draft-ietf-sframe-encv1.txt   rfc9605.txt 
sframe E. Omara Internet Engineering Task Force (IETF) E. Omara
Internet-Draft Apple Request for Comments: 9605 Apple
Intended status: Standards Track J. Uberti Category: Standards Track J. Uberti
Expires: 26 December 2024 Google ISSN: 2070-1721 Fixie.ai
S. Murillo S. G. Murillo
CoSMo Software CoSMo Software
R. L. Barnes, Ed. R. Barnes, Ed.
Cisco Cisco
Y. Fablet Y. Fablet
Apple Apple
24 June 2024 July 2024
Secure Frame (SFrame) Secure Frame (SFrame): Lightweight Authenticated Encryption for Real-
draft-ietf-sframe-enc-latest Time Media
Abstract Abstract
This document describes the Secure Frame (SFrame) end-to-end This document describes the Secure Frame (SFrame) end-to-end
encryption and authentication mechanism for media frames in a encryption and authentication mechanism for media frames in a
multiparty conference call, in which central media servers (Selective multiparty conference call, in which central media servers (Selective
Forwarding Units or SFUs) can access the media metadata needed to Forwarding Units or SFUs) can access the media metadata needed to
make forwarding decisions without having access to the actual media. make forwarding decisions without having access to the actual media.
This mechanism differs from the Secure Real-Time Protocol (SRTP) in This mechanism differs from the Secure Real-Time Protocol (SRTP) in
that it is independent of RTP (thus compatible with non-RTP media that it is independent of RTP (thus compatible with non-RTP media
transport) and can be applied to whole media frames in order to be transport) and can be applied to whole media frames in order to be
more bandwidth efficient. more bandwidth efficient.
Status of This Memo Status of This Memo
This Internet-Draft is submitted in full conformance with the This is an Internet Standards Track document.
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months This document is a product of the Internet Engineering Task Force
and may be updated, replaced, or obsoleted by other documents at any (IETF). It represents the consensus of the IETF community. It has
time. It is inappropriate to use Internet-Drafts as reference received public review and has been approved for publication by the
material or to cite them other than as "work in progress." Internet Engineering Steering Group (IESG). Further information on
Internet Standards is available in Section 2 of RFC 7841.
This Internet-Draft will expire on 26 December 2024. Information about the current status of this document, any errata,
and how to provide feedback on it may be obtained at
https://www.rfc-editor.org/info/rfc9605.
Copyright Notice Copyright Notice
Copyright (c) 2024 IETF Trust and the persons identified as the Copyright (c) 2024 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents (https://trustee.ietf.org/ Provisions Relating to IETF Documents
license-info) in effect on the date of publication of this document. (https://trustee.ietf.org/license-info) in effect on the date of
Please review these documents carefully, as they describe your rights publication of this document. Please review these documents
and restrictions with respect to this document. Code Components carefully, as they describe your rights and restrictions with respect
extracted from this document must include Revised BSD License text as to this document. Code Components extracted from this document must
described in Section 4.e of the Trust Legal Provisions and are include Revised BSD License text as described in Section 4.e of the
provided without warranty as described in the Revised BSD License. Trust Legal Provisions and are provided without warranty as described
in the Revised BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 1. Introduction
2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 4 2. Terminology
3. Goals . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 3. Goals
4. SFrame . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 4. SFrame
4.1. Application Context . . . . . . . . . . . . . . . . . . . 5 4.1. Application Context
4.2. SFrame Ciphertext . . . . . . . . . . . . . . . . . . . . 7 4.2. SFrame Ciphertext
4.3. SFrame Header . . . . . . . . . . . . . . . . . . . . . . 7 4.3. SFrame Header
4.4. Encryption Schema . . . . . . . . . . . . . . . . . . . . 9 4.4. Encryption Schema
4.4.1. Key Selection . . . . . . . . . . . . . . . . . . . . 10 4.4.1. Key Selection
4.4.2. Key Derivation . . . . . . . . . . . . . . . . . . . 10 4.4.2. Key Derivation
4.4.3. Encryption . . . . . . . . . . . . . . . . . . . . . 11 4.4.3. Encryption
4.4.4. Decryption . . . . . . . . . . . . . . . . . . . . . 13 4.4.4. Decryption
4.5. Cipher Suites . . . . . . . . . . . . . . . . . . . . . . 15 4.5. Cipher Suites
4.5.1. AES-CTR with SHA2 . . . . . . . . . . . . . . . . . . 16 4.5.1. AES-CTR with SHA2
5. Key Management . . . . . . . . . . . . . . . . . . . . . . . 18 5. Key Management
5.1. Sender Keys . . . . . . . . . . . . . . . . . . . . . . . 19 5.1. Sender Keys
5.2. MLS . . . . . . . . . . . . . . . . . . . . . . . . . . . 20 5.2. MLS
6. Media Considerations . . . . . . . . . . . . . . . . . . . . 22 6. Media Considerations
6.1. Selective Forwarding Units . . . . . . . . . . . . . . . 22 6.1. Selective Forwarding Units
6.1.1. LastN and RTP Stream Reuse . . . . . . . . . . . . . 23 6.1.1. RTP Stream Reuse
6.1.2. Simulcast . . . . . . . . . . . . . . . . . . . . . . 23 6.1.2. Simulcast
6.1.3. SVC . . . . . . . . . . . . . . . . . . . . . . . . . 23 6.1.3. Scalable Video Coding (SVC)
6.2. Video Key Frames . . . . . . . . . . . . . . . . . . . . 23 6.2. Video Key Frames
6.3. Partial Decoding . . . . . . . . . . . . . . . . . . . . 24 6.3. Partial Decoding
7. Security Considerations . . . . . . . . . . . . . . . . . . . 24 7. Security Considerations
7.1. No Header Confidentiality . . . . . . . . . . . . . . . . 24 7.1. No Header Confidentiality
7.2. No per-Sender Authentication . . . . . . . . . . . . . . 25 7.2. No Per-Sender Authentication
7.3. Key Management . . . . . . . . . . . . . . . . . . . . . 25 7.3. Key Management
7.4. Replay . . . . . . . . . . . . . . . . . . . . . . . . . 25 7.4. Replay
7.5. Risks Due to Short Tags . . . . . . . . . . . . . . . . . 25 7.5. Risks Due to Short Tags
8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 26 8. IANA Considerations
8.1. SFrame Cipher Suites . . . . . . . . . . . . . . . . . . 27 8.1. SFrame Cipher Suites
9. Application Responsibilities
9. Application Responsibilities . . . . . . . . . . . . . . . . 28 9.1. Header Value Uniqueness
9.1. Header Value Uniqueness . . . . . . . . . . . . . . . . . 29 9.2. Key Management Framework
9.2. Key Management Framework . . . . . . . . . . . . . . . . 29 9.3. Anti-Replay
9.3. Anti-Replay . . . . . . . . . . . . . . . . . . . . . . . 30 9.4. Metadata
9.4. Metadata . . . . . . . . . . . . . . . . . . . . . . . . 30 10. References
10. References . . . . . . . . . . . . . . . . . . . . . . . . . 30 10.1. Normative References
10.1. Normative References . . . . . . . . . . . . . . . . . . 30 10.2. Informative References
10.2. Informative References . . . . . . . . . . . . . . . . . 31 Appendix A. Example API
Appendix A. Example API . . . . . . . . . . . . . . . . . . . . 32 Appendix B. Overhead Analysis
Appendix B. Overhead Analysis . . . . . . . . . . . . . . . . . 34 B.1. Assumptions
B.1. Assumptions . . . . . . . . . . . . . . . . . . . . . . . 35 B.2. Audio
B.2. Audio . . . . . . . . . . . . . . . . . . . . . . . . . . 35 B.3. Video
B.3. Video . . . . . . . . . . . . . . . . . . . . . . . . . . 36 B.4. Conferences
B.4. Conferences . . . . . . . . . . . . . . . . . . . . . . . 38 B.5. SFrame over RTP
B.5. SFrame over RTP . . . . . . . . . . . . . . . . . . . . . 38 Appendix C. Test Vectors
Appendix C. Test Vectors . . . . . . . . . . . . . . . . . . . . 40 C.1. Header Encoding/Decoding
C.1. Header Encoding/Decoding . . . . . . . . . . . . . . . . 41 C.2. AEAD Encryption/Decryption Using AES-CTR and HMAC
C.2. AEAD Encryption/Decryption Using AES-CTR and HMAC . . . . 65 C.3. SFrame Encryption/Decryption
C.3. SFrame Encryption/Decryption . . . . . . . . . . . . . . 67 Acknowledgements
Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . 72 Contributors
Contributors . . . . . . . . . . . . . . . . . . . . . . . . . . 72 Authors' Addresses
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 72
1. Introduction 1. Introduction
Modern multiparty video call systems use Selective Forwarding Unit Modern multiparty video call systems use Selective Forwarding Unit
(SFU) servers to efficiently route media streams to call endpoints (SFU) servers to efficiently route media streams to call endpoints
based on factors such as available bandwidth, desired video size, based on factors such as available bandwidth, desired video size,
codec support, and other factors. An SFU typically does not need codec support, and other factors. An SFU typically does not need
access to the media content of the conference, which allows the media access to the media content of the conference, which allows the media
to be encrypted "end to end" so that it cannot be decrypted by the to be encrypted "end to end" so that it cannot be decrypted by the
SFU. In order for the SFU to work properly, though, it usually needs SFU. In order for the SFU to work properly, though, it usually needs
skipping to change at page 4, line 22 skipping to change at line 158
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in "OPTIONAL" in this document are to be interpreted as described in
BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all
capitals, as shown here. capitals, as shown here.
MAC: Message Authentication Code MAC: Message Authentication Code
E2EE: End-to-End Encryption E2EE: End-to-End Encryption
HBH: Hop-By-Hop HBH: Hop-by-Hop
We use "Selective Forwarding Unit (SFU)" and "media stream" in a less We use "Selective Forwarding Unit (SFU)" and "media stream" in a less
formal sense than in [RFC7656]. An SFU is a selective switching formal sense than in [RFC7656]. An SFU is a selective switching
function for media payloads, and a media stream a sequence of media function for media payloads, and a media stream is a sequence of
payloads, in both cases regardless of whether those media payloads media payloads, regardless of whether those media payloads are
are transported over RTP or some other protocol. transported over RTP or some other protocol.
3. Goals 3. Goals
SFrame is designed to be a suitable E2EE protection scheme for SFrame is designed to be a suitable E2EE protection scheme for
conference call media in a broad range of scenarios, as outlined by conference call media in a broad range of scenarios, as outlined by
the following goals: the following goals:
1. Provide a secure E2EE mechanism for audio and video in conference 1. Provide a secure E2EE mechanism for audio and video in conference
calls that can be used with arbitrary SFU servers. calls that can be used with arbitrary SFU servers.
2. Decouple media encryption from key management to allow SFrame to 2. Decouple media encryption from key management to allow SFrame to
be used with an arbitrary key management system. be used with an arbitrary key management system.
3. Minimize packet expansion to allow successful conferencing in as 3. Minimize packet expansion to allow successful conferencing in as
many network conditions as possible. many network conditions as possible.
4. Independence from the underlying transport, including use in non- 4. Decouple the media encryption framework from the underlying
RTP transports, e.g., WebTransport [I-D.ietf-webtrans-overview]. transport, allowing use in non-RTP scenarios, e.g., WebTransport
[WEBTRANSPORT].
