]>
The use of AES-192 and AES-256 in Secure RTP
Cisco Systems, Inc.510 McCarthy Blvd.MilpitasCA95035US(408) 525 8651mcgrew@cisco.comhttp://www.mindspring.com/~dmcgrew/dam.htm
General
SRTP
This memo describes the use of the Advanced Encryption Standard (AES)
with 192 and 256 bit keys within the Secure RTP protocol. It defines
Counter Mode encryption for SRTP and SRTCP and a new SRTP Key
Derivation Function (KDF) for AES-192 and AES-256.
This memo describes the use of the Advanced Encryption Standard (AES)
with 192 and 256 bit keys within the Secure
RTP protocol . Below those block ciphers are
referred to as AES-192 and AES-256, respectively, and the use of AES
with a 128 bit key is referred to as AES-128. This document defines
Counter Mode encryption for SRTP and SRTCP and a new SRTP Key
Derivation Function for AES-192 and AES-256. It also defines new
cryptosuites that use these new functions.
While AES-128 is widely regarded as more than adequately secure, some
users may be motivated to adopt AES-192 or AES-256. One motivation is
conformance to the Suite B profile (which requires AES-256 for the
protection of TOP SECRET information) . Others
may be motivated by a perceived need to purse a highly conservative
security strategy; see for more discussion
of security issues.
The crypto functions defined in this document are an addition to, and not
a replacement for, the crypto functions defined in .
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in .
Section 4.1.1 of defines AES-128 counter mode
encryption, which it refers to as AES_CM.
AES-192 counter mode and AES-256 counter mode are defined in a
similar manner, and are denoted as AES_192_CM and AES_256_CM
respectively. In both of these ciphers, the plaintext inputs to the
block cipher are formed as in AES_CM, and the block cipher outputs are
processed as in AES_CM. The only difference in the processing is that
AES_192_CM uses AES-192, and AES_256_CM uses AES-256. Both AES_192_CM
and AES_256_CM use a 112-bit salt as an input, as does AES_CM.
For the convenience of the reader, the structure of the counter blocks
in SRTP counter mode encryption is illustrated in ,
using the terminology from Section 4.1.1 of .
In this diagram, the symbol (+) denotes the bitwise exclusive-or operation, and
the AES encrypt operation uses AES-128, AES-192, or AES-256 for
AES_CM, AES_192_CM, and AES_256_CM, respectively. The field labeled
b_c contains a block counter, the value of which increments once for
each invocation of the "AES Encrypt" function.
Section 4.3.3 of defines AES-128 counter mode
key derivation function, which it refers to as "AES-CM PRF". (That specification
uses the term PRF, or pseudo-random function, interchangeably with the
term "key derivation function". )
The AES-192 counter mode PRF and AES-256 counter mode PRF are
defined in a similar manner, and are denoted as AES_192_CM_PRF and
AES_256_CM_PRF respectively. In both of these PRFs, the plaintext
inputs to the block cipher are formed as in the AES-CM PRF, and the
block cipher outputs are processed as in the AES-CM PRF. The only
difference in the processing is that AES_192_CM_PRF uses AES-192, and
AES_256_CM_PRF uses AES-256. Both AES_192_CM_PRF and AES_256_CM_PRF
use a 112-bit salt as an input, as does the AES-CM PRF.
For the convenience of the reader, the structure of the counter blocks
in SRTP counter mode key derivation is illustrated in
, using the terminology from Section 4.3.3 of
. In this diagram, the symbol (+) denotes the
bitwise exclusive-or operation, and the "AES Encrypt" operation uses
AES-128, AES-192, or AES-256 for the "AES-CM PRF", AES_192_CM_PRF, and
AES_256_CM_PRF, respectively. The field "LB" contains the 8-bit
constant "label" which is provided as an input to the key derivation
function (and which is distint for each key generated by that
function). The field labeled b_c contains a block counter, the value
of which increments once for each invocation of the "AES Encrypt"
function.
When AES_192_CM is used for encryption, AES_192_CM SHOULD be used as
the key derivation function, and AES_128_CM MUST NOT be
used as the key derivation function.
When AES_256_CM is used for encryption, AES_256_CM SHOULD be used as
the key derivation function. Both AES_128_CM and AES_192_CM MUST NOT
be used as the key derivation function.
Rationale: it is essential that the cryptographic strength of the key
derivation meets or exceeds that of the encryption method.
It is natural to use the same function for both encryption and
key derivation. However, it is not required to do so
because it is desirable to allow these ciphers to be used
with alternative key derivation functions that may
be defined in the future.
In a future version of this document, this section will provide test cases
that can be used to validate implementations.
This section defines SRTP crypto suites that use the ciphers and key
derivation functions defined in this document. These suites are
registered with IANA for use with the SDP Security Descriptions
attributes (Section 10.3.2.1 of
). Other SRTP key
management methods that use the crypto functions defined in this
document are encouraged to also use these crypto suite definitions.
