<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE rfc SYSTEM'rfc2629.dtd' []>"rfc2629-xhtml.ent"> <rfc xmlns:xi="http://www.w3.org/2001/XInclude" ipr="trust200902" submissionType="IETF" category="std"docName="draft-ietf-perc-srtp-ekt-diet-13"> <?rfc toc="yes"?> <?rfc symrefs="yes"?> <?rfc sortrefs="yes"?> <?rfc compact="yes"?> <?rfc subcompact="no"?> <?rfc private=""?> <?rfc topblock="yes"?> <?rfc comments="no"?>consensus="true" docName="draft-ietf-perc-srtp-ekt-diet-13" number="8870" obsoletes="" updates="" xml:lang="en" tocInclude="true" symRefs="true" sortRefs="true" version="3"> <!-- xml2rfc v2v3 conversion 2.46.0 --> <front> <title abbrev="EKT SRTP">Encrypted Key Transport for DTLS and Secure RTP</title> <seriesInfo name="RFC" value="8870"/> <author initials="C." surname="Jennings" fullname="Cullen Jennings"> <organization>Cisco Systems</organization> <address><postal> <street></street> <city></city> <code></code> <country></country> <region></region> </postal> <phone></phone><email>fluffy@iii.ca</email><uri></uri></address> </author> <author initials="J." surname="Mattsson" fullname="John Mattsson"> <organization>Ericsson AB</organization> <address><postal> <street></street> <city></city> <code></code> <country></country> <region></region> </postal> <phone></phone><email>john.mattsson@ericsson.com</email><uri></uri></address> </author> <authorinitials="D.A.M."initials="D." surname="McGrew" fullname="David A. McGrew"> <organization>Cisco Systems</organization> <address><postal> <street></street> <city></city> <code></code> <country></country> <region></region> </postal> <phone></phone><email>mcgrew@cisco.com</email><uri></uri></address> </author> <author initials="D." surname="Wing" fullname="Dan Wing"><organization>Citrix<organization abbrev="Citrix">Citrix Systems, Inc.</organization> <address><postal> <street></street> <city></city> <code></code> <country></country> <region></region> </postal> <phone></phone><email>dwing-ietf@fuggles.com</email><uri></uri></address> </author> <authorinitials="F.A." surname="Andreason"initials="F." surname="Andreasen" fullname="FlemmingAndreason">Andreasen"> <organization>Cisco Systems</organization> <address><postal> <street></street> <city></city> <code></code> <country></country> <region></region> </postal> <phone></phone><email>fandreas@cisco.com</email><uri></uri></address> </author> <dateyear="2020" month="June" day="23"/> <area>Internet</area> <workgroup></workgroup>year="2021" month="January" /> <keyword>PERC</keyword> <keyword>SRTP</keyword> <keyword>RTP</keyword> <keyword>conferencing</keyword> <keyword>encryption</keyword> <abstract> <t>Encrypted Key Transport (EKT) is an extension to DTLS (Datagram Transport Layer Security) and the Secure Real-time Transport Protocol (SRTP) that provides for the secure transport of SRTP master keys, rollover counters, and other information within SRTP. This facility enables SRTP for decentralized conferences by distributing a common key to all of the conference endpoints. </t> </abstract> </front> <middle> <section anchor="introduction"title="Introduction"> <t>Real-timenumbered="true" toc="default"> <name>Introduction</name> <t>The Real-time Transport Protocol (RTP) is designed to allow decentralized groups with minimal control to establish sessions, such as for multimedia conferences. Unfortunately, Secure RTP(SRTP(SRTP) <xreftarget="RFC3711"/>)target="RFC3711" format="default"/> cannot be used in many minimal-control scenarios, because it requires that synchronization source (SSRC) values and other data be coordinated among all of the participants in a session. For example, if a participant joins a session that is already in progress, that participant needs to betoldinformed of the SRTP keys along with the SSRC, rollover counter(ROC)(ROC), and other details of the other SRTP sources. </t> <t>The inability of SRTP to work in the absence of central control was well understood during the design of the protocol; the omission was considered less important than optimizations such as bandwidth conservation. Additionally, in manysituationssituations, SRTP is used in conjunction with a signaling system that can provide the central control needed by SRTP. However, there are several cases in which conventional signaling systems cannot easily provide all of the coordination required. </t> <t>This document defines Encrypted Key Transport (EKT) for SRTP and reduces the amount of external signaling control that is needed inaan SRTP session with multiple receivers. EKT securely distributes the SRTP master key and other information for each SRTP source. With this method, SRTP entities are free to choose SSRC values as they seefit,fit and to start up new SRTP sources with new SRTP master keys within a session without coordinating with other entities via external signaling or other external means. </t> <t>EKT extends DTLS and SRTP to enable a common key encryption key (called anEKTKey)"EKTKey") to be distributed to all endpoints, so that each endpoint can securely send its SRTP master key and current SRTProllover counterROC to the other participants in the session. This data furnishes the information needed by the receiver to instantiate an SRTP receiver context. </t> <t>EKT can be used in conferences where the centralmedia distributorMedia Distributor or conference bridge cannot decrypt the media, such as the type definedforin <xreftarget="I-D.ietf-perc-private-media-framework"/>.target="RFC8871" format="default"/>. It can also be used forlarge scalelarge-scale conferences where the conference bridge ormedia distributorMedia Distributor can decrypt all the media but wishes to encrypt the media it is sending just once and then send the same encrypted media to a large number of participants. This reducesthe amount ofencryption CPU timeneeded for encryptionin general andcan be used for some optimization to mediais necessary when sendingthat use source specific multicast.multicast media. </t> <t>EKT does not control the manner in which the SSRC is generated. It is only concerned with distributing the security parameters that an endpoint needs to associate with a given SSRC in order to decrypt SRTP packets from that sender. </t> <t>EKT is not intended to replace external key establishment mechanisms. Instead, it is used in conjunction with those methods, and it relieves those methods of the burdento deliverof delivering the context for each SRTP source to every SRTP participant. This document defines how EKT works with the DTLS-SRTP approach to key establishment, by using keys derived from the DTLS-SRTP handshake to encipher the EKTKey in addition to the SRTP media. </t> </section> <section anchor="overview"title="Overview">numbered="true" toc="default"> <name>Overview</name> <t>This specification defines a way for the server in a DTLS-SRTPnegotiation, seenegotiation (see <xreftarget="dtls-srtp-kt"/>,target="dtls-srtp-kt" format="default"/>) to provide an EKTKey to the client during the DTLS handshake. The EKTKey thus obtained can be used to encrypt the SRTP master key that is used to encrypt the media sent by the endpoint. This specification also defines a way to send the encrypted SRTP master key (with the EKTKey) along with the SRTPpacket, seepacket (see <xreftarget="srtp_ekt"/>.target="srtp_ekt" format="default"/>). Endpoints that receive this packet and know the EKTKey can use the EKTKey to decrypt the SRTP masterkeykey, which can then be used to decrypt the SRTP packet. </t> <t>One way to use this specification is described in the architecture defined by <xreftarget="I-D.ietf-perc-private-media-framework"/>.target="RFC8871" format="default"/>. Each participant in the conference forms a DTLS-SRTP connection to a commonkey distributorKey Distributor that distributes the same EKTKey to all the endpoints.ThenThen, each endpoint picks its own SRTP master key for the mediathey send.it sends. When sending media, the endpoint may alsoincludesinclude the SRTP master key encrypted with the EKTKey in the SRTP packet. This allows all the endpoints to decrypt the media. </t> </section> <section anchor="conventions-used-in-this-document"title="Conventionsnumbered="true" toc="default"> <name>Conventions UsedInin ThisDocument">Document</name> <t>The key words"MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY","<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>", "<bcp14>REQUIRED</bcp14>", "<bcp14>SHALL</bcp14>", "<bcp14>SHALL NOT</bcp14>", "<bcp14>SHOULD</bcp14>", "<bcp14>SHOULD NOT</bcp14>", "<bcp14>RECOMMENDED</bcp14>", "<bcp14>NOT RECOMMENDED</bcp14>", "<bcp14>MAY</bcp14>", and"OPTIONAL""<bcp14>OPTIONAL</bcp14>" in this document are to be interpreted as described inBCP 14BCP 14 <xref target="RFC2119"/> <xref target="RFC8174"/> when, and only when, they appear in all capitals, as shownhere. </t>here.