5. When used with RTP and its associated error-resilience 5. When used with RTP and its associated error-resilience
mechanisms, i.e., RTX and Forward Error Correction (FEC), require mechanisms, i.e., RTX and Forward Error Correction (FEC), require
no special handling for RTX and FEC packets. no special handling for RTX and FEC packets.
6. Minimize the changes needed in SFU servers. 6. Minimize the changes needed in SFU servers.
7. Minimize the changes needed in endpoints. 7. Minimize the changes needed in endpoints.
8. Work with the most popular audio and video codecs used in 8. Work with the most popular audio and video codecs used in
skipping to change at page 5, line 23 skipping to change at line 209
E2EE, is simple to implement, has no dependencies on RTP, and E2EE, is simple to implement, has no dependencies on RTP, and
minimizes encryption bandwidth overhead. This section describes how minimizes encryption bandwidth overhead. This section describes how
the mechanism works and includes details of how applications utilize the mechanism works and includes details of how applications utilize
SFrame for media protection as well as the actual mechanics of E2EE SFrame for media protection as well as the actual mechanics of E2EE
for protecting media. for protecting media.
4.1. Application Context 4.1. Application Context
SFrame is a general encryption framing, intended to be used as an SFrame is a general encryption framing, intended to be used as an
E2EE layer over an underlying HBH-encrypted transport such as SRTP or E2EE layer over an underlying HBH-encrypted transport such as SRTP or
QUIC [RFC3711][I-D.ietf-moq-transport]. QUIC [RFC3711][MOQ-TRANSPORT].
The scale at which SFrame encryption is applied to media determines The scale at which SFrame encryption is applied to media determines
the overall amount of overhead that SFrame adds to the media stream the overall amount of overhead that SFrame adds to the media stream
as well as the engineering complexity involved in integrating SFrame as well as the engineering complexity involved in integrating SFrame
into a particular environment. Two patterns are common: using SFrame into a particular environment. Two patterns are common: using SFrame
to encrypt either whole media frames (per frame) or individual to encrypt either whole media frames (per frame) or individual
transport-level media payloads (per packet). transport-level media payloads (per packet).
For example, Figure 1 shows a typical media sender stack that takes For example, Figure 1 shows a typical media sender stack that takes
media from some source, encodes it into frames, divides those frames media from some source, encodes it into frames, divides those frames
skipping to change at page 7, line 35 skipping to change at line 314
| | | | | | | |
| | | | | | | |
| | | | | | | |
+->+-------------------------------------------------------+<-+ +->+-------------------------------------------------------+<-+
| | Authentication Tag | | | | Authentication Tag | |
| +-------------------------------------------------------+ | | +-------------------------------------------------------+ |
| | | |
| | | |
+--- Encrypted Portion Authenticated Portion ---+ +--- Encrypted Portion Authenticated Portion ---+
Figure 2: Structure of an SFrame Ciphertext
When SFrame is applied per packet, the payload of each packet will be When SFrame is applied per packet, the payload of each packet will be
an SFrame ciphertext. When SFrame is applied per frame, the SFrame an SFrame ciphertext. When SFrame is applied per frame, the SFrame
ciphertext representing an encrypted frame will span several packets, ciphertext representing an encrypted frame will span several packets,
with the header appearing in the first packet and the authentication with the header appearing in the first packet and the authentication
tag in the last packet. It is the responsibility of the application tag in the last packet. It is the responsibility of the application
to reassemble an encrypted frame from individual packets, accounting to reassemble an encrypted frame from individual packets, accounting
for packet loss and reordering as necessary. for packet loss and reordering as necessary.
4.3. SFrame Header 4.3. SFrame Header
The SFrame header specifies two values from which encryption The SFrame header specifies two values from which encryption
parameters are derived: parameters are derived:
* A Key ID (KID) that determines which encryption key should be used * A Key ID (KID) that determines which encryption key should be used
* A counter (CTR) that is used to construct the nonce for the * A Counter (CTR) that is used to construct the nonce for the
encryption encryption
Applications MUST ensure that each (KID, CTR) combination is used for Applications MUST ensure that each (KID, CTR) combination is used for
exactly one SFrame encryption operation. A typical approach to exactly one SFrame encryption operation. A typical approach to
achieve this guarantee is outlined in Section 9.1. achieve this guarantee is outlined in Section 9.1.
Config Byte Config Byte
| |
.-----' '-----. .-----' '-----.
| | | |
0 1 2 3 4 5 6 7 0 1 2 3 4 5 6 7
+-+-+-+-+-+-+-+-+------------+------------+ +-+-+-+-+-+-+-+-+------------+------------+
|X| K |Y| C | KID... | CTR... | |X| K |Y| C | KID... | CTR... |
+-+-+-+-+-+-+-+-+------------+------------+ +-+-+-+-+-+-+-+-+------------+------------+
Figure 2: SFrame Header Figure 3: SFrame Header
The SFrame header has the overall structure shown in Figure 2. The The SFrame header has the overall structure shown in Figure 3. The
first byte is a "config byte", with the following fields: first byte is a "config byte", with the following fields:
Extended Key ID Flag (X, 1 bit): Indicates if the K field contains Extended KID Flag (X, 1 bit): Indicates if the K field contains the
the Key ID or the Key ID length. KID or the KID length.
Key or Key Length (K, 3 bits): If the X flag is set to 0, this field KID or KID Length (K, 3 bits): If the X flag is set to 0, this field
contains the Key ID. If the X flag is set to 1, then it contains contains the KID. If the X flag is set to 1, then it contains the
the length of the Key ID, minus one. length of the KID, minus one.
Extended Counter Flag (Y, 1 bit): Indicates if the C field contains Extended CTR Flag (Y, 1 bit): Indicates if the C field contains the
the counter or the counter length. CTR or the CTR length.
Counter or Counter Length (C, 3 bits): This field contains the CTR or CTR Length (C, 3 bits): This field contains the CTR if the Y
counter (CTR) if the Y flag is set to 0, or the counter length, flag is set to 0, or the CTR length, minus one, if set to 1.
minus one, if set to 1.
The Key ID and Counter fields are encoded as compact unsigned The KID and CTR fields are encoded as compact unsigned integers in
integers in network (big-endian) byte order. If the value of one of network (big-endian) byte order. If the value of one of these fields
these fields is in the range 0-7, then the value is carried in the is in the range 0-7, then the value is carried in the corresponding
corresponding bits of the config byte (K or C) and the corresponding bits of the config byte (K or C) and the corresponding flag (X or Y)
flag (X or Y) is set to zero. Otherwise, the value MUST be encoded is set to zero. Otherwise, the value MUST be encoded with the
with the minimum number of bytes required and appended after the minimum number of bytes required and appended after the config byte,
config byte, with the Key ID first and Counter second. The header with the KID first and CTR second. The header field (K or C) is set
field (K or C) is set to the number of bytes in the encoded value, to the number of bytes in the encoded value, minus one. The value
minus one. The value 000 represents a length of 1, 001 a length of 000 represents a length of 1, 001 a length of 2, etc. This allows a
2, etc. This allows a 3-bit length field to represent the value 3-bit length field to represent the value lengths 1-8.
lengths 1-8.
The SFrame header can thus take one of the four forms shown in The SFrame header can thus take one of the four forms shown in
Figure 3, depending on which of the X and Y flags are set. Figure 4, depending on which of the X and Y flags are set.
KID < 8, CTR < 8: KID < 8, CTR < 8:
+-+-----+-+-----+ +-+-----+-+-----+
|0| KID |0| CTR | |0| KID |0| CTR |
+-+-----+-+-----+ +-+-----+-+-----+
KID < 8, CTR >= 8: KID < 8, CTR >= 8:
+-+-----+-+-----+------------------------+ +-+-----+-+-----+------------------------+
|0| KID |1|CLEN | CTR... (length=CLEN) | |0| KID |1|CLEN | CTR... (length=CLEN) |
+-+-----+-+-----+------------------------+ +-+-----+-+-----+------------------------+
skipping to change at page 9, line 25 skipping to change at line 399
KID >= 8, CTR < 8: KID >= 8, CTR < 8:
+-+-----+-+-----+------------------------+ +-+-----+-+-----+------------------------+
|1|KLEN |0| CTR | KID... (length=KLEN) | |1|KLEN |0| CTR | KID... (length=KLEN) |
+-+-----+-+-----+------------------------+ +-+-----+-+-----+------------------------+
KID >= 8, CTR >= 8: KID >= 8, CTR >= 8:
+-+-----+-+-----+------------------------+------------------------+ +-+-----+-+-----+------------------------+------------------------+
|1|KLEN |1|CLEN | KID... (length=KLEN) | CTR... (length=CLEN) | |1|KLEN |1|CLEN | KID... (length=KLEN) | CTR... (length=CLEN) |
+-+-----+-+-----+------------------------+------------------------+ +-+-----+-+-----+------------------------+------------------------+
Figure 3: Forms of Encoded SFrame Header Figure 4: Forms of Encoded SFrame Header
4.4. Encryption Schema 4.4. Encryption Schema
SFrame encryption uses an AEAD encryption algorithm and hash function SFrame encryption uses an AEAD encryption algorithm and hash function
defined by the cipher suite in use (see Section 4.5). We will refer defined by the cipher suite in use (see Section 4.5). We will refer
to the following aspects of the AEAD and the hash algorithm below: to the following aspects of the AEAD and the hash algorithm below:
* AEAD.Encrypt and AEAD.Decrypt - The encryption and decryption * AEAD.Encrypt and AEAD.Decrypt - The encryption and decryption
functions for the AEAD. We follow the convention of RFC 5116 functions for the AEAD. We follow the convention of RFC 5116
[RFC5116] and consider the authentication tag part of the [RFC5116] and consider the authentication tag part of the
skipping to change at page 9, line 49 skipping to change at line 423
* AEAD.Nk - The size in bytes of a key for the encryption algorithm * AEAD.Nk - The size in bytes of a key for the encryption algorithm
* AEAD.Nn - The size in bytes of a nonce for the encryption * AEAD.Nn - The size in bytes of a nonce for the encryption
algorithm algorithm
* AEAD.Nt - The overhead in bytes of the encryption algorithm * AEAD.Nt - The overhead in bytes of the encryption algorithm
(typically the size of a "tag" that is added to the plaintext) (typically the size of a "tag" that is added to the plaintext)
* AEAD.Nka - For cipher suites using the compound AEAD described in * AEAD.Nka - For cipher suites using the compound AEAD described in
Section 4.5.1, the size in bytes of a key for the underlying Section 4.5.1, the size in bytes of a key for the underlying
Advanced Encryption Standard Counter Mode (AES-CTR) algorithm encryption algorithm
* Hash.Nh - The size in bytes of the output of the hash function * Hash.Nh - The size in bytes of the output of the hash function
4.4.1. Key Selection 4.4.1. Key Selection
Each SFrame encryption or decryption operation is premised on a Each SFrame encryption or decryption operation is premised on a
single secret base_key, which is labeled with an integer KID value single secret base_key, which is labeled with an integer KID value
signaled in the SFrame header. signaled in the SFrame header.
The sender and receivers need to agree on which base_key should be The sender and receivers need to agree on which base_key should be
skipping to change at page 10, line 23 skipping to change at line 445
on whether a base_key will be used for encryption or decryption only. on whether a base_key will be used for encryption or decryption only.
