RTCWEB Encrypted Key Transport
draft-ietf-avtcore-srtp-ekt-00 (previously draft-ietf-avt-srtp-ekt-03)
August 2, 2012, IETF-84, Vancouver
Authors: David McGrew, Flemming Andreasen, Dan Wing, Kai Fischer

EKT for Interop
• Interoperate between Security Descriptions and EKT (e.g., DTLS-SRTP-EKT)
• Avoids per-packet SRTP cryptographic operations on gateway
• EKT tag now independent of SRTP packet
• Media gateway can add/remove EKT tag to/from SRTP packet, resulting in normal SRTP packet
• Implementation and security analysis simpler

Previous situation
[Diagram labels: Browser; Web Server; SIP Proxy; Media gateway; IP phone; JSEP + a=fingerprint; SIP; SIP + SDESC keys; DTLS handshake, SRTP; SRTP]
Media Gateway decrypts and re-encrypts SRTP going from Security Descriptions to DTLS-SRTP. Ouch!!

How SRTP decryption works
[Diagram labels: SRTP Payload; SRTP authentication tag; SRTP master key; Check Authentication, Decrypt; RTP Payload]

How EKT decryption works
[Diagram labels: SRTP Payload; SRTP authentication tag; SRTP master key; Check Authentication, Decrypt; RTP Payload; EKT tag; EKT key; Check Authentication, Decrypt]

Enhancement to EKT for Interop
• Adds to SRTP without changing SRTP format or processing rules
• EKT tag is now removable
• Benefit: Easy for media gateway interoperation
[Diagram: media gateway between the DTLS-SRTP-EKT leg (SRTP payload, SRTP authentication tag, EKT tag) and the Security Descriptions leg (SRTP payload, SRTP authentication tag)]

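The removable-tag property from the two "EKT for Interop" slides, as an added example that is not part of the original slides or the draft: the SRTP authentication tag covers only the SRTP packet, so a gateway holding no SRTP key can strip or append the trailing EKT tag. Assumptions: the key, header, payload and the opaque 24-byte EKT tag are constructed sample values, the gateway learns the tag length from signalling, and payload encryption is left out because the gateway never touches it.

```python
import hashlib
import hmac
import struct

AUTH_TAG_LEN = 10    # HMAC-SHA1-80, the default SRTP tag length (RFC 3711)
RTP_HEADER_LEN = 12  # fixed RTP header; no CSRCs or extensions in this sketch

# Constructed sample values (assumptions, not taken from the slides or the draft).
AUTH_KEY = bytes(range(20))      # SRTP authentication session key
RTP_HEADER = struct.pack("!BBHII", 0x80, 0, 1, 160, 0x1234ABCD)
ENC_PAYLOAD = b"\xaa" * 32       # stands in for the encrypted RTP payload
EKT_TAG = b"\xee" * 24           # opaque placeholder; real length is cipher-dependent

def srtp_auth_tag(auth_key, body, roc):
    """RFC 3711: HMAC-SHA1 over (header || payload || ROC), truncated."""
    mac = hmac.new(auth_key, body + struct.pack("!I", roc), hashlib.sha1)
    return mac.digest()[:AUTH_TAG_LEN]

def endpoint_protect(auth_key, header, enc_payload, roc, ekt_tag=b""):
    """EKT-leg sender: build the SRTP packet, then append the EKT tag."""
    body = header + enc_payload
    return body + srtp_auth_tag(auth_key, body, roc) + ekt_tag

def gateway_strip_ekt(packet, ekt_tag_len):
    """Toward the Security Descriptions leg: drop the trailing EKT tag.
    Takes no SRTP key, so it performs no per-packet SRTP cryptography."""
    if ekt_tag_len <= 0 or len(packet) < RTP_HEADER_LEN + AUTH_TAG_LEN + ekt_tag_len:
        raise ValueError("packet cannot carry an EKT tag of that length")
    return packet[:-ekt_tag_len]

def gateway_add_ekt(packet, ekt_tag):
    """Toward the DTLS-SRTP-EKT leg: append a tag to an unmodified SRTP packet."""
    return packet + ekt_tag

def endpoint_verify(auth_key, packet, roc):
    """Plain SRTP receiver: the last AUTH_TAG_LEN bytes must be a valid tag."""
    body, tag = packet[:-AUTH_TAG_LEN], packet[-AUTH_TAG_LEN:]
    return hmac.compare_digest(tag, srtp_auth_tag(auth_key, body, roc))

if __name__ == "__main__":
    on_ekt_leg = endpoint_protect(AUTH_KEY, RTP_HEADER, ENC_PAYLOAD, 0, EKT_TAG)
    on_sdes_leg = gateway_strip_ekt(on_ekt_leg, len(EKT_TAG))
    print("stripped packet verifies:", endpoint_verify(AUTH_KEY, on_sdes_leg, 0))
    print("unstripped packet verifies:", endpoint_verify(AUTH_KEY, on_ekt_leg, 0))
```

A receiver that only speaks plain SRTP rejects the unstripped packet because it reads the last bytes of the EKT tag as the authentication tag, which is why the gateway must remove the tag on the Security Descriptions leg.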
DTLS-SRTP-EKT and Security Descriptions Interop
[Diagram labels: DTLS-SRTP-EKT; Security Descriptions; Browser; Web Server; SIP Proxy; Media gateway; IP phone; JSEP + a=fingerprint; SIP; SIP + SDESC keys; DTLS-SRTP-EKT, SRTP; SRTP]

Key Changes from EKT
[Diagram labels: DTLS-SRTP-EKT; Security Descriptions; Browser; Web Server; SIP Proxy; Media gateway; IP phone; JSEP + a=fingerprint; SIP; Re-INVITE, a=crypto; Re-INVITE, a=crypto; SRTP; EKT Key]

Key Change from SDES
[Diagram labels: DTLS-SRTP-EKT; Security Descriptions; Browser; Web Server; SIP Proxy; Media gateway; IP phone; JSEP + a=fingerprint; SIP; Re-INVITE, a=crypto; Re-INVITE, a=crypto; SRTP; EKT Key]

End