Internet Engineering Task Force (IETF)                            W. Kim
Request for Comments: 8269                                        J. Lee
Category: Informational                                          J. Park
ISSN: 2070-1721                                                  D. Kwon
                                                                    NSRI
                                                                  D. Kim
                                                           Kookmin Univ.
                                                            October 2017
        
Internet Engineering Task Force (IETF)                            W. Kim
Request for Comments: 8269                                        J. Lee
Category: Informational                                          J. Park
ISSN: 2070-1721                                                  D. Kwon
                                                                    NSRI
                                                                  D. Kim
                                                           Kookmin Univ.
                                                            October 2017
        

The ARIA Algorithm and Its Use with the Secure Real-Time Transport Protocol (SRTP)

ARIA算法及其在安全实时传输协议(SRTP)中的应用

Abstract

摘要

This document defines the use of the ARIA block cipher algorithm within the Secure Real-time Transport Protocol (SRTP). It details two modes of operation (CTR and GCM) and the SRTP key derivation functions for ARIA. Additionally, this document defines DTLS-SRTP protection profiles and Multimedia Internet KEYing (MIKEY) parameter sets for use with ARIA.

本文档定义了在安全实时传输协议(SRTP)中使用ARIA分组密码算法。它详细介绍了两种操作模式(CTR和GCM)以及ARIA的SRTP密钥派生函数。此外,本文档还定义了DTLS-SRTP保护配置文件和多媒体互联网键控(MIKEY)参数集,用于ARIA。

Status of This Memo

关于下段备忘

This document is not an Internet Standards Track specification; it is published for informational purposes.

本文件不是互联网标准跟踪规范;它是为了提供信息而发布的。

This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Not all documents approved by the IESG are a candidate for any level of Internet Standard; see Section 2 of RFC 7841.

本文件是互联网工程任务组(IETF)的产品。它代表了IETF社区的共识。它已经接受了公众审查,并已被互联网工程指导小组(IESG)批准出版。并非IESG批准的所有文件都适用于任何级别的互联网标准;见RFC 7841第2节。

Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at https://www.rfc-editor.org/info/rfc8269.

有关本文件当前状态、任何勘误表以及如何提供反馈的信息,请访问https://www.rfc-editor.org/info/rfc8269.

Copyright Notice

版权公告

Copyright (c) 2017 IETF Trust and the persons identified as the document authors. All rights reserved.

版权所有(c)2017 IETF信托基金和确定为文件作者的人员。版权所有。

This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.

本文件受BCP 78和IETF信托有关IETF文件的法律规定的约束(https://trustee.ietf.org/license-info)自本文件出版之日起生效。请仔细阅读这些文件,因为它们描述了您对本文件的权利和限制。从本文件中提取的代码组件必须包括信托法律条款第4.e节中所述的简化BSD许可证文本,并提供简化BSD许可证中所述的无担保。

Table of Contents

目录

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   3
     1.1.  ARIA  . . . . . . . . . . . . . . . . . . . . . . . . . .   3
     1.2.  Terminology . . . . . . . . . . . . . . . . . . . . . . .   3
   2.  Cryptographic Transforms  . . . . . . . . . . . . . . . . . .   3
     2.1.  ARIA-CTR  . . . . . . . . . . . . . . . . . . . . . . . .   3
     2.2.  ARIA-GCM  . . . . . . . . . . . . . . . . . . . . . . . .   4
   3.  Key Derivation Functions  . . . . . . . . . . . . . . . . . .   4
   4.  Protection Profiles . . . . . . . . . . . . . . . . . . . . .   4
   5.  Security Considerations . . . . . . . . . . . . . . . . . . .   7
   6.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .   8
     6.1.  DTLS-SRTP . . . . . . . . . . . . . . . . . . . . . . . .   8
     6.2.  MIKEY . . . . . . . . . . . . . . . . . . . . . . . . . .   8
   7.  References  . . . . . . . . . . . . . . . . . . . . . . . . .   9
     7.1.  Normative References  . . . . . . . . . . . . . . . . . .   9
     7.2.  Informative References  . . . . . . . . . . . . . . . . .  11
   Appendix A.  Test Vectors . . . . . . . . . . . . . . . . . . . .  12
     A.1.  ARIA-CTR Test Vectors . . . . . . . . . . . . . . . . . .  12
       A.1.1.  SRTP_ARIA_128_CTR_HMAC_SHA1_80  . . . . . . . . . . .  12
       A.1.2.  SRTP_ARIA_256_CTR_HMAC_SHA1_80  . . . . . . . . . . .  13
     A.2.  ARIA-GCM Test Vectors . . . . . . . . . . . . . . . . . .  14
       A.2.1.  SRTP_AEAD_ARIA_128_GCM  . . . . . . . . . . . . . . .  14
       A.2.2.  SRTP_AEAD_ARIA_256_GCM  . . . . . . . . . . . . . . .  15
     A.3.  Key Derivation Test Vectors . . . . . . . . . . . . . . .  15
       A.3.1.  ARIA_128_CTR_PRF  . . . . . . . . . . . . . . . . . .  15
       A.3.2.  ARIA_256_CTR_PRF  . . . . . . . . . . . . . . . . . .  17
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .  19
        
   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   3
     1.1.  ARIA  . . . . . . . . . . . . . . . . . . . . . . . . . .   3
     1.2.  Terminology . . . . . . . . . . . . . . . . . . . . . . .   3
   2.  Cryptographic Transforms  . . . . . . . . . . . . . . . . . .   3
     2.1.  ARIA-CTR  . . . . . . . . . . . . . . . . . . . . . . . .   3
     2.2.  ARIA-GCM  . . . . . . . . . . . . . . . . . . . . . . . .   4
   3.  Key Derivation Functions  . . . . . . . . . . . . . . . . . .   4
   4.  Protection Profiles . . . . . . . . . . . . . . . . . . . . .   4
   5.  Security Considerations . . . . . . . . . . . . . . . . . . .   7
   6.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .   8
     6.1.  DTLS-SRTP . . . . . . . . . . . . . . . . . . . . . . . .   8
     6.2.  MIKEY . . . . . . . . . . . . . . . . . . . . . . . . . .   8
   7.  References  . . . . . . . . . . . . . . . . . . . . . . . . .   9
     7.1.  Normative References  . . . . . . . . . . . . . . . . . .   9
     7.2.  Informative References  . . . . . . . . . . . . . . . . .  11
   Appendix A.  Test Vectors . . . . . . . . . . . . . . . . . . . .  12
     A.1.  ARIA-CTR Test Vectors . . . . . . . . . . . . . . . . . .  12
       A.1.1.  SRTP_ARIA_128_CTR_HMAC_SHA1_80  . . . . . . . . . . .  12
       A.1.2.  SRTP_ARIA_256_CTR_HMAC_SHA1_80  . . . . . . . . . . .  13
     A.2.  ARIA-GCM Test Vectors . . . . . . . . . . . . . . . . . .  14
       A.2.1.  SRTP_AEAD_ARIA_128_GCM  . . . . . . . . . . . . . . .  14
       A.2.2.  SRTP_AEAD_ARIA_256_GCM  . . . . . . . . . . . . . . .  15
     A.3.  Key Derivation Test Vectors . . . . . . . . . . . . . . .  15
       A.3.1.  ARIA_128_CTR_PRF  . . . . . . . . . . . . . . . . . .  15
       A.3.2.  ARIA_256_CTR_PRF  . . . . . . . . . . . . . . . . . .  17
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .  19
        
1. Introduction
1. 介绍

This document defines the use of the ARIA block cipher algorithm [RFC5794] in the Secure Real-time Transport Protocol (SRTP) [RFC3711] for providing confidentiality for Real-time Transport Protocol (RTP) [RFC3550] traffic and for RTP Control Protocol (RTCP) [RFC3550] traffic.

本文件定义了在安全实时传输协议(SRTP)[RFC3711]中使用ARIA分组密码算法[RFC5794]为实时传输协议(RTP)[RFC3550]通信量和RTP控制协议(RTCP)[RFC3550]通信量提供保密性。

1.1. ARIA
1.1. 咏叹调

ARIA is a general-purpose block cipher algorithm developed by Korean cryptographers in 2003. It is an iterated block cipher with 128-, 192-, and 256-bit keys and encrypts 128-bit blocks in 12, 14, and 16 rounds, depending on the key size. It is secure and suitable for most software and hardware implementations on 32-bit and 8-bit processors. It was established as a Korean standard block cipher algorithm in 2004 [ARIAKS] and has been widely used in Korea, especially for government-to-public services. It was included in Public-Key Cryptography Standards (PKCS) #11 in 2007 [ARIAPKCS]. The algorithm specification and object identifiers are described in [RFC5794].

