SIP Requirements for SRTP Keying
1. SIP Forking and Retargeting
2. Avoid Clipping Media Before SDP Answer
3. Best-Effort Encryption
4. Shared-Key Conferencing
5. Attack Protection
6. Perfect Forward Secrecy
7. Future Algorithms
8. Computational Effort when Forking
9. Self-Signed Certificates
10. Rekeying
11. SSRC/ROC signaling
12. Clock Synchronization
Presentation Format
• 3 minutes: Present requirement
• 2 minutes: Microphone Discussion
• 1 minute: Hum vote MUST/SHOULD/MAY
– Votes drive requirements for protocol design
1. SIP Forking and Retargeting
Review: SIP Forking
[Figure: SIP forking call flow. Participants: Alice, Atlanta, Biloxi, Bob, Carol. Messages: INVITE, OK. Two SRTP streams.]
Alice/Bob and Alice/Carol need different keys
Review: SIP Retargeting
• Offerer doesn’t know final target
draft-ietf-sip-certs
[Figure: SIP retargeting call flow. Participants: Alice, Proxy, Bob, Carol. Messages: INVITE, 3xx redirect, OK.]
SIP Forking & Retargeting Requirements (1/3)
• Forking and Retargeting MUST be possible when all endpoints are SRTP?
– Retargeting: offerer doesn’t know final target
SIP Forking & Retargeting Requirements (2/3)
• Forking and Retargeting MUST allow establishing SRTP or RTP with a mix of SRTP- and RTP-capable targets
SIP Forking & Retargeting Requirements (3/3)
• Forking and Retargeting MUST/SHOULD be secured
– Immediately?
– Can we do RTP for “a while” and upgrade to SRTP?
– Can other forks and other targets see keys?
2. Avoid Clipping Media Before SDP Answer
Avoid Clipping Media Before SDP Answer
[Figure: call flow between Alice, Biloxi and Bob. Labels: INVITE; Provisional ACK (Ringing); (Bob answers); SRTP (before SDP Answer), marked "avoid clipping"; OK (containing SDP answer); SRTP (Two-Way).]
Avoid Clipping
• MUST/SHOULD avoid clipping without additional SIP signaling?
– Without PRACK (RFC3262)
– Without Security Preconditions (-mmusic-securityprecondition)
3. Best-Effort Encryption
Best Effort Encryption
• Retargeting: If one party doesn’t understand RTP/SAVP, Bad Things Happen
– entire call fails or
– Quietly re-Invite on error
  • Re-alert called party
  • Additional signaling, additional user-noticed latency
• Security Preconditions helps, but doesn’t cure
Best Effort Encryption
[Figure, first panel: Alice, Proxy, Bob’s phone (RTP only), Bob’s voicemail (with SRTP). Messages: INVITE SRTP, NAK, OK.]
[Figure, second panel: Alice, Proxy, Bob’s phone (with SRTP), Bob’s voicemail (RTP only). Messages: INVITE SRTP, NAK, CANCEL.]
Best Effort Encryption
Offer   Answerer   Session
RTP     RTP        RTP
RTP     SRTP       RTP
SRTP    RTP        RTP
SRTP    SRTP       SRTP
• MUST provide mechanism for non-SRTP-aware answerers to use RTP?
4. Shared-Key Conferencing
Shared-Key Conferencing
[Figure, first panel: Unique key conferencing. Alice, Bob and Sam connected to a Conference Bridge; Alice talks; different SRTP key for each participant (Key=B, Key=S).]
[Figure, second panel: Shared key conferencing. Alice, Bob and Sam connected through a Router or Conference Bridge, multicast or unicast; Alice talks; Key=C, Key=C.]
Shared-Key Conferencing Requirement
• Useful application: push-to-talk groups
• MUST/SHOULD support shared-key conferencing?
• MUST/SHOULD allow initiator to indicate the shared key?
• MUST/SHOULD allow terminator to indicate shared key?
• MUST/SHOULD allow either?
5. Attack Protection
Attack Protection
• Attacker can include SIP proxies
• Passive Attacker
– Attacker sniffs signaling or media streams
• Active Attacker
– Attacker modifies packets
  • SIP, SDP, or media-path packets
  • Example: downgrade security
Attack Protection Requirements
• MUST protect against passive attack?
– after all, that’s why we’re doing SRTP
• SHOULD/MUST protect against active attack?
6. Perfect Forward Secrecy
Perfect Forward Secrecy
• Disclosure of private key doesn’t disclose all previous and all future sessions
– typically uses Diffie-Hellman operation
• MUST be able to establish PFS?
7. Future Algorithm Negotiation
Future Algorithm Negotiation
• Computationally expensive offers are computationally expensive!
– Example: Offer with MIKEY-RSA, MIKEY-RSA-R, and SRTP with AES and SRTP with AES
• MUST offer multiple SRTP cipher suites without additional computational expense
– SRTP with ECC
– SRTP with SHA-256
8. Computational Effort when Forking
Computational Effort when Forking
• Forking can cause multiple Answers. If these answers require computational effort to process, the offerer can be swamped.
• Offerer SHOULD (MUST?) be able to associate SDP answer with incoming SRTP flow.
9. Self-Signed Certificates
Self-Signed Certificate
• Endpoints might have self-signed certificates
• MUST operate with self-signed certificates
10. Rekeying
Rekeying
• MUST support rekeying
• SHOULD/MUST support rekeying without a re-INVITE?
– We have separate dialogs, but additional signaling isn’t desirable
11. SSRC and Rollover Counter (ROC)
SSRC / Rollover Counter (ROC)
• Call setup entity may not always be aware of SSRC values or ROC value
• Signaling SSRC duplicates RTP’s SSRC collision detection
• Late joiners
– Use their own SSRCs
– Need to learn ROC
• MUST NOT signal SSRC in SDP?
• MUST NOT require signaling ROC?
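Why a late joiner needs to learn the ROC, as an added example that is not part of the original slides: the SRTP packet index is 2^16 * ROC + SEQ and only SEQ travels in the RTP header, so a receiver that joins after the sequence number has wrapped derives the wrong index (and so fails authentication and decryption) unless it learns the sender's ROC. The estimation rule follows RFC 3711 section 3.3.1; the function and class names and all packet values are constructed for this illustration.

```python
# Added example: SRTP packet-index estimation (RFC 3711, section 3.3.1).
# All sequence numbers and ROC values below are constructed for illustration.

def estimate_index(seq, s_l, roc):
    """Return (index, v): the packet index implied by a received 16-bit SEQ,
    given the receiver's highest sequence number s_l and its current ROC."""
    if s_l < 32768:
        v = (roc - 1) % 2**32 if seq - s_l > 32768 else roc
    else:
        v = (roc + 1) % 2**32 if s_l - 32768 > seq else roc
    return seq + 65536 * v, v


class Receiver:
    """Tracks s_l and ROC for one SSRC (replay and auth checks omitted)."""

    def __init__(self, first_seq, roc=0):
        self.s_l = first_seq
        self.roc = roc

    def receive(self, seq):
        index, v = estimate_index(seq, self.s_l, self.roc)
        # Update state only when the packet moves the window forward.
        if v == self.roc and seq > self.s_l:
            self.s_l = seq
        elif v == (self.roc + 1) % 2**32:
            self.roc, self.s_l = v, seq
        return index


def sender_index(roc, seq):
    """Index the sender actually used: 2^16 * ROC + SEQ."""
    return 65536 * roc + seq


def late_join_demo():
    # Constructed stream: the sender has already wrapped SEQ twice (ROC = 2)
    # and wraps a third time while the late joiner is listening.
    packets = [(2, 65534), (2, 65535), (3, 0), (3, 1)]
    true = [sender_index(r, s) for r, s in packets]
    seqs = [s for _, s in packets]
    # Late joiner that assumes ROC = 0: every index is off by 2 * 65536.
    blind = Receiver(first_seq=seqs[0], roc=0)
    # Late joiner that learned ROC = 2 by some other means: indices match.
    told = Receiver(first_seq=seqs[0], roc=2)
    return true, [blind.receive(s) for s in seqs], [told.receive(s) for s in seqs]
```

Both receivers follow the wraparound inside the window correctly; only the starting ROC differs, which is why the error is a constant offset that the receiver cannot detect from SEQ alone.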
12. Clock Synchronization
Clock Synchronization
• MUST NOT require synchronized clocks?
The End