RFC4383 日本語訳
4383 The Use of Timed Efficient Stream Loss-Tolerant Authentication(TESLA) in the Secure Real-time Transport Protocol (SRTP). M.Baugher, E. Carrara. February 2006. (Format: TXT=41766 bytes) (Status: PROPOSED STANDARD)
プログラムでの自動翻訳です。
英語原文
Network Working Group M. Baugher Request for Comments: 4383 Cisco Category: Standards Track E. Carrara Royal Institute of Technology February 2006
Baugherがコメントのために要求するワーキンググループM.をネットワークでつないでください: 4383年のコクチマスカテゴリ: 工科大学2006年2月のロイヤルの標準化過程E.カラーラ
The Use of Timed Efficient Stream Loss-Tolerant Authentication (TESLA) in the Secure Real-time Transport Protocol (SRTP)
安全なリアルタイムのトランスポート・プロトコルにおける調節された効率的なストリーム損失許容性がある認証(テスラ)の使用(SRTP)
Status of This Memo
このメモの状態
This document specifies an Internet standards track protocol for the Internet community, and requests discussion and suggestions for improvements. Please refer to the current edition of the "Internet Official Protocol Standards" (STD 1) for the standardization state and status of this protocol. Distribution of this memo is unlimited.
このドキュメントは、インターネットコミュニティにインターネット標準化過程プロトコルを指定して、改良のために議論と提案を要求します。 このプロトコルの標準化状態と状態への「インターネット公式プロトコル標準」(STD1)の現行版を参照してください。 このメモの分配は無制限です。
Copyright Notice
版権情報
Copyright (C) The Internet Society (2006).
Copyright(C)インターネット協会(2006)。
Abstract
要約
This memo describes the use of the Timed Efficient Stream Loss- tolerant Authentication (RFC 4082) transform within the Secure Real- time Transport Protocol (SRTP), to provide data origin authentication for multicast and broadcast data streams.
このメモは、マルチキャストのためのデータ発生源認証と放送データ・ストリームを供給するために(RFC4082)がSecureレアル時間Transportプロトコル(SRTP)の中で変えるTimed Efficient Stream Lossの許容性があるAuthenticationの使用について説明します。
Baugher & Carrara Standards Track [Page 1] RFC 4383 TESLA-SRTP February 2006
Baugherとカラーラ規格はテスラ-SRTP2006年2月にRFC4383を追跡します[1ページ]。
Table of Contents
目次
1. Introduction ....................................................2 1.1. Notational Conventions .....................................3 2. SRTP ............................................................3 3. TESLA ...........................................................4 4. Usage of TESLA within SRTP ......................................5 4.1. The TESLA Extension ........................................5 4.2. SRTP Packet Format .........................................6 4.3. Extension of the SRTP Cryptographic Context ................7 4.4. SRTP Processing ............................................8 4.4.1. Sender Processing ...................................9 4.4.2. Receiver Processing .................................9 4.5. SRTCP Packet Format .......................................11 4.6. TESLA MAC .................................................13 4.7. PRFs ......................................................13 5. TESLA Bootstrapping and Cleanup ................................14 6. SRTP TESLA Default Parameters ..................................14 7. Security Considerations ........................................15 8. Acknowledgements ...............................................16 9. References .....................................................17 9.1. Normative References ......................................17 9.2. Informative References ....................................17
1. 序論…2 1.1. 記号法のコンベンション…3 2. SRTP…3 3. テスラ…4 4. SRTPの中のテスラの使用法…5 4.1. テスラ拡大…5 4.2. SRTPパケット・フォーマット…6 4.3. SRTPの暗号の文脈の拡大…7 4.4. SRTP処理…8 4.4.1. 送付者処理…9 4.4.2. 受信機処理…9 4.5. SRTCPパケット・フォーマット…11 4.6. テスラMac…13 4.7. PRFs…13 5. テスラブートストラップ法とクリーンアップ…14 6. SRTPテスラデフォルトパラメタ…14 7. セキュリティ問題…15 8. 承認…16 9. 参照…17 9.1. 標準の参照…17 9.2. 有益な参照…17
1. Introduction
1. 序論
Multicast and broadcast communications introduce some new security challenges compared to unicast communication. Many multicast and broadcast applications need "data origin authentication" (DOA), or "source authentication", in order to guarantee that a received message had originated from a given source, and was not manipulated during the transmission. In unicast communication, a pairwise security association between one sender and one receiver can provide data origin authentication using symmetric-key cryptography (such as a message authentication code, MAC). When the communication is strictly pairwise, the sender and receiver agree upon a key that is known only to them.
ユニキャストコミュニケーションと比べて、マルチキャストと放送通信はいくつかの新しいセキュリティ挑戦を導入します。 多くのマルチキャストと放送アプリケーションが「データ発生源認証」(DOA)、または「ソース認証」を必要とします、受信されたメッセージが与えられたソースから発して、トランスミッションの間操られなかったのを保証するために。 ユニキャストコミュニケーションに、1人の送付者と1台の受信機との対状セキュリティ仲間は、対称鍵暗号(メッセージ確認コード、MACなどの)を使用することでデータ発生源認証を提供できます。 コミュニケーションが厳密にそうときに、対状、送付者、および受信機はそれらだけにおいて知られているキーで一致しています。
In groups, however, a key is shared among more than two members, and this symmetric-key approach does not guarantee data origin authentication. When there is a group security association [RFC4046] instead of a pairwise security association, any of the members can alter the packet and impersonate any other member. The MAC in this case only guarantees that the packet was not manipulated by an attacker outside the group (and hence not in possession of the group key), and that the packet was sent by a source within the group.
しかしながら、グループでは、キーは2人以上のメンバーの中で共有されます、そして、この対称鍵アプローチはデータ発生源認証を保証しません。 グループセキュリティ協会[RFC4046]が対状セキュリティ協会の代わりにあるとき、メンバーのいずれも、パケットを変更して、いかなる他のメンバーもまねることができます。 MACは、この場合パケットがグループの外における攻撃者によって操られないで、(したがって、グループキーの所持では、そうしません)であり、パケットがグループの中のソースによって送られたのを保証するだけです。
Baugher & Carrara Standards Track [Page 2] RFC 4383 TESLA-SRTP February 2006
Baugherとカラーラ規格はテスラ-SRTP2006年2月にRFC4383を追跡します[2ページ]。
Some applications cannot tolerate source ambiguity and need to identify the true sender from any other group member. A common way to solve the problem is by use of asymmetric cryptography, such as digital signatures. This method, unfortunately, suffers from high overhead in terms of time (to sign and verify) and bandwidth (to convey the signature in the packet).
いくつかのアプリケーションは、ソースのあいまいさを許容して、いかなる他のグループのメンバーからも本当の送付者を特定する必要はないことができます。 問題を解決する一般的な方法はデジタル化した署名などの非対称の暗号を使用します。 残念ながら、このメソッドは時間(署名して、確かめる)と帯域幅(パケットで署名を伝える)に関して高いオーバーヘッドが欠点です。
Several schemes have been proposed to provide efficient data origin authentication in multicast and broadcast scenarios. The Timed Efficient Stream Loss-tolerant Authentication (TESLA) is one such scheme.
いくつかの体系が、効率的なデータ発生源認証をマルチキャストと放送シナリオに提供するために提案されました。 Timed Efficient Stream Loss許容性があるAuthentication(テスラ)はそのような体系の1つです。
This memo specifies TESLA authentication for SRTP. SRTP TESLA can provide data origin authentication to RTP applications that use group security associations (such as multicast RTP applications) so long as receivers abide by the TESLA security invariants [RFC4082].