The process for provisioning base_key values and their KID values is The process for provisioning base_key values and their KID values is
beyond the scope of this specification, but its security properties beyond the scope of this specification, but its security properties
will bound the assurances that SFrame provides. For example, if will bound the assurances that SFrame provides. For example, if
SFrame is used to provide E2E security against intermediary media SFrame is used to provide E2E security against intermediary media
nodes, then SFrame keys need to be negotiated in a way that does not nodes, then SFrame keys need to be negotiated in a way that does not
make them accessible to these intermediaries. make them accessible to these intermediaries.
For each known KID value, the client stores the corresponding For each known KID value, the client stores the corresponding
symmetric key base_key. For keys that can be used for encryption, symmetric key base_key. For keys that can be used for encryption,
the client also stores the next counter value CTR to be used when the client also stores the next CTR value to be used when encrypting
encrypting (initially 0). (initially 0).
When encrypting a plaintext, the application specifies which KID is When encrypting a plaintext, the application specifies which KID is
to be used, and the counter is incremented after successful to be used, and the CTR value is incremented after successful
encryption. When decrypting, the base_key for decryption is selected encryption. When decrypting, the base_key for decryption is selected
from the available keys using the KID value in the SFrame header. from the available keys using the KID value in the SFrame header.
A given base_key MUST NOT be used for encryption by multiple senders. A given base_key MUST NOT be used for encryption by multiple senders.
Such reuse would result in multiple encrypted frames being generated Such reuse would result in multiple encrypted frames being generated
with the same (key, nonce) pair, which harms the protections provided with the same (key, nonce) pair, which harms the protections provided
by many AEAD algorithms. Implementations MUST mark each base_key as by many AEAD algorithms. Implementations MUST mark each base_key as
usable for encryption or decryption, never both. usable for encryption or decryption, never both.
Note that the set of available keys might change over the lifetime of Note that the set of available keys might change over the lifetime of
skipping to change at page 11, line 9 skipping to change at line 478
SFrame encryption and decryption use a key and salt derived from the SFrame encryption and decryption use a key and salt derived from the
base_key associated with a KID. Given a base_key value, the key and base_key associated with a KID. Given a base_key value, the key and
salt are derived using HMAC-based Key Derivation Function (HKDF) salt are derived using HMAC-based Key Derivation Function (HKDF)
[RFC5869] as follows: [RFC5869] as follows:
def derive_key_salt(KID, base_key): def derive_key_salt(KID, base_key):
sframe_secret = HKDF-Extract("", base_key) sframe_secret = HKDF-Extract("", base_key)
sframe_key_label = "SFrame 1.0 Secret key " + KID + cipher_suite sframe_key_label = "SFrame 1.0 Secret key " + KID + cipher_suite
sframe_key = HKDF-Expand(sframe_secret, sframe_key_label, AEAD.Nk) sframe_key =
HKDF-Expand(sframe_secret, sframe_key_label, AEAD.Nk)
sframe_salt_label = "SFrame 1.0 Secret salt " + KID + cipher_suite sframe_salt_label = "SFrame 1.0 Secret salt " + KID + cipher_suite
sframe_salt = HKDF-Expand(sframe_secret, sframe_salt_label, AEAD.Nn) sframe_salt =
HKDF-Expand(sframe_secret, sframe_salt_label, AEAD.Nn)
return sframe_key, sframe_salt return sframe_key, sframe_salt
In the derivation of sframe_secret: In the derivation of sframe_secret:
* The + operator represents concatenation of byte strings. * The + operator represents concatenation of byte strings.
* The KID value is encoded as an 8-byte big-endian integer, not the * The KID value is encoded as an 8-byte big-endian integer, not the
compressed form used in the SFrame header. compressed form used in the SFrame header.
* The cipher_suite value is a 2-byte big-endian integer representing * The cipher_suite value is a 2-byte big-endian integer representing
the cipher suite in use (see Section 8.1). the cipher suite in use (see Section 8.1).
The hash function used for HKDF is determined by the cipher suite in The hash function used for HKDF is determined by the cipher suite in
use. use.
4.4.3. Encryption 4.4.3. Encryption
SFrame encryption uses the AEAD encryption algorithm for the cipher SFrame encryption uses the AEAD encryption algorithm for the cipher
suite in use. The key for the encryption is the sframe_key and the suite in use. The key for the encryption is the sframe_key. The
nonce is formed by XORing the sframe_salt with the current counter, nonce is formed by first XORing the sframe_salt with the current CTR
encoded as a big-endian integer of length AEAD.Nn. value, and then encoding the result as a big-endian integer of length
AEAD.Nn.
The encryptor forms an SFrame header using the CTR and KID values The encryptor forms an SFrame header using the CTR and KID values
provided. The encoded header is provided as AAD to the AEAD provided. The encoded header is provided as AAD to the AEAD
encryption operation, together with application-provided metadata encryption operation, together with application-provided metadata
about the encrypted media (see Section 9.4). about the encrypted media (see Section 9.4).
def encrypt(CTR, KID, metadata, plaintext): def encrypt(CTR, KID, metadata, plaintext):
sframe_key, sframe_salt = key_store[KID] sframe_key, sframe_salt = key_store[KID]
# encode_big_endian(x, n) produces an n-byte string encoding the # encode_big_endian(x, n) produces an n-byte string encoding the
skipping to change at page 13, line 42 skipping to change at line 572
| +---------------+ | | +---------------+ |
+-------------->| SFrame Header | | +-------------->| SFrame Header | |
+---------------+ | +---------------+ |
| | | | | |
| |<----+ | |<----+
| ciphertext | | ciphertext |
| | | |
| | | |
+---------------+ +---------------+
Figure 4: Encrypting an SFrame Ciphertext Figure 5: Encrypting an SFrame Ciphertext
4.4.4. Decryption 4.4.4. Decryption
Before decrypting, a receiver needs to assemble a full SFrame Before decrypting, a receiver needs to assemble a full SFrame
ciphertext. When an SFrame ciphertext is fragmented into multiple ciphertext. When an SFrame ciphertext is fragmented into multiple
parts for transport (e.g., a whole encrypted frame sent in multiple parts for transport (e.g., a whole encrypted frame sent in multiple
SRTP packets), the receiving client collects all the fragments of the SRTP packets), the receiving client collects all the fragments of the
ciphertext, using appropriate sequencing and start/end markers in the ciphertext, using appropriate sequencing and start/end markers in the
transport. Once all of the required fragments are available, the transport. Once all of the required fragments are available, the
client reassembles them into the SFrame ciphertext, then it passes client reassembles them into the SFrame ciphertext and passes the
the ciphertext to SFrame for decryption. ciphertext to SFrame for decryption.
The KID field in the SFrame header is used to find the right key and The KID field in the SFrame header is used to find the right key and
salt for the encrypted frame, and the CTR field is used to construct salt for the encrypted frame, and the CTR field is used to construct
the nonce. The SFrame decryption procedure is as follows: the nonce. The SFrame decryption procedure is as follows:
def decrypt(metadata, sframe_ciphertext): def decrypt(metadata, sframe_ciphertext):
KID, CTR, header, ciphertext = parse_ciphertext(sframe_ciphertext) KID, CTR, header, ciphertext = parse_ciphertext(sframe_ciphertext)
sframe_key, sframe_salt = key_store[KID] sframe_key, sframe_salt = key_store[KID]
skipping to change at page 14, line 28 skipping to change at line 607
return AEAD.Decrypt(sframe_key, nonce, aad, ciphertext) return AEAD.Decrypt(sframe_key, nonce, aad, ciphertext)
If a ciphertext fails to decrypt because there is no key available If a ciphertext fails to decrypt because there is no key available
for the KID in the SFrame header, the client MAY buffer the for the KID in the SFrame header, the client MAY buffer the
ciphertext and retry decryption once a key with that KID is received. ciphertext and retry decryption once a key with that KID is received.
If a ciphertext fails to decrypt for any other reason, the client If a ciphertext fails to decrypt for any other reason, the client
MUST discard the ciphertext. Invalid ciphertexts SHOULD be discarded MUST discard the ciphertext. Invalid ciphertexts SHOULD be discarded
in a way that is indistinguishable (to an external observer) from in a way that is indistinguishable (to an external observer) from
having processed a valid ciphertext. In other words, the SFrame having processed a valid ciphertext. In other words, the SFrame
decrypt operation should be constant time, regardless of whether decrypt operation should take the same amount of time regardless of
decryption succeeds or fails. whether decryption succeeds or fails.
SFrame Ciphertext SFrame Ciphertext
+---------------+ +---------------+
+---------------| SFrame Header | +---------------| SFrame Header |
| +---------------+ | +---------------+
| | | | | |
| | |-----+ | | |-----+
| | ciphertext | | | | ciphertext | |
| | | | | | | |
| | | | | | | |
skipping to change at page 15, line 43 skipping to change at line 648
| |
V V
+---------------+ +---------------+
| | | |
| | | |
| plaintext | | plaintext |
| | | |
| | | |
+---------------+ +---------------+
Figure 5: Decrypting an SFrame Ciphertext Figure 6: Decrypting an SFrame Ciphertext
4.5. Cipher Suites 4.5. Cipher Suites
Each SFrame session uses a single cipher suite that specifies the Each SFrame session uses a single cipher suite that specifies the
following primitives: following primitives:
* A hash function used for key derivation * A hash function used for key derivation
* An AEAD encryption algorithm [RFC5116] used for frame encryption, * An AEAD encryption algorithm [RFC5116] used for frame encryption,
optionally with a truncated authentication tag optionally with a truncated authentication tag
This document defines the following cipher suites, with the constants This document defines the following cipher suites, with the constants
defined in Section 4.4: defined in Section 4.4:
+============================+====+=====+====+====+====+ +============================+====+=====+====+====+====+
| Name | Nh | Nka | Nk | Nn | Nt | | Name | Nh | Nka | Nk | Nn | Nt |
+============================+====+=====+====+====+====+ +============================+====+=====+====+====+====+
| AES_128_CTR_HMAC_SHA256_80 | 32 | 16 | 48 | 12 | 10 | | AES_128_CTR_HMAC_SHA256_80 | 32 | 16 | 48 | 12 | 10 |
skipping to change at page 17, line 9 skipping to change at line 704
In order to allow very short tag sizes, we define a synthetic AEAD In order to allow very short tag sizes, we define a synthetic AEAD
function using the authenticated counter mode of AES together with function using the authenticated counter mode of AES together with
HMAC for authentication. We use an encrypt-then-MAC approach, as in HMAC for authentication. We use an encrypt-then-MAC approach, as in
SRTP [RFC3711]. SRTP [RFC3711].
Before encryption or decryption, encryption and authentication Before encryption or decryption, encryption and authentication
subkeys are derived from the single AEAD key. The overall length of subkeys are derived from the single AEAD key. The overall length of
the AEAD key is Nka + Nh, where Nka represents the key size for the the AEAD key is Nka + Nh, where Nka represents the key size for the
AES block cipher in use and Nh represents the output size of the hash AES block cipher in use and Nh represents the output size of the hash
function (as in Table 1). The encryption subkey comprises the first function (as in Section 4.4). The encryption subkey comprises the
Nka bytes and the authentication subkey comprises the remaining Nh first Nka bytes and the authentication subkey comprises the remaining
bytes. Nh bytes.
def derive_subkeys(sframe_key): def derive_subkeys(sframe_key):
# The encryption key comprises the first Nka bytes # The encryption key comprises the first Nka bytes
enc_key = sframe_key[..Nka] enc_key = sframe_key[..Nka]
# The authentication key comprises Nh remaining bytes # The authentication key comprises Nh remaining bytes
auth_key = sframe_key[Nka..] auth_key = sframe_key[Nka..]
return enc_key, auth_key return enc_key, auth_key
skipping to change at page 19, line 18 skipping to change at line 778
they can use it to distribute SFrame keys. Each client participating they can use it to distribute SFrame keys. Each client participating
in a call generates a fresh base_key value that it will use to in a call generates a fresh base_key value that it will use to
encrypt media. The client then uses the E2E-secure channel to send encrypt media. The client then uses the E2E-secure channel to send
their encryption key to the other participants. their encryption key to the other participants.
