Javascript disabled? Like other modern websites, the IETF Datatracker relies on Javascript. Please enable Javascript for full functionality.

The Use of AES-192 and AES-256 in Secure RTP
RFC 6188

Yes

(Robert Sparks)

No Objection

(Adrian Farrel)

(Alexey Melnikov)

(Gonzalo Camarillo)

(Jari Arkko)

(Peter Saint-Andre)

(Ralph Droms)

(Ron Bonica)

(Russ Housley)

(Sean Turner)

(Stewart Bryant)

(Tim Polk)

Note: This ballot was opened for revision 06 and is now closed.

Robert Sparks Former IESG member

Yes

Yes () Unknown

Adrian Farrel Former IESG member

No Objection

No Objection () Unknown

Alexey Melnikov Former IESG member

No Objection

No Objection (2010-12-24) Unknown

3.1.  Usage Requirements

   When AES_192_CM is used for encryption, AES_192_CM SHOULD be used as

I think the 2nd AES_192_CM should be AES_192_CM_PRF

   the key derivation function, and AES_128_CM MUST NOT be used as the

s/AES_128_CM/AES_128_CM_PRF ?

   key derivation function.

   When AES_256_CM is used for encryption, AES_256_CM SHOULD be used as
   the key derivation function.  Both AES_128_CM and AES_192_CM MUST NOT
   be used as the key derivation function.

Same comments as above.

Gonzalo Camarillo Former IESG member

No Objection

No Objection () Unknown

Jari Arkko Former IESG member

No Objection

No Objection () Unknown

Peter Saint-Andre Former IESG member

No Objection

No Objection () Unknown

Ralph Droms Former IESG member

No Objection

No Objection () Unknown

Ron Bonica Former IESG member

No Objection

No Objection () Unknown

Russ Housley Former IESG member

(was Discuss) No Objection

No Objection (2011-01-02) Unknown

Please consider the nit and editorial comments from the Gen-ART Review
  by Richard Barnes on 10-Dec-2010:
  >
  > [Section3] In the first sentence, should "AES_CM PRF" be changed
  > to "AES_CM_PRF"?
  >
  > [Section3.1] Do you want to say explicitly that stronger KDFs MAY
  > be used?  That you could use the AES_256_CM KDF with AES_192_CM as
  > the bulk encryption algorithm, or use either 192 or 256 with 128?

Sean Turner Former IESG member

(was Discuss) No Objection

No Objection (2011-01-05) Unknown

#1) Support Russ' and Tim's discusses.

#2) Section 3: 

   In
   this note, the AES-192 counter mode PRF and AES-256 counter mode PRF
   are and are denoted as AES_192_CM_PRF and AES_256_CM_PRF
   respectively.

extra words "are and"?

#3) Section 3.1 (similar to Russ's 2nd comment): Should the rationale include a MUST?  For example:

   The cryptographic strength of the key derivation function MUST
   meet or exceed the cryptographic strength of the encryption method.

Stewart Bryant Former IESG member

No Objection

No Objection () Unknown

Tim Polk Former IESG member

(was Discuss) No Objection

No Objection (2011-01-04) Unknown

Please note Hilarie Orman's secdir review.

(1) In particular, she notes:

The block counter "b_c" is two octets, but the "default key lifetime"
is 2^31.  Is this perhaps the "maximum" key lifetime?  Should
implementors introduce an internal counter to keep track of the
history of key usage (across sessions?)?  Perhaps earlier documents
explain this?

Should implementers use the rollover counter (ROC) from RFC 3711
in combination with b_c, or is there another mechanism that the
authors had in mind?

(2)  You might consider moving the rationale to the front of the section
as an alternative to Hilarie's suggestions on section 3.1,

The Use of AES-192 and AES-256 in Secure RTP RFC 6188

The Use of AES-192 and AES-256 in Secure RTP
RFC 6188