The Use of AES-192 and AES-256 in Secure RTP
RFC 6188

Document Type RFC - Proposed Standard (March 2011; No errata)
Last updated 2015-10-14
Replaces draft-mcgrew-srtp-big-aes
Stream IETF
Formats plain text pdf html bibtex
Reviews
Stream WG state (None)
Document shepherd No shepherd assigned
IESG IESG state RFC 6188 (Proposed Standard)
Consensus Boilerplate Unknown
Telechat date
Responsible AD Robert Sparks
Send notices to (None)
Internet Engineering Task Force (IETF)                         D. McGrew
Request for Comments: 6188                           Cisco Systems, Inc.
Category: Standards Track                                     March 2011
ISSN: 2070-1721

              The Use of AES-192 and AES-256 in Secure RTP

Abstract

   This memo describes the use of the Advanced Encryption Standard (AES)
   with 192- and 256-bit keys within the Secure RTP (SRTP) protocol.  It
   details counter mode encryption for SRTP and Secure Realtime
   Transport Control Protocol (SRTCP) and a new SRTP Key Derivation
   Function (KDF) for AES-192 and AES-256.

Status of This Memo

   This is an Internet Standards Track document.

   This document is a product of the Internet Engineering Task Force
   (IETF).  It represents the consensus of the IETF community.  It has
   received public review and has been approved for publication by the
   Internet Engineering Steering Group (IESG).  Further information on
   Internet Standards is available in Section 2 of RFC 5741.

   Information about the current status of this document, any errata,
   and how to provide feedback on it may be obtained at
   http://www.rfc-editor.org/info/rfc6188.

Copyright Notice

   Copyright (c) 2011 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

McGrew                       Standards Track                    [Page 1]
RFC 6188                SRTP AES-192 and AES-256              March 2011

Table of Contents

   1. Introduction ....................................................3
      1.1. Conventions Used in This Document ..........................3
   2. AES-192 and AES-256 Encryption ..................................3
   3. The AES_192_CM_PRF and AES_256_CM_PRF Key Derivation Functions ..4
      3.1. Usage Requirements .........................................5
   4. Crypto Suites ...................................................6
   5. IANA Considerations .............................................9
   6. Security Considerations .........................................9
   7. Test Cases .....................................................10
      7.1. AES-256-CM Test Cases .....................................10
      7.2. AES_256_CM_PRF Test Cases .................................11
      7.3. AES-192-CM Test Cases .....................................13
      7.4. AES_192_CM_PRF Test Cases .................................13
   8. Acknowledgements ...............................................15
   9. References .....................................................15
      9.1. Normative References ......................................15
      9.2. Informative References ....................................15

McGrew                       Standards Track                    [Page 2]
RFC 6188                SRTP AES-192 and AES-256              March 2011

1.  Introduction

   This memo describes the use of the Advanced Encryption Standard (AES)
   [FIPS197] with 192- and 256-bit keys within the Secure RTP (SRTP)
   protocol [RFC3711].  Below, those block ciphers are referred to as
   AES-192 and AES-256, respectively, and the use of AES with a 128-bit
   key is referred to as AES-128.  This document describes counter mode
   encryption for SRTP and SRTCP and appropriate SRTP key derivation
   functions for AES-192 and AES-256.  It also defines new crypto suites
   that use these new functions.

   While AES-128 is widely regarded as more than adequately secure, some
   users may be motivated to adopt AES-192 or AES-256 due to a perceived
   need to pursue a highly conservative security strategy.  For
   instance, the Suite B profile requires AES-256 for the protection of
   TOP SECRET information [suiteB].  (Note that while the AES-192 and
   AES-256 encryption methods defined in this document use Suite B
   algorithms, the crypto suites in this document use the HMAC-SHA-1
   algorithm, which is not included in Suite B.) See Section 6 for more
   discussion of security issues.

   The crypto functions described in this document are an addition to,
   and not a replacement for, the crypto functions defined in [RFC3711].

1.1.  Conventions Used in This Document

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].
Show full document text