In this scheme, it is assumed that receivers have a signal outside of In this scheme, it is assumed that receivers have a signal outside of
SFrame for which client has sent a given frame (e.g., an RTP SFrame for which client has sent a given frame (e.g., an RTP
synchronization source (SSRC)). SFrame KID values are then used to synchronization source (SSRC)). SFrame KID values are then used to
distinguish between versions of the sender's base_key. distinguish between versions of the sender's base_key.
Key IDs in this scheme have two parts: a "key generation" and a KID values in this scheme have two parts: a "key generation" and a
"ratchet step". Both are unsigned integers that begin at zero. The "ratchet step". Both are unsigned integers that begin at zero. The
"key generation" increments each time the sender distributes a new key generation increments each time the sender distributes a new key
key to receivers. The "ratchet step" is incremented each time the to receivers. The ratchet step is incremented each time the sender
sender ratchets their key forward for forward secrecy: ratchets their key forward for forward secrecy:
base_key[i+1] = HKDF-Expand( base_key[i+1] = HKDF-Expand(
HKDF-Extract("", base_key[i]), HKDF-Extract("", base_key[i]),
"SFrame 1.0 Ratchet", CipherSuite.Nh) "SFrame 1.0 Ratchet", CipherSuite.Nh)
For compactness, we do not send the whole ratchet step. Instead, we For compactness, we do not send the whole ratchet step. Instead, we
send only its low-order R bits, where R is a value set by the send only its low-order R bits, where R is a value set by the
application. Different senders may use different values of R, but application. Different senders may use different values of R, but
each receiver of a given sender needs to know what value of R is used each receiver of a given sender needs to know what value of R is used
by the sender so that they can recognize when they need to ratchet by the sender so that they can recognize when they need to ratchet
(vs. expecting a new key). R effectively defines a reordering (vs. expecting a new key). R effectively defines a reordering
window, since no more than 2^R ratchet steps can be active at a given window, since no more than 2^R ratchet steps can be active at a given
time. The key generation is sent in the remaining 64 - R bits of the time. The key generation is sent in the remaining 64 - R bits of the
Key ID. KID.
KID = (key_generation << R) + (ratchet_step % (1 << R)) KID = (key_generation << R) + (ratchet_step % (1 << R))
64-R bits R bits 64-R bits R bits
<---------------> <------------> <---------------> <------------>
+-----------------+--------------+ +-----------------+--------------+
| Key Generation | Ratchet Step | | Key Generation | Ratchet Step |
+-----------------+--------------+ +-----------------+--------------+
Figure 6: Structure of a KID in the Sender Keys Scheme Figure 7: Structure of a KID in the Sender Keys Scheme
The sender signals such a ratchet step update by sending with a KID The sender signals such a ratchet step update by sending with a KID
value in which the ratchet step has been incremented. A receiver who value in which the ratchet step has been incremented. A receiver who
receives from a sender with a new KID computes the new key as above. receives from a sender with a new KID computes the new key as above.
The old key may be kept for some time to allow for out-of-order The old key may be kept for some time to allow for out-of-order
delivery, but should be deleted promptly. delivery, but should be deleted promptly.
If a new participant joins in the middle of a session, they will need If a new participant joins in the middle of a session, they will need
to receive from each sender (a) the current sender key for that to receive from each sender (a) the current sender key for that
sender and (b) the current KID value for the sender. Evicting a sender and (b) the current KID value for the sender. Evicting a
participant requires each sender to send a fresh sender key to all participant requires each sender to send a fresh sender key to all
receivers. receivers.
It is up to the application to decide when sender keys are updated. It is the application's responsibility to decide when sender keys are
A sender key may be updated by sending a new base_key (updating the updated. A sender key may be updated by sending a new base_key
key generation) or by hashing the current base_key (updating the (updating the key generation) or by hashing the current base_key
ratchet step). Ratcheting the key forward is useful when adding new (updating the ratchet step). Ratcheting the key forward is useful
receivers to an SFrame-based interaction, since it ensures that the when adding new receivers to an SFrame-based interaction, since it
new receivers can't decrypt any media encrypted before they were ensures that the new receivers can't decrypt any media encrypted
added. If a sender wishes to assure the opposite property when before they were added. If a sender wishes to assure the opposite
removing a receiver (i.e., ensuring that the receiver can't decrypt property when removing a receiver (i.e., ensuring that the receiver
media after they are removed), then the sender will need to can't decrypt media after they are removed), then the sender will
distribute a new sender key. need to distribute a new sender key.
5.2. MLS 5.2. MLS
The Messaging Layer Security (MLS) protocol provides group The Messaging Layer Security (MLS) protocol provides group
authenticated key exchange [MLS-ARCH] [MLS-PROTO]. In principle, it authenticated key exchange [MLS-ARCH] [MLS-PROTO]. In principle, it
could be used to instantiate the sender key scheme above, but it can could be used to instantiate the sender key scheme above, but it can
also be used more efficiently directly. also be used more efficiently directly.
MLS creates a linear sequence of keys, each of which is shared among MLS creates a linear sequence of keys, each of which is shared among
the members of a group at a given point in time. When a member joins the members of a group at a given point in time. When a member joins
skipping to change at page 20, line 49 skipping to change at line 858
member has a unique sframe_key and sframe_salt that it uses to member has a unique sframe_key and sframe_salt that it uses to
encrypt with. Senders may choose any KID value within their assigned encrypt with. Senders may choose any KID value within their assigned
set of KID values, e.g., to allow a single sender to send multiple, set of KID values, e.g., to allow a single sender to send multiple,
uncoordinated outbound media streams. uncoordinated outbound media streams.
base_key = MLS-Exporter("SFrame 1.0 Base Key", "", AEAD.Nk) base_key = MLS-Exporter("SFrame 1.0 Base Key", "", AEAD.Nk)
For compactness, we do not send the whole epoch number. Instead, we For compactness, we do not send the whole epoch number. Instead, we
send only its low-order E bits, where E is a value set by the send only its low-order E bits, where E is a value set by the
application. E effectively defines a reordering window, since no application. E effectively defines a reordering window, since no
more than 2^E epochs can be active at a given time. Receivers MUST more than 2^E epochs can be active at a given time. To handle
be prepared for the epoch counter to roll over, removing an old epoch rollover of the epoch counter, receivers MUST remove an old epoch
when a new epoch with the same E lower bits is introduced. when a new epoch with the same low-order E bits is introduced.
Let S be the number of bits required to encode a member index in the Let S be the number of bits required to encode a member index in the
group, i.e., the smallest value such that group_size <= (1 << S). group, i.e., the smallest value such that group_size <= (1 << S).
The sender index is encoded in the S bits above the epoch. The The sender index is encoded in the S bits above the epoch. The
remaining 64 - S - E bits of the KID value are a context value chosen remaining 64 - S - E bits of the KID value are a context value chosen
by the sender (context value 0 will produce the shortest encoded by the sender (context value 0 will produce the shortest encoded
KID). KID).
KID = (context << (S + E)) + (sender_index << E) + (epoch % (1 << E)) KID = (context << (S + E)) + (sender_index << E) + (epoch % (1 << E))
64-S-E bits S bits E bits 64-S-E bits S bits E bits
<-----------> <------> <------> <-----------> <------> <------>
+-------------+--------+-------+ +-------------+--------+-------+
| Context ID | Index | Epoch | | Context ID | Index | Epoch |
+-------------+--------+-------+ +-------------+--------+-------+
Figure 7: Structure of a KID for an MLS Sender Figure 8: Structure of a KID for an MLS Sender
Once an SFrame stack has been provisioned with the Once an SFrame stack has been provisioned with the
sframe_epoch_secret for an epoch, it can compute the required KID sframe_epoch_secret for an epoch, it can compute the required KID
values on demand (as well as the resulting SFrame keys/nonces derived values on demand (as well as the resulting SFrame keys/nonces derived
from the base_key and KID) as it needs to encrypt or decrypt for a from the base_key and KID) as it needs to encrypt or decrypt for a
given member. given member.
... ...
| |
| |
skipping to change at page 22, line 32 skipping to change at line 912
| +--> context = 3 --> KID = 0xc20 | +--> context = 3 --> KID = 0xc20
| |
| |
Epoch 17 +--+-- index=33 --> KID = 0x211 Epoch 17 +--+-- index=33 --> KID = 0x211
| | | |
| +-- index=51 --> KID = 0x331 | +-- index=51 --> KID = 0x331
| |
| |
... ...
Figure 8: An Example Sequence of KIDs for an MLS-based SFrame Figure 9: An Example Sequence of KIDs for an MLS-based SFrame
Session (E=4; S=6, Allowing for 64 Group Members) Session (E=4; S=6, Allowing for 64 Group Members)
6. Media Considerations 6. Media Considerations
6.1. Selective Forwarding Units 6.1. Selective Forwarding Units
SFUs (e.g., those described in Section 3.7 of [RFC7667]) receive the SFUs (e.g., those described in Section 3.7 of [RFC7667]) receive the
media streams from each participant and select which ones should be media streams from each participant and select which ones should be
forwarded to each of the other participants. There are several forwarded to each of the other participants. There are several
approaches for stream selection, but in general, the SFU needs to approaches for stream selection, but in general, the SFU needs to
access metadata associated with each frame and modify the RTP access metadata associated with each frame and modify the RTP
information of the incoming packets when they are transmitted to the information of the incoming packets when they are transmitted to the
received participants. received participants.
This section describes how these normal SFU modes of operation This section describes how these normal SFU modes of operation
interact with the E2EE provided by SFrame. interact with the E2EE provided by SFrame.
6.1.1. LastN and RTP Stream Reuse 6.1.1. RTP Stream Reuse
The SFU may choose to send only a certain number of streams based on The SFU may choose to send only a certain number of streams based on
the voice activity of the participants. To avoid the overhead the voice activity of the participants. To avoid the overhead
involved in establishing new transport streams, the SFU may decide to involved in establishing new transport streams, the SFU may decide to
reuse previously existing streams or even pre-allocate a predefined reuse previously existing streams or even pre-allocate a predefined
number of streams and choose in each moment in time which participant number of streams and choose in each moment in time which participant
media will be sent through it. media will be sent through it.
This means that in the same transport-level stream (e.g., an RTP This means that the same transport-level stream (e.g., an RTP stream
stream defined by either SSRC or Media Identification (MID)) may defined by either SSRC or Media Identification (MID)) may carry media
carry media from different streams of different participants. As from different streams of different participants. Because each
different keys are used by each participant for encoding their media, participant uses a different key to encrypt their media, the receiver
the receiver will be able to verify which is the sender of the media will be able to verify the sender of the media within the RTP stream
coming within the RTP stream at any given point in time, preventing at any given point in time. Thus the receiver will correctly
the SFU trying to impersonate any of the participants with another associate the media with the sender indicated by the authenticated
participant's media. SFrame KID value, irrespective of how the SFU transmits the media to
the client.
