160 likes | 304 Views
RTP Encryption for 3G Networks. Rolf Blom, Elisabetta Carrara, Karl Norrman, Mats Näslund Communications Security Lab Ericsson. “ Conversational Multimedia Security in 3G Networks ” draft-blom-cmsec-3G-00.txt “ RTP Encryption for 3G Networks ” draft-blom-rtp-encrypt-00.txt. Objective
E N D
RTP Encryption for 3G Networks Rolf Blom, Elisabetta Carrara, Karl Norrman, Mats Näslund Communications Security Lab Ericsson
“Conversational Multimedia Security in 3G Networks” draft-blom-cmsec-3G-00.txt • “RTP Encryption for 3G Networks” draft-blom-rtp-encrypt-00.txt
Objective Confidentiality of media streams in Conversational Multimedia scenarios (cellular environment) to end up with a service as attractive as today’s CS (cost andspeech quality)
Scenario • Conversational Multimedia • IP-all-the-way • Heterogeneous environment (including wireless)
Requirements for the encryption scheme • Target BER over the air link • error-robustness • Delay (processing time, thin client) • efficiency • Packet-loss and non-ordered delivery (IP) • "fast-forward/rewind" property • Classification and demuxof the traffic • selective payload encryption
Requirements(cont.) • Bandwidth • message-size expansion and added fields limitation • Header Compression (ROHC) • unencrypted IP/UDP/RTP headers • Unequal Error Protection • UEP classes independence
Message Integrity and Authentication Two issues: • bandwidth consumption (96/128/160 bits of MAC) • even using a very short MAC (with lower security), still it has cost impact, and what should it cover? Message integrity and authentication as optional
IPsec Applicability IPsec is the promising security solution for the All-IP scenario and ROHC supports IPsec hc but • ‘transport ESP’ • the most efficient ROHC profile does not work • IPsec header • ‘tunnel ESP’ • header overhead • AH and ESP+NULL • bandwidth
Encryption Algorithm Cons: padding, error prop BLOCK CIPHERS if random-access property () STREAM CIPHERS BLOCK CIPHERS used as STREAM
Conclusions • We have to accept the cost/security trade-off to get an attractive service • We go for • application encryption • only the RTP payload is encrypted • a block cipher used as a stream cipher • careful analysis of message authentication usage • We promote the use of security profiles.
Our proposal • Objective: confidentiality of the media session • Use the f8mode of operation with AES • It satisfies all the requirements, plus it is flexible (any secure block cipher as core) and the sync is given by the IV on a per-packet base
From the RTP header AES in f8-mode IV AES m ct=1 ct=2 AES AES AES AES k 128 bits, may be the same for all RTP sessions media session Public sec evaluation doc available
Open issues • Adding a MAC per-packet is unacceptable for cost (optional) • realtime aspects + f8 sync mechanism make attacks difficult, at least in conversational multimedia • the main danger (as usual): DoS • RTCP • key management
Implementation • Running testbed • AES/Rijndael 128 • 40-60 Mbit/s • 6 microsec initialization
Conclusions • Our proposal {f8+AES on RTP payload} as a low cost method, to allow full hc, and low complexity implementation • RTPEncrypt achieves confidentiality of the media session also in the most demanding scenario (conversational multimedia) • local policies decide the sec scheme (profiles)
Similarities confidentiality by per-packet appl of block cipher bandwidth saving (hc) low computational cost Differences f8 vs CTM authentication cost RTCP keying RTPEncrypt and SRTP