</t> </section> <section anchor="srtp_ekt"title="Encryptednumbered="true" toc="default"> <name>Encrypted KeyTransport">Transport</name> <t>EKT defines a new method of providing SRTP master keys to an endpoint. In order to convey the ciphertext corresponding to the SRTP master key, and other additional information, an additional field, calledEKTField,the "EKTField", is added to the SRTP packets. The EKTField appears at the end of the SRTP packet. It appears after the optional authenticationtagtag, if one ispresent, otherwisepresent; otherwise, the EKTField appears after the ciphertext portion of the packet. </t> <t>EKTMUST NOT<bcp14>MUST NOT</bcp14> be used in conjunction with SRTP's MKI (Master Key Identifier) or with SRTP's <From, To> <xreftarget="RFC3711"/>,target="RFC3711" format="default"/>, as those SRTP features duplicate some of the functions of EKT. SendersMUST NOT<bcp14>MUST NOT</bcp14> include the MKI when using EKT. ReceiversSHOULD<bcp14>SHOULD</bcp14> simply ignore any MKI field received if EKT is in use. </t> <t>This document defines the use of EKT with SRTP. Its use withSRTCPthe Secure Real-time Transport Control Protocol (SRTCP) would be similar, but that topic isreservedleft for a future specification. SRTP is preferred for transmittingkeykeying material becauseit(1) it shares fate with the transmitted media,because SRTP(2) SRTP rekeying can occur without concern for RTCP transmission limits, andbecause it(3) it avoids the need for SRTCP compound packets with RTP translators and mixers. </t> <section anchor="EKT"title="EKTField Formats">numbered="true" toc="default"> <name>EKTField Formats</name> <t>The EKTField uses theformatformats defined in Figures <xref target="tag-format-base" format="counter"/> and <xreftarget="tag-format-base"/>target="tag-format-abbreviated" format="counter"/> for the FullEKTField and ShortEKTField. The EKTField appended to an SRTP packet can be referred to as an"EKT tag"."EKT Tag". </t> <figureanchor="tag-format-base"anchor="tag-format-base"> <name>FullEKTField Format</name> <artwork align="center"title="FullEKTField format "><artwork align="center">name="" type="" alt=""><![CDATA[ 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ : : : EKT Ciphertext : : : +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Security Parameter Index | Epoch | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Length |0 0 0 0 0 0 1 0|+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ </artwork></figure>+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+]]></artwork> </figure> <figureanchor="tag-format-abbreviated"anchor="tag-format-abbreviated"> <name>ShortEKTField Format</name> <artwork align="center"title="ShortEKTField format "><artwork align="center">name="" type="" alt=""><![CDATA[ 0 1 2 3 4 5 6 7 +-+-+-+-+-+-+-+-+ |0 0 0 0 0 0 0 0|+-+-+-+-+-+-+-+-+ </artwork></figure> <t>The following+-+-+-+-+-+-+-+-+]]></artwork> </figure> <t><xref target="tag-formats"/> shows the syntax of theEKTFieldEKTField, expressed in ABNF <xreftarget="RFC5234"/>.target="RFC5234" format="default"/>. The EKTField is added to the end of an SRTP packet. The EKTPlaintext is the concatenation of SRTPMasterKeyLength, SRTPMasterKey, SSRC, andROCROC, in that order. The EKTCiphertext is computed by encrypting the EKTPlaintext using the EKTKey. Future extensions to the EKTFieldMUST<bcp14>MUST</bcp14> conform to the syntax of the ExtensionEKTField. </t> <figureanchor="tag-formats" align="center" title="EKTField Syntax "><artwork align="center">anchor="tag-formats"> <name>EKTField Syntax</name> <sourcecode name="" type="abnf"><![CDATA[ BYTE = %x00-FF EKTMsgTypeFull = %x02 EKTMsgTypeShort = %x00 EKTMsgTypeExtension = %x03-FF ; MessagetypeType %x01 isreserved,not available ; for assignment due to;its usage by ; legacy implementations. EKTMsgLength =2BYTE;2BYTE SRTPMasterKeyLength = BYTE SRTPMasterKey = 1*242BYTE SSRC =4BYTE;4BYTE ; SSRC from RTP ROC = 4BYTE ; ROC from SRTPFOR THE GIVENfor the given SSRC EKTPlaintext = SRTPMasterKeyLength SRTPMasterKey SSRC ROC EKTCiphertext = 1*251BYTE ; EKTEncrypt(EKTKey, EKTPlaintext) Epoch = 2BYTE SPI = 2BYTE FullEKTField = EKTCiphertext SPI Epoch EKTMsgLength EKTMsgTypeFull ShortEKTField = EKTMsgTypeShort ExtensionData = 1*1024BYTE ExtensionEKTField = ExtensionData EKTMsgLength EKTMsgTypeExtension EKTField = FullEKTField / ShortEKTField /ExtensionEKTField </artwork></figure>ExtensionEKTField]]></sourcecode> </figure> <t>These fields and data elements are defined as follows: </t><t>EKTPlaintext: The<dl newline="true" spacing="normal"> <dt>EKTPlaintext:</dt> <dd>This is the data that is input to the EKT encryption operation. This data never appears on thewire, andwire; it is used only in computations internal to EKT. This is the concatenation of the SRTPMaster Keymaster key and its length, the SSRC, and theROC. </t> <t>EKTCiphertext: TheROC.</dd> <dt>EKTCiphertext:</dt> <dd>This is the data that is output from the EKT encryptionoperation, described inoperation (see <xreftarget="cipher"/>.target="cipher" format="default"/>). This field is included in SRTP packets when EKT is in use. The length of the EKTCiphertext can be larger than the length of the EKTPlaintext that wasencrypted. </t> <t>SRTPMasterKey: Onencrypted.</dd> <dt>SRTPMasterKey:</dt> <dd>On the sender side, this is the SRTPMaster Keymaster key associated with the indicatedSSRC. </t> <t>SRTPMasterKeyLength: TheSSRC.</dd> <dt>SRTPMasterKeyLength:</dt> <dd>This is the length of the SRTPMasterKey in bytes. This depends on the cipher suite negotiated for SRTP usingSDPSession Description Protocol (SDP) Offer/Answer <xreftarget="RFC3264"/> for the SRTP. </t> <t>SSRC: Ontarget="RFC3264" format="default"/>. </dd> <dt>SSRC:</dt> <dd>On the sender side, this is the SSRC for this SRTP source. The length of this field is 32 bits. The SSRC value in the EKTtag MUSTTag <bcp14>MUST</bcp14> be the same as the one in the header of the SRTP packet to which the tag isappended. </t> <t>Rolloverappended.</dd> <dt>Rollover Counter(ROC): On(ROC):</dt> <dd>On the sender side, this is set to the current value of the SRTProllover counterROC in the SRTP context associated with the SSRC in the SRTP packet. The length of this field is 32bits. </t> <t>Securitybits.</dd> <dt>Security Parameter Index(SPI): This(SPI):</dt> <dd><t>This field indicates the appropriate EKTKey and other parameters for the receiver to use when processing the packet, within a given conference. The length of this field is 16 bits, representing a two-byte integer in network byte order. The parameters identified by this fieldare: </t> <t> <list style="symbols"> <t>Theare as follows:</t> <ul spacing="normal"> <li>The EKTcipherCipher used to process thepacket.</t> <t>Thepacket.</li> <li>The EKTKey used to process thepacket.</t> <t>Thepacket.