ARIA是韩国密码学家于2003年开发的一种通用分组密码算法。它是一种迭代分组密码,具有128、192和256位密钥,并根据密钥大小在12、14和16轮中加密128位块。它是安全的,适用于32位和8位处理器上的大多数软件和硬件实现。它于2004年作为韩国标准分组密码算法[ARIAKS]建立,并在韩国得到广泛应用,特别是在政府到公共服务领域。2007年,它被纳入公钥密码标准(PKCS)#11中[ARIAPKCS]。[RFC5794]中描述了算法规范和对象标识符。

1.2. Terminology
1.2. 术语

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.

本文件中的关键词“必须”、“不得”、“必需”、“应”、“不应”、“建议”、“不建议”、“可”和“可选”在所有大写字母出现时(如图所示)应按照BCP 14[RFC2119][RFC8174]所述进行解释。

2. Cryptographic Transforms
2. 密码变换

Block ciphers ARIA and AES share common characteristics including mode, key size, and block size. ARIA does not have any restrictions for modes of operation that are used with this block cipher. We define two modes of running ARIA within SRTP: (1) ARIA in Counter Mode (ARIA-CTR) and (2) ARIA in Galois/Counter Mode (ARIA-GCM).

分组密码ARIA和AES具有共同的特征,包括模式、密钥大小和块大小。ARIA对此分组密码使用的操作模式没有任何限制。我们在SRTP中定义了两种运行ARIA的模式:(1)计数器模式下的ARIA(ARIA-CTR)和(2)Galois/计数器模式下的ARIA(ARIA-GCM)。

2.1. ARIA-CTR
2.1. ARIA-CTR

Section 4.1.1 of [RFC3711] defines AES-128 counter mode encryption, which it refers to as "AES_CM". Section 2 of [RFC6188] defines "AES_256_CM" in SRTP. ARIA counter modes are defined in the same manner except that each invocation of AES is replaced by that of ARIA [RFC5794] and are denoted by ARIA_128_CTR and ARIA_256_CTR, respectively, according to the key lengths. The plaintext inputs to the block cipher are formed as in AES-CTR (AES_CM, AES_256_CM) and the block cipher outputs are processed as in AES-CTR. Note that,

[RFC3711]第4.1.1节定义了AES-128计数器模式加密,称为“AES_CM”。[RFC6188]第2节定义了SRTP中的“AES_256_CM”。ARIA计数器模式的定义方式相同,但AES的每次调用都被ARIA[RFC5794]的调用所取代,并根据密钥长度分别由ARIA_128_CTR和ARIA_256_CTR表示。分组密码的明文输入按照AES-CTR(AES_CM,AES_256_CM)的格式形成,分组密码输出按照AES-CTR的格式处理。请注意,

ARIA-CTR MUST be used only in conjunction with an authentication transform.

ARIA-CTR只能与身份验证转换结合使用。

Section 3.2 of [RFC6904] defines AES-CTR for SRTP header extension keystream generation. When ARIA-CTR is used, the header extension keystream SHALL be generated in the same manner except that each invocation of AES is replaced by that of ARIA [RFC5794].

[RFC6904]第3.2节定义了用于生成SRTP报头扩展密钥流的AES-CTR。使用ARIA-CTR时,应以相同的方式生成报头扩展密钥流,但AES的每次调用均被ARIA的调用替换[RFC5794]。

2.2. ARIA-GCM
2.2. ARIA-GCM

Galois/Counter Mode [GCM] [RFC5116] is an Authenticated Encryption with Associated Data (AEAD) block cipher mode. A detailed description of ARIA-GCM is defined similarly as AES-GCM found in [RFC5116] and [RFC5282].

Galois/计数器模式[GCM][RFC5116]是一种通过身份验证的关联数据加密(AEAD)分组密码模式。ARIA-GCM的详细描述类似于[RFC5116]和[RFC5282]中的AES-GCM。

[RFC7714] describes the use of AES-GCM with SRTP. The use of ARIA-GCM with SRTP is defined the same as AES-GCM except that each invocation of AES is replaced by ARIA [RFC5794]. When encryption of header extensions [RFC6904] is in use, a separate keystream to encrypt selected RTP header extension elements MUST be generated in the same manner defined in [RFC7714] except that AES-CTR is replaced by ARIA-CTR.

[RFC7714]介绍了AES-GCM与SRTP的结合使用。ARIA-GCM与SRTP的使用定义与AES-GCM相同,只是AES的每次调用都被ARIA替代[RFC5794]。当使用头扩展加密[RFC6904]时,必须以[RFC7714]中定义的相同方式生成用于加密选定RTP头扩展元素的单独密钥流,但AES-CTR被ARIA-CTR替换。

3. Key Derivation Functions
3. 键导函数

Section 4.3.3 of [RFC3711] defines the AES-128 counter mode key derivation function, which it refers to as "AES-CM PRF". Section 3 of [RFC6188] defines the AES-256 counter mode key derivation function, which it refers to as "AES_256_CM_PRF". The ARIA-CTR Pseudorandom Function (PRF) is defined in a same manner except that each invocation of AES is replaced by that of ARIA. According to the key lengths of the underlying encryption algorithm, ARIA-CTR PRFs are denoted by "ARIA_128_CTR_PRF" and "ARIA_256_CTR_PRF". The usage requirements of [RFC6188] and [RFC7714] regarding the AES-CM PRF apply to the ARIA-CTR PRF as well.

[RFC3711]第4.3.3节定义了AES-128计数器模式密钥派生函数,该函数称为“AES-CM PRF”。[RFC6188]第3节定义了AES-256计数器模式密钥派生函数,该函数称为“AES_256_CM_PRF”。ARIA-CTR伪随机函数(PRF)的定义方式相同,只是AES的每次调用都被ARIA的调用所取代。根据底层加密算法的密钥长度,ARIA-CTR PRF由“ARIA_128_CTR_PRF”和“ARIA_256_CTR_PRF”表示。[RFC6188]和[RFC7714]关于AES-CM PRF的使用要求也适用于ARIA-CTR PRF。

4. Protection Profiles
4. 保护配置文件

This section defines SRTP protection profiles that use the ARIA transforms and key derivation functions defined in this document. The following list indicates the SRTP transform parameters for each protection profile. Those are described for use with DTLS-SRTP [RFC5764].

本节定义了使用本文档中定义的ARIA转换和密钥派生函数的SRTP保护配置文件。下表显示了每个保护配置文件的SRTP转换参数。这些描述用于DTLS-SRTP[RFC5764]。

The parameters cipher_key_length, cipher_salt_length, auth_key_length, and auth_tag_length express the number of bits in the values to which they refer. The maximum_lifetime parameter indicates the maximum number of packets that can be protected with

参数cipher_key_length、cipher_salt_length、auth_key_length和auth_tag_length表示它们所引用的值中的位数。maximum_lifetime参数表示可以使用保护的最大数据包数

each single set of keys when the parameter profile is in use. All of these parameters apply to both RTP and RTCP, unless the RTCP parameters are separately specified.

使用参数配置文件时的每一组键。所有这些参数均适用于RTP和RTCP,除非单独指定RTCP参数。

SRTP_ARIA_128_CTR_HMAC_SHA1_80 cipher: ARIA_128_CTR cipher_key_length: 128 bits cipher_salt_length: 112 bits key derivation function: ARIA_128_CTR_PRF auth_function: HMAC-SHA1 auth_key_length: 160 bits auth_tag_length: 80 bits maximum_lifetime: at most 2^31 SRTCP packets and at most 2^48 SRTP packets

SRTP_ARIA_128_CTR_HMAC_SHA1_80密码:ARIA_128_CTR cipher_key_长度:128位cipher_salt_长度:112位密钥派生函数:ARIA_128_CTR_PRF auth_函数:HMAC-SHA1 auth_key长度:160位auth_tag长度:80位最长生存期:最多2^31 SRTCP数据包,最多2^48 SRTP数据包

SRTP_ARIA_128_CTR_HMAC_SHA1_32 cipher: ARIA_128_CTR cipher_key_length: 128 bits cipher_salt_length: 112 bits key derivation function: ARIA_128_CTR_PRF auth_function: HMAC-SHA1 auth_key_length: 160 bits SRTP auth_tag_length: 32 bits SRTCP auth_tag_length: 80 bits maximum_lifetime: at most 2^31 SRTCP packets and at most 2^48 SRTP packets

SRTP_ARIA_128_CTR_HMAC_SHA1_32密码:ARIA_128_CTR cipher_key_长度:128位密码_salt_长度:112位密钥派生函数:ARIA_128_CTR_PRF auth_函数:HMAC-SHA1 auth_key长度:160位SRTP auth_tag长度:32位SRTCP auth_tag长度:80位最长生命周期:最多2^31个SRTP数据包,最多2^48个SRTP数据包

