[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: The use of AES-192 and AES-256 in Secure RTP

To: David McGrew <mcgrew@xxxxxxxxx>, AVT <avt@xxxxxxxx>
Subject: Re: The use of AES-192 and AES-256 in Secure RTP
From: Lakshminath Dondeti <ldondeti@xxxxxxxxxxxx>
Date: Tue, 02 May 2006 09:50:27 -0700
Cc: saag@xxxxxxx, ietf-rtpsec@xxxxxxx
In-reply-to: <A9ACC159-C642-43D4-9DB1-FD2889543814@xxxxxxxxx>
List-archive: <http://www.imc.org/ietf-rtpsec/mail-archive/>
List-id: <ietf-rtpsec.imc.org>
List-unsubscribe: <mailto:ietf-rtpsec-request@imc.org?body=unsubscribe>
References: <A9ACC159-C642-43D4-9DB1-FD2889543814@xxxxxxxxx>
Sender: owner-ietf-rtpsec@xxxxxxxxxxxx


Hi David,

As I read the email, I wondered about replacing HMAC-SHA-1 in 3711also, and glad to see that your open questions lists that. I have afew questions:

1. Is the 112-bit salt sufficient even with longer keys? You mightrecall that we've (Mark B., you and I) had discussions on the masterkey and salt being input to a KDF that results in the derivation ofthe encr_key, integ_key and a salt, where the output might be longerthan the input to the KDF. You are the expert in this area, but I amstill wondering if it is an issue.


Figure 2 applies to AES-128 only, right?

2. I would suggest that this draft include AES-based CMAC, so we canmove away from SHA-1 and also use a single crypto primitive forencryption, and PRF and MAC computation (opinion on your open question).

Q: What are the considerations in truncating cipher-based MACoutputs? Specifically, is truncating below half-the-size of theoutput (which I vaguely recall as relating to the birthday attack incase of hash-based MACs -- perhaps it is not) of the cipher-based MACok? What would be the strength of the MAC in that case. If we aremaking a case for AES-192 or AES-256, then we have a certain strongeradversary in mind (one that requires us to move away fromAES-128). In that case, why is MAC truncation not an issue?

Let's discuss those for now. I may have more later :-). Thanks fordoing this! I was going to ask you about using CMAC in 3711!


regards,
Lakshminath

At 08:15 AM 5/2/2006, David McGrew wrote:

Hello,

there has been some interest in using AES with larger key sizes in
Secure RTP, and some implementations have gone in this direction in
advance of any specification.  I wrote up an internet draft to fill
this gap (after trying unsuccessfully to get someone else to write
it :-) and to provide usage guidance and (eventually) test vectors.

It's online athttp://www.ietf.org/internet-drafts/draft-mcgrew-srtp- big-aes-00.txt


I propose that this draft be adopted for standards track, and I ask
for your review (if you have an interest in Secure RTP).  Please note
the "Open Questions" section.   The ietf-rtpsec list is copied since
this draft is potentially interesting there, even though the draft
has little architectural impact.

Best regards,

David

Follow-Ups:
- Re: The use of AES-192 and AES-256 in Secure RTP
  - From: David McGrew

References:
- The use of AES-192 and AES-256 in Secure RTP
  - From: David McGrew

Prev by Date: The use of AES-192 and AES-256 in Secure RTP
Next by Date: Re: Requirements, First
Previous by thread: The use of AES-192 and AES-256 in Secure RTP
Next by thread: Re: The use of AES-192 and AES-256 in Secure RTP
Index(es):
- Date
- Thread