Note that in order to prevent impersonation by a malicious Note that in order to prevent impersonation by a malicious
participant (not the SFU), a mechanism based on digital signature participant (not the SFU), a mechanism based on digital signature
would be required. SFrame does not protect against such attacks. would be required. SFrame does not protect against such attacks.
6.1.2. Simulcast 6.1.2. Simulcast
When using simulcast, the same input image will produce N different When using simulcast, the same input image will produce N different
encoded frames (one per simulcast layer), which would be processed encoded frames (one per simulcast layer), which would be processed
independently by the frame encryptor and assigned an unique counter independently by the frame encryptor and assigned an unique CTR value
for each. for each.
6.1.3. SVC 6.1.3. Scalable Video Coding (SVC)
In both temporal and spatial scalability, the SFU may choose to drop In both temporal and spatial scalability, the SFU may choose to drop
layers in order to match a certain bitrate or to forward specific layers in order to match a certain bitrate or to forward specific
media sizes or frames per second. In order to support the SFU media sizes or frames per second. In order to support the SFU
selectively removing layers, the sender MUST encapsulate each layer selectively removing layers, the sender MUST encapsulate each layer
in a different SFrame ciphertext. in a different SFrame ciphertext.
6.2. Video Key Frames 6.2. Video Key Frames
Forward security and post-compromise security require that the E2EE Forward security and post-compromise security require that the E2EE
keys (base keys) are updated any time a participant joins or leaves keys (base keys) are updated any time a participant joins or leaves
the call. the call.
The key exchange happens asynchronously and on a different path than The key exchange happens asynchronously and on a different path than
the SFU signaling and media. So it may happen that, when a new the SFU signaling and media. So it may happen that when a new
participant joins the call and the SFU side requests a key frame, the participant joins the call and the SFU side requests a key frame, the
sender generates the E2EE frame with a key that is not known by the sender generates the E2EE frame with a key that is not known by the
receiver, so it will be discarded. When the sender updates his receiver, so it will be discarded. When the sender updates his
sending key with the new key, it will send it in a non-key frame, so sending key with the new key, it will send it in a non-key frame, so
the receiver will be able to decrypt it, but not decode it. the receiver will be able to decrypt it, but not decode it.
The new receiver will then re-request a key frame, but due to sender The new receiver will then re-request a key frame, but due to sender
and SFU policies, that new key frame could take some time to be and SFU policies, that new key frame could take some time to be
generated. generated.
If the sender sends a key frame after the new E2EE key is in use, the If the sender sends a key frame after the new E2EE key is in use, the
time required for the new participant to display the video is time required for the new participant to display the video is
minimized. minimized.
Note that this issue does not arise for media streams that do not Note that this issue does not arise for media streams that do not
have dependencies among frames, e.g., audio streams. In these have dependencies among frames, e.g., audio streams. In these
streams, each frame is independently decodable, so there is never a streams, each frame is independently decodable, so a frame never
need to process together two frames that might be on two sides of a depends on another frame that might be on the other side of a key
key rotation. rotation.
6.3. Partial Decoding 6.3. Partial Decoding
Some codecs support partial decoding, where individual packets can be Some codecs support partial decoding, where individual packets can be
decoded without waiting for the full frame to arrive. When SFrame is decoded without waiting for the full frame to arrive. When SFrame is
applied per frame, partial decoding is not possible because the applied per frame, partial decoding is not possible because the
decoder cannot access data until an entire frame has arrived and has decoder cannot access data until an entire frame has arrived and has
been decrypted. been decrypted.
7. Security Considerations 7. Security Considerations
7.1. No Header Confidentiality 7.1. No Header Confidentiality
SFrame provides integrity protection to the SFrame header (the Key ID SFrame provides integrity protection to the SFrame header (the KID
and counter values), but it does not provide confidentiality and CTR values), but it does not provide confidentiality protection.
protection. Parties that can observe the SFrame header may learn, Parties that can observe the SFrame header may learn, for example,
for example, which parties are sending SFrame payloads (from KID which parties are sending SFrame payloads (from KID values) and at
values) and at what rates (from CTR values). In cases where SFrame what rates (from CTR values). In cases where SFrame is used for end-
is used for end-to-end security on top of hop-by-hop protections to-end security on top of hop-by-hop protections (e.g., running over
(e.g., running over SRTP as described in Appendix B.5), the hop-by- SRTP as described in Appendix B.5), the hop-by-hop security
hop security mechanisms provide confidentiality protection of the mechanisms provide confidentiality protection of the SFrame header
SFrame header between hops. between hops.
7.2. No per-Sender Authentication 7.2. No Per-Sender Authentication
SFrame does not provide per-sender authentication of media data. Any SFrame does not provide per-sender authentication of media data. Any
sender in a session can send media that will be associated with any sender in a session can send media that will be associated with any
other sender. This is because SFrame uses symmetric encryption to other sender. This is because SFrame uses symmetric encryption to
protect media data, so that any receiver also has the keys required protect media data, so that any receiver also has the keys required
to encrypt packets for the sender. to encrypt packets for the sender.
7.3. Key Management 7.3. Key Management
The key exchange mechanism is out of scope of this document; however, The specifics of key management are beyond the scope of this
every client SHOULD change their keys when new clients join or leave document. However, every client SHOULD change their keys when new
the call for forward secrecy and post-compromise security. clients join or leave the call for forward secrecy and post-
compromise security.
7.4. Replay 7.4. Replay
The handling of replay is out of the scope of this document. The handling of replay is out of the scope of this document.
However, senders MUST reject requests to encrypt multiple times with However, senders MUST reject requests to encrypt multiple times with
the same key and nonce since several AEAD algorithms fail badly in the same key and nonce since several AEAD algorithms fail badly in
such cases (see, e.g., Section 5.1.1 of [RFC5116]). such cases (see, e.g., Section 5.1.1 of [RFC5116]).
7.5. Risks Due to Short Tags 7.5. Risks Due to Short Tags
skipping to change at page 26, line 14 skipping to change at line 1073
* Receivers only accept SFrame ciphertexts over HBH-secure channels * Receivers only accept SFrame ciphertexts over HBH-secure channels
(e.g., SRTP security associations or QUIC connections). If this (e.g., SRTP security associations or QUIC connections). If this
is the case, only an entity that is part of such a channel can is the case, only an entity that is part of such a channel can
mount the above attack. mount the above attack.
* The expected packet rate for a media stream is very predictable * The expected packet rate for a media stream is very predictable
(and typically far lower than the above example). On the one (and typically far lower than the above example). On the one
hand, attacks at this rate will succeed even less often than the hand, attacks at this rate will succeed even less often than the
high-rate attack described above. On the other hand, the high-rate attack described above. On the other hand, the
application may use an elevated packet-arrival rate as a signal of application may use an elevated packet arrival rate as a signal of
a brute-force attack. This latter approach is common in other a brute-force attack. This latter approach is common in other
settings, e.g., mitigating brute-force attacks on passwords. settings, e.g., mitigating brute-force attacks on passwords.
* Media applications typically do not provide feedback to media * Media applications typically do not provide feedback to media
senders as to which media packets failed to decrypt. When media- senders as to which media packets failed to decrypt. When media-
quality feedback mechanisms are used, decryption failures will quality feedback mechanisms are used, decryption failures will
typically appear as packet losses, but only at an aggregate level. typically appear as packet losses, but only at an aggregate level.
* Anti-replay mechanisms (see Section 7.4) prevent the attacker from * Anti-replay mechanisms (see Section 7.4) prevent the attacker from
reusing valid ciphertexts (either observed or guessed by the reusing valid ciphertexts (either observed or guessed by the
skipping to change at page 26, line 39 skipping to change at line 1098
encrypted content is unchanged. In other words, when the above encrypted content is unchanged. In other words, when the above
brute-force attack succeeds, it only allows the attacker to send a brute-force attack succeeds, it only allows the attacker to send a
single SFrame ciphertext; the ciphertext cannot be reused because single SFrame ciphertext; the ciphertext cannot be reused because
either it will have the same CTR value and be discarded as a either it will have the same CTR value and be discarded as a
replay, or else it will have a different CTR value and its tag replay, or else it will have a different CTR value and its tag
will no longer be valid. will no longer be valid.
Nonetheless, without these mitigations, an application that makes use Nonetheless, without these mitigations, an application that makes use
of short tags will be at heightened risk of forgery attacks. In many of short tags will be at heightened risk of forgery attacks. In many
cases, it is simpler to use full-size tags and tolerate slightly cases, it is simpler to use full-size tags and tolerate slightly
higher-bandwidth usage rather than to add the additional defenses higher bandwidth usage rather than to add the additional defenses
necessary to safely use short tags. necessary to safely use short tags.
8. IANA Considerations 8. IANA Considerations
IANA has created a new registry called "SFrame Cipher Suites" IANA has created a new registry called "SFrame Cipher Suites"
(Section 8.1) under the "SFrame" group registry heading. Assignments (Section 8.1) under the "SFrame" group registry heading.
are made via the Specification Required policy [RFC8126].
8.1. SFrame Cipher Suites 8.1. SFrame Cipher Suites
The "SFrame Cipher Suites" registry lists identifiers for SFrame The "SFrame Cipher Suites" registry lists identifiers for SFrame
cipher suites as defined in Section 4.5. The cipher suite field is cipher suites as defined in Section 4.5. The cipher suite field is
two bytes wide, so the valid cipher suites are in the range 0x0000 to two bytes wide, so the valid cipher suites are in the range 0x0000 to
0xFFFF. 0xFFFF. Except as noted below, assignments are made via the
Specification Required policy [RFC8126].
The registration template is as follows: The registration template is as follows:
* Value: The numeric value of the cipher suite * Value: The numeric value of the cipher suite
* Name: The name of the cipher suite * Name: The name of the cipher suite
* Recommended: Whether support for this cipher suite is recommended * Recommended: Whether support for this cipher suite is recommended
by the IETF. Valid values are "Y", "N", and "D" as described in by the IETF. Valid values are "Y", "N", and "D" as described in
Section 17.1 of [MLS-PROTO]. The default value of the Section 17.1 of [MLS-PROTO]. The default value of the
skipping to change at page 28, line 34 skipping to change at line 1163
+--------+----------------------------+---+-----------+------------+ +--------+----------------------------+---+-----------+------------+
Table 2: SFrame Cipher Suites Table 2: SFrame Cipher Suites
9. Application Responsibilities 9. Application Responsibilities
To use SFrame, an application needs to define the inputs to the To use SFrame, an application needs to define the inputs to the
SFrame encryption and decryption operations, and how SFrame SFrame encryption and decryption operations, and how SFrame
ciphertexts are delivered from sender to receiver (including any ciphertexts are delivered from sender to receiver (including any
fragmentation and reassembly). In this section, we lay out fragmentation and reassembly). In this section, we lay out
additional requirements that an implementation must meet in order for additional requirements that an application must meet in order for
SFrame to operate securely. SFrame to operate securely.
In general, an application using SFrame is responsible for In general, an application using SFrame is responsible for
configuring SFrame. The application must first define when SFrame is configuring SFrame. The application must first define when SFrame is
applied at all. When SFrame is applied, the application must define applied at all. When SFrame is applied, the application must define
which cipher suite is to be used. If new versions of SFrame are which cipher suite is to be used. If new versions of SFrame are
defined in the future, it will be up to the application to determine defined in the future, it will be the application's responsibility to
which version should be used. determine which version should be used.