SRTP_ARIA_256_CTR_HMAC_SHA1_80 cipher: ARIA_256_CTR cipher_key_length: 256 bits cipher_salt_length: 112 bits key derivation function: ARIA_256_CTR_PRF auth_function: HMAC-SHA1 auth_key_length: 160 bits auth_tag_length: 80 bits maximum_lifetime: at most 2^31 SRTCP packets and at most 2^48 SRTP packets

SRTP_ARIA_256_CTR_HMAC_SHA1_80密码:ARIA_256_CTR cipher_key_长度:256位cipher_salt_长度:112位密钥派生函数:ARIA_256_CTR_PRF auth_函数:HMAC-SHA1 auth_key长度:160位auth_tag长度:80位最长生存期:最多2^31 SRTCP数据包,最多2^48 SRTP数据包

SRTP_ARIA_256_CTR_HMAC_SHA1_32 cipher: ARIA_256_CTR cipher_key_length: 256 bits cipher_salt_length: 112 bits key derivation function: ARIA_256_CTR_PRF auth_function: HMAC-SHA1 auth_key_length: 160 bits SRTP auth_tag_length: 32 bits SRTCP auth_tag_length: 80 bits maximum_lifetime: at most 2^31 SRTCP packets and at most 2^48 SRTP packets

SRTP\U ARIA\U 256\U CTR\U HMAC\U SHA1\U 32密码:ARIA\U 256\U CTR密码\U密钥长度:256位密码\U salt\U长度:112位密钥派生函数:ARIA\U 256\U CTR\U PRF身份验证函数:HMAC-SHA1身份验证密钥长度:160位SRTP身份验证标签长度:32位SRTCP身份验证标签长度:80位最长生命周期:最多2^31 SRTP数据包,最多2^48 SRTP数据包

   SRTP_AEAD_ARIA_128_GCM
           cipher:                   ARIA_128_GCM
           cipher_key_length:        128 bits
           cipher_salt_length:       96 bits
           aead_auth_tag_length:     128 bits
           auth_function:            NULL
           auth_key_length:          N/A
           auth_tag_length:          N/A
           key derivation function:  ARIA_128_CTR_PRF
           maximum_lifetime:         at most 2^31 SRTCP packets and
                                     at most 2^48 SRTP packets
        
   SRTP_AEAD_ARIA_128_GCM
           cipher:                   ARIA_128_GCM
           cipher_key_length:        128 bits
           cipher_salt_length:       96 bits
           aead_auth_tag_length:     128 bits
           auth_function:            NULL
           auth_key_length:          N/A
           auth_tag_length:          N/A
           key derivation function:  ARIA_128_CTR_PRF
           maximum_lifetime:         at most 2^31 SRTCP packets and
                                     at most 2^48 SRTP packets
        
   SRTP_AEAD_ARIA_256_GCM
           cipher:                   ARIA_256_GCM
           cipher_key_length:        256 bits
           cipher_salt_length:       96 bits
           aead_auth_tag_length:     128 bits
           auth_function:            NULL
           auth_key_length:          N/A
           auth_tag_length:          N/A
           key derivation function:  ARIA_256_CTR_PRF
           maximum_lifetime:         at most 2^31 SRTCP packets and
                                     at most 2^48 SRTP packets
        
   SRTP_AEAD_ARIA_256_GCM
           cipher:                   ARIA_256_GCM
           cipher_key_length:        256 bits
           cipher_salt_length:       96 bits
           aead_auth_tag_length:     128 bits
           auth_function:            NULL
           auth_key_length:          N/A
           auth_tag_length:          N/A
           key derivation function:  ARIA_256_CTR_PRF
           maximum_lifetime:         at most 2^31 SRTCP packets and
                                     at most 2^48 SRTP packets
        

The ARIA-CTR protection profiles use the same authentication transform that is mandatory to implement in SRTP: HMAC-SHA1 with a 160-bit key.

ARIA-CTR保护配置文件使用的身份验证转换与在SRTP:HMAC-SHA1中使用160位密钥必须实现的身份验证转换相同。

Note that SRTP protection profiles that use AEAD algorithms do not specify an auth_function, auth_key_length, or auth_tag_length, since they do not use a separate auth_function, auth_key, or auth_tag. The term aead_auth_tag_length is used to emphasize that this refers to the authentication tag provided by the AEAD algorithm and that this tag is not located in the authentication tag field provided by SRTP/ SRTCP.

请注意,使用AEAD算法的SRTP保护配置文件不指定验证函数、验证密钥长度或验证标记长度,因为它们不使用单独的验证函数、验证密钥或验证标记。术语aead_auth_tag_length用于强调这是指aead算法提供的身份验证标签,并且该标签不位于SRTP/SRTCP提供的身份验证标签字段中。

The PRFs for ARIA protection profiles are defined by ARIA-CTR PRF of the equal key length with the encryption algorithm (see Section 2). SRTP_ARIA_128_CTR_HMAC and SRTP_AEAD_ARIA_128_GCM MUST use the ARIA_128_CTR_PRF key derivation function. And SRTP_ARIA_256_CTR_HMAC and SRTP_AEAD_ARIA_256_GCM MUST use the ARIA_256_CTR_PRF key derivation function.

ARIA保护配置文件的PRF由具有相同密钥长度的ARIA-CTR PRF和加密算法定义(见第2节)。SRTP_ARIA_128_CTR_HMAC和SRTP_AEAD_ARIA_128_GCM必须使用ARIA_128_CTR_PRF密钥派生函数。SRTP_ARIA_256_CTR_HMAC和SRTP_AEAD_ARIA_256_GCM必须使用ARIA_256_CTR_PRF密钥派生函数。

MIKEY specifies the SRTP protection profile definition separately from the key length (which is specified by the session encryption key length) and the authentication tag length. The DTLS-SRTP [RFC5764] protection profiles are mapped to MIKEY parameter sets as shown below.

MIKEY将SRTP保护配置文件定义与密钥长度(由会话加密密钥长度指定)和身份验证标记长度分开指定。DTLS-SRTP[RFC5764]保护配置文件映射到MIKEY参数集,如下所示。

                              +--------------------------------------+
                              | Encryption | Encryption | Auth.      |
                              | Algorithm  | Key Length | Tag Length |
                              +======================================+
    SRTP_ARIA_128_CTR_HMAC_80 |  ARIA-CTR  | 16 octets  | 10 octets  |
    SRTP_ARIA_128_CTR_HMAC_32 |  ARIA-CTR  | 16 octets  |  4 octets  |
    SRTP_ARIA_256_CTR_HMAC_80 |  ARIA-CTR  | 32 octets  | 10 octets  |
    SRTP_ARIA_256_CTR_HMAC_32 |  ARIA-CTR  | 32 octets  |  4 octets  |
                              +======================================+
        
                              +--------------------------------------+
                              | Encryption | Encryption | Auth.      |
                              | Algorithm  | Key Length | Tag Length |
                              +======================================+
    SRTP_ARIA_128_CTR_HMAC_80 |  ARIA-CTR  | 16 octets  | 10 octets  |
    SRTP_ARIA_128_CTR_HMAC_32 |  ARIA-CTR  | 16 octets  |  4 octets  |
    SRTP_ARIA_256_CTR_HMAC_80 |  ARIA-CTR  | 32 octets  | 10 octets  |
    SRTP_ARIA_256_CTR_HMAC_32 |  ARIA-CTR  | 32 octets  |  4 octets  |
                              +======================================+
        

Figure 1: Mapping MIKEY Parameters to ARIA-CTR with the HMAC Algorithm

图1:使用HMAC算法将MIKEY参数映射到ARIA-CTR

                              +--------------------------------------+
                              | Encryption | Encryption | AEAD Auth. |
                              | Algorithm  | Key Length | Tag Length |
                              +======================================+
       SRTP_AEAD_ARIA_128_GCM |  ARIA-GCM  | 16 octets  | 16 octets  |
       SRTP_AEAD_ARIA_256_GCM |  ARIA-GCM  | 32 octets  | 16 octets  |
                              +======================================+
        
                              +--------------------------------------+
                              | Encryption | Encryption | AEAD Auth. |
                              | Algorithm  | Key Length | Tag Length |
                              +======================================+
       SRTP_AEAD_ARIA_128_GCM |  ARIA-GCM  | 16 octets  | 16 octets  |
       SRTP_AEAD_ARIA_256_GCM |  ARIA-GCM  | 32 octets  | 16 octets  |
                              +======================================+
        

Figure 2: Mapping MIKEY Parameters to the ARIA-GCM Algorithm

图2:将MIKEY参数映射到ARIA-GCM算法

5. Security Considerations
5. 安全考虑

At the time of publication of this document, no security problem has been found on ARIA. Previous security analysis results are summarized in [ATY].