</li> <li>The SRTPMaster Saltmaster salt associated with any master key encrypted with this EKT Key.The The master salt is communicated separately, via signaling, typically along with the EKTKey. (Recall that the SRTP master salt is used in the formation ofIVsInitialization Vectors (IVs) /nonces.)</t> </list> </t> <t>Epoch: Thisnonces.)</li> </ul> </dd> <dt>Epoch:</dt> <dd>This field indicates how many SRTP keys have been sent for this SSRC under the current EKTKey, prior to the current key, as atwo-bytetwo&nbhy;byte integer in network byte order. It starts at zero at the beginning of a session and resets to zero whenever the EKTKey is changed (i.e., when a new SPI appears). The epoch for an SSRC increments by one every time the sender transmits a new key. The recipient of a FullEKTFieldMUST<bcp14>MUST</bcp14> reject any future FullEKTField for this SPI and SSRC that has anequal or lowerepoch value equal to or lower than an epoch alreadyseen. </t>seen.</dd> </dl> <t>Together, these data elements are called anEKT"EKT parameterset. Eachset". To avoid ambiguity, each distinct EKT parameter set that is usedMUST<bcp14>MUST</bcp14> be associated with a distinct SPIvalue to avoid ambiguity.value. </t><t>EKTMsgLength: All<dl newline="true" spacing="normal"> <dt>EKTMsgLength:</dt> <dd>All EKTmessages typesMessage Types other than the ShortEKTFieldhaveinclude a lengthas second from the last element. This is the lengthin octets (in network byte order) of either theFullEKTField/ExtensionEKTFieldFullEKTField or the ExtensionEKTField, including this length field and thefollowingEKT MessageType. </t> <t>Message Type: TheType (as defined in the next paragraph).</dd> <dt>Message Type:</dt> <dd>The last byte is used to indicate the type of the EKTField. ThisMUST<bcp14>MUST</bcp14> be 2 for the FullEKTField format and 0infor the ShortEKTField format. If a received EKTtagTag has an unknownmessage type,Message Type, then the receiverMUST<bcp14>MUST</bcp14> discard the whole EKTtag. </t>Tag.</dd> </dl> </section> <section anchor="spis-and-ekt-parameter-sets"title="SPIsnumbered="true" toc="default"> <name>SPIs and EKT ParameterSets">Sets</name> <t>The SPIfieldidentifies the parameters for how the EKTtagTag should be processed: </t><t> <list style="symbols"> <t>The<ul spacing="normal"> <li>The EKTKey and EKTcipherCipher used to process thepacket.</t> <t>Thepacket.</li> <li>The SRTPMaster Saltmaster salt associated with any master key encrypted with this EKT Key.The The master salt is communicated separately, via signaling, typically along with theEKTKey.</t> </list> </t>EKTKey.</li> </ul> <t>Together, these data elements are called an"EKT"EKT parameterset". Eachset". To avoid ambiguity, each distinct EKT parameter set that is usedMUST<bcp14>MUST</bcp14> be associated with a distinct SPIvalue to avoid ambiguity.value. The association of a given parameter set with a given SPI value is configured by some other protocol, e.g., the DTLS-SRTP extension defined in <xreftarget="dtls-srtp-kt"/>.target="dtls-srtp-kt" format="default"/>. </t> </section> <section anchor="pkt_proc"title="Packetnumbered="true" toc="default"> <name>Packet Processing and StateMachine">Machine</name> <t>At any given time, the SSRC for each SRTP source has associated with it a single EKT parameter set. This parameter set is used to process all outboundpackets,packets and is called theoutbound"outbound parametersetset" for that SSRC. There may be other EKT parameter sets that are used by other SRTP sources in the same session, including other SRTP sources on the same endpoint (e.g., one endpoint with voice and video might have two EKT parameter sets, or there might be multiple video sources on anendpointendpoint, each with their own EKT parameter set). All of the received EKT parameter setsSHOULD<bcp14>SHOULD</bcp14> be stored by all of the participants in an SRTP session, for use in processing inbound SRTP traffic. If a participant deletes an EKT parameter set (e.g., because of spacelimitations,limitations), then it will be unable to process Full EKT Tags containing updated mediakeys,keys and thus will be unable to receive media from aparticpantparticipant that has changed its media key. </t> <t>Either the FullEKTField or ShortEKTField is appended at the tail end of all SRTP packets. The decisiononregarding which parameter to send and when is specified in <xreftarget="timing"/>.target="timing" format="default"/>. </t> <section anchor="outbound-processing"title="Outbound Processing">numbered="true" toc="default"> <name>Outbound Processing</name> <t>See <xreftarget="timing"/>target="timing" format="default"/>, which describes when to send an SRTP packet with a FullEKTField. If a FullEKTField is not being sent, then a ShortEKTField is sent so the receiver can correctly determine how to process the packet. </t> <t>When an SRTP packet is sent with a FullEKTField, the EKTField for that packet is createdas follows,per either the steps below orusesan equivalent set of steps. </t><t> <list style="numbers"> <t>The<ol spacing="normal" type="1"> <li>The Security Parameter Index (SPI) field is set to the value of theSecurity Parameter IndexSPI that is associated with the outbound parameterset.</t> <t>Theset.</li> <li>The EKTPlaintext field is computed from the SRTPMaster Key,master key, SSRC, and ROC fields, as shown in <xreftarget="EKT"/>.target="EKT" format="default"/>. The ROC, SRTPMaster Key,master key, and SSRC used in EKT processingMUST<bcp14>MUST</bcp14> be the same as the one used intheSRTPprocessing.</t> <t>Theprocessing.</li> <li>The EKTCiphertext field is set to the ciphertext created by encrypting the EKTPlaintext with the EKTCipher using the EKTKey as the encryption key. The encryption process is detailed in <xreftarget="cipher"/>.</t> <t>Thentarget="cipher" format="default"/>.</li> <li> <t>Then, the FullEKTField is formed using the EKTCiphertext and the SPI associated with the EKTKey used above. Also appended are theLengthlength and Message Type using the FullEKTField format.<list style="symbols"> <t>Note: the</t> </li> </ol> <aside><t>Note: The value of the EKTCiphertext field is identical in successive packets protected by the same EKTKey and SRTP master key. This valueMAY<bcp14>MAY</bcp14> be cached by an SRTP sender to minimize computationaleffort.</t> </list></t> </list> </t>effort.</t></aside> <t>The computed value of the FullEKTField is appended to the end of the SRTP packet, after the encryptedpayload. </t>payload.</t> <t>When a packet is sent with the ShortEKTField, theShortEKFFieldShortEKTField is simply appended to thepacket. </t>packet.</t> <t>Outbound packetsSHOULD<bcp14>SHOULD</bcp14> continue to use the old SRTPMaster Keymaster key for 250 ms after sending any new key in a FullEKTField value. This gives all the receivers in the system time to get the new key before they start receiving media encrypted with the new key. (The specific value of250ms250 ms is chosen to represent a reasonable upper bound on the amount of latency and jitter that is tolerable in a real-time context.) </t> </section> <section anchor="inbound-processing"title="Inbound Processing">numbered="true" toc="default"> <name>Inbound Processing</name> <t>When receiving a packet onaan RTP stream, the following steps are applied for eachSRTPreceived SRTP packet. </t><t> <list style="numbers"> <t>The<ol spacing="normal" type="1"> <li>The final byte is checked to determine which EKT format is in use. When an SRTP packet contains a ShortEKTField, the ShortEKTField is removed from the packet and then normal SRTP processing occurs. If the packet contains a FullEKTField, then processing continues as described below. The reason for using the last byte of the packet to indicate the type is that the length of the SRTP part is not known until the decryption has occurred. At this point in the processing, there is no easy way to know where the EKTField would start. However, the wholeUDPSRTP packet has been received, so instead ofthestarting at the front of the packet, the parsing works backwards at the end of thepacketpacket, and thus the type is placed at the very end of thepacket.