このメモはテスラの認証をSRTPに指定します。 SRTP TESLAは受信機がテスラセキュリティ不変式[RFC4082]を守る限り、グループセキュリティ協会(マルチキャストRTPアプリケーションなどの)を使用するRTPアプリケーションにデータ発生源認証を提供できます。
1.1. Notational Conventions
1.1. 記号法のコンベンション
The keywords "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119].
キーワード“MUST"、「必須NOT」が「必要です」、“SHALL"、「」、“SHOULD"、「「推薦され」て、「5月」の、そして、「任意」のNOTは[RFC2119]で説明されるように本書では解釈されることであるべきですか?
This specification assumes that the reader is familiar with both SRTP and TESLA. Few of their details are explained in this document, and the reader can find them in their respective specifications, [RFC3711] and [RFC4082]. This specification uses the same definitions as TESLA for common terms and assumes that the reader is familiar with the TESLA algorithms and protocols [RFC4082].
この仕様は、読者がSRTPとテスラの両方に詳しいと仮定します。 それらの詳細のわずかしか本書では説明されません、そして、[RFC3711]と[RFC4082]、読者はそれらのそれぞれの仕様でそれらを見つけることができます。 この仕様は、一般的な用語のときにテスラと同じ定義を使用して、読者がテスラアルゴリズムとプロトコル[RFC4082]に詳しいと仮定します。
2. SRTP
2. SRTP
The Secure Real-time Transport Protocol (SRTP) [RFC3711] is a profile of RTP, which can provide confidentiality, message authentication, and replay protection to the RTP traffic and to the RTP control protocol, the Real-time Transport Control Protocol (RTCP). Note that the term "SRTP" may often be used to indicate SRTCP as well.
Secureレアル-時間Transportプロトコル(SRTP)[RFC3711]はRTPのプロフィールです。(RTPはRTPトラフィックと、そして、RTP制御プロトコルレアル-時間Transport Controlプロトコル(RTCP)に秘密性、通報認証、および反復操作による保護を提供できます)。 "SRTP"という用語がまた、SRTCPを示すのにしばしば使用されるかもしれないことに注意してください。
SRTP is a framework that allows new security functions and new transforms to be added. SRTP currently does not define any mechanism to provide data origin authentication for group security associations. Fortunately, it is straightforward to add TESLA to the SRTP cryptographic framework.
SRTPは新しいセキュリティ機能と新しい変換が加えるフレームワークです。 SRTPは、現在、データ発生源認証をグループセキュリティ協会に提供するためにどんなメカニズムも定義しません。 幸い、SRTPの暗号のフレームワークにテスラを加えるのは簡単です。
The TESLA extension to SRTP is defined in this specification, which assumes that the reader is familiar with the SRTP specification [RFC3711], its packet structure, and its processing rules. TESLA is
SRTPへのテスラの拡大はこの仕様に基づき定義されます。(それは、読者がSRTP仕様[RFC3711]、パケット構造、およびその処理規則に詳しいと仮定します)。 テスラはそうです。
Baugher & Carrara Standards Track [Page 3] RFC 4383 TESLA-SRTP February 2006
Baugherとカラーラ規格はテスラ-SRTP2006年2月にRFC4383を追跡します[3ページ]。
an alternative message-authentication algorithm that authenticates messages from the source when a key is shared among two or more receivers.
キーが2台以上の受信機の中で共有されるときソースからのメッセージを認証する代替の通報認証アルゴリズム。
3. TESLA
3. テスラ
TESLA provides delayed per-packet data authentication and is specified in [RFC4082].
テスラは、1パケットあたりの遅れたデータ認証を提供して、[RFC4082]で指定されます。
In addition to its SRTP data-packet definition given here, TESLA needs an initial synchronization protocol and initial bootstrapping procedure. The synchronization protocol allows the sender and the receiver to compare their clocks and determine an upper bound of the difference. The synchronization protocol is outside the scope of this document.
ここに与えられたSRTPデータ・パケット定義に加えて、テスラは初並列プロトコルと初期のブートストラップ法手順を必要とします。 同期プロトコルで、送付者と受信機は、それらの時計を比較して、違いの上限を決定します。 このドキュメントの範囲の外に同期プロトコルがあります。
TESLA also requires an initial bootstrapping procedure to exchange needed parameters and the initial commitment to the key chain [RFC4082]. For SRTP, it is assumed that the bootstrapping is performed out-of-band, possibly using the key management protocol that is exchanging the security parameters for SRTP, e.g., [RFC3547, RFC3830]. Initial bootstrapping of TESLA is outside the scope of this document.
また、テスラは、キーチェーン[RFC4082]の必要なパラメタと初期の委任を交換するために初期のブートストラップ法手順を必要とします。 SRTPに関しては、ブートストラップ法がバンドの外で実行されると思われます、SRTP、例えば、[RFC3547、RFC3830]にことによるとセキュリティパラメタを交換しているかぎ管理プロトコルを使用して。 このドキュメントの範囲の外にテスラの初期のブートストラップ法があります。
Baugher & Carrara Standards Track [Page 4] RFC 4383 TESLA-SRTP February 2006
Baugherとカラーラ規格はテスラ-SRTP2006年2月にRFC4383を追跡します[4ページ]。
4. Usage of TESLA within SRTP
4. SRTPの中のテスラの使用法
The present specification is an extension to the SRTP specification [RFC3711] and describes the use of TESLA with only a single key chain and delayed-authentication [RFC4082].
現在の仕様は、SRTP仕様[RFC3711]への拡大であり、単一のキーチェーンと遅れた認証[RFC4082]だけでテスラの使用について説明します。
4.1. The TESLA Extension
4.1. テスラ拡大
TESLA is an OPTIONAL authentication transform for SRTP. When used, TESLA adds the fields shown in Figure 1 per-packet. The fields added by TESLA are called "TESLA authentication extensions," whereas "authentication tag" or "integrity protection tag" indicate the normal SRTP integrity protection tag, when the SRTP master key is shared by more than two endpoints [RFC3711].
テスラはSRTPのためのOPTIONAL認証変換です。 使用されると、テスラは図1パケットに示された分野を加えます。 テスラによって加えられた分野は「テスラの認証拡大」と呼ばれますが、「認証タグ」か「保全保護タグ」が正常なSRTP保全保護タグを示します、2つ以上の終点[RFC3711]によってSRTPマスターキーが共有されるとき。
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | i | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ~ Disclosed Key ~ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ~ TESLA MAC ~ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | i| 明らかにする..主要..テスラ
Figure 1. The "TESLA authentication extension".
図1。 「テスラの認証拡大。」
i: 32 bit, MANDATORY Identifier of the time interval i, corresponding to the key K_i, which is used to calculate the TESLA MAC of the current packet (and other packets sent in the current time interval i).
i: 32に噛み付いて、時間間隔のMANDATORY Identifierはiです、主要なK_iに対応しています(他のパケットは現在の時間間隔でiを送りました)。(_は、現在のパケットのTESLA MACについて計算するのに使用されます)。
Disclosed Key: variable length, MANDATORY The disclosed key (K_(i-d)), which can be used to authenticate previous packets from earlier time intervals [RFC4082]. A Section 4.3 parameter establishes the size of this field.
キーを明らかにします: 可変長、MANDATORY、明らかにされたキー(K_(i-d))。(以前の時間間隔[RFC4082]から前のパケットを認証するのにそのキーを使用できます)。 セクション4.3パラメタはこの分野のサイズを確立します。
TESLA MAC (Message Authentication Code): variable length, MANDATORY The MAC computed using the key K'_i (derived from K_i) [RFC4082], which is disclosed in a subsequent packet (in the Disclosed Key field). The MAC coverage is defined in Section 4.6. A Section 4.3 parameter establishes the size of this field.