在本文档发布时,在ARIA上未发现任何安全问题。[ATY]中总结了以前的安全分析结果。

The security considerations in [GCM], [RFC3711], [RFC5116], [RFC6188], [RFC6904], and [RFC7714] apply to this document as well. This document includes crypto suites with authentication tags of a length less than 80 bits. These suites MAY be used for certain application contexts where longer authentication tags may be undesirable, for example, those mentioned in [RFC3711], Section 7.5.

[GCM]、[RFC3711]、[RFC5116]、[RFC6188]、[RFC6904]和[RFC7714]中的安全注意事项也适用于本文档。本文档包括长度小于80位的认证标签的加密套件。这些套件可用于某些不需要更长认证标签的应用环境,例如[RFC3711]第7.5节中提到的认证标签。

Otherwise, short authentication tags SHOULD NOT be used, since they may reduce authentication strength. See [RFC3711], Section 9.5 for a discussion of risks related to weak authentication in SRTP.

否则,不应使用短认证标签,因为它们可能会降低认证强度。有关SRTP中弱认证相关风险的讨论,请参见[RFC3711],第9.5节。

At the time of publication of this document, SRTP recommends HMAC-SHA1 as the default and mandatory-to-implement MAC algorithm. All currently registered SRTP crypto suites except the GCM-based ones use HMAC-SHA1 as their HMAC algorithm to provide message authentication. Due to security concerns with SHA-1 [RFC6194], the IETF is gradually moving away from SHA-1 and towards stronger hash algorithms such as SHA-2 or SHA-3 families. For SRTP, however, SHA-1 is only used in the calculation of an HMAC, and no security issue is known for this usage at the time of this publication.

在本文件发布时,SRTP建议将HMAC-SHA1作为实现MAC算法的默认和强制性工具。除基于GCM的SRTP加密套件外,所有当前注册的SRTP加密套件都使用HMAC-SHA1作为其HMAC算法来提供消息身份验证。由于对SHA-1[RFC6194]的安全性担忧,IETF正逐渐从SHA-1转向更强大的散列算法,如SHA-2或SHA-3系列。然而,对于SRTP,SHA-1仅用于HMAC的计算,在本出版物发布时,还不知道这种用法的安全性问题。

6. IANA Considerations
6. IANA考虑
6.1. DTLS-SRTP
6.1. DTLS-SRTP

DTLS-SRTP [RFC5764] defines a DTLS-SRTP "SRTP protection profile". In order to allow the use of the algorithms defined in this document in DTLS-SRTP, IANA has added the following protection profiles below to the "DTLS-SRTP Protection Profiles" registry (see <http://www.iana.org/assignments/srtp-protection/>) created by [RFC5764]:

DTLS-SRTP[RFC5764]定义了DTLS-SRTP“SRTP保护配置文件”。为了允许在DTLS-SRTP中使用本文档中定义的算法,IANA已将以下保护配置文件添加到“DTLS-SRTP保护配置文件”注册表中(请参阅<http://www.iana.org/assignments/srtp-protection/>)由[RFC5764]创建:

      SRTP_ARIA_128_CTR_HMAC_SHA1_80 = {0x00, 0x0B}
      SRTP_ARIA_128_CTR_HMAC_SHA1_32 = {0x00, 0x0C}
      SRTP_ARIA_256_CTR_HMAC_SHA1_80 = {0x00, 0x0D}
      SRTP_ARIA_256_CTR_HMAC_SHA1_32 = {0x00, 0x0E}
      SRTP_AEAD_ARIA_128_GCM = {0x00, 0x0F}
      SRTP_AEAD_ARIA_256_GCM = {0x00, 0x10}
        
      SRTP_ARIA_128_CTR_HMAC_SHA1_80 = {0x00, 0x0B}
      SRTP_ARIA_128_CTR_HMAC_SHA1_32 = {0x00, 0x0C}
      SRTP_ARIA_256_CTR_HMAC_SHA1_80 = {0x00, 0x0D}
      SRTP_ARIA_256_CTR_HMAC_SHA1_32 = {0x00, 0x0E}
      SRTP_AEAD_ARIA_128_GCM = {0x00, 0x0F}
      SRTP_AEAD_ARIA_256_GCM = {0x00, 0x10}
        
6.2. MIKEY
6.2. 米奇

[RFC3830] and [RFC5748] define encryption algorithms and PRFs for the SRTP policy in MIKEY. In order to allow the use of the algorithms defined in this document in MIKEY, IANA has updated the "Multimedia Internet KEYing (MIKEY) Payload Name Spaces" registry (see <http://www.iana.org/assignments/mikey-payloads/>.)

[RFC3830]和[RFC5748]为MIKEY中的SRTP策略定义加密算法和PRF。为了允许在MIKEY中使用本文档中定义的算法,IANA更新了“多媒体互联网密钥(MIKEY)有效负载名称空间”注册表(见<http://www.iana.org/assignments/mikey-payloads/>.)

IANA has registered the following two encryption algorithms in the "Encryption algorithm (Value 0)" subregistry within the "MIKEY Security Protocol Parameters" registry:

IANA已在“MIKEY Security Protocol Parameters”注册表的“encryption algorithm(Value 0)”子区域中注册了以下两种加密算法:

                         +---------------+-------+
                         | SRTP encr alg | Value |
                         +---------------+-------+
                         |    ARIA-CTR   |   7   |
                         |    ARIA-GCM   |   8   |
                         +---------------+-------+
        
                         +---------------+-------+
                         | SRTP encr alg | Value |
                         +---------------+-------+
                         |    ARIA-CTR   |   7   |
                         |    ARIA-GCM   |   8   |
                         +---------------+-------+
        

The default session encryption key length is 16 octets.

默认会话加密密钥长度为16个八位字节。

IANA has registered the following PRF in the "SRTP Pseudo Random Function (Value 5)" subregistry within the "MIKEY Security Protocol Parameters" registry:

IANA已在“MIKEY Security Protocol Parameters”注册表中的“SRTP伪随机函数(值5)”子区域中注册了以下PRF:

                           +----------+-------+
                           | SRTP PRF | Value |
                           +----------+-------+
                           | ARIA-CTR |   2   |
                           +----------+-------+
        
                           +----------+-------+
                           | SRTP PRF | Value |
                           +----------+-------+
                           | ARIA-CTR |   2   |
                           +----------+-------+
        
7. References
7. 工具书类
7.1. Normative References
7.1. 规范性引用文件

[GCM] Dworkin, M., "Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC", NIST Special publication 800-38D, DOI 10.6028/NIST.SP.800-38D, November 2007.

[GCM]Dworkin,M.“分组密码操作模式的建议:Galois/计数器模式(GCM)和GMAC”,NIST特别出版物800-38D,DOI 10.6028/NIST.SP.800-38D,2007年11月。

[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997, <https://www.rfc-editor.org/info/rfc2119>.

[RFC2119]Bradner,S.,“RFC中用于表示需求水平的关键词”,BCP 14,RFC 2119,DOI 10.17487/RFC2119,1997年3月<https://www.rfc-editor.org/info/rfc2119>.

[RFC3550] Schulzrinne, H., Casner, S., Frederick, R., and V. Jacobson, "RTP: A Transport Protocol for Real-Time Applications", STD 64, RFC 3550, DOI 10.17487/RFC3550, July 2003, <https://www.rfc-editor.org/info/rfc3550>.

[RFC3550]Schulzrinne,H.,Casner,S.,Frederick,R.,和V.Jacobson,“RTP:实时应用的传输协议”,STD 64,RFC 3550,DOI 10.17487/RFC3550,2003年7月<https://www.rfc-editor.org/info/rfc3550>.

[RFC3711] Baugher, M., McGrew, D., Naslund, M., Carrara, E., and K. Norrman, "The Secure Real-time Transport Protocol (SRTP)", RFC 3711, DOI 10.17487/RFC3711, March 2004, <https://www.rfc-editor.org/info/rfc3711>.

[RFC3711]Baugher,M.,McGrew,D.,Naslund,M.,Carrara,E.,和K.Norrman,“安全实时传输协议(SRTP)”,RFC 3711,DOI 10.17487/RFC3711,2004年3月<https://www.rfc-editor.org/info/rfc3711>.

[RFC3830] Arkko, J., Carrara, E., Lindholm, F., Naslund, M., and K. Norrman, "MIKEY: Multimedia Internet KEYing", RFC 3830, DOI 10.17487/RFC3830, August 2004, <https://www.rfc-editor.org/info/rfc3830>.