</t> <t>Thepacket.</li> <li>The Security Parameter Index (SPI) field is used to find the right EKT parameter set to be used for processing the packet. If there is no matching SPI, then the verification functionMUST<bcp14>MUST</bcp14> return an indication of authentication failure, and the steps described below are not performed. The EKT parameter set contains the EKTKey, the EKTCipher, and the SRTPMaster Salt.</t> <t>Themaster salt.</li> <li>The EKTCiphertext is authenticated and decrypted, as described in <xreftarget="cipher"/>,target="cipher" format="default"/>, using the EKTKey and EKTCipher found in the previous step. If the EKT decryption operation returns an authentication failure, then EKT processingMUST<bcp14>MUST</bcp14> be aborted. The receiverSHOULD<bcp14>SHOULD</bcp14> discard the wholeUDP packet.</t> <t>TheSRTP packet.</li> <li>The resulting EKTPlaintext is parsed as described in <xreftarget="EKT"/>,target="EKT" format="default"/>, to recover the SRTPMaster Key,master key, SSRC, and ROC fields. The SRTPMaster Saltmaster salt that is associated with the EKTKey is also retrieved. If the value of the srtp_master_salt (see <xref target="ekt_key"/>) sent as part of theEKTkeyEKTKey is longer than needed by SRTP, then it is truncated by taking the first N bytes from the srtp_master_saltfield.</t> <t>Iffield.</li> <li>If the SSRC in the EKTPlaintext does not match the SSRC of the SRTP packet received, then this FullEKTFieldMUST<bcp14>MUST</bcp14> be discarded and thefollowingsubsequent steps in this list skipped. After stripping the FullEKTField, the remainder of the SRTP packetMAY<bcp14>MAY</bcp14> be processed asnormal.</t>normal.</li> <li> <t>The SRTPMaster Key,master key, ROC, and SRTPMaster Saltmaster salt from the previous steps are saved in a map indexed by the SSRC found in the EKTPlaintext and can be used for any future crypto operations on the inbound packets with that SSRC.<list style="symbols"> <t>Unless</t> <ul spacing="normal"> <li>Unless the transform specifies other acceptable key lengths, the length of the SRTPMaster Key MUSTmaster key <bcp14>MUST</bcp14> be the same as the master key length for the SRTP transform in use. If this is not the case, then the receiverMUST<bcp14>MUST</bcp14> abort EKT processing andSHOULD discared<bcp14>SHOULD</bcp14> discard the wholeUDP packet.</t> <t>IfSRTP packet.</li> <li>If the length of the SRTPMaster Keymaster key is less than the master key length for the SRTP transform inuse,use and the transform specifies that this length is acceptable, then the SRTPMaster Keymaster key value is used to replace the first bytes in the existing master key. The other bytes remain the same as in the old key. For example, theDoubledouble GCM transform <xreftarget="I-D.ietf-perc-double"/>target="RFC8723" format="default"/> allows replacement of thefirst, "end to end"first ("end-to-end") half of the masterkey.</t> </list></t> <t>Atkey.</li> </ul> </li> <li>At this point, EKT processing has successfully completed, and the normal SRTP processing takesplace.</t> </list> </t>place.</li> </ol> <t>The value of the EKTCiphertext field is identical in successive packets protected by the same EKT parameterset and the sameset, SRTP master key, and ROC. SRTP senders and receiversMAY<bcp14>MAY</bcp14> cache an EKTCiphertext value to optimize processing in cases where the master key hasn't changed. Instead of encrypting and decrypting, senders can simply copy thepre-computedprecomputed value and receivers can compare a received EKTCiphertext to the known value. </t> <t><xreftarget="outbound-processing"/>target="outbound-processing" format="default"/> recommends that SRTP senders continue using an old key for some time after sending a new key in an EKTtag.Tag. Receivers that wish to avoid packet loss due to decryption failuresMAY<bcp14>MAY</bcp14> perform trial decryption with both the old key and the new key, keeping the result of whichever decryption succeeds. Note that this approach is only compatible with SRTP transforms that include integrity protection. </t> <t>When receiving a new EKTKey, implementations need to use the ekt_ttl field (see <xreftarget="ekt_key"/>)target="ekt_key" format="default"/>) to create a time after which this key cannot beusedused, and they also need to create a counter that keeps track of how many times the key has been used to encryptdatadata, to ensure that it does not exceed the T value for that cipher (see <xreftarget="cipher"/>).target="cipher" format="default"/>). If either of these limitsareis exceeded, the key can no longer be used for encryption. At thispoint implementationpoint, implementations need to either usethecall signaling to renegotiate a new session orneed toterminate the existing session. Terminating the session is a reasonable implementation choice because these limits should not beexceededexceeded, except under an attack or error condition. </t> </section> </section> <section anchor="cipher"title="Ciphers">numbered="true" toc="default"> <name>Ciphers</name> <t>EKT uses an authenticated cipher to encrypt and authenticate the EKTPlaintext. This specification defines the interface to the cipher, in order to abstract the interface away from the details of that function. This specification also defines the default cipher that is used in EKT. The default cipher described in <xreftarget="DefaultCipher"/> MUSTtarget="DefaultCipher" format="default"/> <bcp14>MUST</bcp14> be implemented, but another cipher that conforms to this interfaceMAY<bcp14>MAY</bcp14> be used. The cipher used for a given EKTCiphertext value is negotiated using the supported_ekt_ciphers extension (see <xref target="dtls-srtp-extensions"/>) and indicated with the SPI value in the FullEKTField. </t> <t>An EKTCipher consists of an encryption function and a decryption function. The encryption function E(K, P) takes the following inputs: </t><t> <list style="symbols"> <t>a<ul spacing="normal"> <li>a secret key K with a length of L bytes,and</t> <t>aand</li> <li>a plaintext value P with a length of Mbytes.</t> </list> </t>bytes.</li> </ul> <t>The encryption function returns a ciphertext value C whose length is N bytes, where N may be larger than M. The decryption functionD(K, C)D(K, C) takes the following inputs: </t><t> <list style="symbols"> <t>a<ul spacing="normal"> <li>a secret key K with a length of L bytes,and</t> <t>aand</li> <li>a ciphertext value C with a length of Nbytes.</t> </list> </t>bytes.</li> </ul> <t>The decryption function returns a plaintext value P that is M bytes long, or it returns an indication that the decryption operation failed because the ciphertext was invalid(i.e.(i.e., it was not generated by the encryption of plaintext with the key K). </t> <t>These functions have the property that D(K, E(K, P)) = P for all values of K and P. Each cipher also has a limit T on the number of times that it can be used with any fixed key value. The EKTKeyMUST NOT<bcp14>MUST NOT</bcp14> be used for encryption morethatthan T times. Note that if the same FullEKTField is retransmitted3three times, that only counts as1one encryption. </t> <t>Security requirements for EKTciphersCiphers are discussed in <xreftarget="sec"/>. </t>target="sec" format="default"/>.</t> <section anchor="DefaultCipher"title="AESnumbered="true" toc="default"> <name>AES KeyWrap">Wrap</name> <t>The default EKT Cipher is the Advanced Encryption Standard (AES) Key Wrap with Padding algorithm <xreftarget="RFC5649"/> algorithm.target="RFC5649" format="default"/>. It requires a plaintext length M that is at least one octet, and it returns a ciphertext with a length of N = M + (M mod 8) + 8 octets.