テスラMAC(メッセージ立証コード): '可変長、MANDATORY MACは主要なK'_i(K_iから、派生する)[RFC4082](その後のパケットで明らかにされる)を使用することで計算しました(Disclosed Key分野で)。 MAC適用範囲はセクション4.6で定義されます。 セクション4.3パラメタはこの分野のサイズを確立します。
Baugher & Carrara Standards Track [Page 5] RFC 4383 TESLA-SRTP February 2006
Baugherとカラーラ規格はテスラ-SRTP2006年2月にRFC4383を追跡します[5ページ]。
4.2. SRTP Packet Format
4.2. SRTPパケット・フォーマット
Figure 2 illustrates the format of the SRTP packet when TESLA is applied. When applied to RTP, the TESLA authentication extension SHALL be inserted before the (optional) SRTP MKI and (recommended) authentication tag (SRTP MAC).
テスラが適用されているとき、図2はSRTPパケットの形式を例証します。 いつが(任意)のSRTP MKIの前に挿入されて(お勧め)の認証がタグ(SRTP MAC)であったならRTP、テスラの認証拡大SHALLに適用されましたか?
0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<+<+ |V=2|P|X| CC |M| PT | sequence number | | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | | timestamp | | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | | synchronization source (SSRC) identifier | | | +=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ | | | contributing source (CSRC) identifiers | | | | .... | | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | | RTP extension (OPTIONAL) | | | +>+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | | | payload ... | | | | | +-------------------------------+ | | | | | RTP padding | RTP pad count | | | +>+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<+ | | | i | | | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | | ~ Disclosed Key ~ | | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | | ~ TESLA MAC ~ | | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<|-+ | ~ MKI ~ | | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | | ~ MAC ~ | | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | | | | +- Encrypted Portion TESLA Authenticated Portion ---+ | | Authenticated Portion ---+
0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1、+++++++++++++++++++++++++++++++++<+<+|V=2|P|X| CC|M| 太平洋標準時| 一連番号| | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | | タイムスタンプ| | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | | 同期ソース(SSRC)識別子| | | +=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ | | | ソース(CSRC)識別子を寄付します。| | | | .... | | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | | RTP拡張子(OPTIONAL)| | | + >+++++++++++++++++++++++++++++++++| | | | ペイロード… | | | | | +-------------------------------+ | | | | | RTP詰め物| RTPパッドカウント| | | + >+++++++++++++++++++++++++++++++++<+| | | i| | | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | | ~ 明らかにされたキー~| | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | | ~ テスラMac~| | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<|、-+ | ~ MKI~| | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | | ~ Mac~| | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | | | | +暗号化された部分テスラは部分を認証しました。---+ | | 認証された部分---+
Figure 2. The format of the SRTP packet when TESLA is applied.
図2。 テスラであるときに、SRTPパケットの形式は適用されています。
As in SRTP, the "Encrypted Portion" of an SRTP packet consists of the encryption of the RTP payload (including RTP padding when present) of the equivalent RTP packet.
SRTPのように、SRTPパケットの「暗号化された部分」は同等なRTPパケットのRTPペイロード(存在しているときそっと歩くRTPを含んでいる)の暗号化から成ります。
Baugher & Carrara Standards Track [Page 6] RFC 4383 TESLA-SRTP February 2006
Baugherとカラーラ規格はテスラ-SRTP2006年2月にRFC4383を追跡します[6ページ]。
The "Authenticated Portion" of an SRTP packet consists of the RTP header, the Encrypted Portion of the SRTP packet, and the TESLA authentication extension. Note that the definition is extended from [RFC3711] by the inclusion of the TESLA authentication extension.
SRTPパケットの「認証された部分」はRTPヘッダー、SRTPパケットのEncrypted Portion、およびテスラの認証拡大から成ります。 定義が[RFC3711]からテスラの認証拡大の包含で広げられることに注意してください。
The "TESLA Authenticated Portion" of an SRTP packet consists of the RTP header and the Encrypted Portion of the SRTP packet. As shown in Figure 2, the SRTP MAC covers up to the MKI field but does not include the MKI. It is necessary for packet integrity that the SRTP-TESLA MAC tag be covered by the SRTP integrity check. SRTP does not cover the MKI field (because it does not need to be covered for SRTP packet integrity). In order to make the two tags (SRTP-TESLA MAC and SRTP-MAC) contiguous, we would need to redefine the SRTP specification to include the MKI in SRTP-MAC coverage. This change is impossible, so the MKI field separates the TESLA MAC from the SRTP MAC in the packet layout of Figure 2. This change to the packet format presents no problem to an implementation that supports the new SRTP-TESLA authentication transform.
SRTPパケットの「テスラの認証された部分」はRTPヘッダーとSRTPパケットのEncrypted Portionから成ります。 図2に示されるように、SRTP MACはMKI分野へ隠しますが、MKIを含んでいません。 SRTP-TESLA MACタグがSRTP保全チェックでカバーされているのがパケット保全に必要です。 SRTPはMKI分野をカバーしていません(SRTPパケット保全のためにカバーされている必要はないので)。 2個のタグ(SRTP-TESLA MACとSRTP-MAC)を隣接にするように、私たちは、SRTP-MAC適用範囲にMKIを含むようにSRTP仕様を再定義する必要があるでしょう。 この変化が不可能であるので、MKI分野はSRTP MACと図2のパケットレイアウトでTESLA MACを切り離します。 パケット・フォーマットへのこの変化は新しいSRTP-テスラの認証が変換であるとサポートする実装に問題を全く提示しません。
The lengths of the Disclosed Key and TESLA MAC fields are Section 4.3 parameters. As in SRTP, fields that follow the packet payload are not necessarily aligned on 32-bit boundaries.
Disclosed KeyとTESLA MAC分野の長さはセクション4.3パラメタです。 SRTPのように、パケットペイロードに続く分野は必ず32ビットの境界で並べられるというわけではありません。
4.3. Extension of the SRTP Cryptographic Context
4.3. SRTPの暗号の文脈の拡大
When TESLA is used, the definition of cryptographic context in Section 3.2 of SRTP SHALL include the following extensions.
テスラが使用されているとき、SRTP SHALLのセクション3.2との暗号の文脈の定義は以下の拡大を含んでいます。
Transform-Dependent Parameters
変換依存するパラメタ
1. an identifier for the PRF (TESLA PRF), implementing the one-way function F(x) in TESLA (to derive the keys in the chain), and the one-way function F'(x) in TESLA (to derive the keys for the TESLA MAC, from the keys in the chain), e.g., to indicate HMAC-SHA1. See Section 6 for the default value.
1. PRF(TESLA PRF)のための例えばHMAC-SHA1を示すために一方向関数がテスラのF(x)(チェーンでキーを引き出す)と、テスラの一方向関数F'(x)である(TESLA MACのためにキーからチェーンでキーを引き出す)と実装する識別子 デフォルト値に関してセクション6を見てください。
2. a non-negative integer, n_p, determining the length of the F output; i.e., the length of the keys in the chain (that is also the key disclosed in an SRTP packet). See Section 6 for the default value.
2. 非負の整数、F出力の長さを測定するn_p。 すなわち、チェーン(また、それはSRTPパケットで明らかにされたキーである)における、キーの長さ。 デフォルト値に関してセクション6を見てください。
3. a non-negative integer, n_f, determining the length of the output of F', i.e., of the key for the TESLA MAC. See Section 6 for the default value.
'3. 非負の整数、TESLA MACのためにすなわち、F'の出力、キーの長さを測定するn_f。 デフォルト値に関してセクション6を見てください。
4. an identifier for the TESLA MAC that accepts the output of F'(x) as its key, e.g., to indicate HMAC-SHA1. See Section 6 for the default value.