This division of responsibilities is similar to the way other media This division of responsibilities is similar to the way other media
parameters (e.g., codecs) are typically handled in media parameters (e.g., codecs) are typically handled in media
applications, in the sense that they are set up in some signaling applications, in the sense that they are set up in some signaling
protocol and not described in the media. Applications might find it protocol and not described in the media. Applications might find it
useful to extend the protocols used for negotiating other media useful to extend the protocols used for negotiating other media
parameters (e.g., Session Description Protocol (SDP) [RFC8866]) to parameters (e.g., Session Description Protocol (SDP) [RFC8866]) to
also negotiate parameters for SFrame. also negotiate parameters for SFrame.
9.1. Header Value Uniqueness 9.1. Header Value Uniqueness
skipping to change at page 29, line 27 skipping to change at line 1203
persistent storage, this context needs to include the last-used CTR persistent storage, this context needs to include the last-used CTR
value. When the context is used later, the application should use value. When the context is used later, the application should use
the stored CTR value to determine the next CTR value to be used in an the stored CTR value to determine the next CTR value to be used in an
encryption operation, and then write the next CTR value back to encryption operation, and then write the next CTR value back to
storage before using the CTR value for encryption. Storing the CTR storage before using the CTR value for encryption. Storing the CTR
value before usage (vs. after) helps ensure that a storage failure value before usage (vs. after) helps ensure that a storage failure
will not cause reuse of the same (base_key, KID, CTR) combination. will not cause reuse of the same (base_key, KID, CTR) combination.
9.2. Key Management Framework 9.2. Key Management Framework
It is up to the application to provision SFrame with a mapping of KID The application is responsible for provisioning SFrame with a mapping
values to base_key values and the resulting keys and salts. More of KID values to base_key values and the resulting keys and salts.
importantly, the application specifies which KID values are used for More importantly, the application specifies which KID values are used
which purposes (e.g., by which senders). An application's KID for which purposes (e.g., by which senders). An application's KID
assignment strategy MUST be structured to assure the non-reuse assignment strategy MUST be structured to assure the non-reuse
properties discussed in Section 9.1. properties discussed in Section 9.1.
It is also up to the application to define a rotation schedule for The application is also responsible for defining a rotation schedule
keys. For example, one application might have an ephemeral group for for keys. For example, one application might have an ephemeral group
every call and keep rotating keys when endpoints join or leave the for every call and keep rotating keys when endpoints join or leave
call, while another application could have a persistent group that the call, while another application could have a persistent group
can be used for multiple calls and simply derives ephemeral symmetric that can be used for multiple calls and simply derives ephemeral
keys for a specific call. symmetric keys for a specific call.
It should be noted that KID values are not encrypted by SFrame and It should be noted that KID values are not encrypted by SFrame and
are thus visible to any application-layer intermediaries that might are thus visible to any application-layer intermediaries that might
handle an SFrame ciphertext. If there are application semantics handle an SFrame ciphertext. If there are application semantics
included in KID values, then this information would be exposed to included in KID values, then this information would be exposed to
intermediaries. For example, in the scheme of Section 5.1, the intermediaries. For example, in the scheme of Section 5.1, the
number of ratchet steps per sender is exposed, and in the scheme of number of ratchet steps per sender is exposed, and in the scheme of
Section 5.2, the number of epochs and the MLS sender ID of the SFrame Section 5.2, the number of epochs and the MLS sender ID of the SFrame
sender are exposed. sender are exposed.
skipping to change at page 30, line 21 skipping to change at line 1242
key and nonce. key and nonce.
It is not mandatory to implement anti-replay on the receiver side. It is not mandatory to implement anti-replay on the receiver side.
Receivers MAY apply time- or counter-based anti-replay mitigations. Receivers MAY apply time- or counter-based anti-replay mitigations.
For example, Section 3.3.2 of [RFC3711] specifies a counter-based For example, Section 3.3.2 of [RFC3711] specifies a counter-based
anti-replay mitigation, which could be adapted to use with SFrame, anti-replay mitigation, which could be adapted to use with SFrame,
using the CTR field as the counter. using the CTR field as the counter.
9.4. Metadata 9.4. Metadata
The metadata input to SFrame operations is pure application-specified The metadata input to SFrame operations is an opaque byte string
data. As such, it is up to the application to define what specified by the application. As such, the application needs to
information should go in the metadata input and ensure that it is define what information should go in the metadata input and ensure
provided to the encryption and decryption functions at the that it is provided to the encryption and decryption functions at the
appropriate points. A receiver MUST NOT use SFrame-authenticated appropriate points. A receiver MUST NOT use SFrame-authenticated
metadata until after the SFrame decrypt function has authenticated metadata until after the SFrame decrypt function has authenticated
it, unless the purpose of such usage is to prepare an SFrame it, unless the purpose of such usage is to prepare an SFrame
ciphertext for SFrame decryption. Essentially, metadata may be used ciphertext for SFrame decryption. Essentially, metadata may be used
"upstream of SFrame" in a processing pipeline, but only to prepare "upstream of SFrame" in a processing pipeline, but only to prepare
for SFrame decryption. for SFrame decryption.
For example, consider an application where SFrame is used to encrypt For example, consider an application where SFrame is used to encrypt
audio frames that are sent over SRTP, with some application data audio frames that are sent over SRTP, with some application data
included in the RTP header extension. Suppose the application also included in the RTP header extension. Suppose the application also
skipping to change at page 30, line 52 skipping to change at line 1273
data. data.
10. References 10. References
10.1. Normative References 10.1. Normative References
[MLS-PROTO] [MLS-PROTO]
Barnes, R., Beurdouche, B., Robert, R., Millican, J., Barnes, R., Beurdouche, B., Robert, R., Millican, J.,
Omara, E., and K. Cohn-Gordon, "The Messaging Layer Omara, E., and K. Cohn-Gordon, "The Messaging Layer
Security (MLS) Protocol", RFC 9420, DOI 10.17487/RFC9420, Security (MLS) Protocol", RFC 9420, DOI 10.17487/RFC9420,
July 2023, <https://www.rfc-editor.org/rfc/rfc9420>. July 2023, <https://www.rfc-editor.org/info/rfc9420>.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997, DOI 10.17487/RFC2119, March 1997,
<https://www.rfc-editor.org/rfc/rfc2119>. <https://www.rfc-editor.org/info/rfc2119>.
[RFC5116] McGrew, D., "An Interface and Algorithms for Authenticated [RFC5116] McGrew, D., "An Interface and Algorithms for Authenticated
Encryption", RFC 5116, DOI 10.17487/RFC5116, January 2008, Encryption", RFC 5116, DOI 10.17487/RFC5116, January 2008,
<https://www.rfc-editor.org/rfc/rfc5116>. <https://www.rfc-editor.org/info/rfc5116>.
[RFC5869] Krawczyk, H. and P. Eronen, "HMAC-based Extract-and-Expand [RFC5869] Krawczyk, H. and P. Eronen, "HMAC-based Extract-and-Expand
Key Derivation Function (HKDF)", RFC 5869, Key Derivation Function (HKDF)", RFC 5869,
DOI 10.17487/RFC5869, May 2010, DOI 10.17487/RFC5869, May 2010,
<https://www.rfc-editor.org/rfc/rfc5869>. <https://www.rfc-editor.org/info/rfc5869>.
[RFC8126] Cotton, M., Leiba, B., and T. Narten, "Guidelines for [RFC8126] Cotton, M., Leiba, B., and T. Narten, "Guidelines for
Writing an IANA Considerations Section in RFCs", BCP 26, Writing an IANA Considerations Section in RFCs", BCP 26,
RFC 8126, DOI 10.17487/RFC8126, June 2017, RFC 8126, DOI 10.17487/RFC8126, June 2017,
<https://www.rfc-editor.org/rfc/rfc8126>. <https://www.rfc-editor.org/info/rfc8126>.
[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
May 2017, <https://www.rfc-editor.org/rfc/rfc8174>. May 2017, <https://www.rfc-editor.org/info/rfc8174>.
10.2. Informative References 10.2. Informative References
[I-D.codec-agnostic-rtp-payload-format]
Murillo, S. G. and A. Gouaillard, "Codec agnostic RTP
payload format for video", Work in Progress, Internet-
Draft, draft-codec-agnostic-rtp-payload-format-00, 19
February 2021, <https://datatracker.ietf.org/doc/html/
draft-codec-agnostic-rtp-payload-format-00>.
[I-D.ietf-moq-transport]
Curley, L., Pugin, K., Nandakumar, S., Vasiliev, V., and
I. Swett, "Media over QUIC Transport", Work in Progress,
Internet-Draft, draft-ietf-moq-transport-04, 29 May 2024,
<https://datatracker.ietf.org/doc/html/draft-ietf-moq-
transport-04>.
[I-D.ietf-webtrans-overview]
Vasiliev, V., "The WebTransport Protocol Framework", Work
in Progress, Internet-Draft, draft-ietf-webtrans-overview-
07, 4 March 2024, <https://datatracker.ietf.org/doc/html/
draft-ietf-webtrans-overview-07>.
[MLS-ARCH] Beurdouche, B., Rescorla, E., Omara, E., Inguva, S., and [MLS-ARCH] Beurdouche, B., Rescorla, E., Omara, E., Inguva, S., and
A. Duric, "The Messaging Layer Security (MLS) A. Duric, "The Messaging Layer Security (MLS)
Architecture", Work in Progress, Internet-Draft, draft- Architecture", Work in Progress, Internet-Draft, draft-
ietf-mls-architecture-13, 22 March 2024, ietf-mls-architecture-14, 8 July 2024,
<https://datatracker.ietf.org/doc/html/draft-ietf-mls- <https://datatracker.ietf.org/doc/html/draft-ietf-mls-
architecture-13>. architecture-14>.
[MOQ-TRANSPORT]
Curley, L., Pugin, K., Nandakumar, S., Vasiliev, V., and
I. Swett, Ed., "Media over QUIC Transport", Work in
Progress, Internet-Draft, draft-ietf-moq-transport-05, 8
July 2024, <https://datatracker.ietf.org/doc/html/draft-
ietf-moq-transport-05>.
[RFC3711] Baugher, M., McGrew, D., Naslund, M., Carrara, E., and K. [RFC3711] Baugher, M., McGrew, D., Naslund, M., Carrara, E., and K.
Norrman, "The Secure Real-time Transport Protocol (SRTP)", Norrman, "The Secure Real-time Transport Protocol (SRTP)",
RFC 3711, DOI 10.17487/RFC3711, March 2004, RFC 3711, DOI 10.17487/RFC3711, March 2004,
<https://www.rfc-editor.org/rfc/rfc3711>. <https://www.rfc-editor.org/info/rfc3711>.
[RFC6716] Valin, JM., Vos, K., and T. Terriberry, "Definition of the [RFC6716] Valin, JM., Vos, K., and T. Terriberry, "Definition of the
Opus Audio Codec", RFC 6716, DOI 10.17487/RFC6716, Opus Audio Codec", RFC 6716, DOI 10.17487/RFC6716,
September 2012, <https://www.rfc-editor.org/rfc/rfc6716>. September 2012, <https://www.rfc-editor.org/info/rfc6716>.
[RFC7656] Lennox, J., Gross, K., Nandakumar, S., Salgueiro, G., and [RFC7656] Lennox, J., Gross, K., Nandakumar, S., Salgueiro, G., and
B. Burman, Ed., "A Taxonomy of Semantics and Mechanisms B. Burman, Ed., "A Taxonomy of Semantics and Mechanisms
for Real-Time Transport Protocol (RTP) Sources", RFC 7656, for Real-Time Transport Protocol (RTP) Sources", RFC 7656,
DOI 10.17487/RFC7656, November 2015, DOI 10.17487/RFC7656, November 2015,
<https://www.rfc-editor.org/rfc/rfc7656>. <https://www.rfc-editor.org/info/rfc7656>.