<vspace/>It can be used with key sizes of L =16, and16 octets or L = 32 octets, and its use with those key sizes is indicated asAESKW128,AESKW128 or AESKW256, respectively. The key size determines the length of the AES key used by the Key Wrap algorithm. With this cipher,T=2^48. </t> <texttableT=2<sup>48</sup>.</t> <table anchor="CipherTable"title="EKT Ciphers "> <ttcol align="left">Cipher</ttcol> <ttcol align="right">L</ttcol> <ttcol align="right">T</ttcol> <c>AESKW128</c><c>16</c><c>2^48</c> <c>AESKW256</c><c>32</c><c>2^48</c> </texttable>align="center"> <name>EKT Ciphers</name> <thead> <tr> <th align="left">Cipher</th> <th align="right">L</th> <th align="right">T</th> </tr> </thead> <tbody> <tr> <td align="left">AESKW128</td> <td align="right">16</td> <td align="right">2<sup>48</sup></td> </tr> <tr> <td align="left">AESKW256</td> <td align="right">32</td> <td align="right">2<sup>48</sup></td> </tr> </tbody> </table> <t>As AES-128 is themandatory to implementmandatory-to-implement transform in SRTP, AESKW128MUST<bcp14>MUST</bcp14> be implemented forEKT andEKT. AESKW256MAY<bcp14>MAY</bcp14> be implemented. </t> </section> <section anchor="defining-new-ekt-ciphers"title="Definingnumbered="true" toc="default"> <name>Defining New EKTCiphers">Ciphers</name> <t>Other specifications may extend this document by defining otherEKTCiphersEKTCiphers, as described in <xreftarget="iana"/>.target="iana" format="default"/>. This section defines how those ciphers interact with this specification. </t> <t>An EKTCipher determines how the EKTCiphertext field iswritten,written and how it is processed when it is read. This field is opaque to the other aspects of EKT processing. EKTciphersCiphers are free to use this field in any way, but theySHOULD NOT<bcp14>SHOULD NOT</bcp14> use other EKT or SRTP fields as an input. The values of the parametersL,L and TMUST<bcp14>MUST</bcp14> be defined by each EKTCipher. The cipherMUST<bcp14>MUST</bcp14> provide integrity protection. </t> </section> </section> <section anchor="SynchronizingOperation"title="Synchronizing Operation">numbered="true" toc="default"> <name>Synchronizing Operation</name> <t>If a source has its EKTKey changed bythekey management, itMUST<bcp14>MUST</bcp14> also change its SRTP master key, which will cause it to send out a new FullEKTField and eventually begin encrypting with it, asdefineddescribed in <xreftarget="outbound-processing"/>.target="outbound-processing" format="default"/>. This ensures that if key management thought the EKTKey needs changing (due to a participant leaving or joining) and communicated that to a source, the source will also change its SRTP master key, so that traffic can be decrypted only by those who know the current EKTKey. </t> </section> <section anchor="timing"title="Timingnumbered="true" toc="default"> <name>Timing and ReliabilityConsideration">Considerations</name> <t>A system using EKT learns the SRTP master keys distributed with the FullEKTField sent withtheSRTP, rather than with call signaling. A receiver can immediately decrypt an SRTP packet, provided the SRTP packet contains a FullEKTField. </t> <t>This section describes how to reliably and expediently deliver new SRTP master keys to receivers. </t> <t>There are three cases to consider.TheIn the firstcase iscase, a new senderjoiningjoins asession, whichsession and needs to communicate its SRTP master key to all the receivers.TheIn the secondcase iscase, a senderchangingchanges its SRTP masterkeykey, which needs to be communicated to all the receivers.TheIn the thirdcase iscase, a new receiverjoiningjoins a session already in progresswhichand needs to know the sender's SRTP master key. </t> <t>The three casesare: </t> <t> <list style="hanging"> <t hangText="New sender:"> <vspace />are as follows:</t> <dl newline="true" spacing="normal"> <dt>New sender:</dt> <dd> A new senderSHOULD<bcp14>SHOULD</bcp14> send a packet containing the FullEKTField as soon as possible,always before or coincident with sendingideally in its initial SRTP packet. To accommodate packet loss, it isRECOMMENDED<bcp14>RECOMMENDED</bcp14> that the FullEKTField be transmitted in three consecutive packets. If the sender does not send a FullEKTField in its initial packets and receivers have not otherwise been provisioned with a decryption key, then decryption will fail and SRTP packets will be dropped until the receiver receives a FullEKTField from thesender.</t> <t hangText="Rekey:"> <vspace />sender.</dd> <dt>Rekey:</dt> <dd> By sending an EKTtagTag over SRTP, the rekeying event shares fate with the SRTP packets protected with that new SRTP master key. To accommodate packet loss, it isRECOMMENDED<bcp14>RECOMMENDED</bcp14> that three consecutive packetscontaincontaining the FullEKTField betransmitted.</t> <t hangText="New receiver:"> <vspace />transmitted.</dd> <dt>New receiver:</dt> <dd> When a new receiver joins asessionsession, it does not need to communicate its sending SRTP master key (because it is a receiver).WhenAlso, when a new receiver joins a session, the sender is generally unaware of the receiver joining thesession. Thus,session; thus, sendersSHOULD<bcp14>SHOULD</bcp14> periodically transmit the FullEKTField. That interval depends on how frequently new receivers join the session, the acceptable delay before those receivers can start processing SRTP packets, and the acceptable overhead of sending the FullEKTField. If sending audio and video, theRECOMMENDED<bcp14>RECOMMENDED</bcp14> frequency is the same as the rate ofintra codedintra-coded video frames. If only sending audio, theRECOMMENDED<bcp14>RECOMMENDED</bcp14> frequency is every100ms.</t> </list>100 ms.</dd> </dl> <t>If none of the above three cases apply, a ShortEKTField <bcp14>SHOULD</bcp14> be sent. </t><t>In<t> In general, sendingEKTFullEKTField tags less frequently will consume lessbandwidth,bandwidth but will increase the time it takes for a join or rekey to take effect. Applications should schedule the sending ofEKTFullEKTField tags in a way that makes sense for their bandwidth and latency requirements. </t> </section> </section> <section anchor="dtls-srtp-kt"title="Usenumbered="true" toc="default"> <name>Use of EKT withDTLS-SRTP">DTLS-SRTP</name> <t>This document defines an extension to DTLS-SRTP calledSRTP"SRTP EKTKeyTransportTransport", which enables secure transport of EKT keying material from the DTLS-SRTP peer in the server role to the client. This allowsthose peerssuch a peer to process EKT keying material in SRTP and retrieve the embedded SRTP keying material. This combination of protocols is valuable because it combines the advantages of DTLS, which has strong authentication of the endpoint and flexibility, along with allowing securemultipartymulti-party RTP with loose coordination and efficient communication of per-source keys. </t> <t>In cases where the DTLS termination point is more trusted than the media relay, the protection that DTLS affords to EKTkeykeying material can allow EKTkeysKeys to be tunneled through an untrusted relay such as a centralized conference bridge. For more details, see <xreftarget="I-D.ietf-perc-private-media-framework"/>.target="RFC8871" format="default"/>. </t> <section anchor="dtlssrtp-recap"title="DTLS-SRTP Recap">numbered="true" toc="default"> <name>DTLS-SRTP Recap</name> <t>DTLS-SRTP <xreftarget="RFC5764"/>target="RFC5764" format="default"/> uses an extended DTLS exchange between two peers to exchange keying material, algorithms, and parameters for SRTP. The SRTP flow operates over the same transport as the DTLS-SRTP exchange (i.e., the same 5-tuple). DTLS-SRTP combines the performance and encryption flexibility benefits of SRTP with the