4. 例えばHMAC-SHA1を示すためにキーとしてF'(x)の出力を認めるTESLA MACのための識別子、' デフォルト値に関してセクション6を見てください。
Baugher & Carrara Standards Track [Page 7] RFC 4383 TESLA-SRTP February 2006
Baugherとカラーラ規格はテスラ-SRTP2006年2月にRFC4383を追跡します[7ページ]。
5. a non-negative integer, n_m, determining the length of the output of the TESLA MAC. See Section 6 for the default value.
5. 非負の整数、TESLA MACの出力の長さを測定するn_m。 デフォルト値に関してセクション6を見てください。
6. the beginning of the session T_0.
6.セッションT_0の始まり。
7. the interval duration T_int (in msec).
7. 間隔持続時間T_int(msecにおける)。
8. the key disclosure delay d (in number of intervals).
8. 主要な公開遅れd(間隔の数における)。
9. the upper bound D_t (in sec) on the lag of the receiver clock relative to the sender clock (this quantity has to be calculated by the peers out-of-band).
9. 送付者時計(この量はバンドの外で同輩によって計算されなければならない)に比例した受信機時計の立ち遅れでの上限D_t(秒の)。
10. a non-negative integer, n_c, determining the length of the key chain, K_0...K_n-1 of [RFC4082] (see also Section 6 of this document), which is determined based upon the expected duration of the stream.
10. 非負の整数、キーの長さを測定するn_cが鎖を作って、K_は0です…[RFC4082](また、このドキュメントのセクション6を見る)のK-1つ。(それは、ストリームの予想された持続時間に基づいた状態で断固としています)。
11. the initial key of the chain to which the sender has committed himself.
11. 送付者が立場を明らかにしたチェーンの初期のキー。
F(x) is used to compute a keychain of keys in SRTP TESLA, as defined in Section 6. Also according to TESLA, F'(x) computes a TESLA MAC key with inputs as defined in Section 6.
F(x)は、SRTP TESLAでキーのキーホルダーを計算するのにセクション6で定義されるように使用されます。 テスラによるとも、F'(x)はセクション6'で定義されるように入力によって主要なTESLA MACを計算します。
Section 6 of this document defines the default values for the transform-specific TESLA parameters.
このドキュメントのセクション6は変換特有のテスラパラメタのためにデフォルト値を定義します。
4.4. SRTP Processing
4.4. SRTP処理
The SRTP packet processing is described in Section 3.3 of the SRTP specification [RFC3711]. The use of TESLA slightly changes the processing, as the SRTP MAC is checked upon packet arrival for DoS prevention, but the current packet is not TESLA-authenticated. Each packet is buffered until a subsequent packet discloses its TESLA key. The TESLA verification itself consists of some steps, such as tests of TESLA security invariants, that are described in Sections 3.5-3.7 of [RFC4082]. The words "TESLA computation" and "TESLA verification" hereby imply all those steps, which are not all spelled out in the following. In particular, notice that the TESLA verification implies checking the safety condition (Section 3.5 of [RFC4082]).
SRTPパケット処理はSRTP仕様[RFC3711]のセクション3.3で説明されます。 SRTP MACがDoS防止のためのパケット到着のときにチェックされるとき、テスラの使用は処理をわずかに変えますが、現在のパケットはテスラによって認証されていません。 その後のパケットがテスラキーを明らかにするまで、各パケットはバッファリングされます。 テスラの検証自体は[RFC4082]のセクション3.5-3.7で説明されるテスラセキュリティ不変式のテストなどの数ステップから成ります。 単語「テスラの計算」と「テスラの検証」はこれによりそれらのすべてのステップを含意します。(ステップは以下にすべて詳しく説明されません)。 特に、テスラの検証が、安全をチェックして、([RFC4082]のセクション3.5)を条件とさせるように含意するのに注意してください。
As pointed out in [RFC4082], if the packet is deemed "unsafe", then the receiver considers the packet unauthenticated. It should discard unsafe packets, but, at its own risk, it may choose to use them unverified. Hence, if the safe condition does not hold, it is RECOMMENDED to discard the packet and log the event.
指摘されるように、受信機が考える[RFC4082]その時、パケットが「危険である」と考えられるならパケットは非認証されました。 危険なパケットを捨てるべきですが、自分の責任で、それは、非検証されていた状態でそれらを使用するのを選ぶかもしれません。 したがって、安全な状態が成立しないなら、それはパケットを捨てて、イベントを登録するRECOMMENDEDです。
Baugher & Carrara Standards Track [Page 8] RFC 4383 TESLA-SRTP February 2006
Baugherとカラーラ規格はテスラ-SRTP2006年2月にRFC4383を追跡します[8ページ]。
4.4.1. Sender Processing
4.4.1. 送付者処理
The sender processing is as described in Section 3.3 of [RFC3711], up to step 5, inclusive. After that, the following process is followed:
送付者処理がステップ5まで包括的な[RFC3711]のセクション3.3で説明されるようにあります。 その後に、以下のプロセスは続かれています:
6. When TESLA is applied, identify the key in the TESLA chain to be used in the current time interval, and the TESLA MAC key derived from it. Execute the TESLA computation to obtain the TESLA authentication extension for the current packet, by appending the current interval identifier (as i field), the disclosed key of the chain for the previous disclosure interval (i.e., the key for interval i is disclosed in interval i+d), and the TESLA MAC under the current key from the chain. This step uses the related TESLA parameters from the crypto context as for Step 4.
6. テスラが適用されていたらテスラチェーンでキーを特定して、現在の時間間隔、およびそれから得られたTESLA MACキーで使用されてください。 テスラの計算を実行して、現在のパケットのためのテスラの認証拡大を得てください、チェーンから現在の間隔識別子(i分野としての)、前の公開間隔(間隔iの間のすなわち、キーは間隔i+dで明らかにされる)の間のチェーンの明らかにされたキー、および現在のキーの下のTESLA MACを追加することによって。 このステップはStep4のように暗号文脈からの関連するテスラパラメタを使用します。
7. If the MKI indicator in the SRTP crypto context is set to one, append the MKI to the packet.
7. SRTP暗号文脈のMKIインディケータが1つに設定されるなら、MKIをパケットに追加してください。
8. When TESLA is applied, and if the SRTP authentication (external tag) is required (for DoS), compute the authentication tag as described in step 7 of Section 3.3 of the SRTP specification, but with coverage as defined in this specification (see Section 4.6).
8. テスラが適用されていたら、SRTP認証(外部のタグ)が必要であるなら(DoSのために)、SRTP仕様のセクション3.3のステップ7で説明されますが、この仕様に基づき定義される適用範囲がある認証タグを計算してください(セクション4.6を見てください)。
9. If necessary, update the rollover counter (step 8 in Section 3.3 of [RFC3711]).
9. 必要なら、ロールオーバーカウンタ([RFC3711]のセクション3.3のステップ8)をアップデートしてください。
4.4.2. Receiver Processing
4.4.2. 受信機処理
The receiver processing is as described in Section 3.3 of [RFC3711], up to step 4, inclusive.
受信機処理がステップ4まで包括的な[RFC3711]のセクション3.3で説明されるようにあります。
To authenticate and replay-protect the current packet, the processing is as follows:
現在のパケットを認証して、再生で保護するために、処理は以下の通りです:
First, check if the packet has been replayed (as per Section 3.3 of [RFC3711]). Note, however, that the SRTP replay list contains SRTP indices of recently received packets that have been authenticated by TESLA (i.e., replay list updates MUST NOT be based on SRTP MAC). If the packet is judged to be replayed, then the packet MUST be discarded, and the event SHOULD be logged.
