                    | Value                              |
   +------------------------------+------------------------------------+
   | Master key length            | 192 bits                           |
   | Master salt length           | 112 bits                           |
   | Key Derivation Function      | AES_192_CM_PRF (Section 3)         |
   | Default key lifetime         | 2^31 packets                       |
   | Cipher (for SRTP and SRTCP)  | AES_192_CM (Section 2)             |
   | SRTP authentication function | HMAC-SHA1 (Section 4.2.1 of        |
   |                              | [RFC3711])                         |
   | SRTP authentication key      | 160 bits                           |
   | length                       |                                    |
   | SRTP authentication tag      | 80 bits                            |
   | length                       |                                    |
   | SRTCP authentication         | HMAC-SHA1 (Section 4.2.1 of        |
   | function                     | [RFC3711])                         |
   | SRTCP authentication key     | 160 bits                           |
   | length                       |                                    |
   | SRTCP authentication tag     | 80 bits                            |
   | length                       |                                    |
   +------------------------------+------------------------------------+
        
Table 1: The AES_192_CM_HMAC_SHA1_80 Crypto Suite

   +------------------------------+------------------------------------+
   | Parameter                    | Value                              |
   +------------------------------+------------------------------------+
   | Master key length            | 192 bits                           |
   | Master salt length           | 112 bits                           |
   | Key Derivation Function      | AES_192_CM_PRF (Section 3)         |
   | Default key lifetime         | 2^31 packets                       |
   | Cipher (for SRTP and SRTCP)  | AES_192_CM (Section 2)             |
   | SRTP authentication function | HMAC-SHA1 (Section 4.2.1 of        |
   |                              | [RFC3711])                         |
   | SRTP authentication key      | 160 bits                           |
   | length                       |                                    |
   | SRTP authentication tag      | 32 bits                            |
   | length                       |                                    |
   | SRTCP authentication         | HMAC-SHA1 (Section 4.2.1 of        |
   | function                     | [RFC3711])                         |
   | SRTCP authentication key     | 160 bits                           |
   | length                       |                                    |
   | SRTCP authentication tag     | 80 bits                            |
   | length                       |                                    |
   +------------------------------+------------------------------------+
        
Table 2: The AES_192_CM_HMAC_SHA1_32 Crypto Suite

   +------------------------------+------------------------------------+
   | Parameter                    | Value                              |
   +------------------------------+------------------------------------+
   | Master key length            | 256 bits                           |
   | Master salt length           | 112 bits                           |
   | Key Derivation Function      | AES_256_CM_PRF (Section 3)         |
   | Default key lifetime         | 2^31 packets                       |
   | Cipher (for SRTP and SRTCP)  | AES_256_CM (Section 2)             |
   | SRTP authentication function | HMAC-SHA1 (Section 4.2.1 of        |
   |                              | [RFC3711])                         |
   | SRTP authentication key      | 160 bits                           |
   | length                       |                                    |
   | SRTP authentication tag      | 80 bits                            |
   | length                       |                                    |
   | SRTCP authentication         | HMAC-SHA1 (Section 4.2.1 of        |
   | function                     | [RFC3711])                         |
   | SRTCP authentication key     | 160 bits                           |
   | length                       |                                    |
   | SRTCP authentication tag     | 80 bits                            |
   | length                       |                                    |
   +------------------------------+------------------------------------+
        
Table 3: The AES_256_CM_HMAC_SHA1_80 Crypto Suite

   +------------------------------+------------------------------------+
   | Parameter                    | Value                              |
   +------------------------------+------------------------------------+
   | Master key length            | 256 bits                           |
   | Master salt length           | 112 bits                           |
   | Key Derivation Function      | AES_256_CM_PRF (Section 3)         |
   | Default key lifetime         | 2^31 packets                       |
   | Cipher (for SRTP and SRTCP)  | AES_256_CM (Section 2)             |
   | SRTP authentication function | HMAC-SHA1 (Section 4.2.1 of        |
   |                              | [RFC3711])                         |
   | SRTP authentication key      | 160 bits                           |
   | length                       |                                    |
   | SRTP authentication tag      | 32 bits                            |
   | length                       |                                    |
   | SRTCP authentication         | HMAC-SHA1 (Section 4.2.1 of        |
   | function                     | [RFC3711])                         |
   | SRTCP authentication key     | 160 bits                           |
   | length                       |                                    |
   | SRTCP authentication tag     | 80 bits                            |
   | length                       |                                    |
   +------------------------------+------------------------------------+
        
Table 4: The AES_256_CM_HMAC_SHA1_32 Crypto Suite

5. IANA Considerations

IANA has assigned the following parameters in the Session Description Protocol (SDP) Security Descriptions registry.

                  +-------------------------+-----------+
                  | Crypto Suite Name       | Reference |
                  +-------------------------+-----------+
                  | AES_192_CM_HMAC_SHA1_80 | [RFC6188] |
                  | AES_192_CM_HMAC_SHA1_32 | [RFC6188] |
                  | AES_256_CM_HMAC_SHA1_80 | [RFC6188] |
                  | AES_256_CM_HMAC_SHA1_32 | [RFC6188] |
                  +-------------------------+-----------+
        
6. Security Considerations

AES-128 provides a level of security that is widely regarded as being more than sufficient for providing confidentiality. It is believed that the economic cost of breaking AES-128 is significantly higher than the cost of more direct approaches to violating system security, e.g., theft, bribery, wiretapping, and other forms of malfeasance.

Future advances in state-of-the-art cryptanalysis could eliminate this confidence in AES-128, and motivate the use of AES-192 or AES-256. AES-192 is regarded as being secure even against some adversaries for which breaking AES-128 may be feasible. Similarly, AES-256 is regarded as being secure even against some adversaries for which it may be feasible to break AES-192. The availability of the larger key size versions of AES provides a fallback plan in case of unanticipated cryptanalytic results.

It is conjectured that AES-256 provides adequate security even against adversaries that possess the ability to construct a quantum computer that works on 256 or more quantum bits. No such computer is known to exist; its feasibility is an area of active speculation and research.

Despite the apparent sufficiency of AES-128, some users are interested in the larger AES key sizes. For some applications, the 40% increase in computational cost for AES-256 over AES-128 is a worthwhile bargain when traded for the security advantages outlined above. These applications include those with a perceived need for very high security, e.g., due to a desire for very long-term confidentiality.

AES-256 (as it is used in this note) provides the highest level of security, and it SHOULD be used whenever the highest possible security is desired. AES-192 provides a middle ground between the 128-bit and 256-bit versions of AES, and it MAY be used when security higher than that of AES-128 is desired. In this note, AES-192 and AES-256 are used with keys that are generated via a strong pseudo-random source, and thus the related-key attacks that have been described in the theoretical literature are not applicable.

As with any cipher, the conjectured security level of AES may change over time. The considerations in this section reflect the best knowledge available at the time of publication of this document.

It is desirable that AES_192_CM and AES_192_CM_PRF be used with an authentication function that uses a 192-bit key, and that AES_256_CM and AES_256_CM_PRF be used with an authentication function that uses a 256-bit key. However, this desire is not regarded as security critical. Cryptographic authentication is resilient against future advances in cryptanalysis, since the opportunity for a forgery attack against a session closes when that session closes. For this reason, this note defines new ciphers, but not new authentication functions.

7. Test Cases

The test cases in this section are based on Appendix B of [RFC3711].

7.1. AES-256-CM Test Cases
    Keystream segment length: 1044512 octets (65282 AES blocks)
    Session Key:      57f82fe3613fd170a85ec93c40b1f092
                      2ec4cb0dc025b58272147cc438944a98
    Rollover Counter: 00000000
    Sequence Number:  0000
    SSRC:             00000000
    Session Salt:     f0f1f2f3f4f5f6f7f8f9fafbfcfd0000 (already shifted)
    Offset:           f0f1f2f3f4f5f6f7f8f9fafbfcfd0000
        

    Counter                            Keystream
    f0f1f2f3f4f5f6f7f8f9fafbfcfd0000   92bdd28a93c3f52511c677d08b5515a4
    f0f1f2f3f4f5f6f7f8f9fafbfcfd0001   9da71b2378a854f67050756ded165bac
    f0f1f2f3f4f5f6f7f8f9fafbfcfd0002   63c4868b7096d88421b563b8c94c9a31
    ...                                ...
    f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff   cea518c90fd91ced9cbb18c078a54711
    f0f1f2f3f4f5f6f7f8f9fafbfcfdff00   3dbc4814f4da5f00a08772b63c6a046d
    f0f1f2f3f4f5f6f7f8f9fafbfcfdff01   6eb246913062a16891433e97dd01a57f
        
7.2. AES_256_CM_PRF Test Cases

This section provides test data for the AES_256_CM_PRF key derivation function, which uses AES-256 in counter mode. In the following, we walk through the initial key derivation for the AES-256 counter mode cipher, which requires a 32-octet session encryption key and a 14-octet session salt, and the HMAC-SHA1 authentication function, which requires a 20-octet session authentication key. These values are called the cipher key, the cipher salt, and the auth key in the following. Since this is the initial key derivation and the key derivation rate is equal to zero, the value of (index DIV key_derivation_rate) is zero (actually, a six-octet string of zeros). In the following, we shorten key_derivation_rate to kdr.

The inputs to the key derivation function are the 32-octet master key and the 14-octet master salt:

      master key:    f0f04914b513f2763a1b1fa130f10e29
                     98f6f6e43e4309d1e622a0e332b9f1b6
      master salt:   3b04803de51ee7c96423ab5b78d2

We first show how the cipher key is generated. The input block for AES-256-CM is generated by exclusive-oring the master salt with the concatenation of the encryption key label 0x00 with (index DIV kdr), then padding on the right with two null octets (which implements the multiply-by-2^16 operation, see Section 4.3.3 of RFC 3711). The resulting value is then AES-256-CM-encrypted using the master key to get the cipher key.

      index DIV kdr:                 000000000000
      label:                       00
      master salt:   3b04803de51ee7c96423ab5b78d2
      -----------------------------------------------
      xor:           3b04803de51ee7c96423ab5b78d2     (x, PRF input)
        
      x*2^16:        3b04803de51ee7c96423ab5b78d20000 (AES-256-CM input)
      x*2^16 + 1:    3b04803de51ee7c96423ab5b78d20001 (2nd AES input)
        

      cipher key:    5ba1064e30ec51613cad926c5a28ef73 (1st AES output)
                     1ec7fb397f70a960653caf06554cd8c4 (2nd AES output)

Next, we show how the cipher salt is generated. The input block for AES-256-CM is generated by exclusive-oring the master salt with the concatenation of the encryption salt label. That value is padded and encrypted as above.

      index DIV kdr:                 000000000000
      label:                       02
      master salt:   3b04803de51ee7c96423ab5b78d2
      ----------------------------------------------
      xor:           3b04803de51ee7cb6423ab5b78d2     (x, PRF input)
        
      x*2^16:        3b04803de51ee7cb6423ab5b78d20000 (AES-256-CM input)
        

                     fa31791685ca444a9e07c6c64e93ae6b (AES-256 output)

      cipher salt:   fa31791685ca444a9e07c6c64e93

We now show how the auth key is generated. The input block for AES-256-CM is generated as above, but using the authentication key label.

       index DIV kdr:                   000000000000
       label:                         01
       master salt:     3b04803de51ee7c96423ab5b78d2
       -----------------------------------------------
       xor:             3b04803de51ee7c86423ab5b78d2     (x, PRF input)
        
       x*2^16:          3b04803de51ee7c86423ab5b78d20000 (AES-256-CM in)
        

Below, the AES-256 output blocks that form the auth key are shown on the left, while the corresponding AES-256 input blocks are shown on the right. Note that the final AES-256 output is truncated to a 4-byte length. The final auth key is shown below.

    auth key blocks                    AES-256 input blocks
    fd9c32d39ed5fbb5a9dc96b30818454d   3b04803de51ee7c86423ab5b78d20000
    1313dc05                           3b04803de51ee7c86423ab5b78d20001
        
    auth key: fd9c32d39ed5fbb5a9dc96b30818454d1313dc05
        
7.3. AES-192-CM Test Cases
    Keystream segment length: 1044512 octets (65282 AES blocks)
    Session Key:      eab234764e517b2d3d160d587d8c8621
                      9740f65f99b6bcf7
    Rollover Counter: 00000000
    Sequence Number:  0000
    SSRC:             00000000
    Session Salt:     f0f1f2f3f4f5f6f7f8f9fafbfcfd0000 (already shifted)
    Offset:           f0f1f2f3f4f5f6f7f8f9fafbfcfd0000
        

    Counter                            Keystream
    f0f1f2f3f4f5f6f7f8f9fafbfcfd0000   35096cba4610028dc1b57503804ce37c
    f0f1f2f3f4f5f6f7f8f9fafbfcfd0001   5de986291dcce161d5165ec4568f5c9a
    f0f1f2f3f4f5f6f7f8f9fafbfcfd0002   474a40c77894bc17180202272a4c264d
    ...                                ...
    f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff   d108d1a31a00bad6367ec23eb044b415
    f0f1f2f3f4f5f6f7f8f9fafbfcfdff00   c8f57129fdeb970b59f917b257662d4c
    f0f1f2f3f4f5f6f7f8f9fafbfcfdff01   a5dab625811034e8cebdfeb6dc158dd3
        
7.4. AES_192_CM_PRF Test Cases

This section provides test data for the AES_192_CM_PRF key derivation function, which uses AES-192 in counter mode. In the following, we walk through the initial key derivation for the AES-192 counter mode cipher, which requires a 24-octet session encryption key and a 14-octet session salt, and the HMAC-SHA1 authentication function, which requires a 20-octet session authentication key. These values are called the cipher key, the cipher salt, and the auth key in the following. Since this is the initial key derivation and the key derivation rate is equal to zero, the value of (index DIV key_derivation_rate) is zero (actually, a six-octet string of zeros). In the following, we shorten key_derivation_rate to kdr.

The inputs to the key derivation function are the 24-octet master key and the 14-octet master salt:

      master key:    73edc66c4fa15776fb57f9505c171365
                     50ffda71f3e8e5f1
      master salt:   c8522f3acd4ce86d5add78edbb11

We first show how the cipher key is generated. The input block for AES-192-CM is generated by exclusive-oring the master salt with the concatenation of the encryption key label 0x00 with (index DIV kdr), then padding on the right with two null octets (which implements the multiply-by-2^16 operation, see Section 4.3.3 of RFC 3711). The resulting value is then AES-192-CM encrypted using the master key to get the cipher key.

      index DIV kdr:                 000000000000
      label:                       00
      master salt:   c8522f3acd4ce86d5add78edbb11
      -----------------------------------------------
      xor:           c8522f3acd4ce86d5add78edbb11     (x, PRF input)
        
      x*2^16:        c8522f3acd4ce86d5add78edbb110000 (AES-192-CM input)
      x*2^16 + 1:    c8522f3acd4ce86d5add78edbb110001 (2nd AES input)
        

      cipher key:    31874736a8f1143870c26e4857d8a5b2 (1st AES output)
                     c4a354407faadabb                 (2nd AES output)

Next, we show how the cipher salt is generated. The input block for AES-192-CM is generated by exclusive-oring the master salt with the concatenation of the encryption salt label. That value is padded and encrypted as above.

      index DIV kdr:                 000000000000
      label:                       02
      master salt:   c8522f3acd4ce86d5add78edbb11
      ----------------------------------------------
      xor:           c8522f3acd4ce86f5add78edbb11     (x, PRF input)
        
      x*2^16:        c8522f3acd4ce86f5add78edbb110000 (AES-192-CM input)
        

                     2372b82d639b6d8503a47adc0a6c2590 (AES-192 output)

      cipher salt:   2372b82d639b6d8503a47adc0a6c

We now show how the auth key is generated. The input block for AES-192-CM is generated as above, but using the authentication key label.

       index DIV kdr:                   000000000000
       label:                         01
       master salt:     c8522f3acd4ce86d5add78edbb11
       -----------------------------------------------
       xor:             c8522f3acd4ce86c5add78edbb11     (x, PRF input)
        
       x*2^16:          c8522f3acd4ce86c5add78edbb110000 (AES-192-CM in)
        

Below, the AES-192 output blocks that form the auth key are shown on the left, while the corresponding AES-192 input blocks are shown on the right. Note that the final AES-192 output is truncated to a four-byte length. The final auth key is shown below.

    auth key blocks                    AES-192 input blocks
    355b10973cd95b9eacf4061c7e1a7151   c8522f3acd4ce86c5add78edbb110000
    e7cfbfcb                           c8522f3acd4ce86c5add78edbb110001
        
    auth key: 355b10973cd95b9eacf4061c7e1a7151e7cfbfcb
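
The keystream test cases in Sections 7.1 and 7.3 and the key derivation walk-throughs in Sections 7.2 and 7.4 can be reproduced with the following Go program, which is an added example and not part of the RFC. The names Keystream, DeriveKey and the Label constants are this example's own; the AES key size is selected by the master key length, so the same code also covers 128-bit keys.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/hex"
	"errors"
	"fmt"
)

// Key derivation labels as they appear in the walk-throughs above.
const (
	LabelCipherKey  byte = 0x00
	LabelAuthKey    byte = 0x01
	LabelCipherSalt byte = 0x02
)

// Keystream returns n octets of AES counter-mode keystream starting at the
// 16-octet counter block iv. The key length (16, 24 or 32 octets) selects
// AES-128, AES-192 or AES-256. The block counter occupies the low 16 bits,
// so it must start at zero and a segment is capped at 2^16 blocks.
func Keystream(key, iv []byte, n int) ([]byte, error) {
	if len(iv) != aes.BlockSize || iv[14] != 0 || iv[15] != 0 {
		return nil, errors.New("counter block must be 16 octets ending in 0000")
	}
	if n < 0 || n > aes.BlockSize<<16 {
		return nil, errors.New("segment longer than 2^16 AES blocks")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, n) // zeros, so the XOR below leaves raw keystream
	cipher.NewCTR(block, iv).XORKeyStream(out, out)
	return out, nil
}

// DeriveKey computes n octets of AES-CM PRF output for one label:
// x = master salt XOR (label || index DIV kdr), counter block = x * 2^16.
func DeriveKey(masterKey, masterSalt []byte, label byte, indexDivKdr uint64, n int) ([]byte, error) {
	if len(masterSalt) != 14 {
		return nil, errors.New("master salt must be 14 octets")
	}
	if indexDivKdr>>48 != 0 {
		return nil, errors.New("index DIV kdr must fit in six octets")
	}
	iv := make([]byte, aes.BlockSize) // last two octets stay zero (x * 2^16)
	copy(iv, masterSalt)
	iv[7] ^= label // label sits directly left of the six-octet index field
	for i := 0; i < 6; i++ {
		iv[13-i] ^= byte(indexDivKdr >> (8 * i))
	}
	return Keystream(masterKey, iv, n)
}

func main() {
	// Section 7.2 inputs, copied from the test case text.
	mk, _ := hex.DecodeString("f0f04914b513f2763a1b1fa130f10e2998f6f6e43e4309d1e622a0e332b9f1b6")
	ms, _ := hex.DecodeString("3b04803de51ee7c96423ab5b78d2")
	lengths := map[byte]int{LabelCipherKey: len(mk), LabelCipherSalt: 14, LabelAuthKey: 20}
	for _, label := range []byte{LabelCipherKey, LabelCipherSalt, LabelAuthKey} {
		k, err := DeriveKey(mk, ms, label, 0, lengths[label])
		if err != nil {
			panic(err)
		}
		fmt.Printf("label %02x: %x\n", label, k)
	}
}
```
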
        
8. Acknowledgements

Thanks are due to John Mattsson for verifying the test cases in the document and providing comments, to Bob Bell for feedback and encouragement, and to Richard Barnes and Hilarie Orman for constructive review.

9. References
9.1. Normative References

[FIPS197] "The Advanced Encryption Standard (AES)", FIPS-197 Federal Information Processing Standard.

[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997.

[RFC3550] Schulzrinne, H., Casner, S., Frederick, R., and V. Jacobson, "RTP: A Transport Protocol for Real-Time Applications", STD 64, RFC 3550, July 2003.

[RFC3711] Baugher, M., McGrew, D., Naslund, M., Carrara, E., and K. Norrman, "The Secure Real-time Transport Protocol (SRTP)", RFC 3711, March 2004.

[RFC4568] Andreasen, F., Baugher, M., and D. Wing, "Session Description Protocol (SDP) Security Descriptions for Media Streams", RFC 4568, July 2006.

9.2. Informative References

[suiteB] "Suite B Cryptography", http://www.nsa.gov/ia/programs/suiteb_cryptography/index.shtml.

Author's Address

   David A. McGrew
   Cisco Systems, Inc.
   510 McCarthy Blvd.
   Milpitas, CA 95035
   US

   Phone: (408) 525 8651
   EMail: mcgrew@cisco.com
   URI:   http://www.mindspring.com/~dmcgrew/dam.htm
        