[RFC3830]Arkko,J.,Carrara,E.,Lindholm,F.,Naslund,M.,和K.Norrman,“米奇:多媒体互联网键控”,RFC 3830,DOI 10.17487/RFC3830,2004年8月<https://www.rfc-editor.org/info/rfc3830>.

[RFC5116] McGrew, D., "An Interface and Algorithms for Authenticated Encryption", RFC 5116, DOI 10.17487/RFC5116, January 2008, <https://www.rfc-editor.org/info/rfc5116>.

[RFC5116]McGrew,D.“认证加密的接口和算法”,RFC 5116,DOI 10.17487/RFC5116,2008年1月<https://www.rfc-editor.org/info/rfc5116>.

[RFC5282] Black, D. and D. McGrew, "Using Authenticated Encryption Algorithms with the Encrypted Payload of the Internet Key Exchange version 2 (IKEv2) Protocol", RFC 5282, DOI 10.17487/RFC5282, August 2008, <https://www.rfc-editor.org/info/rfc5282>.

[RFC5282]Black,D.和D.McGrew,“使用互联网密钥交换版本2(IKEv2)协议的加密有效载荷的认证加密算法”,RFC 5282,DOI 10.17487/RFC5282,2008年8月<https://www.rfc-editor.org/info/rfc5282>.

[RFC5764] McGrew, D. and E. Rescorla, "Datagram Transport Layer Security (DTLS) Extension to Establish Keys for the Secure Real-time Transport Protocol (SRTP)", RFC 5764, DOI 10.17487/RFC5764, May 2010, <https://www.rfc-editor.org/info/rfc5764>.

[RFC5764]McGrew,D.和E.Rescorla,“为安全实时传输协议(SRTP)建立密钥的数据报传输层安全(DTLS)扩展”,RFC 5764,DOI 10.17487/RFC5764,2010年5月<https://www.rfc-editor.org/info/rfc5764>.

[RFC5794] Lee, J., Lee, J., Kim, J., Kwon, D., and C. Kim, "A Description of the ARIA Encryption Algorithm", RFC 5794, DOI 10.17487/RFC5794, March 2010, <https://www.rfc-editor.org/info/rfc5794>.

[RFC5794]Lee,J.,Lee,J.,Kim,J.,Kwon,D.,和C.Kim,“ARIA加密算法的描述”,RFC 5794,DOI 10.17487/RFC57942010年3月<https://www.rfc-editor.org/info/rfc5794>.

[RFC6188] McGrew, D., "The Use of AES-192 and AES-256 in Secure RTP", RFC 6188, DOI 10.17487/RFC6188, March 2011, <https://www.rfc-editor.org/info/rfc6188>.

[RFC6188]McGrew,D.,“AES-192和AES-256在安全RTP中的使用”,RFC 6188,DOI 10.17487/RFC6188,2011年3月<https://www.rfc-editor.org/info/rfc6188>.

[RFC6904] Lennox, J., "Encryption of Header Extensions in the Secure Real-time Transport Protocol (SRTP)", RFC 6904, DOI 10.17487/RFC6904, April 2013, <https://www.rfc-editor.org/info/rfc6904>.

[RFC6904]Lennox,J.,“安全实时传输协议(SRTP)中的报头扩展加密”,RFC 6904,DOI 10.17487/RFC6904,2013年4月<https://www.rfc-editor.org/info/rfc6904>.

[RFC7714] McGrew, D. and K. Igoe, "AES-GCM Authenticated Encryption in the Secure Real-time Transport Protocol (SRTP)", RFC 7714, DOI 10.17487/RFC7714, December 2015, <https://www.rfc-editor.org/info/rfc7714>.

[RFC7714]McGrew,D.和K.Igoe,“安全实时传输协议(SRTP)中的AES-GCM认证加密”,RFC 7714,DOI 10.17487/RFC7714,2015年12月<https://www.rfc-editor.org/info/rfc7714>.

[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, May 2017, <https://www.rfc-editor.org/info/rfc8174>.

[RFC8174]Leiba,B.,“RFC 2119关键词中大写与小写的歧义”,BCP 14,RFC 8174,DOI 10.17487/RFC8174,2017年5月<https://www.rfc-editor.org/info/rfc8174>.

7.2. Informative References
7.2. 资料性引用

[ARIAKS] Korean Agency for Technology and Standards, "128 bit block encryption algorithm ARIA - Part 1: General (in Korean)", KS X 1213-1:2014, December 2014.

[Ariks]韩国技术和标准局,“128位块加密算法ARIA-第1部分:概述(韩文)”,KS X 1213-1:2014,2014年12月。

[ARIAPKCS] RSA Laboratories, "Additional PKCS #11 Mechanisms", PKCS #11 v2.20, Amendment 3, Revision 1, January 2007.

[ARIAPKCS]RSA实验室,“附加PKCS#11机制”,PKCS#11 v2.20,修订版3,修订版1,2007年1月。

[ATY] Abdelkhalek, A., Tolba, M., and A. Youssef, "Improved Linear Cryptanalysis of Round-Reduced ARIA", Information Security - ISC 2016, Lecture Notes in Computer Science (LNCS), Vol. 9866, pp. 18-34, DOI 10.1007/978-3-319-45871-7_2, September 2016.

[ATY]Abdelkhalek,A.,Tolba,M.和A.Youssef,“改进的圆缩略ARIA线性密码分析”,信息安全-ISC 2016,计算机科学(LNCS)课堂讲稿,第9866卷,第18-34页,DOI 10.1007/978-3-319-45871-7Ø2,2016年9月。

[RFC5748] Yoon, S., Jeong, J., Kim, H., Jeong, H., and Y. Won, "IANA Registry Update for Support of the SEED Cipher Algorithm in Multimedia Internet KEYing (MIKEY)", RFC 5748, DOI 10.17487/RFC5748, August 2010, <https://www.rfc-editor.org/info/rfc5748>.

[RFC5748]Yoon,S.,Jeong,J.,Kim,H.,Jeong,H.,和Y.Won,“支持多媒体互联网密钥(MIKEY)中种子密码算法的IANA注册表更新”,RFC 5748,DOI 10.17487/RFC5748,2010年8月<https://www.rfc-editor.org/info/rfc5748>.

[RFC6194] Polk, T., Chen, L., Turner, S., and P. Hoffman, "Security Considerations for the SHA-0 and SHA-1 Message-Digest Algorithms", RFC 6194, DOI 10.17487/RFC6194, March 2011, <https://www.rfc-editor.org/info/rfc6194>.

[RFC6194]Polk,T.,Chen,L.,Turner,S.,和P.Hoffman,“SHA-0和SHA-1消息摘要算法的安全考虑”,RFC 6194,DOI 10.17487/RFC6194,2011年3月<https://www.rfc-editor.org/info/rfc6194>.

Appendix A. Test Vectors
附录A.测试向量

All values are in hexadecimal and represented by the network order (called big endian).

所有值均为十六进制,并以网络顺序表示(称为big-endian)。

A.1. ARIA-CTR Test Vectors
A.1. ARIA-CTR测试向量

Common values are organized as follows:

通用值的组织方式如下:

      Rollover Counter:          00000000
      Sequence Number:           315e
      SSRC:                      20e8f5eb
      Authentication Key:        f93563311b354748c978913795530631
                                 16452309
      Session Salt:              cd3a7c42c671e0067a2a2639b43a
      Initialization Vector:     cd3a7c42e69915ed7a2a263985640000
      RTP Header:                8008315ebf2e6fe020e8f5eb
      RTP Payload:               f57af5fd4ae19562976ec57a5a7ad55a
                                 5af5c5e5c5fdf5c55ad57a4a7272d572
                                 62e9729566ed66e97ac54a4a5a7ad5e1
                                 5ae5fdd5fd5ac5d56ae56ad5c572d54a
                                 e54ac55a956afd6aed5a4ac562957a95
                                 16991691d572fd14e97ae962ed7a9f4a
                                 955af572e162f57a956666e17ae1f54a
                                 95f566d54a66e16e4afd6a9f7ae1c5c5
                                 5ae5d56afde916c5e94a6ec56695e14a
                                 fde1148416e94ad57ac5146ed59d1cc5
        