まず最初に、パケットが再演されたかどうか([RFC3711]のセクション3.3に従って)チェックしてください。 しかしながら、SRTP再生リストがテスラによって認証された最近容認されたパケットのSRTPインデックスリストを含むことに注意してください(すなわち、再生リスト最新版はSRTP MACに基づいてはいけません)。 パケットが判断されるなら、再演されていて、次に、パケットが捨てられてイベントSHOULDであるに違いないということになるように、登録されてください。
Next, perform verification of the SRTP integrity protection tag (not the TESLA MAC), if present, using the rollover counter from the current packet, the authentication algorithm indicated in the cryptographic context, and the session authentication key. If the verification is unsuccessful, the packet MUST be discarded from further processing, and the event SHOULD be logged.
次に、SRTP保全保護タグ(TESLA MACでない)の検証を実行してください、存在しているなら、現在のパケットからロールオーバーカウンタを使用します、と認証アルゴリズムは暗号の文脈、およびセッション認証キーで示しました。 失敗していて、検証がそうならさらなる処理、およびイベントSHOULDからパケットを捨てなければなりません。登録されます。
Baugher & Carrara Standards Track [Page 9] RFC 4383 TESLA-SRTP February 2006
Baugherとカラーラ規格はテスラ-SRTP2006年2月にRFC4383を追跡します[9ページ]。
If the verification is successful, remove and store the MKI (if present) and authentication tag fields from the packet. The packet is buffered, awaiting disclosure of the TESLA key in a subsequent packet.
検証がうまくいくなら、パケットからMKI(存在しているなら)と認証タグ・フィールドを取り外して、保存してください。 その後のパケットで主要なテスラの公開を待って、パケットはバッファリングされます。
TESLA authentication is performed on a packet when the key is disclosed in a subsequent packet. Recall that a key for interval i is disclosed during interval i+d, i.e., the same key is disclosed in packets sent over d intervals of length t_int. If the interval identifier i from the packet (Section 4.1) has advanced more than d intervals from the highest value of i that has been received, then packets have been lost, and one or more keys MUST be computed as described in Section 3.2, second paragraph, of the TESLA specification [RFC4082]. The computation is performed recursively for all disclosed keys that have been lost, from the newly-received interval to the last-received interval.
キーがその後のパケットで明らかにされるとき、テスラの認証はパケットに実行されます。 間隔iの間のキーが間隔i+dの間、明らかにされて、すなわち、同じキーが長さのt_intのd間隔の間に送られたパケットで明らかにされたと思い出してください。 間隔識別子であるなら、パケット(セクション4.1)からのiはd間隔より受け取られたiの最も高い値から進みました、そして、次に、パケットは失われました、そして、セクション3.2、第2パラグラフで説明されるテスラ仕様について1個以上のキーを計算しなければなりません[RFC4082]。 計算はなくされたすべての明らかにされたキーのために再帰的に実行されます、新たに容認された間隔から最後容認された間隔まで。
When a newly-disclosed key is received or computed, perform the TESLA verification of the packet using the rollover counter from the packet, the TESLA security parameters from the cryptographic context, and the disclosed key. If the verification is unsuccessful, the packet MUST be discarded from further processing, and the event SHOULD be logged. If the TESLA verification is successful, remove the TESLA authentication extension from the packet.
新たに明らかにされたキーを受け取るか、または計算するときには、パケット、暗号の文脈からのテスラセキュリティパラメタ、および明らかにされたキーからロールオーバーカウンタを使用することでパケットのテスラの検証を実行してください。 失敗していて、検証がそうならさらなる処理、およびイベントSHOULDからパケットを捨てなければなりません。登録されます。 テスラの検証がうまくいくなら、パケットからテスラの認証拡大を取り除いてください。
To decrypt the current packet, the processing is as follows:
現在のパケットを解読するために、処理は以下の通りです:
Decrypt the Encrypted Portion of the packet, using the decryption algorithm indicated in the cryptographic context, the session encryption key, and salt (if used) found in Step 4 with the index from Step 2.
パケットのEncrypted Portionを解読してください、Step4でインデックスでStep2から見つけられた暗号の文脈で示された復号化アルゴリズム、セッション暗号化キー、および塩(使用されるなら)を使用して。
(Note that the order of decryption and TESLA verification is not mandated. It is RECOMMENDED that the TESLA verification be performed before decryption. TESLA application designers might choose to implement optimistic processing techniques such as notification of TESLA verification results after decryption or even after plaintext processing. Optimistic verification is beyond the scope of this document.)
(復号化とテスラの検証の注文が強制されないことに注意してください。 テスラの検証が復号化の前に実行されるのは、RECOMMENDEDです。 テスラアプリケーション設計者は、復号化の後か平文処理の後にさえ楽観的な処理がテスラ検証結果の通知などのテクニックであると実装するのを選ぶかもしれません。 楽観的な検証はこのドキュメントの範囲を超えています。)
Update the rollover counter and highest sequence number, s_l, in the cryptographic context, using the packet index estimated in Step 2. If replay protection is provided, also update the Replay List (i.e., the Replay List is updated after the TESLA authentication is successfully verified).
ロールオーバーカウンタと最も高い一連番号をアップデートしてください、s_l、暗号の文脈で、Step2で見積もられていたパケットインデックスを使用して。 また、反復操作による保護を提供するなら、Replay Listをアップデートしてください(首尾よくテスラの認証について確かめた後にすなわち、Replay Listをアップデートします)。
Baugher & Carrara Standards Track [Page 10] RFC 4383 TESLA-SRTP February 2006
Baugherとカラーラ規格はテスラ-SRTP2006年2月にRFC4383を追跡します[10ページ]。
4.5. SRTCP Packet Format
4.5. SRTCPパケット・フォーマット
Figure 3 illustrates the format of the SRTCP packet when TESLA is applied. The TESLA authentication extension SHALL be inserted before the MKI and authentication tag. Recall from [RFC3711] that in SRTCP the MKI is OPTIONAL, while the E-bit, the SRTCP index, and the authentication tag are MANDATORY. This means that the SRTP (external) MAC is MANDATORY also when TESLA is used.
テスラが適用されているとき、図3はSRTCPパケットの形式を例証します。 テスラの認証拡大SHALL、MKIと認証タグの前に挿入されてください。 [RFC3711]からMKIがSRTCPでは、OPTIONALであると思い出してください、E-ビット、SRTCPインデックス、および認証タグはMANDATORYですが。 これは、また、テスラが使用されているときSRTPの(外部)のMACがMANDATORYであることを意味します。
As in SRTP, the "Encrypted Portion" of an SRTCP packet consists of the encryption of the RTCP payload of the equivalent compound RTCP packet, from the first RTCP packet, i.e., from the ninth (9) byte to the end of the compound packet.
SRTPのように、SRTCPパケットの「暗号化された部分」は同等な合成RTCPパケットのRTCPペイロードの暗号化から成ります、最初のRTCPパケットから、すなわち、9(9)番目のバイトから合成パケットの端まで。
The "Authenticated Portion" of an SRTCP packet consists of the entire equivalent (eventually compound) RTCP packet, the E flag, the SRTCP index (after any encryption has been applied to the payload), and the TESLA extension. Note that the definition is extended from [RFC3711] by the inclusion of the TESLA authentication extension.
SRTCPパケットの「認証された部分」は全体の同等な(結局化合物)RTCPパケット、E旗、SRTCPインデックス(どんな暗号化もペイロードに適用された後に)、およびテスラの拡大から成ります。 定義が[RFC3711]からテスラの認証拡大の包含で広げられることに注意してください。
We define the "TESLA Authenticated Portion" of an SRTCP packet as consisting of the RTCP header (first 8 bytes) and the Encrypted Portion of the SRTCP packet.
We define the "TESLA Authenticated Portion" of an SRTCP packet as consisting of the RTCP header (first 8 bytes) and the Encrypted Portion of the SRTCP packet.
Processing of an SRTCP packets is similar to the SRTP processing (Section 4.3), but there are SRTCP-specific changes described in Section 3.4 of the SRTP specification [RFC3711] and in Section 4.6 of this memo.