flexibility and convenience of DTLS-integrated key and association management. DTLS-SRTP can be viewed in two equivalent ways: as a new key management method forSRTP,SRTP and as a new RTP-specific data format for DTLS. </t> </section> <section anchor="dtls-srtp-extensions"title="SRTPnumbered="true" toc="default"> <name>SRTP EKT Key Transport Extensions toDTLS-SRTP">DTLS-SRTP</name> <t>This document defines a new TLS negotiated extensionsupported_ekt_cipherscalled "supported_ekt_ciphers" and a new TLS handshake message typeekt_key.called "ekt_key". The extension negotiates the cipher to be used in encrypting and decrypting EKTCiphertext values, and the handshake message carries the corresponding key. </t> <t><xreftarget="dtls-srtp-flow"/>target="dtls-srtp-flow" format="default"/> shows a message flowofbetween a DTLS 1.3 client and server using EKT configured using the DTLS extensions described in this section. (The initial cookie exchange and other normal DTLS messages are omitted.) To be clear, EKT can be used with versions of DTLS prior to 1.3. The only difference is that inapre-1.3TLSTLS, stacks will not have built-in support for generating and processing ACK messages. </t> <figureanchor="dtls-srtp-flow" align="center"><artwork align="center">anchor="dtls-srtp-flow"> <name>DTLS 1.3 Message Flow</name> <artwork align="center" name="" type="" alt=""><![CDATA[ Client Server ClientHello + use_srtp + supported_ekt_ciphers-------->--------> ServerHello {EncryptedExtensions} + use_srtp + supported_ekt_ciphers {... Finished}<--------<-------- {... Finished}-------->--------> [ACK]<--------<-------- [EKTKey] [ACK]-------->--------> |SRTP packets|<-------><-------> |SRTP packets| +<EKT tags><EKT Tags> +<EKT tags><EKT Tags> {} Messages protected using DTLS handshake keys [] Messages protected using DTLS application traffic keys<><> Messages protected using the EKTKey and EKTcipherCipher || Messages protected using the SRTPMaster Keymaster key sent in a Full EKTTag </artwork></figure>Tag]]></artwork> </figure> <t>In the context of a multi-party SRTP session in which each endpoint performs a DTLS handshake as a client with a central DTLS server, the extensions defined in this document allow the DTLS server to set a common EKTKey for all participants. Each endpoint can then use EKTtagsTags encrypted with that common key to inform otherendpointendpoints of the keys it uses to protect SRTP packets. This avoids the need for many individual DTLS handshakes among the endpoints, at the cost of preventing endpoints from directly authenticating one another. </t><figure align="center"><artwork align="center"><artwork align="center" name="" type="" alt=""><![CDATA[ Client A Server Client B<----DTLS Handshake----> <--------EKTKey--------- <----DTLS Handshake----> ---------EKTKey--------><----DTLS Handshake----> <--------EKTKey--------- <----DTLS Handshake----> ---------EKTKey--------> -------------SRTP Packet + EKTTag-------------> <------------SRTPTag-------------> <------------SRTP Packet + EKTTag-------------- </artwork></figure>Tag--------------]]></artwork> <section anchor="negotiating-an-ektcipher"title="Negotiatingnumbered="true" toc="default"> <name>Negotiating anEKTCipher">EKTCipher</name> <t>To indicate its support for EKT, a DTLS-SRTP client includes in its ClientHello an extension of type supported_ekt_ciphers listing the ciphers used for EKT by theclient supportsclient, in preference order, with the most preferred version first. If the server agrees to use EKT, then it includes a supported_ekt_ciphers extension in its EncryptedExtensions (or ServerHello for DTLS 1.2) containing a cipher selected from among those advertised by the client. </t> <t>The extension_data field of this extension contains an"EKTCipher""EKTCipher" value, encoded using the syntax defined in <xreftarget="RFC8446"/>:target="RFC8446" format="default"/>: </t><figure align="center"><artwork align="center"><sourcecode name="" type="tls-presentation"><![CDATA[ enum { reserved(0), aeskw_128(1), aeskw_256(2), } EKTCipherType; struct { select (Handshake.msg_type) { case client_hello: EKTCipherTypesupported_ciphers<1..255>;supported_ciphers<1..255>; case server_hello: EKTCipherType selected_cipher; case encrypted_extensions: EKTCipherType selected_cipher; }; }EKTCipher; </artwork></figure>EKTCipher;]]></sourcecode> </section> <section anchor="ekt_key"title="Establishingnumbered="true" toc="default"> <name>Establishing an EKTKey">Key</name> <t>Once a client and server have concluded a handshake that negotiated an EKTCipher, the serverMUST<bcp14>MUST</bcp14> provide to the client a key to be used when encrypting and decrypting EKTCiphertext values. EKTKeys are sent in encrypted handshake records, using handshake typeekt_key(TBD).ekt_key(26). The body of the handshake message contains an EKTKeystructure: </t> <t>[[ NOTE: RFC Editor, please replace "TBD" above with the code point assigned by IANA ]]structure as follows: </t><figure align="center"><artwork align="center"><artwork align="center" name="" type="" alt=""><![CDATA[ struct { opaqueekt_key_value<1..256>;ekt_key_value<1..256>; opaquesrtp_master_salt<1..256>;srtp_master_salt<1..256>; uint16 ekt_spi; uint24 ekt_ttl; }EKTKey; </artwork></figure>EKTKey;]]></artwork> <t>The contents of the fields in this message are as follows: </t><t> <list style="hanging"> <t hangText="ekt_key_value"> <vspace /><dl newline="true" spacing="normal"> <dt>ekt_key_value</dt> <dd> The EKTKey that the recipient should use when generating EKTCiphertextvalues</t> <t hangText="srtp_master_salt"> <vspace />values</dd> <dt>srtp_master_salt</dt> <dd> The SRTPMaster Saltmaster salt to be used with anyMaster Keymaster key encrypted with this EKTKey</t> <t hangText="ekt_spi"> <vspace />Key</dd> <dt>ekt_spi</dt> <dd> The SPI value to be used to reference this EKTKey and SRTPMaster Saltmaster salt in EKTtagsTags (along with the EKTcipherCipher negotiated in thehandshake)</t> <t hangText="ekt_ttl"> <vspace />handshake)</dd> <dt>ekt_ttl</dt> <dd> The maximum amount of time, in seconds, that this EKTKey can be used. The ekt_key_value in this messageMUST NOT<bcp14>MUST NOT</bcp14> be used for encrypting or decrypting information after the TTLexpires.</t> </list> </t>expires.</dd> </dl> <t>If the server did not provide a supported_ekt_ciphers extension in itsServerHello,EncryptedExtensions (or ServerHello for DTLS 1.2), then EKTKey messagesMUST NOT<bcp14>MUST NOT</bcp14> be sent by the client or the server. </t> <t>When an EKTKey is received and processed successfully, the recipientMUST<bcp14>MUST</bcp14> respond with an ACK message as described inSection 7 of<xreftarget="I-D.ietf-tls-dtls13"/>.target="I-D.ietf-tls-dtls13" sectionFormat="of" section="7"/>. The EKTKey message and ACKMUST<bcp14>MUST</bcp14> be retransmitted following the rules of the negotiated version ofDTLS. </t>DTLS.</t> <t>EKTMAY<bcp14>MAY</bcp14> be used with versions of DTLS prior to 1.3. In such cases, to provide reliability, the ACK message is stillused to provide reliability.used. Thus, DTLS implementations supporting EKT withDTLSpre-1.3 versions of DTLS will need to have explicit affordances for sending the ACK message in response to an EKTKeymessage,message and for verifying that an ACK message was received. The retransmission rules for both sides are otherwise defined by the negotiated version of DTLS. </t> <t>If an EKTKey message is received that cannot be processed, then the recipientMUST<bcp14>MUST</bcp14> respond with an appropriate DTLS alert. </t> </section> </section> <section anchor="offeranswer-considerations"title="Offer/Answer Considerations">numbered="true" toc="default"> <name>Offer/Answer Considerations</name> <t>When using EKT with DTLS-SRTP, the negotiation to use EKT is done at the DTLS handshake level and does not change the SDP Offer&wj;/Answer messaging <xreftarget="RFC3264"/> Offer / Answer messaging.target="RFC3264" format="default"/>. </t> </section> <section anchor="sending-the-dtls-ektkey-reliably"title="Sendingnumbered="true" toc="default"> <name>Sending the DTLS EKTKeyReliably">Reliably</name> <t>The DTLS EKTKey message is sent using the retransmissions specified inSection 4.2.4. of DTLS<xreftarget="RFC6347"/>.target="RFC6347" sectionFormat="of" section="4.2.4">DTLS</xref>. Retransmission is finished with an ACKmessagemessage, or an alert isreceived. </t>received.