      Rollover Counter:          00000000
      Sequence Number:           315e
      SSRC:                      20e8f5eb
      Authentication Key:        f93563311b354748c978913795530631
                                 16452309
      Session Salt:              cd3a7c42c671e0067a2a2639b43a
      Initialization Vector:     cd3a7c42e69915ed7a2a263985640000
      RTP Header:                8008315ebf2e6fe020e8f5eb
      RTP Payload:               f57af5fd4ae19562976ec57a5a7ad55a
                                 5af5c5e5c5fdf5c55ad57a4a7272d572
                                 62e9729566ed66e97ac54a4a5a7ad5e1
                                 5ae5fdd5fd5ac5d56ae56ad5c572d54a
                                 e54ac55a956afd6aed5a4ac562957a95
                                 16991691d572fd14e97ae962ed7a9f4a
                                 955af572e162f57a956666e17ae1f54a
                                 95f566d54a66e16e4afd6a9f7ae1c5c5
                                 5ae5d56afde916c5e94a6ec56695e14a
                                 fde1148416e94ad57ac5146ed59d1cc5
        

Note: SSRC = Synchronization Source

注:SSRC=同步源

A.1.1. SRTP_ARIA_128_CTR_HMAC_SHA1_80
A.1.1. SRTP_ARIA_128_CTR_HMAC_SHA1_80
      Session Key:               0c5ffd37a11edc42c325287fc0604f2e
        
      Session Key:               0c5ffd37a11edc42c325287fc0604f2e
        
      Encrypted RTP Payload:     1bf753f412e6f35058cc398dc851aae3
                                 a6ccdcb463fbed9cfb3de2fb76fdffa9
                                 e481f5efb64c92487f59dabbc7cc72da
                                 092485f3fbad87888820b86037311fa4
                                 4330e18a59a1e1338ba2c21458493a57
                                 463475c54691f91cec785429119e0dfc
                                 d9048f90e07fecd50b528e8c62ee6e71
                                 445de5d7f659405135aff3604c2ca4ff
                                 4aaca40809cb9eee42cc4ad232307570
                                 81ca289f2851d3315e9568b501fdce6d
        
      Encrypted RTP Payload:     1bf753f412e6f35058cc398dc851aae3
                                 a6ccdcb463fbed9cfb3de2fb76fdffa9
                                 e481f5efb64c92487f59dabbc7cc72da
                                 092485f3fbad87888820b86037311fa4
                                 4330e18a59a1e1338ba2c21458493a57
                                 463475c54691f91cec785429119e0dfc
                                 d9048f90e07fecd50b528e8c62ee6e71
                                 445de5d7f659405135aff3604c2ca4ff
                                 4aaca40809cb9eee42cc4ad232307570
                                 81ca289f2851d3315e9568b501fdce6d
        
      Authenticated Portion || Rollover Counter:
                                 8008315ebf2e6fe020e8f5eb1bf753f4
                                 12e6f35058cc398dc851aae3a6ccdcb4
                                 63fbed9cfb3de2fb76fdffa9e481f5ef
                                 b64c92487f59dabbc7cc72da092485f3
                                 fbad87888820b86037311fa44330e18a
                                 59a1e1338ba2c21458493a57463475c5
                                 4691f91cec785429119e0dfcd9048f90
                                 e07fecd50b528e8c62ee6e71445de5d7
                                 f659405135aff3604c2ca4ff4aaca408
                                 09cb9eee42cc4ad23230757081ca289f
                                 2851d3315e9568b501fdce6d00000000
        
      Authenticated Portion || Rollover Counter:
                                 8008315ebf2e6fe020e8f5eb1bf753f4
                                 12e6f35058cc398dc851aae3a6ccdcb4
                                 63fbed9cfb3de2fb76fdffa9e481f5ef
                                 b64c92487f59dabbc7cc72da092485f3
                                 fbad87888820b86037311fa44330e18a
                                 59a1e1338ba2c21458493a57463475c5
                                 4691f91cec785429119e0dfcd9048f90
                                 e07fecd50b528e8c62ee6e71445de5d7
                                 f659405135aff3604c2ca4ff4aaca408
                                 09cb9eee42cc4ad23230757081ca289f
                                 2851d3315e9568b501fdce6d00000000
        

Authentication Tag: f9de4e729054672b0e35

身份验证标签:f9de4e729054672b0e35

A.1.2. SRTP_ARIA_256_CTR_HMAC_SHA1_80
A.1.2. SRTP_ARIA_256_CTR_HMAC_SHA1_80
      Session Key:               0c5ffd37a11edc42c325287fc0604f2e
                                 3e8cd5671a00fe3216aa5eb105783b54
        
      Session Key:               0c5ffd37a11edc42c325287fc0604f2e
                                 3e8cd5671a00fe3216aa5eb105783b54
        
      Encrypted RTP Payload:     c424c59fd5696305e5b13d8e8ca76566
                                 17ccd7471088af9debf07b55c750f804
                                 a5ac2b737be48140958a9b420524112a
                                 e72e4da5bca59d2b1019ddd7dbdc30b4
                                 3d5f046152ced40947d62d2c93e7b8e5
                                 0f02db2b6b61b010e4c1566884de1fa9
                                 702cdf8157e8aedfe3dd77c76bb50c25
                                 ae4d624615c15acfdeeb5f79482aaa01
                                 d3e4c05eb601eca2bd10518e9d46b021
                                 16359232e9eac0fabd05235dd09e6dea
        
      Encrypted RTP Payload:     c424c59fd5696305e5b13d8e8ca76566
                                 17ccd7471088af9debf07b55c750f804
                                 a5ac2b737be48140958a9b420524112a
                                 e72e4da5bca59d2b1019ddd7dbdc30b4
                                 3d5f046152ced40947d62d2c93e7b8e5
                                 0f02db2b6b61b010e4c1566884de1fa9
                                 702cdf8157e8aedfe3dd77c76bb50c25
                                 ae4d624615c15acfdeeb5f79482aaa01
                                 d3e4c05eb601eca2bd10518e9d46b021
                                 16359232e9eac0fabd05235dd09e6dea
        
      Authenticated Portion || Rollover Counter:
                                 8008315ebf2e6fe020e8f5ebc424c59f
                                 d5696305e5b13d8e8ca7656617ccd747
                                 1088af9debf07b55c750f804a5ac2b73
                                 7be48140958a9b420524112ae72e4da5
                                 bca59d2b1019ddd7dbdc30b43d5f0461
                                 52ced40947d62d2c93e7b8e50f02db2b
                                 6b61b010e4c1566884de1fa9702cdf81
                                 57e8aedfe3dd77c76bb50c25ae4d6246
                                 15c15acfdeeb5f79482aaa01d3e4c05e
                                 b601eca2bd10518e9d46b02116359232
                                 e9eac0fabd05235dd09e6dea00000000
        
      Authenticated Portion || Rollover Counter:
                                 8008315ebf2e6fe020e8f5ebc424c59f
                                 d5696305e5b13d8e8ca7656617ccd747
                                 1088af9debf07b55c750f804a5ac2b73
                                 7be48140958a9b420524112ae72e4da5
                                 bca59d2b1019ddd7dbdc30b43d5f0461
                                 52ced40947d62d2c93e7b8e50f02db2b
                                 6b61b010e4c1566884de1fa9702cdf81
                                 57e8aedfe3dd77c76bb50c25ae4d6246
                                 15c15acfdeeb5f79482aaa01d3e4c05e
                                 b601eca2bd10518e9d46b02116359232
                                 e9eac0fabd05235dd09e6dea00000000
        

Authentication Tag: 192f515fab04bbb4e62c

认证标签:192f515fab04bbb4e62c

A.2. ARIA-GCM Test Vectors
A.2. ARIA-GCM测试向量

Common values are organized as follows:

通用值的组织方式如下:

Rollover Counter: 00000000 Sequence Number: 315e SSRC: 20e8f5eb Encryption Salt: 000000000000000000000000

滚动计数器:00000000序列号:315e SSRC:20e8f5eb加密盐:000000000000000000

Initialization Vector: 000020e8f5eb00000000315e RTP Payload: f57af5fd4ae19562976ec57a5a7ad55a 5af5c5e5c5fdf5c55ad57a4a7272d572 62e9729566ed66e97ac54a4a5a7ad5e1 5ae5fdd5fd5ac5d56ae56ad5c572d54a e54ac55a956afd6aed5a4ac562957a95 16991691d572fd14e97ae962ed7a9f4a 955af572e162f57a956666e17ae1f54a 95f566d54a66e16e4afd6a9f7ae1c5c5 5ae5d56afde916c5e94a6ec56695e14a fde1148416e94ad57ac5146ed59d1cc5 Associated Data: 8008315ebf2e6fe020e8f5eb

初始化向量:000020e8f5eb00000000315e RTP有效载荷:f57af5fd4ae19562976ec57a5a7ad55a 5AF5C55E5C5FDF5AD57A4A72D572 62e9729566ed66e97ac54a4a5a7ad5e1 5AE5FD5AC5D56AE56AD5C572D54A E54AC55A956AFD6AD5A4AC562957A95 16991691D57214FDE97AE962ED7A9F4A 5AF572E565E567E566E5F567A6AE545F567A5A5577A5AE545F56A6F567A5F567A5AE5F567A6A5F567A5A5A5F5F5A5A5A5F5A5A5F5F5ae5d56afde916c5e94a6ec56695e14a fde1148416e94ad57ac5146ed59d1cc5相关数据:8008315ebf2e6fe020e8f5eb

The encrypted RTP payload is longer than the RTP payload by exactly the GCM authentication tag length (16 octets).