Parameter ValueMaster key length 192 bitsMaster salt length 112 bitsKey Derivation Function AES_192_CM_PRF ()Default key lifetime 2^31 packetsCipher (for SRTP and SRTCP) AES_192_CM () SRTP authentication function HMAC-SHA1 (Section 4.2.1 of )SRTP authentication key length 160 bits SRTP authentication tag length 80 bits SRTCP authentication function HMAC-SHA1 (Section 4.2.1 of ) SRTCP authentication key length 160 bits SRTCP authentication tag length 80 bits Parameter ValueMaster key length 192 bitsMaster salt length 112 bitsKey Derivation Function AES_192_CM_PRF ()Default key lifetime 2^31 packetsCipher (for SRTP and SRTCP) AES_192_CM () SRTP authentication function HMAC-SHA1 (Section 4.2.1 of )SRTP authentication key length 160 bits SRTP authentication tag length 32 bits SRTCP authentication function HMAC-SHA1 (Section 4.2.1 of ) SRTCP authentication key length 160 bits SRTCP authentication tag length 80 bits Parameter ValueMaster key length 256 bitsMaster salt length 112 bitsKey Derivation Function AES_256_CM_PRF ()Default key lifetime 2^31 packetsCipher (for SRTP and SRTCP) AES_256_CM () SRTP authentication function HMAC-SHA1 (Section 4.2.1 of )SRTP authentication key length 160 bits SRTP authentication tag length 80 bits SRTCP authentication function HMAC-SHA1 (Section 4.2.1 of ) SRTCP authentication key length 160 bits SRTCP authentication tag length 80 bits Parameter ValueMaster key length 256 bitsMaster salt length 112 bitsKey Derivation Function AES_256_CM_PRF ()Default key lifetime 2^31 packetsCipher (for SRTP and SRTCP) AES_256_CM () SRTP authentication function HMAC-SHA1 (Section 4.2.1 of )SRTP authentication key length 160 bits SRTP authentication tag length 32 bits SRTCP authentication function HMAC-SHA1 (Section 4.2.1 of ) SRTCP authentication key length 160 bits SRTCP authentication tag length 80 bits
IANA is expected to assign the following parameters for the SDP Security
Descriptions crypto suite attribute.
AES_CM_192_HMAC_SHA1_80 AES_CM_192_HMAC_SHA1_32 AES_CM_256_HMAC_SHA1_80 AES_CM_256_HMAC_SHA1_32
The cryptosuites are as defined in .
AES-128 provides a level of security that is widely regarded as being
more than sufficient for providing confidentiality. It is believed
that the economic cost of breaking AES-128 is significantly higher
than the cost of more direct approaches to violating system security,
e.g. theft, bribery, wiretapping, and other forms of malfeasance.
Future advances in the state of the art of cryptanalysis could
eliminate this confidence in AES-128, and motivate the use of AES-192
or AES-256. AES-192 is regarded as being secure even against some
adversaries for which breaking AES-128 may be feasible. Similarly,
AES-256 is regarded as being secure even against some adversaries for
which it may be feasible to break AES-192. The availability
of the larger key size versions of AES provides a fallback plan
in case of unanticipated cryptanalytic results.
It is conjectured that AES-256 provides adequate security even against
adversaries that possess the ability to construct a quantum computer
that works on 256 or more quantum bits. No such computer is known to
exist; its feasibility is an area of active speculation and research.
Despite the apparent sufficiency of AES-128, some users are interested
in the larger AES key sizes. For some applications, the 40% increase
in computational cost for AES-256 over AES-128 is a worthwhile bargain
when traded for the security advantages outlined above. These
applications include those with a perceived need for very high
security, e.g. due to a desire for very long-term confidentiality.
As with any cipher, the conjectured security level of AES may change
over time. The considerations in this section reflect the best
knowledge available at the time of publication of this document.
It is desirable that AES_192_CM and AES_192_CM_PRF be used with an
authentication function that uses a 192 bit key, and that AES_256_CM
and AES_256_CM_PRF be used with an authentication function that uses a
256 bit key. However, this desire is not regarded as
security-critical. Cryptographic authentication is resilient against
future advances in cryptanalysis, since the opportunity for a forgery
attack against a session closes when that session closes.
It may be desirable to eliminate AES-192 altogether, leaving users
with the simpler choice of using AES-128 or AES-256. This option
preserves the possibility of Suite B conformance. Given that the
incremental computational cost of AES-256 over AES-192 is only
16%, and the additional key storage overhead is only 33%,
this option imposes only a minimal burden on implementations.
Thanks to Bob Bell for feedback and encouragement.
&rfc2119;
The Advanced Encryption Standard (AES)
&rfc3711;
&rfc4568;
Fact Sheet for NSA Suite B Cryptography