Processing of an SRTCP packets is similar to the SRTP processing (Section 4.3), but there are SRTCP-specific changes described in Section 3.4 of the SRTP specification [RFC3711] and in Section 4.6 of this memo.
Baugher & Carrara Standards Track [Page 11] RFC 4383 TESLA-SRTP February 2006
Baugher & Carrara Standards Track [Page 11] RFC 4383 TESLA-SRTP February 2006
0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<+<+ |V=2|P| RC | PT=SR or RR | length | | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | | SSRC of sender | | | +>+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ | | | ~ sender info ~ | | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | | ~ report block 1 ~ | | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | | ~ report block 2 ~ | | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | | ~ ... ~ | | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | | |V=2|P| SC | PT=SDES=202 | length | | | | +=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ | | | | SSRC/CSRC_1 | | | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | | ~ SDES items ~ | | | +=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ | | | ~ ... ~ | | +>+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ | | | |E| SRTCP index | | | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<+ | | | i | | | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | | ~ Disclosed Key ~ | | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | | ~ TESLA MAC ~ | | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<|-+ | ~ SRTCP MKI ~ | | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | | : authentication tag : | | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | | | | +-- Encrypted Portion TESLA Authenticated Portion -----+ | | Authenticated Portion -------+
0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<+<+ |V=2|P| RC | PT=SR or RR | length | | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | | SSRC of sender | | | +>+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ | | | ~ sender info ~ | | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | | ~ report block 1 ~ | | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | | ~ report block 2 ~ | | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | | ~ ... ~ | | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | | |V=2|P| SC | PT=SDES=202 | length | | | | +=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ | | | | SSRC/CSRC_1 | | | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | | ~ SDES items ~ | | | +=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ | | | ~ ... ~ | | +>+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ | | | |E| SRTCP index | | | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<+ | | | i | | | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | | ~ Disclosed Key ~ | | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | | ~ TESLA MAC ~ | | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<|-+ | ~ SRTCP MKI ~ | | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | | : authentication tag : | | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | | | | +-- Encrypted Portion TESLA Authenticated Portion -----+ | | Authenticated Portion -------+
Figure 3. The format of the SRTCP packet when TESLA is applied.
Figure 3. The format of the SRTCP packet when TESLA is applied.
Note that when additional fields are added to a packet, it will increase the packet size and thus the RTCP average packet size.
Note that when additional fields are added to a packet, it will increase the packet size and thus the RTCP average packet size.
Baugher & Carrara Standards Track [Page 12] RFC 4383 TESLA-SRTP February 2006
Baugher & Carrara Standards Track [Page 12] RFC 4383 TESLA-SRTP February 2006
4.6. TESLA MAC
4.6. TESLA MAC
Let M' denote packet data to be TESLA-authenticated. In the case of SRTP, M' SHALL consist of the SRTP TESLA Authenticated Portion (RTP header and SRTP Encrypted Portion; see Figure 2) of the packet concatenated with the rollover counter (ROC) of the same packet:
Let M' denote packet data to be TESLA-authenticated. In the case of SRTP, M' SHALL consist of the SRTP TESLA Authenticated Portion (RTP header and SRTP Encrypted Portion; see Figure 2) of the packet concatenated with the rollover counter (ROC) of the same packet:
M' = ROC || TESLA Authenticated Portion.
M' = ROC || TESLA Authenticated Portion.
In the case of SRTCP, M' SHALL consist of the SRTCP TESLA Authenticated Portion only (RTCP header and SRTCP Encrypted Portion).
In the case of SRTCP, M' SHALL consist of the SRTCP TESLA Authenticated Portion only (RTCP header and SRTCP Encrypted Portion).
The normal authentication tag (OPTIONAL for SRTP, MANDATORY for SRTCP) SHALL be applied with the same coverage as specified in [RFC3711]. That is:
The normal authentication tag (OPTIONAL for SRTP, MANDATORY for SRTCP) SHALL be applied with the same coverage as specified in [RFC3711]. That is:
- for SRTP: Authenticated Portion || ROC (with the extended definition of SRTP Authentication Portion as in Section 4.2).
- for SRTP: Authenticated Portion || ROC (with the extended definition of SRTP Authentication Portion as in Section 4.2).
- for SRTCP: Authenticated Portion (with the extended definition of SRTCP Authentication Portion as in Section 4.2).
- for SRTCP: Authenticated Portion (with the extended definition of SRTCP Authentication Portion as in Section 4.2).
The predefined authentication transform in SRTP, HMAC-SHA1 [RFC2104], is also used to generate the TESLA MAC. For SRTP (and respectively for SRTCP), the HMAC SHALL be applied to the key in the TESLA chain corresponding to a particular time interval, and to M' as specified above. The HMAC output SHALL then be truncated to the n_m left-most bits. Default values are in Section 6.
The predefined authentication transform in SRTP, HMAC-SHA1 [RFC2104], is also used to generate the TESLA MAC. For SRTP (and respectively for SRTCP), the HMAC SHALL be applied to the key in the TESLA chain corresponding to a particular time interval, and to M' as specified above. The HMAC output SHALL then be truncated to the n_m left-most bits. Default values are in Section 6.
As with SRTP, the predefined HMAC-SHA1 authentication algorithm MAY be replaced with an alternative algorithm that is specified in a future Internet RFC.
As with SRTP, the predefined HMAC-SHA1 authentication algorithm MAY be replaced with an alternative algorithm that is specified in a future Internet RFC.
4.7. PRFs
4.7. PRFs
TESLA requires a pseudo-random function (PRF) to implement
TESLA requires a pseudo-random function (PRF) to implement
* one one-way function F(x) to derive the key chain, and * one one-way function F'(x) to derive (from each key of the chain) the key that is actually used to calculate the TESLA MAC.
* one one-way function F(x) to derive the key chain, and * one one-way function F'(x) to derive (from each key of the chain) the key that is actually used to calculate the TESLA MAC.
When TESLA is used within SRTP, the default choice of the PRF SHALL be HMAC-SHA1. Default values are in Section 6.
When TESLA is used within SRTP, the default choice of the PRF SHALL be HMAC-SHA1. Default values are in Section 6.
Other PRFs can be chosen, and their use SHALL follow the common guidelines in [RFC3711] when adding new security parameters.
Other PRFs can be chosen, and their use SHALL follow the common guidelines in [RFC3711] when adding new security parameters.
Baugher & Carrara Standards Track [Page 13] RFC 4383 TESLA-SRTP February 2006
Baugher & Carrara Standards Track [Page 13] RFC 4383 TESLA-SRTP February 2006
5. TESLA Bootstrapping and Cleanup
5. TESLA Bootstrapping and Cleanup
The extensions to the SRTP cryptographic context include a set of TESLA parameters that are listed in Section 4.3 of this document. Furthermore, TESLA MUST be bootstrapped at session setup (for the parameter exchange and the initial key commitment) through a regular data authentication system (a digital signature algorithm is RECOMMENDED). Key management procedures can take care of this bootstrapping prior to the commencement of an SRTP session where TESLA authentication is used. The bootstrapping mechanism is out of scope for this document (it could, for example, be part of the key management protocol).
The extensions to the SRTP cryptographic context include a set of TESLA parameters that are listed in Section 4.3 of this document. Furthermore, TESLA MUST be bootstrapped at session setup (for the parameter exchange and the initial key commitment) through a regular data authentication system (a digital signature algorithm is RECOMMENDED). Key management procedures can take care of this bootstrapping prior to the commencement of an SRTP session where TESLA authentication is used. The bootstrapping mechanism is out of scope for this document (it could, for example, be part of the key management protocol).
A critical factor for the security of TESLA is that the sender and receiver need to be loosely synchronized. TESLA requires a bound on clock drift to be known (D_t). Use of TESLA in SRTP assumes that the time synchronization is guaranteed by out-of-band schemes (e.g., key management). That is, it is not in the scope of SRTP.