加密的RTP有效负载比RTP有效负载长出GCM认证标签长度(16个八位字节)。

A.2.1. SRTP_AEAD_ARIA_128_GCM
A.2.1. SRTP_AEAD_ARIA_128_GCM
      Key:                       e91e5e75da65554a48181f3846349562
        
      Key:                       e91e5e75da65554a48181f3846349562
        
      Encrypted RTP Payload:     4d8a9a0675550c704b17d8c9ddc81a5c
                                 d6f7da34f2fe1b3db7cb3dfb9697102e
                                 a0f3c1fc2dbc873d44bceeae8e444297
                                 4ba21ff6789d3272613fb9631a7cf3f1
                                 4bacbeb421633a90ffbe58c2fa6bdca5
                                 34f10d0de0502ce1d531b6336e588782
                                 78531e5c22bc6c85bbd784d78d9e680a
                                 a19031aaf89101d669d7a3965c1f7e16
                                 229d7463e0535f4e253f5d18187d40b8
                                 ae0f564bd970b5e7e2adfb211e89a953
                                 5abace3f37f5a736f4be984bbffbedc1
        
      Encrypted RTP Payload:     4d8a9a0675550c704b17d8c9ddc81a5c
                                 d6f7da34f2fe1b3db7cb3dfb9697102e
                                 a0f3c1fc2dbc873d44bceeae8e444297
                                 4ba21ff6789d3272613fb9631a7cf3f1
                                 4bacbeb421633a90ffbe58c2fa6bdca5
                                 34f10d0de0502ce1d531b6336e588782
                                 78531e5c22bc6c85bbd784d78d9e680a
                                 a19031aaf89101d669d7a3965c1f7e16
                                 229d7463e0535f4e253f5d18187d40b8
                                 ae0f564bd970b5e7e2adfb211e89a953
                                 5abace3f37f5a736f4be984bbffbedc1
        
A.2.2. SRTP_AEAD_ARIA_256_GCM
A.2.2. SRTP_AEAD_ARIA_256_GCM
      Key:                       0c5ffd37a11edc42c325287fc0604f2e
                                 3e8cd5671a00fe3216aa5eb105783b54
        
      Key:                       0c5ffd37a11edc42c325287fc0604f2e
                                 3e8cd5671a00fe3216aa5eb105783b54
        
      Encrypted RTP Payload:     6f9e4bcbc8c85fc0128fb1e4a0a20cb9
                                 932ff74581f54fc013dd054b19f99371
                                 425b352d97d3f337b90b63d1b082adee
                                 ea9d2d7391897d591b985e55fb50cb53
                                 50cf7d38dc27dda127c078a149c8eb98
                                 083d66363a46e3726af217d3a00275ad
                                 5bf772c7610ea4c23006878f0ee69a83
                                 97703169a419303f40b72e4573714d19
                                 e2697df61e7c7252e5abc6bade876ac4
                                 961bfac4d5e867afca351a48aed52822
                                 e210d6ced2cf430ff841472915e7ef48
        
      Encrypted RTP Payload:     6f9e4bcbc8c85fc0128fb1e4a0a20cb9
                                 932ff74581f54fc013dd054b19f99371
                                 425b352d97d3f337b90b63d1b082adee
                                 ea9d2d7391897d591b985e55fb50cb53
                                 50cf7d38dc27dda127c078a149c8eb98
                                 083d66363a46e3726af217d3a00275ad
                                 5bf772c7610ea4c23006878f0ee69a83
                                 97703169a419303f40b72e4573714d19
                                 e2697df61e7c7252e5abc6bade876ac4
                                 961bfac4d5e867afca351a48aed52822
                                 e210d6ced2cf430ff841472915e7ef48
        
A.3. Key Derivation Test Vectors
A.3. 密钥派生测试向量

This section provides test vectors for the default key derivation function that uses ARIA in Counter Mode. In the following, we walk through the initial key derivation for the ARIA Counter Mode cipher that requires a session encryption key of 16/24/32 octets according to the session encryption key length, a 14-octet session salt, and an authentication function that requires a 94-octet session authentication key. These values are called the cipher key, the cipher salt, and the auth key in the following. The test vectors are generated in the same way with the test vectors of key derivation functions in [RFC3711] and [RFC6188] but with each invocation of AES replaced with an invocation of ARIA.

本节为在计数器模式下使用ARIA的默认密钥派生函数提供测试向量。在下文中,我们将介绍ARIA计数器模式密码的初始密钥派生,该密码根据会话加密密钥长度需要16/24/32个八位字节的会话加密密钥、14个八位字节的会话salt以及需要94个八位字节会话认证密钥的认证函数。这些值在下文中称为密码密钥、密码盐和身份验证密钥。测试向量的生成方式与[RFC3711]和[RFC6188]中键派生函数的测试向量相同,但每次调用AES都被调用ARIA替换。

A.3.1. ARIA_128_CTR_PRF
A.3.1. ARIA_128_中心_PRF

The inputs to the key derivation function are the 16-octet master key and the 14-octet master salt:

密钥派生函数的输入是16个八位字节的主密钥和14个八位字节的主密钥:

master key: e1f97a0d3e018be0d64fa32c06de4139 master salt: 0ec675ad498afeebb6960b3aabe6

主密钥:e1f97a0d3e018be0d64fa32c06de4139主密钥:0ec675ad498afeebb6960b3aabe6

     index DIV kdr:                 000000000000
     label:                       00
     master salt:   0ec675ad498afeebb6960b3aabe6
     -----------------------------------------------
     xor:           0ec675ad498afeebb6960b3aabe6     (x, PRF input)
        
     index DIV kdr:                 000000000000
     label:                       00
     master salt:   0ec675ad498afeebb6960b3aabe6
     -----------------------------------------------
     xor:           0ec675ad498afeebb6960b3aabe6     (x, PRF input)
        
     x*2^16:        0ec675ad498afeebb6960b3aabe60000 (ARIA-CTR input)
        
     x*2^16:        0ec675ad498afeebb6960b3aabe60000 (ARIA-CTR input)
        

cipher key: dbd85a3c4d9219b3e81f7d942e299de4 (ARIA-CTR output)

密码密钥:dbd85a3c4d9219b3e81f7d942e299de4(ARIA-CTR输出)

ARIA-CTR protection profile requires a 14-octet cipher salt while ARIA-GCM protection profile requires a 12-octet cipher salt.

ARIA-CTR保护配置文件需要14个八位字节的密码盐,而ARIA-GCM保护配置文件需要12个八位字节的密码盐。

     index DIV kdr:                 000000000000
     label:                       02
     master salt:   0ec675ad498afeebb6960b3aabe6
     ----------------------------------------------
     xor:           0ec675ad498afee9b6960b3aabe6     (x, PRF input)
        
     index DIV kdr:                 000000000000
     label:                       02
     master salt:   0ec675ad498afeebb6960b3aabe6
     ----------------------------------------------
     xor:           0ec675ad498afee9b6960b3aabe6     (x, PRF input)
        
     x*2^16:        0ec675ad498afee9b6960b3aabe60000 (ARIA-CTR input)
        
     x*2^16:        0ec675ad498afee9b6960b3aabe60000 (ARIA-CTR input)
        

9700657f5f34161830d7d85f5dc8be7f (ARIA-CTR output)

9700657f5f34161830d7d85f5dc8be7f(ARIA-CTR输出)

     cipher salt:   9700657f5f34161830d7d85f5dc8     (ARIA-CTR profile)
                    9700657f5f34161830d7d85f         (ARIA-GCM profile)
     index DIV kdr:                 000000000000
     label:                       01
     master salt:   0ec675ad498afeebb6960b3aabe6
     -----------------------------------------------
     xor:           0ec675ad498afeeab6960b3aabe6     (x, PRF input)
        
     cipher salt:   9700657f5f34161830d7d85f5dc8     (ARIA-CTR profile)
                    9700657f5f34161830d7d85f         (ARIA-GCM profile)
     index DIV kdr:                 000000000000
     label:                       01
     master salt:   0ec675ad498afeebb6960b3aabe6
     -----------------------------------------------
     xor:           0ec675ad498afeeab6960b3aabe6     (x, PRF input)
        
     x*2^16:        0ec675ad498afeeab6960b3aabe60000 (ARIA-CTR input)
        
     x*2^16:        0ec675ad498afeeab6960b3aabe60000 (ARIA-CTR input)
        

Below, the auth key is shown on the left, while the corresponding ARIA input blocks are shown on the right.