[RFC7667] Westerlund, M. and S. Wenger, "RTP Topologies", RFC 7667, [RFC7667] Westerlund, M. and S. Wenger, "RTP Topologies", RFC 7667,
DOI 10.17487/RFC7667, November 2015, DOI 10.17487/RFC7667, November 2015,
<https://www.rfc-editor.org/rfc/rfc7667>. <https://www.rfc-editor.org/info/rfc7667>.
[RFC8723] Jennings, C., Jones, P., Barnes, R., and A.B. Roach, [RFC8723] Jennings, C., Jones, P., Barnes, R., and A.B. Roach,
"Double Encryption Procedures for the Secure Real-Time "Double Encryption Procedures for the Secure Real-Time
Transport Protocol (SRTP)", RFC 8723, Transport Protocol (SRTP)", RFC 8723,
DOI 10.17487/RFC8723, April 2020, DOI 10.17487/RFC8723, April 2020,
<https://www.rfc-editor.org/rfc/rfc8723>. <https://www.rfc-editor.org/info/rfc8723>.
[RFC8866] Begen, A., Kyzivat, P., Perkins, C., and M. Handley, "SDP: [RFC8866] Begen, A., Kyzivat, P., Perkins, C., and M. Handley, "SDP:
Session Description Protocol", RFC 8866, Session Description Protocol", RFC 8866,
DOI 10.17487/RFC8866, January 2021, DOI 10.17487/RFC8866, January 2021,
<https://www.rfc-editor.org/rfc/rfc8866>. <https://www.rfc-editor.org/info/rfc8866>.
[RTP-PAYLOAD]
Murillo, S. G., Fablet, Y., and A. Gouaillard, "Codec
agnostic RTP payload format for video", Work in Progress,
Internet-Draft, draft-gouaillard-avtcore-codec-agn-rtp-
payload-01, 9 March 2021,
<https://datatracker.ietf.org/doc/html/draft-gouaillard-
avtcore-codec-agn-rtp-payload-01>.
[TestVectors] [TestVectors]
"SFrame Test Vectors", commit 025d568, September 2023, "SFrame Test Vectors", commit 025d568, September 2023,
<https://github.com/sframe-wg/sframe/blob/main/test- <https://github.com/sframe-wg/sframe/blob/025d568/test-
vectors/test-vectors.json>. vectors/test-vectors.json>.
[WEBTRANSPORT]
Vasiliev, V., "The WebTransport Protocol Framework", Work
in Progress, Internet-Draft, draft-ietf-webtrans-overview-
07, 4 March 2024, <https://datatracker.ietf.org/doc/html/
draft-ietf-webtrans-overview-07>.
Appendix A. Example API Appendix A. Example API
*This section is not normative.* *This section is not normative.*
This section describes a notional API that an SFrame implementation This section describes a notional API that an SFrame implementation
might expose. The core concept is an "SFrame context", within which might expose. The core concept is an "SFrame context", within which
KID values are meaningful. In the key management scheme described in KID values are meaningful. In the key management scheme described in
Section 5.1, each sender has a different context; in the scheme Section 5.1, each sender has a different context; in the scheme
described in Section 5.2, all senders share the same context. described in Section 5.2, all senders share the same context.
skipping to change at page 33, line 18 skipping to change at line 1386
operations). A key context tracks the key and salt associated to the operations). A key context tracks the key and salt associated to the
KID, and the current CTR value. A key context to be used for sending KID, and the current CTR value. A key context to be used for sending
also tracks the next CTR value to be used. also tracks the next CTR value to be used.
The primary operations on an SFrame context are as follows: The primary operations on an SFrame context are as follows:
* *Create an SFrame context:* The context is initialized with a * *Create an SFrame context:* The context is initialized with a
cipher suite and no KID mappings. cipher suite and no KID mappings.
* *Add a key for sending:* The key and salt are derived from the * *Add a key for sending:* The key and salt are derived from the
base key, and are used to initialize a send context, together with base key and used to initialize a send context, together with a
a zero counter value. zero CTR value.
* *Add a key for receiving:* The key and salt are derived from the * *Add a key for receiving:* The key and salt are derived from the
base key, and are used to initialize a send context. base key and used to initialize a send context.
* *Encrypt a plaintext:* Encrypt a given plaintext using the key for * *Encrypt a plaintext:* Encrypt a given plaintext using the key for
a given KID, including the specified metadata. a given KID, including the specified metadata.
* *Decrypt an SFrame ciphertext:* Decrypt an SFrame ciphertext with * *Decrypt an SFrame ciphertext:* Decrypt an SFrame ciphertext with
the KID and CTR values specified in the SFrame header, and the the KID and CTR values specified in the SFrame header, and the
provided metadata. provided metadata.
Figure 9 shows an example of the types of structures and methods that Figure 10 shows an example of the types of structures and methods
could be used to create an SFrame API in Rust. that could be used to create an SFrame API in Rust.
type KeyId = u64; type KeyId = u64;
type Counter = u64; type Counter = u64;
type CipherSuite = u16; type CipherSuite = u16;
struct SendKeyContext { struct SendKeyContext {
key: Vec<u8>, key: Vec<u8>,
salt: Vec<u8>, salt: Vec<u8>,
next_counter: Counter, next_counter: Counter,
} }
skipping to change at page 34, line 35 skipping to change at line 1432
trait SFrameContextMethods { trait SFrameContextMethods {
fn create(cipher_suite: CipherSuite) -> Self; fn create(cipher_suite: CipherSuite) -> Self;
fn add_send_key(&self, kid: KeyId, base_key: &[u8]); fn add_send_key(&self, kid: KeyId, base_key: &[u8]);
fn add_recv_key(&self, kid: KeyId, base_key: &[u8]); fn add_recv_key(&self, kid: KeyId, base_key: &[u8]);
fn encrypt(&mut self, kid: KeyId, metadata: &[u8], fn encrypt(&mut self, kid: KeyId, metadata: &[u8],
plaintext: &[u8]) -> Vec<u8>; plaintext: &[u8]) -> Vec<u8>;
fn decrypt(&self, metadata: &[u8], ciphertext: &[u8]) -> Vec<u8>; fn decrypt(&self, metadata: &[u8], ciphertext: &[u8]) -> Vec<u8>;
} }
Figure 9: An Example SFrame API Figure 10: An Example SFrame API
Appendix B. Overhead Analysis Appendix B. Overhead Analysis
Any use of SFrame will impose overhead in terms of the amount of Any use of SFrame will impose overhead in terms of the amount of
bandwidth necessary to transmit a given media stream. Exactly how bandwidth necessary to transmit a given media stream. Exactly how
much overhead will be added depends on several factors: much overhead will be added depends on several factors:
* The number of senders involved in a conference (length of KID) * The number of senders involved in a conference (length of KID)
* The duration of the conference (length of CTR) * The duration of the conference (length of CTR)
skipping to change at page 35, line 24 skipping to change at line 1468
In the remainder of this section, we compute overhead estimates for a In the remainder of this section, we compute overhead estimates for a
collection of common scenarios. collection of common scenarios.
B.1. Assumptions B.1. Assumptions
In the below calculations, we make conservative assumptions about In the below calculations, we make conservative assumptions about
SFrame overhead so that the overhead amounts we compute here are SFrame overhead so that the overhead amounts we compute here are
likely to be an upper bound of those seen in practice. likely to be an upper bound of those seen in practice.
+==============+=======+================================+ +==============+=======+============================+
| Field | Bytes | Explanation | | Field | Bytes | Explanation |
+==============+=======+================================+ +==============+=======+============================+
| Fixed header | 1 | Fixed | | Config byte | 1 | Fixed |
+--------------+-------+--------------------------------+ +--------------+-------+----------------------------+
| Key ID (KID) | 2 | >255 senders; or MLS epoch | | Key ID (KID) | 2 | >255 senders; or MLS epoch |
| | | (E=4) and >16 senders | | | | (E=4) and >16 senders |
+--------------+-------+--------------------------------+ +--------------+-------+----------------------------+
| Counter | 3 | More than 24 hours of media in | | Counter | 3 | More than 24 hours of |
| (CTR) | | common cases | | (CTR) | | media in common cases |
+--------------+-------+--------------------------------+ +--------------+-------+----------------------------+
| Cipher | 16 | Full Galois/Counter Mode (GCM) | | Cipher | 16 | Full authentication tag |
| overhead | | tag (longest defined here) | | overhead | | (longest defined here) |
+--------------+-------+--------------------------------+ +--------------+-------+----------------------------+
Table 3: Overhead Analysis Assumptions Table 3: Overhead Analysis Assumptions
In total, then, we assume that each SFrame encryption will add 22 In total, then, we assume that each SFrame encryption will add 22
bytes of overhead. bytes of overhead.
We consider two scenarios: applying SFrame per frame and per packet. We consider two scenarios: applying SFrame per frame and per packet.
In each scenario, we compute the SFrame overhead in absolute terms In each scenario, we compute the SFrame overhead in absolute terms
(kbps) and as a percentage of the base bandwidth. (kbps) and as a percentage of the base bandwidth.
B.2. Audio B.2. Audio
In audio streams, there is typically a one-to-one relationship In audio streams, there is typically a one-to-one relationship
between frames and packets, so the overhead is the same whether one between frames and packets, so the overhead is the same whether one
uses SFrame at a per-packet or per-frame level. uses SFrame at a per-packet or per-frame level.
Table 4 considers three scenarios that are based on recommended Table 4 considers three scenarios that are based on recommended
configurations of the Opus codec [RFC6716]: configurations of the Opus codec [RFC6716] (where "fps" stands for
"frames per second"):
* Narrow-band (NB) speech: 120 ms packets, 8 kbps
* Full-band (FB) speech: 20 ms packets, 32 kbps
* Full-band stereo music: 10 ms packets, 128 kbps
+================+==============+======+==========+==========+ +==============+==============+=====+======+==========+==========+
| Scenario | Frames per | Base | Overhead | Overhead | | Scenario | Frame length | fps | Base | Overhead | Overhead |
| | Second (fps) | kbps | kbps | % | | | | | kbps | kbps | % |
+================+==============+======+==========+==========+ +==============+==============+=====+======+==========+==========+
| NB speech, 120 | 8.3 | 8 | 1.4 | 17.9% | | Narrow-band | 120 ms | 8.3 | 8 | 1.4 | 17.9% |
| ms packets | | | | | | speech | | | | | |
+----------------+--------------+------+----------+----------+ +--------------+--------------+-----+------+----------+----------+
| FB speech, 20 | 50 | 32 | 8.6 | 26.9% | | Full-band | 20 ms | 50 | 32 | 8.6 | 26.9% |
| ms packets | | | | | | speech | | | | | |
+----------------+--------------+------+----------+----------+ +--------------+--------------+-----+------+----------+----------+
| FB stereo, 10 | 100 | 128 | 17.2 | 13.4% | | Full-band | 10 ms | 100 | 128 | 17.2 | 13.4% |
| ms packets | | | | | | stereo music | | | | | |
+----------------+--------------+------+----------+----------+ +--------------+--------------+-----+------+----------+----------+
Table 4: SFrame Overhead for Audio Streams Table 4: SFrame Overhead for Audio Streams
B.3. Video B.3. Video
Video frames can be larger than an MTU and thus are commonly split Video frames can be larger than an MTU and thus are commonly split
across multiple frames. Table 5 and Table 6 show the estimated across multiple frames. Tables 5 and 6 show the estimated overhead
overhead of encrypting a video stream, where SFrame is applied per of encrypting a video stream, where SFrame is applied per frame and
frame and per packet, respectively. The choices of resolution, per packet, respectively. The choices of resolution, frames per
frames per second, and bandwidth roughly reflect the capabilities of second, and bandwidth roughly reflect the capabilities of modern
modern video codecs across a range from very-low to very-high video codecs across a range from very low to very high quality.
quality.