</t> </section> </section> <section anchor="sec"title="Security Considerations">numbered="true" toc="default"> <name>Security Considerations</name> <t>EKT inherits the security properties of thethekey management protocol that is used to establish the EKTKey, e.g., the DTLS-SRTP extension defined in thisdocument. </t>document.</t> <t>With EKT, each SRTP sender and receiverMUST<bcp14>MUST</bcp14> generate distinct SRTP master keys. This property avoids any securityconcernconcerns over there-usereuse of keys, by empowering the SRTP layer to create keys on demand. Note that the inputs of EKT are the same as for SRTP with key-sharing: a single key is provided to protect an entire SRTP session. However, EKT remains secure even when SSRC values collide. </t> <t>SRTP master keysMUST<bcp14>MUST</bcp14> be randomly generated, and <xreftarget="RFC4086"/>target="RFC4086" format="default"/> offers some guidance about random number generation. SRTP master keysMUST NOT<bcp14>MUST NOT</bcp14> bere-usedreused for any other purpose, and SRTP master keysMUST NOT<bcp14>MUST NOT</bcp14> be derived from other SRTP master keys. </t> <t>The EKT Cipher includes its own authentication/integrity check.For an attacker to successfully forge a FullEKTField, it would need to defeat the authentication mechanisms of the EKT Cipher authentication mechanism.</t> <t>The presence of the SSRC in the EKTPlaintext ensures that an attacker cannot substitute an EKTCiphertext from one SRTP stream into another SRTP stream. This mitigates the impact ofthecut-and-paste attacks that arise due to the lack of a cryptographic binding between the EKTtagTag and the rest of the SRTP packet. SRTP tags can only be cut-and-pasted within the stream of packets sent by a given RTP endpoint; an attacker cannot"cross"cross thestreams"streams" and use an EKTtagTag from one SSRC to reset the key for another SSRC. TheepochEpoch field in the FullEKTField also prevents an attacker from rolling back to a previous key. </t> <t>An attacker could send packets containing a FullEKTField, in an attempt to consume additional CPU resources of the receiving system by causing the receiving system to decrypt the EKT ciphertext and detect an authentication failure. In some cases, caching the previous values of theCiphertextciphertext as described in <xreftarget="inbound-processing"/>target="inbound-processing" format="default"/> helps mitigate this issue. </t> <t>In a similar vein, EKT has no replay protection, so an attacker could implant improper keys in receivers by capturing EKTCiphertext values encrypted with a given EKTKey and replaying them in a different context, e.g., from a different sender. When the underlying SRTP transform provides integrity protection, this attack will just result in packet loss. If it does not, then it will result in random data being fed to RTP payload processing. An attacker that is in a position to mount these attacks, however, could achieve the same effects more easily without attacking EKT. </t> <t>The key encryption keys distributed with EKTKey messages are group shared symmetric keys, which means they do not provide protection within the group. Group members can impersonate each other; for example, any group member can generate an EKTtagTag for any SSRC. The entity that distributes EKTKeys can decrypt any keys distributed usingEKT,EKT and thus any media protected with those keys. </t> <t>Each EKTcipherCipher specifies a value T that is the maximum number of times a given key can be used. An endpointMUST NOT<bcp14>MUST NOT</bcp14> encrypt more than T different FullEKTField values using the same EKTKey. In addition, the EKTKeyMUST NOT<bcp14>MUST NOT</bcp14> be used beyond the lifetime provided by the TTL described in <xreftarget="dtls-srtp-extensions"/>.target="dtls-srtp-extensions" format="default"/>. </t> <t>Theconfidentiality, integrity, and authenticationkey length of the EKTcipher MUSTCipher <bcp14>MUST</bcp14> be at least asstronglong as the SRTP cipher and at least asstronglong as the DTLS-SRTP ciphers. </t> <t>Part of the EKTPlaintext isknown,known or is easily guessable to an attacker. Thus, the EKT CipherMUST<bcp14>MUST</bcp14> resist known plaintext attacks. In practice, this requirement does not impose any restrictions on our choices, since the ciphers in use provide high security even when much plaintext is known. </t> <t>An EKTcipher MUSTCipher <bcp14>MUST</bcp14> resist attacks in which both ciphertexts and plaintexts can be adaptively chosenand adversaries that can queryby an attacker querying both the encryption and decryptionfunctions adaptively.functions. </t> <t>In some systems, when a member of a conference leaves theconferences, the conferencesconference, that conference is rekeyed so that the member who left the conference no longer has the key. When changing to a new EKTKey, it is possible that the attacker could block the EKTKey message getting to a particular endpoint and that endpoint would keep sending media encrypted using the old key. To mitigate that risk, the lifetime of the EKTKeyMUST<bcp14>MUST</bcp14> be limited by using the ekt_ttl. </t> </section> <section anchor="iana"title="IANA Considerations">numbered="true" toc="default"> <name>IANA Considerations</name> <section anchor="iana-ekt-msg-types"title="EKTnumbered="true" toc="default"> <name>EKT MessageTypes">Types</name> <t>IANAis requested to createhas created a new table for"EKT Messages Types""EKT Message Types" in the"Real-Time"Real-Time Transport Protocol (RTP)Parameters"Parameters" registry. The initial values in this registryare:are as follows: </t><texttable<table anchor="EKTMsgTypeTable"title="EKT Messages Types "> <ttcolalign="center"> <name>EKT Message Types</name> <thead> <tr> <th align="left">MessageType</ttcol> <ttcol align="right">Value</ttcol> <ttcol align="left">Specification</ttcol> <c>Short</c><c>0</c><c>RFCAAAA</c> <c>Full</c><c>2</c><c>RFCAAAA</c> <c>Unallocated</c><c>3-254</c><c>RFCAAAA</c> <c>Reserved</c><c>255</c><c>RFCAAAA</c> </texttable> <t>Note to RFC Editor: Please replace RFCAAAA with the RFC number for this specification. </t>Type</th> <th align="right">Value</th> <th align="left">Specification</th> </tr> </thead> <tbody> <tr> <td align="left">Short</td> <td align="right">0</td> <td align="left">RFC 8870</td> </tr> <tr> <td align="left">Unassigned</td> <td align="right">1</td> <td align="left"></td> </tr> <tr> <td align="left">Full</td> <td align="right">2</td> <td align="left">RFC 8870</td> </tr> <tr> <td align="left">Unassigned</td> <td align="right">3-254</td> <td align="left"></td> </tr> <tr> <td align="left">Reserved</td> <td align="right">255</td> <td align="left">RFC 8870</td> </tr> </tbody> </table> <t>New entriestoin this table can be added via"Specification Required""Specification Required" as defined in <xreftarget="RFC8126"/>.target="RFC8126" format="default"/>. To avoid conflicts with pre-standard versions of EKT that have been deployed, IANASHOULD prefer<bcp14>SHOULD</bcp14> give preference to the allocation of even values over oddonesvalues until the even code points areconsumed to avoid conflicts with pre standard versions of EKT that have been deployed.consumed. Allocated valuesMUST<bcp14>MUST</bcp14> be in the range of 0 to 254. </t> <t>All