A critical factor for the security of TESLA is that the sender and receiver need to be loosely synchronized. TESLA requires a bound on clock drift to be known (D_t). Use of TESLA in SRTP assumes that the time synchronization is guaranteed by out-of-band schemes (e.g., key management). That is, it is not in the scope of SRTP.
It also should be noted that TESLA has some reliability requirements in that a key is disclosed for a packet in a subsequent packet, which can get lost. Since a key in a lost packet can be derived from a future packet, TESLA is robust to packet loss. This key stream stops, however, when the key-bearing data stream packets stop at the conclusion of the RTP session. To avoid this nasty boundary condition, send null packets with TESLA keys for one entire key- disclosure period following the interval in which the stream ceases: Null packets SHOULD be sent for d intervals of duration t_int (items 8 and 9 of Section 4.3). The rate of null packets SHOULD be the average rate of the session media stream.
It also should be noted that TESLA has some reliability requirements in that a key is disclosed for a packet in a subsequent packet, which can get lost. Since a key in a lost packet can be derived from a future packet, TESLA is robust to packet loss. This key stream stops, however, when the key-bearing data stream packets stop at the conclusion of the RTP session. To avoid this nasty boundary condition, send null packets with TESLA keys for one entire key- disclosure period following the interval in which the stream ceases: Null packets SHOULD be sent for d intervals of duration t_int (items 8 and 9 of Section 4.3). The rate of null packets SHOULD be the average rate of the session media stream.
6. SRTP TESLA Default Parameters
6. SRTP TESLA Default Parameters
Key management procedures establish SRTP TESLA operating parameters, which are listed in Section 4.3 of this document. The operating parameters appear in the SRTP cryptographic context and have the default values that are described in this section. In the future, an Internet RFC MAY define alternative settings for SRTP TESLA that are different than those specified here. In particular, note that the settings defined in this memo can have a large impact on bandwidth, as they add 38 bytes to each packet (when the field length values are the default ones). For certain applications, this overhead may represent more than a 50% increase in packet size. Alternative settings might seek to reduce the number and length of various TESLA fields and outputs. No such optimizations are considered in this memo.
Key management procedures establish SRTP TESLA operating parameters, which are listed in Section 4.3 of this document. The operating parameters appear in the SRTP cryptographic context and have the default values that are described in this section. In the future, an Internet RFC MAY define alternative settings for SRTP TESLA that are different than those specified here. In particular, note that the settings defined in this memo can have a large impact on bandwidth, as they add 38 bytes to each packet (when the field length values are the default ones). For certain applications, this overhead may represent more than a 50% increase in packet size. Alternative settings might seek to reduce the number and length of various TESLA fields and outputs. No such optimizations are considered in this memo.
Baugher & Carrara Standards Track [Page 14] RFC 4383 TESLA-SRTP February 2006
Baugher & Carrara Standards Track [Page 14] RFC 4383 TESLA-SRTP February 2006
It is RECOMMENDED that the SRTP MAC be truncated to 32 bits, since the SRTP MAC provides only group authentication and serves only as protection against external DoS.
It is RECOMMENDED that the SRTP MAC be truncated to 32 bits, since the SRTP MAC provides only group authentication and serves only as protection against external DoS.
The default values for the security parameters are listed in the following table.
The default values for the security parameters are listed in the following table.
Parameter Mandatory-to-support Default --------- -------------------- ------- TESLA PRF HMAC-SHA1 HMAC-SHA1 BIT-OUTPUT LENGTH n_p 160 160 BIT-OUTPUT LENGTH n_f 160 160
Parameter Mandatory-to-support Default --------- -------------------- ------- TESLA PRF HMAC-SHA1 HMAC-SHA1 BIT-OUTPUT LENGTH n_p 160 160 BIT-OUTPUT LENGTH n_f 160 160
TESLA MAC HMAC-SHA1 HMAC-SHA1 (TRUNCATED) BIT-OUTPUT LENGTH n_m 80 80
TESLA MAC HMAC-SHA1 HMAC-SHA1 (TRUNCATED) BIT-OUTPUT LENGTH n_m 80 80
As shown above, TESLA implementations MUST support HMAC-SHA1 [RFC2104] for the TESLA MAC and the TESLA PRF. The TESLA keychain generator is recursively defined as follows [RFC4082].
As shown above, TESLA implementations MUST support HMAC-SHA1 [RFC2104] for the TESLA MAC and the TESLA PRF. The TESLA keychain generator is recursively defined as follows [RFC4082].
K_i=HMAC_SHA1(K_{i+1},0), i=0..N-1
K_i=HMAC_SHA1(K_{i+1},0), i=0..N-1
where N-1=n_c from the cryptographic context.
where N-1=n_c from the cryptographic context.
The TESLA MAC key generator is defined as follows [RFC4082].
The TESLA MAC key generator is defined as follows [RFC4082].
K'_i=HMAC_SHA1(K_i,1)
K'_i=HMAC_SHA1(K_i,1)
The TESLA MAC uses a truncated output of ten bytes [RFC2104] and is defined as follows.
The TESLA MAC uses a truncated output of ten bytes [RFC2104] and is defined as follows.
HMAC_SHA1(K'_i, M')
HMAC_SHA1(K'_i, M')
where M' is as specified in Section 4.6.
where M' is as specified in Section 4.6.
7. Security Considerations
7. Security Considerations
Denial of Service (DoS) attacks on delayed authentication are discussed in [PCST]. TESLA requires receiver buffering before authentication; therefore, the receiver can suffer a denial of service attack due to a flood of bogus packets. To address this problem, the external SRTP MAC, based on the group key, MAY be used in addition to the TESLA MAC. The short size of the SRTP MAC (default 32 bits) is motivated because that MAC is purely for DoS prevention from attackers external to the group. The shorter output tag means that an attacker has a better chance of getting a forged packet accepted, which is about 2^31 attempts on average. As a first line of defense against a denial of service attack, a short tag is
Denial of Service (DoS) attacks on delayed authentication are discussed in [PCST]. TESLA requires receiver buffering before authentication; therefore, the receiver can suffer a denial of service attack due to a flood of bogus packets. To address this problem, the external SRTP MAC, based on the group key, MAY be used in addition to the TESLA MAC. The short size of the SRTP MAC (default 32 bits) is motivated because that MAC is purely for DoS prevention from attackers external to the group. The shorter output tag means that an attacker has a better chance of getting a forged packet accepted, which is about 2^31 attempts on average. As a first line of defense against a denial of service attack, a short tag is
Baugher & Carrara Standards Track [Page 15] RFC 4383 TESLA-SRTP February 2006
Baugher & Carrara Standards Track [Page 15] RFC 4383 TESLA-SRTP February 2006
probably adequate; a victim will likely have ample evidence that it is under attack before accepting a forged packet, which will subsequently fail the TESLA check. [RFC4082] describes other mechanisms that can be used to prevent DoS, in place of the external group-key MAC. If used, they need to be added as processing steps (following the guidelines of [RFC4082]).
probably adequate; a victim will likely have ample evidence that it is under attack before accepting a forged packet, which will subsequently fail the TESLA check. [RFC4082] describes other mechanisms that can be used to prevent DoS, in place of the external group-key MAC. If used, they need to be added as processing steps (following the guidelines of [RFC4082]).
The use of TESLA in SRTP defined in this specification is subject to the security considerations discussed in the SRTP specification [RFC3711] and in the TESLA specification [RFC4082]. In particular, the TESLA security is dependent on the computation of the "safety condition" as defined in Section 3.5 of [RFC4082].