+=============+=====+===========+===============+============+ +=============+=====+===========+===============+============+
| Scenario | fps | Base kbps | Overhead kbps | Overhead % | | Scenario | fps | Base kbps | Overhead kbps | Overhead % |
+=============+=====+===========+===============+============+ +=============+=====+===========+===============+============+
| 426 x 240 | 7.5 | 45 | 1.3 | 2.9% | | 426 x 240 | 7.5 | 45 | 1.3 | 2.9% |
+-------------+-----+-----------+---------------+------------+ +-------------+-----+-----------+---------------+------------+
| 640 x 360 | 15 | 200 | 2.6 | 1.3% | | 640 x 360 | 15 | 200 | 2.6 | 1.3% |
+-------------+-----+-----------+---------------+------------+ +-------------+-----+-----------+---------------+------------+
| 640 x 360 | 30 | 400 | 5.2 | 1.3% | | 640 x 360 | 30 | 400 | 5.2 | 1.3% |
+-------------+-----+-----------+---------------+------------+ +-------------+-----+-----------+---------------+------------+
skipping to change at page 38, line 9 skipping to change at line 1578
as the quality of the video improves since bandwidth is driven more as the quality of the video improves since bandwidth is driven more
by picture size than frame rate. In the per-packet case, the SFrame by picture size than frame rate. In the per-packet case, the SFrame
percentage overhead approaches the ratio between the SFrame overhead percentage overhead approaches the ratio between the SFrame overhead
per packet and the MTU (here 22 bytes of SFrame overhead divided by per packet and the MTU (here 22 bytes of SFrame overhead divided by
an assumed 1200-byte MTU, or about 1.8%). an assumed 1200-byte MTU, or about 1.8%).
B.4. Conferences B.4. Conferences
Real conferences usually involve several audio and video streams. Real conferences usually involve several audio and video streams.
The overhead of SFrame in such a conference is the aggregate of the The overhead of SFrame in such a conference is the aggregate of the
overhead of all the individual streams. Thus, while SFrame incurs a overhead across all the individual streams. Thus, while SFrame
large percentage overhead on an audio stream, if the conference also incurs a large percentage overhead on an audio stream, if the
involves a video stream, then the audio overhead is likely negligible conference also involves a video stream, then the audio overhead is
relative to the overall bandwidth of the conference. likely negligible relative to the overall bandwidth of the
conference.
For example, Table 7 shows the overhead estimates for a two-person For example, Table 7 shows the overhead estimates for a two-person
conference where one person is sending low-quality media and the conference where one person is sending low-quality media and the
other is sending high-quality media. (And we assume that SFrame is other is sending high-quality media. (And we assume that SFrame is
applied per frame.) The video streams dominate the bandwidth at the applied per frame.) The video streams dominate the bandwidth at the
SFU, so the total bandwidth overhead is only around 1%. SFU, so the total bandwidth overhead is only around 1%.
+=====================+===========+===============+============+ +=====================+===========+===============+============+
| Stream | Base Kbps | Overhead Kbps | Overhead % | | Stream | Base Kbps | Overhead Kbps | Overhead % |
+=====================+===========+===============+============+ +=====================+===========+===============+============+
skipping to change at page 38, line 48 skipping to change at line 1618
SFrame is a generic encapsulation format, but many of the SFrame is a generic encapsulation format, but many of the
applications in which it is likely to be integrated are based on RTP. applications in which it is likely to be integrated are based on RTP.
This section discusses how an integration between SFrame and RTP This section discusses how an integration between SFrame and RTP
could be done, and some of the challenges that would need to be could be done, and some of the challenges that would need to be
overcome. overcome.
As discussed in Section 4.1, there are two natural patterns for As discussed in Section 4.1, there are two natural patterns for
integrating SFrame into an application: applying SFrame per frame or integrating SFrame into an application: applying SFrame per frame or
per packet. In RTP-based applications, applying SFrame per packet per packet. In RTP-based applications, applying SFrame per packet
means that the payload of each RTP packet will be an SFrame means that the payload of each RTP packet will be an SFrame
ciphertext, starting with an SFrame header, as shown in Figure 10. ciphertext, starting with an SFrame header, as shown in Figure 11.
Applying SFrame per frame means that different RTP payloads will have Applying SFrame per frame means that different RTP payloads will have
different formats: the first payload of a frame will contain the different formats: The first payload of a frame will contain the
SFrame headers, and subsequent payloads will contain further chunks SFrame headers, and subsequent payloads will contain further chunks
of the ciphertext, as shown in Figure 11. of the ciphertext, as shown in Figure 12.
In order for these media payloads to be properly interpreted by In order for these media payloads to be properly interpreted by
receivers, receivers will need to be configured to know which of the receivers, receivers will need to be configured to know which of the
above schemes the sender has applied to a given sequence of RTP above schemes the sender has applied to a given sequence of RTP
packets. SFrame does not provide a mechanism for distributing this packets. SFrame does not provide a mechanism for distributing this
configuration information. In applications that use SDP for configuration information. In applications that use SDP for
negotiating RTP media streams [RFC8866], an appropriate extension to negotiating RTP media streams [RFC8866], an appropriate extension to
SDP could provide this function. SDP could provide this function.
Applying SFrame per frame also requires that packetization and Applying SFrame per frame also requires that packetization and
depacketization be done in a generic manner that does not depend on depacketization be done in a generic manner that does not depend on
the media content of the packets, since the content being packetized/ the media content of the packets, since the content being packetized
depacketized will be opaque ciphertext (except for the SFrame or depacketized will be opaque ciphertext (except for the SFrame
header). In order for such a generic packetization scheme to work header). In order for such a generic packetization scheme to work
interoperably, one would have to be defined, e.g., as proposed in interoperably, one would have to be defined, e.g., as proposed in
[I-D.codec-agnostic-rtp-payload-format]. [RTP-PAYLOAD].
+---+-+-+-------+-+-------------+-------------------------------+<-+ +---+-+-+-------+-+-------------+-------------------------------+<-+
|V=2|P|X| CC |M| PT | sequence number | | |V=2|P|X| CC |M| PT | sequence number | |
+---+-+-+-------+-+-------------+-------------------------------+ | +---+-+-+-------+-+-------------+-------------------------------+ |
| timestamp | | | timestamp | |
+---------------------------------------------------------------+ | +---------------------------------------------------------------+ |
| synchronization source (SSRC) identifier | | | synchronization source (SSRC) identifier | |
+===============================================================+ | +===============================================================+ |
| contributing source (CSRC) identifiers | | | contributing source (CSRC) identifiers | |
| .... | | | .... | |
skipping to change at page 39, line 44 skipping to change at line 1663
| +--------------------+ | | | +--------------------+ | |
| | | | | | | |
| | SFrame encrypted and authenticated payload | | | | SFrame encrypted and authenticated payload | |
| | | | | | | |
+->+---------------------------------------------------------------+<-+ +->+---------------------------------------------------------------+<-+
| | SRTP authentication tag | | | | SRTP authentication tag | |
| +---------------------------------------------------------------+ | | +---------------------------------------------------------------+ |
| | | |
+--- SRTP Encrypted Portion SRTP Authenticated Portion ---+ +--- SRTP Encrypted Portion SRTP Authenticated Portion ---+
Figure 10: SRTP Packet with SFrame-Protected Payload Figure 11: SRTP Packet with SFrame-Protected Payload
+----------------+ +---------------+ +----------------+ +---------------+
| frame metadata | | | | frame metadata | | |
+-------+--------+ | | +-------+--------+ | |
| | frame | | | frame |
| | | | | |
| | | | | |
| +-------+-------+ | +-------+-------+
| | | |
| | | |
skipping to change at page 40, line 43 skipping to change at line 1703
| | | | | | | |
V V V V V V V V
+---------------+ +---------------+ +---------------+ +---------------+ +---------------+ +---------------+
| SFrame header | | | | | | SFrame header | | | | |
+---------------+ | | | | +---------------+ | | | |
| | | payload 2/N | ... | payload N/N | | | | payload 2/N | ... | payload N/N |
| payload 1/N | | | | | | payload 1/N | | | | |
| | | | | | | | | | | |
+---------------+ +---------------+ +---------------+ +---------------+ +---------------+ +---------------+
Figure 11: Encryption Flow with per-Frame Encryption for RTP Figure 12: Encryption Flow with per-Frame Encryption for RTP
Appendix C. Test Vectors Appendix C. Test Vectors
This section provides a set of test vectors that implementations can This section provides a set of test vectors that implementations can
use to verify that they correctly implement SFrame encryption and use to verify that they correctly implement SFrame encryption and
decryption. In addition to test vectors for the overall process of decryption. In addition to test vectors for the overall process of
SFrame encryption/decryption, we also provide test vectors for header SFrame encryption/decryption, we also provide test vectors for header
encoding/decoding, and for AEAD encryption/decryption using the AES- encoding/decoding, and for AEAD encryption/decryption using the AES-
CTR construction defined in Section 4.5.1. CTR construction defined in Section 4.5.1.
skipping to change at page 72, line 13 skipping to change at line 3156
3c1cc24d56ceabced279 3c1cc24d56ceabced279
Acknowledgements Acknowledgements
The authors wish to specially thank Dr. Alex Gouaillard as one of the The authors wish to specially thank Dr. Alex Gouaillard as one of the
early contributors to the document. His passion and energy were key early contributors to the document. His passion and energy were key
to the design and development of SFrame. to the design and development of SFrame.
Contributors Contributors
Frederic Jacobs Frédéric Jacobs
Apple Apple
Email: frederic.jacobs@apple.com Email: frederic.jacobs@apple.com
Marta Mularczyk Marta Mularczyk
Amazon Amazon
Email: mulmarta@amazon.com Email: mulmarta@amazon.com
Suhas Nandakumar Suhas Nandakumar
Cisco Cisco
Email: snandaku@cisco.com Email: snandaku@cisco.com
skipping to change at page 72, line 40 skipping to change at line 3183
Phoenix R&D Phoenix R&D
Email: ietf@raphaelrobert.com Email: ietf@raphaelrobert.com
Authors' Addresses Authors' Addresses
Emad Omara Emad Omara
Apple Apple
Email: eomara@apple.com Email: eomara@apple.com
Justin Uberti Justin Uberti
Google Fixie.ai
Email: juberti@google.com Email: justin@fixie.ai
Sergio Garcia Murillo Sergio Garcia Murillo
CoSMo Software CoSMo Software
Email: sergio.garcia.murillo@cosmosoftware.io Email: sergio.garcia.murillo@cosmosoftware.io
Richard L. Barnes (editor)
Richard Barnes (editor)
Cisco Cisco
Email: rlb@ipv.sx Email: rlb@ipv.sx
Youenn Fablet Youenn Fablet
Apple Apple
Email: youenn@apple.com Email: youenn@apple.com
 End of changes. 98 change blocks. 
302 lines changed or deleted 303 lines changed or added

This html diff was produced by rfcdiff 1.48.