下面,auth键显示在左侧,而相应的ARIA输入块显示在右侧。

auth key ARIA input blocks

验证键输入块

     d021877bd3eaf92d581ed70ddc050e03  0ec675ad498afeeab6960b3aabe60000
     f11257032676f2a29f57b21abd3a1423  0ec675ad498afeeab6960b3aabe60001
     769749bdc5dd9ca5b43ca6b6c1f3a7de  0ec675ad498afeeab6960b3aabe60002
     4047904bcf811f601cc03eaa5d7af6db  0ec675ad498afeeab6960b3aabe60003
     9f88efa2e51ca832fc2a15b126fa7be2  0ec675ad498afeeab6960b3aabe60004
     469af896acb1852c31d822c45799      0ec675ad498afeeab6960b3aabe60005
        
     d021877bd3eaf92d581ed70ddc050e03  0ec675ad498afeeab6960b3aabe60000
     f11257032676f2a29f57b21abd3a1423  0ec675ad498afeeab6960b3aabe60001
     769749bdc5dd9ca5b43ca6b6c1f3a7de  0ec675ad498afeeab6960b3aabe60002
     4047904bcf811f601cc03eaa5d7af6db  0ec675ad498afeeab6960b3aabe60003
     9f88efa2e51ca832fc2a15b126fa7be2  0ec675ad498afeeab6960b3aabe60004
     469af896acb1852c31d822c45799      0ec675ad498afeeab6960b3aabe60005
        
A.3.2. ARIA_256_CTR_PRF
A.3.2. ARIA_256_中心_PRF

The inputs to the key derivation function are the 32-octet master key and the 14-octet master salt:

密钥派生函数的输入为32个八位组主密钥和14个八位组主密钥:

master key: 0c5ffd37a11edc42c325287fc0604f2e 3e8cd5671a00fe3216aa5eb105783b54 master salt: 0ec675ad498afeebb6960b3aabe6

主密钥:0c5ffd37a11edc42c325287fc0604f2e 3E8CD5671A00FE3216A5EB105783B54主密钥:0ec675ad498afeebb6960b3aabe6

     index DIV kdr:               000000000000
     label:                     00
     master salt: 0ec675ad498afeebb6960b3aabe6
     -----------------------------------------------
     xor:         0ec675ad498afeebb6960b3aabe6     (x, PRF input)
        
     index DIV kdr:               000000000000
     label:                     00
     master salt: 0ec675ad498afeebb6960b3aabe6
     -----------------------------------------------
     xor:         0ec675ad498afeebb6960b3aabe6     (x, PRF input)
        
     x*2^16:      0ec675ad498afeebb6960b3aabe60000 (ARIA-CTR input)
        
     x*2^16:      0ec675ad498afeebb6960b3aabe60000 (ARIA-CTR input)
        

cipher key: 0649a09d93755fe9c2b2efba1cce930a (ARIA-CTR 1st output) f2e76ce8b77e4b175950321aa94b0cf4 (ARIA-CTR 2nd output)

密码密钥:0649a09d93755fe9c2b2efba1cce930a(ARIA-CTR第一次输出)f2e76ce8b77e4b175950321aa94b0cf4(ARIA-CTR第二次输出)

ARIA-CTR protection profile requires a 14-octet cipher salt while ARIA-GCM protection profile requires a 12-octet cipher salt.

ARIA-CTR保护配置文件需要14个八位字节的密码盐,而ARIA-GCM保护配置文件需要12个八位字节的密码盐。

     index DIV kdr:                000000000000
     label:                      02
     master salt:  0ec675ad498afeebb6960b3aabe6
     ----------------------------------------------
     xor:          0ec675ad498afee9b6960b3aabe6     (x, PRF input)
        
     index DIV kdr:                000000000000
     label:                      02
     master salt:  0ec675ad498afeebb6960b3aabe6
     ----------------------------------------------
     xor:          0ec675ad498afee9b6960b3aabe6     (x, PRF input)
        
     x*2^16:       0ec675ad498afee9b6960b3aabe60000 (ARIA-CTR input)
        
     x*2^16:       0ec675ad498afee9b6960b3aabe60000 (ARIA-CTR input)
        

194abaa8553a8eba8a413a340fc80a3d (ARIA-CTR output)

194abaa8553a8eba8a413a340fc80a3d(ARIA-CTR输出)

cipher salt: 194abaa8553a8eba8a413a340fc8 (ARIA-CTR profile) 194abaa8553a8eba8a413a34 (ARIA-GCM profile)

密码盐:194abaa8553a8eba8a413a340fc8(ARIA-CTR配置文件)194abaa8553a8eba8a413a34(ARIA-GCM配置文件)

     index DIV kdr:                000000000000
     label:                      01
     master salt:  0ec675ad498afeebb6960b3aabe6
     -----------------------------------------------
     xor:          0ec675ad498afeeab6960b3aabe6     (x, PRF input)
        
     index DIV kdr:                000000000000
     label:                      01
     master salt:  0ec675ad498afeebb6960b3aabe6
     -----------------------------------------------
     xor:          0ec675ad498afeeab6960b3aabe6     (x, PRF input)
        
     x*2^16:       0ec675ad498afeeab6960b3aabe60000 (ARIA-CTR input)
        
     x*2^16:       0ec675ad498afeeab6960b3aabe60000 (ARIA-CTR input)
        

Below, the auth key is shown on the left, while the corresponding ARIA input blocks are shown on the right.

下面,auth键显示在左侧,而相应的ARIA输入块显示在右侧。

auth key ARIA input blocks

验证键输入块

     e58d42915873b71899234807334658f2   0ec675ad498afeeab6960b3aabe60000
     0bc460181d06e02b7a9e60f02ff10bfc   0ec675ad498afeeab6960b3aabe60001
     9ade3795cf78f3e0f2556d9d913470c4   0ec675ad498afeeab6960b3aabe60002
     e82e45d254bfb8e2933851a3930ffe7d   0ec675ad498afeeab6960b3aabe60003
     fca751c03ec1e77e35e28dac4f17d1a5   0ec675ad498afeeab6960b3aabe60004
     80bdac028766d3b1e8f5a41faa3c       0ec675ad498afeeab6960b3aabe60005
        
     e58d42915873b71899234807334658f2   0ec675ad498afeeab6960b3aabe60000
     0bc460181d06e02b7a9e60f02ff10bfc   0ec675ad498afeeab6960b3aabe60001
     9ade3795cf78f3e0f2556d9d913470c4   0ec675ad498afeeab6960b3aabe60002
     e82e45d254bfb8e2933851a3930ffe7d   0ec675ad498afeeab6960b3aabe60003
     fca751c03ec1e77e35e28dac4f17d1a5   0ec675ad498afeeab6960b3aabe60004
     80bdac028766d3b1e8f5a41faa3c       0ec675ad498afeeab6960b3aabe60005
        

Authors' Addresses

作者地址

Woo-Hwan Kim National Security Research Institute P.O. Box 1, Yuseong Daejeon 34188 Korea

吴焕金国家安全研究所,韩国大田余城1号信箱,邮编34188

   Email: whkim5@nsr.re.kr
        
   Email: whkim5@nsr.re.kr
        

Jungkeun Lee National Security Research Institute P.O. Box 1, Yuseong Daejeon 34188 Korea

韩国大田余城李正根国家安全研究所邮政信箱1 34188

   Email: jklee@nsr.re.kr
        
   Email: jklee@nsr.re.kr
        

Je-Hong Park National Security Research Institute P.O. Box 1, Yuseong Daejeon 34188 Korea

韩国大田裕成区第1号邮政信箱,Je Hong Park国家安全研究所,邮编:34188

   Email: jhpark@nsr.re.kr
        
   Email: jhpark@nsr.re.kr
        

Daesung Kwon National Security Research Institute P.O. Box 1, Yuseong Daejeon 34188 Korea

韩国大田裕盛县大松权国家安全研究所邮政信箱1,邮编34188

   Email: ds_kwon@nsr.re.kr
        
   Email: ds_kwon@nsr.re.kr
        

Dong-Chan Kim Kookmin University 77 Jeongneung-ro, Seongbuk-gu Seoul 02707 Korea

东灿金国民大学韩国首尔城步镇正东路77号02707

   Email: dckim@kookmin.ac.kr
        
   Email: dckim@kookmin.ac.kr