The use of TESLA in SRTP defined in this specification is subject to the security considerations discussed in the SRTP specification [RFC3711] and in the TESLA specification [RFC4082]. In particular, the TESLA security is dependent on the computation of the "safety condition" as defined in Section 3.5 of [RFC4082].
SRTP TESLA depends on the effective security of the systems that perform bootstrapping (time synchronization) and key management. These systems are external to SRTP and are not considered in this specification.
SRTP TESLA depends on the effective security of the systems that perform bootstrapping (time synchronization) and key management. These systems are external to SRTP and are not considered in this specification.
The length of the TESLA MAC is by default 80 bits. RFC 2104 requires the MAC length to be at least 80 bits and at least half the output size of the underlying hash function. The SHA-1 output size is 160 bits, so both of these requirements are met with the 80-bit MAC specified in this document. Note that IPsec implementations tend to use 96 bits for their MAC values to align the header with a 64-bit boundary. Both MAC sizes are well beyond the reach of current cryptanalytic techniques.
The length of the TESLA MAC is by default 80 bits. RFC 2104 requires the MAC length to be at least 80 bits and at least half the output size of the underlying hash function. The SHA-1 output size is 160 bits, so both of these requirements are met with the 80-bit MAC specified in this document. Note that IPsec implementations tend to use 96 bits for their MAC values to align the header with a 64-bit boundary. Both MAC sizes are well beyond the reach of current cryptanalytic techniques.
8. Acknowledgements
8. Acknowledgements
The authors would like to thank Ran Canetti, Karl Norrman, Mats Naslund, Fredrik Lindholm, David McGrew, and Bob Briscoe for their valuable help.
The authors would like to thank Ran Canetti, Karl Norrman, Mats Naslund, Fredrik Lindholm, David McGrew, and Bob Briscoe for their valuable help.
Baugher & Carrara Standards Track [Page 16] RFC 4383 TESLA-SRTP February 2006
Baugher & Carrara Standards Track [Page 16] RFC 4383 TESLA-SRTP February 2006
9. References
9. References
9.1. Normative References
9.1. Normative References
[RFC2104] Krawczyk, H., Bellare, M., and R. Canetti, "HMAC: Keyed- Hashing for Message Authentication", RFC 2104, February 1997.
[RFC2104] Krawczyk, H., Bellare, M., and R. Canetti, "HMAC: Keyed- Hashing for Message Authentication", RFC 2104, February 1997.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC3711] Baugher, M., McGrew, D., Naslund, M., Carrara, E., and K. Norrman, "The Secure Real-time Transport Protocol (SRTP)", RFC 3711, March 2004.
[RFC3711] Baugher, M., McGrew, D., Naslund, M., Carrara, E., and K. Norrman, "The Secure Real-time Transport Protocol (SRTP)", RFC 3711, March 2004.
[RFC4082] Perrig, A., Song, D., Canetti, R., Tygar, J., and B. Briscoe, "Timed Efficient Stream Loss-Tolerant Authentication (TESLA): Multicast Source Authentication Transform Introduction", RFC 4082, June 2005.
[RFC4082] Perrig, A., Song, D., Canetti, R., Tygar, J., and B. Briscoe, "Timed Efficient Stream Loss-Tolerant Authentication (TESLA): Multicast Source Authentication Transform Introduction", RFC 4082, June 2005.
9.2. Informative References
9.2. Informative References
[PCST] Perrig, A., Canetti, R., Song, D., Tygar, D., "Efficient and Secure Source Authentication for Multicast", in Proc. of Network and Distributed System Security Symposium NDSS 2001, pp. 35-46, 2001.
[PCST] Perrig, A., Canetti, R., Song, D., Tygar, D., "Efficient and Secure Source Authentication for Multicast", in Proc. of Network and Distributed System Security Symposium NDSS 2001, pp. 35-46, 2001.
[RFC3547] Baugher, M., Weis, B., Hardjono, T., and H. Harney, "The Group Domain of Interpretation", RFC 3547, July 2003.
[RFC3547] Baugher, M., Weis, B., Hardjono, T., and H. Harney, "The Group Domain of Interpretation", RFC 3547, July 2003.
[RFC3830] Arkko, J., Carrara, E., Lindholm, F., Naslund, M., and K. Norrman, "MIKEY: Multimedia Internet KEYing", RFC 3830, August 2004.
[RFC3830] Arkko, J., Carrara, E., Lindholm, F., Naslund, M., and K. Norrman, "MIKEY: Multimedia Internet KEYing", RFC 3830, August 2004.
[RFC4046] Baugher, M., Canetti, R., Dondeti, L., and F. Lindholm, "Multicast Security (MSEC) Group Key Management Architecture", RFC 4046, April 2005.
[RFC4046] Baugher, M., Canetti, R., Dondeti, L., and F. Lindholm, "Multicast Security (MSEC) Group Key Management Architecture", RFC 4046, April 2005.
Baugher & Carrara Standards Track [Page 17] RFC 4383 TESLA-SRTP February 2006
Baugher & Carrara Standards Track [Page 17] RFC 4383 TESLA-SRTP February 2006
Authors' Addresses
Authors' Addresses
Questions and comments should be directed to the authors and msec@ietf.org.
Questions and comments should be directed to the authors and msec@ietf.org.
Mark Baugher Cisco Systems, Inc. 5510 SW Orchid Street Portland, OR 97219 USA
Mark Baugher Cisco Systems, Inc. 5510 SW Orchid Street Portland, OR 97219 USA
Phone: +1 408-853-4418 EMail: mbaugher@cisco.com
Phone: +1 408-853-4418 EMail: mbaugher@cisco.com
Elisabetta Carrara Royal Institute of Technology Stockholm Sweden
Elisabetta Carrara Royal Institute of Technology Stockholm Sweden
EMail: carrara@kth.se
EMail: carrara@kth.se
Baugher & Carrara Standards Track [Page 18] RFC 4383 TESLA-SRTP February 2006
Baugher & Carrara Standards Track [Page 18] RFC 4383 TESLA-SRTP February 2006
Full Copyright Statement
Full Copyright Statement
Copyright (C) The Internet Society (2006).
Copyright (C) The Internet Society (2006).
This document is subject to the rights, licenses and restrictions contained in BCP 78, and except as set forth therein, the authors retain all their rights.
This document is subject to the rights, licenses and restrictions contained in BCP 78, and except as set forth therein, the authors retain all their rights.
This document and the information contained herein are provided on an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
This document and the information contained herein are provided on an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Intellectual Property
Intellectual Property
The IETF takes no position regarding the validity or scope of any Intellectual Property Rights or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; nor does it represent that it has made any independent effort to identify any such rights. Information on the procedures with respect to rights in RFC documents can be found in BCP 78 and BCP 79.
The IETF takes no position regarding the validity or scope of any Intellectual Property Rights or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; nor does it represent that it has made any independent effort to identify any such rights. Information on the procedures with respect to rights in RFC documents can be found in BCP 78 and BCP 79.
Copies of IPR disclosures made to the IETF Secretariat and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementers or users of this specification can be obtained from the IETF on-line IPR repository at http://www.ietf.org/ipr.
Copies of IPR disclosures made to the IETF Secretariat and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementers or users of this specification can be obtained from the IETF on-line IPR repository at http://www.ietf.org/ipr.
The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights that may cover technology that may be required to implement this standard. Please address the information to the IETF at ietf-ipr@ietf.org.
The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights that may cover technology that may be required to implement this standard. Please address the information to the IETF at ietf-ipr@ietf.org.
Acknowledgement
Acknowledgement
Funding for the RFC Editor function is provided by the IETF Administrative Support Activity (IASA).
Funding for the RFC Editor function is provided by the IETF Administrative Support Activity (IASA).
Baugher & Carrara Standards Track [Page 19]
Baugher & Carrara Standards Track [Page 19]
一覧
スポンサーリンク