new EKT messagesMUST<bcp14>MUST</bcp14> be defined tohaveinclude a length parameter, assecond from the last element, as specified.specified in <xref target="EKT"/>. </t> </section> <section anchor="iana-ciphers"title="EKT Ciphers">numbered="true" toc="default"> <name>EKT Ciphers</name> <t>IANAis requested to createhas created a new table for"EKT Ciphers""EKT Ciphers" in the"Real-Time"Real-Time Transport Protocol (RTP)Parameters"Parameters" registry. The initial values in this registryare:are as follows: </t><texttable<table anchor="EKTCipherTable"title="EKTalign="center"> <name>EKT CipherTypes "> <ttcol align="left">Name</ttcol> <ttcol align="right">Value</ttcol> <ttcol align="left">Specification</ttcol> <c>AESKW128</c><c>0</c><c>RFCAAAA</c> <c>AESKW256</c><c>1</c><c>RFCAAAA</c> <c>Unallocated</c><c>2-254</c><c></c> <c>Reserved</c><c>255</c><c>RFCAAAA</c> </texttable> <t>Note to RFC Editor: Please replace RFCAAAA with the RFC number for this specification. </t>Types</name> <thead> <tr> <th align="left">Name</th> <th align="right">Value</th> <th align="left">Specification</th> </tr> </thead> <tbody> <tr> <td align="left">AESKW128</td> <td align="right">0</td> <td align="left">RFC 8870</td> </tr> <tr> <td align="left">AESKW256</td> <td align="right">1</td> <td align="left">RFC 8870</td> </tr> <tr> <td align="left">Unassigned</td> <td align="right">2-254</td> <td align="left"/> </tr> <tr> <td align="left">Reserved</td> <td align="right">255</td> <td align="left">RFC 8870</td> </tr> </tbody> </table> <t>New entriestoin this table can be added via"Specification Required""Specification Required" as defined in <xreftarget="RFC8126"/>.target="RFC8126" format="default"/>. The expertSHOULD<bcp14>SHOULD</bcp14> ensure that the specification defines the values for L and T as required in <xreftarget="cipher"/>target="cipher" format="default"/> ofRFCAAAA.this document. Allocated valuesMUST<bcp14>MUST</bcp14> be in the range of 0 to 254. </t> </section> <section anchor="tls-extensions"title="TLS Extensions">numbered="true" toc="default"> <name>TLS Extensions</name> <t>IANAis requested to addhas added supported_ekt_ciphers as a new extension name to the"TLS"TLS ExtensionTypeValues"Values" table of the"Transport"Transport Layer Security (TLS)Extensions"Extensions" registry: </t><figure align="center"><artwork align="center"> Value: [TBD-at-Registration] Extension Name: supported_ekt_ciphers TLS 1.3: CH, SH Recommended: Y Reference: RFCAAAA </artwork></figure> <t>[[ Note to RFC Editor: TBD will be allocated by IANA. ]] </t><dl newline="false" spacing="normal"> <dt>Value:</dt> <dd>39</dd> <dt>Extension Name:</dt> <dd>supported_ekt_ciphers</dd> <dt>TLS 1.3:</dt> <dd>CH, EE</dd> <dt>Recommended:</dt> <dd>Y</dd> <dt>Reference:</dt> <dd>RFC 8870</dd> </dl> </section> <section anchor="tls-handshake-type"title="TLSnumbered="true" toc="default"> <name>TLS HandshakeType">Type</name> <t>IANAis requested to addhas added ekt_key as a new entry in the"TLS HandshakeType Registry""TLS HandshakeType" table of the"Transport"Transport Layer Security (TLS)Parameters"Parameters" registry: </t><figure align="center"><artwork align="center"> Value: [TBD-at-Registration] Description: ekt_key DTLS-OK: Y Reference: RFCAAAA Comment: </artwork></figure> <t>[[ Note to RFC Editor: TBD will be allocated by IANA. ]] </t><dl newline="false" spacing="normal"> <dt>Value:</dt> <dd>26</dd> <dt>Description:</dt> <dd>ekt_key</dd> <dt>DTLS-OK:</dt> <dd>Y</dd> <dt>Reference:</dt> <dd>RFC 8870</dd> <dt>Comment:</dt> <dd></dd> </dl> </section> </section> </middle> <back> <displayreference target="I-D.ietf-tls-dtls13" to="TLS-DTLS13"/> <references> <name>References</name> <references> <name>Normative References</name> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.2119.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.3264.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.3711.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.5234.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.5649.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.5764.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.6347.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.8126.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.8174.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.8446.xml"/> </references> <references> <name>Informative References</name> <!-- draft-ietf-perc-double (RFC 8723 / Published) --> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.8723.xml"/> <!-- draft-ietf-perc-private-media-framework (RFC 8871) --> <reference anchor='RFC8871' target="https://www.rfc-editor.org/info/rfc8871"> <front> <title>A Solution Framework for Private Media in Privacy-Enhanced RTP Conferencing (PERC)</title> <author initials='P' surname='Jones' fullname='Paul Jones'> <organization /> </author> <author initials='D' surname='Benham' fullname='David Benham'> <organization /> </author> <author initials='C' surname='Groves' fullname='Christian Groves'> <organization /> </author> <date month='January' year='2021'/> </front> <seriesInfo name="RFC" value="8871"/> <seriesInfo name="DOI" value="10.17487/RFC8871"/> </reference> <!-- draft-ietf-tls-dtls13 (AD Eval/Revised I-D needed) --> <xi:include href="https://datatracker.ietf.org/doc/bibxml3/reference.I-D.draft-ietf-tls-dtls13-39.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.4086.xml"/> </references> </references> <section anchor="acknowledgements"title="Acknowledgements">numbered="false" toc="default"> <name>Acknowledgments</name> <t>Thank you toRuss Housley<contact fullname="Russ Housley"/>, who provided a detailed review and significant help with crafting text for this document. Thanks toDavid Benham, Yi Cheng, Lakshminath Dondeti, Kai Fischer, Nermeen Ismail, Paul Jones, Eddy Lem, Jonathan Lennox, Michael Peck, Rob Raymond, Sean Turner, Magnus Westerlund, and Felix Wyss<contact fullname="David Benham"/>, <contact fullname="Yi Cheng"/>, <contact fullname="Lakshminath Dondeti"/>, <contact fullname="Kai Fischer"/>, <contact fullname="Nermeen Ismail"/>, <contact fullname="Paul Jones"/>, <contact fullname="Eddy Lem"/>, <contact fullname="Jonathan Lennox"/>, <contact fullname="Michael Peck"/>, <contact fullname="Rob Raymond"/>, <contact fullname="Sean Turner"/>, <contact fullname="Magnus Westerlund"/>, and <contact fullname="Felix Wyss"/> for fruitful discussions, comments, and contributions to thisdocument. </t>document.</t> </section></middle> <back> <references title="Normative References"> <?rfc include="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.2119.xml"?> <?rfc include="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.3264.xml"?> <?rfc include="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.3711.xml"?> <?rfc include="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.5234.xml"?> <?rfc include="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.5649.xml"?> <?rfc include="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.5764.xml"?> <?rfc include="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.6347.xml"?> <?rfc include="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.8126.xml"?> <?rfc include="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.8174.xml"?> <?rfc include="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.8446.xml"?> </references> <references title="Informative References"> <?rfc include="https://xml2rfc.tools.ietf.org/public/rfc/bibxml3/reference.I-D.ietf-perc-double.xml"?> <?rfc include="https://xml2rfc.tools.ietf.org/public/rfc/bibxml3/reference.I-D.ietf-perc-private-media-framework.xml"?> <?rfc include="https://xml2rfc.tools.ietf.org/public/rfc/bibxml3/reference.I-D.ietf-tls-dtls13.xml"?> <?rfc include="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.4086.xml"?> </references></back> </rfc>